package dk.digitalidentity.samlmodule.service;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import dk.digitalidentity.samlmodule.config.settings.DISAML_Configuration;
import dk.digitalidentity.samlmodule.model.CompactToken;
import dk.digitalidentity.samlmodule.model.PrivilegeList;
import dk.digitalidentity.samlmodule.model.SamlGrantedAuthority;
import dk.digitalidentity.samlmodule.model.SamlLoginPostProcessor;
import dk.digitalidentity.samlmodule.model.TokenUser;
import dk.digitalidentity.samlmodule.service.saml.DISAML_OpenSAMLHelperService;
import dk.digitalidentity.samlmodule.util.exceptions.InternalException;
import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.AttributeStatement;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.impl.AssertionMarshaller;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.w3c.dom.Element;
import org.w3c.dom.ls.DOMImplementationLS;
import org.w3c.dom.ls.LSOutput;
import org.w3c.dom.ls.LSSerializer;

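@Component
/**
 * Turns a SAML 2.0 {@link Assertion} into a {@link TokenUser} and installs it in the Spring Security context.
 *
 * <p>Username and CVR come from the Subject NameID; attributes come from the AttributeStatements; granted
 * authorities come either from the OIO-BPP "Privileges_intermediate" attribute (base64-encoded PrivilegeList
 * XML) or from a configurable role claim. Nothing in this class validates the assertion itself
 * (signature, conditions, audience) — NOTE(review): that is presumably done by the caller; confirm before
 * exposing {@link #loadUserBySAML} to any new code path.
 */
public class DISAML_TokenUserService {
    private static final Logger log = LoggerFactory.getLogger(DISAML_TokenUserService.class);

    /** The only NameID format whose value {@link #getX509NameIdValue} knows how to read (an X.509 subject DN). */
    private static final String X509_SUBJECT_NAME_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName";

    /** OIO-BPP attribute whose value is base64-encoded PrivilegeList XML. */
    private static final String PRIVILEGES_INTERMEDIATE_ATTRIBUTE = "dk:gov:saml:attribute:Privileges_intermediate";

    /** Prefix put in front of every privilege / claim value before it becomes an authority name. */
    private static final String ROLE_PREFIX = "ROLE_";

    /** Placeholder credential on the authentication token: the assertion, not a password, authenticated the user. */
    private static final String NO_CREDENTIALS = "N/A";

    /** Jackson's ObjectMapper is thread-safe once configured, so one instance serves every compact-token log line. */
    private static final ObjectMapper JSON = new ObjectMapper();

    @Autowired(required = false)
    private SamlLoginPostProcessor postProcesser;

    @Autowired
    private DISAML_Configuration configuration;

    @Autowired
    private DISAML_OpenSAMLHelperService samlHelperService;

    // JAXBContext creation is expensive and the context is thread-safe; a single lazily built instance is
    // shared (volatile so concurrent logins on this singleton bean see a fully constructed context).
    private volatile JAXBContext privilegeListContext;

    /**
     * Builds a {@link TokenUser} from an already validated SAML assertion, runs the optional post-processor
     * and installs the result as the current authentication in {@link SecurityContextHolder}.
     *
     * @param assertion the SAML 2.0 assertion (must carry a Subject with a non-empty NameID value)
     * @return the populated {@link TokenUser}; declared as {@code Object} to keep the existing API
     * @throws UsernameNotFoundException when no Subject NameID value is available to use as username
     */
    public Object loadUserBySAML(Assertion assertion) throws UsernameNotFoundException {
        // A missing Subject/NameID used to surface as a NullPointerException; report it as the declared
        // authentication failure instead so the caller can treat it like any other unknown user.
        if (assertion == null || assertion.getSubject() == null || assertion.getSubject().getNameID() == null
                || !StringUtils.hasLength(assertion.getSubject().getNameID().getValue())) {
            throw new UsernameNotFoundException("Assertion has no Subject NameID to use as username");
        }
        String username = assertion.getSubject().getNameID().getValue();

        // Concrete collection types are kept on purpose: the TokenUser builder's parameter types are not
        // visible here and ArrayList/HashMap are what the original code handed it.
        ArrayList<SamlGrantedAuthority> authorities = new ArrayList<>();
        HashMap<String, Object> attributes = new HashMap<>();
        String cvr = "";
        String rawToken = null;
        try {
            if (this.configuration.isStoreRawToken()) {
                rawToken = tokenToRawString(assertion);
            } else {
                logAssertion(assertion);
            }
            cvr = extractCvr(assertion);
            extractAttributes(assertion, attributes);
            extractRolesFromOioBpp(assertion, authorities);
            extractRolesFromClaim(assertion, authorities);
        } catch (Exception e) {
            // Deliberate best-effort: the login still proceeds with whatever was collected before the failure
            // (possibly no authorities, attributes or raw token). NOTE(review): anything that needs complete
            // role data must not rely on this method failing; consider surfacing this as an authentication error.
            log.error("Bad or missing token", e);
        }

        TokenUser tokenUser = TokenUser.builder()
                .authorities(authorities)
                .rawToken(rawToken)
                .cvr(cvr)
                .attributes(attributes)
                .username(username)
                .build();
        if (this.postProcesser != null) {
            this.postProcesser.process(tokenUser);
        }

        UsernamePasswordAuthenticationToken authentication =
                new UsernamePasswordAuthenticationToken(tokenUser.getUsername(), NO_CREDENTIALS, tokenUser.getAuthorities());
        authentication.setDetails(tokenUser);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        return tokenUser;
    }

    /** Drops the current thread's security context. */
    public void logout() {
        SecurityContextHolder.clearContext();
    }

    /**
     * Copies name/UUID (from the X.509 subject NameID) and the first value of every SAML attribute into
     * {@code attributes}, keyed by attribute name. A later statement with the same attribute name overwrites.
     */
    private void extractAttributes(Assertion assertion, Map<String, Object> attributes) {
        if (assertion.getSubject() != null) {
            NameID nameId = assertion.getSubject().getNameID();
            attributes.put(TokenUser.ATTRIBUTE_NAME, getX509NameIdValue("CN", nameId));
            attributes.put(TokenUser.ATTRIBUTE_UUID, getX509NameIdValue("Serial", nameId));
        }
        if (assertion.getAttributeStatements() == null) {
            return;
        }
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            if (statement.getAttributes() == null || statement.getAttributes().isEmpty()) {
                continue;
            }
            for (Attribute attribute : statement.getAttributes()) {
                if (attribute.getAttributeValues() != null && !attribute.getAttributeValues().isEmpty()) {
                    // Only the first value is kept; multi-valued attributes lose their remaining values here.
                    attributes.put(attribute.getName(), ((XMLObject) attribute.getAttributeValues().get(0)).getTextContent());
                }
            }
        }
    }

    /**
     * @return the "O" component of an X.509 subject NameID, {@code null} when the NameID is absent or not in
     *         X509SubjectName format, {@code ""} when there is no Subject or no "O" component
     */
    private String extractCvr(Assertion assertion) {
        return assertion.getSubject() != null ? getX509NameIdValue("O", assertion.getSubject().getNameID()) : "";
    }

    /**
     * Adds one authority per privilege in the OIO-BPP "Privileges_intermediate" attribute, carrying the
     * privilege group's constraints and scope.
     *
     * @throws InternalException when the base64-decoded privilege XML cannot be parsed
     */
    private void extractRolesFromOioBpp(Assertion assertion, List<SamlGrantedAuthority> authorities) throws InternalException {
        if (assertion.getAttributeStatements() == null) {
            return;
        }
        for (AttributeStatement statement : assertion.getAttributeStatements()) {
            if (statement.getAttributes() == null) {
                continue;
            }
            Map<String, String> values = this.samlHelperService.extractAttributeValues(statement);
            String encoded = values.get(PRIVILEGES_INTERMEDIATE_ATTRIBUTE);
            if (encoded == null) {
                continue;
            }
            PrivilegeList privilegeList = parsePrivilegeList(Base64.getDecoder().decode(encoded));
            for (PrivilegeList.PrivilegeGroup group : privilegeList.getPrivilegeGroup()) {
                // Constraints are shared by every privilege in the group; build them once.
                ArrayList<SamlGrantedAuthority.Constraint> constraints = null;
                if (group.getConstraint() != null) {
                    constraints = new ArrayList<>();
                    for (PrivilegeList.Constraint constraint : group.getConstraint()) {
                        constraints.add(new SamlGrantedAuthority.Constraint(constraint.getName(), constraint.getValue()));
                    }
                }
                if (group.getPrivilege() == null) {
                    continue;
                }
                for (PrivilegeList.Privilege privilege : group.getPrivilege()) {
                    SamlGrantedAuthority.SamlGrantedAuthorityBuilder builder = SamlGrantedAuthority.builder();
                    builder.authority(ROLE_PREFIX + privilege.getValue());
                    if (constraints != null) {
                        builder.constraints(constraints);
                    }
                    if (StringUtils.hasLength(group.getScope())) {
                        builder.scope(group.getScope());
                    }
                    authorities.add(builder.build());
                }
            }
        }
    }

    /**
     * Unmarshals PrivilegeList XML taken from the assertion. DTD processing and external entities are
     * switched off on the StAX parser before the bytes reach JAXB (the OWASP recommendation for JAXB, whose
     * Unmarshaller has no such switches itself), and the bytes are parsed as an InputStream so the XML
     * declaration's encoding is honoured instead of the platform default charset.
     *
     * @throws InternalException when the XML is malformed or does not match {@link PrivilegeList}
     */
    private PrivilegeList parsePrivilegeList(byte[] xml) throws InternalException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = null;
        try {
            reader = factory.createXMLStreamReader(new ByteArrayInputStream(xml));
            return (PrivilegeList) privilegeListContext().createUnmarshaller().unmarshal(reader);
        } catch (JAXBException | XMLStreamException e) {
            throw new InternalException((Throwable) e);
        } finally {
            if (reader != null) {
                try {
                    reader.close();
                } catch (XMLStreamException ignored) {
                    // The document has already been consumed or rejected; there is nothing further to release.
                }
            }
        }
    }

    /** Returns the shared PrivilegeList JAXBContext, creating it on first use (a duplicate create under a race is harmless). */
    private JAXBContext privilegeListContext() throws JAXBException {
        JAXBContext context = this.privilegeListContext;
        if (context == null) {
            context = JAXBContext.newInstance(PrivilegeList.class);
            this.privilegeListContext = context;
        }
        return context;
    }

    /**
     * Adds one authority per value of the configured role claim (name compared case-insensitively).
     * Does nothing when no role claim name is configured.
     */
    private void extractRolesFromClaim(Assertion assertion, List<SamlGrantedAuthority> authorities) {
        String roleClaimName = this.configuration.getClaims().getRoleClaimName();
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (!StringUtils.hasLength(roleClaimName) || statements == null || statements.isEmpty()) {
            return;
        }
        for (AttributeStatement statement : statements) {
            List<Attribute> attributes = statement.getAttributes();
            if (attributes == null || attributes.isEmpty()) {
                continue;
            }
            for (Attribute attribute : attributes) {
                if (!roleClaimName.equalsIgnoreCase(attribute.getName()) || attribute.getAttributeValues() == null) {
                    continue;
                }
                for (XMLObject value : attribute.getAttributeValues()) {
                    // assumes the unmarshalled value still has its DOM attached (getDOM() non-null) — TODO confirm
                    authorities.add(new SamlGrantedAuthority(ROLE_PREFIX + value.getDOM().getTextContent()));
                }
            }
        }
    }

    /**
     * Reads one RDN component out of an X509SubjectName NameID.
     *
     * @param key    the RDN type, e.g. {@code "CN"}, {@code "O"}, {@code "Serial"} (case-sensitive)
     * @param nameID the subject NameID, may be {@code null}
     * @return {@code null} when the NameID is missing, empty or not in X509SubjectName format; otherwise the
     *         component's value, or {@code ""} when the DN has no such component
     */
    private static String getX509NameIdValue(String key, NameID nameID) {
        if (nameID == null || !StringUtils.hasLength(nameID.getValue())
                || !Objects.equals(nameID.getFormat(), X509_SUBJECT_NAME_FORMAT)) {
            return null;
        }
        return extractRdnValue(nameID.getValue(), key);
    }

    /**
     * Finds {@code key=} at the start of an RDN (beginning of the string, or right after a comma and optional
     * spaces) and returns the text up to the next comma. Matching only at RDN boundaries avoids picking up
     * {@code key=} inside another component's type or value, which a plain indexOf would do.
     * Escaped commas inside values are not handled (the original did not either).
     */
    private static String extractRdnValue(String dn, String key) {
        String needle = key + "=";
        for (int idx = dn.indexOf(needle); idx >= 0; idx = dn.indexOf(needle, idx + 1)) {
            int before = idx - 1;
            while (before >= 0 && dn.charAt(before) == ' ') {
                before--;
            }
            if (before < 0 || dn.charAt(before) == ',') {
                int start = idx + needle.length();
                int end = dn.indexOf(',', start);
                return end < 0 ? dn.substring(start) : dn.substring(start, end);
            }
        }
        return "";
    }

    /** Serializes the assertion compactly (no XML declaration, no pretty-print) for storage on the TokenUser. */
    private String tokenToRawString(Assertion assertion) throws MarshallingException {
        return serializeAssertion(assertion, false);
    }

    /**
     * Marshals the assertion back to XML with the DOM Level 3 LS serializer.
     *
     * @param prettyPrint whether to indent the output (used for logging) or keep it compact (used for storage)
     */
    private static String serializeAssertion(Assertion assertion, boolean prettyPrint) throws MarshallingException {
        Element element = new AssertionMarshaller().marshall(assertion);
        DOMImplementationLS ls = (DOMImplementationLS) element.getOwnerDocument().getImplementation().getFeature("LS", "3.0");
        StringWriter out = new StringWriter();
        LSOutput output = ls.createLSOutput();
        output.setCharacterStream(out);
        LSSerializer serializer = ls.createLSSerializer();
        serializer.getDomConfig().setParameter("xml-declaration", false);
        serializer.getDomConfig().setParameter("format-pretty-print", prettyPrint);
        serializer.write(element, output);
        return out.toString();
    }

    /**
     * Logs the assertion in the form selected by the SP configuration. Logging failures are reported but never
     * interrupt the login.
     */
    private void logAssertion(Assertion assertion) {
        try {
            switch (this.configuration.getSp().getAssertionLogging()) {
                case FULL:
                    logFullToken(assertion);
                    break;
                case COMPACT:
                    logCompactToken(assertion);
                    break;
                default:
                    // any other setting means "do not log the assertion"
                    break;
            }
        } catch (Exception e) {
            log.error("Failed to log token", e);
        }
    }

    /** Logs the complete, pretty-printed assertion at INFO. Gated by configuration, as it contains personal data. */
    private void logFullToken(Assertion assertion) throws MarshallingException {
        log.info("Full token =\n" + serializeAssertion(assertion, true));
    }

    /**
     * Logs a JSON summary (NameID, CVR, roles) of the assertion at INFO. Roles come from the configured role
     * claim when one is set, otherwise from the decoded OIO-BPP privilege XML. The summary is now logged even
     * when a role claim is configured but the assertion has no attribute statements (roles stay unset).
     */
    private void logCompactToken(Assertion assertion) throws JsonProcessingException {
        CompactToken compactToken = new CompactToken();
        if (assertion.getSubject() != null && assertion.getSubject().getNameID() != null) {
            compactToken.setNameId(assertion.getSubject().getNameID().getValue());
        }
        compactToken.setCvr(extractCvr(assertion));

        String roleClaimName = this.configuration.getClaims().getRoleClaimName();
        List<AttributeStatement> statements = assertion.getAttributeStatements();
        if (statements != null) {
            String roles = StringUtils.hasLength(roleClaimName)
                    ? compactRolesFromClaim(statements, roleClaimName)
                    : compactRolesFromOioBpp(statements);
            if (roles != null) {
                compactToken.setRoles(roles);
            }
        }
        log.info("Compact token = " + JSON.writeValueAsString(compactToken));
    }

    /**
     * @return the comma-joined values of the last attribute whose name matches {@code roleClaimName}
     *         (case-insensitively), or {@code null} when no attribute matches
     */
    private static String compactRolesFromClaim(List<AttributeStatement> statements, String roleClaimName) {
        String roles = null;
        for (AttributeStatement statement : statements) {
            List<Attribute> attributes = statement.getAttributes();
            if (attributes == null) {
                continue;
            }
            for (Attribute attribute : attributes) {
                if (roleClaimName.equalsIgnoreCase(attribute.getName())) {
                    // the last matching attribute wins, as before
                    roles = joinTextContent(attribute.getAttributeValues());
                }
            }
        }
        return roles;
    }

    /** Joins the DOM text of each value with "," ({@code ""} for a null or empty list). */
    private static String joinTextContent(List<XMLObject> values) {
        StringBuilder sb = new StringBuilder();
        if (values == null) {
            return sb.toString();
        }
        for (XMLObject value : values) {
            if (sb.length() > 0) {
                sb.append(",");
            }
            // assumes the unmarshalled value still has its DOM attached (getDOM() non-null) — TODO confirm
            sb.append(value.getDOM().getTextContent());
        }
        return sb.toString();
    }

    /**
     * @return the decoded (UTF-8) PrivilegeList XML of the first statement carrying the OIO-BPP attribute,
     *         or {@code null} when none does. The XML is logged verbatim, not parsed.
     */
    private String compactRolesFromOioBpp(List<AttributeStatement> statements) {
        for (AttributeStatement statement : statements) {
            if (statement.getAttributes() == null) {
                continue;
            }
            String encoded = this.samlHelperService.extractAttributeValues(statement).get(PRIVILEGES_INTERMEDIATE_ATTRIBUTE);
            if (encoded != null) {
                return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
            }
        }
        return null;
    }
}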
