package org.apereo.cas.support.saml.web.idp.profile;

import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import net.shibboleth.utilities.java.support.net.URLBuilder;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.PrincipalException;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.saml.idp.SamlIdPCoreProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicyContext;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.web.idp.profile.builders.AuthenticatedAssertionContext;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileBuilderContext;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.DateTimeUtils;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.web.BrowserSessionStorage;
import org.apereo.cas.web.cookie.CasCookieBuilder;
import org.apereo.cas.web.flow.SingleSignOnParticipationRequest;
import org.apereo.cas.web.flow.SingleSignOnParticipationStrategy;
import org.apereo.cas.web.support.WebUtils;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.validation.Assertion;
import org.jooq.lambda.fi.util.function.CheckedSupplier;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder;
import org.opensaml.saml.common.SAMLException;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.binding.BindingDescriptor;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.saml2.binding.decoding.impl.HTTPSOAP11Decoder;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.metadata.Endpoint;
import org.pac4j.jee.context.JEEContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.RedirectView;

/**
 * Base controller shared by the SAML2 IdP profile endpoints (SSO POST/redirect, SOAP, callback).
 * <p>
 * This is decompiler (JADX) output of the CAS class: Lombok-generated members carry {@code @Generated},
 * {@code $lock} backs the {@code synchronized} blocks of the request store/retrieve methods, and several
 * methods that were {@code protected} in the original appear as {@code public} (see the JADX notes).
 * <p>
 * Common flow: an incoming {@link AuthnRequest} is verified against the service registry and the SP's
 * metadata ({@link #verifySamlAuthenticationRequest}), then either answered from an existing single
 * sign-on session ({@link #buildResponseBasedSingleSignOnSession}) or parked in the session store while
 * the browser is redirected to CAS login ({@link #issueAuthenticationRequestRedirect}). Every collaborator
 * (services manager, ticket registry, session store, signature validator, response builder) is taken
 * from {@link #configurationContext}.
 */
@Controller
/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/AbstractSamlIdPProfileHandlerController.class */
public abstract class AbstractSamlIdPProfileHandlerController {

    /** Class logger (Lombok-generated). */
    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractSamlIdPProfileHandlerController.class);

    /**
     * Monitor generated by Lombok for the {@code synchronized} blocks in
     * {@link #retrieveAuthenticationRequest} and {@link #storeAuthenticationRequest}.
     */
    @Generated
    private final Object $lock = new Object[0];
    /** Holder for all collaborators used by this controller and its subclasses. */
    protected final SamlProfileHandlerConfigurationContext configurationContext;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Logs the outcome of CAS ticket validation at DEBUG level.
     * <p>
     * NOTE(review): the last two lines dump the complete attribute maps of the assertion and of the
     * principal, which typically contain personal data; DEBUG output from this logger should be
     * treated (retention, access) accordingly.
     *
     * @param assertion the validated CAS assertion
     */
    public static void logCasValidationAssertion(Assertion assertion) {
        LOGGER.debug("CAS Assertion Valid: [{}]", Boolean.valueOf(assertion.isValid()));
        LOGGER.debug("CAS Assertion Principal: [{}]", assertion.getPrincipal().getName());
        LOGGER.debug("CAS Assertion authentication Date: [{}]", assertion.getAuthenticationDate());
        LOGGER.debug("CAS Assertion ValidFrom Date: [{}]", assertion.getValidFromDate());
        LOGGER.debug("CAS Assertion ValidUntil Date: [{}]", assertion.getValidUntilDate());
        LOGGER.debug("CAS Assertion Attributes: [{}]", assertion.getAttributes());
        LOGGER.debug("CAS Assertion Principal Attributes: [{}]", assertion.getPrincipal().getAttributes());
    }

    /**
     * Stores {@code str} as the RelayState of the message context carried in {@code pair}.
     * <p>
     * The servlet request/response arguments are not used. The value reaches this method from
     * {@link #buildAuthenticationContextPair}, i.e. either the RelayState already bound by the SAML
     * binding or the raw {@code RelayState} request parameter, so it is client-supplied input.
     *
     * @param httpServletRequest  the current request (unused)
     * @param httpServletResponse the current response (unused)
     * @param pair                the SAML request and its message context
     * @param str                 relay state to bind; may be {@code null}
     * @return the message context taken from {@code pair}, now carrying the relay state
     */
    protected static MessageContext bindRelayStateParameter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Pair<? extends RequestAbstractType, MessageContext> pair, String str) {
        MessageContext messageContext = (MessageContext) pair.getValue();
        LOGGER.trace("Relay state is [{}]", str);
        SAMLBindingSupport.setRelayState(messageContext, str);
        return messageContext;
    }

    /**
     * Renders the generic "unauthorized service" view for principal, service-registry and SAML
     * failures raised by the profile handlers.
     *
     * @param httpServletRequest the current request (unused)
     * @param exc                the exception that aborted the request
     * @return the error view produced by {@link WebUtils#produceUnauthorizedErrorView}
     */
    @ExceptionHandler({PrincipalException.class, UnauthorizedServiceException.class, SamlException.class})
    public ModelAndView handleUnauthorizedServiceException(HttpServletRequest httpServletRequest, Exception exc) {
        return WebUtils.produceUnauthorizedErrorView(exc);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves the SP metadata facade for a registered service, keyed by the incoming SAML request.
     *
     * @param samlRegisteredService the registered service whose metadata is wanted
     * @param requestAbstractType   the SAML request the lookup is scoped to
     * @return the facade, or empty if the caching metadata resolver has none
     */
    public Optional<SamlRegisteredServiceServiceProviderMetadataFacade> getSamlMetadataFacadeFor(SamlRegisteredService samlRegisteredService, RequestAbstractType requestAbstractType) {
        return SamlRegisteredServiceServiceProviderMetadataFacade.get(this.configurationContext.getSamlRegisteredServiceCachingMetadataResolver(), samlRegisteredService, requestAbstractType);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves the SP metadata facade for a registered service, keyed by an entity id string.
     *
     * @param samlRegisteredService the registered service whose metadata is wanted
     * @param str                   the entity id the lookup is scoped to
     * @return the facade, or empty if the caching metadata resolver has none
     */
    public Optional<SamlRegisteredServiceServiceProviderMetadataFacade> getSamlMetadataFacadeFor(SamlRegisteredService samlRegisteredService, String str) {
        return SamlRegisteredServiceServiceProviderMetadataFacade.get(this.configurationContext.getSamlRegisteredServiceCachingMetadataResolver(), samlRegisteredService, str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves the SAML registered service for an issuer/entity id and checks that access is allowed.
     * <p>
     * The lookup goes through the services manager with a synthetic web application service whose
     * {@code entityId} attribute is set to {@code str}, restricted to {@link SamlRegisteredService}.
     *
     * @param str the SP entity id (issuer of the request)
     * @return the matching, access-allowed registered service
     * @throws UnauthorizedServiceException if {@code str} is blank, no {@link SamlRegisteredService}
     *                                      matches, or its access strategy denies access
     */
    public SamlRegisteredService verifySamlRegisteredService(String str) {
        if (StringUtils.isBlank(str)) {
            throw new UnauthorizedServiceException("screen.service.error.message", "Could not verify/locate SAML registered service since no serviceId is provided");
        }
        WebApplicationService createService = this.configurationContext.getWebApplicationServiceFactory().createService(str);
        createService.getAttributes().put("entityId", CollectionUtils.wrapList(new Object[]{str}));
        LOGGER.debug("Checking service access in CAS service registry for [{}]", createService);
        SamlRegisteredService findServiceBy = this.configurationContext.getServicesManager().findServiceBy(createService, SamlRegisteredService.class);
        if (findServiceBy == null || !findServiceBy.getAccessStrategy().isServiceAccessAllowed()) {
            // Unknown and denied services are reported identically; the issuer only goes to the log, not to the view.
            LOGGER.warn("[{}] is not found in the registry or service access is denied.", str);
            throw new UnauthorizedServiceException("screen.service.error.message");
        }
        LOGGER.debug("Located SAML service in the registry as [{}] with the metadata location of [{}]", findServiceBy.getServiceId(), findServiceBy.getMetadataLocation());
        return findServiceBy;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Type inference failed for: r0v17, types: [org.apereo.cas.support.saml.web.idp.profile.builders.AuthenticatedAssertionContext$AuthenticatedAssertionContextBuilder] */
    /**
     * Builds the assertion context that feeds the SAML response from an authenticated CAS session.
     * <p>
     * Attributes are those released by the registered service's attribute release policy for this
     * principal, plus {@code map}, merged with the authentication attributes the configured
     * authentication attribute release policy allows. Both {@code authenticationDate} and
     * {@code validFromDate} are set to the authentication's date.
     *
     * @param authentication    the CAS authentication backing the SSO session
     * @param service           the service (SP) being accessed
     * @param registeredService the registered service definition for the SP
     * @param map               extra attributes to include; merged into the released attributes
     * @return the populated assertion context
     */
    public AuthenticatedAssertionContext buildCasAssertion(Authentication authentication, Service service, RegisteredService registeredService, Map<String, List<Object>> map) {
        // Raw Map is decompiler output. putAll below mutates the map returned by the release policy;
        // assumed to be a fresh copy rather than a shared/cached instance — TODO confirm.
        Map attributes = registeredService.getAttributeReleasePolicy().getAttributes(RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(registeredService).service(service).principal(authentication.getPrincipal()).build());
        String resolveUsername = registeredService.getUsernameAttributeProvider().resolveUsername(authentication.getPrincipal(), service, registeredService);
        attributes.putAll(map);
        return AuthenticatedAssertionContext.builder().name(resolveUsername).authenticationDate(DateTimeUtils.zonedDateTimeOf(authentication.getAuthenticationDate())).validFromDate(DateTimeUtils.zonedDateTimeOf(authentication.getAuthenticationDate())).attributes(CollectionUtils.merge(new Map[]{attributes, this.configurationContext.getAuthenticationAttributeReleasePolicy().getAuthenticationAttributesForRelease(authentication, (org.apereo.cas.validation.Assertion) null, Map.of(), registeredService)})).build();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Type inference failed for: r0v1, types: [org.apereo.cas.support.saml.web.idp.profile.builders.AuthenticatedAssertionContext$AuthenticatedAssertionContextBuilder] */
    /**
     * Minimal assertion context carrying only a name and attributes; no dates are set and
     * {@code registeredService} is not consulted.
     *
     * @param str               the subject name
     * @param registeredService the registered service (unused here)
     * @param map               the attributes to carry
     * @return the assertion context
     */
    public AuthenticatedAssertionContext buildCasAssertion(String str, RegisteredService registeredService, Map<String, Object> map) {
        return AuthenticatedAssertionContext.builder().name(str).attributes(map).build();
    }

    /**
     * Sends the browser to CAS login so the user authenticates before a SAML response is built.
     * <p>
     * The CAS {@code service} parameter is the callback URL from {@link #constructServiceUrl}, which
     * also parks the authentication request in the session store. The request's {@code ForceAuthn}
     * and {@code IsPassive} flags are passed to {@link CommonUtils#constructRedirectUrl} as its
     * renew and gateway flags.
     * <p>
     * With {@code sessionStorageType == BROWSER_SESSION_STORAGE} no redirect is issued directly: the
     * destination URL is written into the trackable browser session storage and the
     * {@code storage/casSessionStorageWriteView} view performs the navigation. Otherwise a 302 is returned.
     *
     * @param pair                the {@link AuthnRequest} and its message context
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @return a 302 redirect to CAS login, or the session-storage write view
     * @throws Exception             propagated from URL construction / request storage
     * @throws IllegalStateException if browser session storage is configured but no trackable
     *                               session can be obtained
     */
    protected ModelAndView issueAuthenticationRequestRedirect(Pair<? extends SignableSAMLObject, MessageContext> pair, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        AuthnRequest authnRequest = (AuthnRequest) pair.getLeft();
        String constructServiceUrl = constructServiceUrl(httpServletRequest, httpServletResponse, pair);
        LOGGER.debug("Created service url [{}]", DigestUtils.abbreviate(constructServiceUrl));
        CasConfigurationProperties casProperties = this.configurationContext.getCasProperties();
        String constructRedirectUrl = CommonUtils.constructRedirectUrl(casProperties.getServer().getLoginUrl(), "service", constructServiceUrl, authnRequest.isForceAuthn().booleanValue(), authnRequest.isPassive().booleanValue());
        LOGGER.debug("Redirecting SAML authN request to [{}]", constructRedirectUrl);
        if (casProperties.getAuthn().getSamlIdp().getCore().getSessionStorageType() != SamlIdPCoreProperties.SessionStorageTypes.BROWSER_SESSION_STORAGE) {
            // Duplicate of the debug line above; harmless.
            LOGGER.debug("Redirecting SAML authN request to [{}]", constructRedirectUrl);
            ModelAndView modelAndView = new ModelAndView(new RedirectView(constructRedirectUrl));
            modelAndView.setStatus(HttpStatus.FOUND);
            return modelAndView;
        }
        Optional trackableSession = this.configurationContext.getSessionStore().getTrackableSession(new JEEContext(httpServletRequest, httpServletResponse));
        // Decompiler rendering of the method reference BrowserSessionStorage.class::cast;
        // the requireNonNull is the implicit null check a method reference performs on its receiver.
        Class<BrowserSessionStorage> cls = BrowserSessionStorage.class;
        Objects.requireNonNull(BrowserSessionStorage.class);
        BrowserSessionStorage browserSessionStorage = (BrowserSessionStorage) trackableSession.map(cls::cast).orElseThrow(() -> {
            return new IllegalStateException("Unable to determine trackable session for storage");
        });
        browserSessionStorage.setDestinationUrl(constructRedirectUrl);
        return new ModelAndView("storage/casSessionStorageWriteView", "sessionStorage", browserSessionStorage);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the CAS {@code service} URL that CAS login redirects back to after authentication.
     * <p>
     * The URL is the configured callback service with an {@code entityId} query parameter naming the
     * request's issuer, then passed through {@link CommonUtils#constructServiceUrl} with the configured
     * server name(s); the trailing {@code false} is that helper's {@code encode} flag.
     * <p>
     * Side effect: the authentication request and its context are stored in the session store via
     * {@link #storeAuthenticationRequest} before the URL is built, so the callback can resume them.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @param pair                the {@link AuthnRequest} and its message context
     * @return the callback service URL
     * @throws Exception propagated from request storage or URL building
     */
    public String constructServiceUrl(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Pair<? extends SignableSAMLObject, MessageContext> pair) throws Exception {
        AuthnRequest authnRequest = (AuthnRequest) pair.getLeft();
        URLBuilder uRLBuilder = new URLBuilder(this.configurationContext.getCallbackService().getId());
        uRLBuilder.getQueryParams().add(new net.shibboleth.utilities.java.support.collection.Pair("entityId", SamlIdPUtils.getIssuerFromSamlObject(authnRequest)));
        // Park the request for the callback before handing the browser off to CAS login.
        storeAuthenticationRequest(httpServletRequest, httpServletResponse, pair);
        String buildURL = uRLBuilder.buildURL();
        LOGGER.trace("Built service callback url [{}]", buildURL);
        return CommonUtils.constructServiceUrl(httpServletRequest, httpServletResponse, buildURL, this.configurationContext.getCasProperties().getServer().getName(), "service", "ticket", false);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Entry point for a freshly received authentication request.
     * <p>
     * Order matters: cookie path auto-configuration, then {@link #verifySamlAuthenticationRequest}
     * (issuer, registry access, metadata, signature policy), and only then the single sign-on lookup.
     * Without a usable SSO session the browser is sent to CAS login; otherwise the SAML response is
     * written straight to {@code httpServletResponse}. Note the (response, request) parameter order.
     *
     * @param pair                the {@link AuthnRequest} and its message context
     * @param httpServletResponse the current response
     * @param httpServletRequest  the current request
     * @return the redirect/storage view, or {@code null} when the response has already been written
     *         by {@link #buildResponseBasedSingleSignOnSession}
     * @throws Exception any verification or response-building failure
     */
    public ModelAndView initiateAuthenticationRequest(Pair<? extends RequestAbstractType, MessageContext> pair, HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws Exception {
        autoConfigureCookiePath(httpServletRequest);
        verifySamlAuthenticationRequest(pair, httpServletRequest);
        Optional<TicketGrantingTicket> singleSignOnSessionExists = singleSignOnSessionExists(pair, httpServletRequest, httpServletResponse);
        if (singleSignOnSessionExists.isEmpty()) {
            return issueAuthenticationRequestRedirect(pair, httpServletRequest, httpServletResponse);
        }
        buildResponseBasedSingleSignOnSession(pair, singleSignOnSessionExists.get(), httpServletRequest, httpServletResponse);
        return null;
    }

    /**
     * Answers the authentication request from an existing single sign-on session.
     * <p>
     * Re-resolves the registered service for the issuer, runs the (audited) registered-service access
     * strategy enforcer, builds the assertion context from the TGT's authentication, binds the relay
     * state, then creates a service ticket for the SP, updates the TGT and hands off to
     * {@link #buildSamlResponse}. {@code httpServletResponse.reset()} discards anything already
     * buffered before the SAML response is written.
     * <p>
     * Signature validation is not repeated here; callers are expected to have run
     * {@link #verifySamlAuthenticationRequest} first, as {@link #initiateAuthenticationRequest} does.
     *
     * @param pair                 the {@link AuthnRequest} and its message context
     * @param ticketGrantingTicket the SSO session selected by {@link #singleSignOnSessionExists}
     * @param httpServletRequest   the current request
     * @param httpServletResponse  the current response
     * @throws Exception on access denial or any response-building failure
     */
    protected void buildResponseBasedSingleSignOnSession(Pair<? extends RequestAbstractType, MessageContext> pair, TicketGrantingTicket ticketGrantingTicket, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        String issuerFromSamlObject = SamlIdPUtils.getIssuerFromSamlObject((AuthnRequest) pair.getLeft());
        WebApplicationService createService = this.configurationContext.getWebApplicationServiceFactory().createService(issuerFromSamlObject);
        createService.getAttributes().put("entityId", CollectionUtils.wrapList(new Object[]{issuerFromSamlObject}));
        // Unlike verifySamlRegisteredService this result is not null-checked; the enforcer below is
        // relied on to reject a missing or denied registered service — TODO confirm its contract.
        SamlRegisteredService findServiceBy = this.configurationContext.getServicesManager().findServiceBy(createService, SamlRegisteredService.class);
        this.configurationContext.getRegisteredServiceAccessStrategyEnforcer().execute(AuditableContext.builder().service(createService).authentication(ticketGrantingTicket.getAuthentication()).registeredService(findServiceBy).httpRequest(httpServletRequest).httpResponse(httpServletResponse).build()).throwExceptionIfNeeded();
        AuthenticatedAssertionContext buildCasAssertion = buildCasAssertion(ticketGrantingTicket.getAuthentication(), createService, findServiceBy, Map.of());
        Pair<? extends RequestAbstractType, MessageContext> buildAuthenticationContextPair = buildAuthenticationContextPair(httpServletRequest, httpServletResponse, pair);
        String determineProfileBinding = determineProfileBinding(buildAuthenticationContextPair);
        // Reads and re-sets the same relay state: effectively a no-op on the context.
        SAMLBindingSupport.setRelayState((MessageContext) buildAuthenticationContextPair.getRight(), SAMLBindingSupport.getRelayState((MessageContext) buildAuthenticationContextPair.getRight()));
        httpServletResponse.reset();
        // The service ticket is registered but not used further in this method; presumably it records
        // the SP access against the SSO session — confirm.
        getConfigurationContext().getTicketRegistry().addTicket(getConfigurationContext().getTicketFactory().get(ServiceTicket.class).create(ticketGrantingTicket, createService, false, ServiceTicket.class));
        getConfigurationContext().getTicketRegistry().updateTicket(ticketGrantingTicket);
        buildSamlResponse(httpServletResponse, httpServletRequest, buildAuthenticationContextPair, buildCasAssertion, determineProfileBinding);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Type inference failed for: r0v11, types: [org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileBuilderContext$SamlProfileBuilderContextBuilder] */
    /**
     * Builds and writes the SAML2 response for a verified authentication request.
     * <p>
     * The registered service and SP metadata facade are resolved again via
     * {@link #getRegisteredServiceAndFacade} and handed, together with the request, binding,
     * message context and assertion, to the configured response builder. {@code mo25build} is the
     * decompiler's renamed {@code build} method.
     *
     * @param httpServletResponse          the current response
     * @param httpServletRequest           the current request
     * @param pair                         the {@link AuthnRequest} and its message context (carrying the relay state)
     * @param authenticatedAssertionContext the assertion content to emit
     * @param str                          the binding to respond over (see {@link #determineProfileBinding})
     * @throws Exception propagated from the response builder
     */
    public void buildSamlResponse(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest, Pair<? extends RequestAbstractType, MessageContext> pair, AuthenticatedAssertionContext authenticatedAssertionContext, String str) throws Exception {
        AuthnRequest authnRequest = (AuthnRequest) AuthnRequest.class.cast(pair.getKey());
        Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> registeredServiceAndFacade = getRegisteredServiceAndFacade(authnRequest);
        String entityId = ((SamlRegisteredServiceServiceProviderMetadataFacade) registeredServiceAndFacade.getValue()).getEntityId();
        LOGGER.debug("Preparing SAML2 response for [{}]", entityId);
        this.configurationContext.getResponseBuilder().mo25build(SamlProfileBuilderContext.builder().samlRequest(authnRequest).httpRequest(httpServletRequest).httpResponse(httpServletResponse).authenticatedAssertion(authenticatedAssertionContext).registeredService((SamlRegisteredService) registeredServiceAndFacade.getKey()).adaptor((SamlRegisteredServiceServiceProviderMetadataFacade) registeredServiceAndFacade.getValue()).binding(str).messageContext((MessageContext) pair.getValue()).build());
        LOGGER.info("Built the SAML2 response for [{}]", entityId);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns a new pair with the same request whose message context carries the effective RelayState.
     * <p>
     * A relay state already present on the message context wins; otherwise the raw {@code RelayState}
     * request parameter is used. Either way the value is client-controlled and travels in the context
     * handed to the response builder, so downstream code must not trust it.
     *
     * @param httpServletRequest  the current request (source of the fallback parameter)
     * @param httpServletResponse the current response
     * @param pair                the {@link AuthnRequest} and its message context
     * @return a pair of the same request and the relay-state-bound context
     */
    public Pair<? extends RequestAbstractType, MessageContext> buildAuthenticationContextPair(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Pair<? extends RequestAbstractType, MessageContext> pair) {
        return Pair.of((RequestAbstractType) pair.getLeft(), bindRelayStateParameter(httpServletRequest, httpServletResponse, pair, (String) Optional.ofNullable(SAMLBindingSupport.getRelayState((MessageContext) pair.getValue())).orElseGet(() -> {
            return httpServletRequest.getParameter("RelayState");
        })));
    }

    /**
     * Looks for a single sign-on session that may satisfy this request without re-authentication.
     * <p>
     * Returns empty when the request sets {@code ForceAuthn}, when no ticket-granting ticket cookie
     * value is available, when that value does not resolve to a TGT, or when the configured
     * {@link SingleSignOnParticipationStrategy} does not support or does not allow participation. The
     * participation request exposes the service, its registered service, the issuer, the
     * authentication, the TGT id and the {@link AuthnRequest} as attributes for the strategy.
     *
     * @param pair                the {@link AuthnRequest} and its message context
     * @param httpServletRequest  the current request (source of the TGT cookie)
     * @param httpServletResponse the current response (unused)
     * @return the TGT to reuse, or empty when a fresh login is required
     */
    protected Optional<TicketGrantingTicket> singleSignOnSessionExists(Pair<? extends SignableSAMLObject, MessageContext> pair, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthnRequest authnRequest = (AuthnRequest) AuthnRequest.class.cast(pair.getLeft());
        if (authnRequest.isForceAuthn().booleanValue()) {
            LOGGER.trace("Authentication request asks for forced authn. Ignoring existing single sign-on session, if any");
            return Optional.empty();
        }
        // The cookie generator is assumed to decrypt/validate the cookie here, with blank meaning
        // "no usable session" — TODO confirm.
        String retrieveCookieValue = this.configurationContext.getTicketGrantingTicketCookieGenerator().retrieveCookieValue(httpServletRequest);
        if (StringUtils.isBlank(retrieveCookieValue)) {
            LOGGER.trace("Single sign-on session cannot be found or determined. Ignoring single sign-on session");
            return Optional.empty();
        }
        TicketGrantingTicket ticketGrantingTicket = this.configurationContext.getTicketRegistrySupport().getTicketGrantingTicket(retrieveCookieValue);
        if (ticketGrantingTicket == null) {
            LOGGER.debug("Authentication transaction linked to single sign-on session cannot determined.");
            return Optional.empty();
        }
        Authentication authentication = ticketGrantingTicket.getAuthentication();
        LOGGER.debug("Located single sign-on authentication for principal [{}]", authentication.getPrincipal());
        String issuerFromSamlObject = SamlIdPUtils.getIssuerFromSamlObject(authnRequest);
        WebApplicationService createService = this.configurationContext.getWebApplicationServiceFactory().createService(issuerFromSamlObject);
        // Note: this lookup is findServiceBy(service) without the SamlRegisteredService type filter
        // used elsewhere in this class.
        SingleSignOnParticipationRequest attribute = SingleSignOnParticipationRequest.builder().httpServletRequest(httpServletRequest).build().attribute(Service.class.getName(), createService).attribute(RegisteredService.class.getName(), this.configurationContext.getServicesManager().findServiceBy(createService)).attribute(Issuer.class.getName(), issuerFromSamlObject).attribute(Authentication.class.getName(), authentication).attribute(TicketGrantingTicket.class.getName(), retrieveCookieValue).attribute(AuthnRequest.class.getName(), authnRequest);
        SingleSignOnParticipationStrategy singleSignOnParticipationStrategy = this.configurationContext.getSingleSignOnParticipationStrategy();
        LOGGER.debug("Checking for single sign-on participation for issuer [{}]", issuerFromSamlObject);
        return singleSignOnParticipationStrategy.supports(attribute) && singleSignOnParticipationStrategy.isParticipating(attribute) ? Optional.of(ticketGrantingTicket) : Optional.empty();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Verifies an incoming authentication request before anything else is done with it.
     * <p>
     * Steps, in order: extract the issuer; resolve and authorize the registered service
     * ({@link #verifySamlRegisteredService}); load the SP metadata facade, failing closed if none;
     * apply the request-signature policy ({@link #verifyAuthenticationContextSignature}); resolve
     * the endpoint for the requested binding; log the request XML.
     *
     * @param pair               the {@link AuthnRequest} and its message context
     * @param httpServletRequest the current request
     * @return the registered service and its metadata facade
     * @throws UnauthorizedServiceException if the service is unknown/denied or has no resolvable metadata
     * @throws Exception                    signature or endpoint resolution failures
     */
    public Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> verifySamlAuthenticationRequest(Pair<? extends RequestAbstractType, MessageContext> pair, HttpServletRequest httpServletRequest) throws Exception {
        AuthnRequest authnRequest = (AuthnRequest) pair.getKey();
        String issuerFromSamlObject = SamlIdPUtils.getIssuerFromSamlObject(authnRequest);
        LOGGER.debug("Located issuer [{}] from authentication request", issuerFromSamlObject);
        SamlRegisteredService verifySamlRegisteredService = verifySamlRegisteredService(issuerFromSamlObject);
        LOGGER.debug("Fetching SAML2 metadata adaptor for [{}]", issuerFromSamlObject);
        Optional optional = SamlRegisteredServiceServiceProviderMetadataFacade.get(this.configurationContext.getSamlRegisteredServiceCachingMetadataResolver(), verifySamlRegisteredService, authnRequest);
        if (optional.isEmpty()) {
            // Fail closed: a known service without resolvable metadata is rejected.
            LOGGER.warn("No metadata could be found for [{}]", issuerFromSamlObject);
            throw new UnauthorizedServiceException("screen.service.error.message", "Cannot find metadata linked to " + issuerFromSamlObject);
        }
        SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade = (SamlRegisteredServiceServiceProviderMetadataFacade) optional.get();
        // The trust decision on the request itself is made here; see verifyAuthenticationContextSignature for the policy.
        verifyAuthenticationContextSignature((Pair<? extends SignableSAMLObject, MessageContext>) pair, httpServletRequest, (RequestAbstractType) authnRequest, samlRegisteredServiceServiceProviderMetadataFacade, verifySamlRegisteredService);
        Endpoint determineEndpointForRequest = SamlIdPUtils.determineEndpointForRequest(Pair.of(authnRequest, (MessageContext) pair.getRight()), samlRegisteredServiceServiceProviderMetadataFacade, determineProfileBinding(pair));
        LOGGER.debug("Determined SAML2 endpoint for authentication request as [{}]", StringUtils.defaultIfBlank(determineEndpointForRequest.getResponseLocation(), determineEndpointForRequest.getLocation()));
        SamlUtils.logSamlObject(this.configurationContext.getOpenSamlConfigBean(), authnRequest);
        return Pair.of(verifySamlRegisteredService, samlRegisteredServiceServiceProviderMetadataFacade);
    }

    /**
     * Convenience overload that unwraps the message context from {@code pair} and delegates to
     * {@link #verifyAuthenticationContextSignature(MessageContext, HttpServletRequest, RequestAbstractType, SamlRegisteredServiceServiceProviderMetadataFacade, SamlRegisteredService)}.
     *
     * @throws Exception as the delegate
     */
    protected void verifyAuthenticationContextSignature(Pair<? extends SignableSAMLObject, MessageContext> pair, HttpServletRequest httpServletRequest, RequestAbstractType requestAbstractType, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, SamlRegisteredService samlRegisteredService) throws Exception {
        verifyAuthenticationContextSignature((MessageContext) pair.getValue(), httpServletRequest, requestAbstractType, samlRegisteredServiceServiceProviderMetadataFacade, samlRegisteredService);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Enforces the request-signing policy derived from SP metadata and the registered service.
     * <p>
     * With {@code required = facade.isAuthnRequestsSigned() && !service.isSkipValidatingAuthnRequest()}:
     * <ul>
     *   <li>signed and required: the signature is validated by the configured signature validator;</li>
     *   <li>signed and not required: returns without validating the signature that is present;</li>
     *   <li>unsigned and not required: accepted;</li>
     *   <li>unsigned and required: rejected with {@link SAMLException}.</li>
     * </ul>
     * NOTE(review): in the second case a present signature is never checked, so an SP that does not
     * declare {@code AuthnRequestsSigned} gets no integrity check on its requests even when it signs
     * them; and {@code skipValidatingAuthnRequest} switches the check off for a service entirely, so
     * it should be treated as a sensitive registry setting.
     *
     * @param messageContext                                  the decoded binding context; {@link SAMLBindingSupport#isMessageSigned}
     *                                                        reports whether a signature was present
     * @param httpServletRequest                              the current request (needed by the validator)
     * @param requestAbstractType                             the SAML request whose signature is checked
     * @param samlRegisteredServiceServiceProviderMetadataFacade the SP metadata (source of {@code AuthnRequestsSigned})
     * @param samlRegisteredService                           the registered service (source of the skip flag)
     * @throws SAMLException if the request must be signed but is not
     * @throws Exception     propagated from the signature validator
     */
    public void verifyAuthenticationContextSignature(MessageContext messageContext, HttpServletRequest httpServletRequest, RequestAbstractType requestAbstractType, SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade, SamlRegisteredService samlRegisteredService) throws Exception {
        if (SAMLBindingSupport.isMessageSigned(messageContext)) {
            if (!samlRegisteredServiceServiceProviderMetadataFacade.isAuthnRequestsSigned() || samlRegisteredService.isSkipValidatingAuthnRequest()) {
                // Signature present but not required by policy: accepted without validation.
                return;
            }
            LOGGER.trace("The authentication context is signed; Proceeding to validate signatures...");
            // "IfNeeded" suggests the validator may apply further conditions of its own — confirm.
            this.configurationContext.getSamlObjectSignatureValidator().verifySamlProfileRequestIfNeeded(requestAbstractType, samlRegisteredServiceServiceProviderMetadataFacade, httpServletRequest, messageContext);
            return;
        }
        LOGGER.trace("The authentication context is not signed");
        if (!samlRegisteredServiceServiceProviderMetadataFacade.isAuthnRequestsSigned() || samlRegisteredService.isSkipValidatingAuthnRequest()) {
            LOGGER.trace("Request is not signed or validation is skipped, so there is no need to verify its signature.");
        } else {
            LOGGER.error("Metadata for [{}] says authentication requests are signed, yet request is not", samlRegisteredServiceServiceProviderMetadataFacade.getEntityId());
            throw new SAMLException("Request is not signed but should be");
        }
    }

    /**
     * Resolves the registered service and SP metadata facade for the issuer of {@code authnRequest}.
     * <p>
     * Delegates to {@link #verifySamlRegisteredService} (so registry access is enforced) and fails
     * closed when no metadata can be resolved.
     *
     * @param authnRequest the authentication request whose issuer identifies the SP
     * @return the registered service and its metadata facade
     * @throws UnauthorizedServiceException if the service is unknown/denied or has no resolvable metadata
     */
    protected Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> getRegisteredServiceAndFacade(AuthnRequest authnRequest) {
        String issuerFromSamlObject = SamlIdPUtils.getIssuerFromSamlObject(authnRequest);
        LOGGER.debug("Located issuer [{}] from authentication context", issuerFromSamlObject);
        SamlRegisteredService verifySamlRegisteredService = verifySamlRegisteredService(issuerFromSamlObject);
        LOGGER.debug("Located SAML metadata for [{}]", verifySamlRegisteredService.getServiceId());
        Optional<SamlRegisteredServiceServiceProviderMetadataFacade> samlMetadataFacadeFor = getSamlMetadataFacadeFor(verifySamlRegisteredService, (RequestAbstractType) authnRequest);
        if (samlMetadataFacadeFor.isEmpty()) {
            throw new UnauthorizedServiceException("screen.service.error.message", "Cannot find metadata linked to " + issuerFromSamlObject);
        }
        return Pair.of(verifySamlRegisteredService, samlMetadataFacadeFor.get());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Decodes a SAML message delivered over the HTTP SOAP 1.1 binding.
     * <p>
     * Any {@link Throwable} raised while decoding is handled by {@link FunctionUtils#doAndHandle} and
     * mapped to a {@code null} result, so callers must null-check; whether the cause is logged depends
     * on {@code doAndHandle}, which is not visible here.
     *
     * @param httpServletRequest the SOAP request to decode
     * @return the decoded message context, or {@code null} on any decoding failure
     */
    public MessageContext decodeSoapRequest(final HttpServletRequest httpServletRequest) {
        return (MessageContext) FunctionUtils.doAndHandle(new CheckedSupplier<MessageContext>() { // from class: org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController.1
            /* renamed from: get, reason: merged with bridge method [inline-methods] */
            public MessageContext m6get() throws Throwable {
                HTTPSOAP11Decoder hTTPSOAP11Decoder = new HTTPSOAP11Decoder();
                hTTPSOAP11Decoder.setParserPool(AbstractSamlIdPProfileHandlerController.this.configurationContext.getOpenSamlConfigBean().getParserPool());
                hTTPSOAP11Decoder.setHttpServletRequest(httpServletRequest);
                BindingDescriptor bindingDescriptor = new BindingDescriptor();
                // In this decompiled form getClass() is the anonymous CheckedSupplier (likely a lambda in the
                // original, where it would be the controller), so the descriptor id/short name is the
                // anonymous class name — confirm against the original source.
                bindingDescriptor.setId(getClass().getName());
                bindingDescriptor.setShortName(getClass().getName());
                bindingDescriptor.setSignatureCapable(true);
                bindingDescriptor.setSynchronous(true);
                hTTPSOAP11Decoder.setBindingDescriptor(bindingDescriptor);
                hTTPSOAP11Decoder.initialize();
                hTTPSOAP11Decoder.decode();
                return hTTPSOAP11Decoder.getMessageContext();
            }
        }, th -> {
            // Failure handler: every decoding error collapses to null.
            return null;
        }).get();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Sets the path of the SAML distributed-session cookie from the servlet context path.
     * <p>
     * Applies only when {@code sessionStorageType == TICKET_REGISTRY} and
     * {@code casProperties.getSessionReplication().getCookie().isAutoConfigureCookiePath()} is true.
     * An already configured path is left untouched (logged at TRACE); otherwise the path becomes
     * {@code <contextPath>/}, or {@code /} for the root context.
     * <p>
     * This mutates the shared cookie generator from a request thread; the write is guarded only by the
     * blank check, so concurrent first requests may both perform it (with the same value).
     *
     * @param httpServletRequest the current request (source of the context path)
     */
    public void autoConfigureCookiePath(HttpServletRequest httpServletRequest) {
        CasConfigurationProperties casProperties = this.configurationContext.getCasProperties();
        if (casProperties.getAuthn().getSamlIdp().getCore().getSessionStorageType() == SamlIdPCoreProperties.SessionStorageTypes.TICKET_REGISTRY && casProperties.getSessionReplication().getCookie().isAutoConfigureCookiePath()) {
            String contextPath = httpServletRequest.getContextPath();
            String str = StringUtils.isNotBlank(contextPath) ? contextPath + "/" : "/";
            CasCookieBuilder samlDistributedSessionCookieGenerator = this.configurationContext.getSamlDistributedSessionCookieGenerator();
            String cookiePath = samlDistributedSessionCookieGenerator.getCookiePath();
            if (!StringUtils.isBlank(cookiePath)) {
                LOGGER.trace("SAML2 authentication cookie domain is [{}] with path [{}]", samlDistributedSessionCookieGenerator.getCookieDomain(), cookiePath);
            } else {
                LOGGER.debug("Setting path for cookies for SAML2 distributed session cookie generator to: [{}]", str);
                samlDistributedSessionCookieGenerator.setCookiePath(str);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Handles an SSO profile request whose {@link AuthnRequest} is read with the given decoder.
     * <p>
     * Extracts the request via the configured SAML HTTP request extractor and delegates to
     * {@link #initiateAuthenticationRequest}; any failure, including a missing or undecodable request,
     * is turned into the generic error view by {@link WebUtils#produceErrorView}. Note the
     * (response, request) parameter order.
     *
     * @param httpServletResponse                       the current response
     * @param httpServletRequest                        the current request
     * @param baseHttpServletRequestXMLMessageDecoder the binding-specific decoder to use
     * @return the view from {@link #initiateAuthenticationRequest}, or the error view
     */
    public ModelAndView handleSsoPostProfileRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest, BaseHttpServletRequestXMLMessageDecoder baseHttpServletRequestXMLMessageDecoder) {
        return (ModelAndView) FunctionUtils.doAndHandle(() -> {
            Pair<? extends SignableSAMLObject, MessageContext> orElseThrow = getConfigurationContext().getSamlHttpRequestExtractor().extract(httpServletRequest, baseHttpServletRequestXMLMessageDecoder, AuthnRequest.class).orElseThrow(() -> {
                return new IllegalArgumentException("Unable to extract SAML request");
            });
            return initiateAuthenticationRequest(Pair.of((AuthnRequest) AuthnRequest.class.cast(orElseThrow.getLeft()), (MessageContext) orElseThrow.getRight()), httpServletResponse, httpServletRequest);
        }, WebUtils::produceErrorView).get();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reloads the authentication request parked by {@link #storeAuthenticationRequest} when the
     * browser returns from CAS login.
     * <p>
     * Guarded by {@code $lock} (Lombok {@code @Synchronized}), mirroring the store side; declared
     * {@code final}.
     *
     * @param httpServletResponse the current response
     * @param httpServletRequest  the current request
     * @return the stored {@link AuthnRequest} and its message context
     * @throws IllegalArgumentException if the session store holds no SAML request/context
     */
    public final Pair<? extends RequestAbstractType, MessageContext> retrieveAuthenticationRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) {
        Pair<? extends RequestAbstractType, MessageContext> pair;
        synchronized (this.$lock) {
            LOGGER.info("Received SAML callback profile request [{}]", httpServletRequest.getRequestURI());
            pair = (Pair) SamlIdPUtils.retrieveSamlRequest(new JEEContext(httpServletRequest, httpServletResponse), this.configurationContext.getSessionStore(), this.configurationContext.getOpenSamlConfigBean(), AuthnRequest.class).orElseThrow(() -> {
                return new IllegalArgumentException("SAML request or context could not be determined from session store");
            });
        }
        return pair;
    }

    /**
     * Parks the authentication request and its context in the session store so the callback can
     * resume it after CAS login. Guarded by {@code $lock} (Lombok {@code @Synchronized}).
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response
     * @param pair                the SAML request and its message context to store
     * @throws Exception propagated from the session store / serialization
     */
    protected void storeAuthenticationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Pair<? extends SignableSAMLObject, MessageContext> pair) throws Exception {
        synchronized (this.$lock) {
            SamlIdPUtils.storeSamlRequest(new JEEContext(httpServletRequest, httpServletResponse), this.configurationContext.getOpenSamlConfigBean(), this.configurationContext.getSessionStore(), pair);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Chooses the binding for the response: the request's {@code ProtocolBinding}, defaulting to
     * HTTP-POST when absent or blank.
     * <p>
     * The value is client-supplied. This method resolves the registered service and metadata for the
     * issuer and looks up the matching assertion consumer service, but only for logging; no other
     * validation of the binding happens here. NOTE(review): if
     * {@code getAssertionConsumerService(str)} returns {@code null} for a binding the SP does not
     * declare, the second debug log line would throw — confirm the facade's contract.
     *
     * @param pair the {@link AuthnRequest} and its message context
     * @return the chosen binding URI
     */
    public String determineProfileBinding(Pair<? extends RequestAbstractType, MessageContext> pair) {
        AuthnRequest authnRequest = (AuthnRequest) AuthnRequest.class.cast(pair.getKey());
        SamlRegisteredServiceServiceProviderMetadataFacade samlRegisteredServiceServiceProviderMetadataFacade = (SamlRegisteredServiceServiceProviderMetadataFacade) getRegisteredServiceAndFacade(authnRequest).getValue();
        String str = (String) StringUtils.defaultIfBlank(authnRequest.getProtocolBinding(), "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST");
        LOGGER.debug("Determined authentication request binding is [{}], issued by [{}]", str, authnRequest.getIssuer().getValue());
        String entityId = samlRegisteredServiceServiceProviderMetadataFacade.getEntityId();
        LOGGER.debug("Checking metadata for [{}] to see if binding [{}] is supported", entityId, str);
        LOGGER.debug("Binding [{}] is supported by [{}]", samlRegisteredServiceServiceProviderMetadataFacade.getAssertionConsumerService(str).getBinding(), entityId);
        return str;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates the controller with its collaborator holder (Lombok-generated constructor).
     *
     * @param samlProfileHandlerConfigurationContext holder for every collaborator this controller uses
     */
    @Generated
    public AbstractSamlIdPProfileHandlerController(SamlProfileHandlerConfigurationContext samlProfileHandlerConfigurationContext) {
        this.configurationContext = samlProfileHandlerConfigurationContext;
    }

    /**
     * Returns the collaborator holder (Lombok-generated accessor).
     *
     * @return the configuration context
     */
    @Generated
    public SamlProfileHandlerConfigurationContext getConfigurationContext() {
        return this.configurationContext;
    }
}
