package org.apereo.cas.support.saml.web.idp.profile.query;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.attribute.PrincipalAttributeRepositoryFetcher;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicyContext;
import org.apereo.cas.services.RegisteredServiceUsernameProviderContext;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController;
import org.apereo.cas.support.saml.web.idp.profile.SamlProfileHandlerConfigurationContext;
import org.apereo.cas.support.saml.web.idp.profile.builders.AuthenticatedAssertionContext;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileBuilderContext;
import org.apereo.cas.ticket.InvalidTicketException;
import org.apereo.cas.ticket.query.SamlAttributeQueryTicket;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.validation.Assertion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.saml2.core.AttributeQuery;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/query/SamlIdPSaml2AttributeQueryProfileHandlerController.class */
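/**
 * SAML2 IdP profile handler for the Attribute Query profile over the SOAP binding.
 * <p>
 * A service provider that previously received an assertion may ask for the subject's
 * attributes again. The request is only honoured when (1) the profile is enabled,
 * (2) the issuer maps to a registered SAML service with resolvable metadata,
 * (3) the request signature verifies, and (4) a live attribute-query ticket exists
 * for the (subject name id, service entity id) pair. Every failure after SOAP decoding
 * is answered with a SAML fault rather than a servlet error.
 * <p>
 * NOTE: this listing is decompiler output; {@code mo26build} is the decompiler's name
 * for the response builders' {@code build} method and is kept as-is here.
 */
public class SamlIdPSaml2AttributeQueryProfileHandlerController extends AbstractSamlIdPProfileHandlerController {

    /** SOAP binding identifier attached to both the success response and the fault response. */
    private static final String SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP";

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlIdPSaml2AttributeQueryProfileHandlerController.class);

    /**
     * Creates the controller.
     *
     * @param samlProfileHandlerConfigurationContext shared SAML IdP profile configuration
     */
    public SamlIdPSaml2AttributeQueryProfileHandlerController(final SamlProfileHandlerConfigurationContext samlProfileHandlerConfigurationContext) {
        super(samlProfileHandlerConfigurationContext);
    }

    /**
     * Handles a SAML2 {@code AttributeQuery} received over the SOAP binding.
     * <p>
     * Order matters for security: the issuer named in the query is first mapped to a registered
     * SAML service and its metadata facade, the request signature is verified with that facade,
     * and only then is the attribute-query ticket looked up and attributes assembled. The ticket
     * id is computed from the query subject plus the entity id taken from the resolved metadata
     * (not the raw {@code Issuer} string), so a service can only obtain attributes for subjects
     * that hold a live ticket bound to that service.
     * <p>
     * The SOAP body is type-checked before use: a payload that is not an {@code AttributeQuery}
     * (or no message at all) takes the same fault path as any other invalid request instead of
     * escaping the controller as a {@code ClassCastException}.
     * <p>
     * Any failure after decoding is logged and reported via the SAML fault response builder. The
     * exception message is placed in the {@code samlError} request attribute that builder reads,
     * so it is presumably surfaced to the requester; exceptions raised on this path should not
     * carry sensitive detail.
     *
     * @param httpServletResponse response the SAML response or fault is written to
     * @param httpServletRequest  request carrying the SOAP envelope
     * @throws Exception if the SOAP request cannot be decoded, or if building the fault response itself fails
     */
    @PostMapping(path = {"/idp/profile/SAML2/SOAP/AttributeQuery"})
    protected void handlePostRequest(final HttpServletResponse httpServletResponse, final HttpServletRequest httpServletRequest) throws Exception {
        if (!this.configurationContext.getCasProperties().getAuthn().getSamlIdp().getCore().isAttributeQueryProfileEnabled()) {
            LOGGER.warn("SAML2 attribute query profile is not enabled");
            httpServletResponse.setStatus(HttpServletResponse.SC_NOT_IMPLEMENTED);
            return;
        }
        final MessageContext messageContext = decodeSoapRequest(httpServletRequest);
        // Guarded cast: anything other than an AttributeQuery is treated as an absent query so the
        // null check inside the try reports it as a SAML fault.
        final Object decodedMessage = messageContext.getMessage();
        final AttributeQuery attributeQuery = decodedMessage instanceof AttributeQuery ? (AttributeQuery) decodedMessage : null;
        try {
            Objects.requireNonNull(attributeQuery, "SOAP request does not carry a SAML2 AttributeQuery");
            final String issuer = attributeQuery.getIssuer().getValue();
            final SamlRegisteredService registeredService = verifySamlRegisteredService(issuer);
            final SamlRegisteredServiceServiceProviderMetadataFacade adaptor =
                getSamlMetadataFacadeFor(registeredService, (RequestAbstractType) attributeQuery)
                    .orElseThrow(() -> new UnauthorizedServiceException("screen.service.error.message", "Cannot find metadata linked to " + issuer));
            // The signature check must precede any ticket lookup or attribute work.
            verifyAuthenticationContextSignature(messageContext, httpServletRequest, (RequestAbstractType) attributeQuery, adaptor, registeredService);

            final SamlAttributeQueryTicket ticket = fetchAttributeQueryTicket(attributeQuery, registeredService, adaptor);
            final Authentication authentication = ticket.getAuthentication();
            final Map<String, Object> attributes = collectAttributesForRelease(ticket, registeredService);
            final String principalId = registeredService.getUsernameAttributeProvider().resolveUsername(
                RegisteredServiceUsernameProviderContext.builder()
                    .registeredService(registeredService)
                    .service(ticket.getService())
                    .principal(authentication.getPrincipal())
                    .build());
            LOGGER.debug("Principal id used for attribute query response should be [{}]", principalId);
            LOGGER.debug("Final attributes to be processed for the SAML2 response are [{}]", attributes);

            final AuthenticatedAssertionContext casAssertion = buildCasAssertion(principalId, registeredService, attributes);
            // Stored on the request, keyed by the simple class name, for downstream builders.
            httpServletRequest.setAttribute(AttributeQuery.class.getSimpleName(), attributeQuery);
            getConfigurationContext().getResponseBuilder().mo26build(SamlProfileBuilderContext.builder()
                .samlRequest(attributeQuery)
                .httpRequest(httpServletRequest)
                .httpResponse(httpServletResponse)
                .authenticatedAssertion(Optional.of(casAssertion))
                .registeredService(registeredService)
                .adaptor(adaptor)
                .binding(SOAP_BINDING)
                .messageContext(messageContext)
                .build());
        } catch (final Exception e) {
            LoggingUtils.error(LOGGER, e);
            // The message ends up in the fault response consumed by the requester.
            httpServletRequest.setAttribute("samlError", "Unable to build SOAP response: " + StringUtils.defaultString(e.getMessage()));
            getConfigurationContext().getSamlFaultResponseBuilder().mo26build(SamlProfileBuilderContext.builder()
                .samlRequest(attributeQuery)
                .httpRequest(httpServletRequest)
                .httpResponse(httpServletResponse)
                .binding(SOAP_BINDING)
                .messageContext(messageContext)
                .build());
        }
    }

    /**
     * Looks up the attribute-query ticket for the query subject and the requesting service.
     * The ticket id is computed from the subject name id and the service's metadata entity id and
     * looked up directly in the ticket registry, so a live ticket for that pair is required before
     * any attributes are released.
     *
     * @param attributeQuery    the verified query
     * @param registeredService service resolved from the query issuer
     * @param adaptor           metadata facade of that service
     * @return the live ticket
     * @throws InvalidTicketException when no ticket exists for the pair or it has expired
     * @throws Exception              propagated from ticket id creation or subject decoding
     */
    private SamlAttributeQueryTicket fetchAttributeQueryTicket(final AttributeQuery attributeQuery,
                                                               final SamlRegisteredService registeredService,
                                                               final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) throws Exception {
        final String nameId = determineNameIdForQuery(attributeQuery, registeredService, adaptor);
        final String ticketId = getConfigurationContext().getTicketFactory()
            .get(SamlAttributeQueryTicket.class)
            .createTicketIdFor(nameId, adaptor.getEntityId());
        LOGGER.debug("Created ticket id for attribute query [{}]", ticketId);
        final SamlAttributeQueryTicket ticket = getConfigurationContext().getTicketRegistry().getTicket(ticketId, SamlAttributeQueryTicket.class);
        if (ticket == null || ticket.isExpired()) {
            LOGGER.warn("Attribute query ticket [{}] has either expired, or it is linked to a single sign-on session that is no longer valid and has now expired", ticketId);
            throw new InvalidTicketException(ticketId);
        }
        return ticket;
    }

    /**
     * Assembles the attributes handed to the response builder: the service release policy's
     * consentable attributes for a principal re-resolved from the attribute repositories, merged
     * with whatever the global authentication attribute release policy permits for this service.
     *
     * @param ticket            ticket carrying the authentication and the service
     * @param registeredService service whose policies apply
     * @return merged attribute map (authentication attributes merged after principal attributes)
     */
    private Map<String, Object> collectAttributesForRelease(final SamlAttributeQueryTicket ticket,
                                                            final SamlRegisteredService registeredService) {
        final Authentication authentication = ticket.getAuthentication();
        final Principal principal = resolvePrincipalForAttributeQuery(authentication, registeredService);
        final Map<String, List<Object>> principalAttributes = registeredService.getAttributeReleasePolicy().getConsentableAttributes(
            RegisteredServiceAttributeReleasePolicyContext.builder()
                .registeredService(registeredService)
                .service(ticket.getService())
                .principal(principal)
                .build());
        LOGGER.debug("Initial consentable principal attributes are [{}]", principalAttributes);
        final Map<String, List<Object>> authenticationAttributes = getConfigurationContext().getAuthenticationAttributeReleasePolicy()
            .getAuthenticationAttributesForRelease(authentication, (Assertion) null, Map.of(), registeredService);
        return CollectionUtils.merge(principalAttributes, authenticationAttributes);
    }

    /**
     * Re-resolves the principal's attributes from the configured attribute repositories, restricted
     * to the repository ids listed by the service's principal attributes repository (no restriction
     * ids when no service is given). The returned principal keeps the original principal id.
     *
     * @param authentication    authentication held by the attribute-query ticket
     * @param registeredService service whose repository ids apply; may be {@code null}
     * @return a fresh principal built from the retrieved attributes
     */
    private Principal resolvePrincipalForAttributeQuery(final Authentication authentication, final RegisteredService registeredService) {
        final HashSet<String> activeRepositoryIds = new HashSet<>(0);
        if (registeredService != null) {
            activeRepositoryIds.addAll(registeredService.getAttributeReleasePolicy().getPrincipalAttributesRepository().getAttributeRepositoryIds());
        }
        final Principal currentPrincipal = authentication.getPrincipal();
        final Map<String, List<Object>> attributes = PrincipalAttributeRepositoryFetcher.builder()
            .attributeRepository(getConfigurationContext().getAttributeRepository())
            .principalId(currentPrincipal.getId())
            .activeAttributeRepositoryIdentifiers(activeRepositoryIds)
            .currentPrincipal(currentPrincipal)
            .build()
            .retrieve();
        LOGGER.debug("Attributes retrieved from attribute repositories are [{}]", attributes);
        return PrincipalFactoryUtils.newPrincipalFactory().createPrincipal(currentPrincipal.getId(), attributes);
    }

    /**
     * Extracts the subject identifier the query is about: the plain {@code NameID} when present,
     * otherwise the {@code EncryptedID} decoded through the IdP's SAML object encrypter with the
     * service and its metadata facade. A query without a {@code Subject} fails here (NPE) and is
     * reported by the caller as a SAML fault.
     *
     * @param attributeQuery      the query
     * @param samlRegisteredService service resolved from the issuer
     * @param adaptor             metadata facade of that service
     * @return the subject name id value
     */
    private String determineNameIdForQuery(final AttributeQuery attributeQuery,
                                           final SamlRegisteredService samlRegisteredService,
                                           final SamlRegisteredServiceServiceProviderMetadataFacade adaptor) {
        if (attributeQuery.getSubject().getNameID() != null) {
            return attributeQuery.getSubject().getNameID().getValue();
        }
        return getConfigurationContext().getSamlObjectEncrypter()
            .decode(attributeQuery.getSubject().getEncryptedID(), samlRegisteredService, adaptor)
            .getValue();
    }
}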
