package org.apereo.cas.support.saml.web.idp.profile;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPConstants;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/SSOPostProfileCallbackHandlerController.class */
/**
 * Handles the callback leg of the SAML2 SSO POST profile: the browser returns here with a
 * CAS service ticket, which is validated before a SAML response is built for the
 * service provider that issued the original {@link AuthnRequest}.
 */
public class SSOPostProfileCallbackHandlerController extends AbstractSamlProfileHandlerController {

    /** Name of the request parameter that carries the CAS service ticket. */
    private static final String TICKET_PARAMETER = "ticket";

    /**
     * Validates the service ticket on the callback request and, when it is valid, builds the
     * SAML response for the issuer of the previously stored authentication request.
     *
     * <p>The response status is set to 403 and nothing else happens when either the original
     * authentication request cannot be retrieved or no ticket parameter is present.
     *
     * <p>NOTE(review): nothing in this method verifies the signature of the AuthnRequest, and the
     * registered-service lookup for the issuer runs only after the ticket has been validated.
     * Presumably both checks were already applied before the request was stored; confirm
     * against the endpoint that initiates the flow.
     *
     * @param httpServletResponse the response that receives either the 403 status or the SAML response
     * @param httpServletRequest the callback request, expected to carry the ticket parameter
     * @throws Exception if ticket validation or response building fails; a {@link SamlException}
     *     is thrown when the validated assertion reports itself as not valid
     */
    @RequestMapping(path = {SamlIdPConstants.ENDPOINT_SAML2_SSO_PROFILE_POST_CALLBACK}, method = {RequestMethod.GET})
    protected void handleCallbackProfileRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws Exception {
        // getRequestURI() excludes the query string, so the ticket value is not logged here.
        this.logger.info("Received SAML callback profile request [{}]", httpServletRequest.getRequestURI());

        final AuthnRequest authnRequest = retrieveAuthnRequest(httpServletRequest);
        if (authnRequest == null) {
            // Without the original request there is nothing to bind the ticket to: refuse.
            this.logger.error("Can not validate the request because the original Authn request can not be found.");
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        final String ticket = CommonUtils.safeGetParameter(httpServletRequest, TICKET_PARAMETER);
        if (StringUtils.isBlank(ticket)) {
            this.logger.error("Can not validate the request because no [{}] is provided via the request", TICKET_PARAMETER);
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        final Cas30ServiceTicketValidator validator = new Cas30ServiceTicketValidator(getServerPrefix());
        // ForceAuthn on the SAML request is carried over as "renew" on the CAS validation.
        // NOTE(review): the explicit unboxing throws NullPointerException if isForceAuthn()
        // ever returns null; verify the OpenSAML contract for an absent attribute.
        validator.setRenew(authnRequest.isForceAuthn().booleanValue());

        // The ticket is validated against the service URL rebuilt from this request.
        final String serviceUrl = constructServiceUrl(httpServletRequest, httpServletResponse, authnRequest);
        this.logger.debug("Created service url for validation: [{}]", serviceUrl);
        final Assertion assertion = validator.validate(ticket, serviceUrl);

        // NOTE(review): the purpose of this 1 ms pause is not evident from this file; confirm it is intentional.
        Thread.sleep(1L);
        logCasValidationAssertion(assertion);

        final boolean assertionValid = assertion.isValid();
        if (!assertionValid) {
            throw new SamlException("CAS assertion received is invalid. This normally indicates that the assertion received has expired  and is not valid within the time constraints of the authentication event");
        }

        // Resolve the service provider from the issuer named in the stored AuthnRequest.
        final String issuer = SamlIdPUtils.getIssuerFromSamlRequest(authnRequest);
        final SamlRegisteredService registeredService = verifySamlRegisteredService(issuer);
        final SamlRegisteredServiceServiceProviderMetadataFacade metadataFacade =
                getSamlMetadataFacadeFor(registeredService, authnRequest);

        this.logger.debug("Preparing SAML response for [{}]", metadataFacade.getEntityId());
        this.responseBuilder.build(authnRequest, httpServletRequest, httpServletResponse, assertion, registeredService, metadataFacade);
        this.logger.info("Built the SAML response for [{}]", metadataFacade.getEntityId());
    }
}
