package org.apereo.cas.support.saml.web.idp.profile;

import com.google.common.base.Throwables;
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Map;
import java.util.Optional;
import javax.annotation.PostConstruct;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.net.URLBuilder;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.apache.commons.collections4.map.CaseInsensitiveMap;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.RegexRegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPConstants;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileSamlResponseBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSigner;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.Pair;
import org.jasig.cas.client.authentication.DefaultAuthenticationRedirectStrategy;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.validation.Assertion;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.servlet.BaseHttpServletRequestXMLMessageDecoder;
import org.opensaml.saml.common.SAMLException;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;

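/**
 * Base class for the SAML2 IdP profile handler controllers.
 *
 * <p>It holds the collaborators every profile endpoint needs (service registry, SP
 * metadata resolver, OpenSAML parser pool, object signer, response builder) and
 * implements the shared steps of the SSO flow:
 * <ol>
 *   <li>decode the inbound SAML message from the servlet request ({@link #decodeRequest}),</li>
 *   <li>locate and authorise the requesting SP in the service registry
 *       ({@link #verifySamlRegisteredService}),</li>
 *   <li>enforce the SP's signing requirement ({@link #initiateAuthenticationRequest}),</li>
 *   <li>redirect the browser to the CAS login endpoint with a callback service URL that
 *       carries the original {@code AuthnRequest} ({@link #issueAuthenticationRequestRedirect}).</li>
 * </ol>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #registerCallback(String)} auto-registers a {@link RegexRegisteredService}
 *       whose pattern is {@code serverPrefix + path + ".+"}. The prefix is not regex-escaped
 *       and the entry uses the default access strategy, so every URL under that prefix is an
 *       acceptable CAS service for the callback.</li>
 *   <li>The {@code AuthnRequest} is round-tripped through the browser as the {@code SAMLRequest}
 *       query parameter of that callback URL and re-parsed by {@link #retrieveAuthnRequest}
 *       with no second signature check in this class. Whether that is safe presumably depends
 *       on the callback validating the CAS service ticket against the exact service URL;
 *       confirm in the subclass that handles the callback.</li>
 *   <li>XML parsing goes through the injected parser pools; their XXE/DTD hardening is
 *       configured elsewhere and is not verified here.</li>
 * </ul>
 *
 * <p>Collaborators are injected through the public setters; {@link #initialize()} runs once
 * injection is complete.
 */
@Controller
public abstract class AbstractSamlProfileHandlerController {
    /** Shared generator for the ids of auto-registered callback services. */
    private static final SecureRandom ID_GENERATOR = new SecureRandom();

    protected SamlObjectSigner samlObjectSigner;
    protected ParserPool parserPool;
    /** The CAS service representing this IdP's SSO callback endpoint; set by {@link #initialize()}. */
    protected Service callbackService;
    protected ServicesManager servicesManager;
    protected ServiceFactory<WebApplicationService> webApplicationServiceFactory;
    protected SamlRegisteredServiceCachingMetadataResolver samlRegisteredServiceCachingMetadataResolver;
    protected OpenSamlConfigBean configBean;
    protected SamlProfileSamlResponseBuilder responseBuilder;
    private String serverPrefix;
    private String serverName;
    /** Name of the CAS login parameter that selects an authentication method (e.g. an MFA provider). */
    private String authenticationContextRequestParameter;
    private String loginUrl;
    private String logoutUrl;
    private boolean forceSignedLogoutRequests;
    private boolean singleLogoutCallbacksDisabled;
    protected transient Logger logger = LoggerFactory.getLogger(getClass());
    /** SAML AuthnContextClassRef URI -> CAS authentication method value; keys are case-insensitive. */
    protected Map<String, String> authenticationContextClassMappings = new CaseInsensitiveMap();

    /**
     * Registers the SSO POST-profile callback endpoint as a CAS service once all
     * collaborators have been injected.
     */
    @PostConstruct
    protected void initialize() {
        this.callbackService = registerCallback(SamlIdPConstants.ENDPOINT_SAML2_SSO_PROFILE_POST_CALLBACK);
    }

    /**
     * Resolves the SP metadata facade for a registered service, keyed by the issuer of the request.
     *
     * @param samlRegisteredService the registered SP
     * @param authnRequest          the request whose issuer identifies the SP entity
     * @return the metadata facade from the caching resolver
     */
    public SamlRegisteredServiceServiceProviderMetadataFacade getSamlMetadataFacadeFor(final SamlRegisteredService samlRegisteredService,
                                                                                          final AuthnRequest authnRequest) {
        return SamlRegisteredServiceServiceProviderMetadataFacade.get(this.samlRegisteredServiceCachingMetadataResolver,
            samlRegisteredService, (RequestAbstractType) authnRequest);
    }

    /**
     * Resolves the SP metadata facade for a registered service, keyed by an explicit entity id.
     *
     * @param samlRegisteredService the registered SP
     * @param entityId              the SP entity id
     * @return the metadata facade from the caching resolver
     */
    public SamlRegisteredServiceServiceProviderMetadataFacade getSamlMetadataFacadeFor(final SamlRegisteredService samlRegisteredService,
                                                                                          final String entityId) {
        return SamlRegisteredServiceServiceProviderMetadataFacade.get(this.samlRegisteredServiceCachingMetadataResolver,
            samlRegisteredService, entityId);
    }

    /**
     * Looks up the SAML service registered for the given id and checks that access is allowed.
     *
     * @param serviceId the SP entity id (the SAML issuer), used as the CAS service id
     * @return the registered SAML service
     * @throws UnauthorizedServiceException if the id is blank, no service is registered for it,
     *                                      the entry is not a {@link SamlRegisteredService}, or its
     *                                      access strategy denies access
     */
    public SamlRegisteredService verifySamlRegisteredService(final String serviceId) {
        if (StringUtils.isBlank(serviceId)) {
            throw new UnauthorizedServiceException("screen.service.error.message",
                "Could not verify/locate SAML registered service since no serviceId is provided");
        }
        this.logger.debug("Checking service access in CAS service registry for [{}]", serviceId);
        final Object registeredService = this.servicesManager.findServiceBy(this.webApplicationServiceFactory.createService(serviceId));
        if (registeredService == null) {
            this.logger.warn("[{}] is not found in the registry or service access is denied. Ensure service is registered in service registry", serviceId);
            throw new UnauthorizedServiceException("screen.service.error.message");
        }
        // Type-check before touching the entry so a non-SAML registration yields a precise error.
        if (!(registeredService instanceof SamlRegisteredService)) {
            this.logger.error("Service [{}] is found in registry but it is not defined as a SAML service", serviceId);
            throw new UnauthorizedServiceException("screen.service.error.message");
        }
        final SamlRegisteredService samlRegisteredService = (SamlRegisteredService) registeredService;
        if (!samlRegisteredService.getAccessStrategy().isServiceAccessAllowed()) {
            this.logger.warn("[{}] is not found in the registry or service access is denied. Ensure service is registered in service registry", serviceId);
            throw new UnauthorizedServiceException("screen.service.error.message");
        }
        this.logger.debug("Located SAML service in the registry as [{}] with the metadata location of [{}]",
            samlRegisteredService.getServiceId(), samlRegisteredService.getMetadataLocation());
        return samlRegisteredService;
    }

    /**
     * Ensures a CAS service exists for the IdP endpoint at {@code serverPrefix + endpointPath},
     * registering a {@link RegexRegisteredService} with pattern {@code <prefix><path>.+} if none matches.
     *
     * <p>Note: the prefix is concatenated verbatim into the regex (not quoted) and the new entry
     * carries the default access strategy, so any URL under that prefix is accepted as the callback.
     *
     * @param endpointPath the endpoint path, appended to the server prefix
     * @return the callback service whose id is the regex above
     */
    protected Service registerCallback(final String endpointPath) {
        final Service callback = this.webApplicationServiceFactory.createService(this.serverPrefix.concat(endpointPath.concat(".+")));
        this.logger.debug("Initialized callback service [{}]", callback);
        if (!this.servicesManager.matchesExistingService(callback)) {
            final RegexRegisteredService service = new RegexRegisteredService();
            service.setId(ID_GENERATOR.nextLong());
            service.setEvaluationOrder(0);
            service.setName(service.getClass().getSimpleName());
            service.setDescription("SAML Authentication Request");
            service.setServiceId(callback.getId());
            this.logger.debug("Saving callback service [{}] into the registry", service);
            this.servicesManager.save(service);
            // Presumably reloads the registry so the saved entry is visible immediately.
            this.servicesManager.load();
        }
        return callback;
    }

    /**
     * Re-parses the {@code AuthnRequest} that was round-tripped through the callback URL as the
     * base64-encoded {@code SAMLRequest} parameter.
     *
     * <p>No signature verification is performed here; the parameter is browser-supplied input.
     *
     * @param httpServletRequest the callback request
     * @return the decoded authentication request
     * @throws SAMLException if the parameter is missing or does not decode to an {@code AuthnRequest}
     * @throws Exception     on decoding/unmarshalling failures
     */
    public AuthnRequest retrieveAuthnRequest(final HttpServletRequest httpServletRequest) throws Exception {
        this.logger.debug("Retrieving authentication request from scope");
        final String encodedRequest = httpServletRequest.getParameter("SAMLRequest");
        if (StringUtils.isBlank(encodedRequest)) {
            throw new SAMLException("No SAMLRequest parameter is present in the request");
        }
        final byte[] xml = EncodingUtils.decodeBase64(encodedRequest.getBytes(StandardCharsets.UTF_8));
        final Object unmarshalled;
        try (ByteArrayInputStream in = new ByteArrayInputStream(xml)) {
            unmarshalled = XMLObjectSupport.unmarshallFromInputStream(this.configBean.getParserPool(), in);
        }
        // Reject anything that is not an AuthnRequest instead of letting a bare ClassCastException escape.
        if (!(unmarshalled instanceof AuthnRequest)) {
            throw new SAMLException("SAMLRequest parameter did not decode to an AuthnRequest");
        }
        return (AuthnRequest) unmarshalled;
    }

    /**
     * Runs the given OpenSAML decoder against the request and returns the decoded message together
     * with its message context.
     *
     * @param httpServletRequest the inbound profile request
     * @param decoder            a fresh decoder instance for the binding in use
     * @param clazz              the expected SAML message type
     * @return the decoded message (an instance of {@code clazz}) and its context
     * @throws RuntimeException wrapping any checked failure (decoder errors, missing or mismatched message)
     */
    public Pair<? extends SignableSAMLObject, MessageContext> decodeRequest(final HttpServletRequest httpServletRequest,
                                                                            final BaseHttpServletRequestXMLMessageDecoder decoder,
                                                                            final Class<? extends SignableSAMLObject> clazz) {
        this.logger.info("Received SAML profile request [{}]", httpServletRequest.getRequestURI());
        try {
            decoder.setHttpServletRequest(httpServletRequest);
            decoder.setParserPool(this.parserPool);
            decoder.initialize();
            decoder.decode();
            final MessageContext messageContext = decoder.getMessageContext();
            final Object message = messageContext.getMessage();
            if (message == null) {
                throw new SAMLException("No " + clazz.getName() + " could be found in this request context. Decoder has failed.");
            }
            if (!clazz.isInstance(message)) {
                throw new ClassCastException("SAML object [" + message.getClass().getName() + " type does not match " + clazz);
            }
            final SignableSAMLObject samlObject = clazz.cast(message);
            this.logger.debug("Decoded SAML object [{}] from http request", samlObject.getElementQName());
            return new Pair<>(samlObject, messageContext);
        } catch (final RuntimeException e) {
            throw e;
        } catch (final Exception e) {
            // Checked failures are surfaced unchanged as the cause; callers handle them at the endpoint.
            throw new RuntimeException(e);
        }
    }

    /**
     * Logs the outcome of CAS ticket validation. Validity is logged at INFO; principal, dates and
     * attributes only at DEBUG because attributes may contain personal data.
     *
     * @param assertion the validated CAS assertion
     */
    public void logCasValidationAssertion(final Assertion assertion) {
        this.logger.info("CAS Assertion Valid: [{}]", Boolean.valueOf(assertion.isValid()));
        this.logger.debug("CAS Assertion Principal: [{}]", assertion.getPrincipal().getName());
        this.logger.debug("CAS Assertion AuthN Date: [{}]", assertion.getAuthenticationDate());
        this.logger.debug("CAS Assertion ValidFrom Date: [{}]", assertion.getValidFromDate());
        this.logger.debug("CAS Assertion ValidUntil Date: [{}]", assertion.getValidUntilDate());
        this.logger.debug("CAS Assertion Attributes: [{}]", assertion.getAttributes());
        this.logger.debug("CAS Assertion Principal Attributes: [{}]", assertion.getPrincipal().getAttributes());
    }

    /**
     * Redirects the browser to the CAS login endpoint, passing the callback service URL (which
     * embeds the request) and propagating the request's ForceAuthn / IsPassive flags as CAS
     * {@code renew} / {@code gateway}.
     *
     * @param authnRequest        the verified authentication request
     * @param httpServletRequest  the inbound request
     * @param httpServletResponse the response to redirect
     * @throws Exception if the service URL cannot be built or the redirect fails
     */
    protected void issueAuthenticationRequestRedirect(final AuthnRequest authnRequest,
                                                      final HttpServletRequest httpServletRequest,
                                                      final HttpServletResponse httpServletResponse) throws Exception {
        final String serviceUrl = constructServiceUrl(httpServletRequest, httpServletResponse, authnRequest);
        this.logger.debug("Created service url [{}]", serviceUrl);
        final boolean forceAuthn = Boolean.TRUE.equals(authnRequest.isForceAuthn());
        final boolean passive = Boolean.TRUE.equals(authnRequest.isPassive());
        final String loginRedirect = CommonUtils.constructRedirectUrl(this.loginUrl, "service", serviceUrl, forceAuthn, passive);
        final String redirectUrl = buildRedirectUrlByRequestedAuthnContext(loginRedirect, authnRequest, httpServletRequest);
        this.logger.debug("Redirecting SAML authN request to \"[{}]\"", redirectUrl);
        new DefaultAuthenticationRedirectStrategy().redirect(httpServletRequest, httpServletResponse, redirectUrl);
    }

    /**
     * Appends the CAS authentication-method parameter to the login redirect when the request's
     * RequestedAuthnContext contains a class ref that has a configured mapping.
     *
     * <p>The first class ref (in document order) with a mapping wins. The mapped value comes from
     * configuration but is URL-encoded anyway so that characters such as {@code &} or {@code =}
     * cannot break the query string.
     *
     * @param redirectUrl        the login URL built so far; always already carries a query string
     * @param authnRequest       the authentication request
     * @param httpServletRequest the inbound request (unused, kept for subclass overrides)
     * @return the redirect URL, possibly extended with {@code &<param>=<method>}
     */
    protected String buildRedirectUrlByRequestedAuthnContext(final String redirectUrl, final AuthnRequest authnRequest,
                                                             final HttpServletRequest httpServletRequest) {
        if (authnRequest.getRequestedAuthnContext() == null
            || this.authenticationContextClassMappings == null
            || this.authenticationContextClassMappings.isEmpty()) {
            return redirectUrl;
        }
        final Optional<AuthnContextClassRef> match = authnRequest.getRequestedAuthnContext().getAuthnContextClassRefs().stream()
            .filter(ref -> this.authenticationContextClassMappings.containsKey(ref.getAuthnContextClassRef()))
            .findFirst();
        if (!match.isPresent()) {
            return redirectUrl;
        }
        final String method = this.authenticationContextClassMappings.get(match.get().getAuthnContextClassRef());
        if (StringUtils.isBlank(this.authenticationContextRequestParameter) || method == null) {
            this.logger.warn("Authentication context mapping found but the request parameter name or mapped value is not configured; ignoring");
            return redirectUrl;
        }
        return redirectUrl + '&' + this.authenticationContextRequestParameter + '=' + urlEncode(method);
    }

    /** URL-encodes a query parameter value as UTF-8. */
    private static String urlEncode(final String value) {
        try {
            return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
        } catch (final UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 is not supported", e);
        }
    }

    /**
     * Builds the CAS service URL for the callback: the callback endpoint with {@code entityId}
     * (the request issuer) and {@code SAMLRequest} (the base64-encoded serialized request) as
     * query parameters, passed through the CAS client's service-URL construction.
     *
     * @param httpServletRequest  the inbound request
     * @param httpServletResponse the response
     * @param authnRequest        the authentication request to embed
     * @return the service URL
     * @throws SamlException wrapping any failure while serializing or building the URL
     */
    public String constructServiceUrl(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse,
                                      final AuthnRequest authnRequest) throws SamlException {
        try (StringWriter writer = SamlUtils.transformSamlObject(this.configBean, authnRequest)) {
            final URLBuilder builder = new URLBuilder(this.callbackService.getId());
            builder.getQueryParams().add(new net.shibboleth.utilities.java.support.collection.Pair<>(
                "entityId", SamlIdPUtils.getIssuerFromSamlRequest(authnRequest)));
            builder.getQueryParams().add(new net.shibboleth.utilities.java.support.collection.Pair<>(
                "SAMLRequest", EncodingUtils.encodeBase64(writer.toString().getBytes(StandardCharsets.UTF_8))));
            final String callbackUrl = builder.buildURL();
            this.logger.debug("Built service callback url [{}]", callbackUrl);
            return CommonUtils.constructServiceUrl(httpServletRequest, httpServletResponse, callbackUrl,
                this.serverName, "service", "ticket", false);
        } catch (final Exception e) {
            throw new SamlException(e.getMessage(), e);
        }
    }

    /**
     * Handles a decoded {@code AuthnRequest}: authorises the issuing SP, enforces its signing
     * requirement, then redirects to CAS login.
     *
     * <p>If the message carries a signature it is verified against the SP's metadata. If it does
     * not, the request is accepted only when the SP metadata does not declare
     * {@code AuthnRequestsSigned}; otherwise it is rejected.
     *
     * @param pair                the decoded request and its message context
     * @param httpServletResponse the response to redirect
     * @param httpServletRequest  the inbound request
     * @throws SAMLException                if the SP requires signed requests and this one is unsigned
     * @throws UnauthorizedServiceException if the issuer is not an authorised SAML service
     * @throws Exception                    on signature verification or redirect failures
     */
    public void initiateAuthenticationRequest(final Pair<? extends SignableSAMLObject, MessageContext> pair,
                                              final HttpServletResponse httpServletResponse,
                                              final HttpServletRequest httpServletRequest) throws Exception {
        final AuthnRequest authnRequest = AuthnRequest.class.cast(pair.getFirst());
        final String issuer = SamlIdPUtils.getIssuerFromSamlRequest(authnRequest);
        final SamlRegisteredService registeredService = verifySamlRegisteredService(issuer);
        final SamlRegisteredServiceServiceProviderMetadataFacade facade = getSamlMetadataFacadeFor(registeredService, authnRequest);
        final MessageContext messageContext = pair.getSecond();
        if (SAMLBindingSupport.isMessageSigned(messageContext)) {
            this.samlObjectSigner.verifySamlProfileRequestIfNeeded(authnRequest, facade.getMetadataResolver(), httpServletRequest, messageContext);
        } else if (facade.isAuthnRequestsSigned()) {
            this.logger.error("Metadata for [{}] says authentication requests are signed, yet this authentication request is not", facade.getEntityId());
            throw new SAMLException("AuthN request is not signed but should be");
        } else {
            this.logger.info("Authentication request is not signed, so there is no need to verify its signature.");
        }
        SamlUtils.logSamlObject(this.configBean, authnRequest);
        issueAuthenticationRequestRedirect(authnRequest, httpServletRequest, httpServletResponse);
    }

    public void setSamlObjectSigner(final SamlObjectSigner samlObjectSigner) {
        this.samlObjectSigner = samlObjectSigner;
    }

    public void setParserPool(final ParserPool parserPool) {
        this.parserPool = parserPool;
    }

    public void setServicesManager(final ServicesManager servicesManager) {
        this.servicesManager = servicesManager;
    }

    public void setWebApplicationServiceFactory(final ServiceFactory<WebApplicationService> serviceFactory) {
        this.webApplicationServiceFactory = serviceFactory;
    }

    public void setSamlRegisteredServiceCachingMetadataResolver(final SamlRegisteredServiceCachingMetadataResolver samlRegisteredServiceCachingMetadataResolver) {
        this.samlRegisteredServiceCachingMetadataResolver = samlRegisteredServiceCachingMetadataResolver;
    }

    public void setConfigBean(final OpenSamlConfigBean openSamlConfigBean) {
        this.configBean = openSamlConfigBean;
    }

    public void setResponseBuilder(final SamlProfileSamlResponseBuilder samlProfileSamlResponseBuilder) {
        this.responseBuilder = samlProfileSamlResponseBuilder;
    }

    /** @return the live mapping of AuthnContextClassRef URIs to CAS authentication methods (not a copy). */
    public Map<String, String> getAuthenticationContextClassMappings() {
        return this.authenticationContextClassMappings;
    }

    public void setAuthenticationContextClassMappings(final Map<String, String> map) {
        this.authenticationContextClassMappings = map;
    }

    public String getLoginUrl() {
        return this.loginUrl;
    }

    public void setLoginUrl(final String loginUrl) {
        this.loginUrl = loginUrl;
    }

    public String getServerPrefix() {
        return this.serverPrefix;
    }

    public void setServerPrefix(final String serverPrefix) {
        this.serverPrefix = serverPrefix;
    }

    public String getServerName() {
        return this.serverName;
    }

    public void setServerName(final String serverName) {
        this.serverName = serverName;
    }

    public String getAuthenticationContextRequestParameter() {
        return this.authenticationContextRequestParameter;
    }

    public void setAuthenticationContextRequestParameter(final String parameterName) {
        this.authenticationContextRequestParameter = parameterName;
    }

    public boolean isSingleLogoutCallbacksDisabled() {
        return this.singleLogoutCallbacksDisabled;
    }

    public void setSingleLogoutCallbacksDisabled(final boolean disabled) {
        this.singleLogoutCallbacksDisabled = disabled;
    }

    public boolean isForceSignedLogoutRequests() {
        return this.forceSignedLogoutRequests;
    }

    public void setForceSignedLogoutRequests(final boolean force) {
        this.forceSignedLogoutRequests = force;
    }

    public String getLogoutUrl() {
        return this.logoutUrl;
    }

    public void setLogoutUrl(final String logoutUrl) {
        this.logoutUrl = logoutUrl;
    }
}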
