package org.apereo.cas.support.saml.web.idp.profile;

import java.util.Date;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.UsernamePasswordCredential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlIdPConstants;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.BaseSamlObjectSigner;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator;
import org.apereo.cas.util.DateTimeUtils;
import org.apereo.cas.web.support.WebUtils;
import org.jasig.cas.client.authentication.AttributePrincipalImpl;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.AssertionImpl;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.binding.BindingDescriptor;
import org.opensaml.saml.saml2.binding.decoding.impl.HTTPSOAP11Decoder;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.ecp.Response;
import org.opensaml.soap.messaging.context.SOAP11Context;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/ECPProfileHandlerController.class */
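/**
 * Handles SAML2 ECP (Enhanced Client or Proxy) profile requests.
 * <p>
 * The flow visible here is: decode the SOAP/PAOS envelope carrying an {@link AuthnRequest},
 * pull HTTP Basic credentials from the request, authenticate them through
 * {@code authenticationSystemSupport}, and write back either an ECP {@link Response} or a
 * SOAP fault built by {@link #samlEcpFaultResponseBuilder}.
 * <p>
 * This listing is decompiler output; parameter names such as {@code str}/{@code z} and the
 * {@code mo23build} method name are artifacts of that and are kept as-is.
 */
public class ECPProfileHandlerController extends AbstractSamlProfileHandlerController {
    private static final Logger LOGGER = LoggerFactory.getLogger(ECPProfileHandlerController.class);

    /** Binding URI reported to the response/fault builders; ECP always answers over PAOS. */
    private static final String SAML2_PAOS_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS";

    /** Builder used to render a SOAP fault back to the ECP client when the request cannot be served. */
    private final SamlProfileObjectBuilder<? extends SAMLObject> samlEcpFaultResponseBuilder;

    /**
     * Creates the handler. Everything except {@code samlProfileObjectBuilder2} is forwarded
     * unchanged to {@link AbstractSamlProfileHandlerController}.
     *
     * @param samlProfileObjectBuilder  builder for the successful ECP {@link Response}
     * @param samlProfileObjectBuilder2 builder for the SOAP fault response
     */
    public ECPProfileHandlerController(BaseSamlObjectSigner baseSamlObjectSigner, ParserPool parserPool, AuthenticationSystemSupport authenticationSystemSupport, ServicesManager servicesManager, ServiceFactory<WebApplicationService> serviceFactory, SamlRegisteredServiceCachingMetadataResolver samlRegisteredServiceCachingMetadataResolver, OpenSamlConfigBean openSamlConfigBean, SamlProfileObjectBuilder<Response> samlProfileObjectBuilder, SamlProfileObjectBuilder<? extends SAMLObject> samlProfileObjectBuilder2, Set<String> set, String str, String str2, String str3, String str4, String str5, boolean z, boolean z2, SamlObjectSignatureValidator samlObjectSignatureValidator) {
        super(baseSamlObjectSigner, parserPool, authenticationSystemSupport, servicesManager, serviceFactory, samlRegisteredServiceCachingMetadataResolver, openSamlConfigBean, samlProfileObjectBuilder, set, str, str2, str3, str4, str5, z, z2, samlObjectSignatureValidator);
        this.samlEcpFaultResponseBuilder = samlProfileObjectBuilder2;
    }

    /**
     * Entry point for the ECP SSO endpoint.
     * <p>
     * Both the SOAP envelope and the Basic credentials are required; when either is missing
     * the request is rejected with an explicit HTTP status rather than the empty 200 a bare
     * {@code return} would produce (the original implementation set no status at all).
     *
     * @param httpServletResponse the response to write the ECP response or fault into
     * @param httpServletRequest  the incoming PAOS/SOAP request
     * @throws Exception propagated from the superclass/response builders
     */
    @PostMapping(path = {SamlIdPConstants.ENDPOINT_SAML2_IDP_ECP_PROFILE_SSO}, consumes = {"text/xml", SamlIdPConstants.ECP_SOAP_PAOS_CONTENT_TYPE}, produces = {"text/xml", SamlIdPConstants.ECP_SOAP_PAOS_CONTENT_TYPE})
    public void handleEcpRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws Exception {
        MessageContext soapContext = decodeSoapRequest(httpServletRequest);
        Credential credential = extractBasicAuthenticationCredential(httpServletRequest, httpServletResponse);
        if (credential == null) {
            // No usable Authorization header: tell the client credentials are required.
            // NOTE(review): a WWW-Authenticate challenge header may also be expected by some
            // ECP clients — confirm against the clients in use before adding one.
            LOGGER.error("Credentials could not be extracted from the SAML ECP request");
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (soapContext == null) {
            // decodeSoapRequest() has already logged the cause of the decoding failure.
            LOGGER.error("SAML ECP request could not be determined from the authentication request");
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        handleEcpRequest(httpServletResponse, httpServletRequest, soapContext, credential, SAML2_PAOS_BINDING_URI);
    }

    /**
     * Verifies the decoded {@link AuthnRequest}, authenticates the supplied credential and
     * writes the ECP response; any failure is turned into a SOAP fault.
     *
     * @param httpServletResponse the response to write into
     * @param httpServletRequest  the incoming request
     * @param messageContext      decoded SOAP message context holding the {@link AuthnRequest}
     * @param credential          credential extracted from the Basic Authorization header
     * @param str                 binding URI handed to the response builder
     */
    protected void handleEcpRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest, MessageContext messageContext, Credential credential, String str) {
        LOGGER.debug("Handling ECP request for SOAP context [{}]", messageContext);
        SamlUtils.logSamlObject(this.configBean, messageContext.getSubcontext(SOAP11Context.class).getEnvelope());
        Object message = messageContext.getMessage();
        if (!(message instanceof AuthnRequest)) {
            // The original cast this unconditionally, so a SOAP body carrying anything else
            // escaped as a ClassCastException before the try block. Without an AuthnRequest
            // there is nothing to build a fault response against, so reject outright.
            LOGGER.error("SOAP body of the ECP request does not carry a SAML AuthnRequest but [{}]",
                message == null ? "null" : message.getClass().getName());
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        AuthnRequest authnRequest = (AuthnRequest) message;
        // Declared with the concrete type so the same pair satisfies verifySamlAuthenticationRequest,
        // authenticateEcpRequest (Pair<AuthnRequest, MessageContext>) and buildSamlResponse.
        Pair<AuthnRequest, MessageContext> authenticationContext = Pair.of(authnRequest, messageContext);
        try {
            LOGGER.debug("Verifying ECP authentication request [{}]", authnRequest);
            Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> verified = verifySamlAuthenticationRequest(authenticationContext, httpServletRequest);
            LOGGER.debug("Attempting to authenticate ECP request for credential id [{}]", credential.getId());
            Authentication authentication = authenticateEcpRequest(credential, authenticationContext);
            LOGGER.debug("Authenticated [{}] successfully with authenticated principal [{}]", credential.getId(), authentication.getPrincipal());
            LOGGER.debug("Building ECP SAML response for [{}]", credential.getId());
            Assertion casAssertion = buildEcpCasAssertion(authentication, (RegisteredService) verified.getKey());
            LOGGER.debug("CAS assertion to use for building ECP SAML response is [{}]", casAssertion);
            buildSamlResponse(httpServletResponse, httpServletRequest, authenticationContext, casAssertion, str);
        } catch (AuthenticationException e) {
            // Must precede the generic handler: AuthenticationException is an Exception, so the
            // reverse order (as in the listing) is a compile error — the narrower catch is unreachable.
            // Only the handler class names are reported to the client, not the raw failure messages.
            LOGGER.error(e.getMessage(), e);
            String failedHandlers = e.getHandlerErrors().values().stream()
                .map(err -> err.getSimpleName())
                .collect(Collectors.joining(","));
            buildEcpFaultResponse(httpServletResponse, httpServletRequest, Pair.of(authnRequest, failedHandlers));
        } catch (Exception e) {
            // NOTE(review): e.getMessage() is copied verbatim into the SOAP fault returned to an
            // as-yet-unauthenticated caller, so internal detail (metadata resolution, signature
            // validation, ...) may leak. Kept for compatibility; consider a generic message.
            LOGGER.error(e.getMessage(), e);
            buildEcpFaultResponse(httpServletResponse, httpServletRequest, Pair.of(authnRequest, e.getMessage()));
        }
    }

    /**
     * Writes a SOAP fault for the given request.
     *
     * @param httpServletResponse the response to write into
     * @param httpServletRequest  the incoming request; the error text is stashed on it under
     *                            {@link SamlIdPConstants#REQUEST_ATTRIBUTE_ERROR} for the builder
     * @param pair                the {@link AuthnRequest} being answered and the error text to report
     */
    protected void buildEcpFaultResponse(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest, Pair<AuthnRequest, String> pair) {
        httpServletRequest.setAttribute(SamlIdPConstants.REQUEST_ATTRIBUTE_ERROR, pair.getValue());
        // mo23build appears to be a decompiler-mangled name for SamlProfileObjectBuilder#build — confirm against the interface.
        this.samlEcpFaultResponseBuilder.mo23build((AuthnRequest) pair.getKey(), httpServletRequest, httpServletResponse, null, null, null, SAML2_PAOS_BINDING_URI);
    }

    /**
     * Runs a single authentication transaction for the credential, using the request's
     * {@code Issuer} as the CAS service the authentication is performed on behalf of.
     * <p>
     * Callers are expected to have verified the request (see
     * {@link #handleEcpRequest(HttpServletResponse, HttpServletRequest, MessageContext, Credential, String)})
     * before the issuer is trusted here.
     *
     * @param credential the credential to authenticate
     * @param pair       the verified {@link AuthnRequest} and its message context
     * @return the resulting {@link Authentication}
     */
    protected Authentication authenticateEcpRequest(Credential credential, Pair<AuthnRequest, MessageContext> pair) {
        String issuer = SamlIdPUtils.getIssuerFromSamlRequest((RequestAbstractType) pair.getKey());
        LOGGER.debug("Located issuer [{}] from request prior to authenticating [{}]", issuer, credential.getId());
        Service service = this.webApplicationServiceFactory.createService(issuer);
        LOGGER.debug("Executing authentication request for service [{}] on behalf of credential id [{}]", service, credential.getId());
        return this.authenticationSystemSupport.handleAndFinalizeSingleAuthenticationTransaction(service, new Credential[]{credential}).getAuthentication();
    }

    /**
     * Builds the CAS client-side {@link Assertion} that the SAML response builders consume.
     * <p>
     * Principal attributes are filtered through the registered service's attribute release
     * policy; authentication attributes are passed through unfiltered.
     *
     * @param authentication    the completed authentication
     * @param registeredService the service whose release policy applies
     * @return the assembled assertion
     */
    protected Assertion buildEcpCasAssertion(Authentication authentication, RegisteredService registeredService) {
        AttributePrincipalImpl principal = new AttributePrincipalImpl(
            authentication.getPrincipal().getId(),
            registeredService.getAttributeReleasePolicy().getAttributes(authentication.getPrincipal(), registeredService));
        Date authenticationDate = DateTimeUtils.dateOf(authentication.getAuthenticationDate());
        // The null Date is presumably AssertionImpl's validUntil — confirm against its constructor.
        return new AssertionImpl(principal, authenticationDate, (Date) null, authenticationDate, authentication.getAttributes());
    }

    /**
     * Decodes the SOAP 1.1 envelope of the request into an OpenSAML {@link MessageContext}.
     * <p>
     * XML parsing goes through the injected {@code parserPool}; whether DTD/external-entity
     * processing is disabled depends entirely on how that pool was configured — confirm it is a
     * securely configured pool (OpenSAML's {@code BasicParserPool} defaults are) before exposing
     * this endpoint.
     *
     * @param httpServletRequest the incoming request
     * @return the decoded context, or {@code null} if decoding failed (the failure is logged)
     */
    protected MessageContext decodeSoapRequest(HttpServletRequest httpServletRequest) {
        try {
            HTTPSOAP11Decoder decoder = new HTTPSOAP11Decoder();
            decoder.setParserPool(this.parserPool);
            decoder.setHttpServletRequest(httpServletRequest);
            BindingDescriptor binding = new BindingDescriptor();
            binding.setId(getClass().getName());
            binding.setShortName(getClass().getName());
            binding.setSignatureCapable(true);
            binding.setSynchronous(true);
            decoder.setBindingDescriptor(binding);
            decoder.initialize();
            decoder.decode();
            return decoder.getMessageContext();
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Extracts HTTP Basic credentials from the request via pac4j.
     * <p>
     * Only the username is logged: the original logged the whole pac4j credentials object and
     * thereby relied on its {@code toString()} masking the password, which varies by pac4j version.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response (needed to build the pac4j web context)
     * @return a {@link UsernamePasswordCredential}, or {@code null} if none could be extracted
     */
    private Credential extractBasicAuthenticationCredential(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            UsernamePasswordCredentials basic = new BasicAuthExtractor(getClass().getSimpleName()).extract(WebUtils.getPac4jJ2EContext(httpServletRequest, httpServletResponse));
            if (basic == null) {
                return null;
            }
            LOGGER.debug("Received basic authentication ECP request for username [{}]", basic.getUsername());
            return new UsernamePasswordCredential(basic.getUsername(), basic.getPassword());
        } catch (Exception e) {
            LOGGER.warn(e.getMessage(), e);
            return null;
        }
    }
}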
