package org.apereo.cas.support.saml.web.idp.profile.sso;

import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlIdPConstants;
import org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver;
import org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.BaseSamlObjectSigner;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/sso/SSOPostProfileCallbackHandlerController.class */
/**
 * Handles the SAML2 SSO POST profile callback.
 *
 * <p>After CAS has authenticated the user for a pending SAML {@link AuthnRequest}, the browser is
 * sent back here with a CAS service ticket. The handler re-locates the pending request, validates
 * the ticket against the CAS server and then hands the resulting CAS assertion to the SAML response
 * builder for the HTTP-POST binding. Requests with no pending authentication request, or without a
 * ticket, are rejected with HTTP 403 before any ticket validation is attempted.
 */
public class SSOPostProfileCallbackHandlerController extends AbstractSamlProfileHandlerController {
    private static final Logger LOGGER = LoggerFactory.getLogger(SSOPostProfileCallbackHandlerController.class);

    /** Request parameter carrying the CAS service ticket back to this callback. */
    private static final String TICKET_PARAMETER = "ticket";

    /** Request parameter carrying the service provider's relay state through the round trip. */
    private static final String RELAY_STATE_PARAMETER = "RelayState";

    /** Binding URI passed to the SAML response builder; this handler only ever answers over HTTP-POST. */
    private static final String POST_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    /**
     * Creates the controller. Every collaborator and setting is forwarded unchanged to
     * {@link AbstractSamlProfileHandlerController}; the meaning of the string and boolean
     * settings is defined by that base class and is not visible in this file.
     *
     * @param baseSamlObjectSigner                          signer for outgoing SAML objects
     * @param parserPool                                    XML parser pool
     * @param authenticationSystemSupport                   CAS authentication support
     * @param servicesManager                               registered services manager
     * @param serviceFactory                                factory for web application services
     * @param samlRegisteredServiceCachingMetadataResolver  SP metadata resolver
     * @param openSamlConfigBean                            OpenSAML configuration
     * @param samlProfileObjectBuilder                      builder for the SAML {@link Response}
     * @param set                                           forwarded to the base handler
     * @param str                                           forwarded to the base handler
     * @param str2                                          forwarded to the base handler
     * @param str3                                          forwarded to the base handler
     * @param str4                                          forwarded to the base handler
     * @param str5                                          forwarded to the base handler
     * @param z                                             forwarded to the base handler
     * @param z2                                            forwarded to the base handler
     * @param samlObjectSignatureValidator                  validator for inbound SAML signatures
     */
    public SSOPostProfileCallbackHandlerController(BaseSamlObjectSigner baseSamlObjectSigner, ParserPool parserPool, AuthenticationSystemSupport authenticationSystemSupport, ServicesManager servicesManager, ServiceFactory<WebApplicationService> serviceFactory, SamlRegisteredServiceCachingMetadataResolver samlRegisteredServiceCachingMetadataResolver, OpenSamlConfigBean openSamlConfigBean, SamlProfileObjectBuilder<Response> samlProfileObjectBuilder, Set<String> set, String str, String str2, String str3, String str4, String str5, boolean z, boolean z2, SamlObjectSignatureValidator samlObjectSignatureValidator) {
        super(baseSamlObjectSigner, parserPool, authenticationSystemSupport, servicesManager, serviceFactory, samlRegisteredServiceCachingMetadataResolver, openSamlConfigBean, samlProfileObjectBuilder, set, str, str2, str3, str4, str5, z, z2, samlObjectSignatureValidator);
    }

    /**
     * Entry point for the SSO POST profile callback.
     *
     * <p>Order of checks matters for security: the pending {@link AuthnRequest} is resolved first and
     * a missing one is rejected outright, then the presence of the {@code ticket} parameter is
     * checked, and only then is the ticket validated against CAS and a SAML response produced.
     *
     * @param httpServletResponse the servlet response; receives 403 on rejection, otherwise the SAML response
     * @param httpServletRequest  the servlet request carrying {@code ticket} and {@code RelayState}
     * @throws Exception if ticket validation or response building fails (propagated from the collaborators)
     */
    @GetMapping(path = {SamlIdPConstants.ENDPOINT_SAML2_SSO_PROFILE_POST_CALLBACK})
    protected void handleCallbackProfileRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws Exception {
        LOGGER.info("Received SAML callback profile request [{}]", httpServletRequest.getRequestURI());

        // No pending SAML request means there is nothing to bind a ticket to: refuse before touching it.
        final AuthnRequest pendingAuthnRequest = retrieveSamlAuthenticationRequestFromHttpRequest(httpServletRequest);
        if (pendingAuthnRequest == null) {
            LOGGER.error("Can not validate the request because the original Authn request can not be found.");
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        final String ticket = CommonUtils.safeGetParameter(httpServletRequest, TICKET_PARAMETER);
        if (StringUtils.isBlank(ticket)) {
            LOGGER.error("Can not validate the request because no [{}] is provided via the request", TICKET_PARAMETER);
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        final Pair<AuthnRequest, MessageContext> authenticationContext = buildAuthenticationContextPair(httpServletRequest, pendingAuthnRequest);
        final Assertion casAssertion = validateRequestAndBuildCasAssertion(httpServletResponse, httpServletRequest, authenticationContext);
        buildSamlResponse(httpServletResponse, httpServletRequest, authenticationContext, casAssertion, POST_BINDING_URI);
    }

    /**
     * Pairs the pending authentication request with a fresh message context that carries the
     * relay state from the current request.
     *
     * @param httpServletRequest the servlet request (source of {@code RelayState})
     * @param authnRequest       the pending SAML authentication request
     * @return the request together with its message context
     */
    protected Pair<AuthnRequest, MessageContext> buildAuthenticationContextPair(HttpServletRequest httpServletRequest, AuthnRequest authnRequest) {
        final MessageContext<SAMLObject> relayStateContext = bindRelayStateParameter(httpServletRequest);
        return Pair.of(authnRequest, relayStateContext);
    }

    /**
     * Builds a message context whose relay state is the raw {@code RelayState} request parameter.
     *
     * <p>The value is copied verbatim (possibly {@code null}) and is not validated here.
     * NOTE(review): it is presumably echoed back to the service provider with the POST response —
     * confirm where it is consumed before relying on any constraint on its content or length.
     *
     * @param httpServletRequest the servlet request
     * @return a new message context carrying the relay state
     */
    private MessageContext<SAMLObject> bindRelayStateParameter(HttpServletRequest httpServletRequest) {
        final String relayState = httpServletRequest.getParameter(RELAY_STATE_PARAMETER);
        LOGGER.debug("RelayState is [{}]", relayState);
        final MessageContext<SAMLObject> context = new MessageContext<>();
        SAMLBindingSupport.setRelayState(context, relayState);
        return context;
    }

    /**
     * Validates the CAS service ticket from the request against the CAS server and returns the
     * resulting CAS assertion.
     *
     * <p>The validator talks to the server at the inherited {@code serverPrefix} using the CAS 3.0
     * protocol. The SAML request's {@code ForceAuthn} flag is mapped onto CAS {@code renew}, so an
     * SP that demanded fresh authentication gets a ticket check that insists on it. The service URL
     * presented for validation comes from the inherited {@code constructServiceUrl}, whose rules
     * are not visible in this file.
     *
     * @param httpServletResponse the servlet response (needed to construct the service URL)
     * @param httpServletRequest  the servlet request carrying the {@code ticket} parameter
     * @param pair                the pending authentication request and its message context
     * @return the validated CAS assertion
     * @throws Exception if the ticket does not validate or the validator cannot reach the server
     */
    private Assertion validateRequestAndBuildCasAssertion(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest, Pair<AuthnRequest, MessageContext> pair) throws Exception {
        final AuthnRequest authnRequest = (AuthnRequest) pair.getKey();
        final String ticket = CommonUtils.safeGetParameter(httpServletRequest, TICKET_PARAMETER);

        final Cas30ServiceTicketValidator ticketValidator = new Cas30ServiceTicketValidator(this.serverPrefix);
        // Auto-unboxing keeps the original semantics: a null ForceAuthn would fail here rather than default.
        final boolean renew = authnRequest.isForceAuthn();
        ticketValidator.setRenew(renew);

        final String serviceUrl = constructServiceUrl(httpServletRequest, httpServletResponse, pair);
        LOGGER.debug("Created service url for validation: [{}]", serviceUrl);

        final Assertion casAssertion = ticketValidator.validate(ticket, serviceUrl);
        logCasValidationAssertion(casAssertion);
        return casAssertion;
    }
}
