package org.apereo.cas.ws.idp.web;

import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.SerializationUtils;
import org.apache.commons.lang3.StringEscapeUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apereo.cas.authentication.AuthenticationServiceSelectionStrategy;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.SecurityTokenTicketFactory;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.http.HttpClient;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.apereo.cas.web.support.CookieUtils;
import org.apereo.cas.ws.idp.services.WSFederationRelyingPartyTokenProducer;
import org.jasig.cas.client.authentication.AttributePrincipal;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas30ServiceTicketValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;

/* loaded from: input_file:org/apereo/cas/ws/idp/web/WSFederationValidateRequestCallbackController.class */
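/**
 * Handles the WS-Federation callback that CAS redirects to after the user has
 * authenticated. It validates the CAS service ticket carried on the callback,
 * obtains (or issues) the STS security token for the user, records that token
 * as a ticket tied to the SSO session, and finally auto-POSTs the relying-party
 * token back to the relying party's {@code wreply} endpoint.
 */
public class WSFederationValidateRequestCallbackController extends BaseWSFederationRequestController {
    private static final Logger LOGGER = LoggerFactory.getLogger(WSFederationValidateRequestCallbackController.class);

    /** Request parameter that carries the CAS service ticket on the callback. */
    private static final String TICKET_PARAMETER = "ticket";

    /** Assertion attribute that carries the base64-encoded, Java-serialized {@link SecurityToken}. */
    private static final String SECURITY_TOKEN_ATTRIBUTE = "securityToken";

    private final WSFederationRelyingPartyTokenProducer relyingPartyTokenProducer;

    public WSFederationValidateRequestCallbackController(ServicesManager servicesManager, ServiceFactory<WebApplicationService> serviceFactory, CasConfigurationProperties casConfigurationProperties, WSFederationRelyingPartyTokenProducer wSFederationRelyingPartyTokenProducer, AuthenticationServiceSelectionStrategy authenticationServiceSelectionStrategy, HttpClient httpClient, SecurityTokenTicketFactory securityTokenTicketFactory, TicketRegistry ticketRegistry, CookieRetrievingCookieGenerator cookieRetrievingCookieGenerator, TicketRegistrySupport ticketRegistrySupport) {
        super(servicesManager, serviceFactory, casConfigurationProperties, authenticationServiceSelectionStrategy, httpClient, securityTokenTicketFactory, ticketRegistry, cookieRetrievingCookieGenerator, ticketRegistrySupport);
        this.relyingPartyTokenProducer = wSFederationRelyingPartyTokenProducer;
    }

    /**
     * Entry point for {@code /ws/idp/federationcallback}.
     *
     * @param httpServletResponse the response
     * @param httpServletRequest  the request; must carry the WS-Federation parameters
     *                            and a CAS {@code ticket}
     * @return a {@code casPostResponseView} that POSTs the relying-party token, or an
     *         {@code error} view with 403 when no ticket is present
     * @throws Exception on ticket validation failure or any downstream error
     */
    @GetMapping(path = {"/ws/idp/federationcallback"})
    protected ModelAndView handleFederationRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws Exception {
        final WSFederationRequest fedRequest = WSFederationRequest.of(httpServletRequest);
        LOGGER.debug("Received callback profile request [{}]", httpServletRequest.getRequestURI());

        // The lookup below is the registered-service authorization step, not just
        // logging: its argument is evaluated regardless of the log level, and it is
        // expected to reject requests for unknown relying parties before any ticket
        // is validated. Keep it ahead of the ticket handling.
        LOGGER.debug("Located matching service [{}]", findAndValidateFederationRequestForRegisteredService(httpServletResponse, httpServletRequest, fedRequest));

        final String ticket = CommonUtils.safeGetParameter(httpServletRequest, TICKET_PARAMETER);
        if (StringUtils.isBlank(ticket)) {
            LOGGER.error("Can not validate the request because no [{}] is provided via the request", TICKET_PARAMETER);
            return new ModelAndView("error", new HashMap<String, Object>(), HttpStatus.FORBIDDEN);
        }

        final Assertion assertion = validateRequestAndBuildCasAssertion(httpServletResponse, httpServletRequest, fedRequest, ticket);

        // Prefer a token already present on the request; otherwise extract the one
        // the CAS server embedded in the assertion.
        SecurityToken securityToken = getSecurityTokenFromRequest(httpServletRequest);
        if (securityToken == null) {
            LOGGER.debug("No security token is yet available. Invoking security token service to issue token");
            securityToken = validateSecurityTokenInAssertion(assertion, httpServletRequest, httpServletResponse);
        }

        addSecurityTokenTicketToRegistry(httpServletRequest, securityToken);
        final String relyingPartyToken = produceRelyingPartyToken(httpServletResponse, httpServletRequest, fedRequest, securityToken, assertion);
        return postResponseBackToRelyingParty(relyingPartyToken, fedRequest);
    }

    /**
     * Stores the security token as a ticket chained to the caller's ticket-granting
     * ticket, so the token's lifetime follows the SSO session.
     *
     * @param httpServletRequest the request carrying the TGT cookie
     * @param securityToken      the token to persist
     * @throws IllegalStateException if no ticket-granting ticket can be resolved from
     *                               the request; this makes the failure explicit
     *                               instead of handing a null TGT to the factory and
     *                               to {@code updateTicket}
     */
    private void addSecurityTokenTicketToRegistry(HttpServletRequest httpServletRequest, SecurityToken securityToken) {
        LOGGER.debug("Adding security token as a ticket to CAS ticket registry...");
        final TicketGrantingTicket tgt = CookieUtils.getTicketGrantingTicketFromRequest(this.ticketGrantingTicketCookieGenerator, this.ticketRegistry, httpServletRequest);
        if (tgt == null) {
            throw new IllegalStateException("No ticket-granting ticket is available on the request; the security token cannot be bound to an SSO session");
        }
        this.ticketRegistry.addTicket(this.securityTokenTicketFactory.create(tgt, securityToken));
        // The TGT is updated so registries that persist descendant-ticket links see the new child.
        this.ticketRegistry.updateTicket(tgt);
    }

    /**
     * Builds the auto-submitting POST back to the relying party.
     *
     * @param relyingPartyToken the serialized WS-Federation response (wresult)
     * @param fedRequest        the original federation request
     * @return the {@code casPostResponseView} model
     * @throws Exception never directly; declared for compatibility
     */
    private static ModelAndView postResponseBackToRelyingParty(String relyingPartyToken, WSFederationRequest fedRequest) throws Exception {
        // NOTE(review): the POST target comes straight from the request (wreply, else
        // wtrealm). Nothing in this class checks it against the registered service;
        // confirm that findAndValidateFederationRequestForRegisteredService (base
        // class) or the token producer enforces that, otherwise the signed token is
        // delivered to whatever URL the initiating request named.
        final String wreply = StringUtils.isNotBlank(fedRequest.getWreply())
            ? fedRequest.getWreply()
            : fedRequest.getWtrealm();

        final Map<String, Object> parameters = new HashMap<>();
        parameters.put("wa", "wsignin1.0");
        // The producer's output is HTML-unescaped before being handed to the view;
        // presumably the view re-escapes form values when rendering — confirm.
        parameters.put("wresult", StringEscapeUtils.unescapeHtml4(relyingPartyToken));
        parameters.put("wtrealm", fedRequest.getWtrealm());
        if (StringUtils.isNotBlank(fedRequest.getWctx())) {
            parameters.put("wctx", fedRequest.getWctx());
        }

        final Map<String, Object> model = new HashMap<>();
        model.put("originalUrl", wreply);
        model.put("parameters", parameters);
        LOGGER.debug("Posting relying party token to [{}]", wreply);
        return new ModelAndView("casPostResponseView", model);
    }

    /**
     * Asks the token producer for the relying-party token, re-resolving the
     * registered service for the request (the same lookup already performed in
     * {@link #handleFederationRequest}).
     */
    private String produceRelyingPartyToken(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest, WSFederationRequest fedRequest, SecurityToken securityToken, Assertion assertion) {
        return this.relyingPartyTokenProducer.produce(securityToken, findAndValidateFederationRequestForRegisteredService(httpServletResponse, httpServletRequest, fedRequest), fedRequest, httpServletRequest, assertion);
    }

    /**
     * Extracts the security token the CAS server placed in the assertion.
     *
     * @return the deserialized {@link SecurityToken}
     * @throws UnauthorizedServiceException if the assertion carries no such attribute
     */
    private static SecurityToken validateSecurityTokenInAssertion(Assertion assertion, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LOGGER.debug("Validating security token in CAS assertion...");
        final AttributePrincipal principal = assertion.getPrincipal();
        final Map<String, Object> attributes = principal.getAttributes();
        if (!attributes.containsKey(SECURITY_TOKEN_ATTRIBUTE)) {
            throw new UnauthorizedServiceException("screen.service.error.message");
        }
        // SECURITY: this is Java native deserialization of an attribute value. It is
        // only acceptable because the attribute comes from the assertion that the CAS
        // server returned for a ticket validated against casProperties.getServer()
        // .getPrefix() (see validateRequestAndBuildCasAssertion) — i.e. from the CAS
        // server itself, not from the browser. That prefix must be an HTTPS URL to a
        // trusted server; consider an ObjectInputFilter / class allow-list around
        // this call as defence in depth.
        final String encoded = (String) attributes.get(SECURITY_TOKEN_ATTRIBUTE);
        return (SecurityToken) SerializationUtils.deserialize(EncodingUtils.decodeBase64(encoded));
    }

    /**
     * Validates the CAS service ticket against the CAS server (CAS 3.0 protocol) for
     * the service URL that this callback was issued for.
     *
     * @param ticket the service ticket taken from the request
     * @return the validated assertion
     * @throws Exception if validation fails
     */
    private Assertion validateRequestAndBuildCasAssertion(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest, WSFederationRequest fedRequest, String ticket) throws Exception {
        final Cas30ServiceTicketValidator validator = new Cas30ServiceTicketValidator(this.casProperties.getServer().getPrefix());
        // The service URL must match the one the ticket was issued for, otherwise
        // validation fails — this is what binds the ticket to this relying-party flow.
        final String serviceUrl = constructServiceUrl(httpServletRequest, httpServletResponse, fedRequest);
        LOGGER.debug("Created service url for validation: [{}]", serviceUrl);
        final Assertion assertion = validator.validate(ticket, serviceUrl);
        LOGGER.debug("Located CAS assertion [{}]", assertion);
        return assertion;
    }
}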
