package org.apereo.cas.ws.idp.web;

import java.net.URI;
import java.time.Instant;
import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.http.client.utils.URIBuilder;
import org.apereo.cas.authentication.AuthenticationServiceSelectionStrategy;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.wsfed.WsFederationProperties;
import org.apereo.cas.services.RegexRegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.ticket.SecurityTokenTicket;
import org.apereo.cas.ticket.SecurityTokenTicketFactory;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.util.RandomUtils;
import org.apereo.cas.util.http.HttpClient;
import org.apereo.cas.web.support.CookieRetrievingCookieGenerator;
import org.apereo.cas.web.support.WebUtils;
import org.apereo.cas.ws.idp.services.WSFederationRegisteredService;
import org.jasig.cas.client.util.CommonUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.servlet.ModelAndView;

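/**
 * Base controller for the WS-Federation identity-provider endpoints.
 *
 * <p>On construction it ensures a {@link RegexRegisteredService} covering the
 * {@code /ws/idp/federationcallback} URL exists in the services registry, and it
 * offers subclasses helpers to build the callback URL for an incoming
 * {@link WSFederationRequest}, to locate the caller's existing security token via the
 * ticket-granting-ticket cookie, to decide whether {@code wfresh} forces a renewed
 * authentication, and to validate that the request's {@code wtrealm} matches both the
 * registered service and the configured identity-provider realm.
 *
 * <p>This listing is decompiler output; the original is assumed to have assigned
 * {@code callbackService} at the end of the constructor (see the constructor note).
 */
@Controller
/* loaded from: input_file:org/apereo/cas/ws/idp/web/BaseWSFederationRequestController.class */
public abstract class BaseWSFederationRequestController {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(BaseWSFederationRequestController.class);

    /** Relative URL of the federation callback endpoint registered as a service. */
    private static final String CALLBACK_URL = "/ws/idp/federationcallback";

    /** Ticket-id prefix used to pick the security-token ticket among a TGT's descendants. */
    private static final String STS_TICKET_PREFIX = "STS";

    protected final ServicesManager servicesManager;
    protected final ServiceFactory<WebApplicationService> webApplicationServiceFactory;
    // Assigned in the constructor, after the collaborators it depends on are set.
    protected final Service callbackService;
    protected final CasConfigurationProperties casProperties;
    protected final AuthenticationServiceSelectionStrategy serviceSelectionStrategy;
    protected final HttpClient httpClient;
    protected final SecurityTokenTicketFactory securityTokenTicketFactory;
    protected final TicketRegistry ticketRegistry;
    protected final CookieRetrievingCookieGenerator ticketGrantingTicketCookieGenerator;
    protected final TicketRegistrySupport ticketRegistrySupport;

    /**
     * Wires the collaborators and registers the callback service.
     *
     * <p>The callback service is registered last, because {@link #registerCallback(String)}
     * reads {@code webApplicationServiceFactory} and {@code servicesManager}; a field
     * initializer would run before those assignments and dereference {@code null}.
     *
     * @param servicesManager                        registry of registered services
     * @param serviceFactory                         factory for web application services
     * @param casConfigurationProperties             CAS configuration
     * @param authenticationServiceSelectionStrategy strategy resolving the service for a request
     * @param httpClient                             HTTP client made available to subclasses
     * @param securityTokenTicketFactory             factory for security-token tickets
     * @param ticketRegistry                         ticket registry
     * @param cookieRetrievingCookieGenerator        TGT cookie generator/reader
     * @param ticketRegistrySupport                  ticket registry support helper
     */
    public BaseWSFederationRequestController(final ServicesManager servicesManager,
                                             final ServiceFactory<WebApplicationService> serviceFactory,
                                             final CasConfigurationProperties casConfigurationProperties,
                                             final AuthenticationServiceSelectionStrategy authenticationServiceSelectionStrategy,
                                             final HttpClient httpClient,
                                             final SecurityTokenTicketFactory securityTokenTicketFactory,
                                             final TicketRegistry ticketRegistry,
                                             final CookieRetrievingCookieGenerator cookieRetrievingCookieGenerator,
                                             final TicketRegistrySupport ticketRegistrySupport) {
        this.servicesManager = servicesManager;
        this.webApplicationServiceFactory = serviceFactory;
        this.casProperties = casConfigurationProperties;
        this.serviceSelectionStrategy = authenticationServiceSelectionStrategy;
        this.httpClient = httpClient;
        this.securityTokenTicketFactory = securityTokenTicketFactory;
        this.ticketRegistry = ticketRegistry;
        this.ticketGrantingTicketCookieGenerator = cookieRetrievingCookieGenerator;
        this.ticketRegistrySupport = ticketRegistrySupport;
        // Must come after the assignments above; see class Javadoc.
        this.callbackService = registerCallback(CALLBACK_URL);
    }

    /**
     * Creates the callback {@link Service} and, if no registered service already
     * matches it, saves a {@link RegexRegisteredService} for it and reloads the registry.
     *
     * <p>The saved service id is the callback URL followed by {@code .+}, i.e. the
     * pattern is not anchored and matches any service URL that begins with the callback URL.
     *
     * @param callbackUrl relative or absolute URL of the callback endpoint
     * @return the callback service, whether or not it had to be registered
     */
    private Service registerCallback(final String callbackUrl) {
        final Service callback = this.webApplicationServiceFactory.createService(callbackUrl);
        if (this.servicesManager.matchesExistingService(callback)) {
            return callback;
        }
        LOGGER.debug("Initializing callback service [{}]", callback);
        final RegexRegisteredService registered = new RegexRegisteredService();
        // Random id only serves as a registry key; it is not a secret.
        registered.setId(Math.abs(RandomUtils.getNativeInstance().nextLong()));
        registered.setEvaluationOrder(0);
        registered.setName(registered.getClass().getSimpleName());
        registered.setDescription("WS-Federation Authentication Request");
        registered.setServiceId(callback.getId().concat(".+"));
        LOGGER.debug("Saving callback service [{}] into the registry", registered);
        this.servicesManager.save(registered);
        this.servicesManager.load();
        return callback;
    }

    /**
     * Builds the CAS service URL that points back at the federation callback endpoint,
     * carrying the WS-Federation parameters of the incoming request as query parameters.
     *
     * <p>{@code wa}, {@code wreply} and {@code wtrealm} are always added (a {@code null}
     * value is passed through to {@link URIBuilder#addParameter}); {@code wctx},
     * {@code wfresh}, {@code whr} and {@code wreq} only when non-blank. No validation of
     * {@code wreply} is performed here; it is copied as received.
     *
     * @param httpServletRequest  current request
     * @param httpServletResponse current response
     * @param wSFederationRequest parsed WS-Federation request
     * @return the callback service URL as produced by {@link CommonUtils#constructServiceUrl}
     * @throws SamlException if the URI cannot be built
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String constructServiceUrl(final HttpServletRequest httpServletRequest,
                                      final HttpServletResponse httpServletResponse,
                                      final WSFederationRequest wSFederationRequest) {
        try {
            final URIBuilder builder = new URIBuilder(this.callbackService.getId());
            builder.addParameter("wa", wSFederationRequest.getWa());
            builder.addParameter("wreply", wSFederationRequest.getWreply());
            builder.addParameter("wtrealm", wSFederationRequest.getWtrealm());
            addIfNotBlank(builder, "wctx", wSFederationRequest.getWctx());
            addIfNotBlank(builder, "wfresh", wSFederationRequest.getWfresh());
            addIfNotBlank(builder, "whr", wSFederationRequest.getWhr());
            addIfNotBlank(builder, "wreq", wSFederationRequest.getWreq());
            final URI callbackUri = builder.build();
            LOGGER.trace("Built service callback url [{}]", callbackUri);
            return CommonUtils.constructServiceUrl(httpServletRequest, httpServletResponse,
                callbackUri.toString(), this.casProperties.getServer().getName(), "service", "ticket", false);
        } catch (final Exception e) {
            throw new SamlException(e.getMessage(), e);
        }
    }

    /**
     * Adds {@code name=value} to the builder only when the value is non-blank.
     *
     * @param builder URI builder to extend
     * @param name    query parameter name
     * @param value   query parameter value, possibly blank or {@code null}
     */
    private static void addIfNotBlank(final URIBuilder builder, final String name, final String value) {
        if (StringUtils.isNotBlank(value)) {
            builder.addParameter(name, value);
        }
    }

    /**
     * Locates the caller's current security token through the TGT cookie.
     *
     * <p>Resolution chain: TGT cookie value → {@link TicketGrantingTicket} in the registry →
     * first descendant ticket id starting with {@code STS} (assumed to be the
     * {@link SecurityTokenTicket} id prefix; verify against that ticket type) →
     * {@link SecurityTokenTicket} in the registry → its {@link SecurityToken}. Only the
     * first matching descendant is considered.
     *
     * @param httpServletRequest current request
     * @return the security token, or {@code null} when any step of the chain fails or
     * when either the ticket or the token reports itself as expired
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public SecurityToken getSecurityTokenFromRequest(final HttpServletRequest httpServletRequest) {
        final String tgtId = this.ticketGrantingTicketCookieGenerator.retrieveCookieValue(httpServletRequest);
        if (StringUtils.isBlank(tgtId)) {
            return null;
        }
        final TicketGrantingTicket tgt = this.ticketRegistry.getTicket(tgtId, TicketGrantingTicket.class);
        if (tgt == null) {
            return null;
        }
        final String stsTicketId = tgt.getDescendantTickets().stream()
            .filter(id -> id.startsWith(STS_TICKET_PREFIX))
            .findFirst()
            .orElse(null);
        if (StringUtils.isBlank(stsTicketId)) {
            return null;
        }
        final SecurityTokenTicket stsTicket = this.ticketRegistry.getTicket(stsTicketId, SecurityTokenTicket.class);
        if (stsTicket == null || stsTicket.isExpired()) {
            LOGGER.warn("Security token ticket [{}] is not found or has expired", stsTicketId);
            return null;
        }
        final SecurityToken token = stsTicket.getSecurityToken();
        if (token.isExpired()) {
            LOGGER.warn("Security token linked to ticket [{}] has expired", stsTicketId);
            return null;
        }
        return token;
    }

    /**
     * Decides whether the {@code wfresh} parameter requires the user to authenticate again.
     *
     * <p>{@code wfresh} is read as a number of minutes. The decision is:
     * <ul>
     *   <li>blank, non-numeric or {@code 0} → {@code false};</li>
     *   <li>no current security token for the caller → {@code true};</li>
     *   <li>otherwise {@code true} exactly when the token's creation time plus
     *       {@code wfresh} minutes lies in the past; a negative or overflowing
     *       value, or a token without a creation time, yields {@code false}.</li>
     * </ul>
     *
     * <p>Fix over the decompiled listing: the numeric check was inverted
     * ({@code isCreatable} instead of {@code !isCreatable}), which returned {@code false}
     * for every numeric {@code wfresh} — so freshness was never enforced — and threw
     * {@link NumberFormatException} for non-numeric values.
     *
     * @param wSFederationRequest parsed WS-Federation request
     * @param httpServletRequest  current request, used to look up the existing token
     * @return {@code true} if a renewed authentication is required
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean shouldRenewAuthentication(final WSFederationRequest wSFederationRequest,
                                             final HttpServletRequest httpServletRequest) {
        final String wfresh = wSFederationRequest.getWfresh();
        if (StringUtils.isBlank(wfresh) || !NumberUtils.isCreatable(wfresh)) {
            return false;
        }
        final long ttlMinutes;
        try {
            ttlMinutes = Long.parseLong(wfresh.trim());
        } catch (final NumberFormatException e) {
            // isCreatable also accepts decimals/hex/exponents that parseLong rejects.
            LOGGER.debug("wfresh [{}] is numeric but not an integer number of minutes; ignoring it", wfresh);
            return false;
        }
        if (ttlMinutes == 0) {
            return false;
        }
        final SecurityToken token = getSecurityTokenFromRequest(httpServletRequest);
        if (token == null) {
            return true;
        }
        // A negative wfresh, or one large enough to overflow, disables the freshness check.
        final long ttlMillis = ttlMinutes * 60L * 1000L;
        if (ttlMillis <= 0) {
            return false;
        }
        final Instant created = token.getCreated();
        if (created == null) {
            return false;
        }
        return created.plusMillis(ttlMillis).isBefore(Instant.now());
    }

    /**
     * Resolves the registered service for this request and checks its realm.
     *
     * <p>The request's {@code wtrealm} must be non-blank, equal the registered
     * service's realm, and that realm must equal the identity provider's configured realm;
     * otherwise an {@link UnauthorizedServiceException} is thrown. {@code wreply} is not
     * checked here.
     *
     * @param httpServletResponse current response
     * @param httpServletRequest  current request
     * @param wSFederationRequest parsed WS-Federation request
     * @return the matching, access-allowed registered service
     * @throws UnauthorizedServiceException when the realm checks fail
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public WSFederationRegisteredService findAndValidateFederationRequestForRegisteredService(final HttpServletResponse httpServletResponse,
                                                                                              final HttpServletRequest httpServletRequest,
                                                                                              final WSFederationRequest wSFederationRequest) {
        final String serviceUrl = constructServiceUrl(httpServletRequest, httpServletResponse, wSFederationRequest);
        final Service resolved = this.serviceSelectionStrategy.resolveServiceFrom(
            this.webApplicationServiceFactory.createService(serviceUrl));
        // NOTE(review): relies on getWsFederationRegisteredService never returning null — confirm
        // that ensureServiceAccessIsAllowed rejects a missing service.
        final WSFederationRegisteredService registered = getWsFederationRegisteredService(resolved);
        final WsFederationProperties.IdentityProvider idp = this.casProperties.getAuthn().getWsfedIdp().getIdp();

        final String requestRealm = wSFederationRequest.getWtrealm();
        if (StringUtils.isBlank(requestRealm) || !StringUtils.equals(requestRealm, registered.getRealm())) {
            LOGGER.warn("Realm [{}] is not authorized for matching service [{}]", requestRealm, registered);
            throw new UnauthorizedServiceException("screen.service.error.message", "");
        }
        if (!StringUtils.equals(idp.getRealm(), registered.getRealm())) {
            LOGGER.warn("Realm [{}] is not authorized for the identity provider realm [{}]", requestRealm, idp.getRealm());
            throw new UnauthorizedServiceException("screen.service.error.message", "");
        }
        return registered;
    }

    /**
     * Looks up the {@link WSFederationRegisteredService} for a service and enforces its
     * access strategy.
     *
     * @param service the resolved service
     * @return the registered service found for it
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public WSFederationRegisteredService getWsFederationRegisteredService(final Service service) {
        final WSFederationRegisteredService registered =
            this.servicesManager.findServiceBy(service, WSFederationRegisteredService.class);
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registered);
        return registered;
    }

    /**
     * Maps any exception raised by a handler in this controller to the generic
     * unauthorized-service error view; the exception is recorded at debug level so
     * it is not silently lost.
     *
     * @param httpServletRequest current request
     * @param exc                the exception raised
     * @return the unauthorized error view
     */
    @ExceptionHandler({Exception.class})
    public ModelAndView handleUnauthorizedServiceException(final HttpServletRequest httpServletRequest, final Exception exc) {
        LOGGER.debug("Handling [{}] by producing the unauthorized error view", exc.getClass().getName(), exc);
        return WebUtils.produceUnauthorizedErrorView();
    }
}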
