package org.apereo.cas.ws.idp.services;

import java.io.StringWriter;
import java.util.Map;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import javax.xml.XMLConstants;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import lombok.Generated;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.fediz.core.exception.ProcessingException;
import org.apache.cxf.staxutils.W3CDOMStreamWriter;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apereo.cas.CipherExecutor;
import org.apereo.cas.authentication.SecurityTokenServiceClient;
import org.apereo.cas.authentication.SecurityTokenServiceClientBuilder;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.ws.idp.WSFederationClaims;
import org.apereo.cas.ws.idp.web.WSFederationRequest;
import org.jasig.cas.client.validation.Assertion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.w3c.dom.Element;

/* loaded from: input_file:org/apereo/cas/ws/idp/services/DefaultRelyingPartyTokenProducer.class */
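/**
 * Default {@link WSFederationRelyingPartyTokenProducer}: asks the security token service (STS)
 * for a token scoped to the relying party and returns it serialized as an XML string.
 * <p>
 * {@link #produce} builds an STS client for the registered service, attaches the claims that
 * correspond to the authenticated principal's attributes, requests the security token response
 * and serializes the resulting DOM element. Only attributes whose name matches a
 * {@link WSFederationClaims} constant are requested as claims; non-{@code String} values are skipped.
 */
public class DefaultRelyingPartyTokenProducer implements WSFederationRelyingPartyTokenProducer {

    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultRelyingPartyTokenProducer.class);

    /** WS-Trust 1.3 namespace of the {@code wst:Claims} wrapper element. */
    private static final String WS_TRUST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";

    /** Identity claims dialect/namespace of the {@code ic:ClaimValue} and {@code ic:Value} elements. */
    private static final String IDENTITY_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity";

    /** Local part of the SOAP fault code that is translated into a bad-request processing error. */
    private static final String REQUEST_FAILED_FAULT = "RequestFailed";

    private final SecurityTokenServiceClientBuilder clientBuilder;
    private final CipherExecutor<String, String> credentialCipherExecutor;

    /**
     * Creates a producer.
     *
     * @param securityTokenServiceClientBuilder builds the STS client used for relying-party token requests
     * @param cipherExecutor                    cipher used to derive the STS password from the principal name
     * @throws NullPointerException if either collaborator is {@code null}
     */
    public DefaultRelyingPartyTokenProducer(final SecurityTokenServiceClientBuilder securityTokenServiceClientBuilder,
                                            final CipherExecutor<String, String> cipherExecutor) {
        this.clientBuilder = Objects.requireNonNull(securityTokenServiceClientBuilder, "securityTokenServiceClientBuilder");
        this.credentialCipherExecutor = Objects.requireNonNull(cipherExecutor, "cipherExecutor");
    }

    /**
     * Produces the serialized relying-party token for the given service and authenticated principal.
     *
     * @param securityToken the IdP security token used to build the STS client
     * @param service       the WS-Federation registered service the token is issued for
     * @param fedRequest    the incoming WS-Federation request (not consulted by this implementation)
     * @param request       the HTTP request (not consulted by this implementation)
     * @param assertion     the validated assertion whose principal supplies name and attributes
     * @return the security token response element serialized as XML without a declaration
     * @throws SoapFault                if the STS returns a fault other than {@code RequestFailed}
     * @throws IllegalArgumentException if the STS rejects the request with {@code RequestFailed}
     * @throws IllegalStateException    if the response element cannot be serialized
     */
    @Override
    public String produce(final SecurityToken securityToken,
                          final WSFederationRegisteredService service,
                          final WSFederationRequest fedRequest,
                          final HttpServletRequest request,
                          final Assertion assertion) {
        LOGGER.debug("Building security token service client for service [{}]", service);
        final SecurityTokenServiceClient client =
            this.clientBuilder.buildClientForRelyingPartyTokenResponses(securityToken, service);
        mapAttributesToRequestedClaims(service, client, assertion);
        final Element response = requestSecurityTokenResponse(service, client, assertion);
        return serializeRelyingPartyToken(response);
    }

    /**
     * Serializes a DOM element to a string without an XML declaration.
     *
     * @param element the element to serialize
     * @return the XML text of {@code element}
     * @throws IllegalStateException if the transformer cannot be configured or the transform fails
     */
    private static String serializeRelyingPartyToken(final Element element) {
        try {
            final TransformerFactory factory = TransformerFactory.newInstance();
            // Hardening: secure processing is mandatory for every JAXP factory and, in the JDK
            // implementation, also blocks external DTD/stylesheet access during the transform.
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            final Transformer transformer = factory.newTransformer();
            // Emit a bare fragment: no "<?xml ...?>" prologue.
            transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
            final StringWriter out = new StringWriter();
            transformer.transform(new DOMSource(element), new StreamResult(out));
            return out.toString();
        } catch (final TransformerException e) {
            // TransformerConfigurationException is a subclass, so setFeature/newTransformer are covered too.
            throw new IllegalStateException("Unable to serialize relying party token", e);
        }
    }

    /**
     * Builds a {@code wst:Claims} element from the principal's attributes and installs it on the STS client.
     * Failures are logged and leave the client without claims; they do not abort token production.
     *
     * @param service   the registered service, used for logging only
     * @param client    the STS client that receives the claims element
     * @param assertion the validated assertion whose principal attributes are mapped
     */
    private static void mapAttributesToRequestedClaims(final WSFederationRegisteredService service,
                                                        final SecurityTokenServiceClient client,
                                                        final Assertion assertion) {
        try {
            final W3CDOMStreamWriter writer = new W3CDOMStreamWriter();
            writer.writeStartElement("wst", "Claims", WS_TRUST_NS);
            writer.writeNamespace("wst", WS_TRUST_NS);
            writer.writeNamespace("ic", IDENTITY_NS);
            writer.writeAttribute("Dialect", IDENTITY_NS);

            final Map<String, Object> attributes = assertion.getPrincipal().getAttributes();
            LOGGER.debug("Mapping principal attributes [{}] to claims for service [{}]", attributes, service);
            attributes.forEach((attributeName, attributeValues) -> writeClaim(writer, attributeName, attributeValues));

            writer.writeEndElement();
            client.setClaims(writer.getDocument().getDocumentElement());
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
        }
    }

    /**
     * Writes one {@code ic:ClaimValue} element for a principal attribute, if the attribute name is a
     * known {@link WSFederationClaims} constant. Each {@code String} value becomes an {@code ic:Value}.
     * Per-claim failures are logged so one bad attribute does not prevent the others from being written.
     *
     * @param writer          the stream writer positioned inside the {@code wst:Claims} element
     * @param attributeName   principal attribute name, matched against {@link WSFederationClaims}
     * @param attributeValues single value or collection of values for the attribute
     */
    private static void writeClaim(final W3CDOMStreamWriter writer, final String attributeName, final Object attributeValues) {
        try {
            if (!WSFederationClaims.contains(attributeName)) {
                LOGGER.warn("Request claim [{}] is not defined/supported by CAS", attributeName);
                return;
            }
            final String uri = WSFederationClaims.valueOf(attributeName).getUri();
            LOGGER.debug("Requesting claim [{}] mapped to [{}]", attributeName, uri);
            writer.writeStartElement("ic", "ClaimValue", IDENTITY_NS);
            writer.writeAttribute("Uri", uri);
            // Claims are always requested as optional; the STS may omit them.
            writer.writeAttribute("Optional", Boolean.TRUE.toString());
            for (final Object value : CollectionUtils.toCollection(attributeValues)) {
                if (value instanceof String) {
                    writer.writeStartElement("ic", "Value", IDENTITY_NS);
                    writer.writeCharacters((String) value);
                    writer.writeEndElement();
                }
            }
            writer.writeEndElement();
        } catch (final Exception e) {
            // NOTE(review): a failure between writeStartElement and writeEndElement leaves the
            // ClaimValue element open, so the enclosing wst:Claims element may end up malformed.
            LOGGER.error(e.getMessage(), e);
        }
    }

    /**
     * Requests the security token response from the STS on behalf of the principal.
     *
     * @param service   the registered service whose {@code AppliesTo} scopes the request
     * @param client    the STS client, already carrying the requested claims
     * @param assertion the validated assertion supplying the principal name
     * @return the security token response element
     * @throws SoapFault                for any STS fault other than {@code RequestFailed}
     * @throws IllegalArgumentException wrapping a {@code BAD_REQUEST} {@link ProcessingException} on {@code RequestFailed}
     */
    private Element requestSecurityTokenResponse(final WSFederationRegisteredService service,
                                                 final SecurityTokenServiceClient client,
                                                 final Assertion assertion) {
        try {
            final String principalName = assertion.getPrincipal().getName();
            // The STS request is authenticated with the principal name as username and the
            // cipher-encoded principal name as password; presumably the STS side verifies it with
            // the same cipher. The encoded value is deliberately not logged.
            client.getProperties().put("security.username", principalName);
            client.getProperties().put("security.password", this.credentialCipherExecutor.encode(principalName));
            LOGGER.debug("Requesting security token response for service [{}] as [{}]", service, principalName);
            return client.requestSecurityTokenResponse(service.getAppliesTo());
        } catch (final SoapFault e) {
            // Only "RequestFailed" is translated into a bad-request error; other faults propagate unchanged.
            if (e.getFaultCode() == null || !REQUEST_FAILED_FAULT.equals(e.getFaultCode().getLocalPart())) {
                throw e;
            }
            throw new IllegalArgumentException(new ProcessingException(ProcessingException.TYPE.BAD_REQUEST));
        }
    }
}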
