package org.apereo.cas.ws.idp.web;

import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.SerializationUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.SecurityTokenTicket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.web.support.CookieUtils;
import org.apereo.cas.ws.idp.services.WSFederationRegisteredService;
import org.jasig.cas.client.validation.Assertion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;

/* loaded from: input_file:org/apereo/cas/ws/idp/web/WSFederationValidateRequestCallbackController.class */
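/**
 * WS-Federation IdP callback endpoint ({@code /ws/idp/federationcallback}).
 *
 * <p>After CAS has authenticated the user for a WS-Federation sign-in, the browser arrives here with
 * the original {@code wa}/{@code wtrealm}/{@code wreply}/{@code wctx} parameters plus a CAS
 * {@code ticket}. The controller, in this order: (1) rebuilds the service this callback represents
 * and authorizes it against the registered relying party, (2) validates the CAS ticket against the
 * reconstructed callback URL, (3) obtains a security token (from the request if already present,
 * otherwise from the STS), (4) records it as a {@link SecurityTokenTicket} bound to the user's TGT,
 * and (5) auto-POSTs the relying-party token back to {@code wreply}.
 *
 * <p>Security note: the destination of the final POST is taken from the request ({@code wreply},
 * falling back to {@code wtrealm}). Nothing in this class validates that URL by itself; it relies on
 * the inherited {@code findAndValidateFederationRequestForRegisteredService} (not visible here)
 * rejecting requests that do not match an allowed registered service. Confirm that check constrains
 * {@code wreply} and not only the realm, or tokens can be posted to an attacker-chosen endpoint.
 */
public class WSFederationValidateRequestCallbackController extends BaseWSFederationRequestController {

    private static final Logger LOGGER = LoggerFactory.getLogger(WSFederationValidateRequestCallbackController.class);

    /** Name of the CAS service-ticket request parameter expected on the callback. */
    private static final String PARAMETER_TICKET = "ticket";

    /**
     * @param wSFederationRequestConfigurationContext shared configuration (ticket registry, validator, STS fetcher, ...)
     */
    public WSFederationValidateRequestCallbackController(final WSFederationRequestConfigurationContext wSFederationRequestConfigurationContext) {
        super(wSFederationRequestConfigurationContext);
    }

    /**
     * Builds the auto-submitting POST view that delivers the relying-party token.
     *
     * @param relyingPartyToken token produced for the relying party; becomes the {@code wresult} form field
     * @param fedRequest        the parsed WS-Federation request
     * @return the {@code casPostResponseView} model targeting the reply URL
     */
    private static ModelAndView postResponseBackToRelyingParty(final String relyingPartyToken, final WSFederationRequest fedRequest) {
        // Destination is request-controlled: wreply when present, else wtrealm. No validation of it
        // happens here; the request must already have been authorized against the registered
        // service before this point (see handleFederationRequest).
        final String replyTo = StringUtils.isNotBlank(fedRequest.getWreply()) ? fedRequest.getWreply() : fedRequest.getWtrealm();

        final Map<String, String> parameters = new HashMap<>();
        parameters.put("wa", "wsignin1.0");
        // The token is HTML-unescaped before being handed to the view. This assumes casPostResponseView
        // HTML-encodes every parameter value when rendering the hidden inputs — confirm; otherwise the
        // raw token markup would be reflected into the page.
        parameters.put("wresult", StringEscapeUtils.unescapeHtml4(relyingPartyToken));
        parameters.put("wtrealm", fedRequest.getWtrealm());
        if (StringUtils.isNotBlank(fedRequest.getWctx())) {
            parameters.put("wctx", fedRequest.getWctx());
        }
        LOGGER.trace("Posting relying party token to [{}]", replyTo);
        return new ModelAndView("casPostResponseView", CollectionUtils.wrap("originalUrl", replyTo, "parameters", parameters));
    }

    /**
     * Handles the post-authentication callback and returns either the POST-back view or a
     * FORBIDDEN error view when no CAS ticket accompanies the request.
     *
     * @param httpServletResponse current response
     * @param httpServletRequest  current request carrying the wsfed parameters and the CAS ticket
     * @return the view to render
     * @throws Exception on validation, STS or ticket-registry failures (propagated to the web layer)
     */
    @GetMapping(path = {"/ws/idp/federationcallback"})
    protected ModelAndView handleFederationRequest(final HttpServletResponse httpServletResponse,
                                                   final HttpServletRequest httpServletRequest) throws Exception {
        final WSFederationRequest fedRequest = WSFederationRequest.of(httpServletRequest);
        LOGGER.debug("Received callback profile request [{}]", httpServletRequest.getRequestURI());

        // Rebuild the service this callback represents (callback URL + wsfed parameters) and let the
        // selection strategy resolve the relying party from it.
        final String serviceUrl = constructServiceUrl(httpServletRequest, httpServletResponse, fedRequest);
        final Service targetService = getConfigContext().getServiceSelectionStrategy()
            .resolveServiceFrom(getConfigContext().getWebApplicationServiceFactory().createService(serviceUrl));
        putRequestAttribute(targetService, "wreply", fedRequest.getWreply());
        putRequestAttribute(targetService, "wtrealm", fedRequest.getWtrealm());
        putRequestAttribute(targetService, "wctx", fedRequest.getWctx());

        // Authorization gate. The inherited check is expected to throw when the request does not
        // match an allowed registered service; keep it ahead of any ticket/token work. The resolved
        // registered service is reused below instead of being looked up a second time.
        final WSFederationRegisteredService registeredService = findAndValidateFederationRequestForRegisteredService(targetService, fedRequest);
        LOGGER.debug("Located matching service [{}]", registeredService);

        final String ticket = httpServletRequest.getParameter(PARAMETER_TICKET);
        if (StringUtils.isBlank(ticket)) {
            LOGGER.error("Can not validate the request because no [{}] is provided via the request", PARAMETER_TICKET);
            return new ModelAndView("error", new HashMap<>(0), HttpStatus.FORBIDDEN);
        }

        final Assertion assertion = validateRequestAndBuildCasAssertion(ticket, httpServletResponse, httpServletRequest, fedRequest);

        // Prefer a token already carried by the request; otherwise ask the STS to issue one for the
        // principal established by the validated assertion.
        SecurityToken securityToken = getSecurityTokenFromRequest(httpServletRequest);
        if (securityToken == null) {
            LOGGER.debug("No security token is yet available. Invoking security token service to issue token");
            securityToken = fetchSecurityTokenFromAssertion(assertion, targetService);
        }
        addSecurityTokenTicketToRegistry(httpServletRequest, securityToken);

        final String relyingPartyToken = produceRelyingPartyToken(httpServletRequest, registeredService, fedRequest, securityToken, assertion);
        return postResponseBackToRelyingParty(relyingPartyToken, fedRequest);
    }

    /**
     * Stores one wsfed request parameter on the resolved service as a single-valued attribute.
     * The explicit {@code Object[]} mirrors the original call shape so the attribute value list keeps
     * {@code Object} as its element type; a {@code null} value becomes a one-element list holding null.
     */
    private static void putRequestAttribute(final Service service, final String name, final Object value) {
        service.getAttributes().put(name, CollectionUtils.wrapList(new Object[]{value}));
    }

    /**
     * Asks the STS token fetcher for a security token for the authenticated principal.
     *
     * @param assertion validated CAS assertion; its principal name identifies the subject
     * @param service   the resolved target service
     * @return the issued token
     * @throws UnauthorizedServiceException when the fetcher returns no token
     */
    private SecurityToken fetchSecurityTokenFromAssertion(final Assertion assertion, final Service service) {
        final String principalId = assertion.getPrincipal().getName();
        final Optional<SecurityToken> token = getConfigContext().getSecurityTokenServiceTokenFetcher().fetch(service, principalId);
        return token.orElseThrow(() -> {
            LOGGER.warn("No security token could be retrieved for service [{}] and principal [{}]", service, principalId);
            return new UnauthorizedServiceException("screen.service.error.message");
        });
    }

    /**
     * Persists the security token as a {@link SecurityTokenTicket} attached to the caller's TGT.
     *
     * @param httpServletRequest request carrying the TGT cookie
     * @param securityToken      token to persist
     * @throws IllegalStateException when no ticket-granting ticket can be located for the request
     * @throws Exception             on ticket-registry failures
     */
    private void addSecurityTokenTicketToRegistry(final HttpServletRequest httpServletRequest, final SecurityToken securityToken) throws Exception {
        LOGGER.trace("Creating security token as a ticket to CAS ticket registry...");
        final TicketRegistry ticketRegistry = getConfigContext().getTicketRegistry();
        final TicketGrantingTicket tgt = CookieUtils.getTicketGrantingTicketFromRequest(
            getConfigContext().getTicketGrantingTicketCookieGenerator(), ticketRegistry, httpServletRequest);
        if (tgt == null) {
            // Fail closed: without a TGT there is no authenticated SSO session to bind the token to,
            // and a null would otherwise travel into the ticket factory and the registry update below.
            LOGGER.error("No ticket-granting ticket could be located for the request; refusing to record the security token");
            throw new IllegalStateException("No ticket-granting ticket is available for the WS-Federation callback request");
        }
        // The token is stored as a Java-serialized blob. Whatever later deserializes it must treat the
        // ticket registry as trusted storage; never feed externally supplied bytes through that path.
        final SecurityTokenTicket tokenTicket = getConfigContext().getTicketFactory().get(SecurityTokenTicket.class)
            .create(tgt, SerializationUtils.serialize(securityToken));
        LOGGER.trace("Created security token ticket [{}]", tokenTicket);
        ticketRegistry.addTicket(tokenTicket);
        LOGGER.trace("Added security token as a ticket to CAS ticket registry...");
        // The TGT was handed to the factory above; persist it so any state the factory attached to it is
        // not lost — presumably child-ticket bookkeeping, confirm against the ticket factory.
        ticketRegistry.updateTicket(tgt);
    }

    /**
     * Produces the relying-party token (the eventual {@code wresult}) for an already-authorized service.
     *
     * @param httpServletRequest current request
     * @param registeredService  the registered service this request was authorized against
     * @param fedRequest         the parsed WS-Federation request
     * @param securityToken      the security token backing the relying-party token
     * @param assertion          the validated CAS assertion
     * @return the serialized relying-party token
     * @throws Exception on token production failures
     */
    private String produceRelyingPartyToken(final HttpServletRequest httpServletRequest, final WSFederationRegisteredService registeredService,
                                            final WSFederationRequest fedRequest, final SecurityToken securityToken,
                                            final Assertion assertion) throws Exception {
        LOGGER.debug("Located registered service [{}] to create relying-party tokens...", registeredService);
        return getConfigContext().getRelyingPartyTokenProducer().produce(securityToken, registeredService, fedRequest, httpServletRequest, assertion);
    }

    /**
     * Validates the CAS service ticket against the reconstructed callback service URL.
     *
     * @param ticket              the non-blank CAS ticket from the request
     * @param httpServletResponse current response
     * @param httpServletRequest  current request
     * @param fedRequest          the parsed WS-Federation request
     * @return the validated assertion
     * @throws Exception when validation fails
     */
    private Assertion validateRequestAndBuildCasAssertion(final String ticket, final HttpServletResponse httpServletResponse,
                                                          final HttpServletRequest httpServletRequest,
                                                          final WSFederationRequest fedRequest) throws Exception {
        // The validation service URL is rebuilt from the callback address and the wsfed parameters, so a
        // ticket issued for a different service URL is expected to be rejected by the validator.
        final String serviceUrl = constructServiceUrl(httpServletRequest, httpServletResponse, fedRequest);
        LOGGER.trace("Created service url for validation: [{}]", serviceUrl);
        final Assertion assertion = getConfigContext().getTicketValidator().validate(ticket, serviceUrl);
        // NOTE(review): logging the whole assertion at DEBUG may write principal attributes to the logs.
        LOGGER.debug("Located CAS assertion [{}]", assertion);
        return assertion;
    }
}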
