package org.apereo.cas.support.wsfederation.web.flow;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.wsfederation.WsFederationConfiguration;
import org.apereo.cas.support.wsfederation.WsFederationHelper;
import org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.web.support.WebUtils;
import org.opensaml.saml.saml1.core.Assertion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/support/wsfederation/web/flow/WsFederationAction.class */
public class WsFederationAction extends AbstractAction {
    /** Session/request attribute names that are carried across the round trip to the IdP. */
    private static final String LOCALE = "locale";
    private static final String METHOD = "method";
    private static final String PROVIDERURL = "WsFederationIdentityProviderUrl";
    /** Query string appended to the IdP URL; the relying-party identifier is appended after it. */
    private static final String QUERYSTRING = "?wa=wsignin1.0&wtrealm=";
    private static final String SERVICE = "service";
    private static final String THEME = "theme";
    /** Request parameter that tells this action whether the IdP is posting back a token. */
    private static final String WA = "wa";
    /** Request parameter carrying the WS-Federation response token. */
    private static final String WRESULT = "wresult";
    private static final String WSIGNIN = "wsignin1.0";
    /** Registered-service property that overrides the configured relying-party identifier. */
    private static final String RP_ID_PROPERTY = "wsfed.relyingPartyIdentifier";
    private static final Logger LOGGER = LoggerFactory.getLogger(WsFederationAction.class);

    private final WsFederationHelper wsFederationHelper;
    private final WsFederationConfiguration configuration;
    private final CentralAuthenticationService centralAuthenticationService;
    private final AuthenticationSystemSupport authenticationSystemSupport;
    private final ServicesManager servicesManager;
    /** IdP URL with the sign-in query string; only the wtrealm value is still missing. */
    private final String authorizationUrl;

    /**
     * Creates the action.
     *
     * @param authenticationSystemSupport  finalizes the authentication transaction
     * @param centralAuthenticationService issues the ticket-granting ticket
     * @param wsFederationConfiguration    IdP url, identifiers, tolerance and optional attribute mutator
     * @param wsFederationHelper           parses, validates and converts the WS-Federation token
     * @param servicesManager              resolves the registered service for the requested service
     */
    public WsFederationAction(final AuthenticationSystemSupport authenticationSystemSupport,
                              final CentralAuthenticationService centralAuthenticationService,
                              final WsFederationConfiguration wsFederationConfiguration,
                              final WsFederationHelper wsFederationHelper,
                              final ServicesManager servicesManager) {
        this.authenticationSystemSupport = authenticationSystemSupport;
        this.centralAuthenticationService = centralAuthenticationService;
        this.configuration = wsFederationConfiguration;
        this.wsFederationHelper = wsFederationHelper;
        this.servicesManager = servicesManager;
        // Must run after configuration is assigned: the url is derived from it.
        this.authorizationUrl = this.configuration.getIdentityProviderUrl() + QUERYSTRING;
    }

    /**
     * Entry point of the webflow action.
     * <p>
     * When the request carries {@code wa=wsignin1.0} the IdP is posting a token back and it is
     * validated; otherwise the request is treated as a fresh login and the flow is pointed at the IdP.
     * Any exception is logged and mapped to the {@code error} event.
     *
     * @param requestContext the webflow request context
     * @return {@code success} after a ticket-granting ticket was created, {@code error} otherwise
     */
    protected Event doExecute(final RequestContext requestContext) throws Exception {
        try {
            final HttpServletRequest request = WebUtils.getHttpServletRequest(requestContext);
            final String waParameter = request.getParameter(WA);
            final boolean isTokenPostBack = StringUtils.isNotBlank(waParameter)
                && waParameter.equalsIgnoreCase(WSIGNIN);
            if (isTokenPostBack) {
                return handleWsFederationAuthenticationRequest(requestContext);
            }
            return routeToLoginRequest(requestContext);
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            return error();
        }
    }

    /**
     * Prepares a redirect to the IdP for a fresh login.
     * <p>
     * The requested service and the theme/locale/method request parameters are stashed in the HTTP
     * session so they can be restored when the IdP posts the token back. The IdP url is placed in flow
     * scope under {@link #PROVIDERURL}; the {@code error} event is returned deliberately, since the
     * redirect itself is performed by the flow transition that consumes that attribute.
     *
     * @param requestContext the webflow request context
     * @return the {@code error} event
     */
    private Event routeToLoginRequest(final RequestContext requestContext) {
        final HttpServletRequest request = WebUtils.getHttpServletRequest(requestContext);
        final HttpSession session = request.getSession();
        final Service requestedService = (Service) requestContext.getFlowScope().get(SERVICE);
        if (requestedService != null) {
            session.setAttribute(SERVICE, requestedService);
        }
        for (final String name : new String[]{THEME, LOCALE, METHOD}) {
            saveRequestParameter(request, session, name);
        }
        // NOTE(review): the relying-party identifier is appended to the wtrealm query value without
        // URL-encoding; confirm that configured/registered identifiers never contain reserved characters.
        final String identityProviderUrl = buildIdentityProviderUrl(getRelyingPartyIdentifier(requestedService));
        LOGGER.info("Preparing to redirect to the IdP [{}]", identityProviderUrl);
        requestContext.getFlowScope().put(PROVIDERURL, identityProviderUrl);
        LOGGER.debug("Returning error event");
        return error();
    }

    /**
     * Handles the token posted back by the IdP: the {@code wresult} parameter is parsed into a SAML
     * assertion and its signature is checked before any credential is built from it.
     *
     * @param requestContext the webflow request context
     * @return {@code error} when the token is missing, unparsable or has an invalid signature;
     * otherwise the result of {@link #buildCredentialsFromAssertion}
     */
    private Event handleWsFederationAuthenticationRequest(final RequestContext requestContext) {
        final String wresult = WebUtils.getHttpServletRequest(requestContext).getParameter(WRESULT);
        // NOTE(review): this logs the complete token at DEBUG; keep that level disabled in production.
        LOGGER.debug("Parameter [{}] received: [{}]", WRESULT, wresult);
        if (StringUtils.isBlank(wresult)) {
            LOGGER.error("No [{}] parameter is found", WRESULT);
            return error();
        }
        LOGGER.debug("Attempting to create an assertion from the token parameter");
        final Assertion assertion = this.wsFederationHelper.parseTokenFromString(wresult, this.configuration);
        if (assertion == null) {
            LOGGER.error("Could not validate assertion via parsing the token from [{}]", WRESULT);
            return error();
        }
        LOGGER.debug("Attempting to validate the signature on the assertion");
        // Signature verification gates everything that follows; an unsigned/tampered token never reaches credential creation.
        if (!this.wsFederationHelper.validateSignature(assertion, this.configuration)) {
            LOGGER.error("WS Requested Security Token is blank or the signature is not valid.");
            return error();
        }
        return buildCredentialsFromAssertion(requestContext, assertion);
    }

    /**
     * Turns a signature-verified assertion into a credential, checks its audience/issuer/time validity,
     * finalizes authentication and creates the ticket-granting ticket.
     * <p>
     * The service and the theme/locale/method values stashed by {@link #routeToLoginRequest} are
     * restored from the session. If the credential is invalid the IdP url is put back into flow scope so
     * the flow can retry the sign-in.
     *
     * @param requestContext the webflow request context
     * @param assertion      the parsed, signature-verified assertion
     * @return {@code success} once a ticket-granting ticket is in scope, {@code error} otherwise
     */
    private Event buildCredentialsFromAssertion(final RequestContext requestContext, final Assertion assertion) {
        try {
            final HttpServletRequest request = WebUtils.getHttpServletRequest(requestContext);
            final HttpSession session = request.getSession();
            final Service requestedService = (Service) session.getAttribute(SERVICE);
            LOGGER.debug("Creating credential based on the provided assertion");
            final WsFederationCredential credential = this.wsFederationHelper.createCredentialFromToken(assertion);
            final String relyingPartyIdentifier = getRelyingPartyIdentifier(requestedService);
            final String identityProviderIdentifier = this.configuration.getIdentityProviderIdentifier();
            final boolean credentialIsValid = credential != null
                && credential.isValid(relyingPartyIdentifier, identityProviderIdentifier, this.configuration.getTolerance());
            if (!credentialIsValid) {
                LOGGER.warn("SAML assertions are blank or no longer valid based on RP identifier [{}] and IdP identifier [{}]",
                    relyingPartyIdentifier, identityProviderIdentifier);
                final String identityProviderUrl = buildIdentityProviderUrl(relyingPartyIdentifier);
                requestContext.getFlowScope().put(PROVIDERURL, identityProviderUrl);
                LOGGER.warn("Created authentication url [{}] and returning error", identityProviderUrl);
                return error();
            }
            LOGGER.debug("Validated assertion for the created credential successfully");
            final Object attributeMutator = this.configuration.getAttributeMutator();
            if (attributeMutator != null) {
                LOGGER.debug("Modifying credential attributes based on [{}]", attributeMutator.getClass().getSimpleName());
                this.configuration.getAttributeMutator().modifyAttributes(credential.getAttributes());
            }
            requestContext.getFlowScope().put(SERVICE, requestedService);
            for (final String name : new String[]{THEME, LOCALE, METHOD}) {
                restoreRequestAttribute(request, session, name);
            }
            LOGGER.debug("Creating final authentication result based on the given credential");
            final AuthenticationResult authenticationResult = this.authenticationSystemSupport
                .handleAndFinalizeSingleAuthenticationTransaction(requestedService, new Credential[]{credential});
            LOGGER.debug("Attempting to create a ticket-granting ticket for the authentication result");
            WebUtils.putTicketGrantingTicketInScopes(requestContext,
                this.centralAuthenticationService.createTicketGrantingTicket(authenticationResult));
            // NOTE(review): the credential object itself is logged at INFO; confirm its toString() does not
            // expose attribute values that should stay out of logs.
            LOGGER.info("Token validated and new [{}] created: [{}]", credential.getClass().getName(), credential);
            return success();
        } catch (final AbstractTicketException e) {
            LOGGER.error(e.getMessage(), e);
            return error();
        }
    }

    /**
     * Resolves the relying-party identifier: the configured default, overridden by the
     * {@code wsfed.relyingPartyIdentifier} property of the registered service when one is present.
     * Access to the registered service is checked first, so a disallowed service raises here.
     *
     * @param service the requested service, may be {@code null}
     * @return the relying-party identifier to use
     */
    private String getRelyingPartyIdentifier(final Service service) {
        String relyingPartyIdentifier = this.configuration.getRelyingPartyIdentifier();
        if (service != null) {
            final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService);
            if (registeredService.getProperties().containsKey(RP_ID_PROPERTY)) {
                final RegisteredServiceProperty property =
                    (RegisteredServiceProperty) registeredService.getProperties().get(RP_ID_PROPERTY);
                relyingPartyIdentifier = property.getValue();
            }
        }
        LOGGER.debug("Determined relying party identifier for [{}] to be [{}]", service, relyingPartyIdentifier);
        return relyingPartyIdentifier;
    }

    /**
     * Builds the full IdP sign-in url for the given relying party.
     *
     * @param relyingPartyIdentifier value of the {@code wtrealm} parameter
     * @return the IdP url with the sign-in query string and realm appended
     */
    private String buildIdentityProviderUrl(final String relyingPartyIdentifier) {
        return this.authorizationUrl + relyingPartyIdentifier;
    }

    /**
     * Copies a value stashed in the session onto the request as an attribute of the same name.
     * A missing session attribute is copied as {@code null}.
     */
    private static void restoreRequestAttribute(final HttpServletRequest request, final HttpSession session, final String name) {
        final String value = (String) session.getAttribute(name);
        request.setAttribute(name, value);
    }

    /**
     * Stashes a request parameter in the session under the same name; absent parameters are skipped.
     */
    private static void saveRequestParameter(final HttpServletRequest request, final HttpSession session, final String name) {
        final String value = request.getParameter(name);
        if (value == null) {
            return;
        }
        session.setAttribute(name, value);
    }
}
