package org.apereo.cas.support.wsfederation.web.flow;

import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.wsfederation.WsFederationConfiguration;
import org.apereo.cas.support.wsfederation.WsFederationHelper;
import org.apereo.cas.support.wsfederation.authentication.principal.WsFederationCredential;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.web.support.WebUtils;
import org.opensaml.saml.saml1.core.Assertion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.action.EventFactorySupport;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/support/wsfederation/web/flow/WsFederationAction.class */
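/**
 * Webflow action driving the WS-Federation passive requestor profile from the CAS side.
 * <p>
 * On a plain login request it either redirects straight to the IdP (when a configuration is
 * marked auto-redirect) or exposes one {@link WsFedClient} per configuration to the login view.
 * When the IdP posts back ({@code wa=wsignin1.0}), the {@code wresult} token is parsed, its
 * signature verified, the resulting SAML assertion checked against the relying-party / IdP
 * identifiers, and a ticket-granting ticket is created from the derived credential.
 * <p>
 * The outbound request is bound to the HTTP session through a random {@code wctx} value: the
 * requesting service is stored under {@code "service-" + wctx} and looked up again from the
 * {@code wctx} the IdP echoes back. All three places that build an IdP URL go through
 * {@link #buildIdentityProviderUrl}, so every URL carries a filled-in {@code wtrealm} and
 * {@code wctx} (previously only the auto-redirect path substituted the format placeholders;
 * the login-view and retry paths appended the RP id to the raw {@code %s} template and the
 * post-back was then rejected for a blank {@code wctx}).
 */
public class WsFederationAction extends AbstractAction {
    private static final String LOCALE = "locale";
    private static final String METHOD = "method";
    private static final String PROVIDERURL = "WsFederationIdentityProviderUrl";
    /** Format template appended to the IdP URL; arguments are the RP id (wtrealm) and the context key (wctx). */
    private static final String QUERYSTRING = "?wa=wsignin1.0&wtrealm=%s&wctx=%s";
    private static final String THEME = "theme";
    private static final String WA = "wa";
    private static final String WRESULT = "wresult";
    private static final String WSIGNIN = "wsignin1.0";
    private static final String WCTX = "wctx";
    /** Session attribute prefix under which the requesting service is stored, keyed by the generated wctx. */
    private static final String SERVICE_SESSION_ATTRIBUTE_PREFIX = "service-";
    private static final Logger LOGGER = LoggerFactory.getLogger(WsFederationAction.class);
    private final WsFederationHelper wsFederationHelper;
    private final Collection<WsFederationConfiguration> configuration;
    private final CentralAuthenticationService centralAuthenticationService;
    private final AuthenticationSystemSupport authenticationSystemSupport;
    private final ServicesManager servicesManager;

    /**
     * View model for one configured IdP, exposed to the login page under {@code wsfedUrls}.
     * {@code replyingPartyId} keeps its (misspelled) accessor names because templates bind to them.
     */
    public static class WsFedClient implements Serializable {
        private static final long serialVersionUID = 2733280849157146990L;
        private String redirectUrl;
        private String name;
        private String replyingPartyId;

        /** @return the fully-built IdP sign-in URL (wtrealm and wctx already substituted). */
        public String getRedirectUrl() {
            return this.redirectUrl;
        }

        public void setRedirectUrl(final String str) {
            this.redirectUrl = str;
        }

        /** @return the display name of the WS-Federation configuration. */
        public String getName() {
            return this.name;
        }

        public void setName(final String str) {
            this.name = str;
        }

        /** @return the relying-party identifier sent as {@code wtrealm}. */
        public String getReplyingPartyId() {
            return this.replyingPartyId;
        }

        public void setReplyingPartyId(final String str) {
            this.replyingPartyId = str;
        }
    }

    /**
     * @param authenticationSystemSupport  finalizes the authentication transaction for the derived credential
     * @param centralAuthenticationService creates the ticket-granting ticket
     * @param collection                   all WS-Federation IdP configurations
     * @param wsFederationHelper           token parsing, signature validation and credential construction
     * @param servicesManager              resolves the registered service for per-service RP identifiers
     */
    public WsFederationAction(final AuthenticationSystemSupport authenticationSystemSupport,
                              final CentralAuthenticationService centralAuthenticationService,
                              final Collection<WsFederationConfiguration> collection,
                              final WsFederationHelper wsFederationHelper,
                              final ServicesManager servicesManager) {
        this.authenticationSystemSupport = authenticationSystemSupport;
        this.centralAuthenticationService = centralAuthenticationService;
        this.configuration = collection;
        this.wsFederationHelper = wsFederationHelper;
        this.servicesManager = servicesManager;
    }

    /**
     * Entry point. Dispatches on the {@code wa} request parameter: an IdP post-back is validated,
     * otherwise the user is either auto-redirected to the first auto-redirect configuration or
     * shown the login view with one client entry per configuration.
     *
     * @return {@code success} once a TGT has been created, {@code error} when a redirect to the IdP
     *         is pending (the URL is in flow scope under {@link #PROVIDERURL}) or validation failed,
     *         {@code proceed} when the login view should render the client list
     * @throws UnauthorizedServiceException for any failure; the cause's message is surfaced to the UI.
     *         NOTE(review): internal exception text reaching the user screen is a minor disclosure.
     */
    @Override
    protected Event doExecute(final RequestContext requestContext) {
        try {
            final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
            final String wa = request.getParameter(WA);
            if (StringUtils.isNotBlank(wa) && wa.equalsIgnoreCase(WSIGNIN)) {
                return handleWsFederationAuthenticationRequest(requestContext);
            }
            final WsFederationConfiguration autoRedirect = this.configuration.stream()
                .filter(WsFederationConfiguration::isAutoRedirect)
                .findFirst()
                .orElse(null);
            if (autoRedirect != null) {
                return routeToLoginRequest(requestContext, autoRedirect);
            }
            prepareLoginViewWithWsFederationClients(requestContext);
            return new EventFactorySupport().event(this, "proceed");
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            throw new UnauthorizedServiceException("screen.service.error.message", e.getMessage());
        }
    }

    /**
     * Populates flow scope ({@code wsfedUrls}) with one {@link WsFedClient} per configuration so the
     * login page can offer a button per IdP. Each entry gets its own wctx/session binding, exactly
     * like the auto-redirect path, so the post-back can recover the service whichever IdP is chosen.
     */
    private void prepareLoginViewWithWsFederationClients(final RequestContext requestContext) {
        final Service service = (Service) requestContext.getFlowScope().get("service");
        final List<WsFedClient> clients = new ArrayList<>(this.configuration.size());
        for (final WsFederationConfiguration cfg : this.configuration) {
            final String relyingPartyIdentifier = getRelyingPartyIdentifier(service, requestContext, cfg);
            final WsFedClient client = new WsFedClient();
            client.setName(cfg.getName());
            client.setReplyingPartyId(relyingPartyIdentifier);
            client.setRedirectUrl(buildIdentityProviderUrl(requestContext, service, cfg, relyingPartyIdentifier));
            clients.add(client);
        }
        requestContext.getFlowScope().put("wsfedUrls", clients);
    }

    /**
     * Auto-redirect path: builds the IdP URL for the given configuration, stores it in flow scope
     * under {@link #PROVIDERURL} and returns {@code error} so the flow performs the redirect.
     * The RP identifier (and thus the service access check) is resolved before any session state
     * is written.
     */
    private Event routeToLoginRequest(final RequestContext requestContext, final WsFederationConfiguration cfg) {
        final Service service = (Service) requestContext.getFlowScope().get("service");
        final String relyingPartyIdentifier = getRelyingPartyIdentifier(service, requestContext, cfg);
        final String url = buildIdentityProviderUrl(requestContext, service, cfg, relyingPartyIdentifier);
        LOGGER.info("Preparing to redirect to the IdP [{}]", url);
        requestContext.getFlowScope().put(PROVIDERURL, url);
        return error();
    }

    /**
     * Builds the complete IdP sign-in URL and binds the outbound request to the current HTTP session:
     * a fresh random wctx is generated, the requesting service (if any) is saved under
     * {@code "service-" + wctx}, and the theme/locale/method request parameters are saved so they can
     * be restored on post-back. The wctx is a UUID and the RP id is expected to be a plain URI, so
     * neither is percent-encoded (same as before). NOTE(review): an RP id containing {@code &} or
     * {@code #} would corrupt the query string; confirm such values cannot be configured.
     *
     * @param service                the requesting service, may be {@code null}
     * @param relyingPartyIdentifier the wtrealm value already resolved for {@code service}
     * @return the IdP URL with wtrealm and wctx substituted
     */
    private String buildIdentityProviderUrl(final RequestContext requestContext,
                                            final Service service,
                                            final WsFederationConfiguration cfg,
                                            final String relyingPartyIdentifier) {
        final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        final HttpSession session = request.getSession();
        final String wctx = UUID.randomUUID().toString();
        if (service != null) {
            session.setAttribute(SERVICE_SESSION_ATTRIBUTE_PREFIX + wctx, service);
        }
        saveRequestParameter(request, session, THEME);
        saveRequestParameter(request, session, LOCALE);
        saveRequestParameter(request, session, METHOD);
        return String.format(getAuthorizationUrl(cfg), relyingPartyIdentifier, wctx);
    }

    /** @return the IdP URL with the {@link #QUERYSTRING} format template appended (placeholders NOT yet filled). */
    private static String getAuthorizationUrl(final WsFederationConfiguration cfg) {
        return cfg.getIdentityProviderUrl() + QUERYSTRING;
    }

    /**
     * IdP post-back path: extracts the RSTR from {@code wresult}, builds the assertion, verifies its
     * signature against the configured IdP keys and, only on success, derives the credential.
     *
     * @return {@code error} when {@code wresult} is missing or no assertion could be built
     * @throws IllegalArgumentException when the signature does not validate; the outer catch in
     *         {@link #doExecute} turns this into an {@link UnauthorizedServiceException}
     */
    private Event handleWsFederationAuthenticationRequest(final RequestContext requestContext) {
        final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        final String wresult = request.getParameter(WRESULT);
        // NOTE(review): this logs the complete signed token (including user attributes) at DEBUG.
        LOGGER.debug("Parameter [{}] received: [{}]", WRESULT, wresult);
        if (StringUtils.isBlank(wresult)) {
            LOGGER.error("No [{}] parameter is found", WRESULT);
            return error();
        }
        LOGGER.debug("Attempting to create an assertion from the token parameter");
        final Pair<Assertion, WsFederationConfiguration> assertion = this.wsFederationHelper.buildAndVerifyAssertion(
            this.wsFederationHelper.getRequestSecurityTokenFromResult(wresult), this.configuration);
        if (assertion == null) {
            LOGGER.error("Could not validate assertion via parsing the token from [{}]", WRESULT);
            return error();
        }
        LOGGER.debug("Attempting to validate the signature on the assertion");
        if (!this.wsFederationHelper.validateSignature(assertion)) {
            LOGGER.error("WS Requested Security Token is blank or the signature is not valid.");
            throw new IllegalArgumentException("WS Requested Security Token is blank or the signature is not valid.");
        }
        return buildCredentialsFromAssertion(requestContext, assertion);
    }

    /**
     * Turns a signature-verified assertion into a CAS credential, checks the assertion's audience,
     * issuer and time window against the matching configuration, and creates the TGT.
     * <p>
     * The service is recovered from the session via the echoed {@code wctx}. NOTE(review): an
     * unrecognised wctx is not rejected here; the login simply proceeds with a {@code null}
     * service. The session entry is also never removed, so it lives as long as the session.
     *
     * @param pair the verified assertion and the configuration that verified it
     * @return {@code success} with the TGT placed in scope; {@code error} when {@code wctx} is
     *         missing, the assertion fails validation (a fresh IdP URL is then placed in flow scope
     *         for a retry), or ticket creation fails
     */
    private Event buildCredentialsFromAssertion(final RequestContext requestContext,
                                                final Pair<Assertion, WsFederationConfiguration> pair) {
        try {
            final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
            final HttpSession session = request.getSession();
            final String wctx = request.getParameter(WCTX);
            LOGGER.debug("Parameter [{}] received: [{}]", WCTX, wctx);
            if (StringUtils.isBlank(wctx)) {
                LOGGER.error("No [{}] parameter is found", WCTX);
                return error();
            }
            final Service service = (Service) session.getAttribute(SERVICE_SESSION_ATTRIBUTE_PREFIX + wctx);
            LOGGER.debug("Creating credential based on the provided assertion");
            final WsFederationCredential credential = this.wsFederationHelper.createCredentialFromToken(pair.getKey());
            final WsFederationConfiguration cfg = pair.getValue();
            final String relyingPartyIdentifier = getRelyingPartyIdentifier(service, requestContext, cfg);
            final boolean valid = credential != null
                && credential.isValid(relyingPartyIdentifier, cfg.getIdentityProviderIdentifier(), cfg.getTolerance());
            if (!valid) {
                LOGGER.warn("SAML assertions are blank or no longer valid based on RP identifier [{}] and IdP identifier [{}]",
                    relyingPartyIdentifier, cfg.getIdentityProviderIdentifier());
                // Offer a fresh, fully-formed IdP URL (new wctx) so the flow can retry.
                final String retryUrl = buildIdentityProviderUrl(requestContext, service, cfg, relyingPartyIdentifier);
                requestContext.getFlowScope().put(PROVIDERURL, retryUrl);
                LOGGER.warn("Created authentication url [{}] and returning error", retryUrl);
                return error();
            }
            LOGGER.debug("Validated assertion for the created credential successfully");
            if (cfg.getAttributeMutator() != null) {
                LOGGER.debug("Modifying credential attributes based on [{}]", cfg.getAttributeMutator().getClass().getSimpleName());
                cfg.getAttributeMutator().modifyAttributes(credential.getAttributes());
            }
            requestContext.getFlowScope().put("service", service);
            restoreRequestAttribute(request, session, THEME);
            restoreRequestAttribute(request, session, LOCALE);
            restoreRequestAttribute(request, session, METHOD);
            LOGGER.debug("Creating final authentication result based on the given credential");
            final AuthenticationResult result =
                this.authenticationSystemSupport.handleAndFinalizeSingleAuthenticationTransaction(service, credential);
            LOGGER.debug("Attempting to create a ticket-granting ticket for the authentication result");
            WebUtils.putTicketGrantingTicketInScopes(requestContext, this.centralAuthenticationService.createTicketGrantingTicket(result));
            LOGGER.info("Token validated and new [{}] created: [{}]", credential.getClass().getName(), credential);
            return success();
        } catch (final AbstractTicketException e) {
            LOGGER.error(e.getMessage(), e);
            return error();
        }
    }

    /**
     * Resolves the wtrealm value: the configuration's default, overridden by the registered
     * service's {@code WSFED_RELYING_PARTY_ID} property when present. Also enforces the registered
     * service's access strategy, which throws (and aborts the flow) when access is denied.
     *
     * @param service may be {@code null}, in which case the configuration default is used unchecked
     */
    private String getRelyingPartyIdentifier(final Service service,
                                             final RequestContext requestContext,
                                             final WsFederationConfiguration cfg) {
        String relyingPartyIdentifier = cfg.getRelyingPartyIdentifier();
        if (service != null) {
            final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, registeredService);
            final RegisteredServiceProperty.RegisteredServiceProperties property =
                RegisteredServiceProperty.RegisteredServiceProperties.WSFED_RELYING_PARTY_ID;
            if (property.isAssignedTo(registeredService)) {
                relyingPartyIdentifier = property.getPropertyValue(registeredService).getValue();
            }
        }
        LOGGER.debug("Determined relying party identifier for [{}] to be [{}]", service, relyingPartyIdentifier);
        return relyingPartyIdentifier;
    }

    /** Copies a previously saved session attribute back onto the request (null if never saved). */
    private static void restoreRequestAttribute(final HttpServletRequest request, final HttpSession session, final String name) {
        request.setAttribute(name, (String) session.getAttribute(name));
    }

    /** Saves the named request parameter into the session; a missing parameter leaves the session untouched. */
    private static void saveRequestParameter(final HttpServletRequest request, final HttpSession session, final String name) {
        final String value = request.getParameter(name);
        if (value != null) {
            session.setAttribute(name, value);
        }
    }
}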
