package net.shibboleth.idp.cas.flow;

import java.net.URI;
import java.net.URISyntaxException;
import javax.annotation.Nonnull;
import net.shibboleth.idp.cas.config.ConfigLookupFunction;
import net.shibboleth.idp.cas.config.ValidateConfiguration;
import net.shibboleth.idp.cas.protocol.ProtocolError;
import net.shibboleth.idp.cas.protocol.ProtocolParam;
import net.shibboleth.idp.cas.protocol.TicketValidationRequest;
import net.shibboleth.idp.cas.protocol.TicketValidationResponse;
import net.shibboleth.idp.cas.proxy.ProxyAuthenticator;
import net.shibboleth.idp.cas.proxy.ProxyIdentifiers;
import net.shibboleth.idp.cas.ticket.ProxyTicket;
import net.shibboleth.idp.cas.ticket.ServiceTicket;
import net.shibboleth.idp.cas.ticket.TicketService;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.apache.http.client.utils.URIBuilder;
import org.joda.time.DateTime;
import org.joda.time.Instant;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.security.trust.TrustEngine;
import org.opensaml.security.x509.X509Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

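/* loaded from: input_file:net/shibboleth/idp/cas/flow/ValidateProxyCallbackAction.class */
/**
 * Validates the proxy callback URL ({@code pgtUrl}) supplied with a CAS ticket validation request.
 *
 * <p>The action generates a proxy-granting ticket identifier (PGT) and its IOU, appends both as query
 * parameters to the request's {@code pgtUrl}, authenticates to that URL through the configured
 * {@link ProxyAuthenticator}, and on success stores a proxy-granting ticket and publishes the IOU on the
 * {@link TicketValidationResponse}. Missing configuration yields {@code ProtocolError.IllegalState};
 * any failure while authenticating the callback or storing the ticket yields
 * {@code ProtocolError.ProxyCallbackAuthenticationFailure}.</p>
 *
 * <p>The {@code pgtUrl} is taken from the validation request, i.e. it is client-supplied. Whether the
 * callback endpoint is trusted is decided entirely by the {@link ProxyAuthenticator} and the optional
 * X.509 trust engine handed to it.</p>
 */
public class ValidateProxyCallbackAction extends AbstractCASProtocolAction<TicketValidationRequest, TicketValidationResponse> {

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(ValidateProxyCallbackAction.class);

    /** Looks up the {@link ValidateConfiguration} for the current profile request. */
    private final ConfigLookupFunction<ValidateConfiguration> configLookupFunction =
            new ConfigLookupFunction<>(ValidateConfiguration.class);

    /** Authenticates the proxy callback endpoint. */
    @Nonnull
    private final ProxyAuthenticator<TrustEngine<? super X509Credential>> proxyAuthenticator;

    /** Creates and stores proxy-granting tickets. */
    @Nonnull
    private final TicketService ticketService;

    /**
     * Constructor.
     *
     * @param proxyAuthenticator authenticator used to contact the proxy callback URL; must not be null
     * @param ticketService ticket service used to persist the proxy-granting ticket; must not be null
     */
    public ValidateProxyCallbackAction(
            @Nonnull final ProxyAuthenticator<TrustEngine<? super X509Credential>> proxyAuthenticator,
            @Nonnull final TicketService ticketService) {
        // Constraint.isNotNull raises a constraint violation on null; the message is what callers will see.
        this.proxyAuthenticator = Constraint.isNotNull(proxyAuthenticator, "ProxyAuthenticator cannot be null");
        this.ticketService = Constraint.isNotNull(ticketService, "TicketService cannot be null");
    }

    /**
     * Builds the callback URL, authenticates to it and, on success, stores a proxy-granting ticket.
     *
     * @param requestContext Spring Web Flow request context (not read here; part of the superclass contract)
     * @param profileRequestContext profile request context carrying the CAS request, response and ticket
     * @return {@code Events.Success} when the callback authenticated and the PGT was stored;
     *     {@code ProtocolError.IllegalState} when the validate configuration, its
     *     {@code SecurityConfiguration#idGenerator} or its {@code PGTIOUGenerator} is undefined;
     *     {@code ProtocolError.ProxyCallbackAuthenticationFailure} on any exception raised while
     *     authenticating the callback or creating the ticket
     * @throws RuntimeException if the callback URL cannot be built from the request's {@code pgtUrl}
     */
    @Nonnull
    protected Event doExecute(@Nonnull final RequestContext requestContext,
            @Nonnull final ProfileRequestContext profileRequestContext) {
        final TicketValidationRequest request = getCASRequest(profileRequestContext);
        final TicketValidationResponse response = getCASResponse(profileRequestContext);
        final ServiceTicket ticket = getCASTicket(profileRequestContext);

        final ValidateConfiguration config = configLookupFunction.apply(profileRequestContext);
        if (config == null) {
            log.info("Proxy-granting ticket configuration undefined");
            return ProtocolError.IllegalState.event(this);
        }
        if (config.getSecurityConfiguration() == null
                || config.getSecurityConfiguration().getIdGenerator() == null) {
            log.info("Invalid proxy-granting ticket configuration: SecurityConfiguration#idGenerator undefined");
            return ProtocolError.IllegalState.event(this);
        }
        if (config.getPGTIOUGenerator() == null) {
            log.info("Invalid proxy-granting ticket configuration: PGTIOUGenerator undefined");
            return ProtocolError.IllegalState.event(this);
        }

        // Fresh PGT id and IOU for this callback. The id is sent only to pgtUrl; the IOU goes back to the
        // client in the validation response.
        final ProxyIdentifiers proxyIds = new ProxyIdentifiers(
                config.getSecurityConfiguration().getIdGenerator().generateIdentifier(),
                config.getPGTIOUGenerator().generateIdentifier());

        final URI callbackUri;
        try {
            callbackUri = new URIBuilder(request.getPgtUrl())
                    .addParameter(ProtocolParam.PgtId.id(), proxyIds.getPgtId())
                    .addParameter(ProtocolParam.PgtIou.id(), proxyIds.getPgtIou())
                    .build();
        } catch (final URISyntaxException e) {
            // NOTE(review): pgtUrl is request-supplied, so a syntactically invalid value surfaces here as an
            // unchecked exception rather than a protocol error; confirm it is validated earlier in the flow.
            throw new RuntimeException("Error creating proxy callback URL", e);
        }

        try {
            log.debug("Attempting proxy authentication to {}", callbackUri);
            // Null when no ClientTLSValidationConfiguration is defined; how the authenticator treats a null
            // engine is decided by the ProxyAuthenticator implementation, not here.
            final TrustEngine<? super X509Credential> trustEngine = lookupTrustEngine(config);
            proxyAuthenticator.authenticate(callbackUri, trustEngine);

            final Instant expiration = DateTime.now().plus(config.getTicketValidityPeriod()).toInstant();
            // NOTE(review): with ticket declared as ServiceTicket the else branch is only reachable for a
            // null ticket; confirm getCASTicket's declared return type against the source.
            if (ticket instanceof ServiceTicket) {
                ticketService.createProxyGrantingTicket(proxyIds.getPgtId(), expiration, ticket);
            } else {
                ticketService.createProxyGrantingTicket(proxyIds.getPgtId(), expiration, (ProxyTicket) ticket);
            }
            response.setPgtIou(proxyIds.getPgtIou());
            return Events.Success.event(this);
        } catch (final Exception e) {
            // Parameterized logging keeps the request-supplied pgtUrl out of string concatenation; e.toString()
            // (rather than passing e itself) preserves the original single-line message with no stack trace.
            // This catch also covers ticket-storage failures, which are therefore reported as callback failures.
            log.info("Proxy authentication failed for {}: {}", request.getPgtUrl(), e.toString());
            return ProtocolError.ProxyCallbackAuthenticationFailure.event(this);
        }
    }

    /**
     * Returns the X.509 trust engine from the configuration's client TLS validation settings.
     *
     * @param config validate configuration whose {@code SecurityConfiguration} is already known to be non-null
     * @return the configured X.509 trust engine, or {@code null} when no
     *     {@code ClientTLSValidationConfiguration} is defined
     */
    private TrustEngine<? super X509Credential> lookupTrustEngine(@Nonnull final ValidateConfiguration config) {
        if (config.getSecurityConfiguration().getClientTLSValidationConfiguration() == null) {
            log.debug("Proxy-granting ticket configuration does not define ClientTLSValidationConfiguration");
            return null;
        }
        return config.getSecurityConfiguration().getClientTLSValidationConfiguration().getX509TrustEngine();
    }
}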
