package net.shibboleth.idp.cas.flow.impl;

import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import net.shibboleth.idp.cas.config.ConfigLookupFunction;
import net.shibboleth.idp.cas.config.ProxyConfiguration;
import net.shibboleth.idp.cas.protocol.ProtocolError;
import net.shibboleth.idp.cas.protocol.ProxyTicketRequest;
import net.shibboleth.idp.cas.protocol.ProxyTicketResponse;
import net.shibboleth.idp.cas.ticket.ProxyGrantingTicket;
import net.shibboleth.idp.cas.ticket.TicketService;
import net.shibboleth.idp.session.IdPSession;
import net.shibboleth.idp.session.SessionException;
import net.shibboleth.idp.session.SessionResolver;
import net.shibboleth.idp.session.criterion.SessionIdCriterion;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.PredicateSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.Criterion;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventException;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.security.config.SecurityConfiguration;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/cas/flow/impl/GrantProxyTicketAction.class */
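/**
 * CAS protocol action that issues a proxy ticket (PT) against a proxy-granting ticket (PGT).
 *
 * <p>Order of checks in {@link #doExecute(ProfileRequestContext)}:</p>
 * <ol>
 *   <li>The PGT must not be past its expiration instant, otherwise {@code TicketExpired} is signalled.</li>
 *   <li>If {@code validateIdPSessionPredicate} evaluates to true, the IdP session referenced by the PGT must
 *       resolve and pass its timeout check, otherwise {@code SessionExpired} is signalled.</li>
 *   <li>A new proxy ticket is created through the {@link TicketService} and its ID placed in the response.</li>
 * </ol>
 *
 * <p>Security-relevant behaviour visible in this class:</p>
 * <ul>
 *   <li>Session validation is <em>off</em> unless a predicate is injected; the default is
 *       {@link PredicateSupport#alwaysFalse()}. In that configuration only the PGT lifetime limits how long
 *       proxy tickets can be obtained.</li>
 *   <li>Resolver errors, a missing session and timeout-check errors all fail closed
 *       ({@code SessionExpired}).</li>
 *   <li>A PGT that carries no session ID fails open: a warning is logged and the ticket is still granted.
 *       Deployments that rely on session validation should alert on that warning.</li>
 * </ul>
 *
 * <p>The per-request fields below are assigned in {@link #doPreExecute(ProfileRequestContext)} and read in
 * {@link #doExecute(ProfileRequestContext)}; nothing in this class synchronises access to them.</p>
 */
public class GrantProxyTicketAction extends AbstractCASProtocolAction<ProxyTicketRequest, ProxyTicketResponse> {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(GrantProxyTicketAction.class);

    /** Looks up the CAS proxy configuration for the current request. */
    @Nonnull
    private final ConfigLookupFunction<ProxyConfiguration> configLookupFunction =
            new ConfigLookupFunction<>(ProxyConfiguration.class);

    /** Service used to create the proxy ticket. */
    @Nonnull
    private final TicketService casTicketService;

    /** Resolver used to look up the IdP session a PGT is bound to. */
    @Nonnull
    private final SessionResolver sessionResolver;

    /** Decides whether the bound IdP session is checked before granting; defaults to "never". */
    @Nonnull
    private Predicate<ProfileRequestContext> validateIdPSessionPredicate = PredicateSupport.alwaysFalse();

    /** Proxy configuration resolved in pre-execute. */
    @NonnullBeforeExec
    private ProxyConfiguration proxyConfig;

    /** Security configuration resolved in pre-execute; supplies the ticket ID generator. */
    @NonnullBeforeExec
    private SecurityConfiguration securityConfig;

    /** PGT the proxy ticket is requested against. */
    @NonnullBeforeExec
    private ProxyGrantingTicket proxyGrantingTicket;

    /** Incoming proxy ticket request. */
    @NonnullBeforeExec
    private ProxyTicketRequest request;

    /**
     * Creates the action.
     *
     * @param ticketService service that creates proxy tickets; must not be null
     * @param sessionResolver resolver for IdP sessions; must not be null
     */
    public GrantProxyTicketAction(@Nonnull final TicketService ticketService,
            @Nonnull final SessionResolver sessionResolver) {
        this.casTicketService = Constraint.isNotNull(ticketService, "TicketService cannot be null");
        this.sessionResolver = Constraint.isNotNull(sessionResolver, "SessionResolver cannot be null");
    }

    /**
     * Sets the condition under which the IdP session bound to the PGT is validated before a ticket is granted.
     *
     * <p>Until this is called the predicate is {@code alwaysFalse()}, so no session check takes place.</p>
     *
     * @param predicate condition evaluated against the profile request context; must not be null
     */
    public void setValidateIdPSessionPredicate(@Nonnull final Predicate<ProfileRequestContext> predicate) {
        checkSetterPreconditions();
        this.validateIdPSessionPredicate =
                Constraint.isNotNull(predicate, "Session validation condition cannot be null");
    }

    /**
     * Resolves configuration, request and PGT for this execution.
     *
     * @param profileRequestContext current profile request context
     * @return true when all inputs were resolved; false when the superclass check failed or when an
     *         event was signalled here for a missing configuration, request or ticket
     */
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }

        final ProxyConfiguration config = this.configLookupFunction.apply(profileRequestContext);
        this.proxyConfig = config;
        if (config == null) {
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }

        this.securityConfig = config.getSecurityConfiguration(profileRequestContext);
        if (this.securityConfig == null) {
            ActionSupport.buildEvent(profileRequestContext, "InvalidSecurityConfiguration");
            return false;
        }

        try {
            this.request = getCASRequest(profileRequestContext);
            this.proxyGrantingTicket = getCASTicket(profileRequestContext);
            return true;
        } catch (final EventException e) {
            // The helper already chose the event; pass its ID through unchanged.
            ActionSupport.buildEvent(profileRequestContext, e.getEventID());
            return false;
        }
    }

    /**
     * Returns the PGT captured in pre-execute.
     *
     * @return the proxy-granting ticket for this request
     */
    @Nonnull
    private ProxyGrantingTicket getProxyGrantingTicket() {
        assert isPreExecuteCalled();
        return this.proxyGrantingTicket;
    }

    /**
     * Grants the proxy ticket, or signals a protocol error event.
     *
     * @param profileRequestContext current profile request context
     */
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        // isBefore(): a PGT whose expiration instant equals "now" is still accepted.
        if (this.proxyGrantingTicket.getExpirationInstant().isBefore(Instant.now())) {
            ActionSupport.buildEvent(profileRequestContext, ProtocolError.TicketExpired.event(this));
            return;
        }

        if (this.validateIdPSessionPredicate.test(profileRequestContext)
                && !checkBoundSession(profileRequestContext)) {
            return;
        }

        try {
            this.log.debug("{} Granting proxy ticket for {}", getLogPrefix(), this.request.getTargetService());
            final Instant expiration = Instant.now()
                    .plus((TemporalAmount) this.proxyConfig.getTicketValidityPeriod(profileRequestContext));
            assert expiration != null;
            try {
                // The ticket ID comes from the ID generator of the resolved security configuration and is
                // returned to the caller as the proxy ticket.
                // NOTE(review): confirm the configured generator yields unguessable identifiers.
                final String ticketId = this.securityConfig.getIdGenerator().generateIdentifier();
                setCASResponse(profileRequestContext, new ProxyTicketResponse(
                        this.casTicketService.createProxyTicket(ticketId, expiration, getProxyGrantingTicket(),
                                this.request.getTargetService()).getId()));
                this.log.info("{} Granted proxy ticket for {}", getLogPrefix(), this.request.getTargetService());
            } catch (final EventException e) {
                ActionSupport.buildEvent(profileRequestContext, e.getEventID());
            }
        } catch (final RuntimeException e) {
            // Exception detail goes to the log only; the flow receives just the TicketCreationError event.
            this.log.error("Failed granting proxy ticket due to error.", e);
            ActionSupport.buildEvent(profileRequestContext, ProtocolError.TicketCreationError.event(this));
        }
    }

    /**
     * Checks the IdP session the PGT is bound to and signals {@code SessionExpired} when it cannot be
     * confirmed as live.
     *
     * <p>NOTE(review): the session identifier is written to the log at DEBUG and INFO below; confirm log
     * access is restricted accordingly if that identifier is accepted as a session handle elsewhere.</p>
     *
     * @param profileRequestContext current profile request context
     * @return true if granting may proceed; false if an event has been signalled
     */
    private boolean checkBoundSession(@Nonnull final ProfileRequestContext profileRequestContext) {
        final String sessionId = this.proxyGrantingTicket.getSessionId();
        if (sessionId == null) {
            // Fails open: without a session ID there is nothing to check, so the grant continues.
            this.log.warn("{} Cannot validate session because the PGT is not bound to a session. This is likely a sign of a configuration problem. The validateIdPSessionPredicate is configured to return true, but the session storage mechanism is configured such that IdP sessions are not available to CAS tickets.", getLogPrefix());
            return true;
        }

        try {
            this.log.debug("{} Attempting to retrieve session {}", getLogPrefix(), sessionId);
            final IdPSession session = (IdPSession) this.sessionResolver.resolveSingle(
                    new CriteriaSet(new SessionIdCriterion(sessionId)));
            if (session == null) {
                this.log.info("{} IdPSession {} not found", getLogPrefix(), sessionId);
                ActionSupport.buildEvent(profileRequestContext, ProtocolError.SessionExpired.event(this));
                return false;
            }

            // Starts as "expired" so that a failing timeout check denies the request.
            boolean expired = true;
            try {
                expired = !session.checkTimeout();
                this.log.debug("{} IdPSession {} expired={}", getLogPrefix(), sessionId, expired);
            } catch (final SessionException e) {
                this.log.warn("{} Error performing session timeout check: {}. Assuming session has expired.", getLogPrefix(), e);
            }
            if (expired) {
                ActionSupport.buildEvent(profileRequestContext, ProtocolError.SessionExpired.event(this));
                return false;
            }
            return true;
        } catch (final ResolverException e) {
            // A resolver failure is reported the same way as a missing session.
            this.log.info("{} Failed resolving IdP session {}: {}", getLogPrefix(), sessionId, e.getMessage());
            ActionSupport.buildEvent(profileRequestContext, ProtocolError.SessionExpired.event(this));
            return false;
        }
    }
}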
