package org.apereo.cas.support.saml.web.idp.profile;

import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator;
import org.jasig.cas.client.util.CommonUtils;
import org.joda.time.DateTime;
import org.joda.time.chrono.ISOChronology;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/IdPInitiatedProfileHandlerController.class */
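/**
 * Handles IdP-initiated ("unsolicited") SAML2 SSO requests.
 *
 * <p>No AuthnRequest arrives from the service provider in this flow. The controller
 * builds one from query parameters and hands it to
 * {@code initiateAuthenticationRequest}, which is inherited and not shown in this file.
 *
 * <p>Every value read from the request is caller-controlled. Only {@code providerId} is
 * checked in this class, by resolving it to a registered service and its metadata.
 */
public class IdPInitiatedProfileHandlerController extends AbstractSamlProfileHandlerController {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(IdPInitiatedProfileHandlerController.class);

    /** Binding used to look up the SP's ACS endpoint and set as the request's protocol binding. */
    private static final String POST_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST";

    public IdPInitiatedProfileHandlerController(
            SamlIdPObjectSigner samlIdPObjectSigner,
            ParserPool parserPool,
            AuthenticationSystemSupport authenticationSystemSupport,
            ServicesManager servicesManager,
            ServiceFactory<WebApplicationService> serviceFactory,
            SamlRegisteredServiceCachingMetadataResolver samlRegisteredServiceCachingMetadataResolver,
            OpenSamlConfigBean openSamlConfigBean,
            SamlProfileObjectBuilder<Response> samlProfileObjectBuilder,
            CasConfigurationProperties casConfigurationProperties,
            SamlObjectSignatureValidator samlObjectSignatureValidator,
            Service service) {
        super(samlIdPObjectSigner, parserPool, authenticationSystemSupport, servicesManager, serviceFactory, samlRegisteredServiceCachingMetadataResolver, openSamlConfigBean, samlProfileObjectBuilder, casConfigurationProperties, samlObjectSignatureValidator, service);
    }

    /**
     * Builds a synthetic AuthnRequest from the query string and starts authentication.
     *
     * <p>Parameters read from the request:
     * <ul>
     *   <li>{@code providerId} (required): becomes the Issuer and is used to resolve the
     *       registered service and its metadata.</li>
     *   <li>{@code shire} (optional): assertion consumer service URL. When blank, the
     *       location of the SP's HTTP-POST endpoint from metadata is used.</li>
     *   <li>{@code target} (optional): stored as the {@code RelayState} request attribute.</li>
     *   <li>{@code time} (optional): numeric value used to derive the issue instant.</li>
     * </ul>
     *
     * @param httpServletResponse the response handed on to signing and authentication
     * @param httpServletRequest the request carrying the parameters above
     * @throws MessageDecodingException if {@code providerId} is blank or no ACS URL can be resolved
     * @throws UnauthorizedServiceException if no metadata is found for {@code providerId}
     * @throws Exception anything raised by the inherited helpers this method calls
     */
    @GetMapping(path = {"/idp/profile/SAML2/Unsolicited/SSO"})
    protected void handleIdPInitiatedSsoRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws Exception {
        String providerId = CommonUtils.safeGetParameter(httpServletRequest, "providerId");
        if (StringUtils.isBlank(providerId)) {
            String message = "No providerId parameter given in unsolicited SSO authentication request.";
            LOGGER.warn(message);
            throw new MessageDecodingException(message);
        }

        SamlRegisteredService registeredService = verifySamlRegisteredService(providerId);
        Optional<SamlRegisteredServiceServiceProviderMetadataFacade> metadata = getSamlMetadataFacadeFor(registeredService, providerId);
        if (!metadata.isPresent()) {
            throw new UnauthorizedServiceException("screen.service.error.message", "Cannot find metadata linked to " + providerId);
        }
        SamlRegisteredServiceServiceProviderMetadataFacade spMetadata = metadata.get();

        // NOTE(review): a caller-supplied shire is used as the AssertionConsumerServiceURL
        // without being compared to the endpoints declared in the SP metadata here. Confirm
        // that a later step rejects URLs not registered for this SP. Otherwise the response
        // could be delivered to a location the SP never declared.
        String acsUrl = CommonUtils.safeGetParameter(httpServletRequest, "shire");
        if (StringUtils.isBlank(acsUrl)) {
            LOGGER.warn("Resolving service provider assertion consumer service URL for [{}] and binding [{}]", providerId, POST_BINDING_URI);
            // Guard against a missing endpoint. A null lookup result would otherwise surface
            // as a NullPointerException rather than the decoding error below.
            acsUrl = Optional.ofNullable(spMetadata.getAssertionConsumerService(POST_BINDING_URI))
                    .map(acs -> acs.getLocation())
                    .orElse(null);
        }
        if (StringUtils.isBlank(acsUrl)) {
            LOGGER.warn("Unable to resolve service provider assertion consumer service URL for AuthnRequest construction for entityID: [{}]", providerId);
            throw new MessageDecodingException("Unable to resolve SP ACS URL for AuthnRequest construction");
        }

        String target = CommonUtils.safeGetParameter(httpServletRequest, "target");
        String time = CommonUtils.safeGetParameter(httpServletRequest, "time");

        AuthnRequest authnRequest = this.configBean.getBuilderFactory().getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME).buildObject();
        authnRequest.setAssertionConsumerServiceURL(acsUrl);

        Issuer issuer = this.configBean.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME).buildObject();
        issuer.setValue(providerId);
        authnRequest.setIssuer(issuer);
        authnRequest.setProtocolBinding(POST_BINDING_URI);

        NameIDPolicy nameIdPolicy = this.configBean.getBuilderFactory().getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME).buildObject();
        nameIdPolicy.setAllowCreate(Boolean.TRUE);
        authnRequest.setNameIDPolicy(nameIdPolicy);

        authnRequest.setIssueInstant(resolveIssueInstant(time));
        authnRequest.setForceAuthn(Boolean.FALSE);

        // The target is passed through untouched as relay state. It is opaque to this method
        // and must be treated as untrusted wherever it is consumed.
        if (StringUtils.isNotBlank(target)) {
            httpServletRequest.setAttribute("RelayState", target);
        }

        MessageContext messageContext = new MessageContext();
        messageContext.setAutoCreateSubcontexts(true);
        // When the SP metadata asks for signed AuthnRequests, the locally built request is
        // passed through the IdP's own signer. It never carried an SP signature.
        if (spMetadata.isAuthnRequestsSigned()) {
            this.samlObjectSigner.encode(authnRequest, registeredService, spMetadata, httpServletResponse, httpServletRequest, POST_BINDING_URI);
        }
        messageContext.setMessage(authnRequest);
        messageContext.getSubcontext(SAMLBindingContext.class, true).setHasBindingSignature(false);
        initiateAuthenticationRequest(Pair.of(authnRequest, messageContext), httpServletResponse, httpServletRequest);
    }

    /**
     * Derives the AuthnRequest issue instant from the optional {@code time} parameter.
     *
     * <p>{@code NumberUtils.isCreatable} also accepts hex, decimal and type-suffixed
     * literals that {@code Long.parseLong} rejects. Such values now fall back to the
     * current time, like any other non-numeric input, instead of escaping as a
     * {@link NumberFormatException}.
     *
     * @param time raw request value, possibly {@code null}
     * @return the parsed instant, or the current time, in the UTC ISO chronology
     */
    private static DateTime resolveIssueInstant(String time) {
        if (NumberUtils.isCreatable(time)) {
            try {
                // NOTE(review): the value is divided by 1000 (MILLISECONDS to SECONDS) and the
                // result is then passed to a constructor that takes milliseconds, so supplied
                // timestamps land near the epoch. Left unchanged; confirm the intended unit.
                return new DateTime(TimeUnit.SECONDS.convert(Long.parseLong(time), TimeUnit.MILLISECONDS), ISOChronology.getInstanceUTC());
            } catch (NumberFormatException e) {
                // The raw value is deliberately not logged because it is caller-controlled.
                LOGGER.warn("Ignoring time parameter that is not a plain integer in unsolicited SSO authentication request.");
            }
        }
        return new DateTime(DateTime.now(), ISOChronology.getInstanceUTC());
    }
}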
