package org.apereo.cas.support.saml.web.idp.profile.ecp;

import java.util.LinkedHashMap;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import net.shibboleth.utilities.java.support.xml.ParserPool;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.UsernamePasswordCredential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver;
import org.apereo.cas.support.saml.web.idp.profile.AbstractSamlProfileHandlerController;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlObjectSignatureValidator;
import org.apereo.cas.util.Pac4jUtils;
import org.jasig.cas.client.validation.Assertion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.ecp.Response;
import org.opensaml.soap.messaging.context.SOAP11Context;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/ecp/ECPProfileHandlerController.class */
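/**
 * Handles SAML2 ECP (Enhanced Client or Proxy) profile requests posted over SOAP/PAOS.
 * <p>
 * The SOAP envelope is decoded from the request, the caller is authenticated from the HTTP Basic
 * credentials carried on the same request, and either an ECP response or an ECP fault is written
 * back using the PAOS binding. Only the decoded {@link AuthnRequest} and the Basic credentials are
 * taken from the remote client; everything else comes from the registered-service metadata.
 */
public class ECPProfileHandlerController extends AbstractSamlProfileHandlerController {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(ECPProfileHandlerController.class);

    /** Binding URI stamped on every ECP response and fault produced by this controller. */
    private static final String PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS";

    /** Request attribute through which the fault message is handed to the fault-response builder. */
    private static final String SAML_ERROR_ATTRIBUTE = "samlError";

    /** Builder used to produce an ECP fault when verification or authentication fails. */
    private final SamlProfileObjectBuilder<? extends SAMLObject> samlEcpFaultResponseBuilder;

    /**
     * Creates the controller. All collaborators except the fault-response builder are forwarded to the superclass.
     *
     * @param samlIdPObjectSigner                         signer for outgoing SAML objects
     * @param parserPool                                  XML parser pool
     * @param authenticationSystemSupport                 authentication entry point used for the ECP credential
     * @param servicesManager                             registered-service registry
     * @param serviceFactory                              factory turning the request issuer into a CAS service
     * @param samlRegisteredServiceCachingMetadataResolver resolver for SP metadata
     * @param openSamlConfigBean                          OpenSAML configuration
     * @param samlProfileObjectBuilder                    builder for the successful ECP response
     * @param samlProfileObjectBuilder2                   builder for the ECP fault response
     * @param casConfigurationProperties                  CAS properties
     * @param samlObjectSignatureValidator                validator for signed inbound requests
     * @param service                                     callback service
     */
    public ECPProfileHandlerController(final SamlIdPObjectSigner samlIdPObjectSigner, final ParserPool parserPool,
                                       final AuthenticationSystemSupport authenticationSystemSupport, final ServicesManager servicesManager,
                                       final ServiceFactory<WebApplicationService> serviceFactory,
                                       final SamlRegisteredServiceCachingMetadataResolver samlRegisteredServiceCachingMetadataResolver,
                                       final OpenSamlConfigBean openSamlConfigBean, final SamlProfileObjectBuilder<Response> samlProfileObjectBuilder,
                                       final SamlProfileObjectBuilder<? extends SAMLObject> samlProfileObjectBuilder2,
                                       final CasConfigurationProperties casConfigurationProperties,
                                       final SamlObjectSignatureValidator samlObjectSignatureValidator, final Service service) {
        super(samlIdPObjectSigner, parserPool, authenticationSystemSupport, servicesManager, serviceFactory,
            samlRegisteredServiceCachingMetadataResolver, openSamlConfigBean, samlProfileObjectBuilder,
            casConfigurationProperties, samlObjectSignatureValidator, service);
        this.samlEcpFaultResponseBuilder = samlProfileObjectBuilder2;
    }

    /**
     * Endpoint for ECP requests. Decodes the SOAP envelope and extracts the Basic credentials before
     * delegating to {@link #handleEcpRequest(HttpServletResponse, HttpServletRequest, MessageContext, Credential, String)}.
     * <p>
     * NOTE(review): when either the credential or the decoded request is missing, the failure is only logged
     * and no ECP fault is written; the client receives whatever the container sends for an empty response.
     * Confirm this is the intended contract for the ECP binding.
     *
     * @param httpServletResponse the response to write the ECP response or fault to
     * @param httpServletRequest  the inbound PAOS request
     */
    @PostMapping(path = {"/idp/profile/SAML2/SOAP/ECP"}, consumes = {"text/xml", "application/vnd.paos+xml"}, produces = {"text/xml", "application/vnd.paos+xml"})
    public void handleEcpRequest(final HttpServletResponse httpServletResponse, final HttpServletRequest httpServletRequest) {
        // Decode first, then extract credentials: keeps the original ordering of any side effects on the request.
        final MessageContext soapContext = decodeSoapRequest(httpServletRequest);
        final Credential credential = extractBasicAuthenticationCredential(httpServletRequest, httpServletResponse);
        if (credential == null) {
            LOGGER.error("Credentials could not be extracted from the SAML ECP request");
            return;
        }
        if (soapContext == null) {
            LOGGER.error("SAML ECP request could not be determined from the authentication request");
            return;
        }
        handleEcpRequest(httpServletResponse, httpServletRequest, soapContext, credential, PAOS_BINDING);
    }

    /**
     * Verifies the decoded {@link AuthnRequest}, authenticates the supplied credential against the issuer's
     * service, and builds the ECP response. Any failure is turned into an ECP fault instead of propagating.
     *
     * @param httpServletResponse the response to write to
     * @param httpServletRequest  the inbound request
     * @param messageContext      decoded SOAP message context; its message must be an {@link AuthnRequest}
     * @param credential          credential extracted from the request's Basic authorization
     * @param binding             binding URI to stamp on the outgoing response
     */
    protected void handleEcpRequest(final HttpServletResponse httpServletResponse, final HttpServletRequest httpServletRequest,
                                    final MessageContext messageContext, final Credential credential, final String binding) {
        LOGGER.debug("Handling ECP request for SOAP context [{}]", messageContext);
        SamlUtils.logSamlObject(this.configBean, messageContext.getSubcontext(SOAP11Context.class).getEnvelope());
        final AuthnRequest authnRequest = (AuthnRequest) messageContext.getMessage();
        // Typed as Pair<AuthnRequest, MessageContext> so the same pair satisfies verification, authentication and response building.
        final Pair<AuthnRequest, MessageContext> authenticationContext = Pair.of(authnRequest, messageContext);
        try {
            LOGGER.debug("Verifying ECP authentication request [{}]", authnRequest);
            final Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> registeredService =
                verifySamlAuthenticationRequest(authenticationContext, httpServletRequest);

            LOGGER.debug("Attempting to authenticate ECP request for credential id [{}]", credential.getId());
            final Authentication authentication = authenticateEcpRequest(credential, authenticationContext);
            LOGGER.debug("Authenticated [{}] successfully with authenticated principal [{}]", credential.getId(), authentication.getPrincipal());

            LOGGER.debug("Building ECP SAML response for [{}]", credential.getId());
            final Service issuerService = this.webApplicationServiceFactory.createService(SamlIdPUtils.getIssuerFromSamlRequest(authnRequest));
            final Assertion casAssertion = buildCasAssertion(authentication, issuerService, registeredService.getKey(), new LinkedHashMap<>());
            LOGGER.debug("CAS assertion to use for building ECP SAML response is [{}]", casAssertion);
            buildSamlResponse(httpServletResponse, httpServletRequest, authenticationContext, casAssertion, binding);
        } catch (final AuthenticationException e) {
            LOGGER.error(e.getMessage(), e);
            // Join the per-handler failure reasons into a single fault message; handlers without a message are skipped.
            final String handlerErrors = e.getHandlerErrors().values().stream()
                .map(handlerError -> handlerError.getMessage())
                .filter(Objects::nonNull)
                .collect(Collectors.joining(","));
            buildEcpFaultResponse(httpServletResponse, httpServletRequest, Pair.of(authnRequest, handlerErrors));
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            // NOTE(review): the raw exception message is echoed to the remote peer inside the fault. If internal
            // details must not be disclosed, substitute a generic message here and keep the detail in the log only.
            buildEcpFaultResponse(httpServletResponse, httpServletRequest, Pair.of(authnRequest, e.getMessage()));
        }
    }

    /**
     * Writes an ECP fault for the given request, publishing the fault message as the
     * {@code samlError} request attribute for the fault builder.
     *
     * @param httpServletResponse   the response to write to
     * @param httpServletRequest    the inbound request
     * @param authenticationContext the failing request paired with the fault message
     */
    protected void buildEcpFaultResponse(final HttpServletResponse httpServletResponse, final HttpServletRequest httpServletRequest,
                                         final Pair<RequestAbstractType, String> authenticationContext) {
        httpServletRequest.setAttribute(SAML_ERROR_ATTRIBUTE, authenticationContext.getValue());
        // NOTE(review): mo32build looks like a decompiler-mangled name for the builder's build method;
        // confirm against the SamlProfileObjectBuilder interface before relying on it.
        this.samlEcpFaultResponseBuilder.mo32build(authenticationContext.getKey(), httpServletRequest, httpServletResponse,
            null, null, null, PAOS_BINDING, null);
    }

    /**
     * Authenticates the credential on behalf of the service identified by the request issuer.
     *
     * @param credential            credential to authenticate
     * @param authenticationContext the request whose issuer names the service
     * @return the finalized authentication
     */
    protected Authentication authenticateEcpRequest(final Credential credential, final Pair<AuthnRequest, MessageContext> authenticationContext) {
        final String issuer = SamlIdPUtils.getIssuerFromSamlRequest(authenticationContext.getKey());
        LOGGER.debug("Located issuer [{}] from request prior to authenticating [{}]", issuer, credential.getId());
        final Service issuerService = this.webApplicationServiceFactory.createService(issuer);
        LOGGER.debug("Executing authentication request for service [{}] on behalf of credential id [{}]", issuerService, credential.getId());
        return this.authenticationSystemSupport
            .handleAndFinalizeSingleAuthenticationTransaction(issuerService, new Credential[]{credential})
            .getAuthentication();
    }

    /**
     * Extracts HTTP Basic credentials from the request and converts them into a CAS credential.
     * Extraction is best-effort: any failure is logged at warn level and reported as {@code null}.
     *
     * @param httpServletRequest  the inbound request
     * @param httpServletResponse the response (needed by the pac4j web context)
     * @return the credential, or {@code null} when none is present or extraction fails
     */
    private Credential extractBasicAuthenticationCredential(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) {
        try {
            final UsernamePasswordCredentials extracted = new BasicAuthExtractor()
                .extract(Pac4jUtils.getPac4jJ2EContext(httpServletRequest, httpServletResponse));
            if (extracted == null) {
                return null;
            }
            // Log only the username: never rely on a third-party toString() to redact the password.
            LOGGER.debug("Received basic authentication ECP request for username [{}]", extracted.getUsername());
            return new UsernamePasswordCredential(extracted.getUsername(), extracted.getPassword());
        } catch (final Exception e) {
            LOGGER.warn(e.getMessage(), e);
            return null;
        }
    }
}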
