package org.apereo.cas.support.saml.web.idp.profile;

import com.google.common.base.Splitter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import net.shibboleth.utilities.java.support.net.URLBuilder;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlException;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.services.idp.metadata.cache.SamlRegisteredServiceCachingMetadataResolver;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.SamlIdPObjectSigner;
import org.apereo.cas.support.saml.web.idp.profile.builders.enc.validate.SamlObjectSignatureValidator;
import org.apereo.cas.util.DateTimeUtils;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.web.support.WebUtils;
import org.jasig.cas.client.authentication.AttributePrincipalImpl;
import org.jasig.cas.client.authentication.DefaultAuthenticationRedirectStrategy;
import org.jasig.cas.client.util.CommonUtils;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.AssertionImpl;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.common.binding.BindingDescriptor;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.saml2.binding.decoding.impl.HTTPSOAP11Decoder;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.servlet.ModelAndView;

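/**
 * Base class for the SAML2 IdP profile controllers.
 *
 * <p>Subclasses decode an inbound SAML request, have it checked against the CAS
 * service registry and the service provider's metadata (including the request
 * signature when one is present or when the metadata requires one), redirect the
 * browser to the CAS login endpoint, and finally hand the resulting CAS assertion
 * to the configured {@link SamlProfileObjectBuilder} to produce the SAML response.
 *
 * <p>All collaborators are injected once and are final; the class keeps no
 * per-request state.
 */
@Controller
public abstract class AbstractSamlProfileHandlerController {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractSamlProfileHandlerController.class);

    /** Message key resolved to the generic "service unauthorized" error view. */
    private static final String UNAUTHORIZED_SERVICE_MESSAGE_KEY = "screen.service.error.message";

    /** Request/query parameter carrying the base64-encoded SAML request. */
    private static final String SAML_REQUEST_PARAMETER = "SAMLRequest";

    /** Separator between the class ref and the provider id in {@code authenticationContextClassMappings}. */
    private static final Splitter CONTEXT_MAPPING_SPLITTER = Splitter.on("->");

    protected final SamlIdPObjectSigner samlObjectSigner;
    protected final AuthenticationSystemSupport authenticationSystemSupport;
    protected final ServicesManager servicesManager;
    protected final ServiceFactory<WebApplicationService> webApplicationServiceFactory;
    protected final SamlRegisteredServiceCachingMetadataResolver samlRegisteredServiceCachingMetadataResolver;
    protected final OpenSamlConfigBean configBean;
    protected final SamlProfileObjectBuilder<? extends SAMLObject> responseBuilder;
    protected final CasConfigurationProperties casProperties;
    protected final SamlObjectSignatureValidator samlObjectSignatureValidator;
    protected final Service callbackService;

    /**
     * Resolves the SP metadata facade for a registered service, scoped to the given request.
     *
     * @param samlRegisteredService the SAML registered service whose metadata to load
     * @param request               the SAML request the metadata lookup is made for
     * @return the metadata facade, or empty when no metadata could be resolved
     */
    public Optional<SamlRegisteredServiceServiceProviderMetadataFacade> getSamlMetadataFacadeFor(
        final SamlRegisteredService samlRegisteredService, final RequestAbstractType request) {
        return SamlRegisteredServiceServiceProviderMetadataFacade.get(
            this.samlRegisteredServiceCachingMetadataResolver, samlRegisteredService, request);
    }

    /**
     * Resolves the SP metadata facade for a registered service by entity id.
     *
     * @param samlRegisteredService the SAML registered service whose metadata to load
     * @param entityId              the entity id to look up
     * @return the metadata facade, or empty when no metadata could be resolved
     */
    public Optional<SamlRegisteredServiceServiceProviderMetadataFacade> getSamlMetadataFacadeFor(
        final SamlRegisteredService samlRegisteredService, final String entityId) {
        return SamlRegisteredServiceServiceProviderMetadataFacade.get(
            this.samlRegisteredServiceCachingMetadataResolver, samlRegisteredService, entityId);
    }

    /**
     * Looks the service id up in the CAS service registry and checks that it is a
     * SAML service whose access strategy currently allows access.
     *
     * @param serviceId the service id (normally the SAML issuer / entity id)
     * @return the matching SAML registered service
     * @throws UnauthorizedServiceException when the id is blank, no service is registered,
     *                                      access is denied, or the match is not a SAML service
     */
    public SamlRegisteredService verifySamlRegisteredService(final String serviceId) {
        if (StringUtils.isBlank(serviceId)) {
            throw new UnauthorizedServiceException(UNAUTHORIZED_SERVICE_MESSAGE_KEY,
                "Could not verify/locate SAML registered service since no serviceId is provided");
        }
        LOGGER.debug("Checking service access in CAS service registry for [{}]", serviceId);
        // The registry returns the generic type; the SAML-specific check below narrows it.
        final RegisteredService registeredService =
            this.servicesManager.findServiceBy(this.webApplicationServiceFactory.createService(serviceId));
        if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
            LOGGER.warn("[{}] is not found in the registry or service access is denied. Ensure service is registered in service registry", serviceId);
            throw new UnauthorizedServiceException(UNAUTHORIZED_SERVICE_MESSAGE_KEY);
        }
        if (!(registeredService instanceof SamlRegisteredService)) {
            LOGGER.error("CAS has found a match for service [{}] in registry but the match is not defined as a SAML service", serviceId);
            throw new UnauthorizedServiceException(UNAUTHORIZED_SERVICE_MESSAGE_KEY);
        }
        final SamlRegisteredService samlService = (SamlRegisteredService) registeredService;
        LOGGER.debug("Located SAML service in the registry as [{}] with the metadata location of [{}]",
            samlService.getServiceId(), samlService.getMetadataLocation());
        return samlService;
    }

    /**
     * Reads the base64-encoded {@code SAMLRequest} parameter and unmarshals it into an {@link AuthnRequest}.
     *
     * @param request the HTTP request carrying the parameter
     * @return the unmarshalled authentication request
     * @throws IllegalArgumentException when the parameter is absent/blank or does not
     *                                  unmarshal to an {@link AuthnRequest}
     * @throws Exception                on decoding or unmarshalling failures
     */
    public AuthnRequest retrieveSamlAuthenticationRequestFromHttpRequest(final HttpServletRequest request) throws Exception {
        LOGGER.debug("Retrieving authentication request from scope");
        final String encodedRequest = request.getParameter(SAML_REQUEST_PARAMETER);
        if (StringUtils.isBlank(encodedRequest)) {
            throw new IllegalArgumentException("SAML request could not be determined from the authentication request");
        }
        final byte[] requestXml = EncodingUtils.decodeBase64(encodedRequest.getBytes(StandardCharsets.UTF_8));
        final var samlObject = XMLObjectSupport.unmarshallFromInputStream(
            this.configBean.getParserPool(), new ByteArrayInputStream(requestXml));
        // The parameter is caller-supplied: reject any other XML object type explicitly
        // rather than letting a bare cast fail further down.
        if (!(samlObject instanceof AuthnRequest)) {
            throw new IllegalArgumentException("SAML request could not be determined from the authentication request");
        }
        return (AuthnRequest) samlObject;
    }

    /**
     * Builds a CAS client assertion from a CAS authentication.
     *
     * <p>Principal attributes come from the registered service's release policy; the
     * assertion attributes are the authentication attributes with {@code extraAttributes}
     * merged on top (same keys in {@code extraAttributes} win). Authentication date and
     * valid-from date are both the authentication date; there is no valid-until date.
     *
     * @param authentication    the CAS authentication
     * @param service           the service the assertion is issued for
     * @param registeredService the registered service supplying username/attribute policies
     * @param extraAttributes   additional assertion attributes to merge in
     * @return the CAS assertion
     */
    public Assertion buildCasAssertion(final Authentication authentication, final Service service,
                                       final RegisteredService registeredService, final Map<String, Object> extraAttributes) {
        final var principal = authentication.getPrincipal();
        final AttributePrincipalImpl attributePrincipal = new AttributePrincipalImpl(
            registeredService.getUsernameAttributeProvider().resolveUsername(principal, service, registeredService),
            registeredService.getAttributeReleasePolicy().getAttributes(principal, service, registeredService));
        final Map<String, Object> assertionAttributes = new LinkedHashMap<>(authentication.getAttributes());
        assertionAttributes.putAll(extraAttributes);
        final Date authenticationDate = DateTimeUtils.dateOf(authentication.getAuthenticationDate());
        return new AssertionImpl(attributePrincipal, authenticationDate, (Date) null, authenticationDate, assertionAttributes);
    }

    /**
     * Builds a CAS client assertion for a bare principal id, dated "now".
     *
     * @param principalId       the principal name
     * @param registeredService the registered service (currently unused; kept for the callers' contract)
     * @param attributes        attributes used both as principal and assertion attributes
     * @return the CAS assertion
     */
    public Assertion buildCasAssertion(final String principalId, final RegisteredService registeredService,
                                       final Map<String, Object> attributes) {
        // One timestamp for both dates so they cannot differ by the call gap.
        final Date now = DateTimeUtils.dateOf(ZonedDateTime.now());
        return new AssertionImpl(new AttributePrincipalImpl(principalId, attributes), now, (Date) null, now, attributes);
    }

    /**
     * Logs the fields of a validated CAS assertion at debug level.
     *
     * @param assertion the assertion to log
     */
    public void logCasValidationAssertion(final Assertion assertion) {
        LOGGER.debug("CAS Assertion Valid: [{}]", assertion.isValid());
        LOGGER.debug("CAS Assertion Principal: [{}]", assertion.getPrincipal().getName());
        LOGGER.debug("CAS Assertion authentication Date: [{}]", assertion.getAuthenticationDate());
        LOGGER.debug("CAS Assertion ValidFrom Date: [{}]", assertion.getValidFromDate());
        LOGGER.debug("CAS Assertion ValidUntil Date: [{}]", assertion.getValidUntilDate());
        LOGGER.debug("CAS Assertion Attributes: [{}]", assertion.getAttributes());
        LOGGER.debug("CAS Assertion Principal Attributes: [{}]", assertion.getPrincipal().getAttributes());
    }

    /**
     * Redirects the browser to the CAS login endpoint with the callback service url,
     * honouring {@code ForceAuthn}/{@code IsPassive} and any mapped MFA provider.
     *
     * @param authnContext the authentication request paired with its message context
     * @param request      the current HTTP request
     * @param response     the current HTTP response
     * @throws Exception on url construction or redirect failures
     */
    protected void issueAuthenticationRequestRedirect(final Pair<? extends SignableSAMLObject, MessageContext> authnContext,
                                                      final HttpServletRequest request,
                                                      final HttpServletResponse response) throws Exception {
        final AuthnRequest authnRequest = (AuthnRequest) authnContext.getLeft();
        final String serviceUrl = constructServiceUrl(request, response, authnContext);
        // Abbreviated: the full url embeds the whole base64 SAML request.
        LOGGER.debug("Created service url [{}]", DigestUtils.abbreviate(serviceUrl));
        final String loginUrl = CommonUtils.constructRedirectUrl(this.casProperties.getServer().getLoginUrl(),
            "service", serviceUrl, authnRequest.isForceAuthn(), authnRequest.isPassive());
        final String redirectUrl = buildRedirectUrlByRequestedAuthnContext(loginUrl, authnRequest, request);
        LOGGER.debug("Redirecting SAML authN request to [{}]", redirectUrl);
        new DefaultAuthenticationRedirectStrategy().redirect(request, response, redirectUrl);
    }

    /**
     * Parses the configured {@code authenticationContextClassMappings} entries
     * ({@code <authn-context-class-ref>-><mfa-provider-id>}) into a sorted map.
     *
     * @return class ref to provider id, sorted by class ref; empty when nothing is configured
     * @throws IllegalArgumentException when an entry lacks the {@code ->} separator
     */
    protected Map<String, String> getAuthenticationContextMappings() {
        final Map<String, String> mappings = new TreeMap<>();
        final List<String> configured = this.casProperties.getAuthn().getSamlIdp().getAuthenticationContextClassMappings();
        if (configured == null) {
            return mappings;
        }
        for (final String entry : configured) {
            final List<String> parts = CONTEXT_MAPPING_SPLITTER.splitToList(entry);
            if (parts.size() < 2) {
                throw new IllegalArgumentException(
                    "Authentication context class mapping [" + entry + "] must be of the form <class-ref>-><provider-id>");
            }
            mappings.put(parts.get(0), parts.get(1));
        }
        return mappings;
    }

    /**
     * Appends the MFA request parameter to the login url when the request's
     * {@code RequestedAuthnContext} names a class ref that is mapped to an MFA provider.
     *
     * @param loginUrl     the login url built so far
     * @param authnRequest the authentication request
     * @param request      the current HTTP request (unused)
     * @return the login url, possibly with {@code &<mfaParam>=<providerId>} appended
     */
    protected String buildRedirectUrlByRequestedAuthnContext(final String loginUrl, final AuthnRequest authnRequest,
                                                             final HttpServletRequest request) {
        final List<String> configured = this.casProperties.getAuthn().getSamlIdp().getAuthenticationContextClassMappings();
        if (authnRequest.getRequestedAuthnContext() == null || configured == null || configured.isEmpty()) {
            return loginUrl;
        }
        final Map<String, String> mappings = getAuthenticationContextMappings();
        // The first requested class ref that has a mapping wins; null refs are skipped
        // because TreeMap#containsKey(null) would throw.
        final Optional<String> providerId = authnRequest.getRequestedAuthnContext().getAuthnContextClassRefs().stream()
            .map(AuthnContextClassRef::getAuthnContextClassRef)
            .filter(ref -> ref != null && mappings.containsKey(ref))
            .findFirst()
            .map(mappings::get);
        if (providerId.isEmpty()) {
            return loginUrl;
        }
        return loginUrl + "&" + this.casProperties.getAuthn().getMfa().getRequestParameter() + "=" + providerId.get();
    }

    /**
     * Builds the CAS "service" url that brings the browser back to this IdP after login.
     *
     * <p>The callback url carries the issuer as {@code entityId}, the serialised
     * authentication request as base64 {@code SAMLRequest}, and the {@code RelayState}
     * from the message context; it is then wrapped by the CAS client as the service url.
     *
     * @param request      the current HTTP request
     * @param response     the current HTTP response
     * @param authnContext the authentication request paired with its message context
     * @return the service url
     * @throws SamlException when the request cannot be serialised or the callback url is malformed
     */
    public String constructServiceUrl(final HttpServletRequest request, final HttpServletResponse response,
                                      final Pair<? extends SignableSAMLObject, MessageContext> authnContext) throws SamlException {
        final AuthnRequest authnRequest = (AuthnRequest) authnContext.getLeft();
        final MessageContext messageContext = authnContext.getRight();
        try (StringWriter serialisedRequest = SamlUtils.transformSamlObject(this.configBean, authnRequest)) {
            final URLBuilder callback = new URLBuilder(this.callbackService.getId());
            final var queryParams = callback.getQueryParams();
            queryParams.add(new net.shibboleth.utilities.java.support.collection.Pair<>(
                "entityId", SamlIdPUtils.getIssuerFromSamlObject(authnRequest)));
            queryParams.add(new net.shibboleth.utilities.java.support.collection.Pair<>(
                SAML_REQUEST_PARAMETER, EncodingUtils.encodeBase64(serialisedRequest.toString().getBytes(StandardCharsets.UTF_8))));
            queryParams.add(new net.shibboleth.utilities.java.support.collection.Pair<>(
                "RelayState", SAMLBindingSupport.getRelayState(messageContext)));
            final String callbackUrl = callback.buildURL();
            LOGGER.trace("Built service callback url [{}]", callbackUrl);
            return CommonUtils.constructServiceUrl(request, response, callbackUrl,
                this.casProperties.getServer().getName(), "service", "ticket", false);
        } catch (final IOException e) {
            // MalformedURLException from URLBuilder, or the (no-op) StringWriter close.
            throw new SamlException(e.getMessage(), e);
        }
    }

    /**
     * Verifies the authentication request and then redirects to CAS login.
     *
     * @param authnContext the authentication request paired with its message context
     * @param response     the current HTTP response
     * @param request      the current HTTP request
     * @throws Exception on verification or redirect failures
     */
    public void initiateAuthenticationRequest(final Pair<? extends SignableSAMLObject, MessageContext> authnContext,
                                              final HttpServletResponse response,
                                              final HttpServletRequest request) throws Exception {
        verifySamlAuthenticationRequest(authnContext, request);
        issueAuthenticationRequestRedirect(authnContext, request, response);
    }

    /**
     * Verifies an inbound authentication request: the issuer must be a registered,
     * accessible SAML service with resolvable metadata, and the request signature is
     * checked per {@link #verifyAuthenticationContextSignature}.
     *
     * @param authnContext the authentication request paired with its message context
     * @param request      the current HTTP request
     * @return the registered service and its metadata facade
     * @throws UnauthorizedServiceException when the issuer is unknown or has no metadata
     * @throws Exception                    on signature verification failures
     */
    public Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> verifySamlAuthenticationRequest(
        final Pair<? extends SignableSAMLObject, MessageContext> authnContext,
        final HttpServletRequest request) throws Exception {
        final AuthnRequest authnRequest = (AuthnRequest) authnContext.getKey();
        final String issuer = SamlIdPUtils.getIssuerFromSamlObject(authnRequest);
        LOGGER.debug("Located issuer [{}] from authentication request", issuer);
        final SamlRegisteredService registeredService = verifySamlRegisteredService(issuer);
        LOGGER.debug("Fetching saml metadata adaptor for [{}]", issuer);
        final Optional<SamlRegisteredServiceServiceProviderMetadataFacade> facade =
            getSamlMetadataFacadeFor(registeredService, authnRequest);
        if (facade.isEmpty()) {
            LOGGER.warn("No metadata could be found for [{}]", issuer);
            throw new UnauthorizedServiceException(UNAUTHORIZED_SERVICE_MESSAGE_KEY, "Cannot find metadata linked to " + issuer);
        }
        verifyAuthenticationContextSignature(authnContext, request, authnRequest, facade.get());
        SamlUtils.logSamlObject(this.configBean, authnRequest);
        return Pair.of(registeredService, facade.get());
    }

    /**
     * Signature check entry point taking the request/context pair; delegates to
     * {@link #verifyAuthenticationContextSignature(MessageContext, HttpServletRequest, RequestAbstractType,
     * SamlRegisteredServiceServiceProviderMetadataFacade)}.
     *
     * @param authnContext the request paired with its message context
     * @param request      the current HTTP request
     * @param samlRequest  the SAML request to verify
     * @param facade       the SP metadata facade
     * @throws Exception when verification fails
     */
    protected void verifyAuthenticationContextSignature(final Pair<? extends SignableSAMLObject, MessageContext> authnContext,
                                                        final HttpServletRequest request,
                                                        final RequestAbstractType samlRequest,
                                                        final SamlRegisteredServiceServiceProviderMetadataFacade facade) throws Exception {
        verifyAuthenticationContextSignature(authnContext.getValue(), request, samlRequest, facade);
    }

    /**
     * Verifies the request signature when the message is signed, and rejects unsigned
     * requests when the SP metadata declares {@code AuthnRequestsSigned}.
     *
     * @param messageContext the decoded message context
     * @param request        the current HTTP request
     * @param samlRequest    the SAML request to verify
     * @param facade         the SP metadata facade supplying signing requirements and keys
     * @throws SAMLException when the request is unsigned but the metadata requires a signature
     * @throws Exception     when the signature validator rejects the request
     */
    public void verifyAuthenticationContextSignature(final MessageContext messageContext,
                                                     final HttpServletRequest request,
                                                     final RequestAbstractType samlRequest,
                                                     final SamlRegisteredServiceServiceProviderMetadataFacade facade) throws Exception {
        if (SAMLBindingSupport.isMessageSigned(messageContext)) {
            LOGGER.debug("The authentication context is signed; Proceeding to validate signatures...");
            this.samlObjectSignatureValidator.verifySamlProfileRequestIfNeeded(samlRequest, facade, request, messageContext);
            return;
        }
        LOGGER.debug("The authentication context is not signed");
        // An unsigned request is only acceptable when the SP's metadata does not demand signing.
        if (facade.isAuthnRequestsSigned()) {
            LOGGER.error("Metadata for [{}] says authentication requests are signed, yet authentication request is not", facade.getEntityId());
            throw new SAMLException("AuthN request is not signed but should be");
        }
        LOGGER.debug("Authentication request is not signed, so there is no need to verify its signature.");
    }

    /**
     * Builds and writes the SAML response for the given authentication request.
     *
     * @param response     the current HTTP response
     * @param request      the current HTTP request
     * @param authnContext the authentication request paired with its message context
     * @param assertion    the validated CAS assertion
     * @param binding      the SAML binding to respond with
     */
    public void buildSamlResponse(final HttpServletResponse response, final HttpServletRequest request,
                                  final Pair<AuthnRequest, MessageContext> authnContext,
                                  final Assertion assertion, final String binding) {
        final AuthnRequest authnRequest = authnContext.getKey();
        final Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> serviceAndFacade =
            getRegisteredServiceAndFacade(authnRequest);
        final String entityId = serviceAndFacade.getValue().getEntityId();
        LOGGER.debug("Preparing SAML response for [{}]", entityId);
        this.responseBuilder.build(authnRequest, request, response, assertion,
            serviceAndFacade.getKey(), serviceAndFacade.getValue(), binding, authnContext.getValue());
        LOGGER.info("Built the SAML response for [{}]", entityId);
    }

    /**
     * Resolves the registered service and metadata facade for the request's issuer.
     *
     * @param authnRequest the authentication request
     * @return the registered service and its metadata facade
     * @throws UnauthorizedServiceException when the issuer is unknown or has no metadata
     */
    public Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> getRegisteredServiceAndFacade(
        final AuthnRequest authnRequest) {
        final String issuer = SamlIdPUtils.getIssuerFromSamlObject(authnRequest);
        LOGGER.debug("Located issuer [{}] from authentication context", issuer);
        final SamlRegisteredService registeredService = verifySamlRegisteredService(issuer);
        LOGGER.debug("Located SAML metadata for [{}]", registeredService.getServiceId());
        final SamlRegisteredServiceServiceProviderMetadataFacade facade =
            getSamlMetadataFacadeFor(registeredService, authnRequest)
                .orElseThrow(() -> new UnauthorizedServiceException(UNAUTHORIZED_SERVICE_MESSAGE_KEY,
                    "Cannot find metadata linked to " + issuer));
        return Pair.of(registeredService, facade);
    }

    /**
     * Decodes a SOAP 1.1-bound SAML message from the HTTP request.
     *
     * <p>Deliberately best-effort: any decoding failure is logged and {@code null} is
     * returned, so callers must null-check the result.
     *
     * @param request the current HTTP request
     * @return the decoded message context, or {@code null} on failure
     */
    public MessageContext decodeSoapRequest(final HttpServletRequest request) {
        try {
            final HTTPSOAP11Decoder decoder = new HTTPSOAP11Decoder();
            decoder.setParserPool(this.configBean.getParserPool());
            decoder.setHttpServletRequest(request);
            final BindingDescriptor binding = new BindingDescriptor();
            binding.setId(getClass().getName());
            binding.setShortName(getClass().getName());
            binding.setSignatureCapable(true);
            binding.setSynchronous(true);
            decoder.setBindingDescriptor(binding);
            decoder.initialize();
            decoder.decode();
            return decoder.getMessageContext();
        } catch (final Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Maps {@link UnauthorizedServiceException} to the generic unauthorized error view.
     *
     * @param request the current HTTP request
     * @param exc     the exception raised
     * @return the unauthorized error view
     */
    @ExceptionHandler({UnauthorizedServiceException.class})
    public ModelAndView handleUnauthorizedServiceException(final HttpServletRequest request, final Exception exc) {
        return WebUtils.produceUnauthorizedErrorView();
    }

    @Generated
    public AbstractSamlProfileHandlerController(final SamlIdPObjectSigner samlIdPObjectSigner,
                                                final AuthenticationSystemSupport authenticationSystemSupport,
                                                final ServicesManager servicesManager,
                                                final ServiceFactory<WebApplicationService> serviceFactory,
                                                final SamlRegisteredServiceCachingMetadataResolver samlRegisteredServiceCachingMetadataResolver,
                                                final OpenSamlConfigBean openSamlConfigBean,
                                                final SamlProfileObjectBuilder<? extends SAMLObject> samlProfileObjectBuilder,
                                                final CasConfigurationProperties casConfigurationProperties,
                                                final SamlObjectSignatureValidator samlObjectSignatureValidator,
                                                final Service service) {
        this.samlObjectSigner = samlIdPObjectSigner;
        this.authenticationSystemSupport = authenticationSystemSupport;
        this.servicesManager = servicesManager;
        this.webApplicationServiceFactory = serviceFactory;
        this.samlRegisteredServiceCachingMetadataResolver = samlRegisteredServiceCachingMetadataResolver;
        this.configBean = openSamlConfigBean;
        this.responseBuilder = samlProfileObjectBuilder;
        this.casProperties = casConfigurationProperties;
        this.samlObjectSignatureValidator = samlObjectSignatureValidator;
        this.callbackService = service;
    }
}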
