package org.apereo.cas.support.saml.web.idp.profile.ecp;

import java.util.LinkedHashMap;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.SamlUtils;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.apereo.cas.support.saml.web.idp.profile.AbstractSamlIdPProfileHandlerController;
import org.apereo.cas.support.saml.web.idp.profile.SamlProfileHandlerConfigurationContext;
import org.apereo.cas.util.LoggingUtils;
import org.jasig.cas.client.validation.Assertion;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SignableSAMLObject;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.soap.messaging.context.SOAP11Context;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.session.JEESessionStore;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.extractor.BasicAuthExtractor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/ecp/ECPSamlIdPProfileHandlerController.class */
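/**
 * Handles the SAML 2.0 Enhanced Client or Proxy (ECP) profile for the CAS SAML IdP.
 * <p>
 * An ECP client POSTs a SOAP envelope carrying an {@code AuthnRequest} to
 * {@code /idp/profile/SAML2/SOAP/ECP} and authenticates itself with HTTP Basic credentials.
 * The request is verified against the registered service / SP metadata first, the credentials
 * are authenticated next, and a SAML response (or a SOAP fault) is written back over the
 * PAOS binding.
 * <p>
 * Security caveat: HTTP Basic carries the password in the {@code Authorization} header, so
 * this endpoint must only ever be reachable over TLS.
 * <p>
 * Note: this listing was decompiled. The catch-clause order and the builder method name
 * ({@code mo21build}) in the decompiler output were artifacts and have been restored.
 */
public class ECPSamlIdPProfileHandlerController extends AbstractSamlIdPProfileHandlerController {

    /**
     * SAML 2.0 PAOS binding URI: the only binding the ECP profile uses, both for
     * successful responses and for SOAP faults.
     */
    private static final String PAOS_BINDING_URI = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS";

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(ECPSamlIdPProfileHandlerController.class);

    public ECPSamlIdPProfileHandlerController(final SamlProfileHandlerConfigurationContext samlProfileHandlerConfigurationContext) {
        super(samlProfileHandlerConfigurationContext);
    }

    /**
     * Extracts the HTTP Basic credentials carried by the ECP request.
     *
     * @param request  the servlet request holding the {@code Authorization} header
     * @param response the servlet response (needed only to build the pac4j web context)
     * @return a CAS username/password credential, or {@code null} when the request carries no
     * Basic credentials or extraction fails for any reason (failures are logged at warn level)
     */
    private static Credential extractBasicAuthenticationCredential(final HttpServletRequest request,
                                                                   final HttpServletResponse response) {
        try {
            final Optional<?> extracted = new BasicAuthExtractor()
                .extract(new JEEContext(request, response), JEESessionStore.INSTANCE);
            if (!extracted.isPresent()) {
                return null;
            }
            final UsernamePasswordCredentials basic = (UsernamePasswordCredentials) extracted.get();
            // Log the username only. Handing the whole credential object to the logger relies on
            // the third-party toString() masking the password, which must not be assumed.
            LOGGER.debug("Received basic authentication ECP request for username [{}]", basic.getUsername());
            return new UsernamePasswordCredential(basic.getUsername(), basic.getPassword());
        } catch (final Exception e) {
            // Best effort: a malformed header is treated as "no credentials"; the caller answers 401.
            LoggingUtils.warn(LOGGER, e);
            return null;
        }
    }

    /**
     * Entry point for the ECP profile endpoint.
     * <p>
     * Answers {@code 401} when no Basic credentials are present and {@code 400} when the
     * SOAP envelope cannot be decoded; otherwise delegates to
     * {@link #handleEcpRequest(HttpServletResponse, HttpServletRequest, MessageContext, Credential, String)}
     * with the PAOS binding.
     *
     * @param httpServletResponse the servlet response
     * @param httpServletRequest  the servlet request carrying the SOAP envelope and Basic credentials
     */
    @PostMapping(path = {"/idp/profile/SAML2/SOAP/ECP"}, consumes = {"text/xml", "application/vnd.paos+xml"}, produces = {"text/xml", "application/vnd.paos+xml"})
    public void handleEcpRequest(final HttpServletResponse httpServletResponse, final HttpServletRequest httpServletRequest) {
        final MessageContext soapContext = decodeSoapRequest(httpServletRequest);
        final Credential credential = extractBasicAuthenticationCredential(httpServletRequest, httpServletResponse);
        if (credential == null) {
            LOGGER.error("Credentials could not be extracted from the SAML ECP request");
            // NOTE(review): RFC 7235 expects a WWW-Authenticate challenge with a 401; none is sent
            // here. Confirm whether the ECP clients in use need one before adding it.
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (soapContext == null) {
            LOGGER.error("SAML ECP request could not be determined from the authentication request");
            // An undecodable envelope is a client error; previously this fell through with an empty 200.
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        handleEcpRequest(httpServletResponse, httpServletRequest, soapContext, credential, PAOS_BINDING_URI);
    }

    /**
     * Verifies the decoded {@code AuthnRequest}, authenticates the supplied credential and
     * writes either a SAML response or a SOAP fault to the client.
     *
     * @param httpServletResponse the servlet response
     * @param httpServletRequest  the servlet request
     * @param messageContext      the decoded SOAP message context; its message must be an {@link AuthnRequest}
     * @param credential          the credential extracted from the request (never {@code null} here)
     * @param str                 the SAML binding URI used to build the response
     */
    protected void handleEcpRequest(final HttpServletResponse httpServletResponse, final HttpServletRequest httpServletRequest,
                                    final MessageContext messageContext, final Credential credential, final String str) {
        LOGGER.debug("Handling ECP request for SOAP context [{}]", messageContext);
        SamlUtils.logSamlObject(getSamlProfileHandlerConfigurationContext().getOpenSamlConfigBean(),
            messageContext.getSubcontext(SOAP11Context.class).getEnvelope());
        final AuthnRequest authnRequest = (AuthnRequest) messageContext.getMessage();
        final Pair<AuthnRequest, MessageContext> authenticationContext = Pair.of(authnRequest, messageContext);
        try {
            LOGGER.trace("Verifying ECP authentication request [{}]", authnRequest);
            // The request (issuer, registered service, SP metadata) is verified before any
            // credential is tried, so unknown SPs cannot drive password guessing through this endpoint.
            final Pair<SamlRegisteredService, SamlRegisteredServiceServiceProviderMetadataFacade> verified =
                verifySamlAuthenticationRequest(authenticationContext, httpServletRequest);
            LOGGER.trace("Attempting to authenticate ECP request for credential id [{}]", credential.getId());
            final Authentication authentication = authenticateEcpRequest(credential, authenticationContext);
            LOGGER.debug("Authenticated [{}] successfully with authenticated principal [{}]", credential.getId(), authentication.getPrincipal());
            LOGGER.trace("Building ECP SAML response for [{}]", credential.getId());
            final WebApplicationService service = getSamlProfileHandlerConfigurationContext()
                .getWebApplicationServiceFactory()
                .createService(SamlIdPUtils.getIssuerFromSamlObject(authnRequest));
            final Assertion casAssertion = buildCasAssertion(authentication, service, verified.getKey(), new LinkedHashMap<>(0));
            LOGGER.trace("CAS assertion to use for building ECP SAML response is [{}]", casAssertion);
            buildSamlResponse(httpServletResponse, httpServletRequest, authenticationContext, casAssertion, str);
        } catch (final AuthenticationException e) {
            // Must precede the catch-all: AuthenticationException is an Exception, so the reverse
            // order (as in the decompiled listing) makes this clause unreachable and does not compile.
            LoggingUtils.error(LOGGER, e);
            final String handlerErrors = e.getHandlerErrors().values().stream()
                .map(error -> error.getMessage())
                .filter(Objects::nonNull)
                .collect(Collectors.joining(","));
            buildEcpFaultResponse(httpServletResponse, httpServletRequest, Pair.of(authnRequest, handlerErrors), messageContext);
        } catch (final Exception e) {
            LoggingUtils.error(LOGGER, e);
            buildEcpFaultResponse(httpServletResponse, httpServletRequest, Pair.of(authnRequest, e.getMessage()), messageContext);
        }
    }

    /**
     * Writes a SOAP fault for a failed ECP request over the PAOS binding.
     * <p>
     * NOTE(review): the fault text is the raw exception / handler-error message, so whatever
     * those messages contain (handler names, backend details) is exposed to the SP. Consider
     * mapping to a generic message if the fault reaches untrusted clients.
     *
     * @param httpServletResponse the servlet response
     * @param httpServletRequest  the servlet request; receives the {@code samlError} attribute
     * @param pair                the original request and the error text to report
     * @param messageContext      the SOAP message context of the request
     */
    protected void buildEcpFaultResponse(final HttpServletResponse httpServletResponse, final HttpServletRequest httpServletRequest,
                                         final Pair<RequestAbstractType, String> pair, final MessageContext messageContext) {
        httpServletRequest.setAttribute("samlError", pair.getValue());
        // The decompiler printed this call as "mo21build" (a synthesised bridge-method name); the
        // builder's method is build(...).
        getSamlProfileHandlerConfigurationContext().getSamlFaultResponseBuilder()
            .build(pair.getKey(), httpServletRequest, httpServletResponse, null, null, null, PAOS_BINDING_URI, messageContext);
    }

    /**
     * Runs a single CAS authentication transaction for the credential, scoped to the
     * service identified by the {@code AuthnRequest} issuer.
     *
     * @param credential the credential to authenticate
     * @param pair       the {@code AuthnRequest} and its message context
     * @return the finalized authentication
     */
    protected Authentication authenticateEcpRequest(final Credential credential, final Pair<AuthnRequest, MessageContext> pair) {
        final String issuer = SamlIdPUtils.getIssuerFromSamlObject(pair.getKey());
        LOGGER.debug("Located issuer [{}] from request prior to authenticating [{}]", issuer, credential.getId());
        final WebApplicationService service = getSamlProfileHandlerConfigurationContext()
            .getWebApplicationServiceFactory()
            .createService(issuer);
        LOGGER.debug("Executing authentication request for service [{}] on behalf of credential id [{}]", service, credential.getId());
        return getSamlProfileHandlerConfigurationContext().getAuthenticationSystemSupport()
            .handleAndFinalizeSingleAuthenticationTransaction(service, new Credential[]{credential})
            .getAuthentication();
    }
}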
