package org.apereo.cas.support.openid.authentication.principal;

import java.util.HashMap;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.AbstractWebApplicationServiceResponseBuilder;
import org.apereo.cas.authentication.principal.Response;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.support.openid.OpenIdProtocolConstants;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.validation.Assertion;
import org.apereo.cas.web.support.WebUtils;
import org.openid4java.association.Association;
import org.openid4java.message.AuthRequest;
import org.openid4java.message.MessageException;
import org.openid4java.message.ParameterList;
import org.openid4java.server.ServerManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/openid/authentication/principal/OpenIdServiceResponseBuilder.class */
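/**
 * Builds the redirect {@link Response} that answers an OpenID authentication request
 * for an {@link OpenIdService}.
 *
 * <p>The outcome depends on the association referenced by the incoming request:
 * <ul>
 *   <li>association found and not expired: the service ticket is validated here and the
 *       response is positive only if validation succeeds;</li>
 *   <li>association found but expired: the response is negative;</li>
 *   <li>no association resolved: the ticket is not validated here and the response is
 *       still built as positive; the log message states the relying party must validate it.</li>
 * </ul>
 */
public class OpenIdServiceResponseBuilder extends AbstractWebApplicationServiceResponseBuilder {
    private static final Logger LOGGER = LoggerFactory.getLogger(OpenIdServiceResponseBuilder.class);
    private static final long serialVersionUID = -4581238964007702423L;
    private final ServerManager serverManager;
    private final CentralAuthenticationService centralAuthenticationService;
    private final String openIdPrefixUrl;

    /**
     * Creates the builder.
     *
     * @param str prefix URL prepended to the principal id when an identity is derived
     *        from a validated assertion (see {@link #determineIdentity})
     * @param serverManager OpenID server manager used to load associations and build responses
     * @param centralAuthenticationService service used to validate service tickets
     */
    public OpenIdServiceResponseBuilder(String str, ServerManager serverManager, CentralAuthenticationService centralAuthenticationService) {
        this.openIdPrefixUrl = str;
        this.serverManager = serverManager;
        this.centralAuthenticationService = centralAuthenticationService;
    }

    /**
     * Builds the OpenID response for the given service and service ticket.
     *
     * @param webApplicationService the target service; must be an {@link OpenIdService}
     *        (callers are expected to check {@link #supports} first, otherwise the cast fails)
     * @param str the service ticket id; a blank value produces a cancel response
     * @param authentication the current authentication (not read by this method)
     * @return a redirect response carrying the OpenID parameters
     */
    public Response build(WebApplicationService webApplicationService, String str, Authentication authentication) {
        final OpenIdService service = (OpenIdService) webApplicationService;
        // The OpenID request parameters are taken from the servlet request bound to the
        // current thread, i.e. they are client-supplied input.
        final ParameterList requestParameters =
            new ParameterList(WebUtils.getHttpServletRequestFromRequestAttributes().getParameterMap());
        final Map<String, String> responseParameters = new HashMap<>();

        if (StringUtils.isBlank(str)) {
            // No ticket was issued: answer with openid.mode=cancel.
            responseParameters.put(OpenIdProtocolConstants.OPENID_MODE, OpenIdProtocolConstants.CANCEL);
            return buildRedirect(service, responseParameters);
        }

        final Association association = getAssociation(this.serverManager, requestParameters);
        final boolean associated = association != null;
        final boolean associationValid = isAssociationValid(association);
        boolean successfulAuthentication = true;
        Assertion assertion = null;
        try {
            if (associated && associationValid) {
                assertion = this.centralAuthenticationService.validateServiceTicket(str, service);
                LOGGER.debug("Validated openid ticket [{}] for [{}]", str, service);
            } else if (associated) {
                // The handle resolved to an association, but it has expired.
                LOGGER.warn("Association does not exist or is not valid");
                successfulAuthentication = false;
            } else {
                // NOTE(review): getAssociation() also returns null when the request fails to
                // parse (MessageException), so a malformed request takes this branch as well
                // and the success flag stays true. Presumably serverManager.authResponse()
                // rejects such a request on its own; confirm.
                // The ticket id is written to the debug log before anything has validated it.
                LOGGER.debug("Responding to non-associated mode. Service ticket [{}] must be validated by the RP", str);
            }
        } catch (AbstractTicketException e) {
            LOGGER.error("Could not validate ticket : [{}]", e.getMessage(), e);
            successfulAuthentication = false;
        }

        final String identity = determineIdentity(service, assertion);
        return buildAuthenticationResponse(service, responseParameters, successfulAuthentication, identity, requestParameters);
    }

    /**
     * Determines the identity asserted in the response.
     *
     * <p>When an assertion is available and the service asked for identifier selection, the
     * identity is the configured prefix URL, a slash and the authenticated principal id.
     * In every other case the identity carried by the service is returned unchanged.
     *
     * @param openIdService the OpenID service
     * @param assertion the validated assertion, or {@code null} when no ticket was validated
     * @return the identity to place in the response
     */
    protected String determineIdentity(OpenIdService openIdService, Assertion assertion) {
        final String requestedIdentity = openIdService.getIdentity();
        if (assertion != null && OpenIdProtocolConstants.OPENID_IDENTIFIERSELECT.equals(requestedIdentity)) {
            return this.openIdPrefixUrl + '/' + assertion.getPrimaryAuthentication().getPrincipal().getId();
        }
        // NOTE(review): the service-supplied identity is returned without being compared to
        // the authenticated principal in this method; presumably that check happens
        // upstream. Verify against the caller.
        return requestedIdentity;
    }

    /**
     * Asks the server manager for the OpenID authentication response and turns it into a redirect.
     *
     * @param openIdService the OpenID service
     * @param map response parameters collected so far; the server manager's parameters are added to it
     * @param z whether the authentication is reported as successful
     * @param str the identity, passed as both identity arguments of {@code authResponse}
     * @param parameterList the parameters of the incoming OpenID request
     * @return the redirect response
     */
    protected Response buildAuthenticationResponse(OpenIdService openIdService, Map<String, String> map, boolean z, String str, ParameterList parameterList) {
        map.putAll(this.serverManager.authResponse(parameterList, str, str, z, true).getParameterMap());
        // Only parameter names are logged, not their values.
        LOGGER.debug("Parameters passed for the OpenID response are [{}]", map.keySet());
        return buildRedirect(openIdService, map);
    }

    /**
     * Loads the shared association referenced by the request's association handle.
     *
     * @param serverManager the OpenID server manager
     * @param parameterList the parameters of the incoming OpenID request
     * @return the association, or {@code null} when the request cannot be parsed, carries no
     *         parameters or no association handle, or the store returns {@code null} for the handle
     */
    protected Association getAssociation(ServerManager serverManager, ParameterList parameterList) {
        try {
            final AuthRequest authRequest = AuthRequest.createAuthRequest(parameterList, serverManager.getRealmVerifier());
            final Map<?, ?> parameterMap = authRequest.getParameterMap();
            if (parameterMap == null || parameterMap.isEmpty()) {
                return null;
            }
            final String associationHandle = (String) parameterMap.get(OpenIdProtocolConstants.OPENID_ASSOCHANDLE);
            if (associationHandle == null) {
                return null;
            }
            return serverManager.getSharedAssociations().load(associationHandle);
        } catch (MessageException e) {
            // A parse failure is reported to the caller the same way as a missing association.
            LOGGER.error("Message exception : [{}]", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Tells whether this builder can handle the given service.
     *
     * @param webApplicationService the service to test
     * @return {@code true} when the service is an {@link OpenIdService}
     */
    public boolean supports(WebApplicationService webApplicationService) {
        return webApplicationService instanceof OpenIdService;
    }

    /**
     * Tells whether an association can be used.
     *
     * @param association the association, possibly {@code null}
     * @return {@code true} when the association is non-null and has not expired
     */
    protected boolean isAssociationValid(Association association) {
        return association != null && !association.hasExpired();
    }
}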
