package org.jasig.cas.support.wsfederation.web.flow;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.validation.constraints.NotNull;
import org.apache.commons.lang.StringUtils;
import org.jasig.cas.CentralAuthenticationService;
import org.jasig.cas.authentication.AuthenticationSystemSupport;
import org.jasig.cas.authentication.AuthenticationTransaction;
import org.jasig.cas.authentication.Credential;
import org.jasig.cas.authentication.DefaultAuthenticationContextBuilder;
import org.jasig.cas.authentication.DefaultAuthenticationSystemSupport;
import org.jasig.cas.authentication.principal.Service;
import org.jasig.cas.support.wsfederation.WsFederationConfiguration;
import org.jasig.cas.support.wsfederation.WsFederationHelper;
import org.jasig.cas.support.wsfederation.authentication.principal.WsFederationCredential;
import org.jasig.cas.ticket.AbstractTicketException;
import org.jasig.cas.web.support.WebUtils;
import org.opensaml.saml.saml1.core.Assertion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

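/**
 * Spring Web Flow action implementing the CAS side of a WS-Federation passive
 * requestor ({@code wsignin1.0}) exchange.
 * <p>
 * Two entries into the flow are handled by {@link #doExecute(RequestContext)}:
 * <ul>
 *   <li>No {@code wa=wsignin1.0} request parameter: the current service and the
 *       {@code theme}, {@code locale} and {@code method} request parameters are
 *       parked in the HTTP session, the IdP sign-in URL is put in flow scope under
 *       {@value #PROVIDERURL}, and {@code error()} is returned so the flow moves to
 *       its redirect state.</li>
 *   <li>{@code wa=wsignin1.0} with a {@code wresult} token: the token is parsed,
 *       its signature verified against the configured IdP, the derived credential
 *       checked for audience, issuer and freshness, the parked request state
 *       restored, and a ticket-granting ticket created.</li>
 * </ul>
 * Every failure path logs and returns {@code error()}; nothing propagates to the flow.
 * <p>
 * Security notes: the {@code wresult} value is a signed security token carrying the
 * user's assertion and is never written to the log; signature validation runs before
 * any claim in the token is trusted. No replay cache is visible in this action, so a
 * captured token is presumably accepted again until the tolerance checked by
 * {@code WsFederationCredential.isValid} expires — confirm whether the helper or
 * credential guards against that.
 */
@Component("wsFederationAction")
public final class WsFederationAction extends AbstractAction {
    private static final String LOCALE = "locale";
    private static final String METHOD = "method";
    private static final String PROVIDERURL = "WsFederationIdentityProviderUrl";
    private static final String QUERYSTRING = "?wa=wsignin1.0&wtrealm=";
    private static final String SERVICE = "service";
    private static final String THEME = "theme";
    private static final String WA = "wa";
    private static final String WRESULT = "wresult";
    private static final String WSIGNIN = "wsignin1.0";

    @NotNull
    @Autowired
    @Qualifier("wsFederationHelper")
    private WsFederationHelper wsFederationHelper;

    @NotNull
    @Autowired
    @Qualifier("wsFedConfig")
    private WsFederationConfiguration configuration;

    @NotNull
    @Autowired
    @Qualifier("centralAuthenticationService")
    private CentralAuthenticationService centralAuthenticationService;
    private final transient Logger logger = LoggerFactory.getLogger(WsFederationAction.class);

    @NotNull
    @Autowired(required = false)
    @Qualifier("defaultAuthenticationSystemSupport")
    private AuthenticationSystemSupport authenticationSystemSupport = new DefaultAuthenticationSystemSupport();

    /**
     * Dispatches on the {@code wa} request parameter: anything other than
     * {@code wsignin1.0} (case-insensitive) is treated as the start of the exchange
     * and redirected to the IdP; otherwise the IdP response is consumed.
     *
     * @param requestContext the current web flow request context
     * @return {@code success()} once a ticket-granting ticket has been created,
     *         {@code error()} for the redirect leg and for every failure
     * @throws Exception never in practice; all exceptions are caught, logged and
     *         mapped to {@code error()}
     */
    @Override
    protected Event doExecute(final RequestContext requestContext) throws Exception {
        try {
            final HttpServletRequest request = WebUtils.getHttpServletRequest(requestContext);
            final HttpSession session = request.getSession();
            final String action = request.getParameter(WA);
            if (StringUtils.isBlank(action) || !action.equalsIgnoreCase(WSIGNIN)) {
                return prepareRedirectToIdentityProvider(requestContext, request, session);
            }
            return consumeSignInResponse(requestContext, request, session);
        } catch (final Exception e) {
            this.logger.error(e.getMessage(), e);
            return error();
        }
    }

    /**
     * First leg of the exchange: parks the service and selected request parameters
     * in the session so they survive the round trip to the IdP, then exposes the
     * IdP sign-in URL to the flow.
     *
     * @return always {@code error()}, which the flow definition maps to the redirect
     */
    private Event prepareRedirectToIdentityProvider(final RequestContext requestContext,
                                                    final HttpServletRequest request,
                                                    final HttpSession session) {
        final Service service = (Service) requestContext.getFlowScope().get(SERVICE);
        if (service != null) {
            session.setAttribute(SERVICE, service);
        }
        // These are unvalidated request parameters; they are only round-tripped
        // through the session and re-exposed as request attributes on return.
        saveRequestParameter(request, session, THEME);
        saveRequestParameter(request, session, LOCALE);
        saveRequestParameter(request, session, METHOD);

        // NOTE(review): the relying-party identifier is appended without URL-encoding;
        // a realm containing '&' or '#' would corrupt the query string. Tolerable only
        // because the value is operator configuration, not user input.
        final String idpUrl = String.valueOf(this.configuration.getIdentityProviderUrl())
                + QUERYSTRING + this.configuration.getRelyingPartyIdentifier();
        this.logger.info("Preparing to redirect to the IdP {}", idpUrl);
        requestContext.getFlowScope().put(PROVIDERURL, idpUrl);
        this.logger.debug("Redirecting to the IdP");
        return error();
    }

    /**
     * Second leg of the exchange: validates the {@code wresult} token and, if it is
     * acceptable, restores the parked request state and creates a ticket-granting
     * ticket for the authenticated principal.
     * <p>
     * Checks run in this order, each failure short-circuiting to {@code error()}:
     * parameter present, token parses, signature valid for the configured IdP,
     * credential present and {@code isValid} against the configured relying party,
     * IdP identifier and clock tolerance.
     *
     * @return {@code success()} on a new TGT, {@code error()} otherwise
     */
    private Event consumeSignInResponse(final RequestContext requestContext,
                                        final HttpServletRequest request,
                                        final HttpSession session) {
        final String wresult = request.getParameter(WRESULT);
        if (StringUtils.isBlank(wresult)) {
            this.logger.error("No {} parameter is found", WRESULT);
            return error();
        }
        // Log only the size: the token is a signed security assertion and must not
        // end up in log files where it could be read or replayed.
        this.logger.debug("Parameter [{}] received ({} characters)", WRESULT, wresult.length());

        final Assertion assertion = this.wsFederationHelper.parseTokenFromString(wresult);
        if (assertion == null) {
            this.logger.error("Could not validate assertion via parsing the token from {}", WRESULT);
            return error();
        }
        // Signature first: nothing inside the assertion is trusted until it is
        // verified against the configured IdP.
        if (!this.wsFederationHelper.validateSignature(assertion, this.configuration)) {
            this.logger.error("WS Requested Security Token is blank or the signature is not valid.");
            return error();
        }
        try {
            final WsFederationCredential credential = this.wsFederationHelper.createCredentialFromToken(assertion);
            final boolean acceptable = credential != null
                    && credential.isValid(this.configuration.getRelyingPartyIdentifier(),
                                          this.configuration.getIdentityProviderIdentifier(),
                                          this.configuration.getTolerance());
            if (!acceptable) {
                this.logger.warn("SAML assertions are blank or no longer valid.");
                return error();
            }
            if (this.configuration.getAttributeMutator() != null) {
                this.configuration.getAttributeMutator().modifyAttributes(credential.getAttributes());
            }

            // May be null if the session was lost between redirect and return; what
            // the context builder does with a null service is not visible here.
            final Service service = (Service) session.getAttribute(SERVICE);
            requestContext.getFlowScope().put(SERVICE, service);
            restoreRequestAttribute(request, session, THEME);
            restoreRequestAttribute(request, session, LOCALE);
            restoreRequestAttribute(request, session, METHOD);

            final DefaultAuthenticationContextBuilder contextBuilder =
                    new DefaultAuthenticationContextBuilder(this.authenticationSystemSupport.getPrincipalElectionStrategy());
            this.authenticationSystemSupport.getAuthenticationTransactionManager()
                    .handle(AuthenticationTransaction.wrap(new Credential[]{credential}), contextBuilder);
            WebUtils.putTicketGrantingTicketInScopes(requestContext,
                    this.centralAuthenticationService.createTicketGrantingTicket(contextBuilder.build(service)));
            // NOTE(review): this prints the credential's toString(); if that includes
            // the token attributes, PII reaches the info log — confirm before relying on it.
            this.logger.info("Token validated and new {} created: {}", credential.getClass().getName(), credential);
            return success();
        } catch (final AbstractTicketException e) {
            this.logger.error(e.getMessage(), e);
            return error();
        }
    }

    /**
     * Copies a value parked in the session by {@link #saveRequestParameter} back onto
     * the current request as an attribute (null if nothing was parked).
     */
    private void restoreRequestAttribute(final HttpServletRequest request, final HttpSession session, final String name) {
        request.setAttribute(name, (String) session.getAttribute(name));
    }

    /**
     * Parks a request parameter in the session under the same name, if present.
     */
    private void saveRequestParameter(final HttpServletRequest request, final HttpSession session, final String name) {
        final String value = request.getParameter(name);
        if (value != null) {
            session.setAttribute(name, value);
        }
    }

    public void setCentralAuthenticationService(final CentralAuthenticationService centralAuthenticationService) {
        this.centralAuthenticationService = centralAuthenticationService;
    }

    public void setConfiguration(final WsFederationConfiguration wsFederationConfiguration) {
        this.configuration = wsFederationConfiguration;
    }
}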
