package org.apereo.cas.web.flow;

import java.util.Collection;
import java.util.Map;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.support.wsfederation.WsFederationConfiguration;
import org.apereo.cas.support.wsfederation.WsFederationHelper;
import org.apereo.cas.support.wsfederation.web.WsFederationCookieManager;
import org.apereo.cas.web.support.WebUtils;
import org.opensaml.saml.saml1.core.Assertion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/web/flow/WsFederationResponseValidator.class */
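/**
 * Validates the WS-Federation response ({@code wresult}) posted back to CAS by the identity provider
 * and, on success, turns the embedded SAML 1 assertion into a CAS credential and authentication result
 * stored in the webflow request context.
 *
 * <p>Checks run in this order; every failure aborts with an {@link IllegalArgumentException}:
 * <ol>
 *   <li>the {@code wresult} request parameter is present and not blank;</li>
 *   <li>the security token parses into an assertion that matches one of the configured
 *       {@link WsFederationConfiguration}s ({@link WsFederationHelper#buildAndVerifyAssertion});</li>
 *   <li>the assertion signature validates ({@link WsFederationHelper#validateSignature});</li>
 *   <li>the credential built from the assertion is valid for the relying-party identifier, the
 *       identity-provider identifier and the configured clock tolerance.</li>
 * </ol>
 * No credential is built and nothing is written to the flow scope before step 3 has passed.
 *
 * <p>Thread-safety: holds only final collaborators and no mutable state of its own, so it is as
 * thread-safe as the collaborators it is constructed with.
 */
public class WsFederationResponseValidator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(WsFederationResponseValidator.class);
    /** Name of the request parameter carrying the WS-Federation security token. */
    private static final String WRESULT = "wresult";
    private final WsFederationHelper wsFederationHelper;
    private final Collection<WsFederationConfiguration> configurations;
    private final AuthenticationSystemSupport authenticationSystemSupport;
    private final WsFederationCookieManager wsFederationCookieManager;

    /**
     * Validates the WS-Federation response found in the current request and, when it is acceptable,
     * populates the request context with the resulting credential, authentication and service.
     *
     * @param requestContext the webflow request context wrapping the HTTP request that carries {@code wresult}
     * @throws IllegalArgumentException if {@code wresult} is missing/blank, the token cannot be parsed into
     *                                  an assertion for a configured identity provider, the signature does
     *                                  not validate, or the derived credential is not valid
     */
    public void validateWsFederationAuthenticationRequest(RequestContext requestContext) {
        // The service the user originally asked for is carried across the IdP round-trip in a cookie.
        Service service = this.wsFederationCookieManager.retrieve(requestContext);
        LOGGER.debug("Retrieved service [{}] from the session cookie", service);

        String wresult = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext).getParameter(WRESULT);
        // The raw token is logged at DEBUG; it carries the complete assertion (and every attribute the IdP
        // released), so DEBUG for this logger should stay off outside of troubleshooting.
        LOGGER.debug("Parameter [{}] received: [{}]", WRESULT, wresult);
        if (StringUtils.isBlank(wresult)) {
            LOGGER.error("No [{}] parameter is found", WRESULT);
            throw new IllegalArgumentException("Missing parameter wresult");
        }

        LOGGER.debug("Attempting to create an assertion from the token parameter");
        Pair<Assertion, WsFederationConfiguration> assertionAndConfig = this.wsFederationHelper.buildAndVerifyAssertion(
            this.wsFederationHelper.getRequestSecurityTokenFromResult(wresult), this.configurations);
        if (assertionAndConfig == null) {
            LOGGER.error("Could not validate assertion via parsing the token from [{}]", WRESULT);
            throw new IllegalArgumentException("Could not validate assertion via the provided token");
        }

        // Signature is checked before any credential is derived from the assertion's contents.
        LOGGER.debug("Attempting to validate the signature on the assertion");
        if (!this.wsFederationHelper.validateSignature(assertionAndConfig)) {
            LOGGER.error("WS Requested Security Token is blank or the signature is not valid.");
            throw new IllegalArgumentException("WS Requested Security Token is blank or the signature is not valid.");
        }
        buildCredentialsFromAssertion(requestContext, assertionAndConfig, service);
    }

    /**
     * Builds a credential from an already signature-validated assertion, checks the credential against the
     * relying-party identifier, identity-provider identifier and tolerance of the matched configuration,
     * optionally rewrites its attributes through the configured mutator, and finalizes the authentication.
     *
     * @param requestContext the webflow request context that receives the credential, authentication result and service
     * @param pair           the validated assertion together with the {@link WsFederationConfiguration} it matched
     * @param service        the service retrieved from the session cookie; stored into the flow scope
     * @throws IllegalArgumentException if no credential can be extracted from the assertion or the credential is not valid
     */
    private void buildCredentialsFromAssertion(RequestContext requestContext, Pair<Assertion, WsFederationConfiguration> pair, Service service) {
        try {
            LOGGER.debug("Creating credential based on the provided assertion");
            Credential credential = this.wsFederationHelper.createCredentialFromToken(pair.getKey());
            WsFederationConfiguration configuration = pair.getValue();
            String relyingPartyIdentifier = this.wsFederationHelper.getRelyingPartyIdentifier(service, configuration);

            if (credential == null) {
                LOGGER.error("No credential could be extracted from [{}] based on relying party identifier [{}] and identity provider identifier [{}]",
                    pair.getKey(), relyingPartyIdentifier, configuration.getIdentityProviderIdentifier());
                throw new IllegalArgumentException("Could not extract and identify credentials");
            }
            // The null case is already handled above; only the validity check remains here.
            if (!credential.isValid(relyingPartyIdentifier, configuration.getIdentityProviderIdentifier(), configuration.getTolerance())) {
                LOGGER.error("SAML assertions are blank or no longer valid based on RP identifier [{}] and identity provider identifier [{}]",
                    relyingPartyIdentifier, configuration.getIdentityProviderIdentifier());
                throw new IllegalArgumentException("Could not validate the provided assertion");
            }

            // Raw Map kept on purpose: the element types of the attribute map are not visible from this
            // class — TODO confirm the declared generic type on the credential/mutator before tightening.
            Map attributes = credential.getAttributes();
            LOGGER.debug("Validated assertion for the created credential successfully and located attributes [{}]", attributes);
            if (configuration.getAttributeMutator() != null) {
                LOGGER.debug("Modifying credential attributes based on [{}]", configuration.getAttributeMutator().getClass().getSimpleName());
                Map mutatedAttributes = configuration.getAttributeMutator().modifyAttributes(attributes);
                LOGGER.debug("Finalized credential attributes are [{}]", mutatedAttributes);
                credential.setAttributes(mutatedAttributes);
            }

            requestContext.getFlowScope().put("service", service);
            LOGGER.debug("Creating final authentication result based on the given credential");
            AuthenticationResult authenticationResult = this.authenticationSystemSupport.handleAndFinalizeSingleAuthenticationTransaction(service, new Credential[]{credential});
            WebUtils.putAuthenticationResult(authenticationResult, requestContext);
            WebUtils.putAuthentication(authenticationResult.getAuthentication(), requestContext);
            WebUtils.putCredential(requestContext, credential);
            WebUtils.putServiceIntoFlowScope(requestContext, service);
            LOGGER.info("Token validated and new [{}] created: [{}]", credential.getClass().getName(), credential);
        } catch (Exception e) {
            // Record the failure with its stack trace here, then let it propagate unchanged to the webflow.
            LOGGER.error(e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Creates the validator.
     *
     * @param wsFederationHelper          helper used to parse tokens, verify assertions and build credentials
     * @param collection                  the WS-Federation identity-provider configurations to validate against
     * @param authenticationSystemSupport finalizes the authentication transaction for the built credential
     * @param wsFederationCookieManager   retrieves the originally requested service from the session cookie
     */
    @Generated
    public WsFederationResponseValidator(WsFederationHelper wsFederationHelper, Collection<WsFederationConfiguration> collection, AuthenticationSystemSupport authenticationSystemSupport, WsFederationCookieManager wsFederationCookieManager) {
        this.wsFederationHelper = wsFederationHelper;
        this.configurations = collection;
        this.authenticationSystemSupport = authenticationSystemSupport;
        this.wsFederationCookieManager = wsFederationCookieManager;
    }
}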
