package org.jasig.cas.web;

import java.net.URL;
import java.util.Collections;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.validation.constraints.NotNull;
import org.apache.commons.lang3.StringEscapeUtils;
import org.jasig.cas.CentralAuthenticationService;
import org.jasig.cas.authentication.AuthenticationException;
import org.jasig.cas.authentication.AuthenticationSystemSupport;
import org.jasig.cas.authentication.AuthenticationTransaction;
import org.jasig.cas.authentication.Credential;
import org.jasig.cas.authentication.DefaultAuthenticationContextBuilder;
import org.jasig.cas.authentication.DefaultAuthenticationSystemSupport;
import org.jasig.cas.authentication.HttpBasedServiceCredential;
import org.jasig.cas.authentication.principal.Service;
import org.jasig.cas.authentication.principal.WebApplicationService;
import org.jasig.cas.services.RegisteredService;
import org.jasig.cas.services.ServicesManager;
import org.jasig.cas.services.UnauthorizedProxyingException;
import org.jasig.cas.services.UnauthorizedServiceException;
import org.jasig.cas.ticket.AbstractTicketException;
import org.jasig.cas.ticket.AbstractTicketValidationException;
import org.jasig.cas.ticket.ServiceTicket;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.proxy.ProxyHandler;
import org.jasig.cas.validation.Assertion;
import org.jasig.cas.validation.Cas20ProtocolValidationSpecification;
import org.jasig.cas.validation.ValidationResponseType;
import org.jasig.cas.validation.ValidationSpecification;
import org.jasig.cas.web.support.ArgumentExtractor;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.ApplicationContext;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.servlet.ModelAndView;

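@Component("serviceValidateController")
/* loaded from: input_file:org/jasig/cas/web/AbstractServiceValidateController.class */
/**
 * Base controller for service-ticket validation requests.
 *
 * <p>For each request it extracts the service and ticket id, optionally builds a proxy
 * callback credential from the {@code pgtUrl} parameter, creates a proxy-granting
 * ticket for it, validates the service ticket, checks the resulting assertion against
 * the configured {@link ValidationSpecification}, and renders a success or failure view.
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>{@code pgtUrl} is supplied by the caller; this class only checks that it parses
 *       as a URL and that the requesting service is registered and access-allowed.</li>
 *   <li>Values placed in the error model are HTML-escaped before they reach the view.</li>
 *   <li>Request parameters are bound onto the validation specification without an
 *       allow-list of field names (see {@link #validateAssertion}).</li>
 * </ul>
 */
public abstract class AbstractServiceValidateController extends AbstractDelegateController {
    public static final String DEFAULT_SERVICE_FAILURE_VIEW_NAME = "cas2ServiceFailureView";
    public static final String DEFAULT_SERVICE_SUCCESS_VIEW_NAME = "cas2ServiceSuccessView";
    public static final String DEFAULT_SERVICE_VIEW_NAME_JSON = "cas3ServiceJsonView";

    // Used to resolve localized error descriptions in generateErrorView.
    @Autowired
    private ApplicationContext context;

    @NotNull
    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    @NotNull
    @Autowired
    @Qualifier("centralAuthenticationService")
    private CentralAuthenticationService centralAuthenticationService;

    // Not autowired in this class; supplied through setProxyHandler.
    @NotNull
    private ProxyHandler proxyHandler;

    @NotNull
    @Autowired
    @Qualifier("defaultArgumentExtractor")
    private ArgumentExtractor argumentExtractor;

    @NotNull
    @Autowired(required = false)
    @Qualifier("defaultAuthenticationSystemSupport")
    private AuthenticationSystemSupport authenticationSystemSupport = new DefaultAuthenticationSystemSupport();

    // Instantiated reflectively once per request in getCommandClass.
    @NotNull
    private Class<?> validationSpecificationClass = Cas20ProtocolValidationSpecification.class;

    @NotNull
    private String successView = DEFAULT_SERVICE_SUCCESS_VIEW_NAME;

    @NotNull
    private String failureView = DEFAULT_SERVICE_FAILURE_VIEW_NAME;

    /**
     * Builds the proxy callback credential from the request's {@code pgtUrl} parameter.
     *
     * @param webApplicationService the service extracted from the request
     * @param httpServletRequest the current request
     * @return the callback credential, or {@code null} when {@code pgtUrl} is absent or
     *         blank, or when any step of building the credential fails
     */
    protected Credential getServiceCredentialsFromRequest(WebApplicationService webApplicationService, HttpServletRequest httpServletRequest) {
        final String pgtUrl = httpServletRequest.getParameter("pgtUrl");
        if (!StringUtils.hasText(pgtUrl)) {
            return null;
        }
        try {
            final RegisteredService registeredService = this.servicesManager.findServiceBy(webApplicationService);
            verifyRegisteredServiceProperties(registeredService, webApplicationService);
            // The caller-supplied value is only checked for URL syntax here.
            // NOTE(review): scheme and allowed-callback restrictions are presumably applied
            // when this credential is authenticated - confirm against the configured handler.
            return new HttpBasedServiceCredential(new URL(pgtUrl), registeredService);
        } catch (Exception e) {
            // Deliberately broad: a malformed URL and an unregistered or disabled service
            // both end up here. The caller cannot tell this null apart from "no pgtUrl
            // supplied", so validation continues without a proxy-granting ticket instead
            // of failing the request.
            this.logger.error("Error constructing pgtUrl", e);
            return null;
        }
    }

    /**
     * Marks {@code renew} as a required field on the binder used by
     * {@link #validateAssertion}.
     *
     * @param httpServletRequest the current request (unused here)
     * @param servletRequestDataBinder the binder to configure
     */
    protected void initBinder(HttpServletRequest httpServletRequest, ServletRequestDataBinder servletRequestDataBinder) {
        servletRequestDataBinder.setRequiredFields(new String[]{"renew"});
    }

    /**
     * Authenticates the proxy callback credential and creates a proxy-granting ticket
     * from the given service ticket.
     *
     * @param serviceTicketId id of the service ticket being validated
     * @param credential the proxy callback credential
     * @return the new proxy-granting ticket, or {@code null} if the credential could not
     *         be authenticated or the ticket could not be created
     */
    private TicketGrantingTicket handleProxyGrantingTicketDelivery(String serviceTicketId, Credential credential) {
        TicketGrantingTicket proxyGrantingTicket = null;
        try {
            final ServiceTicket serviceTicket = this.centralAuthenticationService.getTicket(serviceTicketId, ServiceTicket.class);
            final DefaultAuthenticationContextBuilder contextBuilder = new DefaultAuthenticationContextBuilder(this.authenticationSystemSupport.getPrincipalElectionStrategy());
            this.authenticationSystemSupport.getAuthenticationTransactionManager().handle(AuthenticationTransaction.wrap(new Credential[]{credential}), contextBuilder);
            proxyGrantingTicket = this.centralAuthenticationService.createProxyGrantingTicket(serviceTicketId, contextBuilder.build(serviceTicket.getService()));
            // NOTE(review): this writes the full proxy-granting ticket id to the log. Treat
            // debug output of this class as sensitive, or mask the id before logging.
            this.logger.debug("Generated proxy-granting ticket [{}] off of service ticket [{}] and credential [{}]", new Object[]{proxyGrantingTicket.getId(), serviceTicketId, credential});
        } catch (AuthenticationException e) {
            // Keep the cause in the log, as the ticket branch below does, so a rejected
            // proxy callback can be investigated.
            this.logger.warn("Failed to authenticate service credential {}", credential, e);
        } catch (AbstractTicketException e) {
            this.logger.error("Failed to create proxy granting ticket for {}", credential, e);
        }
        return proxyGrantingTicket;
    }

    /**
     * Handles one validation request end to end.
     *
     * <p>The proxy-granting ticket, when requested, is created before the service ticket
     * is validated; the proxy handler is invoked only after the assertion has passed the
     * validation specification.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response (unused here)
     * @return the success view, or a failure view carrying an error code and description
     * @throws Exception for anything other than the ticket and service exceptions that
     *         are mapped to failure views below
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public ModelAndView handleRequestInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        final WebApplicationService service = this.argumentExtractor.extractService(httpServletRequest);
        final String serviceTicketId = service != null ? service.getArtifactId() : null;
        if (service == null || serviceTicketId == null) {
            this.logger.debug("Could not identify service and/or service ticket for service: [{}]", service);
            return generateErrorView("INVALID_REQUEST", "INVALID_REQUEST", null, httpServletRequest, service);
        }
        try {
            TicketGrantingTicket proxyGrantingTicket = null;
            final Credential serviceCredential = getServiceCredentialsFromRequest(service, httpServletRequest);
            if (serviceCredential != null) {
                proxyGrantingTicket = handleProxyGrantingTicketDelivery(serviceTicketId, serviceCredential);
                if (proxyGrantingTicket == null) {
                    return generateErrorView("INVALID_PROXY_CALLBACK", "INVALID_PROXY_CALLBACK", new Object[]{serviceCredential.getId()}, httpServletRequest, service);
                }
            }
            final Assertion assertion = this.centralAuthenticationService.validateServiceTicket(serviceTicketId, service);
            if (!validateAssertion(httpServletRequest, serviceTicketId, assertion)) {
                return generateErrorView("INVALID_TICKET", "INVALID_TICKET", null, httpServletRequest, service);
            }
            String proxyIou = null;
            if (serviceCredential != null && this.proxyHandler.canHandle(serviceCredential)) {
                proxyIou = this.proxyHandler.handle(serviceCredential, proxyGrantingTicket);
                if (StringUtils.isEmpty(proxyIou)) {
                    return generateErrorView("INVALID_PROXY_CALLBACK", "INVALID_PROXY_CALLBACK", new Object[]{serviceCredential.getId()}, httpServletRequest, service);
                }
            }
            onSuccessfulValidation(serviceTicketId, assertion);
            this.logger.debug("Successfully validated service ticket {} for service [{}]", serviceTicketId, service.getId());
            return generateSuccessView(assertion, proxyIou, service, proxyGrantingTicket);
        } catch (UnauthorizedProxyingException proxyingDenied) {
            return generateErrorView(proxyingDenied.getCode(), "INVALID_REQUEST_PROXY", new Object[]{service.getId()}, httpServletRequest, service);
        } catch (AbstractTicketValidationException validationFailure) {
            return generateErrorView(validationFailure.getCode(), "INVALID_TICKET", new Object[]{serviceTicketId, validationFailure.getOriginalService().getId(), service.getId()}, httpServletRequest, service);
        } catch (UnauthorizedServiceException serviceDenied) {
            return generateErrorView(serviceDenied.getCode(), "UNAUTHORIZED_SERVICE", null, httpServletRequest, service);
        } catch (AbstractTicketException ticketFailure) {
            return generateErrorView(ticketFailure.getCode(), "INVALID_TICKET", new Object[]{serviceTicketId}, httpServletRequest, service);
        }
    }

    /**
     * Binds the request onto a fresh validation specification and tests the assertion
     * against it.
     *
     * @param request the current request
     * @param serviceTicketId id of the validated service ticket, used for logging only
     * @param assertion the assertion produced by ticket validation
     * @return {@code true} if the specification is satisfied by the assertion
     */
    private boolean validateAssertion(HttpServletRequest request, String serviceTicketId, Assertion assertion) {
        final ValidationSpecification specification = getCommandClass();
        final ServletRequestDataBinder binder = new ServletRequestDataBinder(specification, "validationSpecification");
        initBinder(request, binder);
        // No allowed-fields list is set in this class, so any request parameter that
        // matches a writable property of the specification is bound onto it. The binding
        // result is not inspected either, so a missing "renew" does not reject the request.
        // NOTE(review): if a specification class with more properties is configured,
        // consider restricting the binder to the fields it is meant to accept.
        binder.bind(request);
        if (specification.isSatisfiedBy(assertion)) {
            return true;
        }
        this.logger.debug("Service ticket [{}] does not satisfy validation specification.", serviceTicketId);
        return false;
    }

    /**
     * Hook invoked after a ticket has been validated and before the success view is
     * built. Does nothing by default.
     *
     * @param str id of the validated service ticket
     * @param assertion the validated assertion
     */
    protected void onSuccessfulValidation(String str, Assertion assertion) {
    }

    /**
     * Builds the failure view.
     *
     * @param messageKey message-source key for the description; also used as the default
     *        text when the key cannot be resolved
     * @param errorCode error code exposed to the view as {@code code}
     * @param args arguments for the message, may be {@code null}
     * @param request the current request, used for its locale
     * @param service the requesting service, may be {@code null}
     * @return the failure view with {@code code} and {@code description} set
     */
    private ModelAndView generateErrorView(String messageKey, String errorCode, Object[] args, HttpServletRequest request, WebApplicationService service) {
        final ModelAndView view = getModelAndView(false, service);
        final String description = this.context.getMessage(messageKey, args, messageKey, request.getLocale());
        // The message arguments can carry caller-supplied values (service id, pgtUrl,
        // ticket id), so both model values are HTML-escaped before rendering.
        view.addObject("code", StringEscapeUtils.escapeHtml4(errorCode));
        view.addObject("description", StringEscapeUtils.escapeHtml4(description));
        return view;
    }

    /**
     * Picks the view: the JSON view when the service asked for JSON, otherwise the
     * configured success or failure view.
     *
     * @param success whether the success view is wanted
     * @param service the requesting service, may be {@code null}
     * @return an empty {@link ModelAndView} for the chosen view name
     */
    private ModelAndView getModelAndView(boolean success, WebApplicationService service) {
        if (service == null || service.getFormat() != ValidationResponseType.JSON) {
            return new ModelAndView(success ? this.successView : this.failureView);
        }
        return new ModelAndView(DEFAULT_SERVICE_VIEW_NAME_JSON);
    }

    /**
     * Builds the success view.
     *
     * @param assertion the validated assertion
     * @param proxyIou value returned by the proxy handler, may be {@code null}
     * @param service the requesting service
     * @param proxyGrantingTicket the proxy-granting ticket, may be {@code null}
     * @return the populated success view
     */
    private ModelAndView generateSuccessView(Assertion assertion, String proxyIou, WebApplicationService service, TicketGrantingTicket proxyGrantingTicket) {
        final ModelAndView view = getModelAndView(true, service);
        view.addObject("assertion", assertion);
        view.addObject("service", service);
        view.addObject("pgtIou", proxyIou);
        if (proxyGrantingTicket != null) {
            // The ticket id is placed in the model; whether it is rendered to the client
            // depends on the view, which is not part of this class.
            view.addObject("proxyGrantingTicket", proxyGrantingTicket.getId());
        }
        final Map<String, ?> extraModelObjects = augmentSuccessViewModelObjects(assertion);
        if (extraModelObjects != null) {
            view.addAllObjects(extraModelObjects);
        }
        return view;
    }

    /**
     * Supplies extra model objects for the success view. Returns an empty map by default.
     *
     * @param assertion the validated assertion
     * @return additional model objects; {@code null} is tolerated by the caller
     */
    protected Map<String, ?> augmentSuccessViewModelObjects(Assertion assertion) {
        return Collections.emptyMap();
    }

    /**
     * Creates a new instance of the configured validation specification class.
     *
     * @return the new specification
     * @throws RuntimeException wrapping any instantiation or cast failure
     */
    private ValidationSpecification getCommandClass() {
        try {
            return (ValidationSpecification) this.validationSpecificationClass.newInstance();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Reports whether this controller handles the request; always {@code true} here.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @return {@code true}
     */
    public boolean canHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return true;
    }

    /** @param centralAuthenticationService the service used to fetch, create and validate tickets */
    public final void setCentralAuthenticationService(CentralAuthenticationService centralAuthenticationService) {
        this.centralAuthenticationService = centralAuthenticationService;
    }

    /** @param argumentExtractor the extractor used to read the service from the request */
    public final void setArgumentExtractor(ArgumentExtractor argumentExtractor) {
        this.argumentExtractor = argumentExtractor;
    }

    /** @param cls the class instantiated per request as the validation specification */
    public void setValidationSpecificationClass(Class<?> cls) {
        this.validationSpecificationClass = cls;
    }

    /** @param str the view name used for failures */
    public void setFailureView(String str) {
        this.failureView = str;
    }

    /** @param str the view name used for successes */
    public void setSuccessView(String str) {
        this.successView = str;
    }

    /** @param proxyHandler the handler that delivers the proxy-granting ticket to the callback */
    public void setProxyHandler(ProxyHandler proxyHandler) {
        this.proxyHandler = proxyHandler;
    }

    /** @param servicesManager the registry used to look up the requesting service */
    public final void setServicesManager(ServicesManager servicesManager) {
        this.servicesManager = servicesManager;
    }

    /**
     * Rejects a service that is missing from the registry or whose access strategy does
     * not allow access.
     *
     * @param registeredService the registry entry, or {@code null} if none was found
     * @param service the requesting service
     * @throws UnauthorizedServiceException if the service is not registered or not allowed
     */
    private void verifyRegisteredServiceProperties(RegisteredService registeredService, Service service) {
        if (registeredService == null) {
            // The service id comes from the request and is written to the log as-is.
            final String notFound = String.format("ServiceManagement: Unauthorized Service Access. Service [%s] is not found in service registry.", service.getId());
            this.logger.warn(notFound);
            throw new UnauthorizedServiceException("screen.service.error.message", notFound);
        }
        if (registeredService.getAccessStrategy().isServiceAccessAllowed()) {
            return;
        }
        final String notEnabled = String.format("ServiceManagement: Unauthorized Service Access. Service [%s] is not enabled in service registry.", service.getId());
        this.logger.warn(notEnabled);
        throw new UnauthorizedServiceException("screen.service.error.message", notEnabled);
    }

    /** @param authenticationSystemSupport the support object used to authenticate the callback credential */
    public void setAuthenticationSystemSupport(AuthenticationSystemSupport authenticationSystemSupport) {
        this.authenticationSystemSupport = authenticationSystemSupport;
    }

    /** @param applicationContext the context used to resolve error messages */
    public void setApplicationContext(ApplicationContext applicationContext) {
        this.context = applicationContext;
    }
}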
