package org.apereo.cas.web;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.net.URI;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.apereo.cas.CasProtocolConstants;
import org.apereo.cas.CasViewConstants;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.PrincipalException;
import org.apereo.cas.authentication.credential.HttpBasedServiceCredential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.CasModelRegisteredService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.UnauthorizedProxyingException;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.AbstractTicketValidationException;
import org.apereo.cas.ticket.InvalidTicketException;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.UnsatisfiedAuthenticationContextTicketValidationException;
import org.apereo.cas.ticket.proxy.ProxyGrantingTicket;
import org.apereo.cas.ticket.proxy.ProxyHandler;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.validation.Assertion;
import org.apereo.cas.validation.AuthenticationContextValidationResult;
import org.apereo.cas.validation.CasProtocolValidationSpecification;
import org.apereo.cas.validation.ServiceTicketValidationAuthorizer;
import org.apereo.cas.validation.UnauthorizedServiceTicketValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.servlet.ModelAndView;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-validation-core-7.0.0-RC8.jar:org/apereo/cas/web/AbstractServiceValidateController.class */
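/**
 * Base controller for the CAS protocol ticket-validation endpoints (serviceValidate,
 * proxyValidate, ...): it resolves the service and service ticket from the request, optionally
 * mints a proxy-granting ticket when a {@code pgtUrl} is supplied, validates the ticket against
 * the configured validation specifications and authorizers, and renders a success or error view.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code service}, {@code ticket}, {@code pgtUrl} and {@code renew} are all attacker-controlled
 *       request parameters; anything derived from them that reaches the response must go through
 *       {@link #generateErrorView} / {@link #generateSuccessView}.</li>
 *   <li>Every thrown validation exception is mapped to a protocol error code here; callers must
 *       not rely on exceptions escaping {@link #handleRequestInternal}.</li>
 * </ul>
 */
public abstract class AbstractServiceValidateController extends AbstractDelegateController {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractServiceValidateController.class);

    /** Collaborators: CAS, ticket registry, proxy handler, validation specs, view factory, properties. */
    private final ServiceValidateConfigurationContext serviceValidateConfigurationContext;

    /**
     * Rejects a request whose target service is unknown to the registry or disabled by its access strategy.
     *
     * @param registeredService registry entry resolved for {@code service}; {@code null} when not found
     * @param service           the service named in the request
     * @throws UnauthorizedServiceException when the service is unregistered or access is denied
     */
    private static void verifyRegisteredServiceProperties(RegisteredService registeredService, Service service) {
        if (registeredService == null) {
            String message = String.format("Service [%s] is not found in service registry.", service.getId());
            LOGGER.warn(message);
            throw UnauthorizedServiceException.denied(message);
        }
        boolean accessAllowed = registeredService.getAccessStrategy().isServiceAccessAllowed(registeredService, service);
        if (!accessAllowed) {
            String message = String.format("ServiceManagement: Unauthorized Service Access. Service [%s] is not enabled in the CAS service registry.", service.getId());
            LOGGER.warn(message);
            throw UnauthorizedServiceException.denied(message);
        }
    }

    /**
     * Creates a proxy-granting ticket for the service that owns service ticket {@code str},
     * authenticating the supplied proxy-callback credential first.
     *
     * <p>The service ticket is looked up directly in the registry here, i.e. before
     * {@link #validateServiceTicket} has run; what the registry does for an unknown or expired
     * ticket id (null vs. exception) is not visible from this class.
     *
     * @param str        the service ticket id from the request
     * @param credential the proxy callback credential built from {@code pgtUrl}
     * @return the newly created proxy-granting ticket
     * @throws Throwable any authentication or ticket failure raised by the CAS layer
     */
    public ProxyGrantingTicket handleProxyGrantingTicketDelivery(String str, Credential credential) throws Throwable {
        ServiceTicket serviceTicket = (ServiceTicket) this.serviceValidateConfigurationContext.getTicketRegistry().getTicket(str, ServiceTicket.class);
        ProxyGrantingTicket proxyGrantingTicket = this.serviceValidateConfigurationContext.getCentralAuthenticationService().createProxyGrantingTicket(str,
            this.serviceValidateConfigurationContext.getAuthenticationSystemSupport().finalizeAuthenticationTransaction(serviceTicket.getService(), credential));
        LOGGER.debug("Generated proxy-granting ticket [{}] off of service ticket [{}] and credential [{}]", proxyGrantingTicket.getId(), str, credential);
        return proxyGrantingTicket;
    }

    /**
     * Entry point: extracts the service and ticket, runs validation and maps every failure to a
     * CAS protocol error view so that no exception escapes to the servlet container.
     *
     * @param httpServletRequest  the validation request
     * @param httpServletResponse the response
     * @return a success or error {@link ModelAndView}
     * @throws Exception never in practice; all {@link Throwable}s are caught and mapped below
     */
    @Override
    public ModelAndView handleRequestInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        WebApplicationService service = this.serviceValidateConfigurationContext.getArgumentExtractor().extractService(httpServletRequest);
        String serviceTicketId = Optional.ofNullable(service).map(WebApplicationService::getArtifactId).orElse(null);
        if (service == null || StringUtils.isBlank(serviceTicketId)) {
            LOGGER.warn("Could not identify service and/or service ticket for service: [{}]", service);
            return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_REQUEST, "", httpServletRequest, service);
        }
        try {
            prepareForTicketValidation(httpServletRequest, service, serviceTicketId);
            return handleTicketValidation(httpServletRequest, httpServletResponse, service, serviceTicketId);
        } catch (PrincipalException | UnauthorizedServiceException e) {
            // Deliberately no description: the reason was already logged where it was raised.
            return generateErrorView(CasProtocolConstants.ERROR_CODE_UNAUTHORIZED_SERVICE, null, httpServletRequest, service);
        } catch (UnauthorizedProxyingException e) {
            String description = getTicketValidationErrorDescription("UNAUTHORIZED_SERVICE_PROXY", new Object[]{service.getId()}, httpServletRequest);
            return generateErrorView("UNAUTHORIZED_SERVICE_PROXY", description, httpServletRequest, service);
        } catch (AbstractTicketValidationException e) {
            String code = e.getCode();
            String description = getTicketValidationErrorDescription(code, new Object[]{serviceTicketId, e.getService().getId(), service.getId()}, httpServletRequest);
            return generateErrorView(code, description, httpServletRequest, service);
        } catch (AbstractTicketException e) {
            String code = e.getCode();
            String description = getTicketValidationErrorDescription(code, new Object[]{serviceTicketId}, httpServletRequest);
            return generateErrorView(code, description, httpServletRequest, service);
        } catch (Throwable th) {
            // Boundary catch-all: log server-side, return a generic error so internals are not leaked to the client.
            LoggingUtils.warn(LOGGER, th);
            return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_REQUEST, "", httpServletRequest, service);
        }
    }

    /** This controller accepts every request routed to it; subclasses narrow this if needed. */
    @Override
    public boolean canHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return true;
    }

    /**
     * Registers an additional validation specification that every assertion must satisfy.
     *
     * @param casProtocolValidationSpecification the specification to add
     */
    public void addValidationSpecification(CasProtocolValidationSpecification casProtocolValidationSpecification) {
        this.serviceValidateConfigurationContext.getValidationSpecifications().add(casProtocolValidationSpecification);
    }

    /**
     * Builds the proxy-callback credential from the {@code pgtUrl} request parameter, if present.
     *
     * <p>{@code pgtUrl} is attacker-controlled. This method only checks that the requesting service
     * is registered and enabled and that the value parses as a URI/URL; it does not restrict the
     * scheme or host. Any HTTPS-only or callback-host policy is presumably enforced by the
     * {@link ProxyHandler} or the service's proxy policy elsewhere (not visible here) - verify.
     *
     * <p>NOTE(review): the catch below also swallows the {@link UnauthorizedServiceException} from
     * the registry check and a malformed URL, so validation then continues <em>without</em> a PGT
     * instead of failing; confirm that {@link #validateServiceTicket} re-checks service authorization.
     *
     * @param webApplicationService the service named in the request
     * @param httpServletRequest    the validation request
     * @return the credential, or {@code null} when no usable {@code pgtUrl} was supplied
     */
    protected Credential getServiceCredentialsFromRequest(WebApplicationService webApplicationService, HttpServletRequest httpServletRequest) {
        String pgtUrl = httpServletRequest.getParameter("pgtUrl");
        if (StringUtils.isBlank(pgtUrl)) {
            return null;
        }
        try {
            CasModelRegisteredService registeredService = (CasModelRegisteredService) this.serviceValidateConfigurationContext.getServicesManager().findServiceBy(webApplicationService, CasModelRegisteredService.class);
            verifyRegisteredServiceProperties(registeredService, webApplicationService);
            return new HttpBasedServiceCredential(new URI(pgtUrl).toURL(), registeredService);
        } catch (Exception e) {
            LOGGER.error("Error constructing [{}]", "pgtUrl");
            LoggingUtils.error(LOGGER, e);
            return null;
        }
    }

    /**
     * Configures the binder that copies request parameters onto a validation specification.
     * When renew-authn is enabled the {@code renew} parameter becomes mandatory.
     *
     * @param httpServletRequest       the validation request
     * @param servletRequestDataBinder binder targeting the current validation specification
     */
    protected void initBinder(HttpServletRequest httpServletRequest, ServletRequestDataBinder servletRequestDataBinder) {
        if (this.serviceValidateConfigurationContext.getCasProperties().getSso().isRenewAuthnEnabled()) {
            servletRequestDataBinder.setRequiredFields("renew");
        }
    }

    /**
     * Hook invoked before ticket validation starts; no-op by default.
     *
     * @param httpServletRequest    the validation request
     * @param webApplicationService the resolved service
     * @param str                   the service ticket id
     */
    public void prepareForTicketValidation(HttpServletRequest httpServletRequest, WebApplicationService webApplicationService, String str) {
    }

    /**
     * Core validation flow: (1) if a {@code pgtUrl} credential is present, mint a PGT; (2) validate
     * the service ticket; (3) check the validation specifications and authorizers; (4) check the
     * requested authentication context; (5) deliver the PGT IOU via proxy callback unless the
     * service may receive the PGT directly; (6) render the success view.
     *
     * <p>NOTE(review): the PGT is created in step (1), before steps (2)-(4) can reject the request.
     * Nothing in this method revokes it on a later failure; confirm the CAS layer does.
     *
     * @param httpServletRequest    the validation request
     * @param httpServletResponse   the response
     * @param webApplicationService the resolved service
     * @param str                   the service ticket id
     * @return success view, or an error view for proxy-callback failures and spec violations
     * @throws Throwable validation failures that the caller maps to protocol error codes
     */
    protected ModelAndView handleTicketValidation(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebApplicationService webApplicationService, String str) throws Throwable {
        ProxyGrantingTicket proxyGrantingTicket = null;
        Credential serviceCredential = getServiceCredentialsFromRequest(webApplicationService, httpServletRequest);
        if (serviceCredential != null) {
            try {
                proxyGrantingTicket = handleProxyGrantingTicketDelivery(str, serviceCredential);
            } catch (AuthenticationException e) {
                LOGGER.warn("Failed to authenticate service credential [{}]", serviceCredential);
                String description = getTicketValidationErrorDescription(CasProtocolConstants.ERROR_CODE_INVALID_PROXY_CALLBACK, new Object[]{serviceCredential.getId()}, httpServletRequest);
                return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_PROXY_CALLBACK, description, httpServletRequest, webApplicationService);
            } catch (InvalidTicketException e) {
                LOGGER.error("Failed to create proxy granting ticket due to an invalid ticket for [{}]", serviceCredential);
                LoggingUtils.error(LOGGER, e);
                String description = getTicketValidationErrorDescription(e.getCode(), new Object[]{str}, httpServletRequest);
                return generateErrorView(e.getCode(), description, httpServletRequest, webApplicationService);
            } catch (AbstractTicketException e) {
                LOGGER.error("Failed to create proxy granting ticket for [{}]", serviceCredential);
                LoggingUtils.error(LOGGER, e);
                String description = getTicketValidationErrorDescription(e.getCode(), new Object[]{serviceCredential.getId()}, httpServletRequest);
                return generateErrorView(e.getCode(), description, httpServletRequest, webApplicationService);
            }
        }

        Assertion assertion = validateServiceTicket(webApplicationService, str);
        if (!validateAssertion(httpServletRequest, str, assertion, webApplicationService)) {
            String description = getTicketValidationErrorDescription(CasProtocolConstants.ERROR_CODE_INVALID_TICKET, new Object[]{str}, httpServletRequest);
            return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_TICKET, description, httpServletRequest, webApplicationService);
        }

        AuthenticationContextValidationResult contextResult = this.serviceValidateConfigurationContext.getRequestedContextValidator().validateAuthenticationContext(assertion, httpServletRequest, httpServletResponse);
        if (!contextResult.isSuccess()) {
            throw new UnsatisfiedAuthenticationContextTicketValidationException(assertion.getService());
        }

        String proxyIou = "";
        ProxyHandler proxyHandler = this.serviceValidateConfigurationContext.getProxyHandler();
        boolean proxyRequested = serviceCredential != null && proxyHandler != null && proxyHandler.canHandle(serviceCredential);
        if (!proxyRequested) {
            LOGGER.debug("No service credentials specified, and/or the proxy handler [{}] cannot handle credentials", proxyHandler);
        } else {
            CasModelRegisteredService registeredService = ((HttpBasedServiceCredential) serviceCredential).getService();
            if (registeredService.getAttributeReleasePolicy().isAuthorizedToReleaseProxyGrantingTicket()) {
                // The PGT itself is placed in the success view (see generateSuccessView); no callback is made.
                LOGGER.debug("Service [{}] is authorized to release the PGT directly, skip the proxy callback", registeredService);
            } else {
                LOGGER.debug("Service [{}] is not authorized to release the PGT directly, make a proxy callback", registeredService);
                proxyIou = handleProxyIouDelivery(serviceCredential, proxyGrantingTicket);
                if (StringUtils.isEmpty(proxyIou)) {
                    // An empty IOU means the callback to pgtUrl did not succeed; per protocol this is a hard failure.
                    String description = getTicketValidationErrorDescription(CasProtocolConstants.ERROR_CODE_INVALID_PROXY_CALLBACK, new Object[]{serviceCredential.getId()}, httpServletRequest);
                    return generateErrorView(CasProtocolConstants.ERROR_CODE_INVALID_PROXY_CALLBACK, description, httpServletRequest, webApplicationService);
                }
            }
        }

        onSuccessfulValidation(str, assertion);
        LOGGER.debug("Successfully validated service ticket [{}] for service [{}]", str, webApplicationService.getId());
        return generateSuccessView(assertion, proxyIou, webApplicationService, httpServletRequest, contextResult.getContextId(), proxyGrantingTicket);
    }

    /**
     * Validates (and, per CAS semantics, consumes) the service ticket for the given service.
     *
     * @param webApplicationService the service presenting the ticket
     * @param str                   the service ticket id
     * @return the resulting assertion
     * @throws Throwable when the ticket is invalid, expired, or issued to another service
     */
    protected Assertion validateServiceTicket(WebApplicationService webApplicationService, String str) throws Throwable {
        return this.serviceValidateConfigurationContext.getCentralAuthenticationService().validateServiceTicket(str, webApplicationService);
    }

    /**
     * Hook invoked after a fully successful validation; no-op by default.
     *
     * @param str       the service ticket id
     * @param assertion the validated assertion
     */
    protected void onSuccessfulValidation(String str, Assertion assertion) {
    }

    /**
     * Runs every configured {@link ServiceTicketValidationAuthorizer}; the first one that throws
     * denies the validation.
     *
     * @param httpServletRequest the validation request
     * @param service            the service presenting the ticket
     * @param assertion          the validated assertion
     * @throws UnauthorizedServiceTicketValidationException when any authorizer rejects the request
     */
    protected void enforceTicketValidationAuthorizationFor(HttpServletRequest httpServletRequest, Service service, Assertion assertion) {
        for (ServiceTicketValidationAuthorizer authorizer : this.serviceValidateConfigurationContext.getValidationAuthorizers().getAuthorizers()) {
            try {
                authorizer.authorize(httpServletRequest, service, assertion);
            } catch (Exception e) {
                // The rethrown exception only carries the service, so record the actual reason
                // server-side; otherwise the denial is invisible to operators.
                LOGGER.warn("Validation of service ticket for service [{}] was denied by authorizer [{}]", service.getId(), authorizer.getClass().getSimpleName());
                LoggingUtils.warn(LOGGER, e);
                throw new UnauthorizedServiceTicketValidationException(service);
            }
        }
    }

    /**
     * Extension point for subclasses to add model attributes to the success view.
     *
     * @param assertion the validated assertion
     * @return additional model entries; empty by default
     */
    protected Map<String, ?> augmentSuccessViewModelObjects(Assertion assertion) {
        return new HashMap<>(0);
    }

    /**
     * Performs the proxy callback and returns the PGT IOU handed to the service.
     *
     * @param credential           the proxy callback credential (carries {@code pgtUrl})
     * @param ticketGrantingTicket the PGT to deliver
     * @return the IOU, or an empty/blank value when the callback failed
     * @throws Throwable failures raised by the proxy handler
     */
    private String handleProxyIouDelivery(Credential credential, TicketGrantingTicket ticketGrantingTicket) throws Throwable {
        return this.serviceValidateConfigurationContext.getProxyHandler().handle(credential, ticketGrantingTicket);
    }

    /**
     * Checks the assertion against every validation specification, then against the authorizers.
     *
     * <p>NOTE(review): request parameters are bound onto each specification with a
     * {@link ServletRequestDataBinder} that declares no allowed fields, so any request parameter
     * with a matching setter on the specification is written. The specs are expected to expose only
     * {@code renew}; verify that assumption when adding specification properties.
     *
     * @param httpServletRequest the validation request
     * @param str                the service ticket id (for logging)
     * @param assertion          the assertion to check
     * @param service            the service presenting the ticket
     * @return {@code true} when every specification is satisfied
     * @throws UnauthorizedServiceTicketValidationException when an authorizer rejects the request
     */
    private boolean validateAssertion(HttpServletRequest httpServletRequest, String str, Assertion assertion, Service service) {
        for (CasProtocolValidationSpecification specification : this.serviceValidateConfigurationContext.getValidationSpecifications()) {
            specification.reset();
            ServletRequestDataBinder binder = new ServletRequestDataBinder(specification, "validationSpecification");
            initBinder(httpServletRequest, binder);
            binder.bind(httpServletRequest);
            if (!specification.isSatisfiedBy(assertion, httpServletRequest)) {
                LOGGER.warn("Service ticket [{}] does not satisfy validation specification.", str);
                return false;
            }
        }
        enforceTicketValidationAuthorizationFor(httpServletRequest, service, assertion);
        return true;
    }

    /**
     * Builds the failure view. {@code code} and {@code description} are reflected into the response
     * body and may embed request-derived values (service id, ticket id, pgtUrl), so both are
     * HTML-escaped before being exposed to the view.
     *
     * @param code                  the CAS protocol error code
     * @param description           human-readable detail, may be {@code null}
     * @param httpServletRequest    the validation request
     * @param webApplicationService the resolved service, may be {@code null}
     * @return the error view
     */
    private ModelAndView generateErrorView(String code, String description, HttpServletRequest httpServletRequest, WebApplicationService webApplicationService) {
        ModelAndView modelAndView = this.serviceValidateConfigurationContext.getValidationViewFactory().getModelAndView(httpServletRequest, false, webApplicationService, getClass());
        modelAndView.addObject("code", StringEscapeUtils.escapeHtml4(code));
        modelAndView.addObject("description", StringEscapeUtils.escapeHtml4(description));
        return modelAndView;
    }

    /**
     * Resolves a localized error description; falls back to the code itself when no message exists.
     *
     * @param code               the error code, also used as the message key and default
     * @param args               message arguments
     * @param httpServletRequest source of the locale
     * @return the resolved description
     */
    private String getTicketValidationErrorDescription(String code, Object[] args, HttpServletRequest httpServletRequest) {
        return this.applicationContext.getMessage(code, args, code, httpServletRequest.getLocale());
    }

    /**
     * Builds the success view with the assertion, the service, the PGT IOU (if a callback was made),
     * the PGT id (only when the service is allowed to receive it directly) and the satisfied
     * authentication-context id under each configured context attribute name.
     *
     * @param assertion             the validated assertion
     * @param proxyIou              the PGT IOU, blank when none
     * @param webApplicationService the service presenting the ticket
     * @param httpServletRequest    the validation request
     * @param contextId             the satisfied authentication-context id, if any
     * @param ticketGrantingTicket  the PGT to expose directly, or {@code null}
     * @return the success view
     */
    private ModelAndView generateSuccessView(Assertion assertion, String proxyIou, WebApplicationService webApplicationService, HttpServletRequest httpServletRequest, Optional<String> contextId, TicketGrantingTicket ticketGrantingTicket) {
        ModelAndView modelAndView = this.serviceValidateConfigurationContext.getValidationViewFactory().getModelAndView(httpServletRequest, true, webApplicationService, getClass());
        modelAndView.addObject(CasViewConstants.MODEL_ATTRIBUTE_NAME_ASSERTION, assertion);
        modelAndView.addObject("service", webApplicationService);
        if (StringUtils.isNotBlank(proxyIou)) {
            modelAndView.addObject("pgtIou", proxyIou);
        }
        if (ticketGrantingTicket != null) {
            modelAndView.addObject("proxyGrantingTicket", ticketGrantingTicket.getId());
        }
        // Fix: the decompiled original reused one lambda parameter name for both the context id and
        // the attribute name (addObject(str2, str2)), which does not compile and would have stored
        // the attribute name as its own value. Store the context id under each attribute name.
        contextId.ifPresent(satisfiedContextId ->
            org.springframework.util.StringUtils.commaDelimitedListToSet(
                this.serviceValidateConfigurationContext.getCasProperties().getAuthn().getMfa().getCore().getAuthenticationContextAttribute())
                .forEach(attributeName -> modelAndView.addObject(attributeName, satisfiedContextId)));
        modelAndView.addAllObjects(augmentSuccessViewModelObjects(assertion));
        return modelAndView;
    }

    @Generated
    public ServiceValidateConfigurationContext getServiceValidateConfigurationContext() {
        return this.serviceValidateConfigurationContext;
    }

    @Generated
    public AbstractServiceValidateController(ServiceValidateConfigurationContext serviceValidateConfigurationContext) {
        this.serviceValidateConfigurationContext = serviceValidateConfigurationContext;
    }
}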
