package net.shibboleth.idp.cas.flow.impl;

import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import javax.annotation.Nonnull;
import net.shibboleth.idp.cas.config.impl.ConfigLookupFunction;
import net.shibboleth.idp.cas.config.impl.ProxyConfiguration;
import net.shibboleth.idp.cas.protocol.ProtocolError;
import net.shibboleth.idp.cas.protocol.ProxyTicketRequest;
import net.shibboleth.idp.cas.protocol.ProxyTicketResponse;
import net.shibboleth.idp.cas.ticket.ProxyGrantingTicket;
import net.shibboleth.idp.cas.ticket.ProxyTicket;
import net.shibboleth.idp.cas.ticket.TicketServiceEx;
import net.shibboleth.idp.session.IdPSession;
import net.shibboleth.idp.session.SessionException;
import net.shibboleth.idp.session.SessionResolver;
import net.shibboleth.idp.session.criterion.SessionIdCriterion;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.joda.time.DateTime;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:net/shibboleth/idp/cas/flow/impl/GrantProxyTicketAction.class */
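/**
 * Webflow action that issues a CAS proxy ticket from a proxy-granting ticket (PGT).
 *
 * <p>The PGT and the proxy ticket request are read from the profile request context through
 * {@code getCASTicket} and {@code getCASRequest}, which are not defined in this class. On success
 * the new ticket ID is stored as a {@link ProxyTicketResponse} via {@code setCASResponse}.</p>
 *
 * <p>Security note: the IdP session check is off by default (the predicate defaults to
 * {@link Predicates#alwaysFalse()}). In that configuration a PGT remains usable until its own
 * expiration instant, and this action never looks at the session that the PGT references.
 * Deployments that want proxy tickets to stop once that session is gone or timed out must
 * install a predicate through {@link #setValidateIdPSessionPredicate(Predicate)}.</p>
 */
public class GrantProxyTicketAction extends AbstractCASProtocolAction<ProxyTicketRequest, ProxyTicketResponse> {

    /** Ticket service used to create the proxy ticket. */
    @Nonnull
    private final TicketServiceEx casTicketService;

    /** Resolver used to look up the IdP session named by the proxy-granting ticket. */
    @Nonnull
    private final SessionResolver sessionResolver;

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(GrantProxyTicketAction.class);

    /** Looks up the proxy configuration that applies to the current request. */
    private final ConfigLookupFunction<ProxyConfiguration> configLookupFunction = new ConfigLookupFunction<>(ProxyConfiguration.class);

    /** Decides per request whether the IdP session must be validated; never validates by default. */
    private Predicate<ProfileRequestContext> validateIdPSessionPredicate = Predicates.alwaysFalse();

    /**
     * Creates the action.
     *
     * @param ticketServiceEx ticket service used to create proxy tickets; must not be null
     * @param sessionResolver resolver for IdP sessions; must not be null
     */
    public GrantProxyTicketAction(@Nonnull TicketServiceEx ticketServiceEx, @Nonnull SessionResolver sessionResolver) {
        this.casTicketService = Constraint.isNotNull(ticketServiceEx, "TicketService cannot be null");
        this.sessionResolver = Constraint.isNotNull(sessionResolver, "SessionResolver cannot be null");
    }

    /**
     * Sets the predicate that decides whether the IdP session referenced by the proxy-granting
     * ticket is validated before a proxy ticket is granted.
     *
     * @param predicate session validation condition; must not be null
     */
    public void setValidateIdPSessionPredicate(@Nonnull Predicate<ProfileRequestContext> predicate) {
        // Reject null at configuration time, as the constructor does for its arguments. Without this
        // a null predicate only surfaces as a NullPointerException while a request is processed.
        this.validateIdPSessionPredicate = Constraint.isNotNull(predicate, "Session validation predicate cannot be null");
    }

    /**
     * Validates the proxy-granting ticket, the proxy configuration and (optionally) the IdP
     * session, then creates the proxy ticket and stores the response.
     *
     * @param requestContext Spring Web Flow request context (not read by this method)
     * @param profileRequestContext profile request context holding the CAS request and ticket
     * @return a {@link ProtocolError} event on failure, or {@code null} when the ticket was granted
     */
    // NOTE(review): the method is annotated @Nonnull but returns null on success; presumably the
    // base class treats null as "proceed" - confirm against AbstractCASProtocolAction.
    @Nonnull
    protected Event doExecute(@Nonnull RequestContext requestContext, @Nonnull ProfileRequestContext profileRequestContext) {
        final ProxyGrantingTicket pgt = getCASTicket(profileRequestContext);
        if (pgt == null || pgt.getExpirationInstant().isBeforeNow()) {
            return ProtocolError.TicketExpired.event(this);
        }

        final ProxyConfiguration config = this.configLookupFunction.apply(profileRequestContext);
        if (config == null) {
            this.log.warn("Proxy ticket configuration undefined");
            return ProtocolError.IllegalState.event(this);
        }
        if (config.getSecurityConfiguration() == null || config.getSecurityConfiguration().getIdGenerator() == null) {
            this.log.warn("Invalid proxy ticket configuration: SecurityConfiguration#idGenerator undefined");
            return ProtocolError.IllegalState.event(this);
        }

        if (this.validateIdPSessionPredicate.apply(profileRequestContext)) {
            // NOTE(review): the session ID is written to the log at DEBUG and INFO below. If this
            // identifier is also what the client presents to resume the session, these log lines
            // should be treated as sensitive - confirm.
            IdPSession session = null;
            try {
                this.log.debug("Attempting to retrieve session {}", pgt.getSessionId());
                session = this.sessionResolver.resolveSingle(new CriteriaSet(new SessionIdCriterion(pgt.getSessionId())));
            } catch (ResolverException e) {
                // NOTE(review): the exception is the only argument; depending on the logging
                // backend it either fills the placeholder or is logged as the throwable with the
                // placeholder left unfilled.
                this.log.warn("IdPSession resolution error: {}", e);
            }

            // Fail closed: the session counts as expired unless the timeout check positively
            // succeeds. A resolver error, a missing session and a failed timeout check all end
            // in SessionExpired.
            boolean expired = true;
            if (session == null) {
                this.log.info("IdPSession {} not found", pgt.getSessionId());
            } else {
                try {
                    expired = !session.checkTimeout();
                    this.log.debug("Session {} expired={}", pgt.getSessionId(), expired);
                } catch (SessionException e) {
                    this.log.warn("Error performing session timeout check: {}. Assuming session has expired.", e);
                }
            }
            if (expired) {
                return ProtocolError.SessionExpired.event(this);
            }
        }

        final ProxyTicketRequest request = getCASRequest(profileRequestContext);
        try {
            this.log.debug("Granting proxy ticket for {}", request.getTargetService());
            final ProxyTicket proxyTicket = this.casTicketService.createProxyTicket(
                    config.getSecurityConfiguration().getIdGenerator().generateIdentifier(),
                    DateTime.now().plus(config.getTicketValidityPeriod()).toInstant(),
                    pgt,
                    request.getTargetService());
            this.log.info("Granted proxy ticket for {}", request.getTargetService());
            setCASResponse(profileRequestContext, new ProxyTicketResponse(proxyTicket.getId()));
            return null;
        } catch (RuntimeException e) {
            // Any runtime failure during ID generation or ticket creation is reported to the
            // caller as a protocol error instead of propagating out of the flow.
            this.log.error("Failed granting proxy ticket due to error.", e);
            return ProtocolError.TicketCreationError.event(this);
        }
    }
}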
