package net.shibboleth.idp.cas.flow.impl;

import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.attribute.context.AttributeContext;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.authn.context.navigate.SubjectContextPrincipalLookupFunction;
import net.shibboleth.idp.cas.config.ConfigLookupFunction;
import net.shibboleth.idp.cas.config.LoginConfiguration;
import net.shibboleth.idp.cas.protocol.ProtocolError;
import net.shibboleth.idp.cas.protocol.ServiceTicketRequest;
import net.shibboleth.idp.cas.protocol.ServiceTicketResponse;
import net.shibboleth.idp.cas.ticket.TicketService;
import net.shibboleth.idp.cas.ticket.TicketState;
import net.shibboleth.idp.profile.config.SecurityConfiguration;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.session.IdPSession;
import net.shibboleth.idp.session.context.SessionContext;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventException;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/cas/flow/impl/GrantServiceTicketAction.class */
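/**
 * Profile action that creates a CAS service ticket for the service named in the current
 * {@link ServiceTicketRequest} and publishes it as a {@link ServiceTicketResponse}.
 *
 * <p>{@link #doPreExecute(ProfileRequestContext)} resolves everything the grant depends on (login and
 * security configuration, the CAS request, the IdP session, an authentication result and, optionally,
 * the consented attributes) and keeps it in instance fields that
 * {@link #doExecute(ProfileRequestContext)} then reads.</p>
 *
 * <p>Those per-request values live in unsynchronized instance fields, so a single instance is not safe
 * for concurrent use by several requests. The consent-related fields are cleared at the start of every
 * pre-execute pass so that a reused instance cannot copy one request's consented attribute IDs into a
 * ticket issued for a later request.</p>
 */
public class GrantServiceTicketAction extends AbstractCASProtocolAction<ServiceTicketRequest, ServiceTicketResponse> {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(GrantServiceTicketAction.class);

    /** Looks up the {@link LoginConfiguration} for the current request. */
    @Nonnull
    private final ConfigLookupFunction<LoginConfiguration> configLookupFunction = new ConfigLookupFunction<>(LoginConfiguration.class);

    /** Looks up the {@link SessionContext} directly beneath the profile request context. */
    @Nonnull
    private final Function<ProfileRequestContext, SessionContext> sessionContextFunction = new ChildContextLookup(SessionContext.class);

    /** Looks up the {@link AuthenticationContext} directly beneath the profile request context. */
    @Nonnull
    private final Function<ProfileRequestContext, AuthenticationContext> authnCtxLookupFunction = new ChildContextLookup(AuthenticationContext.class);

    /** Resolves the principal name from the {@link SubjectContext} child of the profile request context. */
    @Nonnull
    private final Function<ProfileRequestContext, String> principalLookupFunction = new SubjectContextPrincipalLookupFunction().compose(new ChildContextLookup(SubjectContext.class));

    /** Locates the {@link AttributeContext}; by default the one beneath the {@link RelyingPartyContext}. */
    @Nonnull
    private Function<ProfileRequestContext, AttributeContext> attributeContextLookupStrategy = new ChildContextLookup(AttributeContext.class).compose(new ChildContextLookup(RelyingPartyContext.class));

    /** Service through which service tickets are created. */
    @Nonnull
    private final TicketService casTicketService;

    /** Login configuration resolved for the current request. */
    @Nullable
    private LoginConfiguration loginConfig;

    /** Security configuration resolved for the current request; supplies the ticket ID generator. */
    @Nullable
    private SecurityConfiguration securityConfig;

    /** IdP session the ticket is bound to. */
    @Nullable
    private IdPSession session;

    /** Authentication result whose instant and flow ID are recorded in the ticket state. */
    @Nullable
    private AuthenticationResult authnResult;

    /** Whether the consented attribute IDs are written into the ticket state. */
    private boolean storeConsent;

    /** Attribute context whose attribute IDs are stored when {@link #storeConsent} is set. */
    @Nullable
    private AttributeContext attributeCtx;

    /** CAS request being processed. */
    @Nullable
    private ServiceTicketRequest request;

    /**
     * Creates the action.
     *
     * @param ticketService service used to create service tickets; must not be null
     */
    public GrantServiceTicketAction(@Nonnull TicketService ticketService) {
        this.casTicketService = Constraint.isNotNull(ticketService, "TicketService cannot be null");
    }

    /**
     * Replaces the strategy used to locate the {@link AttributeContext}.
     *
     * <p>Rejected once the component has been initialized.</p>
     *
     * @param function lookup strategy; must not be null
     */
    public void setAttributeContextLookupStrategy(@Nonnull Function<ProfileRequestContext, AttributeContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.attributeContextLookupStrategy = Constraint.isNotNull(function, "AttributeContext lookup strategy cannot be null");
    }

    /**
     * Resolves and validates the state needed to grant a ticket.
     *
     * <p>Signals {@code InvalidProfileConfiguration} when no login configuration is found,
     * {@code InvalidSecurityConfiguration} when it yields no security configuration,
     * {@code InvalidProfileContext} when there is no IdP session and {@code NoCredentials} when no
     * authentication result is available. An {@link EventException} raised while reading the CAS
     * request is turned into its own event ID.</p>
     *
     * @param profileRequestContext current profile request context
     * @return {@code true} if {@link #doExecute(ProfileRequestContext)} may proceed
     */
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        // These two fields are only assigned on some of the successful paths below; every other
        // per-request field is reassigned before this method can return true. Clearing them here
        // keeps a reused instance from carrying a previous request's consent decision and
        // attribute IDs into the ticket created for this request.
        this.storeConsent = false;
        this.attributeCtx = null;

        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.loginConfig = this.configLookupFunction.apply(profileRequestContext);
        if (this.loginConfig == null) {
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }
        this.securityConfig = this.loginConfig.getSecurityConfiguration(profileRequestContext);
        if (this.securityConfig == null) {
            ActionSupport.buildEvent(profileRequestContext, "InvalidSecurityConfiguration");
            return false;
        }
        try {
            this.request = getCASRequest(profileRequestContext);
            this.session = getIdPSession(profileRequestContext);
            if (this.session == null) {
                this.log.warn("{} No IdP session found", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
                return false;
            }
            // Prefer the result held by the authentication context of this request; when there is
            // no such context, fall back to the most recent result recorded in the session.
            AuthenticationContext authnCtx = this.authnCtxLookupFunction.apply(profileRequestContext);
            if (authnCtx != null) {
                this.authnResult = authnCtx.getAuthenticationResult();
            } else {
                this.authnResult = getLatestAuthenticationResult();
            }
            if (this.authnResult == null) {
                this.log.warn("{} No AuthenticationResult found", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "NoCredentials");
                return false;
            }
            // Consent is only considered when the attribute-release flow is among the configured
            // post-authentication flows and an attribute context is actually present.
            if (!this.loginConfig.getPostAuthenticationFlows(profileRequestContext).contains("attribute-release")) {
                return true;
            }
            this.attributeCtx = this.attributeContextLookupStrategy.apply(profileRequestContext);
            if (this.attributeCtx == null) {
                return true;
            }
            this.storeConsent = this.attributeCtx.isConsented() || this.loginConfig.isStoreConsentInTickets(profileRequestContext);
            if (!this.storeConsent) {
                return true;
            }
            // Only the attribute IDs (the key set) are logged, not the attribute values.
            this.log.debug("{} Storing consented attribute IDs into ticket: {}", getLogPrefix(), this.attributeCtx.getIdPAttributes().keySet());
            return true;
        } catch (EventException e) {
            ActionSupport.buildEvent(profileRequestContext, e.getEventID());
            return false;
        }
    }

    /**
     * Creates the service ticket and stores the CAS response.
     *
     * <p>The ticket state records the session ID, the principal name and the authentication instant
     * and flow ID; the consented attribute IDs are added when pre-execution decided to store them.
     * The ticket ID comes from the security configuration's identifier generator and the expiry is
     * the current instant plus the configured validity period. Any {@link RuntimeException},
     * including the {@link IllegalStateException} raised when no principal name can be resolved, is
     * logged and reported as {@link ProtocolError#TicketCreationError}.</p>
     *
     * @param profileRequestContext current profile request context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        try {
            this.log.debug("{} Granting service ticket for {}", getLogPrefix(), this.request.getService());
            TicketState ticketState = new TicketState(this.session.getId(), getPrincipalName(profileRequestContext), this.authnResult.getAuthenticationInstant(), this.authnResult.getAuthenticationFlowId());
            if (this.storeConsent) {
                ticketState.setConsentedAttributeIds(this.attributeCtx.getIdPAttributes().keySet());
            }
            ServiceTicketResponse serviceTicketResponse = new ServiceTicketResponse(this.request.getService(), this.casTicketService.createServiceTicket(this.securityConfig.getIdGenerator().generateIdentifier(), Instant.now().plus((TemporalAmount) this.loginConfig.getTicketValidityPeriod(profileRequestContext)), this.request.getService(), ticketState, this.request.isRenew()).getId());
            if (this.request.isSAML()) {
                serviceTicketResponse.setSaml(true);
            }
            try {
                setCASResponse(profileRequestContext, serviceTicketResponse);
                // Only the service is logged here, not the ticket ID.
                this.log.info("{} Granted service ticket for {}", getLogPrefix(), this.request.getService());
            } catch (EventException e) {
                ActionSupport.buildEvent(profileRequestContext, e.getEventID());
            }
        } catch (RuntimeException e2) {
            this.log.error("{} Failed granting service ticket due to error.", getLogPrefix(), e2);
            ActionSupport.buildEvent(profileRequestContext, ProtocolError.TicketCreationError.event(this));
        }
    }

    /**
     * Returns the IdP session held by the session context, if any.
     *
     * @param profileRequestContext current profile request context
     * @return the session, or {@code null} when there is no session context
     */
    @Nullable
    private IdPSession getIdPSession(ProfileRequestContext profileRequestContext) {
        SessionContext sessionCtx = this.sessionContextFunction.apply(profileRequestContext);
        if (sessionCtx != null) {
            return sessionCtx.getIdPSession();
        }
        return null;
    }

    /**
     * Resolves the principal name the ticket is issued for.
     *
     * @param profileRequestContext current profile request context
     * @return the principal name, never {@code null}
     * @throws IllegalStateException if the lookup yields no principal name
     */
    @Nonnull
    private String getPrincipalName(ProfileRequestContext profileRequestContext) {
        String principal = this.principalLookupFunction.apply(profileRequestContext);
        if (principal == null) {
            throw new IllegalStateException("Cannot determine IdP subject principal name.");
        }
        return principal;
    }

    /**
     * Picks the session's authentication result with the latest authentication instant.
     *
     * <p>The comparison is strict, so among results with the same instant the first one iterated
     * is kept.</p>
     *
     * @return the most recent result, or {@code null} when the session holds none
     */
    @Nullable
    private AuthenticationResult getLatestAuthenticationResult() {
        AuthenticationResult latest = null;
        for (AuthenticationResult candidate : this.session.getAuthenticationResults()) {
            if (latest == null || candidate.getAuthenticationInstant().isAfter(latest.getAuthenticationInstant())) {
                latest = candidate;
            }
        }
        return latest;
    }
}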
