package net.shibboleth.idp.cas.flow.impl;

import java.time.Instant;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.cas.config.ConfigLookupFunction;
import net.shibboleth.idp.cas.config.ValidateConfiguration;
import net.shibboleth.idp.cas.protocol.ProtocolError;
import net.shibboleth.idp.cas.protocol.TicketValidationRequest;
import net.shibboleth.idp.cas.protocol.TicketValidationResponse;
import net.shibboleth.idp.cas.ticket.ProxyTicket;
import net.shibboleth.idp.cas.ticket.Ticket;
import net.shibboleth.idp.cas.ticket.TicketService;
import net.shibboleth.idp.profile.IdPEventIds;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventException;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-cas-impl-4.3.2.jar:net/shibboleth/idp/cas/flow/impl/ValidateTicketAction.class */
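/**
 * CAS protocol action that validates the service ticket or proxy ticket named in a
 * {@link TicketValidationRequest}.
 *
 * <p>The ticket is removed from the {@link TicketService} <em>before</em> its expiration and
 * service are checked, so a validation attempt consumes the ticket whether or not the later
 * checks pass. A ticket that is not found and a ticket that has expired both produce
 * {@link ProtocolError#TicketExpired}, so the two cases are not distinguished in the event.
 *
 * <p>Events built by this action: {@link IdPEventIds#INVALID_PROFILE_CONFIG},
 * {@link ProtocolError#InvalidTicketFormat}, {@link ProtocolError#TicketExpired},
 * {@link ProtocolError#ServiceMismatch}, {@link ProtocolError#TicketRetrievalError},
 * {@code Events.ServiceTicketValidated}, {@code Events.ProxyTicketValidated}, and any event ID
 * carried by an {@link EventException} raised while reading or writing the CAS message context.
 *
 * <p>NOTE(review): {@code validateConfig} and {@code request} are per-request values kept in
 * instance fields, so an instance presumably must not serve concurrent requests. Confirm against
 * the scope of the bean that declares this action.
 */
public class ValidateTicketAction extends AbstractCASProtocolAction<TicketValidationRequest, TicketValidationResponse> {

    /** Identifier prefix that routes a ticket to the service-ticket store lookup. */
    private static final String SERVICE_TICKET_PREFIX = "ST";

    /** Identifier prefix that routes a ticket to the proxy-ticket store lookup. */
    private static final String PROXY_TICKET_PREFIX = "PT";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateTicketAction.class);

    /** Looks up the {@link ValidateConfiguration} that applies to the current request. */
    @Nonnull
    private final ConfigLookupFunction<ValidateConfiguration> configLookupFunction = new ConfigLookupFunction<>(ValidateConfiguration.class);

    /** Ticket store from which presented tickets are removed. */
    @Nonnull
    private final TicketService casTicketService;

    /** Profile configuration resolved in {@link #doPreExecute}; null until then. */
    @Nullable
    private ValidateConfiguration validateConfig;

    /** CAS request resolved in {@link #doPreExecute}; null until then. */
    @Nullable
    private TicketValidationRequest request;

    /**
     * Creates the action.
     *
     * @param ticketService ticket store used to look up and remove tickets; must not be null
     */
    public ValidateTicketAction(@Nonnull TicketService ticketService) {
        this.casTicketService = Constraint.isNotNull(ticketService, "TicketService cannot be null");
    }

    /**
     * Resolves the profile configuration and the CAS request needed by {@link #doExecute}.
     *
     * <p>The decompiler reports that this method was declared {@code protected} in the original
     * class; the modifier shown here is kept as found.
     *
     * @param profileRequestContext current profile request context
     * @return {@code true} if execution should proceed; {@code false} if the superclass declined,
     *         no {@link ValidateConfiguration} was found ({@link IdPEventIds#INVALID_PROFILE_CONFIG}
     *         is built), or the CAS request could not be obtained (the exception's event is built)
     */
    @Override
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.validateConfig = this.configLookupFunction.apply(profileRequestContext);
        if (this.validateConfig == null) {
            ActionSupport.buildEvent(profileRequestContext, IdPEventIds.INVALID_PROFILE_CONFIG);
            return false;
        }
        try {
            this.request = getCASRequest(profileRequestContext);
            return true;
        } catch (EventException e) {
            ActionSupport.buildEvent(profileRequestContext, e.getEventID());
            return false;
        }
    }

    /**
     * Removes the presented ticket from the ticket store and checks it against the request.
     *
     * <p>Checks run in this order: ticket prefix, presence in the store, expiration, then service
     * match using the comparator from the profile configuration. On success the response and the
     * ticket are stored in the CAS message context and a "validated" event is built.
     *
     * @param profileRequestContext current profile request context
     */
    @Override
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        try {
            final String ticketId = this.request.getTicket();
            // NOTE(review): the ticket id and service value presumably come from the client request
            // and are logged verbatim below; confirm the log encoder neutralises line breaks.
            this.log.debug("{} Attempting to validate {}", getLogPrefix(), ticketId);

            // The prefix only selects which store operation to call; it is not proof of validity.
            final Ticket ticket;
            if (ticketId.startsWith(SERVICE_TICKET_PREFIX)) {
                ticket = this.casTicketService.removeServiceTicket(ticketId);
            } else if (ticketId.startsWith(PROXY_TICKET_PREFIX)) {
                ticket = this.casTicketService.removeProxyTicket(ticketId);
            } else {
                ActionSupport.buildEvent(profileRequestContext, ProtocolError.InvalidTicketFormat.event(this));
                return;
            }

            // An unknown ticket is reported exactly like an expired one.
            if (ticket == null) {
                ActionSupport.buildEvent(profileRequestContext, ProtocolError.TicketExpired.event(this));
                return;
            }
            this.log.debug("{} Found and removed {}/{} from ticket store", getLogPrefix(), ticket, ticket.getSessionId());

            // The ticket has already been removed, so an expired ticket cannot be presented again.
            if (Instant.now().isAfter(ticket.getExpirationInstant())) {
                ActionSupport.buildEvent(profileRequestContext, ProtocolError.TicketExpired.event(this));
                return;
            }

            // The ticket is only honoured for the service it was issued to.
            final boolean sameService = this.validateConfig.getServiceComparator(profileRequestContext)
                    .compare(ticket.getService(), this.request.getService()) == 0;
            if (!sameService) {
                this.log.debug("{} Service issued for {} does not match {}", getLogPrefix(), ticket.getService(), this.request.getService());
                ActionSupport.buildEvent(profileRequestContext, ProtocolError.ServiceMismatch.event(this));
                return;
            }

            try {
                setCASResponse(profileRequestContext, new TicketValidationResponse());
                setCASTicket(profileRequestContext, ticket);
                this.log.info("{} Successfully validated {} for {}", getLogPrefix(), ticketId, this.request.getService());
                if (ticket instanceof ProxyTicket) {
                    ActionSupport.buildEvent(profileRequestContext, Events.ProxyTicketValidated.event(this));
                } else {
                    ActionSupport.buildEvent(profileRequestContext, Events.ServiceTicketValidated.event(this));
                }
            } catch (EventException e) {
                ActionSupport.buildEvent(profileRequestContext, e.getEventID());
            }
        } catch (RuntimeException e) {
            // Any unchecked failure in the block above, not only a ticket store failure, is
            // reported as a retrieval error and logged at debug level only.
            this.log.debug("{} CAS ticket retrieval failed with error: {}", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, ProtocolError.TicketRetrievalError.event(this));
        }
    }
}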
