package net.shibboleth.idp.cas.flow.impl;

import java.net.URI;
import java.net.URISyntaxException;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import javax.annotation.Nonnull;
import net.shibboleth.idp.cas.config.ConfigLookupFunction;
import net.shibboleth.idp.cas.config.ValidateConfiguration;
import net.shibboleth.idp.cas.protocol.ProtocolError;
import net.shibboleth.idp.cas.protocol.ProtocolParam;
import net.shibboleth.idp.cas.protocol.TicketValidationRequest;
import net.shibboleth.idp.cas.protocol.TicketValidationResponse;
import net.shibboleth.idp.cas.proxy.ProxyIdentifiers;
import net.shibboleth.idp.cas.proxy.ProxyValidator;
import net.shibboleth.idp.cas.ticket.ProxyGrantingTicket;
import net.shibboleth.idp.cas.ticket.ProxyTicket;
import net.shibboleth.idp.cas.ticket.ServiceTicket;
import net.shibboleth.idp.cas.ticket.Ticket;
import net.shibboleth.idp.cas.ticket.TicketService;
import net.shibboleth.idp.profile.IdPEventIds;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.security.IdentifierGenerationStrategy;
import org.apache.hc.core5.net.URIBuilder;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventException;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.security.config.SecurityConfiguration;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/idp-cas-impl-5.1.3.jar:net/shibboleth/idp/cas/flow/impl/ValidateProxyCallbackAction.class */
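/**
 * CAS protocol action that issues a proxy-granting ticket (PGT) for a validated ticket and
 * delivers it to the proxy callback URL carried in the ticket validation request.
 *
 * <p>The action creates the PGT through the {@link TicketService}, appends the PGT id and a
 * PGT IOU to the callback URL as query parameters, and asks the {@link ProxyValidator} to
 * validate that callback. On success the PGT IOU is recorded on the validation response. On
 * any failure the freshly created PGT is removed from the ticket service and an error event is
 * raised.</p>
 *
 * <p>NOTE(review): the callback URL comes from the validation request
 * ({@code request.getPgtUrl()}). Nothing in this class restricts which endpoint is contacted;
 * any such restriction must be enforced by the injected {@link ProxyValidator} or by earlier
 * flow steps. Confirm against the deployment's validator configuration.</p>
 *
 * <p>This listing is decompiled output. The synthetic {@code $assertionsDisabled} field and its
 * static initializer have been folded back into ordinary {@code assert} statements, which
 * compile to the same checks.</p>
 */
public class ValidateProxyCallbackAction extends AbstractCASProtocolAction<TicketValidationRequest, TicketValidationResponse> {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateProxyCallbackAction.class);

    /** Looks up the {@link ValidateConfiguration} that applies to the current profile request. */
    @Nonnull
    private final ConfigLookupFunction<ValidateConfiguration> configLookupFunction = new ConfigLookupFunction<>(ValidateConfiguration.class);

    /** Validates the proxy callback endpoint. */
    @Nonnull
    private final ProxyValidator proxyValidator;

    /** Creates and removes proxy-granting tickets. */
    @Nonnull
    private final TicketService casTicketService;

    /** Profile configuration resolved in {@link #doPreExecute(ProfileRequestContext)}. */
    @NonnullBeforeExec
    private ValidateConfiguration validateConfig;

    /** Security configuration resolved in {@link #doPreExecute(ProfileRequestContext)}. */
    @NonnullBeforeExec
    private SecurityConfiguration securityConfig;

    /** Ticket the new PGT is derived from; a service ticket or a proxy ticket. */
    @NonnullBeforeExec
    private Ticket ticket;

    /** Ticket validation request that carries the proxy callback URL. */
    @NonnullBeforeExec
    private TicketValidationRequest request;

    /** Ticket validation response that receives the PGT IOU on success. */
    @NonnullBeforeExec
    private TicketValidationResponse response;

    /**
     * Creates the action.
     *
     * @param proxyValidator component that validates the proxy callback endpoint; must not be null
     * @param ticketService ticket service used to create and remove PGTs; must not be null
     */
    public ValidateProxyCallbackAction(@Nonnull ProxyValidator proxyValidator, @Nonnull TicketService ticketService) {
        this.proxyValidator = Constraint.isNotNull(proxyValidator, "ProxyValidator cannot be null");
        this.casTicketService = Constraint.isNotNull(ticketService, "TicketService cannot be null");
    }

    /**
     * Returns the ticket captured during pre-execution.
     *
     * @return the ticket stored by {@link #doPreExecute(ProfileRequestContext)}
     */
    @Nonnull
    private Ticket getTicket() {
        // Only checked when assertions are enabled.
        assert isPreExecuteCalled();
        return ticket;
    }

    /**
     * Resolves the profile and security configuration and captures the CAS ticket, request and
     * response from the profile request context.
     *
     * <p>The decompiler reports that this method was {@code protected} in the compiled class and
     * that it widened the modifier; the widened form is kept here.</p>
     *
     * @param profileRequestContext current profile request context
     * @return {@code true} if execution may proceed; {@code false} after an error event was built
     *         or the superclass declined
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.opensaml.profile.action.AbstractConditionalProfileAction, org.opensaml.profile.action.AbstractProfileAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        validateConfig = configLookupFunction.apply(profileRequestContext);
        if (validateConfig == null) {
            ActionSupport.buildEvent(profileRequestContext, IdPEventIds.INVALID_PROFILE_CONFIG);
            return false;
        }
        securityConfig = validateConfig.getSecurityConfiguration(profileRequestContext);
        if (securityConfig == null) {
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_SEC_CFG);
            return false;
        }
        try {
            ticket = getCASTicket(profileRequestContext);
            request = getCASRequest(profileRequestContext);
            response = getCASResponse(profileRequestContext);
            return true;
        } catch (EventException e) {
            // The lookup helpers report a missing item as an event id; surface it on the context.
            ActionSupport.buildEvent(profileRequestContext, e.getEventID());
            return false;
        }
    }

    /**
     * Creates a PGT for the current ticket, builds the proxy callback URI and validates it.
     *
     * <p>On successful validation the PGT IOU is set on the response. If validation throws, or
     * the callback URI cannot be built, the PGT is removed again so that no ticket remains in
     * the store for a callback that was never accepted.</p>
     *
     * @param profileRequestContext current profile request context
     */
    @Override // org.opensaml.profile.action.AbstractProfileAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        final IdentifierGenerationStrategy pgtIdGenerator = securityConfig.getIdGenerator();
        final IdentifierGenerationStrategy pgtIouGenerator = validateConfig.getPGTIOUGenerator(profileRequestContext);
        final Instant expiration = Instant.now().plus(validateConfig.getTicketValidityPeriod(profileRequestContext));
        assert expiration != null;
        final String pgtId = pgtIdGenerator.generateIdentifier();
        final String pgtUrl = request.getPgtUrl();
        // NOTE(review): a null pgtUrl is rejected only when assertions are enabled; presumably an
        // earlier flow step guarantees it is present. Confirm against the flow definition.
        assert pgtUrl != null;

        // The ticket service has separate overloads for service tickets and proxy tickets.
        final ProxyGrantingTicket pgt;
        if (getTicket() instanceof ServiceTicket) {
            pgt = casTicketService.createProxyGrantingTicket(pgtId, expiration, (ServiceTicket) getTicket(), pgtUrl);
        } else {
            pgt = casTicketService.createProxyGrantingTicket(pgtId, expiration, (ProxyTicket) getTicket(), pgtUrl);
        }
        final ProxyIdentifiers proxyIds = new ProxyIdentifiers(pgt.getId(), pgtIouGenerator.generateIdentifier());

        final URI callbackUri;
        try {
            callbackUri = new URIBuilder(pgtUrl)
                    .addParameter(ProtocolParam.PgtId.id(), proxyIds.getPgtId())
                    .addParameter(ProtocolParam.PgtIou.id(), proxyIds.getPgtIou())
                    .build();
        } catch (URISyntaxException e) {
            log.warn("{} Error creating proxy callback URL", getLogPrefix(), e);
            // The PGT was already stored; remove it, as the validation-failure path does.
            casTicketService.removeProxyGrantingTicket(pgt.getId());
            ActionSupport.buildEvent(profileRequestContext, EventIds.RUNTIME_EXCEPTION);
            return;
        }
        assert callbackUri != null;

        try {
            // Log the bare callback URL, not callbackUri: the built URI carries the PGT id as a
            // query parameter, and a ticket identifier should not be written to the log.
            log.debug("{} Attempting proxy authentication to {}", getLogPrefix(), pgtUrl);
            proxyValidator.validate(profileRequestContext, callbackUri);
            response.setPgtIou(proxyIds.getPgtIou());
        } catch (Exception e) {
            // Deliberately broad: any validation failure must revoke the PGT created above.
            log.warn("{} Proxy authentication failed for {}", getLogPrefix(), request.getPgtUrl(), e);
            casTicketService.removeProxyGrantingTicket(pgt.getId());
            ActionSupport.buildEvent(profileRequestContext, ProtocolError.ProxyCallbackAuthenticationFailure.event(this));
        }
    }
}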
