package org.apereo.cas.support.saml.web.idp.profile;

import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Enumeration;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.math.NumberUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.http.client.utils.URIBuilder;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.saml.SamlIdPConstants;
import org.apereo.cas.support.saml.services.SamlRegisteredService;
import org.apereo.cas.support.saml.services.idp.metadata.SamlRegisteredServiceServiceProviderMetadataFacade;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.decoder.MessageDecodingException;
import org.opensaml.saml.common.SAMLObjectBuilder;
import org.opensaml.saml.common.binding.SAMLBindingSupport;
import org.opensaml.saml.common.messaging.context.SAMLBindingContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.view.RedirectView;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-saml-idp-web-6.5.4.jar:org/apereo/cas/support/saml/web/idp/profile/SamlIdPInitiatedProfileHandlerController.class */
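/**
 * Handles IdP-initiated ("unsolicited") SAML2 SSO requests.
 *
 * <p>The endpoint has no AuthnRequest from the service provider to work with, so it
 * synthesizes one from query parameters ({@code providerId}, {@code shire},
 * {@code target}, {@code time}) and hands it to the regular authentication flow.
 * Every one of those values is supplied by the caller and must be treated as
 * untrusted input.
 */
public class SamlIdPInitiatedProfileHandlerController extends AbstractSamlIdPProfileHandlerController {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlIdPInitiatedProfileHandlerController.class);

    public SamlIdPInitiatedProfileHandlerController(SamlProfileHandlerConfigurationContext samlProfileHandlerConfigurationContext) {
        super(samlProfileHandlerConfigurationContext);
    }

    /**
     * Builds an AuthnRequest on behalf of the service provider named by {@code providerId}
     * and starts authentication for it.
     *
     * @param httpServletResponse the HTTP response
     * @param httpServletRequest the HTTP request carrying the unsolicited SSO parameters
     * @return the view produced by {@code initiateAuthenticationRequest}, with the remaining
     *         request parameters appended to its redirect URL; may be {@code null}
     * @throws MessageDecodingException if {@code providerId} is missing or no assertion
     *         consumer service URL can be resolved
     * @throws UnauthorizedServiceException if no metadata is found for the provider
     * @throws Exception on any other failure while building or signing the request
     */
    @GetMapping(path = {SamlIdPConstants.ENDPOINT_SAML2_IDP_INIT_PROFILE_SSO})
    protected ModelAndView handleIdPInitiatedSsoRequest(HttpServletResponse httpServletResponse, HttpServletRequest httpServletRequest) throws Exception {
        String providerId = httpServletRequest.getParameter(SamlIdPConstants.PROVIDER_ID);
        if (StringUtils.isBlank(providerId)) {
            LOGGER.warn("No providerId parameter given in unsolicited SSO authentication request.");
            throw new MessageDecodingException("Missing providerId");
        }

        // The entity id comes straight from the query string; it is only usable once it has
        // been matched against a registered service and that service's metadata.
        SamlRegisteredService registeredService = verifySamlRegisteredService(providerId);
        SamlRegisteredServiceServiceProviderMetadataFacade metadataFacade = getSamlMetadataFacadeFor(registeredService, providerId)
            .orElseThrow(() -> new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Cannot find metadata linked to " + providerId));

        // NOTE(review): a request-supplied shire value is used as the
        // AssertionConsumerServiceURL as-is; this method does not compare it with the ACS
        // endpoints listed in the SP metadata. Confirm that initiateAuthenticationRequest
        // (or a later step) rejects URLs the metadata does not list, otherwise the response
        // could be delivered to a caller-chosen location.
        String acsUrl = httpServletRequest.getParameter(SamlIdPConstants.SHIRE);
        if (StringUtils.isBlank(acsUrl)) {
            LOGGER.info("Resolving service provider assertion consumer service URL for [{}] and binding [{}]", providerId, SAMLConstants.SAML2_POST_BINDING_URI);
            acsUrl = resolveAssertionConsumerServiceUrl(metadataFacade);
        }
        if (StringUtils.isBlank(acsUrl)) {
            LOGGER.warn("Unable to resolve service provider assertion consumer service URL for AuthnRequest construction for entityID: [{}]", providerId);
            throw new MessageDecodingException("Unable to resolve SP ACS URL for AuthnRequest construction");
        }

        String target = httpServletRequest.getParameter("target");
        String time = httpServletRequest.getParameter("time");

        var builderFactory = getConfigurationContext().getOpenSamlConfigBean().getBuilderFactory();

        AuthnRequest authnRequest = (AuthnRequest) ((SAMLObjectBuilder<?>) builderFactory.getBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME)).buildObject();
        authnRequest.setAssertionConsumerServiceURL(acsUrl);

        Issuer issuer = (Issuer) ((SAMLObjectBuilder<?>) builderFactory.getBuilder(Issuer.DEFAULT_ELEMENT_NAME)).buildObject();
        issuer.setValue(providerId);
        authnRequest.setIssuer(issuer);
        authnRequest.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);

        NameIDPolicy nameIDPolicy = (NameIDPolicy) ((SAMLObjectBuilder<?>) builderFactory.getBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME)).buildObject();
        nameIDPolicy.setAllowCreate(Boolean.TRUE);
        authnRequest.setNameIDPolicy(nameIDPolicy);

        // NOTE(review): the issue instant is caller-chosen when "time" parses; confirm that
        // later validation bounds it to an acceptable clock skew.
        authnRequest.setIssueInstant(resolveIssueInstant(time));
        authnRequest.setForceAuthn(Boolean.FALSE);

        // NOTE(review): "target" is relayed as RelayState without inspection here; confirm
        // that consumers do not treat it as a trusted redirect destination.
        if (StringUtils.isNotBlank(target)) {
            httpServletRequest.setAttribute("RelayState", target);
        }

        MessageContext messageContext = new MessageContext();
        // The request is synthesized by the IdP, so any signature on it is applied here,
        // when the SP metadata or the service definition asks for signed requests.
        if (metadataFacade.isAuthnRequestsSigned() || registeredService.isSignUnsolicitedAuthnRequest()) {
            getConfigurationContext().getSamlObjectSigner().encode(authnRequest, registeredService, metadataFacade, httpServletResponse, httpServletRequest, SAMLConstants.SAML2_POST_BINDING_URI, authnRequest, messageContext);
        }
        messageContext.setMessage(authnRequest);
        SAMLBindingContext bindingContext = (SAMLBindingContext) messageContext.getSubcontext(SAMLBindingContext.class, true);
        Objects.requireNonNull(bindingContext).setHasBindingSignature(false);
        SAMLBindingSupport.setRelayState(messageContext, target);

        ModelAndView modelAndView = initiateAuthenticationRequest(Pair.of(authnRequest, messageContext), httpServletResponse, httpServletRequest);
        if (modelAndView != null) {
            RedirectView redirectView = (RedirectView) modelAndView.getView();
            URIBuilder redirectUrl = new URIBuilder(Objects.requireNonNull(redirectView).getUrl());
            // Every parameter other than the four consumed above is copied onto the redirect
            // URL (first value only). NOTE(review): these are arbitrary caller-supplied
            // names and values; confirm nothing downstream treats them as trusted.
            Enumeration<String> parameterNames = httpServletRequest.getParameterNames();
            while (parameterNames.hasMoreElements()) {
                String name = parameterNames.nextElement();
                boolean consumed = name.equalsIgnoreCase("target")
                    || name.equalsIgnoreCase("time")
                    || name.equalsIgnoreCase(SamlIdPConstants.SHIRE)
                    || name.equalsIgnoreCase(SamlIdPConstants.PROVIDER_ID);
                if (!consumed) {
                    redirectUrl.addParameter(name, httpServletRequest.getParameter(name));
                }
            }
            redirectView.setUrl(redirectUrl.build().toString());
        }
        return modelAndView;
    }

    /**
     * Looks up the SP's assertion consumer service for the POST binding in its metadata.
     *
     * @param metadataFacade the service provider metadata
     * @return the endpoint's response location if set, else its location, or {@code null}
     *         when the metadata has no POST-binding endpoint
     */
    private static String resolveAssertionConsumerServiceUrl(SamlRegisteredServiceServiceProviderMetadataFacade metadataFacade) {
        AssertionConsumerService acs = metadataFacade.getAssertionConsumerService(SAMLConstants.SAML2_POST_BINDING_URI);
        if (acs == null) {
            return null;
        }
        return StringUtils.isBlank(acs.getResponseLocation()) ? acs.getLocation() : acs.getResponseLocation();
    }

    /**
     * Turns the request-supplied {@code time} parameter into the AuthnRequest issue instant.
     *
     * <p>{@code NumberUtils.isCreatable} also accepts hex, decimal-point, exponent and
     * type-suffixed literals that {@code Long.parseLong} rejects, so a value such as
     * {@code 1.5} used to escape as an unhandled {@code NumberFormatException}. Such values
     * now fall back to the current time, the same as any other non-numeric input.
     *
     * @param time the raw parameter value; may be {@code null}
     * @return the parsed epoch-millisecond instant, or the current UTC instant
     */
    private static Instant resolveIssueInstant(String time) {
        if (NumberUtils.isCreatable(time)) {
            try {
                return Instant.ofEpochMilli(Long.parseLong(time));
            } catch (NumberFormatException ignored) {
                LOGGER.debug("Ignoring time parameter [{}] that is not a decimal epoch-millisecond value", time);
            }
        }
        return ZonedDateTime.now(ZoneOffset.UTC).toInstant();
    }
}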
