package org.jasig.cas;

import com.codahale.metrics.annotation.Counted;
import com.codahale.metrics.annotation.Metered;
import com.codahale.metrics.annotation.Timed;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.validation.constraints.NotNull;
import org.apache.commons.collections4.Predicate;
import org.jasig.cas.authentication.AcceptAnyAuthenticationPolicyFactory;
import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.AuthenticationBuilder;
import org.jasig.cas.authentication.AuthenticationException;
import org.jasig.cas.authentication.AuthenticationManager;
import org.jasig.cas.authentication.ContextualAuthenticationPolicy;
import org.jasig.cas.authentication.ContextualAuthenticationPolicyFactory;
import org.jasig.cas.authentication.Credential;
import org.jasig.cas.authentication.DefaultAuthenticationBuilder;
import org.jasig.cas.authentication.MixedPrincipalException;
import org.jasig.cas.authentication.principal.DefaultPrincipalFactory;
import org.jasig.cas.authentication.principal.PersistentIdGenerator;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.PrincipalFactory;
import org.jasig.cas.authentication.principal.Service;
import org.jasig.cas.logout.LogoutManager;
import org.jasig.cas.logout.LogoutRequest;
import org.jasig.cas.services.AttributeReleasePolicy;
import org.jasig.cas.services.RegisteredService;
import org.jasig.cas.services.ServiceContext;
import org.jasig.cas.services.ServicesManager;
import org.jasig.cas.services.UnauthorizedProxyingException;
import org.jasig.cas.services.UnauthorizedServiceException;
import org.jasig.cas.services.UnauthorizedServiceForPrincipalException;
import org.jasig.cas.services.UnauthorizedSsoServiceException;
import org.jasig.cas.ticket.ExpirationPolicy;
import org.jasig.cas.ticket.InvalidTicketException;
import org.jasig.cas.ticket.ServiceTicket;
import org.jasig.cas.ticket.Ticket;
import org.jasig.cas.ticket.TicketCreationException;
import org.jasig.cas.ticket.TicketException;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.TicketGrantingTicketImpl;
import org.jasig.cas.ticket.UnrecognizableServiceForServiceTicketValidationException;
import org.jasig.cas.ticket.UnsatisfiedAuthenticationPolicyException;
import org.jasig.cas.ticket.registry.TicketRegistry;
import org.jasig.cas.util.DefaultUniqueTicketIdGenerator;
import org.jasig.cas.util.UniqueTicketIdGenerator;
import org.jasig.cas.validation.Assertion;
import org.jasig.cas.validation.ImmutableAssertion;
import org.jasig.inspektr.audit.annotation.Audit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-4.1.4.jar:org/jasig/cas/CentralAuthenticationServiceImpl.class */
public final class CentralAuthenticationServiceImpl implements CentralAuthenticationService {

    @NotNull
    private final TicketRegistry ticketRegistry;

    @NotNull
    private final AuthenticationManager authenticationManager;

    @NotNull
    private final UniqueTicketIdGenerator ticketGrantingTicketUniqueTicketIdGenerator;

    @NotNull
    private final Map<String, UniqueTicketIdGenerator> uniqueTicketIdGeneratorsForService;

    @NotNull
    private final ServicesManager servicesManager;

    @NotNull
    private final LogoutManager logoutManager;

    @NotNull
    private ExpirationPolicy ticketGrantingTicketExpirationPolicy;

    @NotNull
    private ExpirationPolicy serviceTicketExpirationPolicy;
    private final Logger logger = LoggerFactory.getLogger(getClass());

    @NotNull
    private ContextualAuthenticationPolicyFactory<ServiceContext> serviceContextAuthenticationPolicyFactory = new AcceptAnyAuthenticationPolicyFactory();

    @NotNull
    private PrincipalFactory principalFactory = new DefaultPrincipalFactory();

    @NotNull
    private final UniqueTicketIdGenerator defaultServiceTicketIdGenerator = new DefaultUniqueTicketIdGenerator();

    public CentralAuthenticationServiceImpl(TicketRegistry ticketRegistry, AuthenticationManager authenticationManager, UniqueTicketIdGenerator uniqueTicketIdGenerator, Map<String, UniqueTicketIdGenerator> map, ExpirationPolicy expirationPolicy, ExpirationPolicy expirationPolicy2, ServicesManager servicesManager, LogoutManager logoutManager) {
        this.ticketRegistry = ticketRegistry;
        this.authenticationManager = authenticationManager;
        this.ticketGrantingTicketUniqueTicketIdGenerator = uniqueTicketIdGenerator;
        this.uniqueTicketIdGeneratorsForService = map;
        this.ticketGrantingTicketExpirationPolicy = expirationPolicy;
        this.serviceTicketExpirationPolicy = expirationPolicy2;
        this.servicesManager = servicesManager;
        this.logoutManager = logoutManager;
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Timed(name = "DESTROY_TICKET_GRANTING_TICKET_TIMER")
    @Counted(name = "DESTROY_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
    @Metered(name = "DESTROY_TICKET_GRANTING_TICKET_METER")
    @Audit(action = "TICKET_GRANTING_TICKET_DESTROYED", actionResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    public List<LogoutRequest> destroyTicketGrantingTicket(@NotNull String str) {
        try {
            this.logger.debug("Removing ticket [{}] from registry...", str);
            TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) getTicket(str, TicketGrantingTicket.class);
            this.logger.debug("Ticket found. Processing logout requests and then deleting the ticket...");
            List<LogoutRequest> performLogout = this.logoutManager.performLogout(ticketGrantingTicket);
            this.ticketRegistry.deleteTicket(str);
            return performLogout;
        } catch (InvalidTicketException e) {
            this.logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", str);
            return Collections.emptyList();
        }
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Timed(name = "GRANT_SERVICE_TICKET_TIMER")
    @Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true)
    @Metered(name = "GRANT_SERVICE_TICKET_METER")
    @Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
    public ServiceTicket grantServiceTicket(String str, Service service, Credential... credentialArr) throws AuthenticationException, TicketException {
        TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) getTicket(str, TicketGrantingTicket.class);
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        verifyRegisteredServiceProperties(findServiceBy, service);
        Set<Credential> sanitizeCredentials = sanitizeCredentials(credentialArr);
        Authentication authentication = null;
        if (sanitizeCredentials.size() > 0) {
            authentication = this.authenticationManager.authenticate((Credential[]) sanitizeCredentials.toArray(new Credential[0]));
            Authentication authentication2 = ticketGrantingTicket.getAuthentication();
            if (!authentication.getPrincipal().equals(authentication2.getPrincipal())) {
                throw new MixedPrincipalException(authentication, authentication.getPrincipal(), authentication2.getPrincipal());
            }
            ticketGrantingTicket.getSupplementalAuthentications().add(authentication);
        }
        if (authentication == null && !findServiceBy.getAccessStrategy().isServiceAccessAllowedForSso()) {
            this.logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
            throw new UnauthorizedSsoServiceException();
        }
        Service proxiedBy = ticketGrantingTicket.getProxiedBy();
        if (proxiedBy != null) {
            this.logger.debug("TGT is proxied by [{}]. Locating proxy service in registry...", proxiedBy.getId());
            RegisteredService findServiceBy2 = this.servicesManager.findServiceBy(proxiedBy);
            if (findServiceBy2 == null) {
                this.logger.warn("No proxying service found. Proxy attempt by service [{}] (registered service [{}]) is not allowed.", service.getId(), Long.valueOf(findServiceBy.getId()));
                throw new UnauthorizedProxyingException("Proxying is not allowed for registered service " + findServiceBy.getId());
            }
            this.logger.debug("Located proxying service [{}] in the service registry", findServiceBy2);
            if (!findServiceBy2.getProxyPolicy().isAllowedToProxy()) {
                this.logger.warn("Found proxying service {}, but it is not authorized to fulfill the proxy attempt made by {}", Long.valueOf(findServiceBy2.getId()), service.getId());
                throw new UnauthorizedProxyingException("Proxying is not allowed for registered service " + findServiceBy.getId());
            }
        } else {
            this.logger.trace("TGT is not proxied by another service");
        }
        getAuthenticationSatisfiedByPolicy(ticketGrantingTicket, new ServiceContext(service, findServiceBy));
        List<Authentication> chainedAuthentications = ticketGrantingTicket.getChainedAuthentications();
        Principal principal = chainedAuthentications.get(chainedAuthentications.size() - 1).getPrincipal();
        if (!findServiceBy.getAccessStrategy().doPrincipalAttributesAllowServiceAccess(findServiceBy.getAttributeReleasePolicy().getAttributes(principal))) {
            this.logger.warn("ServiceManagement: Cannot grant service ticket because Service [{}] is not authorized for use by [{}].", service.getId(), principal);
            throw new UnauthorizedServiceForPrincipalException();
        }
        String name = service.getClass().getName();
        this.logger.debug("Looking up service ticket id generator for [{}]", name);
        UniqueTicketIdGenerator uniqueTicketIdGenerator = this.uniqueTicketIdGeneratorsForService.get(name);
        if (uniqueTicketIdGenerator == null) {
            uniqueTicketIdGenerator = this.defaultServiceTicketIdGenerator;
            this.logger.debug("Service ticket id generator not found for [{}]. Using the default generator...", name);
        }
        ServiceTicket grantServiceTicket = ticketGrantingTicket.grantServiceTicket(uniqueTicketIdGenerator.getNewTicketId(chainedAuthentications.size() == 1 ? ServiceTicket.PREFIX : ServiceTicket.PROXY_TICKET_PREFIX), service, this.serviceTicketExpirationPolicy, authentication != null);
        this.ticketRegistry.addTicket(grantServiceTicket);
        this.logger.info("Granted ticket [{}] for service [{}] for user [{}]", grantServiceTicket.getId(), service.getId(), principal.getId());
        return grantServiceTicket;
    }

    private static Set<Credential> sanitizeCredentials(Credential[] credentialArr) {
        if (credentialArr == null || credentialArr.length <= 0) {
            return Collections.emptySet();
        }
        HashSet hashSet = new HashSet(Arrays.asList(credentialArr));
        Iterator it = hashSet.iterator();
        while (it.hasNext()) {
            if (it.next() == null) {
                it.remove();
            }
        }
        return hashSet;
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Timed(name = "GRANT_SERVICE_TICKET_TIMER")
    @Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true)
    @Metered(name = "GRANT_SERVICE_TICKET_METER")
    @Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
    public ServiceTicket grantServiceTicket(String str, Service service) throws TicketException {
        try {
            return grantServiceTicket(str, service, (Credential[]) null);
        } catch (AuthenticationException e) {
            throw new IllegalStateException("Unexpected authentication exception", e);
        }
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Timed(name = "GRANT_PROXY_GRANTING_TICKET_TIMER")
    @Counted(name = "GRANT_PROXY_GRANTING_TICKET_COUNTER", monotonic = true)
    @Metered(name = "GRANT_PROXY_GRANTING_TICKET_METER")
    @Audit(action = "PROXY_GRANTING_TICKET", actionResolverName = "GRANT_PROXY_GRANTING_TICKET_RESOLVER", resourceResolverName = "GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
    public TicketGrantingTicket delegateTicketGrantingTicket(String str, Credential... credentialArr) throws AuthenticationException, TicketException {
        ServiceTicket serviceTicket = (ServiceTicket) this.ticketRegistry.getTicket(str, ServiceTicket.class);
        if (serviceTicket == null || serviceTicket.isExpired()) {
            this.logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", str);
            throw new InvalidTicketException(str);
        }
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(serviceTicket.getService());
        verifyRegisteredServiceProperties(findServiceBy, serviceTicket.getService());
        if (!findServiceBy.getProxyPolicy().isAllowedToProxy()) {
            this.logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", serviceTicket.getService().getId());
            throw new UnauthorizedProxyingException();
        }
        TicketGrantingTicket grantTicketGrantingTicket = serviceTicket.grantTicketGrantingTicket(this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(TicketGrantingTicket.PROXY_GRANTING_TICKET_PREFIX), this.authenticationManager.authenticate(credentialArr), this.ticketGrantingTicketExpirationPolicy);
        this.logger.debug("Generated proxy granting ticket [{}] based off of [{}]", grantTicketGrantingTicket, str);
        this.ticketRegistry.addTicket(grantTicketGrantingTicket);
        return grantTicketGrantingTicket;
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Timed(name = "VALIDATE_SERVICE_TICKET_TIMER")
    @Counted(name = "VALIDATE_SERVICE_TICKET_COUNTER", monotonic = true)
    @Metered(name = "VALIDATE_SERVICE_TICKET_METER")
    @Audit(action = "SERVICE_TICKET_VALIDATE", actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER", resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
    public Assertion validateServiceTicket(String str, Service service) throws TicketException {
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        verifyRegisteredServiceProperties(findServiceBy, service);
        ServiceTicket serviceTicket = (ServiceTicket) this.ticketRegistry.getTicket(str, ServiceTicket.class);
        if (serviceTicket == null) {
            this.logger.info("Service ticket [{}] does not exist.", str);
            throw new InvalidTicketException(str);
        }
        try {
            synchronized (serviceTicket) {
                if (serviceTicket.isExpired()) {
                    this.logger.info("ServiceTicket [{}] has expired.", str);
                    throw new InvalidTicketException(str);
                }
                if (!serviceTicket.isValidFor(service)) {
                    this.logger.error("Service ticket [{}] with service [{}] does not match supplied service [{}]", str, serviceTicket.getService().getId(), service);
                    throw new UnrecognizableServiceForServiceTicketValidationException(serviceTicket.getService());
                }
            }
            Authentication authenticationSatisfiedByPolicy = getAuthenticationSatisfiedByPolicy(serviceTicket.getGrantingTicket().getRoot(), new ServiceContext(serviceTicket.getService(), findServiceBy));
            Principal principal = authenticationSatisfiedByPolicy.getPrincipal();
            AttributeReleasePolicy attributeReleasePolicy = findServiceBy.getAttributeReleasePolicy();
            this.logger.debug("Attribute policy [{}] is associated with service [{}]", attributeReleasePolicy, findServiceBy);
            Principal createPrincipal = this.principalFactory.createPrincipal(findServiceBy.getUsernameAttributeProvider().resolveUsername(principal, service), attributeReleasePolicy != null ? attributeReleasePolicy.getAttributes(principal) : Collections.EMPTY_MAP);
            AuthenticationBuilder newInstance = DefaultAuthenticationBuilder.newInstance(authenticationSatisfiedByPolicy);
            newInstance.setPrincipal(createPrincipal);
            ImmutableAssertion immutableAssertion = new ImmutableAssertion(newInstance.build(), serviceTicket.getGrantingTicket().getChainedAuthentications(), serviceTicket.getService(), serviceTicket.isFromNewLogin());
            if (serviceTicket.isExpired()) {
                this.ticketRegistry.deleteTicket(str);
            }
            return immutableAssertion;
        } catch (Throwable th) {
            if (serviceTicket.isExpired()) {
                this.ticketRegistry.deleteTicket(str);
            }
            throw th;
        }
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Timed(name = "CREATE_TICKET_GRANTING_TICKET_TIMER")
    @Counted(name = "CREATE_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
    @Metered(name = "CREATE_TICKET_GRANTING_TICKET_METER")
    @Audit(action = "TICKET_GRANTING_TICKET", actionResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    public TicketGrantingTicket createTicketGrantingTicket(Credential... credentialArr) throws AuthenticationException, TicketException {
        if (sanitizeCredentials(credentialArr).isEmpty()) {
            this.logger.warn("No credentials were specified in the request for creating a new ticket-granting ticket");
            throw new TicketCreationException(new IllegalArgumentException("No credentials were specified in the request for creating a new ticket-granting ticket"));
        }
        TicketGrantingTicketImpl ticketGrantingTicketImpl = new TicketGrantingTicketImpl(this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(TicketGrantingTicket.PREFIX), this.authenticationManager.authenticate(credentialArr), this.ticketGrantingTicketExpirationPolicy);
        this.ticketRegistry.addTicket(ticketGrantingTicketImpl);
        return ticketGrantingTicketImpl;
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Timed(name = "GET_TICKET_TIMER")
    @Counted(name = "GET_TICKET_COUNTER", monotonic = true)
    @Metered(name = "GET_TICKET_METER")
    public <T extends Ticket> T getTicket(String str, Class<? extends Ticket> cls) throws InvalidTicketException {
        Assert.notNull(str, "ticketId cannot be null");
        T t = (T) this.ticketRegistry.getTicket(str, cls);
        if (t == null) {
            this.logger.debug("Ticket [{}] by type [{}] cannot be found in the ticket registry.", str, cls.getSimpleName());
            throw new InvalidTicketException(str);
        }
        if (t instanceof TicketGrantingTicket) {
            synchronized (t) {
                if (t.isExpired()) {
                    this.ticketRegistry.deleteTicket(str);
                    this.logger.debug("Ticket [{}] has expired and is now deleted from the ticket registry.", str);
                    throw new InvalidTicketException(str);
                }
            }
        }
        return t;
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Timed(name = "GET_TICKETS_TIMER")
    @Counted(name = "GET_TICKETS_COUNTER", monotonic = true)
    @Metered(name = "GET_TICKETS_METER")
    public Collection<Ticket> getTickets(Predicate predicate) {
        HashSet hashSet = new HashSet(this.ticketRegistry.getTickets());
        Iterator it = hashSet.iterator();
        while (it.hasNext()) {
            if (!predicate.evaluate(it.next())) {
                it.remove();
            }
        }
        return hashSet;
    }

    public void setServiceContextAuthenticationPolicyFactory(ContextualAuthenticationPolicyFactory<ServiceContext> contextualAuthenticationPolicyFactory) {
        this.serviceContextAuthenticationPolicyFactory = contextualAuthenticationPolicyFactory;
    }

    public void setTicketGrantingTicketExpirationPolicy(ExpirationPolicy expirationPolicy) {
        this.ticketGrantingTicketExpirationPolicy = expirationPolicy;
    }

    public void setServiceTicketExpirationPolicy(ExpirationPolicy expirationPolicy) {
        this.serviceTicketExpirationPolicy = expirationPolicy;
    }

    @Deprecated
    public void setPersistentIdGenerator(PersistentIdGenerator persistentIdGenerator) {
        this.logger.warn("setPersistentIdGenerator() is deprecated and no longer available. Consider configuring the an attribute provider for service definitions.");
    }

    public void setPrincipalFactory(PrincipalFactory principalFactory) {
        this.principalFactory = principalFactory;
    }

    private Authentication getAuthenticationSatisfiedByPolicy(TicketGrantingTicket ticketGrantingTicket, ServiceContext serviceContext) throws TicketException {
        ContextualAuthenticationPolicy<ServiceContext> createPolicy = this.serviceContextAuthenticationPolicyFactory.createPolicy(serviceContext);
        if (createPolicy.isSatisfiedBy(ticketGrantingTicket.getAuthentication())) {
            return ticketGrantingTicket.getAuthentication();
        }
        for (Authentication authentication : ticketGrantingTicket.getSupplementalAuthentications()) {
            if (createPolicy.isSatisfiedBy(authentication)) {
                return authentication;
            }
        }
        throw new UnsatisfiedAuthenticationPolicyException(createPolicy);
    }

    private void verifyRegisteredServiceProperties(RegisteredService registeredService, Service service) {
        if (registeredService == null) {
            String format = String.format("ServiceManagement: Unauthorized Service Access. Service [%s] is not found in service registry.", service.getId());
            this.logger.warn(format);
            throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, format);
        }
        if (registeredService.getAccessStrategy().isServiceAccessAllowed()) {
            return;
        }
        String format2 = String.format("ServiceManagement: Unauthorized Service Access. Service [%s] is not enabled in service registry.", service.getId());
        this.logger.warn(format2);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, format2);
    }
}
