package org.apereo.cas.services;

import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonInclude;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.persistence.PostLoad;
import lombok.Generated;
import org.apache.commons.lang3.ObjectUtils;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.RegexUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

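/**
 * Access strategy for a registered service. It answers three questions: is the service
 * enabled, may it participate in SSO, and do a principal's attributes satisfy the configured
 * required/rejected attribute rules.
 *
 * <p>Points a reviewer of an access policy should keep in mind (all visible in this class):
 * <ul>
 *   <li>When neither required nor rejected rules are defined, the attribute check is skipped
 *       and access is allowed. A {@code null} rule map is treated the same as an empty one.</li>
 *   <li>A {@code null} principal attribute map is treated as empty, so it is denied whenever
 *       any rule is defined instead of failing with a {@link NullPointerException}.</li>
 *   <li>Rule values are handed to {@code RegexUtils.concatenate} and tested through
 *       {@link Pattern#asPredicate()}, which uses {@code find()} semantics: unless the
 *       concatenated expression is anchored (not visible from this class), a rule value
 *       matches any principal value that merely contains it.</li>
 *   <li>Rejected rules go through the same matcher as required rules and therefore honour
 *       {@link #requireAllAttributes}. With the constructor default of {@code true}, a
 *       rejection fires only when every rejected attribute name is present and every one of
 *       them matches.</li>
 *   <li>Several DEBUG statements print the complete principal attribute map; treat debug
 *       logs of this class as sensitive data.</li>
 * </ul>
 */
@JsonInclude(JsonInclude.Include.NON_NULL)
/* loaded from: input_file:org/apereo/cas/services/DefaultRegisteredServiceAccessStrategy.class */
public class DefaultRegisteredServiceAccessStrategy implements RegisteredServiceAccessStrategy {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultRegisteredServiceAccessStrategy.class);
    private static final long serialVersionUID = 1245279151345635245L;

    // Ordering value; only stored and exposed through the accessor pair in this class.
    protected int order;
    // Whether the service is enabled; read by isServiceAccessAllowed().
    protected boolean enabled;
    // Whether the service may participate in SSO; read by isServiceAccessAllowedForSso().
    protected boolean ssoEnabled;
    // Stored and exposed only; this class performs no validation of the URI.
    protected URI unauthorizedRedirectUrl;
    // Never left null by the constructors or postLoad(); a setter may still assign null.
    protected RegisteredServiceDelegatedAuthenticationPolicy delegatedAuthenticationPolicy;
    // true: every rule must match ("all" mode); false: one matching rule suffices ("any" mode).
    // Applies to required AND rejected rules alike.
    protected boolean requireAllAttributes;
    // Attribute name -> accepted values (treated as regular expressions, see requiredAttributeFound).
    protected Map<String, Set<String>> requiredAttributes;
    // Attribute name -> values that refuse access (same matching as requiredAttributes).
    protected Map<String, Set<String>> rejectedAttributes;
    // Passed to RegexUtils.concatenate when the rule values are compiled.
    protected boolean caseInsensitive;

    /** Creates a strategy that is enabled and allowed to participate in SSO. */
    public DefaultRegisteredServiceAccessStrategy() {
        this(true, true);
    }

    /**
     * Creates a strategy with no attribute rules and "all" matching mode.
     *
     * @param z  initial value of {@code enabled}
     * @param z2 initial value of {@code ssoEnabled}
     */
    public DefaultRegisteredServiceAccessStrategy(boolean z, boolean z2) {
        this.enabled = z;
        this.ssoEnabled = z2;
        this.delegatedAuthenticationPolicy = new DefaultRegisteredServiceDelegatedAuthenticationPolicy();
        this.requireAllAttributes = true;
        this.requiredAttributes = new HashMap<>(0);
        this.rejectedAttributes = new HashMap<>(0);
    }

    /**
     * Creates an enabled, SSO-enabled strategy with the given rules.
     *
     * @param map  required attribute rules; {@code null} becomes an empty map
     * @param map2 rejected attribute rules; {@code null} becomes an empty map
     */
    public DefaultRegisteredServiceAccessStrategy(Map<String, Set<String>> map, Map<String, Set<String>> map2) {
        this();
        this.requiredAttributes = emptyIfNull(map);
        this.rejectedAttributes = emptyIfNull(map2);
    }

    /**
     * Creates an enabled, SSO-enabled strategy with the given required rules and no rejected rules.
     *
     * @param map required attribute rules; {@code null} becomes an empty map
     */
    public DefaultRegisteredServiceAccessStrategy(Map<String, Set<String>> map) {
        this();
        this.requiredAttributes = emptyIfNull(map);
    }

    /**
     * Restores non-null defaults for the delegated authentication policy and both rule maps
     * after the entity has been loaded.
     */
    @PostLoad
    public void postLoad() {
        this.delegatedAuthenticationPolicy = ObjectUtils.defaultIfNull(
            this.delegatedAuthenticationPolicy, new DefaultRegisteredServiceDelegatedAuthenticationPolicy());
        this.requiredAttributes = emptyIfNull(this.requiredAttributes);
        this.rejectedAttributes = emptyIfNull(this.rejectedAttributes);
    }

    /**
     * @return the required attribute rules as stored (the live map, not a copy)
     */
    public Map<String, Set<String>> getRequiredAttributes() {
        return this.requiredAttributes;
    }

    /**
     * @return {@code true} when the service may participate in SSO
     */
    @JsonIgnore
    public boolean isServiceAccessAllowedForSso() {
        if (!this.ssoEnabled) {
            LOGGER.trace("Service is not authorized to participate in SSO.");
        }
        return this.ssoEnabled;
    }

    /**
     * @return {@code true} when the service is enabled
     */
    @JsonIgnore
    public boolean isServiceAccessAllowed() {
        if (!this.enabled) {
            LOGGER.trace("Service is not enabled in service registry.");
        }
        return this.enabled;
    }

    /**
     * Sets the {@code enabled} flag.
     *
     * @param z new value of {@code enabled}
     */
    @JsonIgnore
    public void setServiceAccessAllowed(boolean z) {
        this.enabled = z;
    }

    /**
     * Decides whether the principal attributes satisfy the configured attribute rules.
     *
     * <p>Order of evaluation: no rules at all allows access; too few attributes denies;
     * a rejected-rule match denies; finally the required rules must be satisfied.
     *
     * @param str not used by this implementation beyond being forwarded to
     *            {@link #enoughAttributesAvailableToProcess(String, Map)}
     * @param map principal attributes; {@code null} is treated as an empty map
     * @return {@code true} when access is allowed
     */
    public boolean doPrincipalAttributesAllowServiceAccess(String str, Map<String, Object> map) {
        final Map<String, Set<String>> rejected = emptyIfNull(this.rejectedAttributes);
        final Map<String, Set<String>> required = emptyIfNull(this.requiredAttributes);
        if (rejected.isEmpty() && required.isEmpty()) {
            LOGGER.trace("Skipping access strategy policy, since no attributes rules are defined");
            return true;
        }
        // The guard above already accepts null rule maps, so the remaining checks must not
        // dereference them either. A null principal map is handled as "no attributes", which
        // ends in a denial below because at least one rule is defined at this point.
        final Map<String, Object> principalAttributes = emptyIfNull(map);
        if (!enoughAttributesAvailableToProcess(str, principalAttributes)) {
            LOGGER.debug("Access is denied. There are not enough attributes available to satisfy requirements");
            return false;
        }
        if (doRejectedAttributesRefusePrincipalAccess(principalAttributes)) {
            LOGGER.debug("Access is denied. The principal carries attributes that would reject service access");
            return false;
        }
        if (doRequiredAttributesAllowPrincipalAccess(principalAttributes, required)) {
            return true;
        }
        LOGGER.debug("Access is denied. The principal does not have the required attributes [{}] specified by this strategy", this.requiredAttributes);
        return false;
    }

    /**
     * Checks the required rules against the principal attributes.
     *
     * @param map  principal attributes; {@code null} is treated as empty
     * @param map2 required rules; {@code null} or empty means nothing is required
     * @return {@code true} when there are no required rules or they are satisfied
     */
    protected boolean doRequiredAttributesAllowPrincipalAccess(Map<String, Object> map, Map<String, Set<String>> map2) {
        // NOTE(review): this prints every principal attribute value at DEBUG level.
        LOGGER.debug("These required attributes [{}] are examined against [{}] before service can proceed.", map2, map);
        final Map<String, Set<String>> required = emptyIfNull(map2);
        return required.isEmpty() || requiredAttributesFoundInMap(emptyIfNull(map), required);
    }

    /**
     * Checks whether the rejected rules refuse access.
     *
     * <p>The rejected rules are evaluated by the same matcher as the required rules, so
     * {@link #requireAllAttributes} applies: in "all" mode a single matching rejected attribute
     * is not enough to refuse access when other rejected attributes are absent or do not match.
     *
     * @param map principal attributes; {@code null} is treated as empty
     * @return {@code true} when access must be refused
     */
    protected boolean doRejectedAttributesRefusePrincipalAccess(Map<String, Object> map) {
        // NOTE(review): this prints every principal attribute value at DEBUG level.
        LOGGER.debug("These rejected attributes [{}] are examined against [{}] before service can proceed.", this.rejectedAttributes, map);
        final Map<String, Set<String>> rejected = emptyIfNull(this.rejectedAttributes);
        return !rejected.isEmpty() && requiredAttributesFoundInMap(emptyIfNull(map), rejected);
    }

    /**
     * Size-based precheck: the principal must carry at least as many attributes as there are
     * required rules and as there are rejected rules.
     *
     * <p>The rejected-rule half means a principal with fewer attributes than rejected rules is
     * denied even when it carries none of the rejected attributes.
     *
     * @param str not used by this implementation
     * @param map principal attributes; {@code null} is treated as empty
     * @return {@code true} when enough attributes are available to evaluate the rules
     */
    protected boolean enoughAttributesAvailableToProcess(String str, Map<String, Object> map) {
        final Map<String, Object> principalAttributes = emptyIfNull(map);
        if (!enoughRequiredAttributesAvailableToProcess(principalAttributes, emptyIfNull(this.requiredAttributes))) {
            return false;
        }
        if (principalAttributes.size() < emptyIfNull(this.rejectedAttributes).size()) {
            LOGGER.debug("The size of the principal attributes that are [{}] does not match defined rejected attributes, which means the principal is not carrying enough data to grant authorization", map);
            return false;
        }
        return true;
    }

    /**
     * Size-based precheck for the required rules only.
     *
     * @param map  principal attributes; {@code null} is treated as empty
     * @param map2 required rules; {@code null} is treated as empty
     * @return {@code false} when the principal has no attributes although rules exist, or
     *         carries fewer attributes than there are rules
     */
    protected boolean enoughRequiredAttributesAvailableToProcess(Map<String, Object> map, Map<String, Set<String>> map2) {
        final Map<String, Object> principalAttributes = emptyIfNull(map);
        final Map<String, Set<String>> required = emptyIfNull(map2);
        if (principalAttributes.isEmpty() && !required.isEmpty()) {
            LOGGER.debug("No principal attributes are found to satisfy defined attribute requirements");
            return false;
        }
        if (principalAttributes.size() < required.size()) {
            LOGGER.debug("The size of the principal attributes that are [{}] does not match defined required attributes, which indicates the principal is not carrying enough data to grant authorization", map);
            return false;
        }
        return true;
    }

    /**
     * Evaluates a rule map against the principal attributes in "all" or "any" mode.
     *
     * @param map  principal attributes (must not be {@code null})
     * @param map2 rule map, either the required or the rejected rules (must not be {@code null})
     * @return in "all" mode, {@code true} only when every rule name is present on the principal
     *         and every rule matches; in "any" mode, {@code true} when at least one rule matches
     */
    protected boolean requiredAttributesFoundInMap(Map<String, Object> map, Map<String, Set<String>> map2) {
        // Rule names that the principal actually carries.
        final Set<String> ruleNamesPresent = map2.keySet().stream()
            .filter(map::containsKey)
            .collect(Collectors.toSet());
        LOGGER.debug("Difference of checking required attributes: [{}]", ruleNamesPresent);
        if (this.requireAllAttributes) {
            // A rule whose attribute is missing from the principal fails "all" mode outright.
            return ruleNamesPresent.size() >= map2.size()
                && ruleNamesPresent.stream().allMatch(name -> requiredAttributeFound(name, map, map2));
        }
        return ruleNamesPresent.stream().anyMatch(name -> requiredAttributeFound(name, map, map2));
    }

    /**
     * Tests one attribute of the principal against the values configured for it.
     *
     * @param str  attribute name
     * @param map  principal attributes
     * @param map2 rule map holding the configured values for {@code str}
     * @return {@code true} when at least one principal value matches
     */
    private boolean requiredAttributeFound(String str, Map<String, Object> map, Map<String, Set<String>> map2) {
        final Set<String> ruleValues = map2.get(str);
        final Set<?> principalValues = CollectionUtils.toCollection(map.get(str));
        final Pattern pattern = RegexUtils.concatenate(ruleValues, this.caseInsensitive);
        LOGGER.debug("Checking [{}] against [{}] with pattern [{}] for attribute [{}]", ruleValues, principalValues, pattern, str);
        if (pattern.equals(RegexUtils.MATCH_NOTHING_PATTERN)) {
            // Sentinel returned by RegexUtils.concatenate (presumably when the values cannot be
            // compiled; confirm in RegexUtils). Fall back to literal set membership, which does
            // not apply the caseInsensitive flag.
            return principalValues.stream().anyMatch(ruleValues::contains);
        }
        // asPredicate() is find(), not matches(): a rule value matches any principal value
        // that contains it unless the compiled expression is anchored.
        return principalValues.stream().map(Object::toString).anyMatch(pattern.asPredicate());
    }

    /**
     * Returns the given map, or a new empty map when it is {@code null}.
     */
    private static <K, V> Map<K, V> emptyIfNull(Map<K, V> candidate) {
        return candidate == null ? new HashMap<>(0) : candidate;
    }

    @Generated
    @Override
    public String toString() {
        return "DefaultRegisteredServiceAccessStrategy(order=" + this.order
            + ", enabled=" + this.enabled
            + ", ssoEnabled=" + this.ssoEnabled
            + ", unauthorizedRedirectUrl=" + this.unauthorizedRedirectUrl
            + ", delegatedAuthenticationPolicy=" + this.delegatedAuthenticationPolicy
            + ", requireAllAttributes=" + this.requireAllAttributes
            + ", requiredAttributes=" + this.requiredAttributes
            + ", rejectedAttributes=" + this.rejectedAttributes
            + ", caseInsensitive=" + this.caseInsensitive + ")";
    }

    @Generated
    public int getOrder() {
        return this.order;
    }

    @Generated
    public boolean isEnabled() {
        return this.enabled;
    }

    @Generated
    public boolean isSsoEnabled() {
        return this.ssoEnabled;
    }

    @Generated
    public URI getUnauthorizedRedirectUrl() {
        return this.unauthorizedRedirectUrl;
    }

    @Generated
    public RegisteredServiceDelegatedAuthenticationPolicy getDelegatedAuthenticationPolicy() {
        return this.delegatedAuthenticationPolicy;
    }

    @Generated
    public boolean isRequireAllAttributes() {
        return this.requireAllAttributes;
    }

    @Generated
    public Map<String, Set<String>> getRejectedAttributes() {
        return this.rejectedAttributes;
    }

    @Generated
    public boolean isCaseInsensitive() {
        return this.caseInsensitive;
    }

    /**
     * Field-by-field equality over all nine configuration fields, with the usual
     * {@link #canEqual(Object)} hook for subclasses.
     */
    @Generated
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof DefaultRegisteredServiceAccessStrategy)) {
            return false;
        }
        final DefaultRegisteredServiceAccessStrategy other = (DefaultRegisteredServiceAccessStrategy) obj;
        return other.canEqual(this)
            && this.order == other.order
            && this.enabled == other.enabled
            && this.ssoEnabled == other.ssoEnabled
            && Objects.equals(this.unauthorizedRedirectUrl, other.unauthorizedRedirectUrl)
            && Objects.equals(this.delegatedAuthenticationPolicy, other.delegatedAuthenticationPolicy)
            && this.requireAllAttributes == other.requireAllAttributes
            && Objects.equals(this.requiredAttributes, other.requiredAttributes)
            && Objects.equals(this.rejectedAttributes, other.rejectedAttributes)
            && this.caseInsensitive == other.caseInsensitive;
    }

    @Generated
    protected boolean canEqual(Object obj) {
        return obj instanceof DefaultRegisteredServiceAccessStrategy;
    }

    /**
     * Hash over the same fields as {@link #equals(Object)}. The constants (59, 79/97, 43) and
     * the field order are kept exactly so that hash values do not change.
     */
    @Generated
    @Override
    public int hashCode() {
        final int prime = 59;
        int result = 1;
        result = result * prime + this.order;
        result = result * prime + (this.enabled ? 79 : 97);
        result = result * prime + (this.ssoEnabled ? 79 : 97);
        result = result * prime + (this.unauthorizedRedirectUrl == null ? 43 : this.unauthorizedRedirectUrl.hashCode());
        result = result * prime + (this.delegatedAuthenticationPolicy == null ? 43 : this.delegatedAuthenticationPolicy.hashCode());
        result = result * prime + (this.requireAllAttributes ? 79 : 97);
        result = result * prime + (this.requiredAttributes == null ? 43 : this.requiredAttributes.hashCode());
        result = result * prime + (this.rejectedAttributes == null ? 43 : this.rejectedAttributes.hashCode());
        result = result * prime + (this.caseInsensitive ? 79 : 97);
        return result;
    }

    @Generated
    public void setOrder(int i) {
        this.order = i;
    }

    @Generated
    public void setEnabled(boolean z) {
        this.enabled = z;
    }

    @Generated
    public void setSsoEnabled(boolean z) {
        this.ssoEnabled = z;
    }

    @Generated
    public void setUnauthorizedRedirectUrl(URI uri) {
        this.unauthorizedRedirectUrl = uri;
    }

    @Generated
    public void setDelegatedAuthenticationPolicy(RegisteredServiceDelegatedAuthenticationPolicy registeredServiceDelegatedAuthenticationPolicy) {
        this.delegatedAuthenticationPolicy = registeredServiceDelegatedAuthenticationPolicy;
    }

    @Generated
    public void setRequireAllAttributes(boolean z) {
        this.requireAllAttributes = z;
    }

    // The two rule-map setters store the argument as given, including null; the access
    // checks in this class treat a null rule map as "no rules of that kind".
    @Generated
    public void setRequiredAttributes(Map<String, Set<String>> map) {
        this.requiredAttributes = map;
    }

    @Generated
    public void setRejectedAttributes(Map<String, Set<String>> map) {
        this.rejectedAttributes = map;
    }

    @Generated
    public void setCaseInsensitive(boolean z) {
        this.caseInsensitive = z;
    }
}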
