package org.apereo.cas.web.flow.resolver.impl;

import com.google.common.base.Throwables;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.AuthenticationResultBuilder;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.HandlerResult;
import org.apereo.cas.authentication.MessageDescriptor;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.MultifactorAuthenticationProvider;
import org.apereo.cas.services.MultifactorAuthenticationProviderSelector;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceMultifactorPolicy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.validation.AuthenticationRequestServiceSelectionStrategy;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.support.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.binding.message.MessageBuilder;
import org.springframework.binding.message.MessageContext;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.web.util.CookieGenerator;
import org.springframework.webflow.core.collection.LocalAttributeMap;
import org.springframework.webflow.definition.TransitionDefinition;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/web/flow/resolver/impl/AbstractCasWebflowEventResolver.class */
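/**
 * Base class for CAS webflow event resolvers.
 *
 * <p>Holds the collaborators shared by concrete resolvers and provides helpers that finalize
 * authentication and issue or reuse a ticket-granting ticket, map principal attributes to
 * multifactor authentication events, and store or read the resolved events on the request context.
 *
 * <p>Several helpers return {@code null} rather than an empty collection when nothing is resolved;
 * callers must check for both.
 */
public abstract class AbstractCasWebflowEventResolver implements CasWebflowEventResolver {
    private static final String SUCCESS_WITH_WARNINGS = "successWithWarnings";
    private static final String RESOLVED_AUTHENTICATION_EVENTS = "resolvedAuthenticationEvents";
    protected transient Logger logger = LoggerFactory.getLogger(getClass());

    @Autowired
    protected ApplicationEventPublisher eventPublisher;

    @Autowired
    protected ConfigurableApplicationContext applicationContext;
    protected final AuthenticationSystemSupport authenticationSystemSupport;
    protected final TicketRegistrySupport ticketRegistrySupport;
    protected final ServicesManager servicesManager;
    protected final CentralAuthenticationService centralAuthenticationService;
    protected final CookieGenerator warnCookieGenerator;
    protected final MultifactorAuthenticationProviderSelector multifactorAuthenticationProviderSelector;
    protected final List<AuthenticationRequestServiceSelectionStrategy> authenticationRequestServiceSelectionStrategies;

    /**
     * Stores the collaborators used by the helper methods of this class.
     *
     * @param authenticationSystemSupport handles and finalizes authentication transactions
     * @param centralAuthenticationService creates, fetches, updates and destroys tickets
     * @param servicesManager stored for use by subclasses
     * @param ticketRegistrySupport looks up the authentication behind a ticket-granting ticket id
     * @param cookieGenerator generator for the warn cookie
     * @param list strategies used to resolve the service of an authentication request
     * @param multifactorAuthenticationProviderSelector picks one provider out of several candidates
     */
    public AbstractCasWebflowEventResolver(AuthenticationSystemSupport authenticationSystemSupport, CentralAuthenticationService centralAuthenticationService, ServicesManager servicesManager, TicketRegistrySupport ticketRegistrySupport, CookieGenerator cookieGenerator, List<AuthenticationRequestServiceSelectionStrategy> list, MultifactorAuthenticationProviderSelector multifactorAuthenticationProviderSelector) {
        this.authenticationSystemSupport = authenticationSystemSupport;
        this.centralAuthenticationService = centralAuthenticationService;
        this.servicesManager = servicesManager;
        this.ticketRegistrySupport = ticketRegistrySupport;
        this.warnCookieGenerator = cookieGenerator;
        this.authenticationRequestServiceSelectionStrategies = list;
        this.multifactorAuthenticationProviderSelector = multifactorAuthenticationProviderSelector;
    }

    /**
     * Adds the descriptor to the message context as a warning message.
     *
     * @param messageContext the context that receives the message
     * @param messageDescriptor supplies the code, default text and arguments of the message
     */
    protected static void addMessageDescriptorToMessageContext(MessageContext messageContext, MessageDescriptor messageDescriptor) {
        messageContext.addMessage(new MessageBuilder()
                .warning()
                .code(messageDescriptor.getCode())
                .defaultText(messageDescriptor.getDefaultMessage())
                .args(messageDescriptor.getParams())
                .build());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates an event with this resolver as its source.
     *
     * @param str the event id
     * @return the new event
     */
    public Event newEvent(String str) {
        return new Event(this, str);
    }

    /**
     * Copies every warning of every successful handler result of the ticket's authentication
     * into the message context.
     *
     * @param ticketGrantingTicket the ticket whose authentication is inspected
     * @param messageContext the context that receives the warnings
     * @return {@code true} if at least one warning was added
     */
    private static boolean addWarningMessagesToMessageContextIfNeeded(TicketGrantingTicket ticketGrantingTicket, MessageContext messageContext) {
        boolean warningsAdded = false;
        for (HandlerResult handlerResult : ticketGrantingTicket.getAuthentication().getSuccesses().values()) {
            for (MessageDescriptor warning : handlerResult.getWarnings()) {
                addMessageDescriptorToMessageContext(messageContext, warning);
                warningsAdded = true;
            }
        }
        return warningsAdded;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates an event with this resolver as its source and the exception stored under the
     * {@code "error"} attribute.
     *
     * @param str the event id
     * @param exc the exception to attach
     * @return the new event
     */
    public Event newEvent(String str, Exception exc) {
        return new Event(this, str, new LocalAttributeMap<>("error", exc));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reads the credential from the request context.
     *
     * @param requestContext the current request context
     * @return whatever {@code WebUtils.getCredential} returns for the context
     */
    public Credential getCredentialFromContext(RequestContext requestContext) {
        return WebUtils.getCredential(requestContext);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Finalizes the authentication transactions and puts a ticket-granting ticket for the result
     * into the request context.
     *
     * <p>The ticket already present in the context is reused, with its authentication updated,
     * only when the principal behind it equals the principal of the new authentication. In every
     * other case a new ticket is created. An existing ticket id with no authentication behind it
     * is destroyed first.
     *
     * @param requestContext the current request context
     * @param authenticationResultBuilder builder holding the collected authentications
     * @param service the service the authentication is finalized for
     * @return a {@code successWithWarnings} event if handler warnings were added to the message
     *     context, otherwise a {@code success} event
     * @throws Exception if finalizing the authentication or any ticket operation fails
     */
    public Event grantTicketGrantingTicketToAuthenticationResult(RequestContext requestContext, AuthenticationResultBuilder authenticationResultBuilder, Service service) throws Exception {
        this.logger.debug("Finalizing authentication transactions and issuing ticket-granting ticket");
        AuthenticationResult authenticationResult = this.authenticationSystemSupport.finalizeAllAuthenticationTransactions(authenticationResultBuilder, service);
        Authentication authentication = authenticationResult.getAuthentication();
        String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(requestContext);

        boolean issueNewTicket = true;
        if (StringUtils.isNotBlank(ticketGrantingTicketId)) {
            this.logger.debug("Located ticket-granting ticket in the context. Retrieving associated authentication");
            Authentication existingAuthentication = this.ticketRegistrySupport.getAuthenticationFrom(ticketGrantingTicketId);
            if (existingAuthentication == null) {
                this.logger.debug("Authentication session associated with {} is no longer valid", ticketGrantingTicketId);
                this.centralAuthenticationService.destroyTicketGrantingTicket(ticketGrantingTicketId);
            } else if (authentication.getPrincipal().equals(existingAuthentication.getPrincipal())) {
                this.logger.debug("Resulting authentication matches the authentication from context");
                issueNewTicket = false;
            } else {
                // A different principal never inherits the existing session; a fresh ticket is issued below.
                // NOTE(review): the previous ticket is not destroyed on this path; confirm it is invalidated elsewhere.
                this.logger.debug("Resulting authentication is different from the context");
            }
        }

        TicketGrantingTicket ticket;
        if (issueNewTicket) {
            ticket = this.centralAuthenticationService.createTicketGrantingTicket(authenticationResult);
        } else {
            ticket = this.centralAuthenticationService.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
            ticket.getAuthentication().update(authentication);
            this.centralAuthenticationService.updateTicket(ticket);
        }

        WebUtils.putTicketGrantingTicketInScopes(requestContext, ticket);
        WebUtils.putAuthenticationResult(authenticationResult, requestContext);
        WebUtils.putAuthentication(ticket.getAuthentication(), requestContext);
        if (addWarningMessagesToMessageContextIfNeeded(ticket, requestContext.getMessageContext())) {
            return newEvent(SUCCESS_WITH_WARNINGS);
        }
        return newEvent("success");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves the multifactor providers named by the service's multifactor policy.
     *
     * <p>Provider ids that cannot be matched to a bean in the application context are dropped
     * without an error, so the result may be smaller than the configured list, or empty.
     *
     * @param registeredService the service whose policy is read
     * @return the matched providers, or {@code null} if the service has no multifactor policy
     */
    public Collection<MultifactorAuthenticationProvider> getAuthenticationProviderForService(RegisteredService registeredService) {
        RegisteredServiceMultifactorPolicy multifactorPolicy = registeredService.getMultifactorPolicy();
        if (multifactorPolicy == null) {
            return null;
        }
        return multifactorPolicy.getMultifactorAuthenticationProviders().stream()
                .map(this::getMultifactorAuthenticationProviderFromApplicationContext)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .collect(Collectors.toSet());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds an event for the id and checks that the current flow state has a transition for it.
     *
     * @param str the event id
     * @param requestContext the context asked for a matching transition
     * @param map attributes attached to the event
     * @return the event, when a matching transition exists
     * @throws RuntimeException when no transition matches or any other failure occurs; the
     *     failure is passed through {@code Throwables.propagate}
     */
    public Event validateEventIdForMatchingTransitionInContext(String str, RequestContext requestContext, Map<String, Object> map) {
        try {
            Event event = new Event(this, str, new LocalAttributeMap<>(map));
            this.logger.debug("Resulting event id is [{}]. Locating transitions in the context for that event id...", event.getId());
            TransitionDefinition transition = requestContext.getMatchingTransition(event.getId());
            if (transition == null) {
                this.logger.warn("Transition definition cannot be found for event [{}]", event.getId());
                throw new AuthenticationException();
            }
            this.logger.debug("Found matching transition [{}] with target [{}] for event [{}] with attributes {}.",
                    transition.getId(), transition.getTargetStateId(), event.getId(), event.getAttributes());
            return event;
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds the attribute map attached to a multifactor event, keyed by the class names of
     * {@code Principal}, {@code RegisteredService} and {@code MultifactorAuthenticationProvider}.
     *
     * @param principal the authenticated principal
     * @param registeredService the service being accessed
     * @param multifactorAuthenticationProvider the selected provider
     * @return a new mutable map with the three entries
     */
    public static Map<String, Object> buildEventAttributeMap(Principal principal, RegisteredService registeredService, MultifactorAuthenticationProvider multifactorAuthenticationProvider) {
        Map<String, Object> attributes = new HashMap<>();
        attributes.put(Principal.class.getName(), principal);
        attributes.put(RegisteredService.class.getName(), registeredService);
        attributes.put(MultifactorAuthenticationProvider.class.getName(), multifactorAuthenticationProvider);
        return attributes;
    }

    /**
     * Resolves multifactor events from a multi-valued principal attribute.
     *
     * <p>Each value that satisfies the predicate, while the provider is available for the service,
     * contributes one event. A failure while processing one value is logged and that value is
     * skipped.
     *
     * @param principal the authenticated principal
     * @param obj the attribute value, expected to be a {@code Collection} of strings
     * @param registeredService the service being accessed
     * @param requestContext the current request context
     * @param multifactorAuthenticationProvider the provider whose id becomes the event id
     * @param predicate decides whether an attribute value triggers the provider
     * @return the resolved events (possibly empty), or {@code null} if {@code obj} is not a collection
     * @throws ClassCastException if the collection holds an element that is not a {@code String}
     */
    private Set<Event> resolveEventViaMultivaluedPrincipalAttribute(Principal principal, Object obj, RegisteredService registeredService, RequestContext requestContext, MultifactorAuthenticationProvider multifactorAuthenticationProvider, Predicate<String> predicate) {
        if (!(obj instanceof Collection)) {
            this.logger.debug("Attribute value {} of type {} is not a multi-valued attribute", obj, obj.getClass());
            return null;
        }
        this.logger.debug("Attribute value {} is a multi-valued attribute", obj);
        Set<Event> events = new HashSet<>();
        for (Object rawValue : (Collection<?>) obj) {
            // Cast outside the try block: a non-String element reaches the caller as ClassCastException.
            String value = (String) rawValue;
            try {
                if (predicate.test(value)) {
                    this.logger.debug("Attribute value predicate {} has successfully matched the [{}]", predicate, value);
                    this.logger.debug("Attempting to verify multifactor authentication provider {} for {}", multifactorAuthenticationProvider, registeredService);
                    if (multifactorAuthenticationProvider.isAvailable(registeredService)) {
                        this.logger.debug("Provider {} is successfully verified", multifactorAuthenticationProvider);
                        events.add(validateEventIdForMatchingTransitionInContext(multifactorAuthenticationProvider.getId(), requestContext, buildEventAttributeMap(principal, registeredService, multifactorAuthenticationProvider)));
                    } else {
                        this.logger.debug("Provider {} could not be verified", multifactorAuthenticationProvider);
                    }
                } else {
                    this.logger.debug("Attribute value predicate {} could not match the [{}]", predicate, value);
                }
            } catch (Exception e) {
                // The failure may come from the predicate, the provider availability check or the
                // transition lookup, so log the cause instead of assuming a missing transition.
                // NOTE(review): a skipped value contributes no multifactor event; confirm callers do not
                // treat an empty result after such failures as "multifactor not required".
                this.logger.warn("Ignoring attribute value [{}]; no multifactor event could be resolved for it", value, e);
            }
        }
        return events;
    }

    /**
     * Resolves a multifactor event from a single-valued (string) principal attribute.
     *
     * @param principal the authenticated principal
     * @param obj the attribute value
     * @param registeredService the service being accessed
     * @param requestContext the current request context
     * @param multifactorAuthenticationProvider the provider whose id becomes the event id
     * @param predicate decides whether the attribute value triggers the provider
     * @return a singleton set with the event when the value is a string, matches the predicate and
     *     the provider is available; otherwise {@code null}
     * @throws RuntimeException on any failure, passed through {@code Throwables.propagate}
     */
    private Set<Event> resolveEventViaSinglePrincipalAttribute(Principal principal, Object obj, RegisteredService registeredService, RequestContext requestContext, MultifactorAuthenticationProvider multifactorAuthenticationProvider, Predicate<String> predicate) {
        try {
            if (obj instanceof String) {
                this.logger.debug("Attribute value {} is a single-valued attribute", obj);
                if (predicate.test((String) obj)) {
                    this.logger.debug("Attribute value predicate {} has matched the [{}]", predicate, obj);
                    this.logger.debug("Attempting to isAvailable multifactor authentication provider {} for {}", multifactorAuthenticationProvider, registeredService);
                    if (multifactorAuthenticationProvider.isAvailable(registeredService)) {
                        this.logger.debug("Provider {} is successfully verified", multifactorAuthenticationProvider);
                        return Collections.singleton(validateEventIdForMatchingTransitionInContext(multifactorAuthenticationProvider.getId(), requestContext, buildEventAttributeMap(principal, registeredService, multifactorAuthenticationProvider)));
                    }
                    this.logger.debug("Provider {} could not be verified", multifactorAuthenticationProvider);
                } else {
                    this.logger.debug("Attribute value predicate {} could not match the [{}]", predicate, obj);
                }
            } else {
                // Only report "not single-valued" when the value really is not a String.
                this.logger.debug("Attribute value {} is not a single-valued attribute", obj);
            }
            return null;
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves multifactor events from the first principal attribute that yields any.
     *
     * <p>For each attribute name with a value, a provider is selected, the value is tried as a
     * single string and then as a collection, and the first non-empty result is returned.
     *
     * @param principal the authenticated principal
     * @param collection names of the principal attributes to inspect, in order
     * @param registeredService the service being accessed
     * @param requestContext the current request context
     * @param collection2 candidate multifactor providers
     * @param predicate decides whether an attribute value triggers the provider
     * @return the resolved events, or {@code null} when there are no providers or nothing matched
     */
    public Set<Event> resolveEventViaPrincipalAttribute(Principal principal, Collection<String> collection, RegisteredService registeredService, RequestContext requestContext, Collection<MultifactorAuthenticationProvider> collection2, Predicate<String> predicate) {
        if (collection2 == null || collection2.isEmpty()) {
            this.logger.debug("No authentication provider is associated with this service");
            return null;
        }
        this.logger.debug("Locating principal attribute value for attribute(s): {}", collection);
        for (String attributeName : collection) {
            Object attributeValue = principal.getAttributes().get(attributeName);
            if (attributeValue == null) {
                this.logger.debug("Attribute value for {} to determine event is not configured for {}", attributeName, principal.getId());
                continue;
            }
            this.logger.debug("Selecting a multifactor authentication provider out of {} for {} and service {}", collection2, principal.getId(), registeredService);
            MultifactorAuthenticationProvider provider = this.multifactorAuthenticationProviderSelector.resolve(collection2, registeredService, principal);
            this.logger.debug("Located principal attribute value {} for {}", attributeValue, collection);

            Set<Event> events = resolveEventViaSinglePrincipalAttribute(principal, attributeValue, registeredService, requestContext, provider, predicate);
            if (events == null || events.isEmpty()) {
                events = resolveEventViaMultivaluedPrincipalAttribute(principal, attributeValue, registeredService, requestContext, provider, predicate);
            }
            if (events != null && !events.isEmpty()) {
                this.logger.debug("Resolved set of events based the principal attribute {} are {}", attributeName, events);
                return events;
            }
        }
        this.logger.debug("No set of events based the principal attribute(s) {} could be matched", collection);
        return null;
    }

    /**
     * Applies the warn-cookie and public-workstation request parameters to the context, then
     * delegates to {@code resolveInternal}.
     *
     * @param requestContext the current request context
     * @return the events produced by {@code resolveInternal}
     */
    @Override // org.apereo.cas.web.flow.resolver.CasWebflowEventResolver
    public Set<Event> resolve(RequestContext requestContext) {
        WebUtils.putWarnCookieIfRequestParameterPresent(this.warnCookieGenerator, requestContext);
        WebUtils.putPublicWorkstationToFlowIfRequestParameterPresent(requestContext);
        return resolveInternal(requestContext);
    }

    /**
     * Resolves events and returns the first one in the set's iteration order.
     *
     * @param requestContext the current request context
     * @return the first resolved event, or {@code null} if none was resolved
     */
    @Override // org.apereo.cas.web.flow.resolver.CasWebflowEventResolver
    public Event resolveSingle(RequestContext requestContext) {
        Set<Event> events = resolve(requestContext);
        if (events == null || events.isEmpty()) {
            return null;
        }
        Event first = events.iterator().next();
        this.logger.debug("Resolved single event [{}] via [{}] for this context", first.getId(), first.getSource().getClass().getName());
        return first;
    }

    /**
     * Finds the first multifactor provider bean in the application context that matches the id.
     *
     * @param str the provider id to match
     * @return the matching provider, or an empty optional if none matches or the lookup fails
     */
    protected Optional<MultifactorAuthenticationProvider> getMultifactorAuthenticationProviderFromApplicationContext(String str) {
        try {
            this.logger.debug("Locating bean definition for {}", str);
            return this.applicationContext.getBeansOfType(MultifactorAuthenticationProvider.class, false, true)
                    .values()
                    .stream()
                    .filter(provider -> provider.matches(str))
                    .findFirst();
        } catch (Exception e) {
            // Best effort: a failed lookup is reported as "no provider" rather than raised.
            this.logger.debug("Could not locate [{}] bean id in the application context as an authentication provider.", str);
            return Optional.empty();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Stores the resolved events as a request-context attribute.
     *
     * @param requestContext the current request context
     * @param set the events to store
     */
    public void putResolvedEventsAsAttribute(RequestContext requestContext, Set<Event> set) {
        requestContext.getAttributes().put(RESOLVED_AUTHENTICATION_EVENTS, set);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves the service through the first strategy, in sorted order, that supports it.
     *
     * @param service the service of the authentication request
     * @return the service produced by the selected strategy
     * @throws java.util.NoSuchElementException if no configured strategy supports the service
     */
    public Service resolveServiceFromAuthenticationRequest(Service service) {
        return this.authenticationRequestServiceSelectionStrategies.stream()
                .sorted()
                .filter(strategy -> strategy.supports(service))
                .findFirst()
                // Same exception type as an unchecked Optional.get(), but with a message that names the cause.
                .orElseThrow(() -> new java.util.NoSuchElementException(
                        "No authentication request service selection strategy supports the given service"))
                .resolveServiceFrom(service);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reads the events previously stored by {@link #putResolvedEventsAsAttribute}.
     *
     * @param requestContext the current request context
     * @return the stored attribute value as returned by the context's attribute map
     */
    public Set<Event> getResolvedEventsAsAttribute(RequestContext requestContext) {
        return (Set) requestContext.getAttributes().get(RESOLVED_AUTHENTICATION_EVENTS, Set.class);
    }

    /**
     * Runs the authentication transaction for the credential in the context and issues a
     * ticket-granting ticket for the result.
     *
     * @param requestContext the current request context
     * @return a singleton set holding the event of the ticket grant, or an {@code error} event
     *     if anything fails
     */
    protected Set<Event> handleAuthenticationTransactionAndGrantTicketGrantingTicket(RequestContext requestContext) {
        try {
            Credential credential = getCredentialFromContext(requestContext);
            AuthenticationResultBuilder currentBuilder = WebUtils.getAuthenticationResultBuilder(requestContext);
            // NOTE(review): the credential object is logged; assumes its toString() exposes no secret; confirm.
            this.logger.debug("Handling authentication transaction for credential {}", credential);
            AuthenticationResultBuilder updatedBuilder = this.authenticationSystemSupport.handleAuthenticationTransaction(currentBuilder, new Credential[]{credential});
            WebApplicationService service = WebUtils.getService(requestContext);
            this.logger.debug("Issuing ticket-granting tickets for service {}", service);
            Event event = grantTicketGrantingTicketToAuthenticationResult(requestContext, updatedBuilder, service);
            return Collections.singleton(event);
        } catch (Exception e) {
            // Any failure ends in the "error" event; the exception is logged but not attached to the event.
            this.logger.error(e.getMessage(), e);
            return Collections.singleton(new Event(this, "error"));
        }
    }
}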
