package org.apereo.cas;

import java.util.HashMap;
import java.util.Map;
import lombok.Generated;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationBuilder;
import org.apereo.cas.authentication.AuthenticationCredentialsThreadLocalBinder;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.ContextualAuthenticationPolicyFactory;
import org.apereo.cas.authentication.DefaultAuthenticationBuilder;
import org.apereo.cas.authentication.exceptions.MixedPrincipalException;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceMatchingStrategy;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy;
import org.apereo.cas.services.ServiceContext;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedProxyingException;
import org.apereo.cas.services.UnauthorizedSsoServiceException;
import org.apereo.cas.support.events.ticket.CasProxyGrantingTicketCreatedEvent;
import org.apereo.cas.support.events.ticket.CasProxyTicketGrantedEvent;
import org.apereo.cas.support.events.ticket.CasServiceTicketGrantedEvent;
import org.apereo.cas.support.events.ticket.CasServiceTicketValidatedEvent;
import org.apereo.cas.support.events.ticket.CasTicketGrantingTicketCreatedEvent;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.InvalidTicketException;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.TicketFactory;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.TicketState;
import org.apereo.cas.ticket.UnrecognizableServiceForServiceTicketValidationException;
import org.apereo.cas.ticket.proxy.ProxyGrantingTicket;
import org.apereo.cas.ticket.proxy.ProxyTicket;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.validation.Assertion;
import org.apereo.cas.validation.DefaultAssertionBuilder;
import org.apereo.inspektr.audit.annotation.Audit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.transaction.annotation.Transactional;

@Transactional(transactionManager = "ticketTransactionManager")
public class DefaultCentralAuthenticationService extends AbstractCentralAuthenticationService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultCentralAuthenticationService.class);

    private static final long serialVersionUID = -8943828074939533986L;

    /**
     * Monitor that serialises the expiry check, service-match check and usage update
     * performed on a service ticket inside {@link #validateServiceTicket}. Presumably this
     * keeps two concurrent validations of the same ticket id from both passing the expiry
     * check — confirm against the semantics of {@code TicketState#update()}.
     */
    private final transient Object serviceTicketValidationLock;

    /**
     * Creates the service; every collaborator is handed to the superclass unchanged.
     */
    public DefaultCentralAuthenticationService(ApplicationEventPublisher applicationEventPublisher, TicketRegistry ticketRegistry, ServicesManager servicesManager, TicketFactory ticketFactory, AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan, ContextualAuthenticationPolicyFactory<ServiceContext> contextualAuthenticationPolicyFactory, PrincipalFactory principalFactory, CipherExecutor<String, String> cipherExecutor, AuditableExecution auditableExecution, ServiceMatchingStrategy serviceMatchingStrategy) {
        super(applicationEventPublisher, ticketRegistry, servicesManager, ticketFactory, authenticationServiceSelectionPlan, contextualAuthenticationPolicyFactory, principalFactory, cipherExecutor, auditableExecution, serviceMatchingStrategy);
        this.serviceTicketValidationLock = new Object();
    }

    /**
     * Issues a service ticket for {@code service} on behalf of the ticket-granting ticket
     * identified by {@code str}.
     * <p>
     * All checks run before anything is written to the registry, in this order: registered-service
     * access (via the access-strategy enforcer), mixed-principal detection between the supplied
     * authentication and the one bound to the TGT, SSO-participation policy, proxied-service
     * evaluation, and the contextual authentication policy for the service.
     *
     * @param str                  id of the ticket-granting ticket
     * @param service              service requesting the ticket; passed through
     *                             {@code resolveServiceFromAuthenticationRequest} before use
     * @param authenticationResult optional fresh authentication; when present, its
     *                             {@code isCredentialProvided()} flag is forwarded to the ticket factory
     * @return the newly registered service ticket
     * @throws AuthenticationException if the authentication does not satisfy the service's policy
     * @throws AbstractTicketException if the TGT cannot be retrieved or is otherwise unusable
     */
    @Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
    public ServiceTicket grantServiceTicket(String str, Service service, AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
        boolean credentialProvided = authenticationResult != null && authenticationResult.isCredentialProvided();
        TicketGrantingTicket ticketGrantingTicket = getTicket(str, TicketGrantingTicket.class);
        Service selectedService = resolveServiceFromAuthenticationRequest(service);
        RegisteredService registeredService = this.servicesManager.findServiceBy(selectedService);

        // Authorization gates; each one throws rather than returning a status.
        enforceRegisteredServiceAccess(selectedService, ticketGrantingTicket, registeredService);
        Authentication currentAuthentication = evaluatePossibilityOfMixedPrincipals(authenticationResult, ticketGrantingTicket);
        RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(registeredService, selectedService, ticketGrantingTicket, credentialProvided);
        evaluateProxiedServiceIfNeeded(selectedService, ticketGrantingTicket, registeredService);
        getAuthenticationSatisfiedByPolicy(currentAuthentication, new ServiceContext(selectedService, registeredService));

        // The principal reported (and bound to the thread) is the one at the root of the TGT chain.
        Authentication rootAuthentication = ticketGrantingTicket.getRoot().getAuthentication();
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(rootAuthentication);
        Principal principal = rootAuthentication.getPrincipal();

        ServiceTicket serviceTicket = this.ticketFactory.get(ServiceTicket.class).create(ticketGrantingTicket, selectedService, credentialProvided, ServiceTicket.class);
        this.ticketRegistry.updateTicket(ticketGrantingTicket);
        this.ticketRegistry.addTicket(serviceTicket);
        LOGGER.info("Granted service ticket [{}] for service [{}] and principal [{}]", serviceTicket.getId(), DigestUtils.abbreviate(selectedService.getId()), principal.getId());
        doPublishEvent(new CasServiceTicketGrantedEvent(this, ticketGrantingTicket, serviceTicket));
        return serviceTicket;
    }

    /**
     * Issues a proxy ticket for {@code service} from the proxy-granting ticket identified by {@code str}.
     * <p>
     * Any exception raised after the PGT lookup — access denied, SSO policy, proxy evaluation,
     * authentication policy or a registry failure — is logged at warn level and then collapsed
     * into a single {@link UnauthorizedSsoServiceException} without the original attached as a
     * cause, so the warn log entry is the only place the root cause is visible.
     *
     * @param str     id of the proxy-granting ticket
     * @param service service the proxy ticket is requested for
     * @return the newly registered proxy ticket
     * @throws AbstractTicketException if the PGT cannot be retrieved
     */
    @Audit(action = "PROXY_TICKET", actionResolverName = "GRANT_PROXY_TICKET_RESOLVER", resourceResolverName = "GRANT_PROXY_TICKET_RESOURCE_RESOLVER")
    public ProxyTicket grantProxyTicket(String str, Service service) throws AbstractTicketException {
        ProxyGrantingTicket proxyGrantingTicket = getTicket(str, ProxyGrantingTicket.class);
        RegisteredService registeredService = this.servicesManager.findServiceBy(service);
        try {
            enforceRegisteredServiceAccess(service, (TicketGrantingTicket) proxyGrantingTicket, registeredService);
            RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(registeredService, service, proxyGrantingTicket);
            evaluateProxiedServiceIfNeeded(service, proxyGrantingTicket, registeredService);

            Authentication rootAuthentication = proxyGrantingTicket.getRoot().getAuthentication();
            getAuthenticationSatisfiedByPolicy(rootAuthentication, new ServiceContext(service, registeredService));
            AuthenticationCredentialsThreadLocalBinder.bindCurrent(rootAuthentication);
            Principal principal = rootAuthentication.getPrincipal();

            ProxyTicket proxyTicket = this.ticketFactory.get(ProxyTicket.class).create(proxyGrantingTicket, service, ProxyTicket.class);
            this.ticketRegistry.updateTicket(proxyGrantingTicket);
            this.ticketRegistry.addTicket(proxyTicket);
            LOGGER.info("Granted proxy ticket [{}] for service [{}] for user [{}]", proxyTicket.getId(), service.getId(), principal.getId());
            doPublishEvent(new CasProxyTicketGrantedEvent(this, proxyGrantingTicket, proxyTicket));
            return proxyTicket;
        } catch (Exception e) {
            // Deliberate collapse of every failure mode into one unauthorized response;
            // the underlying reason is only recorded in the log.
            LoggingUtils.warn(LOGGER, e);
            throw new UnauthorizedSsoServiceException();
        }
    }

    /**
     * Creates a proxy-granting ticket from the service ticket identified by {@code str}.
     * <p>
     * The service ticket must exist and be unexpired; the registered service behind it must
     * pass the access-strategy enforcer and its proxy policy must allow proxying. Only then is
     * the PGT created and added to the registry.
     *
     * @param str                  id of the service ticket being upgraded
     * @param authenticationResult authentication to bind to the new PGT
     * @return the newly registered proxy-granting ticket
     * @throws AuthenticationException if raised by the access enforcer
     * @throws AbstractTicketException if the service ticket is missing or expired
     */
    @Audit(action = "PROXY_GRANTING_TICKET", actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
    public ProxyGrantingTicket createProxyGrantingTicket(String str, AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(authenticationResult.getAuthentication());

        ServiceTicket serviceTicket = this.ticketRegistry.getTicket(str, ServiceTicket.class);
        boolean unusable = serviceTicket == null || serviceTicket.isExpired();
        if (unusable) {
            LOGGER.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", str);
            throw new InvalidTicketException(str);
        }

        RegisteredService registeredService = this.servicesManager.findServiceBy(serviceTicket.getService());
        AuditableContext accessContext = AuditableContext.builder()
            .serviceTicket(serviceTicket)
            .authenticationResult(authenticationResult)
            .registeredService(registeredService)
            .build();
        this.registeredServiceAccessStrategyEnforcer.execute(accessContext).throwExceptionIfNeeded();

        // Proxying is opt-in per registered service.
        if (!registeredService.getProxyPolicy().isAllowedToProxy()) {
            LOGGER.warn("Service [{}] attempted to proxy, but is not allowed.", serviceTicket.getService().getId());
            throw new UnauthorizedProxyingException();
        }

        ProxyGrantingTicket proxyGrantingTicket = this.ticketFactory.get(ProxyGrantingTicket.class).create(serviceTicket, authenticationResult.getAuthentication(), ProxyGrantingTicket.class);
        LOGGER.debug("Generated proxy granting ticket [{}] based off of [{}]", proxyGrantingTicket, str);
        this.ticketRegistry.addTicket(proxyGrantingTicket);
        doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, proxyGrantingTicket));
        return proxyGrantingTicket;
    }

    /**
     * Validates the service ticket identified by {@code str} against {@code service} and builds
     * the assertion released to that service.
     * <p>
     * Sequence: the ticket id is first checked for authenticity (before any registry lookup),
     * then looked up; under {@link #serviceTicketValidationLock} it is checked for expiry and
     * matched against the supplied service via the service-matching strategy, and its state is
     * updated. The registered service's access policy, authentication policy, attribute-release
     * policy and username provider are then applied, the access enforcer is run once more on the
     * authentication actually being released, and the assertion is built. Whatever happens, the
     * ticket is afterwards either deleted (if now expired) or written back to the registry.
     *
     * @param str     id of the service ticket
     * @param service service presenting the ticket for validation
     * @return the assertion for the validated ticket
     * @throws AbstractTicketException if the ticket is inauthentic, missing, expired, or does
     *                                 not match {@code service}
     */
    @Audit(action = "SERVICE_TICKET_VALIDATE", actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER", resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
    public Assertion validateServiceTicket(String str, Service service) throws AbstractTicketException {
        if (!isTicketAuthenticityVerified(str)) {
            LOGGER.info("Service ticket [{}] is not a valid ticket issued by CAS.", str);
            throw new InvalidTicketException(str);
        }
        ServiceTicket serviceTicket = this.ticketRegistry.getTicket(str, ServiceTicket.class);
        if (serviceTicket == null) {
            LOGGER.warn("Service ticket [{}] does not exist.", str);
            throw new InvalidTicketException(str);
        }
        try {
            Service ticketService = resolveServiceFromAuthenticationRequest(serviceTicket.getService());
            Service requestedService = resolveServiceFromAuthenticationRequest(service);
            LOGGER.debug("Resolved service [{}] from the authentication request with service [{}] linked to service ticket [{}]", requestedService, ticketService, serviceTicket.getId());

            synchronized (this.serviceTicketValidationLock) {
                if (serviceTicket.isExpired()) {
                    LOGGER.info("ServiceTicket [{}] has expired.", str);
                    throw new InvalidTicketException(str);
                }
                // The ticket is only honoured for the service it was issued to.
                if (!this.serviceMatchingStrategy.matches(ticketService, requestedService)) {
                    LOGGER.error("Service ticket [{}] with service [{}] does not match supplied service [{}]", str, serviceTicket.getService().getId(), requestedService.getId());
                    throw new UnrecognizableServiceForServiceTicketValidationException(ticketService);
                }
                TicketState.class.cast(serviceTicket).update();
            }

            RegisteredService registeredService = this.servicesManager.findServiceBy(ticketService);
            LOGGER.trace("Located registered service definition [{}] from [{}] to handle validation request", registeredService, ticketService);
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(ticketService, registeredService);

            Authentication authentication = getAuthenticationSatisfiedByPolicy(serviceTicket.getTicketGrantingTicket().getRoot().getAuthentication(), new ServiceContext(ticketService, registeredService));
            Principal principal = authentication.getPrincipal();

            RegisteredServiceAttributeReleasePolicy releasePolicy = registeredService.getAttributeReleasePolicy();
            LOGGER.debug("Attribute policy [{}] is associated with service [{}]", releasePolicy, registeredService);
            Map attributes;
            if (releasePolicy == null) {
                attributes = new HashMap();
            } else {
                attributes = releasePolicy.getAttributes(principal, ticketService, registeredService);
            }
            LOGGER.debug("Calculated attributes for release per the release policy are [{}]", attributes.keySet());

            String username = registeredService.getUsernameAttributeProvider().resolveUsername(principal, ticketService, registeredService);
            AuthenticationBuilder authenticationBuilder = DefaultAuthenticationBuilder.of(principal, this.principalFactory, attributes, ticketService, registeredService, authentication);
            LOGGER.debug("Principal determined for release to [{}] is [{}]", registeredService.getServiceId(), username);

            // Access is re-checked against the authentication that will actually be released.
            Authentication releasedAuthentication = authenticationBuilder.build();
            enforceRegisteredServiceAccess(releasedAuthentication, ticketService, registeredService);
            AuthenticationCredentialsThreadLocalBinder.bindCurrent(releasedAuthentication);

            Assertion assertion = new DefaultAssertionBuilder(releasedAuthentication)
                .with(ticketService)
                .with(serviceTicket.getTicketGrantingTicket().getChainedAuthentications())
                .with(serviceTicket.isFromNewLogin())
                .build();
            doPublishEvent(new CasServiceTicketValidatedEvent(this, serviceTicket, assertion));
            persistServiceTicketState(serviceTicket, str);
            return assertion;
        } catch (Throwable th) {
            persistServiceTicketState(serviceTicket, str);
            throw th;
        }
    }

    /**
     * Writes the post-validation state of a service ticket back: an expired ticket is
     * deleted, any other is updated in the registry. Invoked on both the success and
     * the failure path of {@link #validateServiceTicket}.
     *
     * @param serviceTicket ticket whose state was touched during validation
     * @param ticketId      id used for deletion
     */
    private void persistServiceTicketState(ServiceTicket serviceTicket, String ticketId) throws AbstractTicketException {
        if (serviceTicket.isExpired()) {
            deleteTicket(ticketId);
        } else {
            this.ticketRegistry.updateTicket(serviceTicket);
        }
    }

    /**
     * Creates a ticket-granting ticket for the given authentication result.
     * <p>
     * When the result carries a service, that service is resolved and the access enforcer is run
     * for it before the TGT is created; the TGT is then created with the resolved service (or
     * {@code null} when none was supplied).
     *
     * @param authenticationResult the completed authentication
     * @return the newly registered ticket-granting ticket
     * @throws AuthenticationException if raised by the access enforcer
     * @throws AbstractTicketException if ticket creation or registration fails
     */
    @Audit(action = "TICKET_GRANTING_TICKET", actionResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    public TicketGrantingTicket createTicketGrantingTicket(AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
        Authentication authentication = authenticationResult.getAuthentication();
        Service requestedService = authenticationResult.getService();
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(authentication);

        Service selectedService = null;
        if (requestedService != null) {
            selectedService = resolveServiceFromAuthenticationRequest(requestedService);
            LOGGER.debug("Resolved service [{}] from the authentication request", selectedService);
            enforceRegisteredServiceAccess(authentication, selectedService, this.servicesManager.findServiceBy(selectedService));
        }

        TicketGrantingTicket ticketGrantingTicket = this.ticketFactory.get(TicketGrantingTicket.class).create(authentication, selectedService, TicketGrantingTicket.class);
        this.ticketRegistry.addTicket(ticketGrantingTicket);
        doPublishEvent(new CasTicketGrantingTicketCreatedEvent(this, ticketGrantingTicket));
        return ticketGrantingTicket;
    }

    /**
     * Runs the registered-service access enforcer for an authentication/service pair and throws
     * whatever it reports. Principal attributes are not fetched from the release policy here.
     */
    private void enforceRegisteredServiceAccess(Authentication authentication, Service service, RegisteredService registeredService) {
        AuditableContext context = AuditableContext.builder()
            .service(service)
            .authentication(authentication)
            .registeredService(registeredService)
            .retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE)
            .build();
        this.registeredServiceAccessStrategyEnforcer.execute(context).throwExceptionIfNeeded();
    }

    /**
     * Runs the registered-service access enforcer for a TGT/service pair and throws whatever it
     * reports. Principal attributes are not fetched from the release policy here.
     */
    private void enforceRegisteredServiceAccess(Service service, TicketGrantingTicket ticketGrantingTicket, RegisteredService registeredService) {
        AuditableContext context = AuditableContext.builder()
            .service(service)
            .ticketGrantingTicket(ticketGrantingTicket)
            .registeredService(registeredService)
            .retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE)
            .build();
        this.registeredServiceAccessStrategyEnforcer.execute(context).throwExceptionIfNeeded();
    }

    /**
     * Rejects a request whose fresh authentication names a different principal than the one
     * bound to the ticket-granting ticket.
     *
     * @param authenticationResult result accompanying the request; may be {@code null}
     * @param ticketGrantingTicket TGT the request is made against
     * @return the authentication carried by {@code authenticationResult}, or {@code null} when
     *         the result or its authentication is absent
     * @throws MixedPrincipalException if the two principals are not equal
     */
    private static Authentication evaluatePossibilityOfMixedPrincipals(AuthenticationResult authenticationResult, TicketGrantingTicket ticketGrantingTicket) {
        if (authenticationResult == null) {
            return null;
        }
        Authentication requested = authenticationResult.getAuthentication();
        if (requested == null) {
            return null;
        }
        Principal requestedPrincipal = requested.getPrincipal();
        Principal ssoPrincipal = ticketGrantingTicket.getAuthentication().getPrincipal();
        if (!requestedPrincipal.equals(ssoPrincipal)) {
            throw new MixedPrincipalException(requested, requestedPrincipal, ssoPrincipal);
        }
        return requested;
    }
}
