package org.apereo.cas;

import java.util.Map;
import java.util.Objects;
import lombok.Generated;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationBuilder;
import org.apereo.cas.authentication.AuthenticationCredentialsThreadLocalBinder;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.CoreAuthenticationUtils;
import org.apereo.cas.authentication.DefaultAuthenticationBuilder;
import org.apereo.cas.authentication.exceptions.MixedPrincipalException;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.model.core.authentication.PrincipalAttributesCoreProperties;
import org.apereo.cas.services.CasModelRegisteredService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicyContext;
import org.apereo.cas.services.ServiceContext;
import org.apereo.cas.services.UnauthorizedProxyingException;
import org.apereo.cas.services.UnauthorizedSsoServiceException;
import org.apereo.cas.support.events.ticket.CasProxyGrantingTicketCreatedEvent;
import org.apereo.cas.support.events.ticket.CasProxyTicketGrantedEvent;
import org.apereo.cas.support.events.ticket.CasServiceTicketGrantedEvent;
import org.apereo.cas.support.events.ticket.CasServiceTicketValidatedEvent;
import org.apereo.cas.support.events.ticket.CasTicketGrantingTicketCreatedEvent;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.InvalidTicketException;
import org.apereo.cas.ticket.RenewableServiceTicket;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.UnrecognizableServiceForServiceTicketValidationException;
import org.apereo.cas.ticket.proxy.ProxyGrantingTicket;
import org.apereo.cas.ticket.proxy.ProxyTicket;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.validation.Assertion;
import org.apereo.cas.validation.DefaultAssertionBuilder;
import org.apereo.inspektr.audit.annotation.Audit;
import org.apereo.services.persondir.support.merger.IAttributeMerger;
import org.jooq.lambda.Unchecked;
import org.jooq.lambda.fi.util.function.CheckedSupplier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/DefaultCentralAuthenticationService.class */
/**
 * Default {@code CentralAuthenticationService} implementation (decompiled listing).
 *
 * <p>Issues and validates the CAS ticket types (ticket-granting, service, proxy-granting and
 * proxy tickets). Every ticket-issuing path performs its registered-service access checks
 * before any ticket is created or written to the ticket registry, and ticket mutations are
 * executed through the configured lock repository, keyed by the ticket being updated.
 * Each public operation is annotated with {@link Audit} so that it is recorded by the audit
 * subsystem.
 */
public class DefaultCentralAuthenticationService extends AbstractCentralAuthenticationService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultCentralAuthenticationService.class);
    private static final long serialVersionUID = -8943828074939533986L;

    /**
     * Creates the service and hands the configuration context to the superclass.
     *
     * @param centralAuthenticationServiceContext configuration context (ticket registry, ticket
     *                                            factory, services manager, lock repository, ...)
     */
    public DefaultCentralAuthenticationService(CentralAuthenticationServiceContext centralAuthenticationServiceContext) {
        super(centralAuthenticationServiceContext);
    }

    /**
     * Guards against a service-ticket request whose freshly supplied credentials resolve to a
     * different principal than the one that owns the ticket-granting ticket.
     *
     * @param authenticationResult result of the current authentication attempt; may be {@code null}
     *                             when no credentials were supplied with the request
     * @param ticketGrantingTicket the ticket-granting ticket the request is made against;
     *                             dereferenced unconditionally, so it must be non-null
     * @return the authentication carried by {@code authenticationResult}, or {@code null} when the
     *         result itself is {@code null}
     * @throws MixedPrincipalException if the two principals are not equal
     */
    private static Authentication evaluatePossibilityOfMixedPrincipals(AuthenticationResult authenticationResult, TicketGrantingTicket ticketGrantingTicket) {
        if (authenticationResult == null) {
            LOGGER.warn("Provided authentication result is undefined to evaluate for mixed principals");
            return null;
        }
        Authentication authentication = authenticationResult.getAuthentication();
        if (authentication != null) {
            Authentication authentication2 = ticketGrantingTicket.getAuthentication();
            // Principal equality decides whether the new credentials belong to the TGT owner.
            if (!authentication.getPrincipal().equals(authentication2.getPrincipal())) {
                throw new MixedPrincipalException(authentication, authentication.getPrincipal(), authentication2.getPrincipal());
            }
        }
        return authentication;
    }

    /**
     * Grants a service ticket for {@code service} against the ticket-granting ticket {@code str}.
     *
     * <p>The whole operation runs under the lock repository, keyed by the TGT id. Inside the lock
     * the order is: load the TGT, resolve the service and its registered-service definition,
     * check for mixed principals, check that SSO access is allowed for the service, evaluate
     * proxying, check the authentication policy, then enforce the registered-service access
     * strategy against a principal whose attributes are the MULTIVALUED merge of the principal's
     * own attributes, the authentication attributes and the attributes released by the service's
     * release policy. Only after all of these pass is the service ticket created, the TGT
     * updated and the new ticket added to the registry.
     *
     * @param str                  id of the ticket-granting ticket
     * @param service              the service requesting the ticket
     * @param authenticationResult current authentication result; may be {@code null}
     * @return the newly issued service ticket
     * @throws AuthenticationException  if authentication-level checks fail
     * @throws AbstractTicketException  {@link InvalidTicketException} if the locked operation
     *                                  yields no ticket; other ticket exceptions from the checks
     */
    @Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
    public ServiceTicket grantServiceTicket(final String str, final Service service, final AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
        // True only when the caller presented credentials with this request ("renew" semantics
        // for the service ticket and for the SSO access check below).
        final boolean z = authenticationResult != null && authenticationResult.isCredentialProvided();
        return (ServiceTicket) this.configurationContext.getLockRepository().execute(str, Unchecked.supplier(new CheckedSupplier<ServiceTicket>() { // from class: org.apereo.cas.DefaultCentralAuthenticationService.1
            /* renamed from: get, reason: merged with bridge method [inline-methods] */
            public ServiceTicket m2get() throws Throwable {
                TicketGrantingTicket ticket = DefaultCentralAuthenticationService.this.configurationContext.getTicketRegistry().getTicket(str, TicketGrantingTicket.class);
                Service resolveServiceFromAuthenticationRequest = DefaultCentralAuthenticationService.this.resolveServiceFromAuthenticationRequest(service);
                RegisteredService findServiceBy = DefaultCentralAuthenticationService.this.configurationContext.getServicesManager().findServiceBy(resolveServiceFromAuthenticationRequest);
                Authentication evaluatePossibilityOfMixedPrincipals = DefaultCentralAuthenticationService.evaluatePossibilityOfMixedPrincipals(authenticationResult, ticket);
                RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(findServiceBy, resolveServiceFromAuthenticationRequest, ticket, z);
                DefaultCentralAuthenticationService.this.evaluateProxiedServiceIfNeeded(resolveServiceFromAuthenticationRequest, ticket, findServiceBy);
                DefaultCentralAuthenticationService.this.getAuthenticationSatisfiedByPolicy(evaluatePossibilityOfMixedPrincipals, new ServiceContext(resolveServiceFromAuthenticationRequest, findServiceBy));
                // The principal released to the service is always that of the root TGT, not of an
                // intermediate proxy-granting ticket.
                Authentication authentication = ticket.getRoot().getAuthentication();
                AuthenticationCredentialsThreadLocalBinder.bindCurrent(authentication);
                Principal principal = authentication.getPrincipal();
                // NOTE(review): the release-policy context is built with the caller-supplied
                // `service`, whereas every other check here uses the resolved service.
                RegisteredServiceAttributeReleasePolicyContext build = RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(findServiceBy).service(service).principal(principal).build();
                IAttributeMerger attributeMerger = CoreAuthenticationUtils.getAttributeMerger(PrincipalAttributesCoreProperties.MergingStrategyTypes.MULTIVALUED);
                // Access strategy is evaluated against principal + authentication + released attributes.
                DefaultCentralAuthenticationService.this.enforceRegisteredServiceAccess(resolveServiceFromAuthenticationRequest, findServiceBy, DefaultCentralAuthenticationService.this.configurationContext.getPrincipalFactory().createPrincipal(principal.getId(), CoreAuthenticationUtils.mergeAttributes(CoreAuthenticationUtils.mergeAttributes(principal.getAttributes(), authentication.getAttributes(), attributeMerger), findServiceBy.getAttributeReleasePolicy().getAttributes(build), attributeMerger)));
                ServiceTicket create = DefaultCentralAuthenticationService.this.configurationContext.getTicketFactory().get(ServiceTicket.class).create(ticket, resolveServiceFromAuthenticationRequest, z, ServiceTicket.class);
                DefaultCentralAuthenticationService.this.configurationContext.getTicketRegistry().updateTicket(ticket);
                DefaultCentralAuthenticationService.this.configurationContext.getTicketRegistry().addTicket(create);
                // Service id is abbreviated in the log line; the ticket id and principal id are logged in full.
                DefaultCentralAuthenticationService.LOGGER.info("Granted service ticket [{}] for service [{}] and principal [{}]", new Object[]{create.getId(), DigestUtils.abbreviate(resolveServiceFromAuthenticationRequest.getId()), principal.getId()});
                DefaultCentralAuthenticationService.this.doPublishEvent(new CasServiceTicketGrantedEvent(this, ticket, create));
                return create;
            }
        })).orElseThrow(() -> {
            return new InvalidTicketException(str);
        });
    }

    /**
     * Grants a proxy ticket for {@code service} against the proxy-granting ticket {@code str}.
     *
     * <p>Access checks (registered-service access strategy, SSO access, proxying, authentication
     * policy) run before the lock is taken; ticket creation, registry updates and event
     * publication run under the lock repository keyed by the PGT id.
     *
     * <p>Any exception raised along the way is logged and replaced by an
     * {@link UnauthorizedSsoServiceException}; the caller never sees the underlying cause.
     *
     * @param str     id of the proxy-granting ticket
     * @param service the service the proxy ticket is for
     * @return the newly issued proxy ticket
     * @throws AbstractTicketException {@link UnauthorizedSsoServiceException} for any failure,
     *                                 including an {@link UnauthorizedProxyingException} from an
     *                                 empty lock result
     */
    @Audit(action = "PROXY_TICKET", actionResolverName = "GRANT_PROXY_TICKET_RESOLVER", resourceResolverName = "GRANT_PROXY_TICKET_RESOURCE_RESOLVER")
    public ProxyTicket grantProxyTicket(String str, final Service service) throws AbstractTicketException {
        final ProxyGrantingTicket ticket = this.configurationContext.getTicketRegistry().getTicket(str, ProxyGrantingTicket.class);
        RegisteredService findServiceBy = this.configurationContext.getServicesManager().findServiceBy(service);
        try {
            // A PGT is a TicketGrantingTicket, so the TGT-based access-strategy overload applies.
            enforceRegisteredServiceAccess(service, (TicketGrantingTicket) ticket, findServiceBy);
            RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(findServiceBy, service, ticket);
            evaluateProxiedServiceIfNeeded(service, ticket, findServiceBy);
            getAuthenticationSatisfiedByPolicy(ticket.getRoot().getAuthentication(), new ServiceContext(service, findServiceBy));
            final Authentication authentication = ticket.getRoot().getAuthentication();
            AuthenticationCredentialsThreadLocalBinder.bindCurrent(authentication);
            return (ProxyTicket) this.configurationContext.getLockRepository().execute(ticket.getId(), Unchecked.supplier(new CheckedSupplier<ProxyTicket>() { // from class: org.apereo.cas.DefaultCentralAuthenticationService.2
                /* renamed from: get, reason: merged with bridge method [inline-methods] */
                public ProxyTicket m3get() throws Throwable {
                    Principal principal = authentication.getPrincipal();
                    ProxyTicket create = DefaultCentralAuthenticationService.this.configurationContext.getTicketFactory().get(ProxyTicket.class).create(ticket, service, ProxyTicket.class);
                    DefaultCentralAuthenticationService.this.configurationContext.getTicketRegistry().updateTicket(ticket);
                    DefaultCentralAuthenticationService.this.configurationContext.getTicketRegistry().addTicket(create);
                    DefaultCentralAuthenticationService.LOGGER.info("Granted proxy ticket [{}] for service [{}] for user [{}]", new Object[]{create.getId(), service.getId(), principal.getId()});
                    DefaultCentralAuthenticationService.this.doPublishEvent(new CasProxyTicketGrantedEvent(this, ticket, create));
                    return create;
                }
            })).orElseThrow(UnauthorizedProxyingException::new);
        } catch (Exception e) {
            // Root cause goes to the log only; the caller gets a generic unauthorized-SSO failure.
            LoggingUtils.warn(LOGGER, e);
            throw new UnauthorizedSsoServiceException();
        }
    }

    /**
     * Creates a proxy-granting ticket from the service ticket {@code str}.
     *
     * <p>The service ticket must exist and be unexpired; the registered service that owns it must
     * pass the access-strategy enforcer and its proxy policy must allow proxying. Creation, adding
     * the PGT to the registry, updating the parent TGT and publishing the event run under the lock
     * repository keyed by the service-ticket id.
     *
     * @param str                  id of the service ticket to proxy from
     * @param authenticationResult authentication result of the proxying party
     * @return the newly created proxy-granting ticket
     * @throws AuthenticationException     if authentication-level checks fail
     * @throws AbstractTicketException     {@link InvalidTicketException} if the service ticket is
     *                                     missing or expired; {@link UnauthorizedProxyingException}
     *                                     if proxying is not allowed or the lock yields no ticket
     */
    @Audit(action = "PROXY_GRANTING_TICKET", actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
    public ProxyGrantingTicket createProxyGrantingTicket(String str, AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(authenticationResult.getAuthentication());
        ServiceTicket ticket = this.configurationContext.getTicketRegistry().getTicket(str, ServiceTicket.class);
        if (ticket == null || ticket.isExpired()) {
            LOGGER.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", str);
            throw new InvalidTicketException(str);
        }
        CasModelRegisteredService findServiceBy = this.configurationContext.getServicesManager().findServiceBy(ticket.getService());
        // Access strategy is evaluated with the service ticket, the authentication result and the
        // registered service in the auditable context.
        this.configurationContext.getRegisteredServiceAccessStrategyEnforcer().execute(AuditableContext.builder().serviceTicket(ticket).authenticationResult(authenticationResult).registeredService(findServiceBy).build()).throwExceptionIfNeeded();
        if (findServiceBy.getProxyPolicy().isAllowedToProxy()) {
            return (ProxyGrantingTicket) this.configurationContext.getLockRepository().execute(ticket.getId(), Unchecked.supplier(() -> {
                ProxyGrantingTicket create = this.configurationContext.getTicketFactory().get(ProxyGrantingTicket.class).create(ticket, authenticationResult.getAuthentication(), ProxyGrantingTicket.class);
                LOGGER.debug("Generated proxy granting ticket [{}] based off of [{}]", create, str);
                this.configurationContext.getTicketRegistry().addTicket(create);
                this.configurationContext.getTicketRegistry().updateTicket(ticket.getTicketGrantingTicket());
                doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, create));
                return create;
            })).orElseThrow(UnauthorizedProxyingException::new);
        }
        LOGGER.warn("Service [{}] attempted to proxy, but is not allowed.", ticket.getService().getId());
        throw new UnauthorizedProxyingException();
    }

    /**
     * Validates the service ticket {@code str} for {@code service} and builds the assertion
     * released to that service.
     *
     * <p>Order of checks: the ticket string must pass {@code isTicketAuthenticityVerified} before
     * the registry is consulted; the ticket must exist; under the lock repository (keyed by the
     * ticket id) it must be unexpired and the service it was issued for must match the supplied
     * service according to the configured service-matching strategy, after which the ticket is
     * marked as used via {@code update()}. Registered-service access is then checked twice: once
     * with {@code ensureServiceAccessIsAllowed} and once with the access-strategy enforcer against
     * a principal carrying the merged principal, authentication, built-authentication and
     * release-policy attributes.
     *
     * <p>Whether validation succeeds or fails, the ticket is deleted from the registry if it has
     * expired and otherwise updated; the {@code catch (Throwable)} block duplicates this cleanup
     * and rethrows, i.e. it behaves like a {@code finally}.
     *
     * @param str     id of the service ticket being validated
     * @param service the service presenting the ticket
     * @return the assembled assertion for the service
     * @throws AbstractTicketException {@link InvalidTicketException} if the ticket fails the
     *                                 authenticity check, is missing or has expired;
     *                                 {@link UnrecognizableServiceForServiceTicketValidationException}
     *                                 if the ticket's service does not match the supplied one
     */
    @Audit(action = "SERVICE_TICKET_VALIDATE", actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER", resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
    public Assertion validateServiceTicket(String str, Service service) throws AbstractTicketException {
        // Reject ticket strings that CAS did not issue before touching the registry.
        if (!isTicketAuthenticityVerified(str)) {
            LOGGER.info("Service ticket [{}] is not a valid ticket issued by CAS.", str);
            throw new InvalidTicketException(str);
        }
        RenewableServiceTicket renewableServiceTicket = (ServiceTicket) this.configurationContext.getTicketRegistry().getTicket(str, ServiceTicket.class);
        if (renewableServiceTicket == null) {
            LOGGER.warn("Service ticket [{}] does not exist.", str);
            throw new InvalidTicketException(str);
        }
        try {
            WebApplicationService resolveServiceFromAuthenticationRequest = resolveServiceFromAuthenticationRequest(renewableServiceTicket.getService());
            WebApplicationService resolveServiceFromAuthenticationRequest2 = resolveServiceFromAuthenticationRequest(service);
            LOGGER.debug("Resolved service [{}] from the authentication request with service [{}] linked to service ticket [{}]", new Object[]{resolveServiceFromAuthenticationRequest2, resolveServiceFromAuthenticationRequest, renewableServiceTicket.getId()});
            // Expiry, service-match and the use-count update happen atomically under the ticket lock.
            this.configurationContext.getLockRepository().execute(renewableServiceTicket.getId(), Unchecked.supplier(() -> {
                if (renewableServiceTicket.isExpired()) {
                    LOGGER.info("ServiceTicket [{}] has expired.", str);
                    throw new InvalidTicketException(str);
                }
                if (!this.configurationContext.getServiceMatchingStrategy().matches(resolveServiceFromAuthenticationRequest, resolveServiceFromAuthenticationRequest2)) {
                    LOGGER.error("Service ticket [{}] with service [{}] does not match supplied service [{}]", new Object[]{str, renewableServiceTicket.getService().getId(), resolveServiceFromAuthenticationRequest2.getId()});
                    throw new UnrecognizableServiceForServiceTicketValidationException(resolveServiceFromAuthenticationRequest);
                }
                renewableServiceTicket.update();
                this.configurationContext.getTicketRegistry().updateTicket(renewableServiceTicket);
                return renewableServiceTicket;
            }));
            RegisteredService findServiceBy = this.configurationContext.getServicesManager().findServiceBy(resolveServiceFromAuthenticationRequest);
            LOGGER.trace("Located registered service definition [{}] from [{}] to handle validation request", findServiceBy, resolveServiceFromAuthenticationRequest);
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(resolveServiceFromAuthenticationRequest, findServiceBy);
            // Authentication is taken from the root of the TGT chain, then filtered by the
            // service's authentication policy.
            Authentication authenticationSatisfiedByPolicy = getAuthenticationSatisfiedByPolicy(renewableServiceTicket.getTicketGrantingTicket().getRoot().getAuthentication(), new ServiceContext(resolveServiceFromAuthenticationRequest, findServiceBy));
            Principal principal = authenticationSatisfiedByPolicy.getPrincipal();
            RegisteredServiceAttributeReleasePolicy registeredServiceAttributeReleasePolicy = (RegisteredServiceAttributeReleasePolicy) Objects.requireNonNull(findServiceBy.getAttributeReleasePolicy());
            LOGGER.debug("Attribute policy [{}] is associated with service [{}]", registeredServiceAttributeReleasePolicy, findServiceBy);
            Map attributes = registeredServiceAttributeReleasePolicy.getAttributes(RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(findServiceBy).service(resolveServiceFromAuthenticationRequest).principal(principal).build());
            // Only attribute names are logged here, not their values.
            LOGGER.debug("Calculated attributes for release per the release policy are [{}]", attributes.keySet());
            String resolveUsername = findServiceBy.getUsernameAttributeProvider().resolveUsername(principal, resolveServiceFromAuthenticationRequest, findServiceBy);
            AuthenticationBuilder of = DefaultAuthenticationBuilder.of(principal, this.configurationContext.getPrincipalFactory(), attributes, resolveServiceFromAuthenticationRequest, findServiceBy, authenticationSatisfiedByPolicy);
            LOGGER.debug("Principal determined for release to [{}] is [{}]", findServiceBy.getServiceId(), resolveUsername);
            // Protocol attributes describing how the ticket was obtained (fresh login / remember-me).
            of.addAttribute("isFromNewLogin", CollectionUtils.wrap(Boolean.valueOf(renewableServiceTicket.isFromNewLogin())));
            of.addAttribute("longTermAuthenticationRequestTokenUsed", CollectionUtils.wrap(CoreAuthenticationUtils.isRememberMeAuthentication(authenticationSatisfiedByPolicy)));
            Authentication build = of.build();
            // NOTE(review): this second release-policy evaluation uses the caller-supplied `service`
            // rather than the resolved service used above.
            Map attributes2 = findServiceBy.getAttributeReleasePolicy().getAttributes(RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(findServiceBy).service(service).principal(principal).build());
            IAttributeMerger attributeMerger = CoreAuthenticationUtils.getAttributeMerger(PrincipalAttributesCoreProperties.MergingStrategyTypes.MULTIVALUED);
            enforceRegisteredServiceAccess((Service) resolveServiceFromAuthenticationRequest, findServiceBy, this.configurationContext.getPrincipalFactory().createPrincipal(principal.getId(), CoreAuthenticationUtils.mergeAttributes(CoreAuthenticationUtils.mergeAttributes(CoreAuthenticationUtils.mergeAttributes(CoreAuthenticationUtils.mergeAttributes(principal.getAttributes(), authenticationSatisfiedByPolicy.getAttributes(), attributeMerger), build.getPrincipal().getAttributes(), attributeMerger), build.getAttributes(), attributeMerger), attributes2, attributeMerger)));
            AuthenticationCredentialsThreadLocalBinder.bindCurrent(build);
            Assertion assemble = DefaultAssertionBuilder.builder().primaryAuthentication(build).service(resolveServiceFromAuthenticationRequest).registeredService(findServiceBy).authentications(renewableServiceTicket.getTicketGrantingTicket().getChainedAuthentications()).newLogin(renewableServiceTicket.isFromNewLogin()).build().assemble();
            doPublishEvent(new CasServiceTicketValidatedEvent(this, renewableServiceTicket, assemble));
            // Success path cleanup: a used-up ticket is removed so it cannot be presented again.
            FunctionUtils.doUnchecked(obj -> {
                if (renewableServiceTicket.isExpired()) {
                    this.configurationContext.getTicketRegistry().deleteTicket(str);
                } else {
                    this.configurationContext.getTicketRegistry().updateTicket(renewableServiceTicket);
                }
            }, new Object[0]);
            return assemble;
        } catch (Throwable th) {
            // Failure path performs the identical cleanup, then propagates the original error.
            FunctionUtils.doUnchecked(obj2 -> {
                if (renewableServiceTicket.isExpired()) {
                    this.configurationContext.getTicketRegistry().deleteTicket(str);
                } else {
                    this.configurationContext.getTicketRegistry().updateTicket(renewableServiceTicket);
                }
            }, new Object[0]);
            throw th;
        }
    }

    /**
     * Creates a ticket-granting ticket for a successful authentication.
     *
     * <p>If the authentication result names a service, that service is resolved and the
     * registered-service access strategy is enforced for the authentication before the TGT is
     * created. Adding the ticket to the registry and publishing the creation event are wrapped in
     * {@code FunctionUtils.doUnchecked}; no lock is taken because the ticket does not exist yet.
     *
     * @param authenticationResult the completed authentication
     * @return the newly created ticket-granting ticket
     * @throws AuthenticationException if authentication-level checks fail
     * @throws AbstractTicketException if access enforcement or ticket creation fails
     */
    @Audit(action = "TICKET_GRANTING_TICKET", actionResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    public TicketGrantingTicket createTicketGrantingTicket(AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
        Authentication authentication = authenticationResult.getAuthentication();
        Service service = authenticationResult.getService();
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(authentication);
        if (service != null) {
            service = resolveServiceFromAuthenticationRequest(service);
            LOGGER.debug("Resolved service [{}] from the authentication request", service);
            enforceRegisteredServiceAccess(authentication, service, this.configurationContext.getServicesManager().findServiceBy(service));
        }
        TicketGrantingTicket create = this.configurationContext.getTicketFactory().get(TicketGrantingTicket.class).create(authentication, service, TicketGrantingTicket.class);
        FunctionUtils.doUnchecked(obj -> {
            this.configurationContext.getTicketRegistry().addTicket(create);
            doPublishEvent(new CasTicketGrantingTicketCreatedEvent(this, create));
        }, new Object[0]);
        return create;
    }

    /**
     * Runs the registered-service access-strategy enforcer with an authentication as the subject.
     *
     * @param authentication    authentication to evaluate
     * @param service           service being accessed
     * @param registeredService matching registered-service definition
     * @throws RuntimeException whatever {@code throwExceptionIfNeeded()} raises when access is denied
     */
    private void enforceRegisteredServiceAccess(Authentication authentication, Service service, RegisteredService registeredService) {
        this.configurationContext.getRegisteredServiceAccessStrategyEnforcer().execute(AuditableContext.builder().service(service).authentication(authentication).registeredService(registeredService).build()).throwExceptionIfNeeded();
    }

    /**
     * Runs the registered-service access-strategy enforcer with a principal as the subject.
     * Callers pass a principal whose attributes have already been merged with the attributes to
     * be released, so attribute-based access rules see the full released set.
     *
     * @param service           service being accessed
     * @param registeredService matching registered-service definition
     * @param principal         principal (with merged attributes) to evaluate
     * @throws RuntimeException whatever {@code throwExceptionIfNeeded()} raises when access is denied
     */
    private void enforceRegisteredServiceAccess(Service service, RegisteredService registeredService, Principal principal) {
        this.configurationContext.getRegisteredServiceAccessStrategyEnforcer().execute(AuditableContext.builder().service(service).principal(principal).registeredService(registeredService).build()).throwExceptionIfNeeded();
    }

    /**
     * Runs the registered-service access-strategy enforcer with a ticket-granting ticket as the
     * subject (used for proxy-ticket grants, where the PGT stands in as the TGT).
     *
     * @param service              service being accessed
     * @param ticketGrantingTicket ticket whose owner is being evaluated
     * @param registeredService    matching registered-service definition
     * @throws RuntimeException whatever {@code throwExceptionIfNeeded()} raises when access is denied
     */
    private void enforceRegisteredServiceAccess(Service service, TicketGrantingTicket ticketGrantingTicket, RegisteredService registeredService) {
        this.configurationContext.getRegisteredServiceAccessStrategyEnforcer().execute(AuditableContext.builder().service(service).ticketGrantingTicket(ticketGrantingTicket).registeredService(registeredService).build()).throwExceptionIfNeeded();
    }
}
