package org.apereo.cas;

import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import lombok.Generated;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationBuilder;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.CoreAuthenticationUtils;
import org.apereo.cas.authentication.DefaultAuthenticationBuilder;
import org.apereo.cas.authentication.credential.BasicIdentifiableCredential;
import org.apereo.cas.authentication.exceptions.MixedPrincipalException;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.merger.AttributeMerger;
import org.apereo.cas.configuration.model.core.authentication.PrincipalAttributesCoreProperties;
import org.apereo.cas.services.CasModelRegisteredService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicyContext;
import org.apereo.cas.services.UnauthorizedProxyingException;
import org.apereo.cas.services.UnauthorizedSsoServiceException;
import org.apereo.cas.support.events.ticket.CasProxyGrantingTicketCreatedEvent;
import org.apereo.cas.support.events.ticket.CasProxyTicketGrantedEvent;
import org.apereo.cas.support.events.ticket.CasServiceTicketGrantedEvent;
import org.apereo.cas.support.events.ticket.CasServiceTicketValidatedEvent;
import org.apereo.cas.support.events.ticket.CasTicketGrantingTicketCreatedEvent;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.InvalidTicketException;
import org.apereo.cas.ticket.RenewableServiceTicket;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.Ticket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.UnrecognizableServiceForServiceTicketValidationException;
import org.apereo.cas.ticket.proxy.ProxyGrantingTicket;
import org.apereo.cas.ticket.proxy.ProxyTicket;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.validation.Assertion;
import org.apereo.cas.validation.DefaultAssertionBuilder;
import org.apereo.inspektr.audit.annotation.Audit;
import org.apereo.inspektr.common.web.ClientInfo;
import org.apereo.inspektr.common.web.ClientInfoHolder;
import org.jooq.lambda.Unchecked;
import org.jooq.lambda.fi.util.function.CheckedSupplier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/DefaultCentralAuthenticationService.class */
/**
 * Default {@code CentralAuthenticationService}: issues ticket-granting, service, proxy-granting and
 * proxy tickets, and validates service tickets. Every collaborator (ticket registry, ticket factory,
 * lock repository, services manager, access-strategy enforcer, principal factory and resolver,
 * service matching strategy, application context) is read from {@code configurationContext}, which
 * the parent class holds. Helpers such as {@code resolveServiceFromAuthenticationRequest},
 * {@code evaluateProxiedServiceIfNeeded}, {@code getAuthenticationSatisfiedByPolicy},
 * {@code isTicketAuthenticityVerified} and {@code doPublishEvent} are inherited and not visible here.
 *
 * <p>Each public operation carries an Inspektr {@code @Audit} annotation, so its outcome is recorded
 * on the audit trail by the named action/resource resolvers.
 *
 * <p>NOTE(review): the listing shows decompiler traces (the {@code renamed from} marker,
 * {@code m2get}, locals named after the call that produced them such as {@code findServiceBy}). The
 * comments below describe the code as it appears; where a behaviour depends on an inherited helper or
 * on a collaborator's contract they say so rather than assume it.
 */
public class DefaultCentralAuthenticationService extends AbstractCentralAuthenticationService {

    // Logger marked @Generated; presumably produced by Lombok from the original source.
    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultCentralAuthenticationService.class);
    // Present because the hierarchy is Serializable (declared in a parent class not shown here).
    private static final long serialVersionUID = -8943828074939533986L;

    /**
     * Creates the service around the supplied configuration context.
     *
     * @param centralAuthenticationServiceContext holder for the registry, factory, lock repository and
     *                                            the other collaborators used by every operation below
     */
    public DefaultCentralAuthenticationService(CentralAuthenticationServiceContext centralAuthenticationServiceContext) {
        super(centralAuthenticationServiceContext);
    }

    /**
     * Creates a ticket-granting ticket for an already-established authentication.
     *
     * <p>Order matters: when the result carries a service, that service is resolved and access to it
     * is enforced (see the {@code Authentication}-taking overload of
     * {@code enforceRegisteredServiceAccess}) before any ticket exists, so a denied service never
     * leaves a TGT behind in the registry. The client info is captured up front, before the registry
     * is touched.
     *
     * @param authenticationResult the authentication to bind to the TGT, plus an optional target service
     * @return the ticket as returned by {@code TicketRegistry#addTicket}; note that the published event
     *         carries the instance produced by the factory, while the registry's return value is what
     *         is handed back to the caller
     * @throws Throwable from service-access enforcement, the ticket factory or the registry
     */
    @Audit(action = "TICKET_GRANTING_TICKET", actionResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    public Ticket createTicketGrantingTicket(AuthenticationResult authenticationResult) throws Throwable {
        Authentication authentication = authenticationResult.getAuthentication();
        Service service = authenticationResult.getService();
        ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
        if (service != null) {
            service = resolveServiceFromAuthenticationRequest(service);
            LOGGER.debug("Resolved service [{}] from the authentication request", service);
            // NOTE(review): the registered service returned by findServiceBy is not null-checked here, and the
            // overload called dereferences it; an unregistered service would surface as an NPE rather than a
            // typed access exception — confirm whether findServiceBy can return null.
            enforceRegisteredServiceAccess(authentication, service, this.configurationContext.getServicesManager().findServiceBy(service));
        }
        TicketGrantingTicket create = this.configurationContext.getTicketFactory().get(TicketGrantingTicket.class).create(authentication, service);
        Ticket addTicket = this.configurationContext.getTicketRegistry().addTicket(create);
        // The event is published with the factory instance; the registry's return value is what we return.
        doPublishEvent(new CasTicketGrantingTicketCreatedEvent(this, create, clientInfo));
        return addTicket;
    }

    /**
     * Grants a service ticket for the given ticket-granting ticket id and service.
     *
     * <p>All checks and registry writes run under the lock repository, keyed by the TGT id. Inside the
     * lock, in this order: the TGT is loaded; the service is resolved and its registration looked up;
     * the supplied authentication (if any) is compared with the TGT's principal
     * ({@link #evaluatePossibilityOfMixedPrincipals}); SSO access is checked; proxied services are
     * evaluated; the authentication policy is checked; access is enforced once more against a
     * principal carrying the TGT root principal's attributes merged (MULTIVALUED merger) with the
     * root authentication's attributes and the release-policy attributes. Only after all of that is
     * the service ticket created and added.
     *
     * <p>The lock repository returns an {@code Optional}; an empty result is reported to the caller as
     * an {@link InvalidTicketException} for the TGT id.
     *
     * @param str                  the ticket-granting ticket id
     * @param service              the service requesting the ticket
     * @param authenticationResult the current authentication result; may be {@code null}, in which
     *                             case the mixed-principal check is skipped with a warning
     * @return the service ticket as returned by the registry
     * @throws Throwable any failure raised by the checks above; checked exceptions thrown inside the
     *                   supplier are rethrown through {@code Unchecked.supplier}
     */
    @Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
    public Ticket grantServiceTicket(final String str, final Service service, final AuthenticationResult authenticationResult) throws Throwable {
        // True when fresh credentials were presented; handed to the SSO access check and the ST factory below.
        final boolean z = authenticationResult != null && authenticationResult.isCredentialProvided();
        final ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
        return (Ticket) this.configurationContext.getLockRepository().execute(str, Unchecked.supplier(new CheckedSupplier<Ticket>() { // from class: org.apereo.cas.DefaultCentralAuthenticationService.1
            /* renamed from: get, reason: merged with bridge method [inline-methods] */
            public Ticket m2get() throws Throwable {
                // NOTE(review): the loaded TGT is not null-checked; a missing id would reach
                // evaluatePossibilityOfMixedPrincipals, which dereferences it — confirm whether getTicket
                // returns null or throws for unknown ids.
                TicketGrantingTicket ticket = DefaultCentralAuthenticationService.this.configurationContext.getTicketRegistry().getTicket(str, TicketGrantingTicket.class);
                Service resolveServiceFromAuthenticationRequest = DefaultCentralAuthenticationService.this.resolveServiceFromAuthenticationRequest(service);
                RegisteredService findServiceBy = DefaultCentralAuthenticationService.this.configurationContext.getServicesManager().findServiceBy(resolveServiceFromAuthenticationRequest);
                // Rejects a request whose authentication belongs to a different principal than the TGT.
                Authentication evaluatePossibilityOfMixedPrincipals = DefaultCentralAuthenticationService.evaluatePossibilityOfMixedPrincipals(authenticationResult, ticket);
                RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(findServiceBy, resolveServiceFromAuthenticationRequest, ticket, z);
                DefaultCentralAuthenticationService.this.evaluateProxiedServiceIfNeeded(resolveServiceFromAuthenticationRequest, ticket, findServiceBy);
                DefaultCentralAuthenticationService.this.getAuthenticationSatisfiedByPolicy(evaluatePossibilityOfMixedPrincipals, resolveServiceFromAuthenticationRequest, findServiceBy);
                // Attributes are taken from the root of the TGT chain, not from the supplied result.
                Authentication authentication = ticket.getRoot().getAuthentication();
                Principal principal = authentication.getPrincipal();
                // NOTE(review): this release context uses the raw 'service' argument while every other step
                // here uses the resolved service — confirm the asymmetry is intended.
                RegisteredServiceAttributeReleasePolicyContext build = RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(findServiceBy).service(service).principal(principal).applicationContext(DefaultCentralAuthenticationService.this.configurationContext.getApplicationContext()).build();
                AttributeMerger attributeMerger = CoreAuthenticationUtils.getAttributeMerger(PrincipalAttributesCoreProperties.MergingStrategyTypes.MULTIVALUED);
                // Second access check, now against principal + authentication + released attributes merged together.
                DefaultCentralAuthenticationService.this.enforceRegisteredServiceAccess(resolveServiceFromAuthenticationRequest, findServiceBy, DefaultCentralAuthenticationService.this.configurationContext.getPrincipalFactory().createPrincipal(principal.getId(), CoreAuthenticationUtils.mergeAttributes(CoreAuthenticationUtils.mergeAttributes(principal.getAttributes(), authentication.getAttributes(), attributeMerger), findServiceBy.getAttributeReleasePolicy().getAttributes(build), attributeMerger)));
                ServiceTicket create = DefaultCentralAuthenticationService.this.configurationContext.getTicketFactory().get(ServiceTicket.class).create(ticket, resolveServiceFromAuthenticationRequest, z, ServiceTicket.class);
                if (!ticket.isStateless()) {
                    DefaultCentralAuthenticationService.this.configurationContext.getTicketRegistry().updateTicket(ticket);
                }
                Ticket addTicket = DefaultCentralAuthenticationService.this.configurationContext.getTicketRegistry().addTicket(create);
                // The service id is abbreviated before logging.
                DefaultCentralAuthenticationService.LOGGER.info("Granted service ticket [{}] for service [{}] and principal [{}]", new Object[]{create.getId(), DigestUtils.abbreviate(resolveServiceFromAuthenticationRequest.getId()), principal.getId()});
                // NOTE(review): inside this anonymous class 'this' is the CheckedSupplier instance, not the service
                // (contrast the lambda in grantProxyTicket). This is presumably the decompiler's rendering of a
                // lambda; confirm against the original source before recompiling from this listing.
                DefaultCentralAuthenticationService.this.doPublishEvent(new CasServiceTicketGrantedEvent(this, ticket, create, clientInfo));
                return addTicket;
            }
        })).orElseThrow(() -> {
            return new InvalidTicketException(str);
        });
    }

    /**
     * Grants a proxy ticket from a proxy-granting ticket.
     *
     * <p>Runs under the lock repository keyed by the PGT id. Inside the guarded block, in order: access
     * is enforced with the ticket-granting-ticket-taking overload, SSO access and proxied-service rules
     * are checked, the authentication policy is applied, then the proxy ticket is created and added and
     * the PGT written back unless it is stateless.
     *
     * <p>Error mapping: any {@code Throwable} raised inside the {@code try} is logged at WARN and
     * replaced by a bare {@link UnauthorizedSsoServiceException} without a cause, so callers cannot
     * tell the failure reasons apart (the detail is only in the log). The loaded PGT is not
     * null-checked, so an unknown id would take the same path if {@code getTicket} returns null. An
     * empty result from the lock repository becomes an {@link UnauthorizedProxyingException}.
     *
     * @param str     the proxy-granting ticket id
     * @param service the service requesting the proxy ticket
     * @return the proxy ticket as returned by the registry
     * @throws AbstractTicketException per the mapping above
     */
    @Audit(action = "PROXY_TICKET", actionResolverName = "GRANT_PROXY_TICKET_RESOLVER", resourceResolverName = "GRANT_PROXY_TICKET_RESOURCE_RESOLVER")
    public Ticket grantProxyTicket(String str, Service service) throws AbstractTicketException {
        return (Ticket) this.configurationContext.getLockRepository().execute(str, () -> {
            return (Ticket) FunctionUtils.doUnchecked(() -> {
                ProxyGrantingTicket ticket = this.configurationContext.getTicketRegistry().getTicket(str, ProxyGrantingTicket.class);
                RegisteredService findServiceBy = this.configurationContext.getServicesManager().findServiceBy(service);
                try {
                    enforceRegisteredServiceAccess(service, (TicketGrantingTicket) ticket, findServiceBy);
                    RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(findServiceBy, service, ticket);
                    evaluateProxiedServiceIfNeeded(service, ticket, findServiceBy);
                    getAuthenticationSatisfiedByPolicy(ticket.getRoot().getAuthentication(), service, findServiceBy);
                    Principal principal = ticket.getRoot().getAuthentication().getPrincipal();
                    ProxyTicket create = this.configurationContext.getTicketFactory().get(ProxyTicket.class).create(ticket, service);
                    ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
                    if (!ticket.isStateless()) {
                        this.configurationContext.getTicketRegistry().updateTicket(ticket);
                    }
                    Ticket addTicket = this.configurationContext.getTicketRegistry().addTicket(create);
                    // Unlike grantServiceTicket, the full service id is logged and the registry's instance is used.
                    LOGGER.info("Granted proxy ticket [{}] for service [{}] for user [{}]", new Object[]{addTicket.getId(), service.getId(), principal.getId()});
                    doPublishEvent(new CasProxyTicketGrantedEvent(this, ticket, addTicket, clientInfo));
                    return addTicket;
                } catch (Throwable th) {
                    // Original cause is logged but not attached to the thrown exception.
                    LoggingUtils.warn(LOGGER, th);
                    throw new UnauthorizedSsoServiceException();
                }
            });
        }).orElseThrow(UnauthorizedProxyingException::new);
    }

    /**
     * Validates a service ticket against the presenting service and assembles the assertion released
     * to that service.
     *
     * <p>Checks, in order: the id passes the inherited {@code isTicketAuthenticityVerified}; the ticket
     * exists in the registry; it is bound to a ticket-granting ticket unless it is stateless; then,
     * under the lock repository keyed by the ticket id, it is not expired and its bound service matches
     * the presented service per the configured {@code ServiceMatchingStrategy}, after which
     * {@code update()} is called on it. The registered service is then looked up and access checked, the
     * source authentication chosen (the ticket's own for stateless tickets, the TGT root's otherwise),
     * a release authentication built through {@code DefaultAuthenticationBuilder.of} with the
     * {@code isFromNewLogin} and {@code longTermAuthenticationRequestTokenUsed} attributes added, access
     * enforced once more against the fully merged attribute set, and the assertion assembled and
     * published.
     *
     * <p>Cleanup is identical on success and failure (written twice rather than in a {@code finally}):
     * a non-stateless ticket is deleted if it is now expired, otherwise written back.
     *
     * <p>NOTE(review): unlike the other lock-repository call sites in this class, the {@code Optional}
     * returned by {@code execute} is discarded here. If the repository can return an empty result
     * without running the supplier (e.g. when the lock cannot be acquired — confirm against its
     * contract), the expiry and service-matching checks would be skipped and validation would carry on;
     * appending {@code .orElseThrow(() -> new InvalidTicketException(str))} would make that path fail
     * closed.
     *
     * @param str     the service ticket id presented by the service
     * @param service the service presenting the ticket
     * @return the assembled assertion
     * @throws InvalidTicketException                                   when the ticket is unverifiable,
     *                                                                  missing, unbound or expired
     * @throws UnrecognizableServiceForServiceTicketValidationException when the presented service does
     *                                                                  not match the ticket's service
     * @throws Throwable                                                from access enforcement,
     *                                                                  attribute release or the registry
     */
    @Audit(action = "SERVICE_TICKET_VALIDATE", actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER", resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
    public Assertion validateServiceTicket(String str, Service service) throws Throwable {
        // Cheap authenticity check on the id itself before any registry lookup.
        if (!isTicketAuthenticityVerified(str)) {
            LOGGER.info("Service ticket [{}] is not a valid ticket issued by CAS.", str);
            throw new InvalidTicketException(str);
        }
        // Declared as RenewableServiceTicket for the update() call inside the lock; ServiceTicket is assignable to it.
        RenewableServiceTicket renewableServiceTicket = (ServiceTicket) this.configurationContext.getTicketRegistry().getTicket(str, ServiceTicket.class);
        if (renewableServiceTicket == null) {
            LOGGER.warn("Service ticket [{}] does not exist.", str);
            throw new InvalidTicketException(str);
        }
        // A TGT binding is required unless the ticket is stateless; instanceof doubles as the null check.
        if (!(renewableServiceTicket.getTicketGrantingTicket() instanceof TicketGrantingTicket) && !renewableServiceTicket.isStateless()) {
            LOGGER.warn("Service ticket [{}] is not assigned a valid ticket granting ticket", str);
            throw new InvalidTicketException(str);
        }
        try {
            // First: the service recorded on the ticket; second: the service presenting it now.
            Service resolveServiceFromAuthenticationRequest = resolveServiceFromAuthenticationRequest(renewableServiceTicket.getService());
            Service resolveServiceFromAuthenticationRequest2 = resolveServiceFromAuthenticationRequest(service);
            LOGGER.debug("Resolved service [{}] from the authentication request with service [{}] linked to service ticket [{}]", new Object[]{resolveServiceFromAuthenticationRequest2, resolveServiceFromAuthenticationRequest, renewableServiceTicket.getId()});
            // NOTE(review): return value of execute() is not inspected — see the class-level review note in the Javadoc above.
            this.configurationContext.getLockRepository().execute(renewableServiceTicket.getId(), Unchecked.supplier(() -> {
                if (renewableServiceTicket.isExpired()) {
                    LOGGER.info("Service ticket [{}] has expired.", str);
                    throw new InvalidTicketException(str);
                }
                // The ticket's bound service must match the presenting service.
                if (!this.configurationContext.getServiceMatchingStrategy().matches(resolveServiceFromAuthenticationRequest, resolveServiceFromAuthenticationRequest2)) {
                    LOGGER.error("Service ticket [{}] with service [{}] does not match supplied service [{}]", new Object[]{str, renewableServiceTicket.getService().getId(), resolveServiceFromAuthenticationRequest2.getId()});
                    throw new UnrecognizableServiceForServiceTicketValidationException(resolveServiceFromAuthenticationRequest);
                }
                // Records this use on the ticket (presumably what drives the isExpired() result checked during cleanup).
                renewableServiceTicket.update();
                if (!renewableServiceTicket.isStateless()) {
                    this.configurationContext.getTicketRegistry().updateTicket(renewableServiceTicket);
                }
                return renewableServiceTicket;
            }));
            RegisteredService findServiceBy = this.configurationContext.getServicesManager().findServiceBy(resolveServiceFromAuthenticationRequest);
            LOGGER.trace("Located registered service definition [{}] from [{}] to handle validation request", findServiceBy, resolveServiceFromAuthenticationRequest);
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(resolveServiceFromAuthenticationRequest, findServiceBy);
            TicketGrantingTicket ticketGrantingTicket = renewableServiceTicket.getTicketGrantingTicket();
            // Stateless tickets carry their own authentication; otherwise the root of the TGT chain is used.
            Authentication authenticationSatisfiedByPolicy = getAuthenticationSatisfiedByPolicy(renewableServiceTicket.isStateless() ? renewableServiceTicket.getAuthentication() : ticketGrantingTicket.getRoot().getAuthentication(), resolveServiceFromAuthenticationRequest, findServiceBy);
            Principal rebuildStatelessTicketPrincipal = renewableServiceTicket.isStateless() ? rebuildStatelessTicketPrincipal(renewableServiceTicket) : authenticationSatisfiedByPolicy.getPrincipal();
            // A registered service without a release policy is a configuration error, surfaced as an NPE here.
            RegisteredServiceAttributeReleasePolicy registeredServiceAttributeReleasePolicy = (RegisteredServiceAttributeReleasePolicy) Objects.requireNonNull(findServiceBy.getAttributeReleasePolicy());
            LOGGER.debug("Attribute policy [{}] is associated with service [{}]", registeredServiceAttributeReleasePolicy, findServiceBy);
            Map attributes = registeredServiceAttributeReleasePolicy.getAttributes(RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(findServiceBy).service(resolveServiceFromAuthenticationRequest).principal(rebuildStatelessTicketPrincipal).applicationContext(this.configurationContext.getApplicationContext()).build());
            // Only attribute names are logged, not values.
            LOGGER.debug("Calculated attributes for release per the release policy are [{}]", attributes.keySet());
            AuthenticationBuilder of = DefaultAuthenticationBuilder.of(this.configurationContext.getApplicationContext(), rebuildStatelessTicketPrincipal, this.configurationContext.getPrincipalFactory(), attributes, resolveServiceFromAuthenticationRequest, findServiceBy, authenticationSatisfiedByPolicy);
            LOGGER.debug("Principal determined for release to [{}] is [{}]", findServiceBy.getServiceId(), of.getPrincipal().getId());
            of.addAttribute("isFromNewLogin", CollectionUtils.wrap(Boolean.valueOf(renewableServiceTicket.isFromNewLogin())));
            of.addAttribute("longTermAuthenticationRequestTokenUsed", CollectionUtils.wrap(CoreAuthenticationUtils.isRememberMeAuthentication(authenticationSatisfiedByPolicy)));
            Authentication build = of.build();
            // NOTE(review): this second release context uses the raw 'service' parameter, whereas the first one
            // above used the resolved ticket service — confirm the asymmetry is intended.
            Map attributes2 = findServiceBy.getAttributeReleasePolicy().getAttributes(RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(findServiceBy).service(service).applicationContext(this.configurationContext.getApplicationContext()).principal(rebuildStatelessTicketPrincipal).build());
            AttributeMerger attributeMerger = CoreAuthenticationUtils.getAttributeMerger(PrincipalAttributesCoreProperties.MergingStrategyTypes.MULTIVALUED);
            // Final access check against everything merged: source principal, source authentication,
            // released principal, released authentication, then the second release-policy result.
            enforceRegisteredServiceAccess(resolveServiceFromAuthenticationRequest, findServiceBy, this.configurationContext.getPrincipalFactory().createPrincipal(rebuildStatelessTicketPrincipal.getId(), CoreAuthenticationUtils.mergeAttributes(CoreAuthenticationUtils.mergeAttributes(CoreAuthenticationUtils.mergeAttributes(CoreAuthenticationUtils.mergeAttributes(rebuildStatelessTicketPrincipal.getAttributes(), authenticationSatisfiedByPolicy.getAttributes(), attributeMerger), build.getPrincipal().getAttributes(), attributeMerger), build.getAttributes(), attributeMerger), attributes2, attributeMerger)));
            // Assertion context: stateless tickets carry the principal id, others the root TGT id.
            Assertion assemble = DefaultAssertionBuilder.builder().primaryAuthentication(build).originalAuthentication(authenticationSatisfiedByPolicy).service(resolveServiceFromAuthenticationRequest).registeredService(findServiceBy).authentications(renewableServiceTicket.isStateless() ? List.of(renewableServiceTicket.getAuthentication()) : ticketGrantingTicket.getChainedAuthentications()).newLogin(renewableServiceTicket.isFromNewLogin()).stateless(renewableServiceTicket.isStateless()).context(renewableServiceTicket.isStateless() ? CollectionUtils.wrap(Principal.class.getName(), authenticationSatisfiedByPolicy.getPrincipal().getId()) : CollectionUtils.wrap(TicketGrantingTicket.class.getName(), ticketGrantingTicket.getRoot().getId())).build().assemble();
            doPublishEvent(new CasServiceTicketValidatedEvent(this, renewableServiceTicket, assemble, ClientInfoHolder.getClientInfo()));
            // Success-path cleanup (same as the catch block below).
            if (!renewableServiceTicket.isStateless()) {
                if (renewableServiceTicket.isExpired()) {
                    this.configurationContext.getTicketRegistry().deleteTicket(str);
                } else {
                    this.configurationContext.getTicketRegistry().updateTicket(renewableServiceTicket);
                }
            }
            return assemble;
        } catch (Throwable th) {
            // Failure-path cleanup; the ticket is non-null here because it was checked before the try.
            if (!renewableServiceTicket.isStateless()) {
                if (renewableServiceTicket.isExpired()) {
                    this.configurationContext.getTicketRegistry().deleteTicket(str);
                } else {
                    this.configurationContext.getTicketRegistry().updateTicket(renewableServiceTicket);
                }
            }
            throw th;
        }
    }

    /**
     * Creates a proxy-granting ticket from a validated service ticket.
     *
     * <p>The service ticket must exist and be unexpired (otherwise {@link InvalidTicketException}).
     * Access is enforced through the {@code AuditableContext} overload with the service ticket and the
     * authentication result, and the registered service's proxy policy must allow proxying; otherwise
     * the attempt is logged at WARN and rejected with {@link UnauthorizedProxyingException}. Ticket
     * creation runs under the lock repository keyed by the service ticket id: the PGT is bound to the
     * service ticket and the result's authentication, added to the registry, and the owning TGT is
     * written back unless the service ticket is stateless. An empty lock-repository result is also
     * reported as {@link UnauthorizedProxyingException}.
     *
     * <p>NOTE(review): {@code isTicketAuthenticityVerified} is applied in {@code validateServiceTicket}
     * but not here, and the registered service is dereferenced for its proxy policy without a null
     * check — presumably the access enforcer rejects an unregistered service first; confirm both.
     *
     * @param str                  the service ticket id
     * @param authenticationResult the authentication result of the party requesting proxying
     * @return the proxy-granting ticket as returned by the registry
     * @throws InvalidTicketException        when the service ticket is missing or expired
     * @throws UnauthorizedProxyingException when the service may not proxy or the lock yields nothing
     * @throws Throwable                     from access enforcement, the factory or the registry
     */
    @Audit(action = "PROXY_GRANTING_TICKET", actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
    public Ticket createProxyGrantingTicket(String str, AuthenticationResult authenticationResult) throws Throwable {
        ServiceTicket ticket = this.configurationContext.getTicketRegistry().getTicket(str, ServiceTicket.class);
        if (ticket == null || ticket.isExpired()) {
            LOGGER.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", str);
            throw new InvalidTicketException(str);
        }
        CasModelRegisteredService findServiceBy = this.configurationContext.getServicesManager().findServiceBy(ticket.getService());
        enforceRegisteredServiceAccess(AuditableContext.builder().serviceTicket(ticket).authenticationResult(authenticationResult).registeredService(findServiceBy).build());
        if (findServiceBy.getProxyPolicy().isAllowedToProxy()) {
            return (Ticket) this.configurationContext.getLockRepository().execute(ticket.getId(), Unchecked.supplier(() -> {
                ProxyGrantingTicket create = this.configurationContext.getTicketFactory().get(ProxyGrantingTicket.class).create(ticket, authenticationResult.getAuthentication());
                Ticket addTicket = this.configurationContext.getTicketRegistry().addTicket(create);
                LOGGER.debug("Generated proxy granting ticket [{}] based off of [{}]", create, str);
                // The TGT owning the service ticket is written back, not the service ticket itself.
                if (!ticket.isStateless()) {
                    this.configurationContext.getTicketRegistry().updateTicket(ticket.getTicketGrantingTicket());
                }
                doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, addTicket, ClientInfoHolder.getClientInfo()));
                return addTicket;
            })).orElseThrow(UnauthorizedProxyingException::new);
        }
        LOGGER.warn("Service [{}] attempted to proxy, but is not allowed.", ticket.getService().getId());
        throw new UnauthorizedProxyingException();
    }

    /**
     * Enforces access for a service on behalf of an authentication.
     *
     * <p>The principal handed to the enforcer carries the authentication principal's attributes merged
     * (two-argument {@code mergeAttributes}, i.e. whatever merger that overload defaults to) with the
     * release-policy attributes, over which the authentication's own attributes are written with
     * {@code putAll}, so same-named authentication attributes win over released ones.
     *
     * <p>NOTE(review): {@code registeredService} is dereferenced without a null check, and
     * {@code putAll} mutates the map returned by the release policy — acceptable only if that map is a
     * fresh copy; confirm against the policy implementations.
     *
     * @param authentication    the authentication whose principal and attributes are evaluated
     * @param service           the (already resolved) target service
     * @param registeredService the service's registration; must not be {@code null}
     * @throws Throwable when the access strategy denies access
     */
    private void enforceRegisteredServiceAccess(Authentication authentication, Service service, RegisteredService registeredService) throws Throwable {
        Map attributes = registeredService.getAttributeReleasePolicy().getAttributes(RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(registeredService).service(service).principal(authentication.getPrincipal()).applicationContext(this.configurationContext.getApplicationContext()).build());
        attributes.putAll(authentication.getAttributes());
        enforceRegisteredServiceAccess(AuditableContext.builder().service(service).principal(this.configurationContext.getPrincipalFactory().createPrincipal(authentication.getPrincipal().getId(), CoreAuthenticationUtils.mergeAttributes(authentication.getPrincipal().getAttributes(), attributes))).registeredService(registeredService).build());
    }

    /**
     * Single choke point for access decisions: runs the configured access-strategy enforcer on the
     * context and lets its result throw when access is denied.
     *
     * @param auditableContext what is being accessed and by whom (service, principal/ticket, registration)
     * @throws Throwable whatever the enforcer's result raises for a denial
     */
    protected void enforceRegisteredServiceAccess(AuditableContext auditableContext) throws Throwable {
        this.configurationContext.getRegisteredServiceAccessStrategyEnforcer().execute(auditableContext).throwExceptionIfNeeded();
    }

    /**
     * Enforces access for a service using an explicit, already-merged principal.
     *
     * @param service           the target service
     * @param registeredService the service's registration
     * @param principal         the principal (and attributes) the access strategy evaluates
     * @throws Throwable when the access strategy denies access
     */
    private void enforceRegisteredServiceAccess(Service service, RegisteredService registeredService, Principal principal) throws Throwable {
        enforceRegisteredServiceAccess(AuditableContext.builder().service(service).principal(principal).registeredService(registeredService).build());
    }

    /**
     * Enforces access for a service using a ticket-granting ticket as the subject (used for proxy
     * tickets, where the PGT is passed as the TGT).
     *
     * @param service              the target service
     * @param ticketGrantingTicket the ticket whose owner is evaluated
     * @param registeredService    the service's registration
     * @throws Throwable when the access strategy denies access
     */
    private void enforceRegisteredServiceAccess(Service service, TicketGrantingTicket ticketGrantingTicket, RegisteredService registeredService) throws Throwable {
        enforceRegisteredServiceAccess(AuditableContext.builder().service(service).ticketGrantingTicket(ticketGrantingTicket).registeredService(registeredService).build());
    }

    /**
     * Re-resolves the principal of a stateless service ticket through the configured principal
     * resolver, since such a ticket has no TGT chain to take the principal from. The resolver is
     * seeded with a credential built from the stored principal's id, the stored principal itself, an
     * empty third argument (presumably the authentication-handler slot — confirm against the
     * resolver's signature) and the ticket's service.
     *
     * @param serviceTicket a stateless service ticket carrying its own authentication
     * @return the freshly resolved principal
     * @throws Throwable from the principal resolver
     */
    protected Principal rebuildStatelessTicketPrincipal(ServiceTicket serviceTicket) throws Throwable {
        Authentication authentication = serviceTicket.getAuthentication();
        return this.configurationContext.getPrincipalResolver().resolve(new BasicIdentifiableCredential(authentication.getPrincipal().getId()), Optional.of(authentication.getPrincipal()), Optional.empty(), Optional.of(serviceTicket.getService()));
    }

    /**
     * Guards against a service ticket being issued to a principal other than the one who owns the
     * ticket-granting ticket.
     *
     * @param authenticationResult the authentication presented with the request; {@code null} yields a
     *                             warning and a {@code null} return
     * @param ticketGrantingTicket the TGT whose authentication is the reference; dereferenced without a
     *                             null check when the result carries an authentication
     * @return the result's authentication (possibly {@code null} when the result has none), for use in
     *         the subsequent policy check
     * @throws MixedPrincipalException when the two principals are not {@code equals}
     */
    private static Authentication evaluatePossibilityOfMixedPrincipals(AuthenticationResult authenticationResult, TicketGrantingTicket ticketGrantingTicket) {
        if (authenticationResult == null) {
            LOGGER.warn("Provided authentication result is undefined to evaluate for mixed principals");
            return null;
        }
        Authentication authentication = authenticationResult.getAuthentication();
        if (authentication != null) {
            Authentication authentication2 = ticketGrantingTicket.getAuthentication();
            // Principal identity is decided by Principal#equals, not by id comparison.
            if (!authentication.getPrincipal().equals(authentication2.getPrincipal())) {
                throw new MixedPrincipalException(authentication, authentication.getPrincipal(), authentication2.getPrincipal());
            }
        }
        return authentication;
    }
}
