package org.apereo.cas.oidc.profile;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.oidc.claims.BaseOidcScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcAddressScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcCustomScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcPhoneScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcProfileScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.mapping.OidcAttributeToScopeClaimMapper;
import org.apereo.cas.services.ChainingAttributeReleasePolicy;
import org.apereo.cas.services.DenyAllAttributeReleasePolicy;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.profile.DefaultOAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.jooq.lambda.Unchecked;
import org.pac4j.core.context.J2EContext;
import org.reflections.Reflections;
import org.reflections.scanners.Scanner;
import org.reflections.scanners.SubTypesScanner;
import org.reflections.util.ClasspathHelper;
import org.reflections.util.ConfigurationBuilder;
import org.reflections.util.FilterBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/oidc/profile/OidcProfileScopeToAttributesFilter.class */
public class OidcProfileScopeToAttributesFilter extends DefaultOAuth20ProfileScopeToAttributesFilter {
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcProfileScopeToAttributesFilter.class);
    private final Map<String, BaseOidcScopeAttributeReleasePolicy> filters = new HashMap();
    private final Collection<BaseOidcScopeAttributeReleasePolicy> userScopes;
    private final OidcAttributeToScopeClaimMapper attributeToScopeClaimMapper;
    private final PrincipalFactory principalFactory;
    private final ServicesManager servicesManager;

    public OidcProfileScopeToAttributesFilter(PrincipalFactory principalFactory, ServicesManager servicesManager, Collection<BaseOidcScopeAttributeReleasePolicy> collection, OidcAttributeToScopeClaimMapper oidcAttributeToScopeClaimMapper) {
        this.attributeToScopeClaimMapper = oidcAttributeToScopeClaimMapper;
        String name = BaseOidcScopeAttributeReleasePolicy.class.getPackage().getName();
        new Reflections(new ConfigurationBuilder().filterInputsBy(new FilterBuilder().includePackage(new String[]{name})).setUrls(ClasspathHelper.forPackage(name, new ClassLoader[0])).setScanners(new Scanner[]{new SubTypesScanner(true)})).getSubTypesOf(BaseOidcScopeAttributeReleasePolicy.class).forEach(Unchecked.consumer(cls -> {
            BaseOidcScopeAttributeReleasePolicy baseOidcScopeAttributeReleasePolicy = (BaseOidcScopeAttributeReleasePolicy) cls.newInstance();
            this.filters.put(baseOidcScopeAttributeReleasePolicy.getScopeName(), baseOidcScopeAttributeReleasePolicy);
        }));
        collection.forEach(baseOidcScopeAttributeReleasePolicy -> {
            this.filters.put(baseOidcScopeAttributeReleasePolicy.getScopeName(), baseOidcScopeAttributeReleasePolicy);
        });
        this.principalFactory = principalFactory;
        this.servicesManager = servicesManager;
        this.userScopes = collection;
    }

    public Principal filter(Service service, Principal principal, RegisteredService registeredService, J2EContext j2EContext) {
        Principal filter = super.filter(service, principal, registeredService, j2EContext);
        if (!(registeredService instanceof OidcRegisteredService)) {
            return filter;
        }
        OidcRegisteredService oidcRegisteredService = (OidcRegisteredService) registeredService;
        ArrayList arrayList = new ArrayList(OAuth20Utils.getRequestedScopes(j2EContext));
        arrayList.addAll(oidcRegisteredService.getScopes());
        if (!arrayList.contains("openid")) {
            LOGGER.debug("Request does not indicate a scope [{}] that can identify OpenID Connect", arrayList);
            return filter;
        }
        HashMap hashMap = new HashMap();
        filterAttributesByScope(arrayList, hashMap, filter, service, oidcRegisteredService);
        return this.principalFactory.createPrincipal(principal.getId(), hashMap);
    }

    private void filterAttributesByScope(Collection<String> collection, Map<String, Object> map, Principal principal, Service service, RegisteredService registeredService) {
        collection.stream().distinct().filter(str -> {
            return this.filters.containsKey(str);
        }).forEach(str2 -> {
            map.putAll(this.filters.get(str2).getAttributes(principal, service, registeredService));
        });
    }

    public void reconcile(RegisteredService registeredService) {
        if (!(registeredService instanceof OidcRegisteredService)) {
            super.reconcile(registeredService);
            return;
        }
        LOGGER.debug("Reconciling scopes and claims for [{}]", registeredService.getServiceId());
        ArrayList arrayList = new ArrayList();
        ChainingAttributeReleasePolicy chainingAttributeReleasePolicy = new ChainingAttributeReleasePolicy();
        OidcRegisteredService oidcRegisteredService = (OidcRegisteredService) OidcRegisteredService.class.cast(registeredService);
        oidcRegisteredService.getScopes().forEach(str -> {
            LOGGER.debug("Reviewing scope [{}] for [{}]", str, registeredService.getServiceId());
            String lowerCase = str.trim().toLowerCase();
            boolean z = -1;
            switch (lowerCase.hashCode()) {
                case -1349088399:
                    if (lowerCase.equals("custom")) {
                        z = 5;
                        break;
                    }
                    break;
                case -1147692044:
                    if (lowerCase.equals("address")) {
                        z = true;
                        break;
                    }
                    break;
                case -309425751:
                    if (lowerCase.equals("profile")) {
                        z = 2;
                        break;
                    }
                    break;
                case 96619420:
                    if (lowerCase.equals("email")) {
                        z = false;
                        break;
                    }
                    break;
                case 106642798:
                    if (lowerCase.equals("phone")) {
                        z = 3;
                        break;
                    }
                    break;
                case 144166720:
                    if (lowerCase.equals("offline_access")) {
                        z = 4;
                        break;
                    }
                    break;
            }
            switch (z) {
                case false:
                    LOGGER.debug("Mapped [{}] to attribute release policy [{}]", str, OidcEmailScopeAttributeReleasePolicy.class.getSimpleName());
                    chainingAttributeReleasePolicy.getPolicies().add(new OidcEmailScopeAttributeReleasePolicy());
                    return;
                case true:
                    LOGGER.debug("Mapped [{}] to attribute release policy [{}]", str, OidcAddressScopeAttributeReleasePolicy.class.getSimpleName());
                    chainingAttributeReleasePolicy.getPolicies().add(new OidcAddressScopeAttributeReleasePolicy());
                    return;
                case true:
                    LOGGER.debug("Mapped [{}] to attribute release policy [{}]", str, OidcProfileScopeAttributeReleasePolicy.class.getSimpleName());
                    chainingAttributeReleasePolicy.getPolicies().add(new OidcProfileScopeAttributeReleasePolicy());
                    return;
                case true:
                    LOGGER.debug("Mapped [{}] to attribute release policy [{}]", str, OidcProfileScopeAttributeReleasePolicy.class.getSimpleName());
                    chainingAttributeReleasePolicy.getPolicies().add(new OidcPhoneScopeAttributeReleasePolicy());
                    return;
                case true:
                    LOGGER.debug("Given scope [{}], service [{}] is marked to generate refresh tokens", str, Long.valueOf(registeredService.getId()));
                    oidcRegisteredService.setGenerateRefreshToken(Boolean.TRUE);
                    return;
                case true:
                    LOGGER.debug("Found custom scope [{}] for service [{}]", str, Long.valueOf(registeredService.getId()));
                    arrayList.add(str.trim());
                    return;
                default:
                    LOGGER.debug("[{}] appears to be a user-defined scope and does not match any of the predefined standard scopes. Checking [{}] against user-defined scopes provided as [{}]", new Object[]{str, str, this.userScopes});
                    BaseOidcScopeAttributeReleasePolicy orElse = this.userScopes.stream().filter(baseOidcScopeAttributeReleasePolicy -> {
                        return baseOidcScopeAttributeReleasePolicy.getScopeName().equals(str.trim());
                    }).findFirst().orElse(null);
                    if (orElse != null) {
                        LOGGER.debug("Mapped user-defined scope [{}] to attribute release policy [{}]", str, orElse);
                        chainingAttributeReleasePolicy.getPolicies().add(orElse);
                        return;
                    }
                    return;
            }
        });
        arrayList.remove("openid");
        if (!arrayList.isEmpty()) {
            LOGGER.debug("Mapped scopes [{}] to attribute release policy [{}]", arrayList, OidcCustomScopeAttributeReleasePolicy.class.getSimpleName());
            chainingAttributeReleasePolicy.getPolicies().add(new OidcCustomScopeAttributeReleasePolicy(arrayList));
        }
        if (chainingAttributeReleasePolicy.getPolicies().isEmpty()) {
            LOGGER.warn("No attribute release policy could be determined based on given scopes. No claims/attributes will be released to [{}]", Long.valueOf(registeredService.getId()));
            oidcRegisteredService.setAttributeReleasePolicy(new DenyAllAttributeReleasePolicy());
        } else {
            oidcRegisteredService.setAttributeReleasePolicy(chainingAttributeReleasePolicy);
        }
        LOGGER.debug("Scope/claim reconciliation for service [{}] resulted in the following attribute release policy [{}]", registeredService.getServiceId(), oidcRegisteredService.getAttributeReleasePolicy());
        if (oidcRegisteredService.equals(registeredService)) {
            LOGGER.debug("No changes detected in service [{}] after scope/claim reconciliation", Long.valueOf(registeredService.getId()));
            return;
        }
        LOGGER.debug("Saving scope/claim reconciliation results for service [{}] into registry", registeredService.getServiceId());
        this.servicesManager.save(oidcRegisteredService);
        LOGGER.debug("Saved service [{}] into registry", registeredService.getServiceId());
    }
}
