package org.apereo.cas.web;

import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import lombok.Generated;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.Ticket;
import org.apereo.cas.ticket.TicketFactory;
import org.apereo.cas.ticket.TransientSessionTicket;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.web.support.ArgumentExtractor;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.cas.client.CasClient;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.util.generator.StaticValueGenerator;
import org.pac4j.oauth.client.OAuth10Client;
import org.pac4j.oauth.client.OAuth20Client;
import org.pac4j.oauth.config.OAuth20Configuration;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.saml.client.SAML2Client;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.webflow.execution.RequestContext;

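/**
 * Tracks a delegated (external identity provider) authentication request across the redirect to
 * the provider and back.
 *
 * <p>{@link #store} creates a {@link TransientSessionTicket} holding the requested service and a
 * few request parameters, then hands the ticket id to the client as its correlation value.
 * {@link #retrieve} resolves that id on the way back, restores the saved values into the flow and
 * deletes the ticket.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The ticket id is the only key used to find the saved request, and for SAML2, OAuth2 and
 *       OIDC it is read back from request parameters ({@code RelayState} / {@code state}), so it
 *       is caller-supplied on return.</li>
 *   <li>NOTE(review): nothing in this class compares the returned id with a value held in the
 *       browser session for SAML2, OAuth2 or OIDC. Whether the callback is bound to the
 *       initiating session is decided elsewhere; confirm.</li>
 *   <li>The saved theme, locale and {@code method} values are copied from the request unvalidated
 *       and later restored as request attributes; consumers should treat them as untrusted.</li>
 * </ul>
 */
@Transactional(transactionManager = "ticketTransactionManager")
/* loaded from: input_file:org/apereo/cas/web/DelegatedClientWebflowManager.class */
public class DelegatedClientWebflowManager {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatedClientWebflowManager.class);
    /** Request parameter / request attribute name that carries the ticket id. */
    public static final String PARAMETER_CLIENT_ID = "delegatedclientid";
    private static final String OAUTH10_CLIENT_ID_SESSION_KEY = "OAUTH10_CLIENT_ID";
    private static final String CAS_CLIENT_ID_SESSION_KEY = "CAS_CLIENT_ID";
    private final TicketRegistry ticketRegistry;
    private final TicketFactory ticketFactory;
    private final CasConfigurationProperties casProperties;
    private final AuthenticationServiceSelectionPlan authenticationRequestServiceSelectionStrategies;
    private final ArgumentExtractor argumentExtractor;

    /**
     * Saves the current authentication request in a transient ticket and attaches the ticket id
     * to the outgoing delegated request.
     *
     * @param jEEContext the current web context; the service is extracted from its native request
     * @param baseClient the delegated client about to be invoked; its type decides where the
     *                   ticket id is placed
     * @return the ticket that was added to the registry
     */
    public Ticket store(JEEContext jEEContext, BaseClient baseClient) {
        Map<String, Serializable> buildTicketProperties = buildTicketProperties(jEEContext);
        WebApplicationService extractService = this.argumentExtractor.extractService(jEEContext.getNativeRequest());
        Service resolveService = this.authenticationRequestServiceSelectionStrategies.resolveService(extractService);
        buildTicketProperties.put("service", extractService);
        buildTicketProperties.put("targetService", resolveService);
        TransientSessionTicket create = this.ticketFactory.get(TransientSessionTicket.class).create(extractService, buildTicketProperties);
        String id = create.getId();
        // The id written here is the same value later accepted as the lookup key in retrieve(),
        // so debug logs of this class contain a live correlation token until the ticket is removed.
        LOGGER.debug("Storing delegated authentication request ticket [{}] for service [{}] with properties [{}]",
            id, create.getService(), create.getProperties());
        this.ticketRegistry.addTicket(create);
        jEEContext.setRequestAttribute(PARAMETER_CLIENT_ID, id);
        SessionStore sessionStore = jEEContext.getSessionStore();
        if (baseClient instanceof SAML2Client) {
            sessionStore.set(jEEContext, "samlRelayState", id);
        }
        // NOTE(review): the two branches below change the client's own configuration object. If
        // client instances are shared between concurrent requests (not visible in this class), one
        // request's state generator can be replaced by another's before its redirect is built,
        // which would mix up the state values of the two logins. Confirm how clients are scoped.
        if (baseClient instanceof OAuth20Client) {
            OAuth20Configuration oauthConfiguration = ((OAuth20Client) baseClient).getConfiguration();
            oauthConfiguration.setWithState(true);
            oauthConfiguration.setStateGenerator(new StaticValueGenerator(id));
        }
        if (baseClient instanceof OidcClient) {
            OidcConfiguration oidcConfiguration = ((OidcClient) baseClient).getConfiguration();
            oidcConfiguration.setWithState(true);
            oidcConfiguration.setStateGenerator(new StaticValueGenerator(id));
        }
        if (baseClient instanceof CasClient) {
            sessionStore.set(jEEContext, CAS_CLIENT_ID_SESSION_KEY, id);
        }
        if (baseClient instanceof OAuth10Client) {
            sessionStore.set(jEEContext, OAUTH10_CLIENT_ID_SESSION_KEY, id);
        }
        return create;
    }

    /**
     * Collects the request parameters that are saved with the ticket: the configured theme and
     * locale parameters plus {@code method}. A missing parameter is stored as an empty string.
     *
     * @param jEEContext the current web context
     * @return a new mutable map; {@link #store} adds further entries to it
     */
    protected Map<String, Serializable> buildTicketProperties(JEEContext jEEContext) {
        Map<String, Serializable> properties = new HashMap<>();
        String themeParamName = this.casProperties.getTheme().getParamName();
        String localeParamName = this.casProperties.getLocale().getParamName();
        // Values are taken from the request as-is; no validation happens here.
        properties.put(themeParamName, requestParameterOrEmpty(jEEContext, themeParamName));
        properties.put(localeParamName, requestParameterOrEmpty(jEEContext, localeParamName));
        properties.put("method", requestParameterOrEmpty(jEEContext, "method"));
        return properties;
    }

    /** Returns the named request parameter as a string, or {@code ""} when it is absent. */
    private static String requestParameterOrEmpty(JEEContext jEEContext, String name) {
        Optional<?> value = jEEContext.getRequestParameter(name);
        return value.map(String::valueOf).orElse("");
    }

    /**
     * Resolves the ticket named by the incoming request, restores the saved request and removes
     * the ticket from the registry.
     *
     * <p>The ticket is deleted only after the restore step returns, so the identifier is consumed
     * on the success path; if restoring throws, the ticket stays in the registry until it is
     * removed by other means.
     *
     * @param requestContext the webflow request context that receives the service
     * @param webContext     the current web context
     * @param baseClient     the delegated client handling the response
     * @return the service stored with the ticket
     * @throws UnauthorizedServiceException if no ticket is found or the ticket has expired
     */
    public Service retrieve(RequestContext requestContext, WebContext webContext, BaseClient baseClient) {
        String clientId = getDelegatedClientId(webContext, baseClient);
        TransientSessionTicket ticket = retrieveSessionTicketViaClientId(webContext, clientId);
        restoreDelegatedAuthenticationRequest(requestContext, webContext, ticket);
        LOGGER.debug("Removing delegated client identifier [{}] from registry", ticket.getId());
        this.ticketRegistry.deleteTicket(ticket.getId());
        return ticket.getService();
    }

    /**
     * Puts the saved service into flow scope and copies the saved service, theme, locale and
     * {@code method} values back onto the request as attributes.
     *
     * @param requestContext         the webflow request context
     * @param webContext             the current web context
     * @param transientSessionTicket the ticket holding the saved request
     * @return the service stored with the ticket
     */
    protected Service restoreDelegatedAuthenticationRequest(RequestContext requestContext, WebContext webContext, TransientSessionTicket transientSessionTicket) {
        Service service = transientSessionTicket.getService();
        LOGGER.trace("Restoring requested service [{}] back in the authentication flow", service);
        WebUtils.putServiceIntoFlowScope(requestContext, service);
        webContext.setRequestAttribute("service", service);
        String themeParamName = this.casProperties.getTheme().getParamName();
        String localeParamName = this.casProperties.getLocale().getParamName();
        Map<?, ?> properties = transientSessionTicket.getProperties();
        // These values originate from the request that started the flow (see buildTicketProperties).
        webContext.setRequestAttribute(themeParamName, properties.get(themeParamName));
        webContext.setRequestAttribute(localeParamName, properties.get(localeParamName));
        webContext.setRequestAttribute("method", properties.get("method"));
        return service;
    }

    /**
     * Looks up the transient ticket for the given identifier and rejects missing or expired ones.
     * An expired ticket is deleted from the registry before the exception is thrown.
     *
     * @param webContext the current web context, used for the error log only
     * @param str        the ticket id taken from the incoming request or session
     * @return the live ticket
     * @throws UnauthorizedServiceException if the id is blank, unknown, or names an expired ticket
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public TransientSessionTicket retrieveSessionTicketViaClientId(WebContext webContext, String str) {
        // getDelegatedClientId yields "" when the request carried no identifier; treat that (and
        // null) as "not found" without sending an empty key to the registry.
        TransientSessionTicket ticket = (str == null || str.isBlank())
            ? null
            : this.ticketRegistry.getTicket(str, TransientSessionTicket.class);
        if (ticket == null) {
            // NOTE(review): the full request URL is written to the error log; on a provider
            // callback it presumably includes the query string. Confirm that is acceptable.
            LOGGER.error("Delegated client identifier cannot be located in the authentication request [{}]", webContext.getFullRequestURL());
            throw new UnauthorizedServiceException("screen.service.error.message", "");
        }
        if (ticket.isExpired()) {
            LOGGER.error("Delegated client identifier [{}] has expired in the authentication request", ticket.getId());
            this.ticketRegistry.deleteTicket(ticket.getId());
            throw new UnauthorizedServiceException("screen.service.error.message", "");
        }
        LOGGER.debug("Located delegated client identifier as [{}]", ticket.getId());
        return ticket;
    }

    /**
     * Finds the ticket id in the incoming request.
     *
     * <p>The {@value #PARAMETER_CLIENT_ID} request parameter wins when present. Otherwise the
     * location depends on the client type: {@code RelayState} for SAML2, {@code state} for
     * OAuth2/OIDC (both request parameters), and the session store for OAuth1 and CAS, where the
     * stored value is cleared once read.
     *
     * @param webContext the current web context
     * @param baseClient the delegated client handling the response
     * @return the identifier as a string, or {@code ""} when none was found
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String getDelegatedClientId(WebContext webContext, BaseClient baseClient) {
        // Optional<?> because request parameters and session-store values have different element types.
        Optional<?> requestParameter = webContext.getRequestParameter(PARAMETER_CLIENT_ID);
        if (requestParameter.isEmpty()) {
            if (baseClient instanceof SAML2Client) {
                LOGGER.debug("Client identifier could not found as part of the request parameters. Looking at relay-state for the SAML2 client");
                requestParameter = webContext.getRequestParameter("RelayState");
            }
            if ((baseClient instanceof OAuth20Client) || (baseClient instanceof OidcClient)) {
                LOGGER.debug("Client identifier could not found as part of the request parameters. Looking at state for the OAuth2/Oidc client");
                requestParameter = webContext.getRequestParameter("state");
            }
            if (baseClient instanceof OAuth10Client) {
                LOGGER.debug("Client identifier could not be found as part of request parameters. Looking at the session store for the OAuth1 client");
                SessionStore sessionStore = webContext.getSessionStore();
                requestParameter = sessionStore.get(webContext, OAUTH10_CLIENT_ID_SESSION_KEY);
                // Clear the stored id so it is read from the session only once.
                sessionStore.set(webContext, OAUTH10_CLIENT_ID_SESSION_KEY, (Object) null);
            }
            if (baseClient instanceof CasClient) {
                LOGGER.debug("Client identifier could not be found as part of request parameters. Looking at the session store for the CAS client");
                SessionStore sessionStore2 = webContext.getSessionStore();
                requestParameter = sessionStore2.get(webContext, CAS_CLIENT_ID_SESSION_KEY);
                // Clear the stored id so it is read from the session only once.
                sessionStore2.set(webContext, CAS_CLIENT_ID_SESSION_KEY, (Object) null);
            }
        }
        LOGGER.debug("Located delegated client identifier for this request as [{}]", requestParameter);
        return requestParameter.map(String::valueOf).orElse("");
    }

    /**
     * Creates the manager with its collaborators; every argument is stored as given.
     *
     * @param ticketRegistry                     registry that stores and resolves the transient tickets
     * @param ticketFactory                      factory used to create the transient tickets
     * @param casConfigurationProperties         source of the theme and locale parameter names
     * @param authenticationServiceSelectionPlan resolves the target service for a requested service
     * @param argumentExtractor                  extracts the requested service from the native request
     */
    @Generated
    public DelegatedClientWebflowManager(TicketRegistry ticketRegistry, TicketFactory ticketFactory, CasConfigurationProperties casConfigurationProperties, AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan, ArgumentExtractor argumentExtractor) {
        this.ticketRegistry = ticketRegistry;
        this.ticketFactory = ticketFactory;
        this.casProperties = casConfigurationProperties;
        this.authenticationRequestServiceSelectionStrategies = authenticationServiceSelectionPlan;
        this.argumentExtractor = argumentExtractor;
    }
}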
