package org.apereo.cas.web.flow;

import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceDelegatedAuthenticationPolicy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.validation.DelegatedAuthenticationAccessStrategyHelper;
import org.apereo.cas.web.DelegatedClientIdentityProviderConfiguration;
import org.apereo.cas.web.DelegatedClientIdentityProviderConfigurationFactory;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.core.client.Client;
import org.pac4j.core.client.Clients;
import org.pac4j.core.client.IndirectClient;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/web/flow/DelegatedClientIdentityProviderConfigurationFunction.class */
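/**
 * Builds the set of delegated identity-provider configurations that may be offered for the
 * current webflow request.
 *
 * <p>Each configured client is considered only when it is an {@link IndirectClient} and the
 * access-strategy helper authorizes it for the resolved service. While the set is built, the
 * function also decides whether one provider becomes the "primary" provider in the flow, which is
 * the value written by {@code WebUtils.putDelegatedAuthenticationProviderPrimary}.
 */
public class DelegatedClientIdentityProviderConfigurationFunction implements Function<RequestContext, Set<DelegatedClientIdentityProviderConfiguration>> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatedClientIdentityProviderConfigurationFunction.class);
    private final ServicesManager servicesManager;
    private final AuthenticationServiceSelectionPlan authenticationRequestServiceSelectionStrategies;
    private final Clients clients;
    private final SessionStore<JEEContext> sessionStore;
    private final DelegatedAuthenticationAccessStrategyHelper delegatedAuthenticationAccessStrategyHelper;
    private final CasConfigurationProperties casProperties;

    /**
     * Decides whether the given provider should be recorded as the primary (auto-redirect)
     * provider for this request.
     *
     * <p>Two rules are applied in order. First, when a service is present and its delegated
     * authentication policy is exclusive with exactly one allowed provider whose name matches
     * this provider (case-insensitively), the provider is forced to auto-redirect and stored as
     * primary, replacing any primary stored earlier. Second, when no primary is stored yet and
     * the provider is itself flagged for auto-redirect, it is stored as primary.
     *
     * @param requestContext the webflow request context that holds the primary provider
     * @param webApplicationService the resolved service, or {@code null} when the request has none
     * @param delegatedClientIdentityProviderConfiguration the provider being evaluated
     */
    protected void determineAutoRedirectPolicyForProvider(RequestContext requestContext, WebApplicationService webApplicationService, DelegatedClientIdentityProviderConfiguration delegatedClientIdentityProviderConfiguration) {
        if (webApplicationService != null) {
            RegisteredService registeredService = this.servicesManager.findServiceBy(webApplicationService);
            if (registeredService == null) {
                // Fail closed: without a registered-service definition there is no policy to
                // consult, so no primary provider is chosen for this provider. Dereferencing the
                // null used to raise a NullPointerException that apply() caught and logged, which
                // left the flow in the same state but buried the reason in a stack trace.
                LOGGER.warn("No registered service matches [{}]; skipping auto-redirect evaluation for provider [{}]", webApplicationService, delegatedClientIdentityProviderConfiguration);
                return;
            }
            RegisteredServiceDelegatedAuthenticationPolicy delegatedAuthenticationPolicy = registeredService.getAccessStrategy().getDelegatedAuthenticationPolicy();
            if (delegatedAuthenticationPolicy.isExclusive() && delegatedAuthenticationPolicy.getAllowedProviders().size() == 1 && delegatedClientIdentityProviderConfiguration.getName().equalsIgnoreCase((String) delegatedAuthenticationPolicy.getAllowedProviders().iterator().next())) {
                LOGGER.trace("Registered service [{}] is exclusively allowed to use provider [{}]", registeredService, delegatedClientIdentityProviderConfiguration);
                delegatedClientIdentityProviderConfiguration.setAutoRedirect(true);
                WebUtils.putDelegatedAuthenticationProviderPrimary(requestContext, delegatedClientIdentityProviderConfiguration);
            }
        }
        // Only the first auto-redirect provider becomes primary; an exclusive match above has
        // already stored one, so it is never overridden here.
        if (WebUtils.getDelegatedAuthenticationProviderPrimary(requestContext) == null && delegatedClientIdentityProviderConfiguration.isAutoRedirect()) {
            LOGGER.trace("Provider [{}] is configured to auto-redirect", delegatedClientIdentityProviderConfiguration);
            WebUtils.putDelegatedAuthenticationProviderPrimary(requestContext, delegatedClientIdentityProviderConfiguration);
        }
    }

    /**
     * Asks the access-strategy helper whether the client may be used for the service.
     *
     * @param client the delegated client under consideration
     * @param service the resolved service, possibly {@code null}
     * @return the helper's decision
     */
    private boolean isDelegatedClientAuthorizedForService(Client<Credentials> client, Service service) {
        return this.delegatedAuthenticationAccessStrategyHelper.isDelegatedClientAuthorizedForService(client, service);
    }

    /**
     * Collects the provider configurations for every authorized indirect client.
     *
     * <p>A client that fails to initialize or resolve is logged and skipped, so one broken
     * provider does not hide the others. A non-empty result is also stored in the flow through
     * {@code WebUtils.putDelegatedAuthenticationProviderConfigurations}.
     *
     * @param requestContext the webflow request context
     * @return the resolved provider configurations in client order; empty when none qualify
     */
    @Override // java.util.function.Function
    public Set<DelegatedClientIdentityProviderConfiguration> apply(RequestContext requestContext) {
        WebApplicationService service = WebUtils.getService(requestContext);
        WebApplicationService resolveService = this.authenticationRequestServiceSelectionStrategies.resolveService(service, WebApplicationService.class);
        HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        JEEContext webContext = new JEEContext(request, response, this.sessionStore);
        // NOTE(review): request parameters are written to the DEBUG log here and once per client
        // below. Confirm that the rendered map cannot expose credential, ticket or token values
        // before DEBUG is enabled for this logger in production.
        LOGGER.debug("Initialized context with request parameters [{}]", webContext.getRequestParameters());
        List<?> allClients = this.clients.findAllClients();
        Set<DelegatedClientIdentityProviderConfiguration> providers = new LinkedHashSet<>(allClients.size());
        allClients.stream()
            .filter(IndirectClient.class::isInstance)
            .map(IndirectClient.class::cast)
            // The authorization check uses the resolved service; the factory below receives the
            // service exactly as it arrived on the request.
            .filter(indirectClient -> isDelegatedClientAuthorizedForService(indirectClient, resolveService))
            .forEach(indirectClient -> {
                try {
                    LOGGER.debug("Initializing client [{}] with request parameters [{}]", indirectClient, webContext.getRequestParameters());
                    indirectClient.init();
                    DelegatedClientIdentityProviderConfigurationFactory.builder().client(indirectClient).webContext(webContext).service(service).casProperties(this.casProperties).build().resolve().ifPresent(providerConfiguration -> {
                        providers.add(providerConfiguration);
                        determineAutoRedirectPolicyForProvider(requestContext, resolveService, providerConfiguration);
                    });
                } catch (Exception e) {
                    // Deliberate best effort: a failing client is reported and the rest still load.
                    LOGGER.error("Cannot process client [{}]", indirectClient, e);
                }
            });
        if (!providers.isEmpty()) {
            WebUtils.putDelegatedAuthenticationProviderConfigurations(requestContext, providers);
        } else if (response.getStatus() != HttpStatus.UNAUTHORIZED.value()) {
            // The warning is skipped when the response is already 401.
            LOGGER.warn("No delegated authentication providers could be determined based on the provided configuration. Either no clients are configured, or the current access strategy rules prohibit CAS from using authentication providers");
        }
        return providers;
    }

    /**
     * Creates the function with its collaborators.
     *
     * @param servicesManager looks up the registered service for a requested service
     * @param authenticationServiceSelectionPlan resolves the service used for policy decisions
     * @param clients the configured delegated authentication clients
     * @param sessionStore the session store handed to each {@link JEEContext}
     * @param delegatedAuthenticationAccessStrategyHelper authorizes a client for a service
     * @param casConfigurationProperties CAS settings passed to the provider configuration factory
     */
    @Generated
    public DelegatedClientIdentityProviderConfigurationFunction(ServicesManager servicesManager, AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan, Clients clients, SessionStore<JEEContext> sessionStore, DelegatedAuthenticationAccessStrategyHelper delegatedAuthenticationAccessStrategyHelper, CasConfigurationProperties casConfigurationProperties) {
        this.servicesManager = servicesManager;
        this.authenticationRequestServiceSelectionStrategies = authenticationServiceSelectionPlan;
        this.clients = clients;
        this.sessionStore = sessionStore;
        this.delegatedAuthenticationAccessStrategyHelper = delegatedAuthenticationAccessStrategyHelper;
        this.casProperties = casConfigurationProperties;
    }
}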
