package org.apereo.cas.web.flow;

import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationResultBuilder;
import org.apereo.cas.authentication.principal.ClientCredential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.web.flow.actions.AbstractAuthenticationAction;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.client.Client;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.credentials.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/web/flow/DelegatedClientAuthenticationAction.class */
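/**
 * Webflow action that completes a delegated (pac4j) authentication attempt.
 * <p>
 * The action reads the {@code client_name} request parameter, restores the authentication
 * request (the {@link Service}) stored for that client, fetches {@link Credentials} from the
 * client and records them as a {@link ClientCredential} in the webflow context before handing
 * off to {@link AbstractAuthenticationAction#doExecute(RequestContext)}. Provider-reported
 * errors (see {@link #hasDelegationRequestFailed}) and requests without a client name
 * short-circuit that path. Every collaborator is supplied by
 * {@link DelegatedClientAuthenticationConfigurationContext}.
 */
public class DelegatedClientAuthenticationAction extends AbstractAuthenticationAction {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatedClientAuthenticationAction.class);

    /** Request parameters whose presence marks the delegation attempt as failed. */
    private static final String[] ERROR_PARAMETERS = {"error", "error_code", "error_description", "error_message"};

    /** Code passed to every {@link UnauthorizedServiceException} thrown by this action; the detail string is left empty. */
    private static final String UNAUTHORIZED_SERVICE_CODE = "screen.service.error.message";

    /** Source of every collaborator (CAS, services manager, pac4j clients, cookie generator, strategies) used here. */
    private final DelegatedClientAuthenticationConfigurationContext configContext;

    /**
     * Creates the action and wires the parent event resolvers and adaptive policy from the context.
     *
     * @param delegatedClientAuthenticationConfigurationContext the configuration context; must not be {@code null}
     */
    public DelegatedClientAuthenticationAction(final DelegatedClientAuthenticationConfigurationContext delegatedClientAuthenticationConfigurationContext) {
        super(delegatedClientAuthenticationConfigurationContext.getInitialAuthenticationAttemptWebflowEventResolver(),
            delegatedClientAuthenticationConfigurationContext.getServiceTicketRequestWebflowEventResolver(),
            delegatedClientAuthenticationConfigurationContext.getAdaptiveAuthenticationPolicy());
        this.configContext = delegatedClientAuthenticationConfigurationContext;
    }

    /**
     * Inspects the request for error parameters sent back by the delegated identity provider.
     * <p>
     * The attempt counts as failed when any of {@code error}, {@code error_code},
     * {@code error_description} or {@code error_message} is present. Parameter values are
     * HTML-escaped before they are placed in the model of the {@code casPac4jStopWebflow} view;
     * the {@code service} entry is copied from the request attribute of that name as-is.
     *
     * @param httpServletRequest the current request
     * @param status             value used for the model's {@code code} entry when the provider sent no {@code error_code}
     * @return a {@link ModelAndView} for the stop-webflow view, or empty when no error parameter is present
     */
    public static Optional<ModelAndView> hasDelegationRequestFailed(final HttpServletRequest httpServletRequest, final int status) {
        final Map<String, String[]> parameterMap = httpServletRequest.getParameterMap();
        final boolean failed = Stream.of(ERROR_PARAMETERS).anyMatch(parameterMap::containsKey);
        if (!failed) {
            return Optional.empty();
        }
        final Map<String, Object> model = new HashMap<>();
        // The provider's own error code wins; otherwise fall back to the status the caller passed in.
        if (parameterMap.containsKey("error_code")) {
            model.put("code", escapedParameter(httpServletRequest, "error_code"));
        } else {
            model.put("code", status);
        }
        model.put("error", escapedParameter(httpServletRequest, "error"));
        // error_reason is copied when present but is not one of the parameters that marks the attempt as failed.
        model.put("reason", escapedParameter(httpServletRequest, "error_reason"));
        if (parameterMap.containsKey("error_description")) {
            model.put("description", escapedParameter(httpServletRequest, "error_description"));
        } else if (parameterMap.containsKey("error_message")) {
            model.put("description", escapedParameter(httpServletRequest, "error_message"));
        }
        // Not a request parameter: findDelegatedClientByName stores Service#getId() under this attribute.
        // It is the only model entry that is not escaped here — NOTE(review): confirm the view escapes it.
        model.put("service", httpServletRequest.getAttribute("service"));
        model.put("client", escapedParameter(httpServletRequest, "client_name"));
        LOGGER.debug("Delegation request has failed. Details are [{}]", model);
        return Optional.of(new ModelAndView("casPac4jStopWebflow", model));
    }

    /**
     * Reads a request parameter and HTML-escapes it (a missing parameter passes through escapeHtml4 unchanged).
     *
     * @param request the current request
     * @param name    parameter name
     * @return the escaped value, or whatever escapeHtml4 returns for a {@code null} parameter
     */
    private static String escapedParameter(final HttpServletRequest request, final String name) {
        return StringEscapeUtils.escapeHtml4(request.getParameter(name));
    }

    /**
     * Runs the delegated authentication step.
     * <p>
     * Order of checks: (1) when a single sign-on session exists, a client name is present and this is not
     * a logout request, the session is reused if it is authorized for the requested service, otherwise the
     * ticket-granting ticket is deleted; (2) a provider-reported error aborts with an exception; (3) a
     * blank client name ends the flow with {@code stop} (response status 401) or {@code error}; (4) otherwise
     * credentials are fetched from the named client and the parent action continues.
     *
     * @param requestContext the webflow request context
     * @return the resulting webflow event
     * @throws IllegalArgumentException     when the provider reported an error or the client yielded no credentials
     * @throws UnauthorizedServiceException when the client cannot be located or is not authorized for the service
     */
    @Override
    public Event doExecute(final RequestContext requestContext) {
        final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        final JEEContext webContext = new JEEContext(request, response, this.configContext.getSessionStore());
        // Request-supplied; it selects which registered client handles this callback.
        final String clientName = request.getParameter("client_name");
        LOGGER.trace("Delegated authentication is handled by client name [{}]", clientName);

        Service service = null;
        // singleSignOnSessionExists() also records the SSO authentication in the context, so keep this order.
        if (!isLogoutRequest(request) && singleSignOnSessionExists(requestContext) && StringUtils.isNotBlank(clientName)) {
            LOGGER.trace("Found existing single sign-on session");
            service = populateContextWithService(requestContext, webContext, clientName);
            if (singleSignOnSessionAuthorizedForService(requestContext)) {
                LOGGER.trace("Skipping delegation and routing back to CAS authentication flow with providers [{}]",
                    this.configContext.getDelegatedClientIdentityProvidersFunction().apply(requestContext));
                return super.doExecute(requestContext);
            }
            // The existing session may not be used for this service: drop the TGT before delegation continues.
            LOGGER.debug("Single sign-on session in unauthorized for service [{}]", resolveServiceFromRequestContext(requestContext));
            this.configContext.getCentralAuthenticationService().deleteTicket(WebUtils.getTicketGrantingTicketId(requestContext));
        }

        if (hasDelegationRequestFailed(request, response.getStatus()).isPresent()) {
            // clientName is request-supplied and is echoed into the exception message.
            throw new IllegalArgumentException("Delegated authentication has failed with client " + clientName);
        }

        if (StringUtils.isBlank(clientName)) {
            LOGGER.trace("Delegated authentication providers are finalized as [{}]",
                this.configContext.getDelegatedClientIdentityProvidersFunction().apply(requestContext));
            WebUtils.createCredential(requestContext);
            return response.getStatus() == HttpStatus.UNAUTHORIZED.value() ? stopWebflow() : error();
        }

        if (service == null) {
            service = populateContextWithService(requestContext, webContext, clientName);
        }
        final BaseClient<Credentials> client = findDelegatedClientByName(request, clientName, service);
        populateContextWithClientCredential(client, webContext, requestContext);
        return super.doExecute(requestContext);
    }

    /**
     * Resolves the service held in the webflow context through the configured selection strategies.
     *
     * @param requestContext the webflow request context
     * @return the resolved service
     */
    private Service resolveServiceFromRequestContext(final RequestContext requestContext) {
        final Service service = WebUtils.getService(requestContext);
        return this.configContext.getAuthenticationRequestServiceSelectionStrategies().resolveService(service);
    }

    /**
     * Loads the authentication of the current single sign-on session, if any.
     *
     * @param requestContext the webflow request context
     * @return the authentication of the ticket-granting ticket named in the context; empty when no id is
     * present, the ticket does not exist, or it has expired
     */
    private Optional<Authentication> getSingleSignOnAuthenticationFrom(final RequestContext requestContext) {
        final String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(requestContext);
        if (StringUtils.isBlank(ticketGrantingTicketId)) {
            LOGGER.trace("No ticket-granting ticket could be located in the webflow context");
            return Optional.empty();
        }
        final TicketGrantingTicket ticket = this.configContext.getCentralAuthenticationService()
            .getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        // An expired ticket is treated exactly like a missing one.
        if (ticket == null || ticket.isExpired()) {
            return Optional.empty();
        }
        LOGGER.trace("Located a valid ticket-granting ticket");
        return Optional.of(ticket.getAuthentication());
    }

    /**
     * Delegates the client/service access check to the configured access strategy helper.
     *
     * @param client  the delegated client
     * @param service the requested service
     * @return {@code true} when the client may be used for the service
     */
    private boolean isDelegatedClientAuthorizedForService(final Client<Credentials> client, final Service service) {
        return this.configContext.getDelegatedAuthenticationAccessStrategyHelper().isDelegatedClientAuthorizedForService(client, service);
    }

    /**
     * Tells whether the request carries the {@code logoutendpoint} parameter.
     * Only presence is checked; the value is ignored.
     *
     * @param httpServletRequest the current request
     * @return {@code true} when the parameter is present
     */
    protected static boolean isLogoutRequest(final HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter("logoutendpoint") != null;
    }

    /**
     * Auto-configures the path of the distributed-session cookie before the action runs.
     * <p>
     * Only applies when pac4j session replication is enabled and the session-replication cookie is
     * configured to auto-configure its path, and only when no path is configured yet.
     *
     * @param requestContext the webflow request context
     * @return the event from {@link AbstractAuthenticationAction#doPreExecute(RequestContext)}
     * @throws Exception propagated from the parent
     */
    @Override
    protected Event doPreExecute(final RequestContext requestContext) throws Exception {
        final boolean replicateSessions = this.configContext.getCasProperties().getAuthn().getPac4j().isReplicateSessions();
        final boolean autoConfigurePath = this.configContext.getCasProperties().getSessionReplication().getCookie().isAutoConfigureCookiePath();
        if (replicateSessions && autoConfigurePath) {
            final String contextPath = requestContext.getExternalContext().getContextPath();
            final String defaultPath = StringUtils.isNotBlank(contextPath) ? contextPath + "/" : "/";
            final String cookiePath = this.configContext.getCookieGenerator().getCookiePath();
            if (StringUtils.isBlank(cookiePath)) {
                LOGGER.debug("Setting path for cookies for distributed session cookie generator to: [{}]", defaultPath);
                this.configContext.getCookieGenerator().setCookiePath(defaultPath);
            } else {
                LOGGER.trace("Delegated authentication cookie domain is [{}] with path [{}]",
                    this.configContext.getCookieGenerator().getCookieDomain(), cookiePath);
            }
        }
        return super.doPreExecute(requestContext);
    }

    /**
     * Restores the original authentication request for the client and records the matching
     * service and registered service in the webflow context.
     *
     * @param requestContext the webflow request context
     * @param webContext     the pac4j web context
     * @param clientName     name of the delegated client
     * @return the restored service (may be {@code null} for logout requests, see
     * {@link #restoreAuthenticationRequestInContext})
     */
    protected Service populateContextWithService(final RequestContext requestContext, final JEEContext webContext, final String clientName) {
        final Service service = restoreAuthenticationRequestInContext(requestContext, webContext, clientName);
        final Service resolvedService = this.configContext.getAuthenticationRequestServiceSelectionStrategies().resolveService(service);
        LOGGER.trace("Authentication is resolved by service request from [{}]", service);
        final RegisteredService registeredService = this.configContext.getServicesManager().findServiceBy(resolvedService);
        LOGGER.trace("Located registered service [{}] mapped to resolved service [{}]", registeredService, resolvedService);
        WebUtils.putRegisteredService(requestContext, registeredService);
        WebUtils.putServiceIntoFlowScope(requestContext, service);
        return service;
    }

    /**
     * Fetches credentials from the client and stores them in the webflow context as a {@link ClientCredential}.
     *
     * @param client         the delegated client
     * @param webContext     the pac4j web context
     * @param requestContext the webflow request context
     * @throws IllegalArgumentException when the client yields no credentials
     */
    protected void populateContextWithClientCredential(final BaseClient<Credentials> client, final JEEContext webContext, final RequestContext requestContext) {
        LOGGER.debug("Fetching credentials from delegated client [{}]", client);
        final Credentials credentials = getCredentialsFromDelegatedClient(webContext, client);
        final ClientCredential clientCredential = new ClientCredential(credentials, client.getName());
        LOGGER.info("Credentials are successfully authenticated using the delegated client [{}]", client.getName());
        WebUtils.putCredential(requestContext, clientCredential);
    }

    /**
     * Asks the client for the credentials carried by the current request.
     *
     * @param webContext the pac4j web context
     * @param client     the delegated client
     * @return the credentials
     * @throws IllegalArgumentException when the client returns no credentials
     */
    protected Credentials getCredentialsFromDelegatedClient(final JEEContext webContext, final BaseClient<Credentials> client) {
        final Optional<Credentials> credentials = client.getCredentials(webContext);
        // Logs Credentials#toString at debug level — NOTE(review): confirm the credential types in use redact secrets.
        LOGGER.debug("Retrieved credentials from client as [{}]", credentials);
        return credentials.orElseThrow(() -> new IllegalArgumentException(
            "Unable to determine credentials from the context with client " + client.getName()));
    }

    /**
     * Looks up a registered delegated client by name, checks it against the service and initializes it.
     *
     * @param httpServletRequest the current request; receives the service id under the {@code service} attribute
     * @param clientName         name of the delegated client
     * @param service            the requested service, or {@code null} to skip the authorization check
     * @return the initialized client
     * @throws UnauthorizedServiceException when no client of that name exists or it is not authorized for the service
     */
    protected BaseClient<Credentials> findDelegatedClientByName(final HttpServletRequest httpServletRequest, final String clientName, final Service service) {
        final Optional<? extends Client> clientResult = this.configContext.getClients().findClient(clientName);
        if (clientResult.isEmpty()) {
            LOGGER.warn("Delegated client [{}] can not be located", clientName);
            throw new UnauthorizedServiceException(UNAUTHORIZED_SERVICE_CODE, "");
        }
        @SuppressWarnings("unchecked")
        final BaseClient<Credentials> client = BaseClient.class.cast(clientResult.get());
        LOGGER.debug("Delegated authentication client is [{}] with service [{}]", client, service);
        if (service != null) {
            // Set before the authorization check, so it remains on the request even when the check fails.
            httpServletRequest.setAttribute("service", service.getId());
            if (!isDelegatedClientAuthorizedForService(client, service)) {
                LOGGER.warn("Delegated client [{}] is not authorized by service [{}]", client, service);
                throw new UnauthorizedServiceException(UNAUTHORIZED_SERVICE_CODE, "");
            }
        }
        client.init();
        return client;
    }

    /**
     * Builds the {@code stop} webflow event.
     *
     * @return the stop event
     */
    protected Event stopWebflow() {
        return new Event(this, "stop");
    }

    /**
     * Retrieves the authentication request stored by the delegated client webflow manager for the client.
     * <p>
     * Logout requests ({@link #isLogoutRequest}) return {@code null} without any lookup. Any failure —
     * an unknown client, or an exception from the lookup or the webflow manager — ends in an
     * {@link UnauthorizedServiceException}, so a failed restore never yields a service.
     *
     * @param requestContext the webflow request context
     * @param webContext     the pac4j web context
     * @param clientName     name of the delegated client
     * @return the restored service, or {@code null} for logout requests
     * @throws UnauthorizedServiceException when the client cannot be located or the request cannot be restored
     */
    protected Service restoreAuthenticationRequestInContext(final RequestContext requestContext, final JEEContext webContext, final String clientName) {
        if (isLogoutRequest(webContext.getNativeRequest())) {
            return null;
        }
        try {
            final Optional<? extends Client> clientResult = this.configContext.getClients().findClient(clientName);
            if (clientResult.isPresent()) {
                @SuppressWarnings("unchecked")
                final BaseClient<Credentials> client = BaseClient.class.cast(clientResult.get());
                return this.configContext.getDelegatedClientWebflowManager().retrieve(requestContext, webContext, client);
            }
            LOGGER.warn("Unable to locate client [{}] in registered clients", clientName);
        } catch (final Exception e) {
            // Log here, then fail closed below; the stack trace is only emitted at debug level.
            if (LOGGER.isDebugEnabled()) {
                LOGGER.error(e.getMessage(), e);
            } else {
                LOGGER.error(e.getMessage());
            }
        }
        throw new UnauthorizedServiceException(UNAUTHORIZED_SERVICE_CODE, "");
    }

    /**
     * Checks whether the current single sign-on authentication may be used for the requested service.
     *
     * @param requestContext the webflow request context
     * @return {@code true} when a valid SSO authentication exists and the access strategy helper authorizes
     * it for the resolved service; {@code false} otherwise
     */
    protected boolean singleSignOnSessionAuthorizedForService(final RequestContext requestContext) {
        final Service resolvedService = resolveServiceFromRequestContext(requestContext);
        return getSingleSignOnAuthenticationFrom(requestContext)
            .map(authentication -> this.configContext.getDelegatedAuthenticationAccessStrategyHelper()
                .isDelegatedClientAuthorizedForAuthentication(authentication, resolvedService))
            .orElse(Boolean.FALSE);
    }

    /**
     * Tells whether a usable single sign-on session exists and, if so, records its authentication
     * and authentication-result builder in the webflow context.
     *
     * @param requestContext the webflow request context
     * @return {@code true} when a valid ticket-granting ticket exists and the participation strategy
     * both supports this request and reports participation; {@code false} otherwise, including when
     * the ticket registry raises an {@link AbstractTicketException}
     */
    protected boolean singleSignOnSessionExists(final RequestContext requestContext) {
        try {
            final Optional<Authentication> ssoAuthentication = getSingleSignOnAuthenticationFrom(requestContext);
            if (ssoAuthentication.isPresent()) {
                LOGGER.trace("Located a valid ticket-granting ticket. Examining existing single sign-on session strategies...");
                final Authentication authentication = ssoAuthentication.get();
                final AuthenticationResultBuilder resultBuilder = this.configContext.getAuthenticationSystemSupport()
                    .establishAuthenticationContextFromInitial(authentication);
                LOGGER.trace("Recording and tracking initial authentication results in the request context");
                WebUtils.putAuthenticationResultBuilder(resultBuilder, requestContext);
                WebUtils.putAuthentication(authentication, requestContext);
                final SingleSignOnParticipationStrategy strategy = this.configContext.getSingleSignOnParticipationStrategy();
                return strategy.supports(requestContext) && strategy.isParticipating(requestContext);
            }
        } catch (final AbstractTicketException e) {
            LOGGER.trace("Could not retrieve ticket id [{}] from registry.", e.getMessage());
        }
        LOGGER.trace("Ticket-granting ticket found in the webflow context is invalid or has expired");
        return false;
    }

    /**
     * Returns the configuration context this action was built from.
     *
     * @return the configuration context
     */
    @Generated
    public DelegatedClientAuthenticationConfigurationContext getConfigContext() {
        return this.configContext;
    }
}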
