package org.apereo.cas.web;

import java.io.Serializable;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.model.support.pac4j.Pac4jDelegatedAuthenticationCookieProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.TransientSessionTicket;
import org.apereo.cas.web.flow.DelegatedClientAuthenticationConfigurationContext;
import org.apereo.cas.web.flow.DelegatedClientAuthenticationWebflowManager;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.cas.client.CasClient;
import org.pac4j.core.client.Client;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.oauth.client.OAuth10Client;
import org.pac4j.oauth.client.OAuth20Client;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.saml.client.SAML2Client;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.servlet.support.RequestContextUtils;
import org.springframework.webflow.execution.RequestContext;

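/**
 * Default {@link DelegatedClientAuthenticationWebflowManager}.
 *
 * <p>{@link #store(JEEContext, Client)} saves the pending authentication request (service, theme, locale,
 * method and the {@code ForceAuthn}/{@code Passive} flags) in a {@link TransientSessionTicket} and records
 * the ticket id so it can be found again. {@link #retrieve(RequestContext, WebContext, Client)} looks the
 * ticket up, puts its contents back into the flow and deletes the ticket.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>The ticket id is the only correlation handle. On retrieval it is read from request parameters
 *       first and from the session store only as a fallback, so the value is caller-supplied; the typed
 *       lookup in the ticket registry is the only validation performed in this class.</li>
 *   <li>The theme, locale and method values restored from the ticket were copied verbatim from request
 *       parameters when the ticket was built.</li>
 *   <li>{@code retrieve} deletes the ticket only after the request was restored successfully.</li>
 * </ul>
 */
@Transactional(transactionManager = "ticketTransactionManager")
public class DefaultDelegatedClientAuthenticationWebflowManager implements DelegatedClientAuthenticationWebflowManager {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultDelegatedClientAuthenticationWebflowManager.class);

    // Session-store keys under which the ticket id is remembered, one per client type.
    private static final String OIDC_CLIENT_ID_SESSION_KEY = "OIDC_CLIENT_ID";
    private static final String OAUTH20_CLIENT_ID_SESSION_KEY = "OAUTH20_CLIENT_ID";
    private static final String OAUTH10_CLIENT_ID_SESSION_KEY = "OAUTH10_CLIENT_ID";
    private static final String CAS_CLIENT_ID_SESSION_KEY = "CAS_CLIENT_ID";

    private final DelegatedClientAuthenticationConfigurationContext configContext;

    /**
     * Saves the current authentication request as a transient ticket and records the ticket id in the
     * session store under the key that matches the client's type.
     *
     * @param jEEContext the web context of the current request
     * @param client the delegated client selected for this request
     * @return the ticket that now holds the request
     * @throws Exception if the request cannot be stored
     */
    @Override
    public TransientSessionTicket store(JEEContext jEEContext, Client client) throws Exception {
        TransientSessionTicket ticket = storeDelegatedClientAuthenticationRequest(jEEContext);
        rememberSelectedClientIfNecessary(jEEContext, client);
        // The checks are independent on purpose: every matching client type gets its tracking call.
        if (client instanceof SAML2Client) {
            trackSessionIdForSAML2Client(jEEContext, ticket, (SAML2Client) client);
        }
        if (client instanceof OAuth20Client) {
            trackSessionIdForOAuth20Client(jEEContext, (OAuth20Client) client, ticket);
        }
        if (client instanceof OidcClient) {
            trackSessionIdForOidcClient(jEEContext, (OidcClient) client, ticket);
        }
        if (client instanceof CasClient) {
            trackSessionIdForCasClient(jEEContext, ticket, (CasClient) client);
        }
        if (client instanceof OAuth10Client) {
            trackSessionIdForOAuth10Client(jEEContext, ticket);
        }
        return ticket;
    }

    /**
     * Finds the ticket for the current request, restores the saved request into the flow and removes the
     * ticket from the registry.
     *
     * @param requestContext the webflow request context that receives the restored service
     * @param webContext the web context of the current request
     * @param client the delegated client handling the request
     * @return the service recorded in the ticket
     * @throws Exception if the ticket cannot be restored or deleted
     * @throws UnauthorizedServiceException if no ticket matches the client identifier
     */
    @Override
    public Service retrieve(RequestContext requestContext, WebContext webContext, Client client) throws Exception {
        String clientId = getDelegatedClientId(webContext, client);
        TransientSessionTicket ticket = retrieveSessionTicketViaClientId(webContext, clientId);
        restoreDelegatedAuthenticationRequest(requestContext, webContext, ticket);
        // NOTE(review): deletion is skipped if the restore above throws, in which case the ticket
        // stays in the registry - confirm that its expiration policy bounds that window.
        LOGGER.debug("Removing delegated client identifier [{}] from registry", ticket.getId());
        this.configContext.getCentralAuthenticationService().deleteTicket(ticket.getId());
        return ticket.getService();
    }

    /**
     * Records the ticket id in the session store for an OAuth 1.0 client.
     *
     * @param webContext the web context of the current request
     * @param transientSessionTicket the ticket whose id is recorded
     */
    protected void trackSessionIdForOAuth10Client(WebContext webContext, TransientSessionTicket transientSessionTicket) {
        this.configContext.getSessionStore().set(webContext, OAUTH10_CLIENT_ID_SESSION_KEY, transientSessionTicket.getId());
    }

    /**
     * Records the ticket id in the session store for a CAS client.
     *
     * @param webContext the web context of the current request
     * @param transientSessionTicket the ticket whose id is recorded
     * @param casClient the client in use (not read here)
     */
    protected void trackSessionIdForCasClient(WebContext webContext, TransientSessionTicket transientSessionTicket, CasClient casClient) {
        this.configContext.getSessionStore().set(webContext, CAS_CLIENT_ID_SESSION_KEY, transientSessionTicket.getId());
    }

    /**
     * Records the ticket id in the session store for an OpenID Connect client.
     *
     * @param webContext the web context of the current request
     * @param oidcClient the client in use (not read here)
     * @param transientSessionTicket the ticket whose id is recorded
     */
    protected void trackSessionIdForOidcClient(WebContext webContext, OidcClient oidcClient, TransientSessionTicket transientSessionTicket) {
        this.configContext.getSessionStore().set(webContext, OIDC_CLIENT_ID_SESSION_KEY, transientSessionTicket.getId());
    }

    /**
     * Records the ticket id in the session store for an OAuth 2.0 client.
     *
     * @param webContext the web context of the current request
     * @param oAuth20Client the client in use (not read here)
     * @param transientSessionTicket the ticket whose id is recorded
     */
    protected void trackSessionIdForOAuth20Client(WebContext webContext, OAuth20Client oAuth20Client, TransientSessionTicket transientSessionTicket) {
        this.configContext.getSessionStore().set(webContext, OAUTH20_CLIENT_ID_SESSION_KEY, transientSessionTicket.getId());
    }

    /**
     * Records the ticket id in the session store under {@code samlRelayState} for a SAML2 client.
     *
     * @param webContext the web context of the current request
     * @param transientSessionTicket the ticket whose id is recorded
     * @param sAML2Client the client in use (not read here)
     */
    protected void trackSessionIdForSAML2Client(WebContext webContext, TransientSessionTicket transientSessionTicket, SAML2Client sAML2Client) {
        this.configContext.getSessionStore().set(webContext, "samlRelayState", transientSessionTicket.getId());
    }

    /**
     * Builds the transient ticket for the current request, adds it to the ticket registry and exposes its
     * id (and the {@code ForceAuthn}/{@code Passive} flags, when set) as request attributes.
     *
     * @param jEEContext the web context of the current request
     * @return the newly created ticket
     * @throws Exception if the ticket cannot be created or stored
     */
    protected TransientSessionTicket storeDelegatedClientAuthenticationRequest(JEEContext jEEContext) throws Exception {
        Map<String, Serializable> properties = buildTicketProperties(jEEContext);
        WebApplicationService originalService = this.configContext.getArgumentExtractor().extractService(jEEContext.getNativeRequest());
        Service targetService = this.configContext.getAuthenticationRequestServiceSelectionStrategies().resolveService(originalService);
        properties.put("service", originalService);
        properties.put("targetService", targetService);
        RegisteredService registeredService = this.configContext.getServicesManager().findServiceBy(targetService);

        if (isFlagRequested(jEEContext, "ForceAuthn",
                RegisteredServiceProperty.RegisteredServiceProperties.DELEGATED_AUTHN_FORCE_AUTHN, registeredService)) {
            properties.put("ForceAuthn", true);
        }
        if (isFlagRequested(jEEContext, "Passive",
                RegisteredServiceProperty.RegisteredServiceProperties.DELEGATED_AUTHN_PASSIVE_AUTHN, registeredService)) {
            properties.put("Passive", true);
        }

        TransientSessionTicket ticket = this.configContext.getTicketFactory().get(TransientSessionTicket.class).create(originalService, properties);
        // The ticket id written here is the handle that later unlocks the stored request.
        LOGGER.debug("Storing delegated authentication request ticket [{}] for service [{}] with properties [{}]",
            ticket.getId(), ticket.getService(), ticket.getProperties());
        this.configContext.getCentralAuthenticationService().addTicket(ticket);
        jEEContext.setRequestAttribute(DelegatedClientAuthenticationWebflowManager.PARAMETER_CLIENT_ID, ticket.getId());
        // containsKey (rather than the flag computed above) keeps keys contributed by an overridden
        // buildTicketProperties effective.
        if (properties.containsKey("ForceAuthn")) {
            jEEContext.setRequestAttribute("ForceAuthn", true);
        }
        if (properties.containsKey("Passive")) {
            jEEContext.setRequestAttribute("Passive", true);
        }
        return ticket;
    }

    /**
     * Decides whether a boolean flag applies to the request. A request parameter with the given name wins
     * whenever it is present, whatever its value; the registered-service property is consulted only when
     * the parameter is absent.
     */
    private static boolean isFlagRequested(JEEContext context, String parameterName,
                                           RegisteredServiceProperty.RegisteredServiceProperties property,
                                           RegisteredService registeredService) {
        return context.getRequestParameter(parameterName)
            .or(() -> Optional.of(Boolean.toString(property.isAssignedTo(registeredService))))
            .filter(value -> StringUtils.equalsIgnoreCase(value, "true"))
            .isPresent();
    }

    /**
     * Sets the cookie that remembers the selected client, when that cookie is enabled in the settings.
     * If cookie-path auto-configuration is on and the cookie generator has no path yet, the path is
     * derived from the request's context path first.
     *
     * @param jEEContext the web context of the current request
     * @param client the client whose name is written to the cookie
     */
    protected void rememberSelectedClientIfNecessary(JEEContext jEEContext, Client client) {
        Pac4jDelegatedAuthenticationCookieProperties cookie = this.configContext.getCasProperties().getAuthn().getPac4j().getCookie();
        if (!cookie.isEnabled()) {
            return;
        }
        if (cookie.isAutoConfigureCookiePath()) {
            String contextPath = jEEContext.getNativeRequest().getContextPath();
            String cookiePath = StringUtils.isNotBlank(contextPath) ? contextPath + "/" : "/";
            if (StringUtils.isBlank(this.configContext.getDelegatedClientCookieGenerator().getCookiePath())) {
                LOGGER.debug("Setting path for cookies for delegated authentication cookie generator to: [{}]", cookiePath);
                this.configContext.getDelegatedClientCookieGenerator().setCookiePath(cookiePath);
            }
        }
        this.configContext.getDelegatedClientCookieGenerator().addCookie(jEEContext.getNativeRequest(), jEEContext.getNativeResponse(), client.getName());
    }

    /**
     * Collects the theme, locale and {@code method} request parameters into the property map stored with
     * the ticket. A missing parameter is stored as an empty string, so all three keys are always present.
     *
     * @param webContext the web context of the current request
     * @return a mutable map of ticket properties
     */
    protected Map<String, Serializable> buildTicketProperties(WebContext webContext) {
        Map<String, Serializable> properties = new HashMap<>();
        String themeParamName = this.configContext.getCasProperties().getTheme().getParamName();
        String localeParamName = this.configContext.getCasProperties().getLocale().getParamName();
        // The values are taken from the request as-is; nothing here validates them.
        properties.put(themeParamName, webContext.getRequestParameter(themeParamName).map(String::valueOf).orElse(""));
        properties.put(localeParamName, webContext.getRequestParameter(localeParamName).map(String::valueOf).orElse(""));
        properties.put("method", webContext.getRequestParameter("method").map(String::valueOf).orElse(""));
        LOGGER.debug("Built ticket properties [{}]", properties);
        return properties;
    }

    /**
     * Puts the service, theme, locale and method recorded in the ticket back into the current request and
     * flow scope, and applies the recorded locale through the request's locale resolver when one exists.
     *
     * @param requestContext the webflow request context
     * @param webContext the web context of the current request
     * @param transientSessionTicket the ticket holding the saved request
     * @return the service recorded in the ticket
     */
    protected Service restoreDelegatedAuthenticationRequest(RequestContext requestContext, WebContext webContext, TransientSessionTicket transientSessionTicket) {
        Service service = transientSessionTicket.getService();
        LOGGER.trace("Restoring requested service [{}] back in the authentication flow", service);
        WebUtils.putServiceIntoFlowScope(requestContext, service);
        webContext.setRequestAttribute("service", service);

        String themeParamName = this.configContext.getCasProperties().getTheme().getParamName();
        String localeParamName = this.configContext.getCasProperties().getLocale().getParamName();
        Map<String, ?> properties = transientSessionTicket.getProperties();
        webContext.setRequestAttribute(themeParamName, properties.get(themeParamName));

        Object localeValue = properties.get(localeParamName);
        if (localeValue != null) {
            // NOTE(review): buildTicketProperties stores "" when no locale parameter was sent, so this
            // branch also runs with an empty value and hands new Locale("") to the resolver - confirm
            // that this is intended. The value is the unvalidated request parameter from store time.
            webContext.setRequestAttribute(localeParamName, localeValue);
            HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
            HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
            Optional.ofNullable(RequestContextUtils.getLocaleResolver(request))
                .ifPresent(resolver -> resolver.setLocale(request, response, new Locale(localeValue.toString())));
        }

        webContext.setRequestAttribute("method", properties.get("method"));
        return service;
    }

    /**
     * Loads the transient ticket with the given id from the ticket registry.
     *
     * @param webContext the web context of the current request (used for the error log only)
     * @param str the ticket id taken from the request or the session store
     * @return the matching ticket
     * @throws UnauthorizedServiceException if the lookup fails for any reason
     */
    protected TransientSessionTicket retrieveSessionTicketViaClientId(WebContext webContext, String str) {
        try {
            TransientSessionTicket ticket = this.configContext.getCentralAuthenticationService().getTicket(str, TransientSessionTicket.class);
            LOGGER.debug("Located delegated authentication client identifier as [{}]", ticket.getId());
            return ticket;
        } catch (Exception e) {
            // NOTE(review): the full request URL, query string included, goes to the error log; on a
            // provider callback it may carry protocol parameters - confirm who can read these logs.
            LOGGER.error("Delegated client identifier cannot be located in the authentication request [{}]", webContext.getFullRequestURL());
            // The cause used to be dropped, which hid why a lookup failed (unknown id, expired ticket,
            // registry error). It is kept at debug level; the caller still sees the same generic error.
            LOGGER.debug("Lookup of the delegated authentication ticket failed", e);
            throw new UnauthorizedServiceException("screen.service.error.message", "");
        }
    }

    /**
     * Works out the ticket id for the current request. Sources are tried in this order and the first
     * non-blank value wins: the {@code PARAMETER_CLIENT_ID} request parameter, the {@code RelayState}
     * request parameter (SAML2 clients only), then the session-store entry for the client's type.
     *
     * @param webContext the web context of the current request
     * @param client the delegated client handling the request
     * @return the ticket id, or an empty string if none was found
     */
    protected String getDelegatedClientId(WebContext webContext, Client client) {
        // Both request parameters are caller-supplied; the id is validated only by the later ticket lookup.
        String clientId = webContext.getRequestParameter(DelegatedClientAuthenticationWebflowManager.PARAMETER_CLIENT_ID)
            .map(String::valueOf)
            .orElse("");
        if (StringUtils.isBlank(clientId) && (client instanceof SAML2Client)) {
            LOGGER.debug("Client identifier could not found in request parameters. Looking at relay-state for the SAML2 client");
            clientId = webContext.getRequestParameter("RelayState").map(String::valueOf).orElse("");
        }
        clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, OAuth20Client.class, OAUTH20_CLIENT_ID_SESSION_KEY);
        clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, OidcClient.class, OIDC_CLIENT_ID_SESSION_KEY);
        clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, OAuth10Client.class, OAUTH10_CLIENT_ID_SESSION_KEY);
        clientId = getDelegatedClientIdFromSessionStore(webContext, client, clientId, CasClient.class, CAS_CLIENT_ID_SESSION_KEY);
        LOGGER.debug("Located delegated client identifier [{}]", clientId);
        return clientId;
    }

    /**
     * Falls back to the session store for the ticket id. The store is consulted only when {@code str} is
     * blank and {@code client} is an instance of {@code cls}; the entry is cleared once it has been read.
     *
     * @param webContext the web context of the current request
     * @param client the delegated client handling the request, may be {@code null}
     * @param str the ticket id found so far, possibly blank
     * @param cls the client type that {@code str2} belongs to
     * @param str2 the session-store key to read
     * @return {@code str} unchanged when the store is not consulted, otherwise the stored value or an
     *         empty string
     */
    protected String getDelegatedClientIdFromSessionStore(WebContext webContext, Client client, String str, Class<?> cls, String str2) {
        if (!StringUtils.isBlank(str) || client == null || !cls.isAssignableFrom(client.getClass())) {
            return str;
        }
        LOGGER.debug("Client identifier could not be found in request parameters. Looking at session store for the [{}] client", cls);
        String storedId = (String) this.configContext.getSessionStore().get(webContext, str2).map(Object::toString).orElse("");
        // Clear the entry so the same session value is not picked up by a later request.
        this.configContext.getSessionStore().set(webContext, str2, null);
        return storedId;
    }

    /**
     * Creates the manager.
     *
     * @param delegatedClientAuthenticationConfigurationContext the collaborators this manager works with
     */
    @Generated
    public DefaultDelegatedClientAuthenticationWebflowManager(DelegatedClientAuthenticationConfigurationContext delegatedClientAuthenticationConfigurationContext) {
        this.configContext = delegatedClientAuthenticationConfigurationContext;
    }

    /**
     * Returns the configuration context this manager was created with.
     *
     * @return the configuration context
     */
    @Generated
    public DelegatedClientAuthenticationConfigurationContext getConfigContext() {
        return this.configContext;
    }
}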
