package org.apereo.cas.web.flow.actions;

import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.principal.ClientCredential;
import org.apereo.cas.authentication.principal.DelegatedAuthenticationCandidateProfile;
import org.apereo.cas.authentication.principal.DelegatedClientAuthenticationCredentialResolver;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.model.support.replication.SessionReplicationProperties;
import org.apereo.cas.pac4j.client.DelegatedClientAuthenticationFailureEvaluator;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.spring.beans.BeanSupplier;
import org.apereo.cas.web.flow.DelegatedAuthenticationSingleSignOnEvaluator;
import org.apereo.cas.web.flow.DelegatedClientAuthenticationConfigurationContext;
import org.apereo.cas.web.flow.DelegatedClientAuthenticationWebflowManager;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.client.Client;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.exception.http.HttpAction;
import org.pac4j.jee.context.JEEContext;
import org.pac4j.jee.http.adapter.JEEHttpActionAdapter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.webflow.core.collection.LocalAttributeMap;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/web/flow/actions/DelegatedClientAuthenticationAction.class */
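/**
 * Webflow action that completes (or short-circuits) delegated authentication through a pac4j client.
 *
 * <p>On every execution it determines which delegated client the request is for, decides whether an
 * existing single sign-on session may simply be reused, verifies that the client is authorized for the
 * requested service, pulls the credentials pac4j extracted from the identity-provider callback and
 * hands them to the regular CAS authentication pipeline via {@code super.doExecute}. A pac4j
 * {@link HttpAction} (typically the redirect to the identity provider) is rendered straight onto the
 * response instead.
 *
 * <p>Trust boundary: the client name, the {@code logoutendpoint} flag and the provider callback
 * parameters are all read from the incoming request and are therefore caller-controlled. A client
 * name only becomes trustworthy once it resolves to a configured client and passes every configured
 * delegated-client identity-provider authorizer (see {@link #findDelegatedClientByName}).
 *
 * <p>Two defects of the previous listing are repaired here: {@code HttpAction} is a subtype of
 * {@code Exception} and was listed after the generic {@code catch (Exception)}, which does not
 * compile and would otherwise have turned every provider redirect into a {@code stop} event; and
 * {@link #restoreAuthenticationRequestInContext} dereferenced an {@code Optional} that was never
 * assigned when the client lookup threw. Both now fail closed.
 */
public class DelegatedClientAuthenticationAction extends AbstractAuthenticationAction {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatedClientAuthenticationAction.class);

    /** Shared configuration (clients, services manager, ticket registry, session store, ...). */
    protected final DelegatedClientAuthenticationConfigurationContext configContext;

    /** Restores the original authentication request that was stashed before the redirect to the provider. */
    private final DelegatedClientAuthenticationWebflowManager delegatedClientAuthenticationWebflowManager;

    /** Detects provider-reported failures on the callback (error parameters / status). */
    private final DelegatedClientAuthenticationFailureEvaluator failureEvaluator;

    /** Decides whether an existing SSO session can be reused instead of delegating again. */
    private final DelegatedAuthenticationSingleSignOnEvaluator ssoEvaluator;

    /**
     * Creates the action.
     *
     * @param delegatedClientAuthenticationConfigurationContext shared delegated-authentication configuration
     * @param delegatedClientAuthenticationWebflowManager       manager used to restore the saved authentication request
     * @param delegatedClientAuthenticationFailureEvaluator     evaluator used to spot provider-side failures
     */
    public DelegatedClientAuthenticationAction(DelegatedClientAuthenticationConfigurationContext delegatedClientAuthenticationConfigurationContext,
                                               DelegatedClientAuthenticationWebflowManager delegatedClientAuthenticationWebflowManager,
                                               DelegatedClientAuthenticationFailureEvaluator delegatedClientAuthenticationFailureEvaluator) {
        super(delegatedClientAuthenticationConfigurationContext.getInitialAuthenticationAttemptWebflowEventResolver(),
            delegatedClientAuthenticationConfigurationContext.getServiceTicketRequestWebflowEventResolver(),
            delegatedClientAuthenticationConfigurationContext.getAdaptiveAuthenticationPolicy());
        this.configContext = delegatedClientAuthenticationConfigurationContext;
        this.failureEvaluator = delegatedClientAuthenticationFailureEvaluator;
        this.delegatedClientAuthenticationWebflowManager = delegatedClientAuthenticationWebflowManager;
        this.ssoEvaluator = new DelegatedAuthenticationSingleSignOnEvaluator(delegatedClientAuthenticationConfigurationContext);
    }

    /**
     * Whether the request is flagged as a logout-endpoint callback.
     *
     * <p>This is decided solely by the presence of a caller-supplied request parameter, so any client
     * can assert it. Setting it skips the SSO-session evaluation in {@link #doExecute}, makes
     * {@link #restoreAuthenticationRequestInContext} return {@code null} (so the authorizers are
     * consulted with a {@code null} service) and turns a pac4j {@code HttpAction} into the
     * {@code generate} event. NOTE(review): how the configured authorizers treat a {@code null}
     * service is not visible here — confirm they do not treat it as "no restriction".
     *
     * @param httpServletRequest the current request
     * @return {@code true} when the {@code logoutendpoint} parameter is present (any value)
     */
    protected static boolean isLogoutRequest(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter("logoutendpoint") != null;
    }

    /**
     * Runs one step of the delegated authentication flow.
     *
     * @param requestContext the webflow request context
     * @return the next webflow event: the parent action's result when a credential is ready, {@code select}
     *         when several candidate profiles require the user's choice, {@code generate} when there is no
     *         client name to act on, {@code success} after a pac4j action (redirect) has been written to the
     *         response, or {@code stop} after an unexpected failure
     * @throws UnauthorizedServiceException when the client cannot be located or is not authorized for the
     *         requested service; deliberately rethrown rather than folded into a {@code stop} event
     */
    public Event doExecute(RequestContext requestContext) {
        HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        JEEContext webContext = new JEEContext(request, response);
        try {
            String clientName = retrieveClientName(webContext);
            LOGGER.trace("Delegated authentication is handled by client name [{}]", clientName);

            Service service = null;
            boolean candidateProfilePresent = WebUtils.hasDelegatedClientAuthenticationCandidateProfile(requestContext);
            if (!isLogoutRequest(request)
                && !candidateProfilePresent
                && this.ssoEvaluator.singleSignOnSessionExists(requestContext)
                && StringUtils.isNotBlank(clientName)) {
                LOGGER.trace("Found an existing single sign-on session");
                service = populateContextWithService(requestContext, webContext, clientName);
                if (this.ssoEvaluator.singleSignOnSessionAuthorizedForService(requestContext)) {
                    LOGGER.debug("Skipping delegation and routing back to CAS authentication flow with providers [{}]",
                        this.configContext.getDelegatedClientIdentityProvidersProducer().produce(requestContext));
                    return super.doExecute(requestContext);
                }
                // The session exists but this service may not consume it: destroy the TGT so the user has
                // to authenticate afresh rather than the unauthorized session being reused downstream.
                LOGGER.debug("Single sign-on session in unauthorized for service [{}]",
                    this.ssoEvaluator.resolveServiceFromRequestContext(requestContext));
                this.configContext.getTicketRegistry().deleteTicket(WebUtils.getTicketGrantingTicketId(requestContext));
            }

            // A provider-reported failure aborts before any credential is touched. Note the caller-supplied
            // client name is embedded in the message, which stopWebflow later exposes to the error view.
            if (this.failureEvaluator.evaluate(request, response.getStatus()).isPresent()) {
                throw new IllegalArgumentException("Delegated authentication has failed with client " + clientName);
            }

            if (candidateProfilePresent) {
                // A candidate profile already chosen on an earlier pass is promoted to a credential without
                // re-running findDelegatedClientByName and the authorizer checks. This is only safe because
                // the profile lives in webflow scope populated by the server (presumably from the list
                // stored by finalizeDelegatedClientAuthentication) — TODO(review): confirm it can never be
                // seeded from request input.
                DelegatedAuthenticationCandidateProfile profile = (DelegatedAuthenticationCandidateProfile)
                    WebUtils.getDelegatedClientAuthenticationCandidateProfile(requestContext, DelegatedAuthenticationCandidateProfile.class);
                WebUtils.putCredential(requestContext, new ClientCredential(clientName, profile.toUserProfile(clientName)));
                return super.doExecute(requestContext);
            }

            if (StringUtils.isBlank(clientName)) {
                return getFinalEvent();
            }

            // Reuse the service already restored in the SSO branch; otherwise restore it now.
            Service resolvedService = service != null
                ? service
                : populateContextWithService(requestContext, webContext, clientName);
            BaseClient client = findDelegatedClientByName(requestContext, clientName, resolvedService);
            WebUtils.putDelegatedAuthenticationClientName(requestContext, client.getName());
            return finalizeDelegatedClientAuthentication(requestContext, populateContextWithClientCredential(client, webContext, requestContext));
        } catch (HttpAction action) {
            // pac4j signals "write this response" (usually a redirect to the provider) as an exception. It
            // is an Exception subtype, so it must be caught before the generic handler below or it would
            // be swallowed into a stop event.
            FunctionUtils.doIf(LOGGER.isDebugEnabled(), ignored -> {
                LOGGER.debug(action.getMessage(), action);
            }, ignored -> {
                LOGGER.info(action.getMessage());
            }).accept(action);
            JEEHttpActionAdapter.INSTANCE.adapt(action, webContext);
            return isLogoutRequest(request) ? getFinalEvent() : success();
        } catch (UnauthorizedServiceException e) {
            // Authorization failures are surfaced to the flow's exception handling, not hidden as "stop".
            LOGGER.warn(e.getMessage(), e);
            throw e;
        } catch (Exception e) {
            LoggingUtils.error(LOGGER, e);
            return stopWebflow(e, requestContext);
        }
    }

    /**
     * Offers the freshly obtained client credential to every {@link DelegatedClientAuthenticationCredentialResolver}
     * bean that supports it. If any resolver yields candidate profiles the user must pick one ({@code select});
     * otherwise the credential goes straight into the parent authentication action.
     *
     * @param requestContext   the webflow request context
     * @param clientCredential the credential produced by the delegated client
     * @return {@code select} when candidate profiles were resolved, else the parent action's event
     */
    protected Event finalizeDelegatedClientAuthentication(RequestContext requestContext, ClientCredential clientCredential) {
        List<DelegatedClientAuthenticationCredentialResolver> resolvers = new ArrayList<>(
            this.configContext.getApplicationContext().getBeansOfType(DelegatedClientAuthenticationCredentialResolver.class).values());
        // Honour @Order so resolvers run (and their profiles are listed) in the configured precedence.
        AnnotationAwareOrderComparator.sortIfNecessary(resolvers);
        var candidates = resolvers.stream()
            .filter(resolver -> BeanSupplier.isNotProxy(resolver))
            .filter(resolver -> resolver.supports(clientCredential))
            .map(resolver -> resolver.resolve(requestContext, clientCredential))
            .flatMap(resolved -> resolved.stream())
            .collect(Collectors.toList());
        if (candidates.isEmpty()) {
            return super.doExecute(requestContext);
        }
        WebUtils.putDelegatedClientAuthenticationResolvedCredentials(requestContext, candidates);
        return new Event(this, "select");
    }

    /** Event used when there is nothing to authenticate yet (no client name / logout callback). */
    private Event getFinalEvent() {
        return new Event(this, "generate");
    }

    /**
     * Extracts the delegated client name from the request.
     *
     * <p>The value is caller-supplied: it is only acted upon after it has been resolved against the
     * configured clients, but it is echoed verbatim into log lines and error messages before that.
     *
     * @param webContext the pac4j web context wrapping the current request
     * @return the client name, or an empty string when none is present
     */
    protected String retrieveClientName(WebContext webContext) {
        return (String) this.configContext.getDelegatedClientNameExtractor().extract(webContext).orElse("");
    }

    /**
     * Before execution, scopes the distributed-session cookie to the CAS context path when session
     * replication is on and the path was left to auto-configuration, so the cookie is not sent to other
     * applications on the same host. An explicitly configured path is left untouched.
     *
     * @param requestContext the webflow request context
     * @return the parent action's pre-execution event
     * @throws Exception propagated from the parent
     */
    protected Event doPreExecute(RequestContext requestContext) throws Exception {
        SessionReplicationProperties sessionReplication =
            this.configContext.getCasProperties().getAuthn().getPac4j().getCore().getSessionReplication();
        if (sessionReplication.isReplicateSessions() && sessionReplication.getCookie().isAutoConfigureCookiePath()) {
            String contextPath = requestContext.getExternalContext().getContextPath();
            String defaultPath = StringUtils.isNotBlank(contextPath) ? contextPath + "/" : "/";
            String configuredPath = this.configContext.getDelegatedClientDistributedSessionCookieGenerator().getCookiePath();
            if (StringUtils.isBlank(configuredPath)) {
                LOGGER.debug("Setting path for cookies for distributed session cookie generator to: [{}]", defaultPath);
                this.configContext.getDelegatedClientDistributedSessionCookieGenerator().setCookiePath(defaultPath);
            } else {
                LOGGER.trace("Delegated authentication cookie domain is [{}] with path [{}]",
                    this.configContext.getDelegatedClientDistributedSessionCookieGenerator().getCookieDomain(), configuredPath);
            }
        }
        return super.doPreExecute(requestContext);
    }

    /**
     * Restores the original authentication request saved before the redirect to the provider, resolves the
     * effective service through the configured selection strategies, and records the matching registered
     * service plus the restored service in flow scope.
     *
     * @param requestContext the webflow request context
     * @param jEEContext     the pac4j web context
     * @param str            the delegated client name
     * @return the restored service; {@code null} for logout callbacks (the lookups below then run with
     *         {@code null} — their tolerance for that is not visible here)
     */
    protected Service populateContextWithService(RequestContext requestContext, JEEContext jEEContext, String str) {
        Service restored = restoreAuthenticationRequestInContext(requestContext, jEEContext, str);
        Service resolved = this.configContext.getAuthenticationRequestServiceSelectionStrategies().resolveService(restored);
        LOGGER.trace("Authentication is resolved by service request from [{}]", restored);
        RegisteredService registeredService = this.configContext.getServicesManager().findServiceBy(resolved);
        LOGGER.trace("Located registered service [{}] mapped to resolved service [{}]", registeredService, resolved);
        WebUtils.putRegisteredService(requestContext, registeredService);
        WebUtils.putServiceIntoFlowScope(requestContext, restored);
        return restored;
    }

    /**
     * Pulls the credentials the pac4j client extracted from the callback and stores them in flow scope as
     * a {@link ClientCredential}.
     *
     * <p>NOTE(review): the INFO line reads "successfully authenticated", but at this point the credential
     * has merely been retrieved/validated by the pac4j client; CAS authentication of it happens later in
     * {@code super.doExecute}.
     *
     * @param baseClient     the resolved delegated client
     * @param jEEContext     the pac4j web context
     * @param requestContext the webflow request context
     * @return the credential that was placed into flow scope
     */
    protected ClientCredential populateContextWithClientCredential(BaseClient baseClient, JEEContext jEEContext, RequestContext requestContext) {
        LOGGER.debug("Fetching credentials from delegated client [{}]", baseClient);
        ClientCredential clientCredential = new ClientCredential(getCredentialsFromDelegatedClient(jEEContext, baseClient), baseClient.getName());
        LOGGER.info("Credentials are successfully authenticated using the delegated client [{}]", baseClient.getName());
        WebUtils.putCredential(requestContext, clientCredential);
        return clientCredential;
    }

    /**
     * Asks the delegated client for the credentials carried by the callback.
     *
     * @param jEEContext the pac4j web context
     * @param baseClient the resolved delegated client
     * @return the extracted credentials
     * @throws IllegalArgumentException when the client could not extract any credentials
     */
    protected Credentials getCredentialsFromDelegatedClient(JEEContext jEEContext, BaseClient baseClient) {
        Optional<Credentials> credentials = baseClient.getCredentials(jEEContext, this.configContext.getSessionStore());
        // Debug only: credential objects may carry tokens/codes, so this must not be promoted to INFO.
        LOGGER.debug("Retrieved credentials from client as [{}]", credentials);
        return credentials.orElseThrow(() ->
            new IllegalArgumentException("Unable to determine credentials from the context with client " + baseClient.getName()));
    }

    /**
     * Resolves the caller-supplied client name against the configured clients and checks that the client
     * is authorized for the given service. Both failures are reported with the same generic error code so
     * the response does not reveal which clients exist.
     *
     * @param requestContext the webflow request context
     * @param str            the delegated client name from the request
     * @param service        the restored service, possibly {@code null} (logout callbacks)
     * @return the initialized client
     * @throws UnauthorizedServiceException when the client is unknown or not authorized for the service
     */
    protected BaseClient findDelegatedClientByName(RequestContext requestContext, String str, Service service) {
        Optional<Client> found = this.configContext.getClients().findClient(str);
        if (found.isEmpty()) {
            LOGGER.warn("Delegated client [{}] can not be located", str);
            throw new UnauthorizedServiceException("screen.service.error.message", "");
        }
        BaseClient client = (BaseClient) found.get();
        LOGGER.debug("Delegated authentication client is [{}] with service [{}]", client, service);
        if (service != null) {
            // Exposed as a request attribute for the authorizers/views that run after this action.
            WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext).setAttribute("service", service);
        }
        if (!isDelegatedClientAuthorizedForService(client, service, requestContext)) {
            LOGGER.warn("Delegated client [{}] is not authorized by service [{}]", client, service);
            throw new UnauthorizedServiceException("screen.service.error.message", "");
        }
        client.init();
        return client;
    }

    /**
     * Halts the flow with a {@code stop} event carrying the failure.
     *
     * <p>NOTE(review): the raw exception is placed in flash scope as {@code rootCauseException}; its message
     * can contain caller-supplied input (see the client name in {@link #doExecute}). The error view that
     * reads it should escape the message and must not render stack traces to end users.
     *
     * @param exc            the failure
     * @param requestContext the webflow request context
     * @return the {@code stop} event with the exception as its {@code error} attribute
     */
    protected Event stopWebflow(Exception exc, RequestContext requestContext) {
        requestContext.getFlashScope().put("rootCauseException", exc);
        return new Event(this, "stop", new LocalAttributeMap("error", exc));
    }

    /**
     * Restores the authentication request that was saved before redirecting to the provider.
     *
     * <p>Fails closed: an unknown client, or any exception while looking the client up or restoring the
     * request, is logged and reported as {@link UnauthorizedServiceException}. (The earlier listing left the
     * {@code Optional} unassigned on the exception path and then dereferenced it.)
     *
     * @param requestContext the webflow request context
     * @param jEEContext     the pac4j web context
     * @param str            the delegated client name
     * @return the restored service, or {@code null} for logout callbacks
     * @throws UnauthorizedServiceException when the client is unknown or the request cannot be restored
     */
    protected Service restoreAuthenticationRequestInContext(RequestContext requestContext, JEEContext jEEContext, String str) {
        if (isLogoutRequest(jEEContext.getNativeRequest())) {
            return null;
        }
        try {
            Optional<Client> found = this.configContext.getClients().findClient(str);
            if (found.isPresent()) {
                BaseClient client = (BaseClient) found.get();
                return this.delegatedClientAuthenticationWebflowManager.retrieve(requestContext, jEEContext, client);
            }
            LOGGER.warn("Unable to locate client [{}] in registered clients", str);
        } catch (Exception e) {
            LoggingUtils.error(LOGGER, e);
        }
        throw new UnauthorizedServiceException("screen.service.error.message", "");
    }

    /**
     * Every configured authorizer must accept the client for the service.
     *
     * <p>Note that {@code allMatch} over an empty stream is {@code true}: with no authorizers configured
     * every client is considered authorized for every service.
     *
     * @param client         the delegated client
     * @param service        the target service, possibly {@code null}
     * @param requestContext the webflow request context
     * @return {@code true} when all authorizers accept (or none are configured)
     */
    protected boolean isDelegatedClientAuthorizedForService(Client client, Service service, RequestContext requestContext) {
        return this.configContext.getDelegatedClientIdentityProviderAuthorizers().stream()
            .allMatch(authorizer -> authorizer.isDelegatedClientAuthorizedForService(client, service, requestContext));
    }

    @Generated
    public DelegatedClientAuthenticationConfigurationContext getConfigContext() {
        return this.configContext;
    }

    @Generated
    public DelegatedClientAuthenticationWebflowManager getDelegatedClientAuthenticationWebflowManager() {
        return this.delegatedClientAuthenticationWebflowManager;
    }

    @Generated
    public DelegatedClientAuthenticationFailureEvaluator getFailureEvaluator() {
        return this.failureEvaluator;
    }

    @Generated
    public DelegatedAuthenticationSingleSignOnEvaluator getSsoEvaluator() {
        return this.ssoEvaluator;
    }
}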
