package org.apereo.cas.support.saml.web.idp.delegation;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.pac4j.client.DelegatedClientAuthenticationRequestCustomizer;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceDelegatedAuthenticationPolicy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.apereo.cas.support.saml.idp.SamlIdPSessionManager;
import org.apereo.cas.util.CollectionUtils;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.IDPList;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.pac4j.core.client.IndirectClient;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.saml.client.SAML2Client;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/delegation/SamlIdPDelegatedClientAuthenticationRequestCustomizer.class */
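/**
 * Shapes the outbound delegated (pac4j) SAML2 client request from the inbound
 * SAML2 {@link AuthnRequest} that the IdP side of CAS kept in its session store,
 * and decides whether a given delegated client may be used for that request.
 *
 * <p>Customization copies three aspects of the inbound request onto the
 * {@link WebContext} as request attributes ({@code "ForceAuthn"}, {@code "Passive"},
 * {@code "AuthnContextClassRefs"}/{@code "ComparisonType"}). The consumer of these
 * attributes is not visible here; presumably the SAML2 client's own request builder
 * reads them — confirm against the caller before renaming any of them.
 *
 * <p>Authorization honours the {@code Scoping/IDPList} of the inbound request: a
 * {@link SAML2Client} whose resolved entity id is not listed is only allowed when the
 * registered service's delegated-authentication policy explicitly allows the client.
 * Flows without a stored SAML2 request, and non-SAML2 clients, are never constrained
 * by this customizer.
 *
 * <p>Instances are immutable once constructed; thread-safety of the collaborators
 * (session store, services manager) is their own concern.
 */
public class SamlIdPDelegatedClientAuthenticationRequestCustomizer implements DelegatedClientAuthenticationRequestCustomizer {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlIdPDelegatedClientAuthenticationRequestCustomizer.class);

    // Request-attribute names handed to the delegated client. Values are part of the
    // runtime contract with whatever reads them downstream; keep them byte-identical.
    private static final String ATTR_FORCE_AUTHN = "ForceAuthn";
    private static final String ATTR_PASSIVE = "Passive";
    private static final String ATTR_AUTHN_CONTEXT_CLASS_REFS = "AuthnContextClassRefs";
    private static final String ATTR_COMPARISON_TYPE = "ComparisonType";

    private final SessionStore sessionStore;
    private final OpenSamlConfigBean openSamlConfigBean;
    private final ServicesManager servicesManager;
    private final CasConfigurationProperties casProperties;

    /**
     * Applies the ForceAuthn, IsPassive and RequestedAuthnContext aspects of the
     * stored SAML2 request to the delegated client's web context. Does nothing when
     * no SAML2 authentication request is found in the session store.
     *
     * @param indirectClient the delegated client being customized
     * @param webContext     the current web context that receives the request attributes
     */
    @Override
    public void customize(final IndirectClient indirectClient, final WebContext webContext) {
        SamlIdPSessionManager.of(this.openSamlConfigBean, this.sessionStore)
            .fetch(webContext, AuthnRequest.class)
            .map(Pair::getLeft)
            // The session manager hands back a generic request type; narrow it explicitly.
            .map(AuthnRequest.class::cast)
            .ifPresent(authnRequest -> {
                LOGGER.debug("Retrieved the SAML2 authentication request from [{}]", SamlIdPUtils.getIssuerFromSamlObject(authnRequest));
                // isForceAuthn()/isPassive() are boxed Booleans; null means "not set".
                if (Boolean.TRUE.equals(authnRequest.isForceAuthn())) {
                    customizeForceAuthnRequest(indirectClient, webContext, authnRequest);
                }
                if (Boolean.TRUE.equals(authnRequest.isPassive())) {
                    customizePassiveAuthnRequest(indirectClient, webContext);
                }
                customizeAuthnContextClass(indirectClient, webContext, authnRequest);
            });
    }

    /**
     * Decides whether the delegated client may serve the stored SAML2 request,
     * based on the request's {@code Scoping/IDPList}.
     *
     * <p>Returns {@code true} (no restriction) when there is no stored SAML2 request,
     * when the client is not a {@link SAML2Client}, when the request carries no
     * IDPList, or when the client's resolved identity-provider entity id is listed.
     * Otherwise the decision is delegated to the registered service's
     * delegated-authentication policy, which is consulted with the client's
     * <em>name</em> rather than its entity id; an unknown service or a service
     * without such a policy yields {@code false}.
     *
     * <p>NOTE(review): the IDPList originates in the service provider's request.
     * Whether that request was signature-verified before it was stored is decided
     * upstream, not here — this method treats the stored copy as authoritative.
     *
     * @param webContext            the current web context
     * @param indirectClient        the delegated client under evaluation
     * @param webApplicationService the CAS service the user is trying to reach; used to
     *                              look up the registered service and its policy
     * @return whether the client is authorized for this request
     */
    @Override
    public boolean isAuthorized(final WebContext webContext, final IndirectClient indirectClient, final WebApplicationService webApplicationService) {
        final var fetched = SamlIdPSessionManager.of(this.openSamlConfigBean, this.sessionStore).fetch(webContext, AuthnRequest.class);
        if (fetched.isEmpty()) {
            LOGGER.trace("No SAML2 authentication request found in session store");
            return true;
        }
        final var authnRequest = (AuthnRequest) fetched.orElseThrow().getLeft();
        LOGGER.trace("Retrieved the SAML2 authentication request from [{}]", SamlIdPUtils.getIssuerFromSamlObject(authnRequest));

        final Set<String> scopedIdentityProviders = collectScopedIdentityProviders(authnRequest);
        LOGGER.debug("Scoped identity providers are [{}] to examine against client [{}]", scopedIdentityProviders, indirectClient.getName());
        if (!supports(indirectClient, webContext)) {
            return true;
        }
        final SAML2Client saml2Client = (SAML2Client) indirectClient;
        LOGGER.debug("Comparing delegated SAML2 identity provider [{}] against scoped identity providers [{}]",
            saml2Client.getIdentityProviderResolvedEntityId(), scopedIdentityProviders);
        if (scopedIdentityProviders.isEmpty() || scopedIdentityProviders.contains(saml2Client.getIdentityProviderResolvedEntityId())) {
            return true;
        }
        // Scoped out by the IDPList: the registered service's policy may still allow the client.
        final RegisteredService registeredService = this.servicesManager.findServiceBy(webApplicationService);
        final RegisteredServiceDelegatedAuthenticationPolicy policy = registeredService != null
            ? registeredService.getAccessStrategy().getDelegatedAuthenticationPolicy()
            : null;
        return policy != null && policy.isProviderAllowed(saml2Client.getName(), registeredService);
    }

    /**
     * Collects the provider ids named in the request's {@code Scoping/IDPList}.
     *
     * @param authnRequest the stored SAML2 request
     * @return the set of provider ids, empty when no scoping or IDPList is present
     */
    private static Set<String> collectScopedIdentityProviders(final AuthnRequest authnRequest) {
        final var scoping = authnRequest.getScoping();
        final IDPList idpList = scoping != null ? scoping.getIDPList() : null;
        if (idpList == null || idpList.getIDPEntrys() == null) {
            return Set.of();
        }
        return idpList.getIDPEntrys().stream()
            .map(entry -> entry.getProviderID())
            .collect(Collectors.toSet());
    }

    /**
     * Only {@link SAML2Client} instances are customized or constrained; {@code webContext}
     * is accepted for interface conformance and not consulted.
     *
     * @param indirectClient the delegated client
     * @param webContext     the current web context (unused)
     * @return whether this customizer applies to the client
     */
    @Override
    public boolean supports(final IndirectClient indirectClient, final WebContext webContext) {
        return indirectClient instanceof SAML2Client;
    }

    /**
     * Translates the inbound {@code RequestedAuthnContext} into the
     * {@code "AuthnContextClassRefs"} and {@code "ComparisonType"} request attributes.
     *
     * <p>Each requested class ref is passed through the configured
     * authentication-context class mappings ({@code casProperties.authn.samlIdp.core.context});
     * an unmapped ref maps to itself. A mapping value may be a comma-delimited list,
     * which is split so that one inbound ref can expand to several outbound refs.
     * The comparison defaults to {@code EXACT} when the request does not set one.
     * Nothing is set when the request carries no class refs.
     *
     * @param indirectClient the delegated client (unused here; available to subclasses)
     * @param webContext     the current web context that receives the attributes
     * @param authnRequest   the stored SAML2 request
     */
    protected void customizeAuthnContextClass(final IndirectClient indirectClient, final WebContext webContext, final AuthnRequest authnRequest) {
        final RequestedAuthnContext requestedAuthnContext = authnRequest.getRequestedAuthnContext();
        if (requestedAuthnContext == null
            || requestedAuthnContext.getAuthnContextClassRefs() == null
            || requestedAuthnContext.getAuthnContextClassRefs().isEmpty()) {
            return;
        }
        final List<String> requestedClassRefs = requestedAuthnContext.getAuthnContextClassRefs().stream()
            .map(ref -> ref.getURI())
            .toList();
        final var contextMappings = CollectionUtils.convertDirectedListToMap(
            this.casProperties.getAuthn().getSamlIdp().getCore().getContext().getAuthenticationContextClassMappings());
        LOGGER.debug("Defined authentication context mappings are [{}]", contextMappings);

        final List<String> mappedClassRefs = requestedClassRefs.stream()
            .map(classRef -> (String) contextMappings.getOrDefault(classRef, classRef))
            // commaDelimitedListToSet keeps insertion order and tolerates null input.
            .flatMap(mapped -> StringUtils.commaDelimitedListToSet(mapped).stream())
            .toList();
        LOGGER.debug("Mapped authentication context classes are [{}]", mappedClassRefs);

        webContext.setRequestAttribute(ATTR_AUTHN_CONTEXT_CLASS_REFS, mappedClassRefs);
        webContext.setRequestAttribute(ATTR_COMPARISON_TYPE,
            Objects.requireNonNullElse(requestedAuthnContext.getComparison(), AuthnContextComparisonTypeEnumeration.EXACT).name());
    }

    /**
     * Marks the delegated request as passive ({@code "Passive"} = {@code true}).
     *
     * @param indirectClient the delegated client (unused here; available to subclasses)
     * @param webContext     the current web context that receives the attribute
     */
    protected void customizePassiveAuthnRequest(final IndirectClient indirectClient, final WebContext webContext) {
        webContext.setRequestAttribute(ATTR_PASSIVE, true);
    }

    /**
     * Marks the delegated request as forced ({@code "ForceAuthn"} = {@code true}).
     *
     * @param indirectClient the delegated client (unused here; available to subclasses)
     * @param webContext     the current web context that receives the attribute
     * @param authnRequest   the stored SAML2 request (unused here; available to subclasses)
     */
    protected void customizeForceAuthnRequest(final IndirectClient indirectClient, final WebContext webContext, final AuthnRequest authnRequest) {
        webContext.setRequestAttribute(ATTR_FORCE_AUTHN, true);
    }

    /**
     * Creates the customizer.
     *
     * @param sessionStore               pac4j session store holding the inbound SAML2 request
     * @param openSamlConfigBean         OpenSAML configuration used by the session manager
     * @param servicesManager            registry used to resolve the registered service and its policy
     * @param casConfigurationProperties CAS properties; only the SAML IdP context mappings are read
     */
    @Generated
    public SamlIdPDelegatedClientAuthenticationRequestCustomizer(final SessionStore sessionStore,
                                                                 final OpenSamlConfigBean openSamlConfigBean,
                                                                 final ServicesManager servicesManager,
                                                                 final CasConfigurationProperties casConfigurationProperties) {
        this.sessionStore = sessionStore;
        this.openSamlConfigBean = openSamlConfigBean;
        this.servicesManager = servicesManager;
        this.casProperties = casConfigurationProperties;
    }
}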
