package org.apereo.cas.support.saml.web.idp.profile.builders.authn;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.Criterion;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.idp.metadata.locator.SamlIdPSamlRegisteredServiceCriterion;
import org.apereo.cas.support.saml.util.AbstractSaml20ObjectBuilder;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileBuilderContext;
import org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.scripting.ExecutableCompiledScript;
import org.apereo.cas.util.scripting.ExecutableCompiledScriptFactory;
import org.apereo.cas.util.spring.ApplicationContextProvider;
import org.apereo.cas.util.spring.SpringExpressionLanguageValueResolver;
import org.opensaml.saml.metadata.criteria.entity.impl.EvaluableEntityRoleEntityDescriptorCriterion;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.opensaml.saml.saml2.core.AuthenticatingAuthority;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.IDPSSODescriptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/saml/web/idp/profile/builders/authn/SamlProfileAuthnContextClassRefBuilder.class */
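/**
 * Builds the SAML2 {@link AuthnContext} element placed in assertions issued by the CAS SAML2 IdP:
 * an {@link AuthnContextClassRef} describing how the user authenticated and, unless the service
 * opts out, an {@link AuthenticatingAuthority} carrying the IdP entity id.
 *
 * <p>Security-relevant behaviour, as implemented in this class:
 * <ul>
 *   <li>A class ref requested by the service provider is only echoed back when the authenticated
 *       assertion carries a matching value for the configured authentication-context attribute
 *       (see {@link #getMappedAuthenticationContextClass}); otherwise the default class is used.</li>
 *   <li>A class ref configured on the registered service is emitted as configured, without being
 *       compared to the authenticated assertion.</li>
 *   <li>The configured value may be a script; it is executed with the full builder context bound.
 *       Whoever can edit the service definition therefore controls code run by the IdP.</li>
 * </ul>
 */
public class SamlProfileAuthnContextClassRefBuilder extends AbstractSaml20ObjectBuilder implements SamlProfileObjectBuilder<AuthnContext> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlProfileAuthnContextClassRefBuilder.class);
    private static final long serialVersionUID = 5783371664834470257L;
    // Resolver over the IdP's own metadata; used only to look up the IdP entity id.
    private final MetadataResolver samlIdPMetadataResolver;
    // CAS settings: SAML IdP context-class mappings/default and the MFA authentication-context attribute name.
    private final CasConfigurationProperties casProperties;

    /**
     * @param openSamlConfigBean         OpenSAML configuration handed to the parent builder
     * @param metadataResolver           resolver for the SAML2 IdP metadata
     * @param casConfigurationProperties CAS configuration properties
     */
    public SamlProfileAuthnContextClassRefBuilder(OpenSamlConfigBean openSamlConfigBean, MetadataResolver metadataResolver, CasConfigurationProperties casConfigurationProperties) {
        super(openSamlConfigBean);
        this.samlIdPMetadataResolver = metadataResolver;
        this.casProperties = casConfigurationProperties;
    }

    /**
     * Creates the {@link AuthnContext}: sets the class ref URI computed by
     * {@link #buildAuthnContextClassRefValue} and then adds the authenticating authority.
     *
     * @param samlProfileBuilderContext the current profile builder context
     * @return the populated authentication context
     * @throws Exception if the authenticating authority cannot be resolved
     */
    @Override // org.apereo.cas.support.saml.web.idp.profile.builders.SamlProfileObjectBuilder
    /* renamed from: build, reason: avoid collision after fix types in other method and merged with bridge method [inline-methods] */
    public AuthnContext mo26build(SamlProfileBuilderContext samlProfileBuilderContext) throws Exception {
        String buildAuthnContextClassRefValue = buildAuthnContextClassRefValue(samlProfileBuilderContext);
        AuthnContext authnContext = (AuthnContext) newSamlObject(AuthnContext.class);
        AuthnContextClassRef newSamlObject = newSamlObject(AuthnContextClassRef.class);
        newSamlObject.setURI(buildAuthnContextClassRefValue);
        authnContext.setAuthnContextClassRef(newSamlObject);
        buildDefaultAuthenticatingAuthority(samlProfileBuilderContext, authnContext);
        return authnContext;
    }

    /**
     * Adds an {@link AuthenticatingAuthority} whose URI is the IdP entity id resolved from the
     * SAML2 IdP metadata, unless the registered service is flagged to skip it.
     *
     * @param samlProfileBuilderContext the current profile builder context
     * @param authnContext              the context to add the authority to
     * @throws NullPointerException if no IdP entity descriptor can be resolved
     * @throws Exception            if metadata resolution fails
     */
    protected void buildDefaultAuthenticatingAuthority(SamlProfileBuilderContext samlProfileBuilderContext, AuthnContext authnContext) throws Exception {
        if (samlProfileBuilderContext.getRegisteredService().isSkipGeneratingAuthenticatingAuthority()) {
            return;
        }
        CriteriaSet criteriaSet = new CriteriaSet(new Criterion[]{new EvaluableEntityRoleEntityDescriptorCriterion(IDPSSODescriptor.DEFAULT_ELEMENT_NAME), new SamlIdPSamlRegisteredServiceCriterion(samlProfileBuilderContext.getRegisteredService())});
        LOGGER.trace("Resolving entity id from SAML2 IdP metadata for signature signing configuration is [{}]", samlProfileBuilderContext.getRegisteredService().getName());
        // Fail with a descriptive message instead of a bare NullPointerException when metadata yields nothing.
        String entityID = ((EntityDescriptor) Objects.requireNonNull((EntityDescriptor) this.samlIdPMetadataResolver.resolveSingle(criteriaSet),
            "Unable to resolve a SAML2 IdP entity descriptor from metadata for service " + samlProfileBuilderContext.getRegisteredService().getName())).getEntityID();
        LOGGER.trace("Resolved entity id from SAML2 IdP metadata is [{}]", entityID);
        AuthenticatingAuthority newSamlObject = newSamlObject(AuthenticatingAuthority.class);
        newSamlObject.setURI(entityID);
        authnContext.getAuthenticatingAuthorities().add(newSamlObject);
    }

    /**
     * Decides the class ref URI, in this order of precedence:
     * <ol>
     *   <li>the registered service's required class (after expression resolution), executed as a
     *       script when a script factory is available and recognises the value as a script;</li>
     *   <li>a class derived from the assertion via the configured mappings, when the request
     *       carries no {@link RequestedAuthnContext} or no class refs;</li>
     *   <li>the requested class that the assertion satisfies, falling back to the plain default.</li>
     * </ol>
     */
    private String buildAuthnContextClassRefValue(SamlProfileBuilderContext samlProfileBuilderContext) {
        // The value comes from the service definition, not from the SAML request; it is also passed through the
        // expression resolver, so the service registry must be treated as trusted, write-restricted configuration.
        String resolve = SpringExpressionLanguageValueResolver.getInstance().resolve(samlProfileBuilderContext.getRegisteredService().getRequiredAuthenticationContextClass());
        if (StringUtils.isNotBlank(resolve)) {
            LOGGER.debug("Using [{}] as indicated by SAML registered service [{}]", resolve, samlProfileBuilderContext.getRegisteredService().getName());
            Optional findExecutableCompiledScriptFactory = ExecutableCompiledScriptFactory.findExecutableCompiledScriptFactory();
            // NOTE(review): on this path the class is asserted as configured; nothing here compares it with the
            // authentication that actually took place.
            return (findExecutableCompiledScriptFactory.isPresent() && ((ExecutableCompiledScriptFactory) findExecutableCompiledScriptFactory.get()).isScript(resolve)) ? buildScriptedAuthnContextClassRef(samlProfileBuilderContext, resolve) : resolve;
        }
        String defaultAuthenticationContextClass = getDefaultAuthenticationContextClass();
        AuthnRequest samlRequest = samlProfileBuilderContext.getSamlRequest();
        RequestedAuthnContext requestedAuthnContext = samlRequest instanceof AuthnRequest ? samlRequest.getRequestedAuthnContext() : null;
        if (requestedAuthnContext == null) {
            LOGGER.debug("No specific authN context is requested. Returning [{}]", defaultAuthenticationContextClass);
            return buildDefaultAuthenticationContextClass(defaultAuthenticationContextClass, samlProfileBuilderContext);
        }
        List<AuthnContextClassRef> authnContextClassRefs = requestedAuthnContext.getAuthnContextClassRefs();
        if (authnContextClassRefs == null || authnContextClassRefs.isEmpty()) {
            LOGGER.debug("Requested authN context class ref is unspecified. Returning [{}]", defaultAuthenticationContextClass);
            return buildDefaultAuthenticationContextClass(defaultAuthenticationContextClass, samlProfileBuilderContext);
        }
        // An unsatisfied request falls back to the plain default class, never to the class the SP asked for.
        String str = (String) StringUtils.defaultIfBlank(getAuthenticationContextByAssertion(samlProfileBuilderContext, requestedAuthnContext, authnContextClassRefs), defaultAuthenticationContextClass);
        LOGGER.debug("Returning authentication context [{}]", str);
        return str;
    }

    /**
     * Runs the script named by {@code str} to obtain the class ref. The script receives the builder
     * context and this class's logger as bindings.
     *
     * @param samlProfileBuilderContext the current profile builder context
     * @param str                       the script reference taken from the registered service
     * @return the script result, or {@code str} itself when the script resource cannot be resolved
     * @throws RuntimeException if no script cache manager is available or the lambda yields no value
     */
    protected String buildScriptedAuthnContextClassRef(SamlProfileBuilderContext samlProfileBuilderContext, String str) {
        LOGGER.debug("Executing groovy script [{}] to determine authentication context class for [{}]", str, samlProfileBuilderContext.getAdaptor().getEntityId());
        // SECURITY: this executes code selected by the service definition with the whole builder context
        // (request, assertion, service) in scope. Restrict who may author service definitions and script files.
        return (String) ApplicationContextProvider.getScriptResourceCacheManager().map(scriptResourceCacheManager -> {
            ExecutableCompiledScript resolveScriptableResource = scriptResourceCacheManager.resolveScriptableResource(str, new String[]{str, samlProfileBuilderContext.getAdaptor().getEntityId()});
            return (String) FunctionUtils.doIfNotNull(resolveScriptableResource, () -> {
                Map wrap = CollectionUtils.wrap("context", samlProfileBuilderContext, "logger", LOGGER);
                resolveScriptableResource.setBinding(wrap);
                // presumably wrap() preserves insertion order so the arguments are (context, logger) - confirm
                return (String) resolveScriptableResource.execute(wrap.values().toArray(), String.class, true);
            }, () -> {
                return str;
            }).get();
        }).orElseThrow(() -> {
            return new RuntimeException("Unable to locate script cache manager or execute groovy script");
        });
    }

    /**
     * Picks the first configured mapping whose value appears among the assertion's values for the
     * authentication-context attribute and returns that mapping's key; otherwise returns {@code str}.
     * Here the configured attribute name is used as a single key (it is not comma-split).
     *
     * @param str                       the fallback class
     * @param samlProfileBuilderContext the current profile builder context
     * @return the mapped class or the fallback
     * @throws java.util.NoSuchElementException if the context holds no authenticated assertion
     */
    protected String buildDefaultAuthenticationContextClass(String str, SamlProfileBuilderContext samlProfileBuilderContext) {
        Set collection = CollectionUtils.toCollection(samlProfileBuilderContext.getAuthenticatedAssertion().orElseThrow().getAttributes().get(this.casProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute()));
        return (String) CollectionUtils.convertDirectedListToMap(this.casProperties.getAuthn().getSamlIdp().getCore().getContext().getAuthenticationContextClassMappings()).entrySet().stream().filter(entry -> {
            return collection.contains(entry.getValue());
        }).map((v0) -> {
            return v0.getKey();
        }).findFirst().orElse(str);
    }

    /**
     * @return the configured default class, or PasswordProtectedTransport when none is configured
     */
    protected String getDefaultAuthenticationContextClass() {
        return (String) StringUtils.defaultIfBlank(this.casProperties.getAuthn().getSamlIdp().getCore().getContext().getDefaultAuthenticationContextClass(), "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");
    }

    /**
     * Matches the requested class refs against the configured mappings and checks the match against
     * the authenticated assertion.
     *
     * <p>The request's {@code Comparison} value is logged only; matching is an exact URI lookup in
     * the mappings. Only the first requested class ref that has a mapping is evaluated: if the
     * assertion does not satisfy it, later requested refs are not tried.
     *
     * @param samlProfileBuilderContext the current profile builder context
     * @param requestedAuthnContext     the requested context from the authentication request
     * @param list                      the requested class refs
     * @return the satisfied requested class URI, or an empty string when none is satisfied
     */
    protected String getAuthenticationContextByAssertion(SamlProfileBuilderContext samlProfileBuilderContext, RequestedAuthnContext requestedAuthnContext, List<AuthnContextClassRef> list) {
        LOGGER.debug("AuthN context comparison to use [{}]", requestedAuthnContext.getComparison());
        list.forEach(authnContextClassRef -> {
            LOGGER.debug("Requested AuthN Context [{}]", authnContextClassRef.getURI());
        });
        Map convertDirectedListToMap = CollectionUtils.convertDirectedListToMap(this.casProperties.getAuthn().getSamlIdp().getCore().getContext().getAuthenticationContextClassMappings());
        LOGGER.debug("Defined authentication context mappings are [{}]", convertDirectedListToMap);
        return (String) list.stream().filter(authnContextClassRef2 -> {
            return StringUtils.isNotBlank(authnContextClassRef2.getURI());
        }).filter(authnContextClassRef3 -> {
            return convertDirectedListToMap.containsKey(authnContextClassRef3.getURI());
        }).map(authnContextClassRef4 -> {
            return Pair.of(authnContextClassRef4, (String) convertDirectedListToMap.get(authnContextClassRef4.getURI()));
        }).findFirst().map(pair -> {
            // A null result here empties the Optional, which becomes "" below.
            return getMappedAuthenticationContextClass(samlProfileBuilderContext, pair);
        }).orElse("");
    }

    /**
     * Returns the requested class URI when the assertion proves it was satisfied: for each
     * comma-separated authentication-context attribute name, the first attribute value must be one
     * of the comma-separated values mapped to the requested class.
     *
     * @return the requested class URI, or {@code null} when the assertion does not satisfy it
     * @throws java.util.NoSuchElementException if the context holds no authenticated assertion
     */
    private String getMappedAuthenticationContextClass(SamlProfileBuilderContext samlProfileBuilderContext, Pair<AuthnContextClassRef, String> pair) {
        ArrayList arrayList = new ArrayList(org.springframework.util.StringUtils.commaDelimitedListToSet((String) pair.getValue()));
        // orElseThrow() states the intent explicitly and matches buildDefaultAuthenticationContextClass.
        Map<String, Object> attributes = samlProfileBuilderContext.getAuthenticatedAssertion().orElseThrow().getAttributes();
        for (String str : org.springframework.util.StringUtils.commaDelimitedListToSet(this.casProperties.getAuthn().getMfa().getCore().getAuthenticationContextAttribute())) {
            // Log attribute names only: the full map holds the principal's attribute values, which do not belong
            // in log files. The one value that matters is logged by the comparison message below.
            LOGGER.debug("Checking for mapped authentication context method [{}] in attributes [{}] via [{}]", new Object[]{arrayList, attributes.keySet(), str});
            if (attributes.containsKey(str)) {
                String str2 = (String) CollectionUtils.firstElement(attributes.get(str)).map((v0) -> {
                    return v0.toString();
                }).orElse("");
                LOGGER.debug("Comparing satisfied authentication context [{}] against [{}]", str2, pair.getValue());
                if (arrayList.contains(str2)) {
                    return ((AuthnContextClassRef) pair.getLeft()).getURI();
                }
            }
        }
        return null;
    }
}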
