package org.apereo.cas.authentication;

import java.util.Map;
import java.util.Optional;
import lombok.Generated;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedSsoServiceException;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.ws.idp.services.WSFederationRegisteredService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/authentication/DefaultSecurityTokenServiceTokenFetcher.class */
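/**
 * Default {@link SecurityTokenServiceTokenFetcher} that obtains a {@link SecurityToken} from the
 * security token service (STS) on behalf of a principal, for a WS-Federation registered service.
 *
 * <p>The STS request is authenticated with the principal id as the username and the output of
 * {@code credentialCipherExecutor.encode(principalId)} as the password. That encoded value is a
 * credential and must not be written to logs or exception messages.
 *
 * <p>NOTE(review): the strength of that credential rests entirely on the configured
 * {@link CipherExecutor}; presumably the STS side decodes and compares it. Confirm that a
 * no-op or default-key cipher cannot be wired in for production deployments.
 */
public class DefaultSecurityTokenServiceTokenFetcher implements SecurityTokenServiceTokenFetcher {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultSecurityTokenServiceTokenFetcher.class);
    private final ServicesManager servicesManager;
    private final AuthenticationServiceSelectionStrategy selectionStrategy;
    private final CipherExecutor<String, String> credentialCipherExecutor;
    private final SecurityTokenServiceClientBuilder clientBuilder;

    /**
     * Resolves the given service to its WS-Federation registration, enforces the registration's
     * access strategy, and requests a security token from the STS.
     *
     * @param service the service the token is requested for
     * @param str the principal id; used as the STS username and as the input to the credential cipher
     * @return the issued token, or an empty {@link Optional} when the service cannot be resolved
     *         or the STS returns no token
     * @throws UnauthorizedSsoServiceException when no WS-Federation registration matches the
     *         resolved service, or the registration's access strategy denies the service
     * @throws AuthenticationException when the STS request fails
     */
    @Override // org.apereo.cas.authentication.SecurityTokenServiceTokenFetcher
    public Optional<SecurityToken> fetch(Service service, String str) throws Throwable {
        Service resolvedService = this.selectionStrategy.resolveServiceFrom(service);
        LOGGER.debug("Resolved service as [{}]", resolvedService);
        if (resolvedService == null) {
            return Optional.empty();
        }
        WSFederationRegisteredService registeredService = (WSFederationRegisteredService) this.servicesManager.findServiceBy(resolvedService, WSFederationRegisteredService.class);
        // Authorization gate: nothing below may run unless a registration exists and allows access.
        if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed(registeredService, service)) {
            // When no registration was found, log the resolved service instead of "null" so the
            // denial can be attributed to a concrete request during audit or incident review.
            LOGGER.warn("Service [{}] is not allowed to use SSO.", registeredService != null ? registeredService : resolvedService);
            throw new UnauthorizedSsoServiceException();
        }
        LOGGER.debug("Building security token service client for registered service [{}]", registeredService);
        SecurityTokenServiceClient stsClient = this.clientBuilder.buildClientForSecurityTokenRequests(registeredService);
        return Optional.ofNullable(invokeSecurityTokenServiceForToken(registeredService, stsClient, str));
    }

    /**
     * Sets the STS client credentials for the principal and requests a token for the
     * registered service's {@code appliesTo} value.
     *
     * @param registeredService the WS-Federation registration the token is issued for
     * @param stsClient the STS client whose properties receive the credentials
     * @param principalId the principal id, used as the username and as the cipher input
     * @return the token returned by the STS client
     * @throws AuthenticationException when encoding or the STS request throws
     */
    private SecurityToken invokeSecurityTokenServiceForToken(WSFederationRegisteredService registeredService, SecurityTokenServiceClient stsClient, String principalId) {
        try {
            Map<String, Object> properties = stsClient.getProperties();
            properties.put("security.username", principalId);
            String encodedCredential = this.credentialCipherExecutor.encode(principalId);
            properties.put("security.password", encodedCredential);
            // Log the principal id, never the encoded credential: that value is the STS password
            // and would be replayable by anyone with read access to debug logs.
            LOGGER.debug("Requesting security token for principal [{}] and registered service [{}]", principalId, registeredService);
            return stsClient.requestSecurityToken(registeredService.getAppliesTo());
        } catch (Exception e) {
            LoggingUtils.error(LOGGER, e);
            // NOTE(review): only the message is carried over; the original exception is recorded
            // by LoggingUtils.error above but is not chained as the cause of the thrown exception.
            throw new AuthenticationException(e.getMessage());
        }
    }

    /**
     * Creates the fetcher with its collaborators; the arguments are stored as given.
     *
     * @param servicesManager looks up the WS-Federation registration for a resolved service
     * @param authenticationServiceSelectionStrategy resolves the incoming service before lookup
     * @param cipherExecutor encodes the principal id into the STS password
     * @param securityTokenServiceClientBuilder builds the STS client for a registered service
     */
    @Generated
    public DefaultSecurityTokenServiceTokenFetcher(ServicesManager servicesManager, AuthenticationServiceSelectionStrategy authenticationServiceSelectionStrategy, CipherExecutor<String, String> cipherExecutor, SecurityTokenServiceClientBuilder securityTokenServiceClientBuilder) {
        this.servicesManager = servicesManager;
        this.selectionStrategy = authenticationServiceSelectionStrategy;
        this.credentialCipherExecutor = cipherExecutor;
        this.clientBuilder = securityTokenServiceClientBuilder;
    }

    /**
     * Returns a description made of the {@code toString()} of each collaborator.
     *
     * <p>NOTE(review): this includes {@code credentialCipherExecutor.toString()}; verify that the
     * cipher implementation does not render key material there.
     */
    @Generated
    @Override
    public String toString() {
        return "DefaultSecurityTokenServiceTokenFetcher(super=" + super.toString() + ", servicesManager=" + String.valueOf(this.servicesManager) + ", selectionStrategy=" + String.valueOf(this.selectionStrategy) + ", credentialCipherExecutor=" + String.valueOf(this.credentialCipherExecutor) + ", clientBuilder=" + String.valueOf(this.clientBuilder) + ")";
    }
}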
