package org.apereo.cas.oidc.profile;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import lombok.Generated;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.oidc.OidcProperties;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.oidc.claims.BaseOidcScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcAddressScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcCustomScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcEmailScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcPhoneScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcProfileScopeAttributeReleasePolicy;
import org.apereo.cas.services.ChainingAttributeReleasePolicy;
import org.apereo.cas.services.DenyAllAttributeReleasePolicy;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.profile.DefaultOAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.ticket.accesstoken.AccessToken;
import org.jooq.lambda.Unchecked;
import org.pac4j.core.context.J2EContext;
import org.reflections.Reflections;
import org.reflections.scanners.Scanner;
import org.reflections.scanners.SubTypesScanner;
import org.reflections.util.ClasspathHelper;
import org.reflections.util.ConfigurationBuilder;
import org.reflections.util.FilterBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/oidc/profile/OidcProfileScopeToAttributesFilter.class */
public class OidcProfileScopeToAttributesFilter extends DefaultOAuth20ProfileScopeToAttributesFilter {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcProfileScopeToAttributesFilter.class);
    private final Map<String, BaseOidcScopeAttributeReleasePolicy> filters = new HashMap();
    private final Collection<BaseOidcScopeAttributeReleasePolicy> userScopes;
    private final PrincipalFactory principalFactory;
    private final ServicesManager servicesManager;
    private final CasConfigurationProperties casProperties;

    /* renamed from: org.apereo.cas.oidc.profile.OidcProfileScopeToAttributesFilter$1, reason: invalid class name */
    /* loaded from: input_file:org/apereo/cas/oidc/profile/OidcProfileScopeToAttributesFilter$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apereo$cas$oidc$OidcConstants$StandardScopes = new int[OidcConstants.StandardScopes.values().length];

        static {
            try {
                $SwitchMap$org$apereo$cas$oidc$OidcConstants$StandardScopes[OidcConstants.StandardScopes.EMAIL.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apereo$cas$oidc$OidcConstants$StandardScopes[OidcConstants.StandardScopes.ADDRESS.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apereo$cas$oidc$OidcConstants$StandardScopes[OidcConstants.StandardScopes.PROFILE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apereo$cas$oidc$OidcConstants$StandardScopes[OidcConstants.StandardScopes.PHONE.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$apereo$cas$oidc$OidcConstants$StandardScopes[OidcConstants.StandardScopes.OFFLINE_ACCESS.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$apereo$cas$oidc$OidcConstants$StandardScopes[OidcConstants.StandardScopes.CUSTOM.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
        }
    }

    public OidcProfileScopeToAttributesFilter(PrincipalFactory principalFactory, ServicesManager servicesManager, Collection<BaseOidcScopeAttributeReleasePolicy> collection, CasConfigurationProperties casConfigurationProperties) {
        this.casProperties = casConfigurationProperties;
        this.principalFactory = principalFactory;
        this.servicesManager = servicesManager;
        this.userScopes = collection;
        configureAttributeReleasePoliciesByScope();
    }

    private void configureAttributeReleasePoliciesByScope() {
        OidcProperties oidc = this.casProperties.getAuthn().getOidc();
        String name = BaseOidcScopeAttributeReleasePolicy.class.getPackage().getName();
        new Reflections(new ConfigurationBuilder().filterInputsBy(new FilterBuilder().includePackage(new String[]{name})).setUrls(ClasspathHelper.forPackage(name, new ClassLoader[0])).setScanners(new Scanner[]{new SubTypesScanner(true)})).getSubTypesOf(BaseOidcScopeAttributeReleasePolicy.class).forEach(Unchecked.consumer(cls -> {
            BaseOidcScopeAttributeReleasePolicy baseOidcScopeAttributeReleasePolicy = (BaseOidcScopeAttributeReleasePolicy) cls.getDeclaredConstructor(new Class[0]).newInstance(new Object[0]);
            if (!oidc.getScopes().contains(baseOidcScopeAttributeReleasePolicy.getScopeName())) {
                LOGGER.debug("OpenID Connect scope [{}] is not configured for use and will be ignored", baseOidcScopeAttributeReleasePolicy.getScopeName());
            } else {
                LOGGER.trace("Found OpenID Connect scope [{}] to filter attributes", baseOidcScopeAttributeReleasePolicy.getScopeName());
                this.filters.put(baseOidcScopeAttributeReleasePolicy.getScopeName(), baseOidcScopeAttributeReleasePolicy);
            }
        }));
        if (this.userScopes.isEmpty()) {
            return;
        }
        LOGGER.debug("Configuring attributes release policies for user-defined scopes [{}]", this.userScopes);
        this.userScopes.forEach(baseOidcScopeAttributeReleasePolicy -> {
            this.filters.put(baseOidcScopeAttributeReleasePolicy.getScopeName(), baseOidcScopeAttributeReleasePolicy);
        });
    }

    public Principal filter(Service service, Principal principal, RegisteredService registeredService, J2EContext j2EContext, AccessToken accessToken) {
        Principal filter = super.filter(service, principal, registeredService, j2EContext, accessToken);
        if (!(registeredService instanceof OidcRegisteredService)) {
            return filter;
        }
        LinkedHashSet linkedHashSet = new LinkedHashSet(accessToken.getScopes());
        if (!linkedHashSet.contains(OidcConstants.StandardScopes.OPENID.getScope())) {
            LOGGER.warn("Request does not indicate a scope [{}] that can identify an OpenID Connect request. This is a REQUIRED scope that MUST be present in the request. Given its absence, CAS will not process any attribute claims and will return the authenticated principal as is.", linkedHashSet);
            return filter;
        }
        RegisteredService registeredService2 = (OidcRegisteredService) registeredService;
        linkedHashSet.retainAll(registeredService2.getScopes());
        Map<String, Object> filterAttributesByScope = filterAttributesByScope(linkedHashSet, filter, service, registeredService2, accessToken);
        LOGGER.debug("Final collection of attributes filtered by scopes [{}] are [{}]", linkedHashSet, filterAttributesByScope);
        return this.principalFactory.createPrincipal(principal.getId(), filterAttributesByScope);
    }

    private Map<String, Object> filterAttributesByScope(Collection<String> collection, Principal principal, Service service, RegisteredService registeredService, AccessToken accessToken) {
        HashMap hashMap = new HashMap();
        Stream<String> distinct = collection.stream().distinct();
        Map<String, BaseOidcScopeAttributeReleasePolicy> map = this.filters;
        Objects.requireNonNull(map);
        distinct.filter((v1) -> {
            return r1.containsKey(v1);
        }).forEach(str -> {
            hashMap.putAll(this.filters.get(str).getAttributes(principal, service, registeredService));
        });
        return hashMap;
    }

    public void reconcile(RegisteredService registeredService) {
        if (!(registeredService instanceof OidcRegisteredService)) {
            super.reconcile(registeredService);
            return;
        }
        LOGGER.trace("Reconciling OpenId Connect scopes and claims for [{}]", registeredService.getServiceId());
        ArrayList arrayList = new ArrayList();
        ChainingAttributeReleasePolicy chainingAttributeReleasePolicy = new ChainingAttributeReleasePolicy();
        OidcRegisteredService oidcRegisteredService = (OidcRegisteredService) OidcRegisteredService.class.cast(registeredService);
        oidcRegisteredService.getScopes().forEach(str -> {
            LOGGER.trace("Reviewing scope [{}] for [{}]", str, registeredService.getServiceId());
            try {
                switch (AnonymousClass1.$SwitchMap$org$apereo$cas$oidc$OidcConstants$StandardScopes[OidcConstants.StandardScopes.valueOf(str.trim().toLowerCase().toUpperCase()).ordinal()]) {
                    case 1:
                        LOGGER.debug("Mapped [{}] to attribute release policy [{}]", str, OidcEmailScopeAttributeReleasePolicy.class.getSimpleName());
                        chainingAttributeReleasePolicy.getPolicies().add(new OidcEmailScopeAttributeReleasePolicy());
                        break;
                    case 2:
                        LOGGER.debug("Mapped [{}] to attribute release policy [{}]", str, OidcAddressScopeAttributeReleasePolicy.class.getSimpleName());
                        chainingAttributeReleasePolicy.getPolicies().add(new OidcAddressScopeAttributeReleasePolicy());
                        break;
                    case 3:
                        LOGGER.debug("Mapped [{}] to attribute release policy [{}]", str, OidcProfileScopeAttributeReleasePolicy.class.getSimpleName());
                        chainingAttributeReleasePolicy.getPolicies().add(new OidcProfileScopeAttributeReleasePolicy());
                        break;
                    case 4:
                        LOGGER.debug("Mapped [{}] to attribute release policy [{}]", str, OidcProfileScopeAttributeReleasePolicy.class.getSimpleName());
                        chainingAttributeReleasePolicy.getPolicies().add(new OidcPhoneScopeAttributeReleasePolicy());
                        break;
                    case 5:
                        LOGGER.debug("Given scope [{}], service [{}] is marked to generate refresh tokens", str, Long.valueOf(registeredService.getId()));
                        oidcRegisteredService.setGenerateRefreshToken(true);
                        break;
                    case 6:
                        LOGGER.debug("Found custom scope [{}] for service [{}]", str, Long.valueOf(registeredService.getId()));
                        arrayList.add(str.trim());
                        break;
                    default:
                        LOGGER.debug("Scope [{}] is unsupported for service [{}]", str, Long.valueOf(registeredService.getId()));
                        break;
                }
            } catch (Exception e) {
                LOGGER.debug("[{}] appears to be a user-defined scope and does not match any of the predefined standard scopes. Checking [{}] against user-defined scopes provided as [{}]", new Object[]{str, str, this.userScopes});
                BaseOidcScopeAttributeReleasePolicy orElse = this.userScopes.stream().filter(baseOidcScopeAttributeReleasePolicy -> {
                    return baseOidcScopeAttributeReleasePolicy.getScopeName().equals(str.trim());
                }).findFirst().orElse(null);
                if (orElse != null) {
                    LOGGER.debug("Mapped user-defined scope [{}] to attribute release policy [{}]", str, orElse);
                    chainingAttributeReleasePolicy.getPolicies().add(orElse);
                }
            }
        });
        arrayList.remove(OidcConstants.StandardScopes.OPENID.getScope());
        if (!arrayList.isEmpty()) {
            LOGGER.debug("Mapped scopes [{}] to attribute release policy [{}]", arrayList, OidcCustomScopeAttributeReleasePolicy.class.getSimpleName());
            chainingAttributeReleasePolicy.getPolicies().add(new OidcCustomScopeAttributeReleasePolicy(arrayList));
        }
        if (chainingAttributeReleasePolicy.getPolicies().isEmpty()) {
            LOGGER.trace("No attribute release policy could be determined based on given scopes. No claims/attributes will be released to [{}]", registeredService.getServiceId());
            oidcRegisteredService.setAttributeReleasePolicy(new DenyAllAttributeReleasePolicy());
        } else {
            oidcRegisteredService.setAttributeReleasePolicy(chainingAttributeReleasePolicy);
        }
        LOGGER.trace("Scope/claim reconciliation for service [{}] resulted in the following attribute release policy [{}]", registeredService.getServiceId(), oidcRegisteredService.getAttributeReleasePolicy());
        if (oidcRegisteredService.equals(registeredService)) {
            LOGGER.trace("No changes detected in service [{}] after scope/claim reconciliation", Long.valueOf(registeredService.getId()));
            return;
        }
        LOGGER.trace("Saving scope/claim reconciliation results for service [{}] into registry", registeredService.getServiceId());
        this.servicesManager.save(oidcRegisteredService);
        LOGGER.debug("Saved service [{}] into registry", registeredService.getServiceId());
    }
}
