package org.apereo.cas.web.flow;

import java.io.IOException;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.adaptive.AdaptiveAuthenticationPolicy;
import org.apereo.cas.authentication.principal.ClientCredential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.support.pac4j.logout.RequestSloException;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.Ticket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.Pac4jUtils;
import org.apereo.cas.web.DelegatedClientNavigationController;
import org.apereo.cas.web.DelegatedClientWebflowManager;
import org.apereo.cas.web.flow.actions.AbstractAuthenticationAction;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.pac4j.DelegatedSessionCookieManager;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.client.Client;
import org.pac4j.core.client.Clients;
import org.pac4j.core.client.IndirectClient;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/web/flow/DelegatedClientAuthenticationAction.class */
public class DelegatedClientAuthenticationAction extends AbstractAuthenticationAction {
    public static final String PAC4J_URLS = "pac4jUrls";
    protected final Clients clients;
    protected final ServicesManager servicesManager;
    protected final AuditableExecution delegatedAuthenticationPolicyEnforcer;
    protected final DelegatedClientWebflowManager delegatedClientWebflowManager;
    protected final DelegatedSessionCookieManager delegatedSessionCookieManager;
    protected final AuthenticationSystemSupport authenticationSystemSupport;
    protected final String localeParamName;
    protected final String themeParamName;
    private final AuthenticationServiceSelectionPlan authenticationRequestServiceSelectionStrategies;
    private final CentralAuthenticationService centralAuthenticationService;

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatedClientAuthenticationAction.class);
    private static final Pattern PAC4J_CLIENT_SUFFIX_PATTERN = Pattern.compile("Client\\d*");
    private static final Pattern PAC4J_CLIENT_CSS_CLASS_SUBSTITUTION_PATTERN = Pattern.compile("\\W");

    /* loaded from: input_file:org/apereo/cas/web/flow/DelegatedClientAuthenticationAction$ProviderLoginPageConfiguration.class */
    public static class ProviderLoginPageConfiguration implements Serializable {
        private static final long serialVersionUID = 6216882278086699364L;
        private final String name;
        private final String redirectUrl;
        private final String type;
        private final String cssClass;
        private final boolean autoRedirect;

        @Generated
        public ProviderLoginPageConfiguration(String str, String str2, String str3, String str4, boolean z) {
            this.name = str;
            this.redirectUrl = str2;
            this.type = str3;
            this.cssClass = str4;
            this.autoRedirect = z;
        }

        @Generated
        public String getName() {
            return this.name;
        }

        @Generated
        public String getRedirectUrl() {
            return this.redirectUrl;
        }

        @Generated
        public String getType() {
            return this.type;
        }

        @Generated
        public String getCssClass() {
            return this.cssClass;
        }

        @Generated
        public boolean isAutoRedirect() {
            return this.autoRedirect;
        }

        @Generated
        public String toString() {
            return "DelegatedClientAuthenticationAction.ProviderLoginPageConfiguration(name=" + this.name + ", redirectUrl=" + this.redirectUrl + ", type=" + this.type + ", cssClass=" + this.cssClass + ", autoRedirect=" + this.autoRedirect + ")";
        }
    }

    public DelegatedClientAuthenticationAction(CasDelegatingWebflowEventResolver casDelegatingWebflowEventResolver, CasWebflowEventResolver casWebflowEventResolver, AdaptiveAuthenticationPolicy adaptiveAuthenticationPolicy, Clients clients, ServicesManager servicesManager, AuditableExecution auditableExecution, DelegatedClientWebflowManager delegatedClientWebflowManager, DelegatedSessionCookieManager delegatedSessionCookieManager, AuthenticationSystemSupport authenticationSystemSupport, String str, String str2, AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan, CentralAuthenticationService centralAuthenticationService) {
        super(casDelegatingWebflowEventResolver, casWebflowEventResolver, adaptiveAuthenticationPolicy);
        this.clients = clients;
        this.servicesManager = servicesManager;
        this.delegatedAuthenticationPolicyEnforcer = auditableExecution;
        this.delegatedClientWebflowManager = delegatedClientWebflowManager;
        this.delegatedSessionCookieManager = delegatedSessionCookieManager;
        this.authenticationSystemSupport = authenticationSystemSupport;
        this.localeParamName = str;
        this.themeParamName = str2;
        this.authenticationRequestServiceSelectionStrategies = authenticationServiceSelectionPlan;
        this.centralAuthenticationService = centralAuthenticationService;
    }

    public Event doExecute(RequestContext requestContext) {
        HttpServletRequest httpServletRequestFromExternalWebflowContext = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        HttpServletResponse httpServletResponseFromExternalWebflowContext = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        if (!isLogoutRequest(httpServletRequestFromExternalWebflowContext) && singleSignOnSessionExists(requestContext)) {
            String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(requestContext);
            Optional<Authentication> singleSignOnAuthenticationFrom = getSingleSignOnAuthenticationFrom(requestContext);
            if (singleSignOnAuthenticationFrom.isPresent() && isDelegatedClientAuthorizedFor((String) CollectionUtils.firstElement(singleSignOnAuthenticationFrom.get().getAttributes().getOrDefault("clientName", new ArrayList())).map((v0) -> {
                return v0.toString();
            }).orElse(""), resolveServiceFromRequestContext(requestContext))) {
                LOGGER.debug("An existing single sign-on session already exists. Skipping delegation and routing back to CAS authentication flow");
                prepareForLoginPage(requestContext);
                return resumeWebflow();
            }
            LOGGER.debug("Single sign-on session in unauthorized for service [{}]", resolveServiceFromRequestContext(requestContext));
            this.centralAuthenticationService.deleteTicket(ticketGrantingTicketId);
        }
        String parameter = httpServletRequestFromExternalWebflowContext.getParameter("client_name");
        LOGGER.debug("Delegated authentication is handled by client name [{}]", parameter);
        if (hasDelegationRequestFailed(httpServletRequestFromExternalWebflowContext, httpServletResponseFromExternalWebflowContext.getStatus()).isPresent()) {
            throw new IllegalArgumentException("Delegated authentication has failed with client " + parameter);
        }
        String parameter2 = httpServletRequestFromExternalWebflowContext.getParameter("logoutendpoint");
        J2EContext pac4jJ2EContext = Pac4jUtils.getPac4jJ2EContext(httpServletRequestFromExternalWebflowContext, httpServletResponseFromExternalWebflowContext);
        if (!StringUtils.isNotBlank(parameter)) {
            prepareForLoginPage(requestContext);
            return httpServletResponseFromExternalWebflowContext.getStatus() == HttpStatus.UNAUTHORIZED.value() ? stopWebflow() : error();
        }
        Service restoreAuthenticationRequestInContext = StringUtils.isBlank(parameter2) ? restoreAuthenticationRequestInContext(requestContext, pac4jJ2EContext, parameter) : null;
        BaseClient<Credentials, CommonProfile> findDelegatedClientByName = findDelegatedClientByName(httpServletRequestFromExternalWebflowContext, parameter, restoreAuthenticationRequestInContext);
        try {
            Credentials credentials = findDelegatedClientByName.getCredentials(pac4jJ2EContext);
            LOGGER.debug("Retrieved credentials from client as [{}]", credentials);
            if (credentials == null) {
                throw new IllegalArgumentException("Unable to determine credentials from the context with client " + findDelegatedClientByName.getName());
            }
            WebUtils.putCredential(requestContext, new ClientCredential(credentials, findDelegatedClientByName.getName()));
            WebUtils.putService(requestContext, restoreAuthenticationRequestInContext);
            WebUtils.putRegisteredService(requestContext, this.servicesManager.findServiceBy(this.authenticationRequestServiceSelectionStrategies.resolveService(restoreAuthenticationRequestInContext)));
            return super.doExecute(requestContext);
        } catch (Exception e) {
            return handleException(pac4jJ2EContext, findDelegatedClientByName, e);
        }
    }

    private Optional<Authentication> getSingleSignOnAuthenticationFrom(RequestContext requestContext) {
        String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(requestContext);
        if (StringUtils.isBlank(ticketGrantingTicketId)) {
            LOGGER.trace("No ticket-granting ticket could be located in the webflow context");
            return Optional.empty();
        }
        TicketGrantingTicket ticket = this.centralAuthenticationService.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        if (ticket == null || ticket.isExpired()) {
            return Optional.empty();
        }
        LOGGER.trace("Located a valid ticket-granting ticket. Examining existing single sign-on session strategies...");
        return Optional.of(ticket.getAuthentication());
    }

    protected Event handleException(J2EContext j2EContext, BaseClient<Credentials, CommonProfile> baseClient, Exception exc) {
        if (!(exc instanceof RequestSloException)) {
            LOGGER.info(exc.getMessage(), exc);
            throw new IllegalArgumentException("Delegated authentication has failed with client " + baseClient.getName());
        }
        try {
            j2EContext.getResponse().sendRedirect("logout");
            return stopWebflow();
        } catch (IOException e) {
            throw new IllegalArgumentException("Unable to call logout", e);
        }
    }

    public boolean isDelegatedClientAuthorizedFor(String str, Service service) {
        if (service == null || StringUtils.isBlank(service.getId())) {
            LOGGER.debug("Can not evaluate delegated authentication policy without a service");
            return true;
        }
        if (StringUtils.isBlank(str)) {
            LOGGER.debug("No client is provided to execute authorization for [{}]. SSO session may have been established w/o delegation", service);
            return true;
        }
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        if (findServiceBy == null || !findServiceBy.getAccessStrategy().isServiceAccessAllowed()) {
            LOGGER.warn("Service access for [{}] is denied", findServiceBy);
            return false;
        }
        LOGGER.trace("Located registered service definition [{}] matching [{}]", findServiceBy, service);
        if (this.delegatedAuthenticationPolicyEnforcer.execute(AuditableContext.builder().registeredService(findServiceBy).properties(CollectionUtils.wrap(Client.class.getSimpleName(), str)).build()).isExecutionFailure()) {
            LOGGER.warn("Delegated authentication policy for [{}] refuses access to client [{}]", findServiceBy.getServiceId(), str);
            return false;
        }
        LOGGER.debug("Delegated authentication policy for [{}] allows for using client [{}]", findServiceBy, str);
        return true;
    }

    protected BaseClient<Credentials, CommonProfile> findDelegatedClientByName(HttpServletRequest httpServletRequest, String str, Service service) {
        BaseClient<Credentials, CommonProfile> findClient = this.clients.findClient(str);
        LOGGER.debug("Delegated authentication client is [{}] with service [{}}", findClient, service);
        if (service != null) {
            httpServletRequest.setAttribute("service", service.getId());
            if (!isDelegatedClientAuthorizedForService(findClient, service)) {
                LOGGER.warn("Delegated client [{}] is not authorized by service [{}]", findClient, service);
                throw new UnauthorizedServiceException("screen.service.error.message", "");
            }
        }
        return findClient;
    }

    protected void prepareForLoginPage(RequestContext requestContext) {
        WebApplicationService service = WebUtils.getService(requestContext);
        WebApplicationService resolveService = this.authenticationRequestServiceSelectionStrategies.resolveService(service, WebApplicationService.class);
        HttpServletRequest httpServletRequestFromExternalWebflowContext = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        HttpServletResponse httpServletResponseFromExternalWebflowContext = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        J2EContext pac4jJ2EContext = Pac4jUtils.getPac4jJ2EContext(httpServletRequestFromExternalWebflowContext, httpServletResponseFromExternalWebflowContext);
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        Stream filter = this.clients.findAllClients().stream().filter(client -> {
            return (client instanceof IndirectClient) && isDelegatedClientAuthorizedForService(client, resolveService);
        });
        Class<IndirectClient> cls = IndirectClient.class;
        Objects.requireNonNull(IndirectClient.class);
        filter.map((v1) -> {
            return r1.cast(v1);
        }).forEach(indirectClient -> {
            try {
                Optional<ProviderLoginPageConfiguration> buildProviderConfiguration = buildProviderConfiguration(indirectClient, pac4jJ2EContext, service);
                Objects.requireNonNull(linkedHashSet);
                buildProviderConfiguration.ifPresent((v1) -> {
                    r1.add(v1);
                });
            } catch (Exception e) {
                LOGGER.error("Cannot process client [{}]", indirectClient, e);
            }
        });
        if (!linkedHashSet.isEmpty()) {
            requestContext.getFlowScope().put(PAC4J_URLS, linkedHashSet);
        } else if (httpServletResponseFromExternalWebflowContext.getStatus() != HttpStatus.UNAUTHORIZED.value()) {
            LOGGER.warn("No delegated authentication providers could be determined based on the provided configuration. Either no clients are configured, or the current access strategy rules prohibit CAS from using authentication providers for this request.");
        }
    }

    protected Optional<ProviderLoginPageConfiguration> buildProviderConfiguration(IndirectClient indirectClient, WebContext webContext, WebApplicationService webApplicationService) {
        String name = indirectClient.getName();
        String lowerCase = PAC4J_CLIENT_SUFFIX_PATTERN.matcher(indirectClient.getClass().getSimpleName()).replaceAll("").toLowerCase();
        UriComponentsBuilder queryParam = UriComponentsBuilder.fromUriString(DelegatedClientNavigationController.ENDPOINT_REDIRECT).queryParam("client_name", new Object[]{name});
        if (webApplicationService != null) {
            String source = webApplicationService.getSource();
            String originalUrl = webApplicationService.getOriginalUrl();
            if (StringUtils.isNotBlank(source) && StringUtils.isNotBlank(originalUrl)) {
                queryParam.queryParam(source, new Object[]{originalUrl});
            }
        }
        String requestParameter = webContext.getRequestParameter("method");
        if (StringUtils.isNotBlank(requestParameter)) {
            queryParam.queryParam("method", new Object[]{requestParameter});
        }
        String requestParameter2 = webContext.getRequestParameter(this.localeParamName);
        if (StringUtils.isNotBlank(requestParameter2)) {
            queryParam.queryParam(this.localeParamName, new Object[]{requestParameter2});
        }
        String requestParameter3 = webContext.getRequestParameter(this.themeParamName);
        if (StringUtils.isNotBlank(requestParameter3)) {
            queryParam.queryParam(this.themeParamName, new Object[]{requestParameter3});
        }
        return Optional.of(new ProviderLoginPageConfiguration(name, queryParam.toUriString(), lowerCase, getCssClass(name), ((Boolean) indirectClient.getCustomProperties().getOrDefault("autoRedirect", Boolean.FALSE)).booleanValue()));
    }

    protected String getCssClass(String str) {
        String str2;
        str2 = "fa fa-lock";
        str2 = StringUtils.isNotBlank(str) ? str2.concat(' ' + PAC4J_CLIENT_CSS_CLASS_SUBSTITUTION_PATTERN.matcher(str).replaceAll("-")) : "fa fa-lock";
        LOGGER.debug("cssClass for [{}] is [{}]", str, str2);
        return str2;
    }

    protected Event stopWebflow() {
        return new Event(this, "stop");
    }

    protected Event resumeWebflow() {
        return new Event(this, "resume");
    }

    private Service resolveServiceFromRequestContext(RequestContext requestContext) {
        return this.authenticationRequestServiceSelectionStrategies.resolveService(WebUtils.getService(requestContext));
    }

    public static Optional<ModelAndView> hasDelegationRequestFailed(HttpServletRequest httpServletRequest, int i) {
        Map parameterMap = httpServletRequest.getParameterMap();
        if (!parameterMap.containsKey("error") && !parameterMap.containsKey("error_code") && !parameterMap.containsKey("error_description") && !parameterMap.containsKey("error_message")) {
            return Optional.empty();
        }
        HashMap hashMap = new HashMap();
        if (parameterMap.containsKey("error_code")) {
            hashMap.put("code", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("error_code")));
        } else {
            hashMap.put("code", Integer.valueOf(i));
        }
        hashMap.put("error", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("error")));
        hashMap.put("reason", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("error_reason")));
        if (parameterMap.containsKey("error_description")) {
            hashMap.put("description", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("error_description")));
        } else if (parameterMap.containsKey("error_message")) {
            hashMap.put("description", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("error_message")));
        }
        hashMap.put("service", httpServletRequest.getAttribute("service"));
        hashMap.put("client", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("client_name")));
        LOGGER.debug("Delegation request has failed. Details are [{}]", hashMap);
        return Optional.of(new ModelAndView("casPac4jStopWebflow", hashMap));
    }

    protected boolean isDelegatedClientAuthorizedForService(Client client, Service service) {
        if (service == null || StringUtils.isBlank(service.getId())) {
            LOGGER.debug("Can not evaluate delegated authentication policy since no service was provided in the request while processing client [{}]", client);
            return true;
        }
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        if (findServiceBy == null || !findServiceBy.getAccessStrategy().isServiceAccessAllowed()) {
            LOGGER.warn("Service access for [{}] is denied", findServiceBy);
            return false;
        }
        LOGGER.debug("Located registered service definition [{}] matching [{}]", findServiceBy, service);
        if (this.delegatedAuthenticationPolicyEnforcer.execute(AuditableContext.builder().registeredService(findServiceBy).properties(CollectionUtils.wrap(Client.class.getSimpleName(), client.getName())).build()).isExecutionFailure()) {
            LOGGER.warn("Delegated authentication policy for [{}] refuses access to client [{}]", findServiceBy.getServiceId(), client);
            return false;
        }
        LOGGER.debug("Delegated authentication policy for [{}] allows for using client [{}]", findServiceBy, client);
        return true;
    }

    protected Service restoreAuthenticationRequestInContext(RequestContext requestContext, J2EContext j2EContext, String str) {
        try {
            this.delegatedSessionCookieManager.restore(j2EContext);
            return this.delegatedClientWebflowManager.retrieve(requestContext, j2EContext, this.clients.findClient(str));
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            throw new UnauthorizedServiceException("screen.service.error.message", "Service unauthorized");
        }
    }

    private boolean isLogoutRequest(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter("logoutendpoint") != null;
    }

    private boolean singleSignOnSessionExists(RequestContext requestContext) {
        String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(requestContext);
        if (StringUtils.isBlank(ticketGrantingTicketId)) {
            LOGGER.trace("No ticket-granting ticket could be located in the webflow context");
            return false;
        }
        try {
            Ticket ticket = this.centralAuthenticationService.getTicket(ticketGrantingTicketId, Ticket.class);
            if (ticket != null && !ticket.isExpired()) {
                LOGGER.trace("Located a valid ticket-granting ticket, honoring existing single sign-on session");
                return true;
            }
        } catch (AbstractTicketException e) {
            LOGGER.trace("Could not retrieve ticket id [{}] from registry.", e.getMessage());
        }
        LOGGER.trace("Ticket-granting ticket found in the webflow context is invalid or has expired");
        return false;
    }

    @Generated
    public Clients getClients() {
        return this.clients;
    }

    @Generated
    public ServicesManager getServicesManager() {
        return this.servicesManager;
    }

    @Generated
    public AuditableExecution getDelegatedAuthenticationPolicyEnforcer() {
        return this.delegatedAuthenticationPolicyEnforcer;
    }

    @Generated
    public DelegatedClientWebflowManager getDelegatedClientWebflowManager() {
        return this.delegatedClientWebflowManager;
    }

    @Generated
    public DelegatedSessionCookieManager getDelegatedSessionCookieManager() {
        return this.delegatedSessionCookieManager;
    }

    @Generated
    public AuthenticationSystemSupport getAuthenticationSystemSupport() {
        return this.authenticationSystemSupport;
    }

    @Generated
    public String getLocaleParamName() {
        return this.localeParamName;
    }

    @Generated
    public String getThemeParamName() {
        return this.themeParamName;
    }

    @Generated
    public AuthenticationServiceSelectionPlan getAuthenticationRequestServiceSelectionStrategies() {
        return this.authenticationRequestServiceSelectionStrategies;
    }

    @Generated
    public CentralAuthenticationService getCentralAuthenticationService() {
        return this.centralAuthenticationService;
    }
}
