package org.apereo.cas.authentication;

import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.services.MultifactorAuthenticationProvider;
import org.apereo.cas.services.MultifactorAuthenticationProviderBypass;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceMultifactorPolicy;
import org.apereo.cas.util.CollectionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.OrderComparator;

/* loaded from: input_file:org/apereo/cas/authentication/DefaultAuthenticationContextValidator.class */
public class DefaultAuthenticationContextValidator implements AuthenticationContextValidator {
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultAuthenticationContextValidator.class);
    private final String authenticationContextAttribute;
    private final String globalFailureMode;
    private final String mfaTrustedAuthnAttributeName;

    @Autowired
    private ConfigurableApplicationContext applicationContext;

    public DefaultAuthenticationContextValidator(String str, String str2, String str3) {
        this.authenticationContextAttribute = str;
        this.globalFailureMode = str2;
        this.mfaTrustedAuthnAttributeName = str3;
    }

    public String getAuthenticationContextAttribute() {
        return this.authenticationContextAttribute;
    }

    public Pair<Boolean, Optional<MultifactorAuthenticationProvider>> validate(Authentication authentication, String str, RegisteredService registeredService) {
        Map attributes = authentication.getAttributes();
        Set collection = CollectionUtils.toCollection(attributes.get(this.authenticationContextAttribute));
        LOGGER.debug("Attempting to match requested authentication context [{}] against [{}]", str, collection);
        Map<String, MultifactorAuthenticationProvider> allMultifactorAuthenticationProvidersFromApplicationContext = getAllMultifactorAuthenticationProvidersFromApplicationContext();
        if (allMultifactorAuthenticationProvidersFromApplicationContext == null) {
            LOGGER.debug("No providers have been configured");
            return Pair.of(Boolean.FALSE, Optional.empty());
        }
        Optional<MultifactorAuthenticationProvider> locateRequestedProvider = locateRequestedProvider(allMultifactorAuthenticationProvidersFromApplicationContext.values(), str);
        if (!locateRequestedProvider.isPresent()) {
            LOGGER.debug("Requested authentication provider cannot be recognized.");
            return Pair.of(Boolean.FALSE, Optional.empty());
        }
        if (collection.stream().filter(obj -> {
            return obj.toString().equals(str);
        }).count() > 0) {
            LOGGER.debug("Requested authentication context [{}] is satisfied", str);
            return Pair.of(Boolean.TRUE, locateRequestedProvider);
        }
        if (StringUtils.isNotBlank(this.mfaTrustedAuthnAttributeName) && attributes.containsKey(this.mfaTrustedAuthnAttributeName)) {
            LOGGER.debug("Requested authentication context [{}] is satisfied since device is already trusted", str);
            return Pair.of(Boolean.TRUE, locateRequestedProvider);
        }
        if (attributes.containsKey(MultifactorAuthenticationProviderBypass.AUTHENTICATION_ATTRIBUTE_BYPASS_MFA) && attributes.containsKey(MultifactorAuthenticationProviderBypass.AUTHENTICATION_ATTRIBUTE_BYPASS_MFA_PROVIDER)) {
            boolean booleanValue = ((Boolean) Boolean.class.cast(attributes.get(MultifactorAuthenticationProviderBypass.AUTHENTICATION_ATTRIBUTE_BYPASS_MFA))).booleanValue();
            String obj2 = attributes.get(MultifactorAuthenticationProviderBypass.AUTHENTICATION_ATTRIBUTE_BYPASS_MFA_PROVIDER).toString();
            LOGGER.debug("Found multifactor authentication bypass attributes for provider [{}]", obj2);
            if (booleanValue && StringUtils.equals(obj2, str)) {
                LOGGER.debug("Requested authentication context [{}] is satisfied given mfa was bypassed for the authentication attempt", str);
                return Pair.of(Boolean.TRUE, locateRequestedProvider);
            }
            LOGGER.debug("Either multifactor authentication was not bypassed or the requested context [{}] does not match the bypassed provider [{}]", locateRequestedProvider, obj2);
        }
        Collection<MultifactorAuthenticationProvider> satisfiedAuthenticationProviders = getSatisfiedAuthenticationProviders(authentication, allMultifactorAuthenticationProvidersFromApplicationContext.values());
        if (satisfiedAuthenticationProviders == null) {
            LOGGER.warn("No satisfied multifactor authentication providers are recorded in the current authentication context.");
            return Pair.of(Boolean.FALSE, locateRequestedProvider);
        }
        if (!satisfiedAuthenticationProviders.isEmpty()) {
            MultifactorAuthenticationProvider[] multifactorAuthenticationProviderArr = (MultifactorAuthenticationProvider[]) satisfiedAuthenticationProviders.toArray(new MultifactorAuthenticationProvider[0]);
            OrderComparator.sortIfNecessary(multifactorAuthenticationProviderArr);
            Optional findFirst = Arrays.stream(multifactorAuthenticationProviderArr).filter(multifactorAuthenticationProvider -> {
                MultifactorAuthenticationProvider multifactorAuthenticationProvider = (MultifactorAuthenticationProvider) locateRequestedProvider.get();
                return multifactorAuthenticationProvider.equals(multifactorAuthenticationProvider) || multifactorAuthenticationProvider.getOrder() >= multifactorAuthenticationProvider.getOrder();
            }).findFirst();
            if (findFirst.isPresent()) {
                LOGGER.debug("Current provider [{}] already satisfies the authentication requirements of [{}]; proceed with flow normally.", findFirst.get(), locateRequestedProvider);
                return Pair.of(Boolean.TRUE, locateRequestedProvider);
            }
        }
        LOGGER.debug("No multifactor providers could be located to satisfy the requested context for [{}]", locateRequestedProvider);
        RegisteredServiceMultifactorPolicy.FailureModes multifactorFailureModeForService = getMultifactorFailureModeForService(registeredService);
        if (multifactorFailureModeForService == RegisteredServiceMultifactorPolicy.FailureModes.PHANTOM && !locateRequestedProvider.get().isAvailable(registeredService)) {
            LOGGER.debug("Service [{}] is configured to use a [{}] failure mode for multifactor authentication policy. Since provider [{}] is unavailable at the moment, CAS will knowingly allow [{}] as a satisfied criteria of the present authentication context", new Object[]{registeredService.getServiceId(), multifactorFailureModeForService, locateRequestedProvider, str});
            return Pair.of(true, locateRequestedProvider);
        }
        if (multifactorFailureModeForService != RegisteredServiceMultifactorPolicy.FailureModes.OPEN || locateRequestedProvider.get().isAvailable(registeredService)) {
            return Pair.of(false, locateRequestedProvider);
        }
        LOGGER.debug("Service [{}] is configured to use a [{}] failure mode for multifactor authentication policy and since provider [{}] is unavailable at the moment, CAS will consider the authentication satisfied without the presence of [{}]", new Object[]{registeredService.getServiceId(), multifactorFailureModeForService, locateRequestedProvider, str});
        return Pair.of(true, satisfiedAuthenticationProviders.stream().findFirst());
    }

    private Map<String, MultifactorAuthenticationProvider> getAllMultifactorAuthenticationProvidersFromApplicationContext() {
        try {
            return this.applicationContext.getBeansOfType(MultifactorAuthenticationProvider.class, false, true);
        } catch (Exception e) {
            LOGGER.warn("Could not locate beans of type [{}] in the application context", MultifactorAuthenticationProvider.class);
            return null;
        }
    }

    private Collection<MultifactorAuthenticationProvider> getSatisfiedAuthenticationProviders(Authentication authentication, Collection<MultifactorAuthenticationProvider> collection) {
        Set collection2 = CollectionUtils.toCollection(authentication.getAttributes().get(this.authenticationContextAttribute));
        if (collection2 == null || collection2.isEmpty()) {
            LOGGER.debug("No authentication context could be determined based on authentication attribute [{}]", this.authenticationContextAttribute);
            return null;
        }
        collection2.stream().forEach(obj -> {
            collection.removeIf(multifactorAuthenticationProvider -> {
                return !multifactorAuthenticationProvider.getId().equals(obj);
            });
        });
        LOGGER.debug("Found [{}] providers that may satisfy the context", Integer.valueOf(collection.size()));
        return collection;
    }

    private static Optional<MultifactorAuthenticationProvider> locateRequestedProvider(Collection<MultifactorAuthenticationProvider> collection, String str) {
        return collection.stream().filter(multifactorAuthenticationProvider -> {
            return multifactorAuthenticationProvider.getId().equals(str);
        }).findFirst();
    }

    private RegisteredServiceMultifactorPolicy.FailureModes getMultifactorFailureModeForService(RegisteredService registeredService) {
        RegisteredServiceMultifactorPolicy multifactorPolicy = registeredService.getMultifactorPolicy();
        return (multifactorPolicy == null || multifactorPolicy.getFailureMode() == null) ? RegisteredServiceMultifactorPolicy.FailureModes.valueOf(this.globalFailureMode) : multifactorPolicy.getFailureMode();
    }
}
