package org.apereo.cas.web.flow;

import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationResultBuilder;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.adaptive.AdaptiveAuthenticationPolicy;
import org.apereo.cas.authentication.principal.ClientCredential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceDelegatedAuthenticationPolicy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.validation.DelegatedAuthenticationAccessStrategyHelper;
import org.apereo.cas.web.DelegatedClientIdentityProviderConfiguration;
import org.apereo.cas.web.DelegatedClientIdentityProviderConfigurationFactory;
import org.apereo.cas.web.DelegatedClientWebflowManager;
import org.apereo.cas.web.flow.actions.AbstractAuthenticationAction;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.support.ArgumentExtractor;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.client.Client;
import org.pac4j.core.client.Clients;
import org.pac4j.core.client.IndirectClient;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/web/flow/DelegatedClientAuthenticationAction.class */
public class DelegatedClientAuthenticationAction extends AbstractAuthenticationAction {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatedClientAuthenticationAction.class);
    public static final String FLOW_ATTRIBUTE_PROVIDER_URLS = "delegatedAuthenticationProviderUrls";
    protected final Clients clients;
    protected final ServicesManager servicesManager;
    protected final AuditableExecution delegatedAuthenticationPolicyEnforcer;
    protected final DelegatedClientWebflowManager delegatedClientWebflowManager;
    protected final AuthenticationSystemSupport authenticationSystemSupport;
    private final AuthenticationServiceSelectionPlan authenticationRequestServiceSelectionStrategies;
    private final CentralAuthenticationService centralAuthenticationService;
    private final SingleSignOnParticipationStrategy singleSignOnParticipationStrategy;
    private final SessionStore<JEEContext> sessionStore;
    private final DelegatedAuthenticationAccessStrategyHelper delegatedAuthenticationAccessStrategyHelper;
    private final CasConfigurationProperties casProperties;
    private final List<ArgumentExtractor> argumentExtractors;

    public DelegatedClientAuthenticationAction(CasDelegatingWebflowEventResolver casDelegatingWebflowEventResolver, CasWebflowEventResolver casWebflowEventResolver, AdaptiveAuthenticationPolicy adaptiveAuthenticationPolicy, Clients clients, ServicesManager servicesManager, AuditableExecution auditableExecution, DelegatedClientWebflowManager delegatedClientWebflowManager, AuthenticationSystemSupport authenticationSystemSupport, CasConfigurationProperties casConfigurationProperties, AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan, CentralAuthenticationService centralAuthenticationService, SingleSignOnParticipationStrategy singleSignOnParticipationStrategy, SessionStore<JEEContext> sessionStore, List<ArgumentExtractor> list) {
        super(casDelegatingWebflowEventResolver, casWebflowEventResolver, adaptiveAuthenticationPolicy);
        this.clients = clients;
        this.servicesManager = servicesManager;
        this.delegatedAuthenticationPolicyEnforcer = auditableExecution;
        this.delegatedClientWebflowManager = delegatedClientWebflowManager;
        this.authenticationSystemSupport = authenticationSystemSupport;
        this.authenticationRequestServiceSelectionStrategies = authenticationServiceSelectionPlan;
        this.centralAuthenticationService = centralAuthenticationService;
        this.singleSignOnParticipationStrategy = singleSignOnParticipationStrategy;
        this.sessionStore = sessionStore;
        this.casProperties = casConfigurationProperties;
        this.delegatedAuthenticationAccessStrategyHelper = new DelegatedAuthenticationAccessStrategyHelper(this.servicesManager, auditableExecution);
        this.argumentExtractors = list;
    }

    public static Optional<ModelAndView> hasDelegationRequestFailed(HttpServletRequest httpServletRequest, int i) {
        Map parameterMap = httpServletRequest.getParameterMap();
        Stream of = Stream.of((Object[]) new String[]{"error", "error_code", "error_description", "error_message"});
        Objects.requireNonNull(parameterMap);
        if (!of.anyMatch((v1) -> {
            return r1.containsKey(v1);
        })) {
            return Optional.empty();
        }
        HashMap hashMap = new HashMap();
        if (parameterMap.containsKey("error_code")) {
            hashMap.put("code", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("error_code")));
        } else {
            hashMap.put("code", Integer.valueOf(i));
        }
        hashMap.put("error", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("error")));
        hashMap.put("reason", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("error_reason")));
        if (parameterMap.containsKey("error_description")) {
            hashMap.put("description", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("error_description")));
        } else if (parameterMap.containsKey("error_message")) {
            hashMap.put("description", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("error_message")));
        }
        hashMap.put("service", httpServletRequest.getAttribute("service"));
        hashMap.put("client", StringEscapeUtils.escapeHtml4(httpServletRequest.getParameter("client_name")));
        LOGGER.debug("Delegation request has failed. Details are [{}]", hashMap);
        return Optional.of(new ModelAndView("casPac4jStopWebflow", hashMap));
    }

    protected static boolean isLogoutRequest(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter("logoutendpoint") != null;
    }

    public Event doExecute(RequestContext requestContext) {
        HttpServletRequest httpServletRequestFromExternalWebflowContext = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        HttpServletResponse httpServletResponseFromExternalWebflowContext = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        JEEContext jEEContext = new JEEContext(httpServletRequestFromExternalWebflowContext, httpServletResponseFromExternalWebflowContext, this.sessionStore);
        String parameter = httpServletRequestFromExternalWebflowContext.getParameter("client_name");
        LOGGER.trace("Delegated authentication is handled by client name [{}]", parameter);
        if (!isLogoutRequest(httpServletRequestFromExternalWebflowContext) && singleSignOnSessionExists(requestContext) && StringUtils.isNotBlank(parameter)) {
            LOGGER.trace("Found existing single sign-on session");
            populateContextWithService(requestContext, jEEContext, parameter);
            if (singleSignOnSessionAuthorizedForService(requestContext)) {
                prepareRequestContextForSingleSignOn(requestContext, jEEContext, parameter);
                prepareDelegatedClients(requestContext);
                LOGGER.trace("Skipping delegation and routing back to CAS authentication flow");
                return super.doExecute(requestContext);
            }
            LOGGER.debug("Single sign-on session in unauthorized for service [{}]", resolveServiceFromRequestContext(requestContext));
            this.centralAuthenticationService.deleteTicket(WebUtils.getTicketGrantingTicketId(requestContext));
        }
        if (hasDelegationRequestFailed(httpServletRequestFromExternalWebflowContext, httpServletResponseFromExternalWebflowContext.getStatus()).isPresent()) {
            throw new IllegalArgumentException("Delegated authentication has failed with client " + parameter);
        }
        if (StringUtils.isNotBlank(parameter)) {
            populateContextWithClientCredential(findDelegatedClientByName(httpServletRequestFromExternalWebflowContext, parameter, populateContextWithService(requestContext, jEEContext, parameter)), jEEContext, requestContext);
            return super.doExecute(requestContext);
        }
        prepareDelegatedClients(requestContext);
        WebUtils.createCredential(requestContext);
        return httpServletResponseFromExternalWebflowContext.getStatus() == HttpStatus.UNAUTHORIZED.value() ? stopWebflow() : error();
    }

    private Service populateContextWithService(RequestContext requestContext, JEEContext jEEContext, String str) {
        Service restoreAuthenticationRequestInContext = restoreAuthenticationRequestInContext(requestContext, jEEContext, str);
        Service resolveService = this.authenticationRequestServiceSelectionStrategies.resolveService(restoreAuthenticationRequestInContext);
        LOGGER.trace("Authentication is resolved by service request from [{}]", restoreAuthenticationRequestInContext);
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(resolveService);
        LOGGER.trace("Located registered service [{}] mapped to resolved service [{}]", findServiceBy, resolveService);
        WebUtils.putRegisteredService(requestContext, findServiceBy);
        WebUtils.putServiceIntoFlowScope(requestContext, restoreAuthenticationRequestInContext);
        return restoreAuthenticationRequestInContext;
    }

    protected void populateContextWithClientCredential(BaseClient<Credentials> baseClient, JEEContext jEEContext, RequestContext requestContext) {
        LOGGER.debug("Fetching credentials from delegated client [{}]", baseClient);
        ClientCredential clientCredential = new ClientCredential(getCredentialsFromDelegatedClient(jEEContext, baseClient), baseClient.getName());
        LOGGER.info("Credentials are successfully authenticated using the delegated client [{}]", baseClient.getName());
        WebUtils.putCredential(requestContext, clientCredential);
    }

    protected Credentials getCredentialsFromDelegatedClient(JEEContext jEEContext, BaseClient<Credentials> baseClient) {
        Optional credentials = baseClient.getCredentials(jEEContext);
        LOGGER.debug("Retrieved credentials from client as [{}]", credentials);
        if (credentials.isEmpty()) {
            throw new IllegalArgumentException("Unable to determine credentials from the context with client " + baseClient.getName());
        }
        return (Credentials) credentials.get();
    }

    protected BaseClient<Credentials> findDelegatedClientByName(HttpServletRequest httpServletRequest, String str, Service service) {
        Optional findClient = this.clients.findClient(str);
        if (findClient.isEmpty()) {
            LOGGER.warn("Delegated client [{}] can not be located", str);
            throw new UnauthorizedServiceException("screen.service.error.message", "");
        }
        BaseClient<Credentials> baseClient = (BaseClient) BaseClient.class.cast(findClient.get());
        LOGGER.debug("Delegated authentication client is [{}] with service [{}]", baseClient, service);
        if (service != null) {
            httpServletRequest.setAttribute("service", service.getId());
            if (!isDelegatedClientAuthorizedForService(baseClient, service)) {
                LOGGER.warn("Delegated client [{}] is not authorized by service [{}]", baseClient, service);
                throw new UnauthorizedServiceException("screen.service.error.message", "");
            }
        }
        baseClient.init();
        return baseClient;
    }

    protected void prepareDelegatedClients(RequestContext requestContext) {
        WebApplicationService service = WebUtils.getService(requestContext);
        WebApplicationService resolveService = this.authenticationRequestServiceSelectionStrategies.resolveService(service, WebApplicationService.class);
        HttpServletRequest httpServletRequestFromExternalWebflowContext = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        HttpServletResponse httpServletResponseFromExternalWebflowContext = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        JEEContext jEEContext = new JEEContext(httpServletRequestFromExternalWebflowContext, httpServletResponseFromExternalWebflowContext, this.sessionStore);
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        Stream filter = this.clients.findAllClients().stream().filter(client -> {
            return (client instanceof IndirectClient) && isDelegatedClientAuthorizedForService(client, resolveService);
        });
        Class<IndirectClient> cls = IndirectClient.class;
        Objects.requireNonNull(IndirectClient.class);
        filter.map((v1) -> {
            return r1.cast(v1);
        }).forEach(indirectClient -> {
            try {
                indirectClient.init();
                DelegatedClientIdentityProviderConfigurationFactory.builder().client(indirectClient).webContext(jEEContext).service(service).casProperties(this.casProperties).build().resolve().ifPresent(delegatedClientIdentityProviderConfiguration -> {
                    linkedHashSet.add(delegatedClientIdentityProviderConfiguration);
                    determineAutoRedirectPolicyForProvider(requestContext, resolveService, delegatedClientIdentityProviderConfiguration);
                });
            } catch (Exception e) {
                LOGGER.error("Cannot process client [{}]", indirectClient, e);
            }
        });
        if (!linkedHashSet.isEmpty()) {
            requestContext.getFlowScope().put(FLOW_ATTRIBUTE_PROVIDER_URLS, linkedHashSet);
        } else if (httpServletResponseFromExternalWebflowContext.getStatus() != HttpStatus.UNAUTHORIZED.value()) {
            LOGGER.warn("No delegated authentication providers could be determined based on the provided configuration. Either no clients are configured, or the current access strategy rules prohibit CAS from using authentication providers for this request.");
        }
    }

    protected void determineAutoRedirectPolicyForProvider(RequestContext requestContext, WebApplicationService webApplicationService, DelegatedClientIdentityProviderConfiguration delegatedClientIdentityProviderConfiguration) {
        if (webApplicationService != null) {
            RegisteredService findServiceBy = this.servicesManager.findServiceBy(webApplicationService);
            RegisteredServiceDelegatedAuthenticationPolicy delegatedAuthenticationPolicy = findServiceBy.getAccessStrategy().getDelegatedAuthenticationPolicy();
            if (delegatedAuthenticationPolicy.isExclusive() && delegatedAuthenticationPolicy.getAllowedProviders().size() == 1 && delegatedClientIdentityProviderConfiguration.getName().equalsIgnoreCase((String) delegatedAuthenticationPolicy.getAllowedProviders().iterator().next())) {
                LOGGER.trace("Registered service [{}] is exclusively allowed to use provider [{}]", findServiceBy, delegatedClientIdentityProviderConfiguration);
                delegatedClientIdentityProviderConfiguration.setAutoRedirect(true);
                WebUtils.putDelegatedAuthenticationProviderPrimary(requestContext, delegatedClientIdentityProviderConfiguration);
            }
        }
        if (WebUtils.getDelegatedAuthenticationProviderPrimary(requestContext) == null && delegatedClientIdentityProviderConfiguration.isAutoRedirect()) {
            LOGGER.trace("Provider [{}] is configured to auto-redirect", delegatedClientIdentityProviderConfiguration);
            WebUtils.putDelegatedAuthenticationProviderPrimary(requestContext, delegatedClientIdentityProviderConfiguration);
        }
    }

    protected Event stopWebflow() {
        return new Event(this, "stop");
    }

    protected Service restoreAuthenticationRequestInContext(RequestContext requestContext, JEEContext jEEContext, String str) {
        Optional findClient;
        if (isLogoutRequest(jEEContext.getNativeRequest())) {
            return null;
        }
        try {
            findClient = this.clients.findClient(str);
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
        }
        if (findClient.isPresent()) {
            return this.delegatedClientWebflowManager.retrieve(requestContext, jEEContext, (BaseClient) BaseClient.class.cast(findClient.get()));
        }
        LOGGER.warn("Unable to locate client [{}] in the collection of registered clients", str);
        throw new UnauthorizedServiceException("screen.service.error.message", "Service Unauthorized");
    }

    private boolean singleSignOnSessionAuthorizedForService(RequestContext requestContext) {
        Service resolveServiceFromRequestContext = resolveServiceFromRequestContext(requestContext);
        return ((Boolean) getSingleSignOnAuthenticationFrom(requestContext).map(authentication -> {
            return Boolean.valueOf(this.delegatedAuthenticationAccessStrategyHelper.isDelegatedClientAuthorizedForAuthentication(authentication, resolveServiceFromRequestContext));
        }).orElse(Boolean.FALSE)).booleanValue();
    }

    private Service resolveServiceFromRequestContext(RequestContext requestContext) {
        return this.authenticationRequestServiceSelectionStrategies.resolveService(WebUtils.getService(requestContext));
    }

    private Optional<Authentication> getSingleSignOnAuthenticationFrom(RequestContext requestContext) {
        String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(requestContext);
        if (StringUtils.isBlank(ticketGrantingTicketId)) {
            LOGGER.trace("No ticket-granting ticket could be located in the webflow context");
            return Optional.empty();
        }
        TicketGrantingTicket ticket = this.centralAuthenticationService.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        if (ticket == null || ticket.isExpired()) {
            return Optional.empty();
        }
        LOGGER.trace("Located a valid ticket-granting ticket. Examining existing single sign-on session strategies...");
        return Optional.of(ticket.getAuthentication());
    }

    protected boolean singleSignOnSessionExists(RequestContext requestContext) {
        try {
            Optional<Authentication> singleSignOnAuthenticationFrom = getSingleSignOnAuthenticationFrom(requestContext);
            if (singleSignOnAuthenticationFrom.isPresent()) {
                LOGGER.trace("Located a valid ticket-granting ticket. Examining existing single sign-on session strategies...");
                Authentication authentication = singleSignOnAuthenticationFrom.get();
                AuthenticationResultBuilder establishAuthenticationContextFromInitial = this.authenticationSystemSupport.establishAuthenticationContextFromInitial(authentication);
                List credentials = authentication.getCredentials();
                if (!credentials.isEmpty()) {
                    credentials.forEach(credentialMetaData -> {
                        establishAuthenticationContextFromInitial.collect(credentialMetaData.toCredential());
                    });
                    establishAuthenticationContextFromInitial.getInitialCredential().ifPresent(credential -> {
                        WebUtils.putCredential(requestContext, credential);
                    });
                }
                LOGGER.trace("Recording and tracking initial authentication results in the request context");
                WebUtils.putAuthenticationResultBuilder(establishAuthenticationContextFromInitial, requestContext);
                WebUtils.putAuthentication(authentication, requestContext);
                if (this.singleSignOnParticipationStrategy.supports(requestContext)) {
                    if (this.singleSignOnParticipationStrategy.isParticipating(requestContext)) {
                        return true;
                    }
                }
                return false;
            }
        } catch (AbstractTicketException e) {
            LOGGER.trace("Could not retrieve ticket id [{}] from registry.", e.getMessage());
        }
        LOGGER.trace("Ticket-granting ticket found in the webflow context is invalid or has expired");
        return false;
    }

    private void prepareRequestContextForSingleSignOn(RequestContext requestContext, JEEContext jEEContext, String str) {
        WebApplicationService service = WebUtils.getService(this.argumentExtractors, requestContext);
        WebUtils.putServiceIntoFlowScope(requestContext, service);
        WebUtils.putRegisteredService(requestContext, this.servicesManager.findServiceBy(service));
        if (StringUtils.isNotBlank(str)) {
            populateContextWithClientCredential(findDelegatedClientByName(jEEContext.getNativeRequest(), str, service), jEEContext, requestContext);
        }
    }

    private boolean isDelegatedClientAuthorizedForService(Client<Credentials> client, Service service) {
        return this.delegatedAuthenticationAccessStrategyHelper.isDelegatedClientAuthorizedForService(client, service);
    }

    @Generated
    public Clients getClients() {
        return this.clients;
    }

    @Generated
    public ServicesManager getServicesManager() {
        return this.servicesManager;
    }

    @Generated
    public AuditableExecution getDelegatedAuthenticationPolicyEnforcer() {
        return this.delegatedAuthenticationPolicyEnforcer;
    }

    @Generated
    public DelegatedClientWebflowManager getDelegatedClientWebflowManager() {
        return this.delegatedClientWebflowManager;
    }

    @Generated
    public AuthenticationSystemSupport getAuthenticationSystemSupport() {
        return this.authenticationSystemSupport;
    }

    @Generated
    public AuthenticationServiceSelectionPlan getAuthenticationRequestServiceSelectionStrategies() {
        return this.authenticationRequestServiceSelectionStrategies;
    }

    @Generated
    public CentralAuthenticationService getCentralAuthenticationService() {
        return this.centralAuthenticationService;
    }

    @Generated
    public SingleSignOnParticipationStrategy getSingleSignOnParticipationStrategy() {
        return this.singleSignOnParticipationStrategy;
    }

    @Generated
    public SessionStore<JEEContext> getSessionStore() {
        return this.sessionStore;
    }

    @Generated
    public DelegatedAuthenticationAccessStrategyHelper getDelegatedAuthenticationAccessStrategyHelper() {
        return this.delegatedAuthenticationAccessStrategyHelper;
    }

    @Generated
    public CasConfigurationProperties getCasProperties() {
        return this.casProperties;
    }

    @Generated
    public List<ArgumentExtractor> getArgumentExtractors() {
        return this.argumentExtractors;
    }
}
