package org.apereo.cas.authentication;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationProviderBypassProperties;
import org.apereo.cas.services.MultifactorAuthenticationProvider;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.RegexUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/cas-server-core-authentication-mfa-5.3.9.jar:org/apereo/cas/authentication/DefaultMultifactorAuthenticationProviderBypass.class */
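/**
 * Decides whether a multifactor authentication provider should run for a request,
 * based on the bypass rules held in {@link MultifactorAuthenticationProviderBypassProperties}.
 *
 * <p>Every rule is a regular expression taken from configuration, and a match on any
 * single rule is enough to skip the provider. Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Attribute names, attribute values and credential class names are compared with
 *       {@link String#matches(String)}, i.e. the whole string must match.</li>
 *   <li>The remote-address rule uses {@link java.util.regex.Matcher#find()}, so an unanchored
 *       expression matches anywhere inside the address or host string. Anchor the pattern and
 *       escape literal dots when an exact address is intended.</li>
 *   <li>The header rule compares request header <em>names</em> only; header values are never
 *       inspected. Request headers are supplied by the client, so the rule is only meaningful
 *       when a trusted front end strips or sets the header before the request reaches CAS.</li>
 *   <li>Debug logging prints principal ids and whole attribute maps; treat debug logs of this
 *       class as sensitive.</li>
 * </ul>
 */
public class DefaultMultifactorAuthenticationProviderBypass implements MultifactorAuthenticationProviderBypass {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultMultifactorAuthenticationProviderBypass.class);
    private static final long serialVersionUID = 3720922341350004543L;
    private final MultifactorAuthenticationProviderBypassProperties bypassProperties;
    // Compiled once from the configured remote-address expression; MATCH_NOTHING_PATTERN when blank.
    private final Pattern httpRequestRemoteAddressPattern;
    // One compiled pattern per comma-separated entry of the configured header list.
    private final Set<Pattern> httpRequestHeaderPatterns;

    /**
     * Stores the bypass settings and pre-compiles the remote-address and header-name patterns.
     *
     * @param multifactorAuthenticationProviderBypassProperties the configured bypass rules
     */
    public DefaultMultifactorAuthenticationProviderBypass(MultifactorAuthenticationProviderBypassProperties multifactorAuthenticationProviderBypassProperties) {
        this.bypassProperties = multifactorAuthenticationProviderBypassProperties;
        String remoteAddress = multifactorAuthenticationProviderBypassProperties.getHttpRequestRemoteAddress();
        this.httpRequestRemoteAddressPattern = StringUtils.isNotBlank(remoteAddress)
            ? RegexUtils.createPattern(remoteAddress)
            : RegexUtils.MATCH_NOTHING_PATTERN;
        this.httpRequestHeaderPatterns = org.springframework.util.StringUtils
            .commaDelimitedListToSet(multifactorAuthenticationProviderBypassProperties.getHttpRequestHeaders())
            .stream()
            .map(RegexUtils::createPattern)
            .collect(Collectors.toSet());
    }

    /**
     * Evaluates the bypass rules in a fixed order: principal attributes, authentication
     * attributes, authentication method, authentication handler, credential type, HTTP request,
     * and finally the registered service's multifactor policy.
     *
     * @param authentication the current authentication; its principal and attributes are read
     * @param registeredService the service being accessed; may be {@code null}
     * @param multifactorAuthenticationProvider the provider under consideration (only logged here)
     * @param httpServletRequest the request whose remote address, host and header names are checked
     * @return {@code false} as soon as one bypass rule matches (the provider should not execute),
     *         {@code true} when no rule matches
     */
    @Override // org.apereo.cas.authentication.MultifactorAuthenticationProviderBypass
    public boolean shouldMultifactorAuthenticationProviderExecute(Authentication authentication, RegisteredService registeredService, MultifactorAuthenticationProvider multifactorAuthenticationProvider, HttpServletRequest httpServletRequest) {
        Principal principal = authentication.getPrincipal();
        LOGGER.debug("Evaluating multifactor authentication bypass properties for principal [{}], service [{}] and provider [{}]", principal.getId(), registeredService, multifactorAuthenticationProvider);
        if (locateMatchingAttributeBasedOnPrincipalAttributes(this.bypassProperties, principal)) {
            LOGGER.debug("Bypass rules for principal [{}] indicate the request may be ignored", principal.getId());
            return false;
        }
        if (locateMatchingAttributeBasedOnAuthenticationAttributes(this.bypassProperties, authentication)) {
            LOGGER.debug("Bypass rules for authentication for principal [{}] indicate the request may be ignored", principal.getId());
            return false;
        }
        // For the two fixed attribute names below, a blank configured value means "rule not set",
        // so the blank-value result is false rather than the default true.
        if (locateMatchingAttributeValue("authenticationMethod", this.bypassProperties.getAuthenticationMethodName(), authentication.getAttributes(), false)) {
            LOGGER.debug("Bypass rules for authentication method [{}] indicate the request may be ignored", this.bypassProperties.getAuthenticationMethodName());
            return false;
        }
        if (locateMatchingAttributeValue("successfulAuthenticationHandlers", this.bypassProperties.getAuthenticationHandlerName(), authentication.getAttributes(), false)) {
            LOGGER.debug("Bypass rules for authentication handlers [{}] indicate the request may be ignored", this.bypassProperties.getAuthenticationHandlerName());
            return false;
        }
        if (locateMatchingCredentialType(authentication, this.bypassProperties.getCredentialClassType())) {
            LOGGER.debug("Bypass rules for credential types [{}] indicate the request may be ignored", this.bypassProperties.getCredentialClassType());
            return false;
        }
        if (locateMatchingHttpRequest(authentication, httpServletRequest)) {
            LOGGER.debug("Bypass rules for http request indicate the request may be ignored for [{}]", principal.getId());
            return false;
        }
        // Last rule: the per-service policy. No debug line is written for this outcome.
        return !locateMatchingRegisteredServiceForBypass(authentication, registeredService);
    }

    /**
     * Checks whether the registered service's multifactor policy enables bypass.
     *
     * @param authentication unused by this implementation
     * @param registeredService the service being accessed; may be {@code null}
     * @return {@code true} only when the service and its policy exist and the policy has bypass enabled
     */
    protected boolean locateMatchingRegisteredServiceForBypass(Authentication authentication, RegisteredService registeredService) {
        if (registeredService == null || registeredService.getMultifactorPolicy() == null) {
            return false;
        }
        return registeredService.getMultifactorPolicy().isBypassEnabled();
    }

    /**
     * Checks whether any credential recorded on the authentication has a class name that fully
     * matches the given regular expression.
     *
     * @param authentication the authentication whose credential metadata is inspected
     * @param str regular expression for the credential class name; blank disables the rule
     * @return {@code true} when the expression is non-blank and at least one class name matches
     */
    protected boolean locateMatchingCredentialType(Authentication authentication, String str) {
        return StringUtils.isNotBlank(str)
            && authentication.getCredentials().stream()
                .anyMatch(credentialMetaData -> credentialMetaData.getCredentialClass().getName().matches(str));
    }

    /**
     * Applies the configured authentication-attribute name/value rule to the authentication's attributes.
     *
     * @param multifactorAuthenticationProviderBypassProperties the configured bypass rules
     * @param authentication the authentication whose attributes are inspected
     * @return the result of {@link #locateMatchingAttributeValue(String, String, Map)}
     */
    protected boolean locateMatchingAttributeBasedOnAuthenticationAttributes(MultifactorAuthenticationProviderBypassProperties multifactorAuthenticationProviderBypassProperties, Authentication authentication) {
        return locateMatchingAttributeValue(multifactorAuthenticationProviderBypassProperties.getAuthenticationAttributeName(), multifactorAuthenticationProviderBypassProperties.getAuthenticationAttributeValue(), authentication.getAttributes());
    }

    /**
     * Applies the configured principal-attribute name/value rule to the principal's attributes.
     *
     * @param multifactorAuthenticationProviderBypassProperties the configured bypass rules
     * @param principal the principal whose attributes are inspected
     * @return the result of {@link #locateMatchingAttributeValue(String, String, Map)}
     */
    protected boolean locateMatchingAttributeBasedOnPrincipalAttributes(MultifactorAuthenticationProviderBypassProperties multifactorAuthenticationProviderBypassProperties, Principal principal) {
        return locateMatchingAttributeValue(multifactorAuthenticationProviderBypassProperties.getPrincipalAttributeName(), multifactorAuthenticationProviderBypassProperties.getPrincipalAttributeValue(), principal.getAttributes());
    }

    /**
     * Same as the four-argument overload with the blank-value result set to {@code true}:
     * when only an attribute name is configured, the mere presence of a matching attribute
     * counts as a match.
     *
     * @param str regular expression for the attribute name
     * @param str2 regular expression for the attribute value; may be blank
     * @param map the attributes to search
     * @return whether the rule matches
     */
    protected boolean locateMatchingAttributeValue(String str, String str2, Map<String, Object> map) {
        return locateMatchingAttributeValue(str, str2, map, true);
    }

    /**
     * Looks for an attribute whose name fully matches {@code str} and, when {@code str2} is
     * given, whose value (or one of whose values) fully matches {@code str2}.
     *
     * <p>The whole attribute map is written to the debug log.
     *
     * @param str regular expression for the attribute name; blank means the rule is not configured
     * @param str2 regular expression for the attribute value; may be blank
     * @param map the attributes to search
     * @param z the result to return when a name matches but {@code str2} is blank
     * @return {@code false} when {@code str} is blank or no name matches; {@code z} when a name
     *         matches and {@code str2} is blank; otherwise whether any matching attribute has a
     *         value whose {@code toString()} fully matches {@code str2}
     */
    protected boolean locateMatchingAttributeValue(String str, String str2, Map<String, Object> map, boolean z) {
        LOGGER.debug("Locating matching attribute [{}] with value [{}] amongst the attribute collection [{}]", str, str2, map);
        if (StringUtils.isBlank(str)) {
            LOGGER.debug("Failed to match since attribute name is undefined");
            return false;
        }
        Set<Map.Entry<String, Object>> names = map.entrySet().stream().filter(entry -> {
            LOGGER.debug("Attempting to match [{}] against [{}]", str, entry.getKey());
            return entry.getKey().matches(str);
        }).collect(Collectors.toSet());
        LOGGER.debug("Found [{}] attributes relevant for multifactor authentication bypass", names.size());
        if (names.isEmpty()) {
            return false;
        }
        if (StringUtils.isBlank(str2)) {
            LOGGER.debug("No attribute value to match is provided; Match result is set to [{}]", z);
            return z;
        }
        Set<Map.Entry<String, Object>> values = names.stream().filter(entry -> {
            Set<Object> collection = CollectionUtils.toCollection(entry.getValue());
            LOGGER.debug("Matching attribute [{}] with values [{}] against [{}]", entry.getKey(), collection, str2);
            return collection.stream().anyMatch(obj -> obj.toString().matches(str2));
        }).collect(Collectors.toSet());
        LOGGER.debug("Matching attribute values remaining are [{}]", values);
        return !values.isEmpty();
    }

    /**
     * Checks the request against the remote-address rule and then the header-name rule.
     *
     * <p>The remote-address pattern is applied with {@code find()} to both
     * {@code getRemoteAddr()} and {@code getRemoteHost()}. Per the Servlet API,
     * {@code getRemoteHost()} may be a resolved host name or the textual IP address, and both
     * values describe the client or the last proxy that sent the request, so behind a proxy
     * they depend on how the container is configured.
     *
     * <p>The header rule passes when any configured pattern fully matches the name of any header
     * present on the request. Header values are not examined.
     *
     * @param authentication unused by this implementation
     * @param httpServletRequest the request to inspect
     * @return {@code true} when the remote address, the remote host, or a header name matches
     */
    protected boolean locateMatchingHttpRequest(Authentication authentication, HttpServletRequest httpServletRequest) {
        if (StringUtils.isNotBlank(this.bypassProperties.getHttpRequestRemoteAddress())) {
            if (this.httpRequestRemoteAddressPattern.matcher(httpServletRequest.getRemoteAddr()).find()) {
                LOGGER.debug("Http request remote address [{}] matches [{}]", this.bypassProperties.getHttpRequestRemoteAddress(), httpServletRequest.getRemoteAddr());
                return true;
            }
            if (this.httpRequestRemoteAddressPattern.matcher(httpServletRequest.getRemoteHost()).find()) {
                LOGGER.debug("Http request remote host [{}] matches [{}]", this.bypassProperties.getHttpRequestRemoteAddress(), httpServletRequest.getRemoteHost());
                return true;
            }
        }
        // A configured address that did not match still falls through to the header rule.
        if (StringUtils.isBlank(this.bypassProperties.getHttpRequestHeaders())) {
            return false;
        }
        ArrayList<String> list = Collections.list(httpServletRequest.getHeaderNames());
        boolean headerNameMatched = this.httpRequestHeaderPatterns.stream()
            .anyMatch(pattern -> list.stream().anyMatch(str -> pattern.matcher(str).matches()));
        if (!headerNameMatched) {
            return false;
        }
        LOGGER.debug("Http request remote headers [{}] match [{}]", list, this.bypassProperties.getHttpRequestHeaders());
        return true;
    }
}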
