package org.apereo.cas;

import com.codahale.metrics.annotation.Counted;
import com.codahale.metrics.annotation.Metered;
import com.codahale.metrics.annotation.Timed;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationBuilder;
import org.apereo.cas.authentication.AuthenticationCredentialsLocalBinder;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.ContextualAuthenticationPolicyFactory;
import org.apereo.cas.authentication.DefaultAuthenticationBuilder;
import org.apereo.cas.authentication.PrincipalException;
import org.apereo.cas.authentication.exceptions.MixedPrincipalException;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.logout.LogoutManager;
import org.apereo.cas.logout.LogoutRequest;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy;
import org.apereo.cas.services.ServiceContext;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedProxyingException;
import org.apereo.cas.services.UnauthorizedSsoServiceException;
import org.apereo.cas.support.events.ticket.CasProxyGrantingTicketCreatedEvent;
import org.apereo.cas.support.events.ticket.CasProxyTicketGrantedEvent;
import org.apereo.cas.support.events.ticket.CasServiceTicketGrantedEvent;
import org.apereo.cas.support.events.ticket.CasServiceTicketValidatedEvent;
import org.apereo.cas.support.events.ticket.CasTicketGrantingTicketCreatedEvent;
import org.apereo.cas.support.events.ticket.CasTicketGrantingTicketDestroyedEvent;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.InvalidTicketException;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.ServiceTicketFactory;
import org.apereo.cas.ticket.TicketFactory;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.TicketGrantingTicketFactory;
import org.apereo.cas.ticket.UnrecognizableServiceForServiceTicketValidationException;
import org.apereo.cas.ticket.proxy.ProxyGrantingTicket;
import org.apereo.cas.ticket.proxy.ProxyGrantingTicketFactory;
import org.apereo.cas.ticket.proxy.ProxyTicket;
import org.apereo.cas.ticket.proxy.ProxyTicketFactory;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.validation.Assertion;
import org.apereo.cas.validation.ImmutableAssertion;
import org.apereo.inspektr.audit.annotation.Audit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.transaction.annotation.Transactional;

/**
 * Default {@code CentralAuthenticationService}: the single place where ticket-granting,
 * service, proxy-granting and proxy tickets are created, validated and destroyed.
 *
 * <p>Every granting/validation path below runs the registered-service access checks
 * ({@link RegisteredServiceAccessStrategyUtils}) and the contextual authentication
 * policy ({@code getAuthenticationSatisfiedByPolicy}) <em>before</em> any ticket is added
 * to the registry, so a caller can only obtain a ticket for a service it is authorized
 * for. Each public operation is wrapped in a transaction bound to
 * {@code ticketTransactionManager} and is audited/metered via the annotations on the method.
 *
 * <p>Note: this listing is decompiled ({@code cas-server-core-5.1.0-RC3.jar}), so local
 * variable names are synthetic and some control flow (e.g. the try/catch(Throwable) in
 * {@link #validateServiceTicket}) is the decompiler's rendering of the original structure.
 */
@Transactional(transactionManager = "ticketTransactionManager")
/* loaded from: input_file:WEB-INF/lib/cas-server-core-5.1.0-RC3.jar:org/apereo/cas/DefaultCentralAuthenticationService.class */
public class DefaultCentralAuthenticationService extends AbstractCentralAuthenticationService {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) DefaultCentralAuthenticationService.class);
    private static final long serialVersionUID = -8943828074939533986L;

    /**
     * Creates the service; all collaborators are handed straight to the abstract base class
     * (which exposes them as {@code ticketRegistry}, {@code ticketFactory},
     * {@code servicesManager}, {@code logoutManager} and {@code principalFactory}).
     *
     * @param ticketRegistry                       registry that stores/looks up tickets
     * @param ticketFactory                        factory keyed by ticket class (TGT, ST, PGT, PT)
     * @param servicesManager                      resolves a {@link Service} to its {@link RegisteredService} definition
     * @param logoutManager                        builds logout requests when a TGT is destroyed
     * @param authenticationServiceSelectionPlan   used by the base class to resolve the service of a request
     * @param contextualAuthenticationPolicyFactory supplies the per-service authentication policy
     * @param principalFactory                     creates the principal released to a service
     * @param cipherExecutor                       cipher used by the base class (presumably for ticket-id signing; see
     *                                             {@code isTicketAuthenticityVerified} — confirm in the base class)
     */
    public DefaultCentralAuthenticationService(TicketRegistry ticketRegistry, TicketFactory ticketFactory, ServicesManager servicesManager, LogoutManager logoutManager, AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan, ContextualAuthenticationPolicyFactory<ServiceContext> contextualAuthenticationPolicyFactory, PrincipalFactory principalFactory, CipherExecutor<String, String> cipherExecutor) {
        super(ticketRegistry, ticketFactory, servicesManager, logoutManager, authenticationServiceSelectionPlan, contextualAuthenticationPolicyFactory, principalFactory, cipherExecutor);
    }

    /**
     * Destroys a ticket-granting ticket: runs single logout for it, removes it from the
     * registry and publishes {@link CasTicketGrantingTicketDestroyedEvent}.
     *
     * <p>A TGT that cannot be found is treated as already gone: the
     * {@link InvalidTicketException} from {@code getTicket} is logged at debug level and an
     * empty list is returned, so callers cannot distinguish "never existed" from "destroyed".
     *
     * @param str the ticket-granting ticket id
     * @return the logout requests produced by the {@link LogoutManager}, or an empty list if
     *         the ticket was not found
     */
    @Override // org.apereo.cas.CentralAuthenticationService
    @Timed(name = "DESTROY_TICKET_GRANTING_TICKET_TIMER")
    @Counted(name = "DESTROY_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
    @Metered(name = "DESTROY_TICKET_GRANTING_TICKET_METER")
    @Audit(action = "TICKET_GRANTING_TICKET_DESTROYED", actionResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    public List<LogoutRequest> destroyTicketGrantingTicket(String str) {
        try {
            // The raw TGT id is written to the debug log here and below; ticket ids are
            // bearer credentials, so debug logging should not be enabled in production.
            LOGGER.debug("Removing ticket [{}] from registry...", str);
            TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) getTicket(str, TicketGrantingTicket.class);
            LOGGER.debug("Ticket found. Processing logout requests and then deleting the ticket...");
            // Expose the TGT's authentication to the logout pipeline via the thread-local binder.
            AuthenticationCredentialsLocalBinder.bindCurrent(ticketGrantingTicket.getAuthentication());
            // Logout requests are computed before the ticket is deleted, since they are derived from it.
            List<LogoutRequest> performLogout = this.logoutManager.performLogout(ticketGrantingTicket);
            this.ticketRegistry.deleteTicket(str);
            doPublishEvent(new CasTicketGrantingTicketDestroyedEvent(this, ticketGrantingTicket));
            return performLogout;
        } catch (InvalidTicketException e) {
            LOGGER.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", str);
            return Collections.emptyList();
        }
    }

    /**
     * Grants a service ticket from an existing ticket-granting ticket.
     *
     * <p>Checks, in order: the TGT exists ({@code getTicket} throws otherwise); the principal
     * may access the service; the supplied authentication (if any) belongs to the same
     * principal as the TGT; SSO is allowed for the service; proxy rules; and the service's
     * contextual authentication policy. Only then is the ST created, the TGT updated in the
     * registry, the ST added, and {@link CasServiceTicketGrantedEvent} published.
     *
     * <p>The authentication bound to the thread and used for the log line is the one on the
     * <em>root</em> of the TGT chain, not the one passed in.
     *
     * @param str                  the ticket-granting ticket id
     * @param service              the service the ticket is requested for
     * @param authenticationResult optional authentication supplied with the request; when
     *                             non-null and marked credential-provided, the ST is created
     *                             with that flag set
     * @return the new service ticket
     * @throws AuthenticationException  if the authentication policy for the service is not satisfied
     * @throws AbstractTicketException  if the TGT is invalid or ticket creation fails
     */
    @Override // org.apereo.cas.CentralAuthenticationService
    @Timed(name = "GRANT_SERVICE_TICKET_TIMER")
    @Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true)
    @Metered(name = "GRANT_SERVICE_TICKET_METER")
    @Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
    public ServiceTicket grantServiceTicket(String str, Service service, AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
        TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) getTicket(str, TicketGrantingTicket.class);
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(service, findServiceBy, ticketGrantingTicket);
        // Rejects a request whose authentication names a different principal than the TGT.
        Authentication evaluatePossibilityOfMixedPrincipals = evaluatePossibilityOfMixedPrincipals(authenticationResult, ticketGrantingTicket);
        RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(findServiceBy, service, ticketGrantingTicket);
        evaluateProxiedServiceIfNeeded(service, ticketGrantingTicket, findServiceBy);
        // Return value intentionally ignored: this call is used for its policy-violation exception.
        getAuthenticationSatisfiedByPolicy(evaluatePossibilityOfMixedPrincipals, new ServiceContext(service, findServiceBy));
        Authentication authentication = ticketGrantingTicket.getRoot().getAuthentication();
        AuthenticationCredentialsLocalBinder.bindCurrent(authentication);
        Principal principal = authentication.getPrincipal();
        ServiceTicket serviceTicket = (ServiceTicket) ((ServiceTicketFactory) this.ticketFactory.get(ServiceTicket.class)).create(ticketGrantingTicket, service, authenticationResult != null && authenticationResult.isCredentialProvided());
        // The TGT is written back before the ST is added — presumably because the factory
        // records the granted ST on the TGT; confirm against ServiceTicketFactory.
        this.ticketRegistry.updateTicket(ticketGrantingTicket);
        this.ticketRegistry.addTicket(serviceTicket);
        LOGGER.info("Granted ticket [{}] for service [{}] and principal [{}]", serviceTicket.getId(), service.getId(), principal.getId());
        doPublishEvent(new CasServiceTicketGrantedEvent(this, ticketGrantingTicket, serviceTicket));
        return serviceTicket;
    }

    /**
     * Grants a proxy ticket from a proxy-granting ticket, applying the same access / SSO /
     * proxy / policy checks as {@link #grantServiceTicket} against the PGT.
     *
     * <p>A {@link PrincipalException} raised by any of the checks is converted to an
     * {@link UnauthorizedSsoServiceException}. The conversion uses the no-arg constructor,
     * so the original exception (and its message) is not attached as the cause and is not
     * logged anywhere in this method. Failures from {@code getTicket} or
     * {@code findServiceBy}, which run before the try block, propagate unchanged.
     *
     * @param str     the proxy-granting ticket id
     * @param service the service the proxy ticket is requested for
     * @return the new proxy ticket
     * @throws AbstractTicketException if the PGT is invalid or ticket creation fails
     * @throws UnauthorizedSsoServiceException if an access/policy check raises a {@link PrincipalException}
     */
    @Override // org.apereo.cas.CentralAuthenticationService
    @Timed(name = "GRANT_PROXY_TICKET_TIMER")
    @Counted(name = "GRANT_PROXY_TICKET_COUNTER", monotonic = true)
    @Metered(name = "GRANT_PROXY_TICKET_METER")
    @Audit(action = "PROXY_TICKET", actionResolverName = "GRANT_PROXY_TICKET_RESOLVER", resourceResolverName = "GRANT_PROXY_TICKET_RESOURCE_RESOLVER")
    public ProxyTicket grantProxyTicket(String str, Service service) throws AbstractTicketException {
        ProxyGrantingTicket proxyGrantingTicket = (ProxyGrantingTicket) getTicket(str, ProxyGrantingTicket.class);
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        try {
            RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(service, findServiceBy, proxyGrantingTicket);
            RegisteredServiceAccessStrategyUtils.ensureServiceSsoAccessIsAllowed(findServiceBy, service, proxyGrantingTicket);
            evaluateProxiedServiceIfNeeded(service, proxyGrantingTicket, findServiceBy);
            // Policy is evaluated against the root authentication of the PGT chain; result ignored.
            getAuthenticationSatisfiedByPolicy(proxyGrantingTicket.getRoot().getAuthentication(), new ServiceContext(service, findServiceBy));
            Authentication authentication = proxyGrantingTicket.getRoot().getAuthentication();
            AuthenticationCredentialsLocalBinder.bindCurrent(authentication);
            Principal principal = authentication.getPrincipal();
            ProxyTicket proxyTicket = (ProxyTicket) ((ProxyTicketFactory) this.ticketFactory.get(ProxyTicket.class)).create(proxyGrantingTicket, service);
            this.ticketRegistry.updateTicket(proxyGrantingTicket);
            this.ticketRegistry.addTicket(proxyTicket);
            LOGGER.info("Granted ticket [{}] for service [{}] for user [{}]", proxyTicket.getId(), service.getId(), principal.getId());
            doPublishEvent(new CasProxyTicketGrantedEvent(this, proxyGrantingTicket, proxyTicket));
            return proxyTicket;
        } catch (PrincipalException e) {
            // Cause is dropped here; the underlying PrincipalException is not preserved or logged.
            throw new UnauthorizedSsoServiceException();
        }
    }

    /**
     * Creates a proxy-granting ticket for the service that holds the given service ticket.
     *
     * <p>Order of checks: the ST must exist and be unexpired (otherwise
     * {@link InvalidTicketException}); the principal must be allowed to access the ST's
     * service; and the registered service's proxy policy must permit proxying (otherwise
     * {@link UnauthorizedProxyingException}, logged at warn level). The ST itself is neither
     * updated nor deleted by this method.
     *
     * @param str                  the service ticket id the PGT is based on
     * @param authenticationResult the authentication of the requesting party; its
     *                             {@link Authentication} is bound to the thread and stored in the PGT
     * @return the new proxy-granting ticket
     * @throws AuthenticationException  declared by the interface; not thrown directly here
     * @throws AbstractTicketException  if the ST is missing/expired or ticket creation fails
     */
    @Override // org.apereo.cas.CentralAuthenticationService
    @Timed(name = "CREATE_PROXY_GRANTING_TICKET_TIMER")
    @Counted(name = "CREATE_PROXY_GRANTING_TICKET_COUNTER", monotonic = true)
    @Metered(name = "CREATE_PROXY_GRANTING_TICKET_METER")
    @Audit(action = "PROXY_GRANTING_TICKET", actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
    public ProxyGrantingTicket createProxyGrantingTicket(String str, AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
        AuthenticationCredentialsLocalBinder.bindCurrent(authenticationResult.getAuthentication());
        // Direct registry lookup (not getTicket), so existence and expiry are checked by hand below.
        ServiceTicket serviceTicket = (ServiceTicket) this.ticketRegistry.getTicket(str, ServiceTicket.class);
        if (serviceTicket == null || serviceTicket.isExpired()) {
            LOGGER.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", str);
            throw new InvalidTicketException(str);
        }
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(serviceTicket.getService());
        RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(serviceTicket, authenticationResult, findServiceBy);
        // Proxying is opt-in per registered service; refuse unless the proxy policy allows it.
        if (!findServiceBy.getProxyPolicy().isAllowedToProxy()) {
            LOGGER.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", serviceTicket.getService().getId());
            throw new UnauthorizedProxyingException();
        }
        ProxyGrantingTicket create = ((ProxyGrantingTicketFactory) this.ticketFactory.get(ProxyGrantingTicket.class)).create(serviceTicket, authenticationResult.getAuthentication());
        LOGGER.debug("Generated proxy granting ticket [{}] based off of [{}]", create, str);
        this.ticketRegistry.addTicket(create);
        doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, create));
        return create;
    }

    /**
     * Validates a service ticket for a service and builds the {@link Assertion} released to it.
     *
     * <p>Checks, in order: the ticket id passes {@code isTicketAuthenticityVerified} (inherited;
     * presumably verifies the id was issued by this CAS via the cipher executor — confirm in
     * the base class) <em>before</em> any registry lookup; the ticket exists; under the
     * ticket's monitor, it is not expired and {@code isValidFor} the supplied service. The
     * service from the request is then resolved, its registered-service access strategy is
     * enforced, the authentication policy is applied to the root authentication of the
     * ticket's granting ticket, and a new principal is built from the service's username
     * attribute provider and attribute release policy (an absent release policy yields no
     * attributes).
     *
     * <p>Registry bookkeeping: whether validation succeeds or fails after the ticket was
     * found, the ticket is deleted from the registry if it is now expired, otherwise updated.
     * The decompiler renders the original cleanup as a duplicated block in a
     * {@code catch (Throwable)}; as written here, a failure of the cleanup call itself on the
     * success path (L206–L210) would be caught and the cleanup attempted a second time before
     * rethrowing.
     *
     * @param str     the service ticket id
     * @param service the service presenting the ticket for validation
     * @return an {@link ImmutableAssertion} holding the released authentication, the chained
     *         authentications of the granting ticket, the resolved service and the
     *         from-new-login flag
     * @throws InvalidTicketException if the id fails the authenticity check, is not in the registry, or is expired
     * @throws UnrecognizableServiceForServiceTicketValidationException if the ticket was issued for a different service
     * @throws AbstractTicketException for other ticket failures surfaced by the checks above
     */
    @Override // org.apereo.cas.CentralAuthenticationService
    @Timed(name = "VALIDATE_SERVICE_TICKET_TIMER")
    @Counted(name = "VALIDATE_SERVICE_TICKET_COUNTER", monotonic = true)
    @Metered(name = "VALIDATE_SERVICE_TICKET_METER")
    @Audit(action = "SERVICE_TICKET_VALIDATE", actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER", resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
    public Assertion validateServiceTicket(String str, Service service) throws AbstractTicketException {
        // Reject forged/foreign ticket ids before touching the registry.
        if (!isTicketAuthenticityVerified(str)) {
            LOGGER.info("Service ticket [{}] is not a valid ticket issued by CAS.", str);
            throw new InvalidTicketException(str);
        }
        ServiceTicket serviceTicket = (ServiceTicket) this.ticketRegistry.getTicket(str, ServiceTicket.class);
        if (serviceTicket == null) {
            LOGGER.info("Service ticket [{}] does not exist.", str);
            throw new InvalidTicketException(str);
        }
        try {
            // Expiry and service-match checks are done under the ticket's monitor so that
            // concurrent validations of the same ticket object observe a consistent state.
            synchronized (serviceTicket) {
                if (serviceTicket.isExpired()) {
                    LOGGER.info("ServiceTicket [{}] has expired.", str);
                    throw new InvalidTicketException(str);
                }
                // A ticket issued for one service must not validate for another.
                if (!serviceTicket.isValidFor(service)) {
                    LOGGER.error("Service ticket [{}] with service [{}] does not match supplied service [{}]", str, serviceTicket.getService().getId(), service);
                    throw new UnrecognizableServiceForServiceTicketValidationException(serviceTicket.getService());
                }
            }
            Service resolveServiceFromAuthenticationRequest = resolveServiceFromAuthenticationRequest(service);
            LOGGER.debug("Resolved service [{}] from the authentication request", resolveServiceFromAuthenticationRequest);
            RegisteredService findServiceBy = this.servicesManager.findServiceBy(resolveServiceFromAuthenticationRequest);
            LOGGER.debug("Located registered service definition [{}] from [{}] to handle validation request", findServiceBy, resolveServiceFromAuthenticationRequest);
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(resolveServiceFromAuthenticationRequest, findServiceBy);
            Authentication authenticationSatisfiedByPolicy = getAuthenticationSatisfiedByPolicy(serviceTicket.getGrantingTicket().getRoot().getAuthentication(), new ServiceContext(resolveServiceFromAuthenticationRequest, findServiceBy));
            Principal principal = authenticationSatisfiedByPolicy.getPrincipal();
            RegisteredServiceAttributeReleasePolicy attributeReleasePolicy = findServiceBy.getAttributeReleasePolicy();
            LOGGER.debug("Attribute policy [{}] is associated with service [{}]", attributeReleasePolicy, findServiceBy);
            // The released principal carries only the attributes the service's release policy permits.
            Principal createPrincipal = this.principalFactory.createPrincipal(findServiceBy.getUsernameAttributeProvider().resolveUsername(principal, resolveServiceFromAuthenticationRequest), attributeReleasePolicy != null ? attributeReleasePolicy.getAttributes(principal, findServiceBy) : new HashMap<>());
            AuthenticationBuilder newInstance = DefaultAuthenticationBuilder.newInstance(authenticationSatisfiedByPolicy);
            newInstance.setPrincipal(createPrincipal);
            Authentication build = newInstance.build();
            AuthenticationCredentialsLocalBinder.bindCurrent(build);
            ImmutableAssertion immutableAssertion = new ImmutableAssertion(build, serviceTicket.getGrantingTicket().getChainedAuthentications(), resolveServiceFromAuthenticationRequest, serviceTicket.isFromNewLogin());
            doPublishEvent(new CasServiceTicketValidatedEvent(this, serviceTicket, immutableAssertion));
            // Persist the ticket's post-validation state (deleted once expired, e.g. after use).
            if (serviceTicket.isExpired()) {
                this.ticketRegistry.deleteTicket(str);
            } else {
                this.ticketRegistry.updateTicket(serviceTicket);
            }
            return immutableAssertion;
        } catch (Throwable th) {
            // Same bookkeeping on the failure path, then rethrow unchanged.
            if (serviceTicket.isExpired()) {
                this.ticketRegistry.deleteTicket(str);
            } else {
                this.ticketRegistry.updateTicket(serviceTicket);
            }
            throw th;
        }
    }

    /**
     * Creates a ticket-granting ticket from a completed authentication.
     *
     * <p>If the authentication result carries a target service, the principal's access to that
     * service is enforced before the TGT is issued; with no service the TGT is issued without
     * a service-level check. The new ticket is added to the registry and
     * {@link CasTicketGrantingTicketCreatedEvent} is published.
     *
     * @param authenticationResult the result of a successful authentication, supplying the
     *                             {@link Authentication} and an optional {@link Service}
     * @return the new ticket-granting ticket
     * @throws AuthenticationException  declared by the interface; not thrown directly here
     * @throws AbstractTicketException  if ticket creation fails
     */
    @Override // org.apereo.cas.CentralAuthenticationService
    @Timed(name = "CREATE_TICKET_GRANTING_TICKET_TIMER")
    @Counted(name = "CREATE_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
    @Metered(name = "CREATE_TICKET_GRANTING_TICKET_METER")
    @Audit(action = "TICKET_GRANTING_TICKET", actionResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    public TicketGrantingTicket createTicketGrantingTicket(AuthenticationResult authenticationResult) throws AuthenticationException, AbstractTicketException {
        Authentication authentication = authenticationResult.getAuthentication();
        Service service = authenticationResult.getService();
        AuthenticationCredentialsLocalBinder.bindCurrent(authentication);
        // Service is optional on a TGT request; only enforce access when one was supplied.
        if (service != null) {
            RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(service, this.servicesManager.findServiceBy(service), authentication);
        }
        TicketGrantingTicket create = ((TicketGrantingTicketFactory) this.ticketFactory.get(TicketGrantingTicket.class)).create(authentication);
        this.ticketRegistry.addTicket(create);
        doPublishEvent(new CasTicketGrantingTicketCreatedEvent(this, create));
        return create;
    }

    /**
     * Guards against a service ticket being granted under one principal's TGT using an
     * authentication for a different principal.
     *
     * <p>When the result (or its authentication) is null there is nothing to compare and
     * {@code null} is returned. Otherwise the principal of the supplied authentication is
     * compared (via {@code equals}) with the principal of the TGT's own authentication.
     *
     * @param authenticationResult optional authentication supplied with the request
     * @param ticketGrantingTicket the TGT the ticket is being granted from
     * @return the supplied authentication, or {@code null} if none was provided
     * @throws MixedPrincipalException if the two principals differ
     */
    private static Authentication evaluatePossibilityOfMixedPrincipals(AuthenticationResult authenticationResult, TicketGrantingTicket ticketGrantingTicket) throws MixedPrincipalException {
        Authentication authentication = null;
        if (authenticationResult != null) {
            authentication = authenticationResult.getAuthentication();
            if (authentication != null) {
                Authentication authentication2 = ticketGrantingTicket.getAuthentication();
                if (!authentication.getPrincipal().equals(authentication2.getPrincipal())) {
                    throw new MixedPrincipalException(authentication, authentication.getPrincipal(), authentication2.getPrincipal());
                }
            }
        }
        return authentication;
    }
}
