package org.apereo.cas.authentication;

import java.security.GeneralSecurityException;
import java.util.Collection;
import java.util.Set;
import org.apereo.cas.authentication.policy.AnyAuthenticationPolicy;
import org.apereo.cas.authentication.principal.NullPrincipal;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.events.authentication.CasAuthenticationPolicyFailureEvent;
import org.apereo.cas.support.events.authentication.CasAuthenticationTransactionFailureEvent;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-authentication-5.1.0-RC3.jar:org/apereo/cas/authentication/PolicyBasedAuthenticationManager.class */
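/**
 * Authentication manager that runs every credential of a transaction through the
 * authentication handlers resolved for that transaction and accepts the outcome as
 * soon as the configured {@link AuthenticationPolicy} is satisfied.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Evaluation short-circuits: once one handler succeeds and the policy accepts the
 *       authentication built so far, no further handlers or credentials are attempted.</li>
 *   <li>If no handler satisfies the policy during the loop, the final state is checked by
 *       {@link #evaluateProducedAuthenticationContext}, which throws unless there is at
 *       least one recorded success and the policy accepts the built authentication.</li>
 *   <li>An empty handler set is only logged as a warning here; rejection then relies on
 *       the final check above finding no successes.</li>
 * </ul>
 */
public class PolicyBasedAuthenticationManager extends AbstractAuthenticationManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(PolicyBasedAuthenticationManager.class);

    /** Policy consulted after each handler success and again when the loop ends unsatisfied. */
    protected final AuthenticationPolicy authenticationPolicy;

    /**
     * Creates a manager with an explicit handler resolver and policy.
     *
     * @param authenticationEventExecutionPlan forwarded unchanged to the superclass
     * @param authenticationHandlerResolver    forwarded unchanged to the superclass
     * @param authenticationPolicy             policy that decides whether an authentication is acceptable
     * @param z                                forwarded unchanged to the superclass; its meaning is defined
     *                                         there (the name is not preserved in this listing)
     */
    public PolicyBasedAuthenticationManager(AuthenticationEventExecutionPlan authenticationEventExecutionPlan, AuthenticationHandlerResolver authenticationHandlerResolver, AuthenticationPolicy authenticationPolicy, boolean z) {
        super(authenticationEventExecutionPlan, authenticationHandlerResolver, z);
        this.authenticationPolicy = authenticationPolicy;
    }

    /**
     * Creates a manager that uses {@code new AnyAuthenticationPolicy(false)} as its policy.
     *
     * @param authenticationEventExecutionPlan forwarded to the three-argument constructor
     * @param servicesManager                  forwarded to the three-argument constructor
     */
    public PolicyBasedAuthenticationManager(AuthenticationEventExecutionPlan authenticationEventExecutionPlan, ServicesManager servicesManager) {
        this(authenticationEventExecutionPlan, servicesManager, new AnyAuthenticationPolicy(false));
    }

    /**
     * Creates a manager whose handlers are resolved through a
     * {@link RegisteredServiceAuthenticationHandlerResolver} built from the given services manager.
     * The superclass boolean flag is fixed to {@code false} on this path.
     *
     * @param authenticationEventExecutionPlan forwarded unchanged to the superclass
     * @param servicesManager                  wrapped in a {@link RegisteredServiceAuthenticationHandlerResolver}
     * @param authenticationPolicy             policy that decides whether an authentication is acceptable
     */
    public PolicyBasedAuthenticationManager(AuthenticationEventExecutionPlan authenticationEventExecutionPlan, ServicesManager servicesManager, AuthenticationPolicy authenticationPolicy) {
        super(authenticationEventExecutionPlan, new RegisteredServiceAuthenticationHandlerResolver(servicesManager), false);
        this.authenticationPolicy = authenticationPolicy;
    }

    /**
     * Attempts authentication for the credentials of the transaction.
     *
     * <p>Metadata for every credential is recorded on the builder first. Each credential is then
     * offered to the handlers that report {@code supports(credential)}; iteration stops at the
     * first handler whose success makes the policy accept the authentication built so far.
     * When nothing satisfies the policy, the decision is delegated to
     * {@link #evaluateProducedAuthenticationContext}.
     *
     * @param authenticationTransaction transaction carrying the credentials to verify
     * @return the builder holding credential metadata and the failures recorded by this method
     * @throws AuthenticationException if the final evaluation rejects the attempt
     * @throws IllegalArgumentException if the resolved handler set is {@code null}
     */
    @Override // org.apereo.cas.authentication.AbstractAuthenticationManager
    protected AuthenticationBuilder authenticateInternal(AuthenticationTransaction authenticationTransaction) throws AuthenticationException {
        Collection<Credential> credentials = authenticationTransaction.getCredentials();
        DefaultAuthenticationBuilder builder = new DefaultAuthenticationBuilder(NullPrincipal.getInstance());
        credentials.forEach(credential -> builder.addCredential(new BasicCredentialMetaData(credential)));

        Set<AuthenticationHandler> handlers = getAuthenticationHandlersForThisTransaction(authenticationTransaction);
        Assert.notNull(handlers, "Resolved authentication handlers for this transaction cannot be null");
        if (handlers.isEmpty()) {
            // Not rejected here: with no handlers nothing below can succeed, so the final
            // evaluation is what turns this into an authentication failure.
            LOGGER.warn("Resolved authentication handlers for this transaction are empty");
        }

        boolean policySatisfied = credentials.stream().anyMatch(credential -> {
            boolean satisfied = handlers.stream()
                    .filter(handler -> handler.supports(credential))
                    .anyMatch(handler -> tryHandlerAndCheckPolicy(builder, credential, handler, authenticationTransaction));
            if (!satisfied) {
                // NOTE(review): the credential object is written to the log; this assumes
                // Credential#toString() never includes secret material. Confirm per implementation.
                LOGGER.warn("Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [{}] of type [{}], which suggests a configuration problem.", credential, credential.getClass().getSimpleName());
            }
            return satisfied;
        });

        if (!policySatisfied) {
            evaluateProducedAuthenticationContext(builder, authenticationTransaction);
        }
        return builder;
    }

    /**
     * Runs one handler against one credential and reports whether the policy accepts the
     * authentication built so far. Handler failures are recorded on the builder and reported
     * as {@code false} so the caller moves on to the next handler.
     */
    private boolean tryHandlerAndCheckPolicy(DefaultAuthenticationBuilder builder, Credential credential, AuthenticationHandler handler, AuthenticationTransaction authenticationTransaction) {
        try {
            authenticateAndResolvePrincipal(builder, credential, getPrincipalResolverLinkedToHandlerIfAny(handler, authenticationTransaction), handler);
            return this.authenticationPolicy.isSatisfiedBy(builder.build());
        } catch (GeneralSecurityException e) {
            // NOTE(review): same assumption as above about Credential#toString() at INFO level.
            LOGGER.info("[{}] failed authenticating [{}]", handler.getName(), credential);
            LOGGER.debug("[{}] exception details: [{}]", handler.getName(), e.getMessage());
            builder.addFailure(handler.getName(), e.getClass());
            return false;
        } catch (PreventedException e2) {
            // A PreventedException without a cause must not raise a NullPointerException here:
            // that would escape this handler, skip addFailure and abort the remaining handlers.
            Throwable cause = e2.getCause();
            String causeMessage = cause != null ? cause.getMessage() : null;
            LOGGER.error("[{}]: [{}]  (Details: [{}])", handler.getName(), e2.getMessage(), causeMessage);
            builder.addFailure(handler.getName(), e2.getClass());
            return false;
        }
    }

    /**
     * Final accept/reject decision, invoked when no handler satisfied the policy during the loop.
     * Publishes a failure event and throws unless the builder holds at least one success and the
     * policy accepts the built authentication.
     *
     * @param authenticationBuilder     builder holding the successes and failures collected so far
     * @param authenticationTransaction transaction being evaluated; supplied to the published events
     * @throws AuthenticationException if there are no successes, or the policy is not satisfied
     */
    protected void evaluateProducedAuthenticationContext(AuthenticationBuilder authenticationBuilder, AuthenticationTransaction authenticationTransaction) throws AuthenticationException {
        if (authenticationBuilder.getSuccesses().isEmpty()) {
            publishEvent(new CasAuthenticationTransactionFailureEvent(this, authenticationBuilder.getFailures(), authenticationTransaction.getCredentials()));
            throw new AuthenticationException(authenticationBuilder.getFailures(), authenticationBuilder.getSuccesses());
        }

        LOGGER.debug("Executing authentication policy [{}]", this.authenticationPolicy);
        Authentication authentication = authenticationBuilder.build();
        if (!this.authenticationPolicy.isSatisfiedBy(authentication)) {
            // Successes exist but the policy still refuses them: reject rather than return.
            publishEvent(new CasAuthenticationPolicyFailureEvent(this, authenticationBuilder.getFailures(), authenticationTransaction, authentication));
            throw new AuthenticationException(authenticationBuilder.getFailures(), authenticationBuilder.getSuccesses());
        }
    }
}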
