package org.apereo.cas.services;

import java.util.HashMap;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationResult;
import org.apereo.cas.authentication.PrincipalException;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-services-5.1.0.jar:org/apereo/cas/services/RegisteredServiceAccessStrategyUtils.class */
/**
 * Static guard methods that enforce a registered service's access strategy.
 *
 * <p>Every method here signals a denial by throwing; returning normally is the
 * only "allowed" outcome. Callers must therefore not catch and ignore the
 * exceptions thrown here, or the authorization decision is lost.
 *
 * <p>NOTE(review): the service identifier is interpolated into log lines and
 * into the {@link UnauthorizedServiceException} message. If that identifier can
 * originate from request input (not visible in this class), confirm that the
 * logging layout neutralises CR/LF and that the exception message is encoded
 * before it is rendered to a client.
 */
public final class RegisteredServiceAccessStrategyUtils {
    private static final Logger LOGGER = LoggerFactory.getLogger(RegisteredServiceAccessStrategyUtils.class);

    /** Utility class; not instantiable. */
    private RegisteredServiceAccessStrategyUtils() {
    }

    /**
     * Formats a denial message for the given service identifier and records it at WARN.
     *
     * @param template  {@link String#format} template containing a single {@code %s}
     * @param serviceId identifier substituted into the template
     * @return the formatted message, so the caller can reuse it for the exception
     */
    private static String logDenial(final String template, final String serviceId) {
        final String message = String.format(template, serviceId);
        LOGGER.warn(message);
        return message;
    }

    /**
     * Checks that the registered service exists and that its access strategy
     * allows access, using the service's name (or an empty string when the
     * service is {@code null}) in any denial message.
     *
     * @param registeredService registry entry to check; may be {@code null}
     * @throws UnauthorizedServiceException if the entry is {@code null} or access is not allowed
     */
    public static void ensureServiceAccessIsAllowed(RegisteredService registeredService) {
        final String serviceName;
        if (registeredService == null) {
            serviceName = "";
        } else {
            serviceName = registeredService.getName();
        }
        ensureServiceAccessIsAllowed(serviceName, registeredService);
    }

    /**
     * Checks that the registered service exists and that its access strategy
     * reports service access as allowed.
     *
     * @param str               service identifier used only for the log and exception message
     * @param registeredService registry entry to check; may be {@code null}
     * @throws UnauthorizedServiceException if the entry is {@code null} (not found) or its
     *                                      access strategy does not allow service access
     */
    public static void ensureServiceAccessIsAllowed(String str, RegisteredService registeredService) {
        // A missing registry entry is a denial, not an implicit allow.
        if (registeredService == null) {
            final String notFound = logDenial(
                    "Unauthorized Service Access. Service [%s] is not found in service registry.", str);
            throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, notFound);
        }
        if (!registeredService.getAccessStrategy().isServiceAccessAllowed()) {
            final String notEnabled = logDenial(
                    "Unauthorized Service Access. Service [%s] is not enabled in service registry.", str);
            throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, notEnabled);
        }
    }

    /**
     * Same check as the {@code (String, RegisteredService)} overload, identifying
     * the service by {@code service.getId()}.
     *
     * <p>{@code service} is dereferenced before the registry entry is examined, so a
     * {@code null} service surfaces as a {@link NullPointerException} rather than an
     * {@link UnauthorizedServiceException}.
     *
     * @param service           requested service; must not be {@code null}
     * @param registeredService registry entry to check; may be {@code null}
     * @throws UnauthorizedServiceException if the entry is missing or access is not allowed
     */
    public static void ensureServiceAccessIsAllowed(Service service, RegisteredService registeredService) {
        final String serviceId = service.getId();
        ensureServiceAccessIsAllowed(serviceId, registeredService);
    }

    /**
     * Checks service-level access first, then asks the access strategy whether the
     * principal's released attributes permit access to the service.
     *
     * <p>The attributes handed to the access strategy are the ones produced by the
     * service's attribute release policy for this principal, not the principal's
     * raw attribute set.
     *
     * @param service           requested service
     * @param registeredService registry entry for the service
     * @param authentication    authentication whose principal is evaluated
     * @throws UnauthorizedServiceException if the service itself is missing or not enabled
     * @throws PrincipalException           if the principal's attributes do not allow access
     */
    public static void ensurePrincipalAccessIsAllowedForService(Service service, RegisteredService registeredService, Authentication authentication) throws UnauthorizedServiceException, PrincipalException {
        ensureServiceAccessIsAllowed(service, registeredService);

        final Principal principal = authentication.getPrincipal();
        final boolean permitted = registeredService.getAccessStrategy().doPrincipalAttributesAllowServiceAccess(
                principal.getId(),
                registeredService.getAttributeReleasePolicy().getAttributes(principal, service, registeredService));
        if (permitted) {
            return;
        }

        // NOTE(review): the whole principal object is logged via its toString(); confirm that
        // representation does not expose attribute values that should stay out of WARN logs.
        LOGGER.warn("Cannot grant access to service [{}] because it is not authorized for use by [{}].", service.getId(), principal);

        // Raw HashMap kept as in the original listing (presumably a decompiler artifact);
        // the constructor's generic signature is not visible here.
        HashMap handlerErrors = new HashMap();
        handlerErrors.put(UnauthorizedServiceForPrincipalException.class.getSimpleName(), UnauthorizedServiceForPrincipalException.class);
        throw new PrincipalException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, handlerErrors, new HashMap());
    }

    /**
     * Principal check for a service ticket, evaluated against the authentication
     * held directly by the given ticket-granting ticket.
     *
     * <p>NOTE(review): this overload reads {@code ticketGrantingTicket.getAuthentication()},
     * whereas the {@code (Service, RegisteredService, TicketGrantingTicket)} overload reads
     * {@code getRoot().getAuthentication()}. For a ticket that has a distinct root the two
     * may evaluate different principals; confirm the difference is intended.
     *
     * @param serviceTicket        ticket whose service is being accessed
     * @param registeredService    registry entry for the service
     * @param ticketGrantingTicket ticket supplying the authentication
     * @throws UnauthorizedServiceException if the service is missing or not enabled
     * @throws PrincipalException           if the principal's attributes do not allow access
     */
    public static void ensurePrincipalAccessIsAllowedForService(ServiceTicket serviceTicket, RegisteredService registeredService, TicketGrantingTicket ticketGrantingTicket) throws UnauthorizedServiceException, PrincipalException {
        final Service ticketService = serviceTicket.getService();
        ensurePrincipalAccessIsAllowedForService(ticketService, registeredService, ticketGrantingTicket.getAuthentication());
    }

    /**
     * Principal check for a service, evaluated against the authentication of the
     * root of the given ticket-granting ticket.
     *
     * @param service              requested service
     * @param registeredService    registry entry for the service
     * @param ticketGrantingTicket ticket whose root supplies the authentication
     * @throws UnauthorizedServiceException if the service is missing or not enabled
     * @throws PrincipalException           if the principal's attributes do not allow access
     */
    public static void ensurePrincipalAccessIsAllowedForService(Service service, RegisteredService registeredService, TicketGrantingTicket ticketGrantingTicket) throws UnauthorizedServiceException, PrincipalException {
        final TicketGrantingTicket rootTicket = ticketGrantingTicket.getRoot();
        ensurePrincipalAccessIsAllowedForService(service, registeredService, rootTicket.getAuthentication());
    }

    /**
     * Principal check for a service ticket, evaluated against the authentication
     * carried by the given authentication result.
     *
     * @param serviceTicket        ticket whose service is being accessed
     * @param authenticationResult result supplying the authentication
     * @param registeredService    registry entry for the service
     * @throws UnauthorizedServiceException if the service is missing or not enabled
     * @throws PrincipalException           if the principal's attributes do not allow access
     */
    public static void ensurePrincipalAccessIsAllowedForService(ServiceTicket serviceTicket, AuthenticationResult authenticationResult, RegisteredService registeredService) throws UnauthorizedServiceException, PrincipalException {
        final Service ticketService = serviceTicket.getService();
        ensurePrincipalAccessIsAllowedForService(ticketService, registeredService, authenticationResult.getAuthentication());
    }

    /**
     * Rejects reuse of an existing SSO session for a service whose access strategy
     * does not allow SSO.
     *
     * <p>When SSO is not allowed, the request is denied if the ticket-granting ticket
     * is proxied, or if it is not proxied and has already been used at least once.
     * A non-proxied ticket with a use count of zero passes.
     *
     * <p>This method does not verify that {@code registeredService} is non-null or
     * enabled; a {@code null} entry fails with a {@link NullPointerException}. The
     * closing debug line is also written on the pass-through path where SSO is
     * disallowed but the ticket is unused, so that line alone does not indicate
     * that the service permits SSO.
     *
     * @param registeredService    registry entry for the service; must not be {@code null}
     * @param service              requested service, used for log messages
     * @param ticketGrantingTicket ticket representing the existing session
     * @throws UnauthorizedSsoServiceException if SSO participation is not allowed
     */
    public static void ensureServiceSsoAccessIsAllowed(RegisteredService registeredService, Service service, TicketGrantingTicket ticketGrantingTicket) {
        final boolean ssoPermitted = registeredService.getAccessStrategy().isServiceAccessAllowedForSso();
        if (!ssoPermitted) {
            LOGGER.debug("Service [{}] is configured to not use SSO", service.getId());
            if (ticketGrantingTicket.getProxiedBy() != null) {
                LOGGER.warn("ServiceManagement: Service [{}] is not allowed to use SSO for proxying.", service.getId());
                throw new UnauthorizedSsoServiceException();
            } else if (ticketGrantingTicket.getCountOfUses() > 0) {
                // Reaching this branch already implies the ticket is not proxied.
                LOGGER.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
                throw new UnauthorizedSsoServiceException();
            }
        }
        LOGGER.debug("Current authentication via ticket [{}] allows service [{}] to participate in the existing SSO session", ticketGrantingTicket.getId(), service.getId());
    }
}
