package org.apereo.cas.web.flow;

import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationResultBuilder;
import org.apereo.cas.authentication.adaptive.UnauthorizedAuthenticationException;
import org.apereo.cas.authentication.principal.ClientCredential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.web.flow.actions.AbstractAuthenticationAction;
import org.apereo.cas.web.support.WebUtils;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.client.Client;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.exception.http.HttpAction;
import org.pac4j.core.http.adapter.JEEHttpActionAdapter;
import org.pac4j.core.util.Pac4jConstants;
import org.pac4j.oauth.exception.OAuthCredentialsException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.webflow.core.collection.LocalAttributeMap;
import org.springframework.webflow.engine.support.TransitionExecutingFlowExecutionExceptionHandler;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-pac4j-webflow-6.3.7.4.jar:org/apereo/cas/web/flow/DelegatedClientAuthenticationAction.class */
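public class DelegatedClientAuthenticationAction extends AbstractAuthenticationAction {

    /**
     * Request attribute through which the id of the CAS service being authenticated
     * is handed to views; set server-side in {@link #findDelegatedClientByName}.
     */
    private static final String SERVICE_ATTRIBUTE = "service";

    /**
     * Callback parameters whose presence means the identity provider reported a
     * failure instead of returning credentials.
     */
    private static final String[] FAILURE_PARAMETERS = {
        "error",
        "error_code",
        OAuthCredentialsException.ERROR_DESCRIPTION,
        "error_message"
    };

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatedClientAuthenticationAction.class);

    /** Collaborators (clients, services manager, CAS, strategies) and settings used by this action. */
    private final DelegatedClientAuthenticationConfigurationContext configContext;

    /**
     * Creates the action from its configuration context.
     *
     * @param delegatedClientAuthenticationConfigurationContext supplies the webflow event
     *                                                          resolvers, the adaptive policy
     *                                                          and every other collaborator;
     *                                                          must not be {@code null}
     */
    public DelegatedClientAuthenticationAction(
        final DelegatedClientAuthenticationConfigurationContext delegatedClientAuthenticationConfigurationContext) {
        super(Objects.requireNonNull(delegatedClientAuthenticationConfigurationContext, "configContext")
                .getInitialAuthenticationAttemptWebflowEventResolver(),
            delegatedClientAuthenticationConfigurationContext.getServiceTicketRequestWebflowEventResolver(),
            delegatedClientAuthenticationConfigurationContext.getAdaptiveAuthenticationPolicy());
        this.configContext = delegatedClientAuthenticationConfigurationContext;
    }

    /**
     * Checks whether the identity provider's callback reports an error.
     * <p>
     * When at least one of the failure parameters ({@code error}, {@code error_code},
     * {@code OAuthCredentialsException.ERROR_DESCRIPTION}, {@code error_message}) is present,
     * a model for the "stop webflow" view is assembled. Every request parameter copied into
     * the model is HTML-escaped first, since those values are supplied by the remote party
     * and are rendered back to the user. The {@code service} entry is read from a request
     * attribute (server-side state), not from a parameter, and is copied as-is.
     *
     * @param httpServletRequest the callback request
     * @param i                  fallback numeric code stored under {@code code} when the
     *                           {@code error_code} parameter is absent (the caller passes
     *                           the current response status)
     * @return the stop-webflow view when a failure was reported, otherwise empty
     */
    public static Optional<ModelAndView> hasDelegationRequestFailed(final HttpServletRequest httpServletRequest, final int i) {
        final Map<String, String[]> parameterMap =
            Objects.requireNonNull(httpServletRequest.getParameterMap(), "parameterMap");
        final boolean failureReported = Stream.of(FAILURE_PARAMETERS).anyMatch(parameterMap::containsKey);
        if (!failureReported) {
            return Optional.empty();
        }
        final Map<String, Object> model = new HashMap<>();
        if (parameterMap.containsKey("error_code")) {
            model.put("code", escapedParameter(httpServletRequest, "error_code"));
        } else {
            model.put("code", Integer.valueOf(i));
        }
        model.put("error", escapedParameter(httpServletRequest, "error"));
        model.put("reason", escapedParameter(httpServletRequest, OAuthCredentialsException.ERROR_REASON));
        if (parameterMap.containsKey(OAuthCredentialsException.ERROR_DESCRIPTION)) {
            model.put("description", escapedParameter(httpServletRequest, OAuthCredentialsException.ERROR_DESCRIPTION));
        } else if (parameterMap.containsKey("error_message")) {
            model.put("description", escapedParameter(httpServletRequest, "error_message"));
        }
        // Request attribute, not a parameter: set by this class from the registered service id.
        model.put(SERVICE_ATTRIBUTE, httpServletRequest.getAttribute(SERVICE_ATTRIBUTE));
        model.put("client", escapedParameter(httpServletRequest, Pac4jConstants.DEFAULT_CLIENT_NAME_PARAMETER));
        LOGGER.debug("Delegation request has failed. Details are [{}]", model);
        return Optional.of(new ModelAndView(CasWebflowConstants.STATE_ID_PAC4J_STOP_WEBFLOW, model));
    }

    /**
     * Reads a request parameter and HTML-escapes it so it can be rendered in a view.
     *
     * @param request the request to read from
     * @param name    the parameter name
     * @return the escaped value, or {@code null} when the parameter is absent
     */
    private static String escapedParameter(final HttpServletRequest request, final String name) {
        return StringEscapeUtils.escapeHtml4(request.getParameter(name));
    }

    /**
     * Tells whether the request is a delegated logout request, i.e. carries the pac4j
     * logout-endpoint parameter. Such requests skip the single sign-on checks in
     * {@link #doExecute} and the service restoration in
     * {@link #restoreAuthenticationRequestInContext}.
     *
     * @param httpServletRequest the current request
     * @return {@code true} when the logout-endpoint parameter is present
     */
    protected static boolean isLogoutRequest(final HttpServletRequest httpServletRequest) {
        return httpServletRequest.getParameter(Pac4jConstants.LOGOUT_ENDPOINT_PARAMETER) != null;
    }

    /**
     * Handles the callback from a delegated client.
     * <p>
     * With an existing single sign-on session that is authorized for the requested
     * service, delegation is skipped and the regular CAS flow continues. An existing
     * session that is <em>not</em> authorized for the service is deleted before the
     * delegated credentials are processed. A callback that reports an error (see
     * {@link #hasDelegationRequestFailed}) is rejected. pac4j redirects ({@link HttpAction})
     * are written to the response; any other failure stops the webflow.
     *
     * @param requestContext the webflow request context
     * @return the resolved webflow event
     * @throws UnauthorizedServiceException when the client cannot be found or is not
     *                                      authorized for the service (re-thrown after logging)
     */
    @Override
    public Event doExecute(final RequestContext requestContext) {
        final HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        final HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        final JEEContext webContext = new JEEContext(request, response, this.configContext.getSessionStore());
        try {
            final String clientName = retrieveClientName(webContext);
            LOGGER.trace("Delegated authentication is handled by client name [{}]", clientName);
            Service service = null;
            if (!isLogoutRequest(request) && singleSignOnSessionExists(requestContext) && StringUtils.isNotBlank(clientName)) {
                LOGGER.trace("Found existing single sign-on session");
                service = populateContextWithService(requestContext, webContext, clientName);
                if (singleSignOnSessionAuthorizedForService(requestContext)) {
                    LOGGER.debug("Skipping delegation and routing back to CAS authentication flow with providers [{}]",
                        this.configContext.getDelegatedClientIdentityProvidersFunction().apply(requestContext));
                    return super.doExecute(requestContext);
                }
                // The existing session may not be used for this service: discard it before delegating.
                LOGGER.debug("Single sign-on session is unauthorized for service [{}]", resolveServiceFromRequestContext(requestContext));
                this.configContext.getCentralAuthenticationService().deleteTicket(WebUtils.getTicketGrantingTicketId(requestContext));
            }
            if (hasDelegationRequestFailed(request, response.getStatus()).isPresent()) {
                throw new IllegalArgumentException("Delegated authentication has failed with client " + clientName);
            }
            if (StringUtils.isNotBlank(clientName)) {
                if (service == null) {
                    service = populateContextWithService(requestContext, webContext, clientName);
                }
                final BaseClient<Credentials> client = findDelegatedClientByName(request, clientName, service);
                populateContextWithClientCredential(client, webContext, requestContext);
                return super.doExecute(requestContext);
            }
            LOGGER.trace("Delegated authentication providers are finalized as [{}]",
                this.configContext.getDelegatedClientIdentityProvidersFunction().apply(requestContext));
            WebUtils.createCredential(requestContext);
            if (response.getStatus() == HttpStatus.UNAUTHORIZED.value()) {
                throw new UnauthorizedAuthenticationException("Authentication is not authorized: " + response.getStatus());
            }
            return error();
        } catch (final UnauthorizedServiceException e) {
            LOGGER.warn(e.getMessage(), e);
            throw e;
        } catch (final HttpAction e) {
            // pac4j signals redirects and similar responses via exceptions; they are expected.
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug(e.getMessage(), e);
            } else {
                LOGGER.info(e.getMessage());
            }
            JEEHttpActionAdapter.INSTANCE.adapt(e, webContext);
            return isLogoutRequest(request) ? error() : success();
        } catch (final Exception e) {
            LoggingUtils.error(LOGGER, e);
            return stopWebflow(e, requestContext);
        }
    }

    /**
     * Reads the delegated client name from the request.
     *
     * @param webContext the pac4j web context
     * @return the client name, or {@code null} when the parameter is absent
     */
    protected String retrieveClientName(final WebContext webContext) {
        return webContext.getRequestParameter(Pac4jConstants.DEFAULT_CLIENT_NAME_PARAMETER).orElse(null);
    }

    /**
     * When session replication with automatic cookie-path configuration is enabled and no
     * cookie path is set yet, derives the path from the servlet context path. Kept public
     * for compatibility with callers of the decompiled class (the framework declares it
     * protected).
     *
     * @param requestContext the webflow request context
     * @return the event produced by the superclass
     * @throws Exception propagated from the superclass
     */
    @Override
    public Event doPreExecute(final RequestContext requestContext) throws Exception {
        final var casProperties = this.configContext.getCasProperties();
        if (casProperties.getAuthn().getPac4j().isReplicateSessions()
            && casProperties.getSessionReplication().getCookie().isAutoConfigureCookiePath()) {
            final String contextPath = requestContext.getExternalContext().getContextPath();
            final String derivedCookiePath = StringUtils.isNotBlank(contextPath) ? contextPath + "/" : "/";
            final String currentCookiePath = this.configContext.getCookieGenerator().getCookiePath();
            if (StringUtils.isBlank(currentCookiePath)) {
                LOGGER.debug("Setting path for cookies for distributed session cookie generator to: [{}]", derivedCookiePath);
                this.configContext.getCookieGenerator().setCookiePath(derivedCookiePath);
            } else {
                LOGGER.trace("Delegated authentication cookie domain is [{}] with path [{}]",
                    this.configContext.getCookieGenerator().getCookieDomain(), currentCookiePath);
            }
        }
        return super.doPreExecute(requestContext);
    }

    /**
     * Restores the original authentication request, resolves the registered service for it
     * and records both in the webflow context.
     *
     * @param requestContext the webflow request context
     * @param jEEContext     the pac4j web context
     * @param str            the delegated client name
     * @return the restored service ({@code null} for logout requests)
     * @throws UnauthorizedServiceException when the client cannot be located
     */
    protected Service populateContextWithService(final RequestContext requestContext, final JEEContext jEEContext, final String str) {
        final Service restoredService = restoreAuthenticationRequestInContext(requestContext, jEEContext, str);
        final Service resolvedService =
            this.configContext.getAuthenticationRequestServiceSelectionStrategies().resolveService(restoredService);
        LOGGER.trace("Authentication is resolved by service request from [{}]", restoredService);
        final RegisteredService registeredService = this.configContext.getServicesManager().findServiceBy(resolvedService);
        LOGGER.trace("Located registered service [{}] mapped to resolved service [{}]", registeredService, resolvedService);
        WebUtils.putRegisteredService(requestContext, registeredService);
        WebUtils.putServiceIntoFlowScope(requestContext, restoredService);
        return restoredService;
    }

    /**
     * Fetches the credentials from the delegated client and stores them in the webflow
     * context as a {@link ClientCredential}.
     *
     * @param baseClient     the delegated client
     * @param jEEContext     the pac4j web context
     * @param requestContext the webflow request context
     * @throws IllegalArgumentException when the client yields no credentials
     */
    protected void populateContextWithClientCredential(final BaseClient<Credentials> baseClient,
                                                       final JEEContext jEEContext,
                                                       final RequestContext requestContext) {
        LOGGER.debug("Fetching credentials from delegated client [{}]", baseClient);
        final Credentials credentials = getCredentialsFromDelegatedClient(jEEContext, baseClient);
        final ClientCredential clientCredential = new ClientCredential(credentials, baseClient.getName());
        LOGGER.info("Credentials are successfully authenticated using the delegated client [{}]", baseClient.getName());
        WebUtils.putCredential(requestContext, clientCredential);
    }

    /**
     * Asks the delegated client for the credentials carried by the callback.
     *
     * @param jEEContext the pac4j web context
     * @param baseClient the delegated client
     * @return the credentials
     * @throws IllegalArgumentException when the client returns none
     */
    protected Credentials getCredentialsFromDelegatedClient(final JEEContext jEEContext, final BaseClient<Credentials> baseClient) {
        final Optional<Credentials> credentials = baseClient.getCredentials(jEEContext);
        LOGGER.debug("Retrieved credentials from client as [{}]", credentials);
        return credentials.orElseThrow(() -> new IllegalArgumentException(
            "Unable to determine credentials from the context with client " + baseClient.getName()));
    }

    /**
     * Locates the delegated client by name and, when a service is known, verifies the
     * client is authorized for that service before initializing it.
     *
     * @param httpServletRequest the current request; receives the service id as an attribute
     * @param str                the client name from the request
     * @param service            the service being authenticated, may be {@code null}
     * @return the initialized client
     * @throws UnauthorizedServiceException when the client is unknown or not authorized for the service
     */
    protected BaseClient<Credentials> findDelegatedClientByName(final HttpServletRequest httpServletRequest,
                                                                final String str,
                                                                final Service service) {
        final Optional<Client> located = this.configContext.getClients().findClient(str);
        if (located.isEmpty()) {
            LOGGER.warn("Delegated client [{}] can not be located", str);
            throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "");
        }
        @SuppressWarnings("unchecked")
        final BaseClient<Credentials> baseClient = (BaseClient<Credentials>) BaseClient.class.cast(located.get());
        LOGGER.debug("Delegated authentication client is [{}] with service [{}]", baseClient, service);
        if (service != null) {
            httpServletRequest.setAttribute(SERVICE_ATTRIBUTE, service.getId());
            // Access-strategy check: the service must allow this delegated client.
            if (!isDelegatedClientAuthorizedForService(baseClient, service)) {
                LOGGER.warn("Delegated client [{}] is not authorized by service [{}]", baseClient, service);
                throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "");
            }
        }
        baseClient.init();
        return baseClient;
    }

    /**
     * Records the failure in flash scope and produces the webflow "stop" transition.
     *
     * @param exc            the failure
     * @param requestContext the webflow request context
     * @return the stop event carrying the exception under {@code error}
     */
    protected Event stopWebflow(final Exception exc, final RequestContext requestContext) {
        requestContext.getFlashScope().put(TransitionExecutingFlowExecutionExceptionHandler.ROOT_CAUSE_EXCEPTION_ATTRIBUTE, exc);
        return new Event(this, CasWebflowConstants.TRANSITION_ID_STOP, new LocalAttributeMap("error", exc));
    }

    /**
     * Restores the service that started the delegated authentication from the webflow
     * manager, keyed by the delegated client.
     * <p>
     * A client lookup that throws is logged and then treated exactly like an unknown
     * client: the request is rejected as unauthorized. Previously the lookup result
     * was read after the exception was swallowed, leaving it undefined.
     *
     * @param requestContext the webflow request context
     * @param jEEContext     the pac4j web context
     * @param str            the delegated client name
     * @return the restored service, or {@code null} for logout requests
     * @throws UnauthorizedServiceException when the client cannot be located
     */
    protected Service restoreAuthenticationRequestInContext(final RequestContext requestContext,
                                                            final JEEContext jEEContext,
                                                            final String str) {
        if (isLogoutRequest(jEEContext.getNativeRequest())) {
            return null;
        }
        Optional<Client> located = Optional.empty();
        try {
            located = this.configContext.getClients().findClient(str);
        } catch (final Exception e) {
            // Fail closed: a failed lookup is handled as "client not found" below.
            LoggingUtils.error(LOGGER, e);
        }
        if (located.isPresent()) {
            final Client client = BaseClient.class.cast(located.get());
            return this.configContext.getDelegatedClientWebflowManager().retrieve(requestContext, jEEContext, client);
        }
        LOGGER.warn("Unable to locate client [{}] in registered clients", str);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "");
    }

    /**
     * Decides whether the existing single sign-on session may be reused for the requested
     * service: the access strategy must authorize the session's authentication for the
     * service, and the participation strategy must support and allow participation.
     *
     * @param requestContext the webflow request context
     * @return {@code true} when the session can be reused
     */
    protected boolean singleSignOnSessionAuthorizedForService(final RequestContext requestContext) {
        final Service service = resolveServiceFromRequestContext(requestContext);
        final boolean authorizedBySessionAuthentication = getSingleSignOnAuthenticationFrom(requestContext)
            .map(authentication -> this.configContext.getDelegatedAuthenticationAccessStrategyHelper()
                .isDelegatedClientAuthorizedForAuthentication(authentication, service))
            .orElse(Boolean.FALSE);
        final SingleSignOnParticipationStrategy participation = this.configContext.getSingleSignOnParticipationStrategy();
        return authorizedBySessionAuthentication
            && participation.supports(requestContext)
            && participation.isParticipating(requestContext);
    }

    /**
     * Checks for a usable single sign-on session. When a valid ticket-granting ticket is
     * found, its authentication and an authentication-result builder are recorded in the
     * webflow context as a side effect, and the participation strategy decides the result.
     * Ticket lookup failures are traced and treated as "no session".
     *
     * @param requestContext the webflow request context
     * @return {@code true} when a participating single sign-on session exists
     */
    protected boolean singleSignOnSessionExists(final RequestContext requestContext) {
        try {
            final Optional<Authentication> ssoAuthentication = getSingleSignOnAuthenticationFrom(requestContext);
            if (ssoAuthentication.isPresent()) {
                LOGGER.trace("Located a valid ticket-granting ticket. Examining existing single sign-on session strategies...");
                final Authentication authentication = ssoAuthentication.get();
                final AuthenticationResultBuilder resultBuilder =
                    this.configContext.getAuthenticationSystemSupport().establishAuthenticationContextFromInitial(authentication);
                LOGGER.trace("Recording and tracking initial authentication results in the request context");
                WebUtils.putAuthenticationResultBuilder(resultBuilder, requestContext);
                WebUtils.putAuthentication(authentication, requestContext);
                final SingleSignOnParticipationStrategy participation = this.configContext.getSingleSignOnParticipationStrategy();
                return participation.supports(requestContext) && participation.isParticipating(requestContext);
            }
        } catch (final AbstractTicketException e) {
            LOGGER.trace("Could not retrieve ticket id [{}] from registry.", e.getMessage());
        }
        LOGGER.trace("Ticket-granting ticket found in the webflow context is invalid or has expired");
        return false;
    }

    /**
     * Resolves the service in the webflow context through the configured selection strategies.
     *
     * @param requestContext the webflow request context
     * @return the resolved service
     */
    private Service resolveServiceFromRequestContext(final RequestContext requestContext) {
        final Service requested = WebUtils.getService(requestContext);
        return this.configContext.getAuthenticationRequestServiceSelectionStrategies().resolveService(requested);
    }

    /**
     * Looks up the ticket-granting ticket named in the webflow context and returns its
     * authentication when the ticket exists and has not expired.
     *
     * @param requestContext the webflow request context
     * @return the session's authentication, or empty when there is no valid ticket
     */
    private Optional<Authentication> getSingleSignOnAuthenticationFrom(final RequestContext requestContext) {
        final String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(requestContext);
        if (StringUtils.isBlank(ticketGrantingTicketId)) {
            LOGGER.trace("No ticket-granting ticket could be located in the webflow context");
            return Optional.empty();
        }
        final TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) this.configContext
            .getCentralAuthenticationService().getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        if (ticketGrantingTicket == null || ticketGrantingTicket.isExpired()) {
            return Optional.empty();
        }
        LOGGER.trace("Located a valid ticket-granting ticket");
        return Optional.of(ticketGrantingTicket.getAuthentication());
    }

    /**
     * Delegates the "is this client allowed for this service" decision to the access-strategy helper.
     *
     * @param client  the delegated client
     * @param service the service being authenticated
     * @return {@code true} when the service's access strategy permits the client
     */
    private boolean isDelegatedClientAuthorizedForService(final Client<Credentials> client, final Service service) {
        return this.configContext.getDelegatedAuthenticationAccessStrategyHelper().isDelegatedClientAuthorizedForService(client, service);
    }

    /**
     * @return the configuration context this action was built with
     */
    @Generated
    public DelegatedClientAuthenticationConfigurationContext getConfigContext() {
        return this.configContext;
    }
}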
