package org.apereo.cas.oidc.profile;

import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Stream;
import lombok.Generated;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.oidc.OidcProperties;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.oidc.claims.BaseOidcScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.claims.OidcCustomScopeAttributeReleasePolicy;
import org.apereo.cas.oidc.scopes.OidcAttributeReleasePolicyFactory;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicyContext;
import org.apereo.cas.support.oauth.profile.DefaultOAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.util.ReflectionUtils;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.ClassUtils;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/profile/OidcProfileScopeToAttributesFilter.class */
public class OidcProfileScopeToAttributesFilter extends DefaultOAuth20ProfileScopeToAttributesFilter {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) OidcProfileScopeToAttributesFilter.class);
    private final Map<String, BaseOidcScopeAttributeReleasePolicy> attributeReleasePolicies = new LinkedHashMap();
    private final PrincipalFactory principalFactory;
    private final CasConfigurationProperties casProperties;
    private final Collection<OidcCustomScopeAttributeReleasePolicy> userScopes;

    public OidcProfileScopeToAttributesFilter(PrincipalFactory principalFactory, CasConfigurationProperties casConfigurationProperties, OidcAttributeReleasePolicyFactory oidcAttributeReleasePolicyFactory) {
        this.principalFactory = principalFactory;
        this.casProperties = casConfigurationProperties;
        this.userScopes = oidcAttributeReleasePolicyFactory.getUserDefinedScopes();
        configureAttributeReleasePoliciesByScope();
    }

    @Override // org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter
    public Principal filter(Service service, Principal principal, RegisteredService registeredService, OAuth20AccessToken oAuth20AccessToken) {
        Principal filter = super.filter(service, principal, registeredService, oAuth20AccessToken);
        if (!(registeredService instanceof OidcRegisteredService)) {
            return filter;
        }
        LinkedHashSet linkedHashSet = new LinkedHashSet(oAuth20AccessToken.getScopes());
        if (!linkedHashSet.contains(OidcConstants.StandardScopes.OPENID.getScope())) {
            LOGGER.warn("Request does not indicate a scope [{}] that can identify an OpenID Connect request. This is a REQUIRED scope that MUST be present in the request. Given its absence, CAS will not process any attribute claims and will return the authenticated principal as is.", linkedHashSet);
            return this.principalFactory.createPrincipal(principal.getId());
        }
        linkedHashSet.retainAll(this.casProperties.getAuthn().getOidc().getDiscovery().getScopes());
        LOGGER.debug("Collection of scopes filtered based on discovery settings are [{}]", linkedHashSet);
        OidcRegisteredService oidcRegisteredService = (OidcRegisteredService) registeredService;
        Map<String, List<Object>> attributesAllowedForService = getAttributesAllowedForService(linkedHashSet, filter, service, oidcRegisteredService, oAuth20AccessToken);
        LOGGER.debug("Collection of attributes filtered by scopes [{}] are [{}]", linkedHashSet, attributesAllowedForService);
        filterAttributesByAccessTokenRequestedClaims(oidcRegisteredService, oAuth20AccessToken, filter, attributesAllowedForService);
        LOGGER.debug("Final collection of attributes are [{}]", attributesAllowedForService);
        return this.principalFactory.createPrincipal(principal.getId(), attributesAllowedForService);
    }

    protected void filterAttributesByAccessTokenRequestedClaims(OidcRegisteredService oidcRegisteredService, OAuth20AccessToken oAuth20AccessToken, Principal principal, Map<String, List<Object>> map) {
        Set<String> parseUserInfoRequestClaims = OAuth20Utils.parseUserInfoRequestClaims(oAuth20AccessToken);
        if (parseUserInfoRequestClaims.isEmpty()) {
            LOGGER.trace("No userinfo requested claims are available");
            return;
        }
        Map<String, List<Object>> attributes = oAuth20AccessToken.getTicketGrantingTicket().getAuthentication().getPrincipal().getAttributes();
        LOGGER.debug("Requested user-info claims [{}] are compared against principal attributes [{}]", parseUserInfoRequestClaims, attributes);
        Stream<String> stream = parseUserInfoRequestClaims.stream();
        Objects.requireNonNull(attributes);
        stream.filter((v1) -> {
            return r1.containsKey(v1);
        }).forEach(str -> {
            map.put(str, (List) attributes.get(str));
        });
    }

    protected Map<String, List<Object>> filterAttributesByScope(Collection<String> collection, Principal principal, Service service, RegisteredService registeredService, OAuth20AccessToken oAuth20AccessToken) {
        if (collection.isEmpty()) {
            Map<String, List<Object>> attributes = principal.getAttributes();
            LOGGER.trace("No defined scopes are available to instruct attribute release policies for [{}]. CAS will authorize the collection of resolved attributes [{}] for release to [{}]", registeredService.getServiceId(), attributes, service.getId());
            return attributes;
        }
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        Stream<String> distinct = collection.stream().distinct();
        Map<String, BaseOidcScopeAttributeReleasePolicy> map = this.attributeReleasePolicies;
        Objects.requireNonNull(map);
        Stream<R> map2 = distinct.filter((v1) -> {
            return r1.containsKey(v1);
        }).map(str -> {
            BaseOidcScopeAttributeReleasePolicy baseOidcScopeAttributeReleasePolicy = this.attributeReleasePolicies.get(str);
            Map<String, List<Object>> attributes2 = baseOidcScopeAttributeReleasePolicy.getAttributes(RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(registeredService).service(service).principal(principal).build());
            LOGGER.debug("Calculated attributes [{}] via attribute release policy [{}]", attributes2, baseOidcScopeAttributeReleasePolicy.getName());
            return attributes2;
        });
        Objects.requireNonNull(linkedHashMap);
        map2.forEach(linkedHashMap::putAll);
        return linkedHashMap;
    }

    protected void configureAttributeReleasePoliciesByScope() {
        OidcProperties oidc = this.casProperties.getAuthn().getOidc();
        ReflectionUtils.findSubclassesInPackage(BaseOidcScopeAttributeReleasePolicy.class, BaseOidcScopeAttributeReleasePolicy.class.getPackage().getName()).forEach(Unchecked.consumer(cls -> {
            if (ClassUtils.hasConstructor(cls, new Class[0])) {
                BaseOidcScopeAttributeReleasePolicy baseOidcScopeAttributeReleasePolicy = (BaseOidcScopeAttributeReleasePolicy) cls.getDeclaredConstructor(new Class[0]).newInstance(new Object[0]);
                if (!oidc.getDiscovery().getScopes().contains(baseOidcScopeAttributeReleasePolicy.getScopeType())) {
                    LOGGER.debug("OpenID Connect scope [{}] is not configured for use and will be ignored", baseOidcScopeAttributeReleasePolicy.getScopeType());
                } else {
                    LOGGER.trace("Found standard OpenID Connect scope [{}] to filter attributes", baseOidcScopeAttributeReleasePolicy.getScopeType());
                    this.attributeReleasePolicies.put(baseOidcScopeAttributeReleasePolicy.getScopeType(), baseOidcScopeAttributeReleasePolicy);
                }
            }
        }));
        if (this.userScopes.isEmpty()) {
            return;
        }
        LOGGER.debug("Configuring attributes release policies for user-defined scopes [{}]", this.userScopes);
        this.userScopes.forEach(oidcCustomScopeAttributeReleasePolicy -> {
            this.attributeReleasePolicies.put(oidcCustomScopeAttributeReleasePolicy.getScopeName(), oidcCustomScopeAttributeReleasePolicy);
        });
    }

    /* JADX WARN: Type inference failed for: r0v10, types: [org.apereo.cas.services.RegisteredServiceAttributeReleasePolicyContext$RegisteredServiceAttributeReleasePolicyContextBuilder] */
    private Map<String, List<Object>> getAttributesAllowedForService(Collection<String> collection, Principal principal, Service service, OidcRegisteredService oidcRegisteredService, OAuth20AccessToken oAuth20AccessToken) {
        Set<String> scopes = oidcRegisteredService.getScopes();
        LOGGER.trace("Scopes assigned to service definition [{}] are [{}]", oidcRegisteredService.getName(), scopes);
        if (scopes.isEmpty() || (scopes.size() == 1 && scopes.contains(OidcConstants.StandardScopes.OPENID.getScope()))) {
            LOGGER.trace("Service definition [{}] invokes the assigned attribute release policy without using scopes", oidcRegisteredService.getName());
            return oidcRegisteredService.getAttributeReleasePolicy().getAttributes(RegisteredServiceAttributeReleasePolicyContext.builder().registeredService(oidcRegisteredService).service(service).principal(principal).build());
        }
        collection.retainAll(scopes);
        LOGGER.trace("Service definition [{}] will filter attributes based on scopes [{}]", oidcRegisteredService.getName(), collection);
        return filterAttributesByScope(collection, principal, service, oidcRegisteredService, oAuth20AccessToken);
    }
}
