package org.apereo.cas.azure.ad.authentication;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.microsoft.aad.msal4j.ClientCredentialFactory;
import com.microsoft.aad.msal4j.ClientCredentialParameters;
import com.microsoft.aad.msal4j.ConfidentialClientApplication;
import com.microsoft.aad.msal4j.IAuthenticationResult;
import com.microsoft.aad.msal4j.PublicClientApplication;
import com.microsoft.aad.msal4j.UserNamePasswordParameters;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.login.FailedLoginException;
import lombok.Generated;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.configuration.model.support.azuread.AzureActiveDirectoryAuthenticationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.serialization.JacksonObjectMapperFactory;
import org.apereo.cas.util.spring.SpringExpressionLanguageValueResolver;
import org.hjson.JsonValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;

/* loaded from: input_file:org/apereo/cas/azure/ad/authentication/AzureActiveDirectoryAuthenticationHandler.class */
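/**
 * Authenticates a username/password credential against Azure Active Directory through MSAL4J and
 * builds the CAS principal from the user's Microsoft Graph profile.
 * <p>
 * The password is always proven with the resource-owner-password flow
 * ({@link UserNamePasswordParameters}) on a public client. When a client secret is configured, the
 * Graph lookup is then performed with an application token obtained through the client-credentials
 * flow rather than with the user's own token.
 * <p>
 * Security notes: access tokens are never written to the log, and the username is percent-encoded
 * before it is placed into the Graph request path.
 */
public class AzureActiveDirectoryAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AzureActiveDirectoryAuthenticationHandler.class);

    /** Graph responses are mapped with single values coerced to arrays so every attribute becomes a list. */
    private static final ObjectMapper MAPPER = JacksonObjectMapperFactory.builder().singleValueAsArray(true).build().toObjectMapper();

    private final AzureActiveDirectoryAuthenticationProperties properties;

    /**
     * Creates the handler.
     *
     * @param servicesManager  the services manager passed to the base handler
     * @param principalFactory factory used to build the authenticated principal
     * @param azureActiveDirectoryAuthenticationProperties Azure AD settings (client id/secret, tenant, login URL, resource, scope)
     */
    public AzureActiveDirectoryAuthenticationHandler(ServicesManager servicesManager, PrincipalFactory principalFactory, AzureActiveDirectoryAuthenticationProperties azureActiveDirectoryAuthenticationProperties) {
        super(azureActiveDirectoryAuthenticationProperties.getName(), servicesManager, principalFactory, Integer.valueOf(azureActiveDirectoryAuthenticationProperties.getOrder()));
        this.properties = azureActiveDirectoryAuthenticationProperties;
    }

    /**
     * Fetches the user's profile from {@code <resource>/v1.0/users/<username>} using the given token.
     *
     * @param authenticationResult MSAL result whose access token is sent as a bearer token
     * @param username             the login username, used as the Graph user identifier
     * @return the raw JSON body returned by Graph
     * @throws FailedLoginException when Graph answers with a non-2xx status
     * @throws Exception            on I/O or URL errors
     */
    private String getUserInfoFromGraph(IAuthenticationResult authenticationResult, String username) throws Exception {
        // The username comes straight from the login form. Encode it as a single path segment so
        // characters such as '/', '?' or '#' cannot alter the Graph request path. URLEncoder produces
        // '+' for spaces, which is not a valid path encoding, so map it to %20.
        String userSegment = URLEncoder.encode(username, StandardCharsets.UTF_8.name()).replace("+", "%20");
        String baseUrl = StringUtils.appendIfMissing(this.properties.getResource(), "/");
        URL url = new URI(baseUrl + "v1.0/users/" + userSegment).toURL();

        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        try {
            connection.setRequestMethod("GET");
            connection.setRequestProperty("Authorization", "Bearer " + authenticationResult.accessToken());
            connection.setRequestProperty("Accept", "application/json");
            // NOTE(review): no connect/read timeout is configured, so a stalled Graph endpoint blocks the
            // login thread; the properties object exposes no timeout setting here to wire in.
            // The bearer token is a credential and is deliberately kept out of the log.
            LOGGER.debug("Fetching user info from [{}]", url.toExternalForm());

            int responseCode = connection.getResponseCode();
            // A plain range check: HttpStatus.valueOf() throws for status codes it does not know,
            // which would surface as a generic failure instead of the status-bearing message below.
            if (responseCode >= 200 && responseCode < 300) {
                try (InputStream body = connection.getInputStream()) {
                    return IOUtils.toString(body, StandardCharsets.UTF_8);
                }
            }
            throw new FailedLoginException(String.format("Failed: status %s with message: %s", Integer.valueOf(responseCode), connection.getResponseMessage()));
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Verifies the user's password against Azure AD and returns the token to use for the Graph lookup.
     * <p>
     * The password is always validated with the resource-owner-password flow on a
     * {@link PublicClientApplication}. Without a client secret that user token is returned as-is.
     * With a client secret configured, an application token for {@code <resource>/.default} is
     * acquired through the client-credentials flow and returned instead, since that is the token the
     * Graph user lookup is performed with. Previously a configured client secret skipped the password
     * check entirely, so any password was accepted for any existing username.
     * <p>
     * NOTE(review): the ROPC step presumably requires the app registration to allow public client
     * flows; deployments that only ever used the client-secret path should confirm this.
     *
     * @param username the login username (UPN)
     * @param password the login password
     * @return the MSAL authentication result whose access token is used against Graph
     * @throws Exception when either token acquisition fails (MSAL failures surface wrapped by {@code get()})
     */
    protected IAuthenticationResult getAccessTokenFromUserCredentials(String username, String password) throws Exception {
        SpringExpressionLanguageValueResolver resolver = SpringExpressionLanguageValueResolver.getInstance();
        String clientId = resolver.resolve(this.properties.getClientId());
        String tenant = resolver.resolve(this.properties.getTenant());
        Set<String> scopes = org.springframework.util.StringUtils.commaDelimitedListToSet(this.properties.getScope());

        // Step 1: prove the password. This is the only flow in this handler that checks it.
        PublicClientApplication userApplication = PublicClientApplication.builder(clientId)
            .authority(this.properties.getLoginUrl())
            .validateAuthority(true)
            .build();
        UserNamePasswordParameters userParameters = UserNamePasswordParameters.builder(scopes, username, password.toCharArray())
            .tenant(tenant)
            .build();
        LOGGER.debug("Acquiring token for [{}] with tenant [{}] scopes [{}]", username, this.properties.getTenant(), scopes);
        IAuthenticationResult userToken = userApplication.acquireToken(userParameters).get();

        if (StringUtils.isBlank(this.properties.getClientSecret())) {
            return userToken;
        }

        // Step 2 (client secret configured): swap to an application token for the Graph lookup.
        String clientSecret = resolver.resolve(this.properties.getClientSecret());
        ConfidentialClientApplication application = ConfidentialClientApplication.builder(clientId, ClientCredentialFactory.createFromSecret(clientSecret))
            .authority(this.properties.getLoginUrl())
            .validateAuthority(true)
            .build();
        String resource = StringUtils.appendIfMissing(this.properties.getResource(), "/").concat(".default");
        // The tenant is resolved through SpEL here as well, matching the user flow above.
        ClientCredentialParameters applicationParameters = ClientCredentialParameters.builder(Set.of(resource))
            .tenant(tenant)
            .build();
        LOGGER.debug("Acquiring token for [{}] with tenant [{}] for resource [{}]", username, this.properties.getTenant(), resource);
        return application.acquireToken(applicationParameters).get();
    }

    /**
     * Authenticates the credential against Azure AD and builds a principal whose attributes are the
     * (non-empty) fields of the user's Graph profile, each normalised to a list.
     *
     * @param credential       the username/password credential
     * @param originalPassword the password prior to any transformation (unused; the credential's password is used)
     * @return the handler result carrying the principal
     * @throws FailedLoginException when token acquisition, the Graph call or response parsing fails
     * @throws Throwable            per the base-class contract
     */
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(UsernamePasswordCredential credential, String originalPassword) throws Throwable {
        try {
            String username = credential.getUsername();
            LOGGER.trace("Fetching token for [{}]", username);
            IAuthenticationResult token = getAccessTokenFromUserCredentials(username, credential.toPassword());
            // Log the event, not the token: an access token in the log is a reusable credential.
            LOGGER.debug("Retrieved token for [{}]", username);

            String userInfo = getUserInfoFromGraph(token, username);
            LOGGER.trace("Retrieved user info [{}]", userInfo);
            // Graph returns JSON; it is passed through the hjson reader before Jackson, as before.
            Map graphUser = (Map) MAPPER.readValue(JsonValue.readHjson(userInfo).toString(), Map.class);

            // Raw types are kept so the map is accepted by whichever attribute-map signature
            // the principal factory declares; every value becomes a list and empty lists are dropped.
            HashMap attributes = new HashMap(graphUser.size());
            graphUser.forEach((name, value) -> {
                ArrayList values = (ArrayList) CollectionUtils.toCollection(value, ArrayList.class);
                if (!values.isEmpty()) {
                    attributes.put(name, values);
                }
            });

            Principal principal = this.principalFactory.createPrincipal(username, attributes);
            LOGGER.debug("Created principal for id [{}] and [{}] attributes", username, attributes);
            return createHandlerResult(credential, principal, new ArrayList());
        } catch (Exception e) {
            // CompletableFuture.get() may throw InterruptedException; keep the thread's interrupt flag set.
            if (e instanceof InterruptedException) {
                Thread.currentThread().interrupt();
            }
            LoggingUtils.error(LOGGER, e);
            throw new FailedLoginException("Invalid credentials: " + e.getMessage());
        }
    }
}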
