package org.apereo.cas.web.flow.actions;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.principal.ClientCredential;
import org.apereo.cas.authentication.principal.DelegatedAuthenticationCandidateProfile;
import org.apereo.cas.authentication.principal.DelegatedClientAuthenticationCredentialResolver;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.model.support.replication.SessionReplicationProperties;
import org.apereo.cas.logout.slo.SingleLogoutContinuation;
import org.apereo.cas.pac4j.client.DelegatedClientAuthenticationFailureEvaluator;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.spring.beans.BeanSupplier;
import org.apereo.cas.web.flow.DelegatedAuthenticationSingleSignOnEvaluator;
import org.apereo.cas.web.flow.DelegatedClientAuthenticationConfigurationContext;
import org.apereo.cas.web.flow.DelegatedClientAuthenticationWebflowManager;
import org.apereo.cas.web.flow.DelegationWebflowUtils;
import org.apereo.cas.web.support.WebUtils;
import org.jooq.lambda.Unchecked;
import org.pac4j.core.client.BaseClient;
import org.pac4j.core.client.Client;
import org.pac4j.core.context.CallContext;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.exception.http.AutomaticFormPostAction;
import org.pac4j.core.exception.http.HttpAction;
import org.pac4j.core.exception.http.WithContentAction;
import org.pac4j.jee.context.JEEContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;
import org.springframework.http.HttpMethod;
import org.springframework.webflow.core.collection.LocalAttributeMap;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/apereo/cas/web/flow/actions/DelegatedClientAuthenticationAction.class */
public class DelegatedClientAuthenticationAction extends AbstractAuthenticationAction {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatedClientAuthenticationAction.class);
    protected final DelegatedClientAuthenticationConfigurationContext configContext;
    private final DelegatedClientAuthenticationWebflowManager delegatedClientAuthenticationWebflowManager;
    private final DelegatedClientAuthenticationFailureEvaluator failureEvaluator;
    private final DelegatedAuthenticationSingleSignOnEvaluator ssoEvaluator;

    public DelegatedClientAuthenticationAction(DelegatedClientAuthenticationConfigurationContext delegatedClientAuthenticationConfigurationContext, DelegatedClientAuthenticationWebflowManager delegatedClientAuthenticationWebflowManager, DelegatedClientAuthenticationFailureEvaluator delegatedClientAuthenticationFailureEvaluator) {
        super(delegatedClientAuthenticationConfigurationContext.getInitialAuthenticationAttemptWebflowEventResolver(), delegatedClientAuthenticationConfigurationContext.getServiceTicketRequestWebflowEventResolver(), delegatedClientAuthenticationConfigurationContext.getAdaptiveAuthenticationPolicy());
        this.configContext = delegatedClientAuthenticationConfigurationContext;
        this.failureEvaluator = delegatedClientAuthenticationFailureEvaluator;
        this.delegatedClientAuthenticationWebflowManager = delegatedClientAuthenticationWebflowManager;
        this.ssoEvaluator = new DelegatedAuthenticationSingleSignOnEvaluator(delegatedClientAuthenticationConfigurationContext);
    }

    protected Event doExecuteInternal(RequestContext requestContext) {
        HttpServletRequest httpServletRequestFromExternalWebflowContext = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        HttpServletResponse httpServletResponseFromExternalWebflowContext = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        JEEContext jEEContext = new JEEContext(httpServletRequestFromExternalWebflowContext, httpServletResponseFromExternalWebflowContext);
        String retrieveClientName = retrieveClientName(jEEContext);
        Service restoreAuthenticationRequestInContext = StringUtils.isNotBlank(retrieveClientName) ? restoreAuthenticationRequestInContext(requestContext, retrieveClientName) : null;
        Optional<ClientCredential> extractClientCredential = extractClientCredential(requestContext, retrieveClientName);
        boolean isLogoutRequest = isLogoutRequest(extractClientCredential);
        try {
            LOGGER.trace("Delegated authentication is handled by client name [{}]", retrieveClientName);
            if (StringUtils.isNotBlank(retrieveClientName) && !isLogoutRequest && !DelegationWebflowUtils.hasDelegatedClientAuthenticationCandidateProfile(requestContext) && this.ssoEvaluator.singleSignOnSessionExists(requestContext)) {
                LOGGER.trace("Found an existing single sign-on session");
                restoreAuthenticationRequestInContext = populateContextWithService(requestContext, restoreAuthenticationRequestInContext);
                if (this.ssoEvaluator.singleSignOnSessionAuthorizedForService(requestContext)) {
                    LOGGER.debug("Skipping delegation and routing back to CAS authentication flow with providers [{}]", this.configContext.getDelegatedClientIdentityProvidersProducer().produce(requestContext));
                    return super.doExecuteInternal(requestContext);
                }
                Service resolveServiceFromRequestContext = this.ssoEvaluator.resolveServiceFromRequestContext(requestContext);
                LOGGER.debug("Single sign-on session in unauthorized for service [{}]", resolveServiceFromRequestContext);
                removeTicketGrantingTicketIfAny(requestContext, retrieveClientName, resolveServiceFromRequestContext);
            } else if (StringUtils.isNotBlank(retrieveClientName) && !isLogoutRequest(extractClientCredential)) {
                LOGGER.debug("Single sign-on session in inactive for service [{}]", restoreAuthenticationRequestInContext);
                removeTicketGrantingTicketIfAny(requestContext, retrieveClientName, restoreAuthenticationRequestInContext);
            }
            if (this.failureEvaluator.evaluate(httpServletRequestFromExternalWebflowContext, httpServletResponseFromExternalWebflowContext.getStatus()).isPresent()) {
                throw new IllegalArgumentException("Delegated authentication has failed with client " + retrieveClientName);
            }
            if (DelegationWebflowUtils.hasDelegatedClientAuthenticationCandidateProfile(requestContext)) {
                WebUtils.putCredential(requestContext, new ClientCredential(retrieveClientName, ((DelegatedAuthenticationCandidateProfile) DelegationWebflowUtils.getDelegatedClientAuthenticationCandidateProfile(requestContext, DelegatedAuthenticationCandidateProfile.class)).toUserProfile(retrieveClientName)));
                return super.doExecuteInternal(requestContext);
            }
            if (!extractClientCredential.isPresent()) {
                if (!StringUtils.isNotBlank(retrieveClientName)) {
                    return getFinalEvent();
                }
                String formatted = "Client %s failed to validate credentials".formatted(retrieveClientName);
                LoggingUtils.error(LOGGER, formatted);
                return stopWebflow(new AuthenticationException(formatted), requestContext);
            }
            Service populateContextWithService = populateContextWithService(requestContext, restoreAuthenticationRequestInContext);
            BaseClient findDelegatedClientByName = findDelegatedClientByName(retrieveClientName);
            verifyClientIsAuthorizedForService(requestContext, populateContextWithService, findDelegatedClientByName);
            DelegationWebflowUtils.putDelegatedAuthenticationClientName(requestContext, findDelegatedClientByName.getName());
            if (isLogoutRequest) {
                throw findDelegatedClientByName.processLogout(new CallContext(jEEContext, this.configContext.getSessionStore()), extractClientCredential.get().getCredentials());
            }
            return finalizeDelegatedClientAuthentication(requestContext, extractClientCredential.get());
        } catch (HttpAction e) {
            FunctionUtils.doIf(LOGGER.isDebugEnabled(), obj -> {
                LOGGER.debug(e.getMessage(), e);
            }, obj2 -> {
                LOGGER.info(e.getMessage());
            }).accept(e);
            SingleLogoutContinuation.SingleLogoutContinuationBuilder builder = SingleLogoutContinuation.builder();
            extractClientCredential.ifPresent(clientCredential -> {
                builder.context(CollectionUtils.wrap(ClientCredential.class.getName(), clientCredential.getClientName()));
            });
            if (e instanceof AutomaticFormPostAction) {
                AutomaticFormPostAction automaticFormPostAction = e;
                builder.method(HttpMethod.POST).url(automaticFormPostAction.getUrl()).data(automaticFormPostAction.getData());
            }
            if (e instanceof WithContentAction) {
                builder.content(((WithContentAction) e).getContent());
            }
            jEEContext.setRequestAttribute(SingleLogoutContinuation.class.getName(), builder.build());
            return isLogoutRequest(extractClientCredential) ? getLogoutEvent(e) : success();
        } catch (UnauthorizedServiceException e2) {
            LOGGER.warn(e2.getMessage(), e2);
            throw e2;
        } catch (Throwable th) {
            LoggingUtils.error(LOGGER, th);
            return stopWebflow(th, requestContext);
        }
    }

    private void removeTicketGrantingTicketIfAny(RequestContext requestContext, String str, Service service) throws Exception {
        String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(requestContext);
        if (ticketGrantingTicketId != null) {
            this.configContext.getTicketRegistry().deleteTicket(ticketGrantingTicketId);
            verifyClientIsAuthorizedForService(requestContext, service, findDelegatedClientByName(str));
        }
    }

    private static boolean isLogoutRequest(Optional<ClientCredential> optional) {
        return optional.isPresent() && !optional.get().getCredentials().isForAuthentication();
    }

    protected Optional<ClientCredential> extractClientCredential(RequestContext requestContext, String str) {
        return (Optional) FunctionUtils.doIfNotBlank(str, () -> {
            BaseClient findDelegatedClientByName = findDelegatedClientByName(str);
            DelegationWebflowUtils.putDelegatedAuthenticationClientName(requestContext, findDelegatedClientByName.getName());
            ClientCredential credential = WebUtils.getCredential(requestContext);
            return credential instanceof ClientCredential ? Optional.of(credential) : populateContextWithClientCredential(findDelegatedClientByName, requestContext);
        }, Optional::empty);
    }

    protected Event finalizeDelegatedClientAuthentication(RequestContext requestContext, ClientCredential clientCredential) throws Throwable {
        ArrayList arrayList = new ArrayList(this.configContext.getApplicationContext().getBeansOfType(DelegatedClientAuthenticationCredentialResolver.class).values());
        AnnotationAwareOrderComparator.sortIfNecessary(arrayList);
        List list = (List) arrayList.stream().filter((v0) -> {
            return BeanSupplier.isNotProxy(v0);
        }).filter(delegatedClientAuthenticationCredentialResolver -> {
            return delegatedClientAuthenticationCredentialResolver.supports(clientCredential);
        }).map(Unchecked.function(delegatedClientAuthenticationCredentialResolver2 -> {
            return delegatedClientAuthenticationCredentialResolver2.resolve(requestContext, clientCredential);
        })).flatMap((v0) -> {
            return v0.stream();
        }).collect(Collectors.toList());
        if (list.isEmpty()) {
            return super.doExecuteInternal(requestContext);
        }
        DelegationWebflowUtils.putDelegatedClientAuthenticationResolvedCredentials(requestContext, list);
        return new Event(this, "select");
    }

    private Event getLogoutEvent(HttpAction httpAction) {
        return new Event(this, "logout", new LocalAttributeMap("action", httpAction));
    }

    private Event getFinalEvent() {
        return new Event(this, "generate");
    }

    protected String retrieveClientName(WebContext webContext) {
        return (String) this.configContext.getDelegatedClientNameExtractor().extract(webContext).orElse("");
    }

    protected Event doPreExecute(RequestContext requestContext) throws Exception {
        SessionReplicationProperties sessionReplication = this.configContext.getCasProperties().getAuthn().getPac4j().getCore().getSessionReplication();
        if (sessionReplication.isReplicateSessions() && sessionReplication.getCookie().isAutoConfigureCookiePath()) {
            String contextPath = requestContext.getExternalContext().getContextPath();
            String str = StringUtils.isNotBlank(contextPath) ? contextPath + "/" : "/";
            String cookiePath = this.configContext.getDelegatedClientDistributedSessionCookieGenerator().getCookiePath();
            if (StringUtils.isBlank(cookiePath)) {
                LOGGER.debug("Setting path for cookies for distributed session cookie generator to: [{}]", str);
                this.configContext.getDelegatedClientDistributedSessionCookieGenerator().setCookiePath(str);
            } else {
                LOGGER.trace("Delegated authentication cookie domain is [{}] with path [{}]", this.configContext.getDelegatedClientDistributedSessionCookieGenerator().getCookieDomain(), cookiePath);
            }
        }
        return super.doPreExecute(requestContext);
    }

    protected Service populateContextWithService(RequestContext requestContext, Service service) throws Throwable {
        if (service != null) {
            Service resolveService = this.configContext.getAuthenticationRequestServiceSelectionStrategies().resolveService(service);
            LOGGER.trace("Authentication is resolved by service request from [{}]", service);
            RegisteredService findServiceBy = this.configContext.getServicesManager().findServiceBy(resolveService);
            LOGGER.trace("Located registered service [{}] mapped to resolved service [{}]", findServiceBy, resolveService);
            WebUtils.putRegisteredService(requestContext, findServiceBy);
            WebUtils.putServiceIntoFlowScope(requestContext, service);
        }
        return service;
    }

    protected Optional<ClientCredential> populateContextWithClientCredential(BaseClient baseClient, RequestContext requestContext) {
        return this.configContext.getCredentialExtractors().stream().filter((v0) -> {
            return BeanSupplier.isNotProxy(v0);
        }).map(delegatedAuthenticationCredentialExtractor -> {
            return delegatedAuthenticationCredentialExtractor.extract(baseClient, requestContext);
        }).flatMap((v0) -> {
            return v0.stream();
        }).findFirst();
    }

    protected BaseClient findDelegatedClientByName(String str) {
        Optional findClient = this.configContext.getIdentityProviders().findClient(str);
        if (findClient.isEmpty()) {
            LOGGER.warn("Delegated client [{}] can not be located", str);
            throw UnauthorizedServiceException.denied("Denied: %s".formatted(str));
        }
        BaseClient baseClient = (BaseClient) findClient.get();
        baseClient.init();
        return baseClient;
    }

    private void verifyClientIsAuthorizedForService(RequestContext requestContext, Service service, BaseClient baseClient) {
        LOGGER.debug("Delegated authentication client is [{}] with service [{}]", baseClient, service);
        if (service != null) {
            WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext).setAttribute("service", service);
        }
        if (isDelegatedClientAuthorizedForService(baseClient, service, requestContext)) {
            return;
        }
        LOGGER.error("Delegated client [{}] is not authorized by service [{}]", baseClient, service);
        throw UnauthorizedServiceException.denied("Denied: %s".formatted(service));
    }

    protected Event stopWebflow(Throwable th, RequestContext requestContext) {
        requestContext.getFlashScope().put("rootCauseException", th);
        return new Event(this, "stop", new LocalAttributeMap("error", th));
    }

    protected Service restoreAuthenticationRequestInContext(RequestContext requestContext, String str) {
        try {
            Optional findClient = this.configContext.getIdentityProviders().findClient(str);
            Class<BaseClient> cls = BaseClient.class;
            Objects.requireNonNull(BaseClient.class);
            return this.delegatedClientAuthenticationWebflowManager.retrieve(requestContext, new JEEContext(WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext), WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext)), (BaseClient) findClient.map((v1) -> {
                return r1.cast(v1);
            }).orElseThrow(() -> {
                return new IllegalArgumentException("Unable to find client " + str + " to restore authentication context");
            }));
        } catch (Throwable th) {
            LoggingUtils.error(LOGGER, th);
            throw UnauthorizedServiceException.denied("Denied: %s".formatted(str));
        }
    }

    protected boolean isDelegatedClientAuthorizedForService(Client client, Service service, RequestContext requestContext) {
        return this.configContext.getDelegatedClientIdentityProviderAuthorizers().stream().allMatch(Unchecked.predicate(delegatedClientIdentityProviderAuthorizer -> {
            return delegatedClientIdentityProviderAuthorizer.isDelegatedClientAuthorizedForService(client, service, requestContext);
        }));
    }

    @Generated
    public DelegatedClientAuthenticationConfigurationContext getConfigContext() {
        return this.configContext;
    }

    @Generated
    public DelegatedClientAuthenticationWebflowManager getDelegatedClientAuthenticationWebflowManager() {
        return this.delegatedClientAuthenticationWebflowManager;
    }

    @Generated
    public DelegatedClientAuthenticationFailureEvaluator getFailureEvaluator() {
        return this.failureEvaluator;
    }

    @Generated
    public DelegatedAuthenticationSingleSignOnEvaluator getSsoEvaluator() {
        return this.ssoEvaluator;
    }
}
