package org.apereo.cas.web.flow.passwordless;

import java.util.Optional;
import lombok.Generated;
import org.apereo.cas.api.PasswordlessAuthenticationPreProcessor;
import org.apereo.cas.api.PasswordlessUserAccount;
import org.apereo.cas.authentication.AuthenticationResultBuilder;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.MutableCredential;
import org.apereo.cas.authentication.SurrogateAuthenticationPrincipalBuilder;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService;
import org.apereo.cas.authentication.surrogate.SurrogateCredentialTrait;
import org.apereo.cas.impl.token.PasswordlessAuthenticationToken;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/web/flow/passwordless/SurrogatePasswordlessAuthenticationPreProcessor.class */
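/**
 * Passwordless authentication pre-processor that switches the authentication result to a
 * surrogate (impersonated) principal when the passwordless token carries a surrogate username.
 *
 * <p>The surrogate username is read from the token's properties under
 * {@link SurrogatePasswordlessAuthenticationRequestParser#PROPERTY_SURROGATE_USERNAME}. It is a
 * requested identity, not a verified one: the only authorization gate in this class is
 * {@link SurrogateAuthenticationService#canImpersonate}, evaluated against the principal of the
 * initial authentication.
 */
public class SurrogatePasswordlessAuthenticationPreProcessor implements PasswordlessAuthenticationPreProcessor {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SurrogatePasswordlessAuthenticationPreProcessor.class);

    // Resolves the registered service definition handed to the surrogate principal builder.
    private final ServicesManager servicesManager;

    // Builds the authentication result for the impersonated principal.
    private final SurrogateAuthenticationPrincipalBuilder surrogatePrincipalBuilder;

    // Decides whether the primary principal may impersonate the requested surrogate.
    private final SurrogateAuthenticationService surrogateAuthenticationService;

    /**
     * Applies surrogate authentication to a passwordless authentication attempt, if requested
     * and authorized.
     *
     * <p>The given builder is returned unchanged when the token has no surrogate username
     * property, when the credential is not a {@link MutableCredential}, or when the primary
     * principal is not authorized to impersonate the requested user. In the last case the
     * attempt is not rejected here; authentication continues as the primary principal and the
     * denial is logged.
     *
     * @param authenticationResultBuilder builder holding the initial (primary) authentication
     * @param passwordlessUserAccount account the passwordless token was issued for; only logged here
     * @param service service being accessed, may be {@code null}
     * @param credential credential of the attempt; must be a {@link MutableCredential} for the
     *     surrogate trait to be attached
     * @param passwordlessAuthenticationToken token whose properties may name the surrogate user
     * @return the surrogate authentication result when impersonation is authorized and the
     *     surrogate builder yields one, otherwise {@code authenticationResultBuilder}
     * @throws Throwable if a collaborator fails, or if a surrogate is requested but the builder
     *     holds no initial authentication
     */
    @Override
    public AuthenticationResultBuilder process(AuthenticationResultBuilder authenticationResultBuilder, PasswordlessUserAccount passwordlessUserAccount, Service service, Credential credential, PasswordlessAuthenticationToken passwordlessAuthenticationToken) throws Throwable {
        // NOTE(review): this logs the token object itself; confirm its toString() does not include
        // the token value, otherwise debug logs would hold a usable login secret.
        LOGGER.debug("Evaluating passwordless authentication token [{}] issued for [{}]", passwordlessAuthenticationToken, passwordlessUserAccount);

        if (!passwordlessAuthenticationToken.getProperties().containsKey(SurrogatePasswordlessAuthenticationRequestParser.PROPERTY_SURROGATE_USERNAME)) {
            return authenticationResultBuilder;
        }
        if (!(credential instanceof MutableCredential)) {
            // A surrogate was requested but cannot be recorded on this credential type; make the
            // silent fallback to the primary principal visible to whoever reads the logs.
            LOGGER.debug("Surrogate authentication requested but credential [{}] is not mutable; continuing as the primary principal", credential);
            return authenticationResultBuilder;
        }

        MutableCredential mutableCredential = (MutableCredential) credential;
        String surrogateUsername = (String) passwordlessAuthenticationToken.getProperties().get(SurrogatePasswordlessAuthenticationRequestParser.PROPERTY_SURROGATE_USERNAME);
        // Authorization is always evaluated against the already-established primary principal;
        // orElseThrow() fails the attempt if there is no initial authentication to check against.
        Principal primaryPrincipal = (Principal) authenticationResultBuilder.getInitialAuthentication().map((authentication) -> {
            return authentication.getPrincipal();
        }).orElseThrow();
        LOGGER.debug("Evaluating principal [{}] authorization to impersonate [{}]", primaryPrincipal, surrogateUsername);

        if (!this.surrogateAuthenticationService.canImpersonate(surrogateUsername, primaryPrincipal, Optional.ofNullable(service))) {
            // Denied impersonation attempts are security-relevant events; record them at a level
            // that survives production log configuration. The surrogate name is requester-supplied,
            // so log sinks should neutralize control characters.
            LOGGER.warn("Principal [{}] is not authorized to impersonate [{}]; continuing as the primary principal", primaryPrincipal, surrogateUsername);
            return authenticationResultBuilder;
        }

        // The trait is attached only after the authorization check has passed.
        mutableCredential.getCredentialMetadata().addTrait(new SurrogateCredentialTrait(surrogateUsername));
        RegisteredService registeredService = this.servicesManager.findServiceBy(service);
        LOGGER.debug("Principal [{}] is authorized to impersonate [{}]", primaryPrincipal, surrogateUsername);
        // NOTE(review): if the surrogate builder yields nothing, the primary result is returned
        // while the credential still carries the surrogate trait; confirm downstream code
        // tolerates that combination.
        return (AuthenticationResultBuilder) this.surrogatePrincipalBuilder.buildSurrogateAuthenticationResult(authenticationResultBuilder, mutableCredential, registeredService).orElse(authenticationResultBuilder);
    }

    /**
     * Creates the pre-processor with its collaborators.
     *
     * @param servicesManager looks up the registered service for the requested service
     * @param surrogateAuthenticationPrincipalBuilder builds the surrogate authentication result
     * @param surrogateAuthenticationService authorizes impersonation requests
     */
    @Generated
    public SurrogatePasswordlessAuthenticationPreProcessor(ServicesManager servicesManager, SurrogateAuthenticationPrincipalBuilder surrogateAuthenticationPrincipalBuilder, SurrogateAuthenticationService surrogateAuthenticationService) {
        this.servicesManager = servicesManager;
        this.surrogatePrincipalBuilder = surrogateAuthenticationPrincipalBuilder;
        this.surrogateAuthenticationService = surrogateAuthenticationService;
    }
}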
