package org.apereo.cas.authentication;

import java.util.Map;
import javax.security.auth.login.CredentialNotFoundException;
import javax.security.auth.login.FailedLoginException;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.events.AbstractCasEvent;
import org.apereo.cas.support.events.authentication.surrogate.CasSurrogateAuthenticationFailureEvent;
import org.apereo.cas.support.events.authentication.surrogate.CasSurrogateAuthenticationSuccessfulEvent;
import org.apereo.cas.util.CollectionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEventPublisher;

/* loaded from: input_file:org/apereo/cas/authentication/SurrogateAuthenticationPostProcessor.class */
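/**
 * Authentication post-processor that decides whether an already authenticated
 * principal may authenticate as the surrogate user named in the credential.
 *
 * <p>Every failure inside the eligibility check is reported to the caller as one
 * {@link AuthenticationException} carrying a {@link SurrogateAuthenticationException},
 * so the caller cannot tell a policy denial from a backend error. The root cause is
 * therefore written to the log before it is replaced.
 */
public class SurrogateAuthenticationPostProcessor implements AuthenticationPostProcessor {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SurrogateAuthenticationPostProcessor.class);
    private final SurrogateAuthenticationService surrogateAuthenticationService;
    private final ServicesManager servicesManager;
    // May be null: publishEvent() skips publication in that case.
    private final ApplicationEventPublisher applicationEventPublisher;
    private final AuditableExecution registeredServiceAccessStrategyEnforcer;
    private final AuditableExecution surrogateEligibilityAuditableExecution;
    // Stored by the constructor but not read anywhere in this class.
    private final SurrogatePrincipalBuilder surrogatePrincipalBuilder;

    /**
     * Checks that the authenticated principal is allowed to act as the surrogate user.
     *
     * <p>Steps, in order: reject a blank surrogate username; when the transaction has a
     * service, enforce that service's access strategy; ask the surrogate service whether
     * the principal may authenticate as the surrogate. On success a success event is
     * published and an audit record with {@code targetUserId} and {@code eligible=TRUE}
     * is written. On any failure a failure event is published and an audit record is
     * written before the exception is thrown.
     *
     * @param authenticationBuilder builder whose current state yields the authentication to check
     * @param authenticationTransaction transaction holding the primary credential and the optional service
     * @throws AuthenticationException when the surrogate username is blank, the service access
     *         check fails, the principal is not eligible, or any other exception occurs during the check
     */
    public void process(AuthenticationBuilder authenticationBuilder, AuthenticationTransaction authenticationTransaction) throws AuthenticationException {
        Authentication build = authenticationBuilder.build();
        Principal principal = build.getPrincipal();
        // The unchecked Optional.get() and the cast sit outside the try block, so an absent
        // or differently typed primary credential escapes as an unchecked exception with no
        // failure event or audit record. Presumably callers gate on supports() first - confirm.
        String surrogateUsername = ((SurrogateUsernamePasswordCredential) authenticationTransaction.getPrimaryCredential().get()).getSurrogateUsername();
        try {
            if (StringUtils.isBlank(surrogateUsername)) {
                LOGGER.error("No surrogate username was specified as part of the credential");
                throw new CredentialNotFoundException("Missing surrogate username in credential");
            }
            LOGGER.debug("Authenticated [{}] will be checked for surrogate eligibility next for [{}]...", principal, surrogateUsername);
            if (authenticationTransaction.getService() != null) {
                // Service access is enforced for the primary principal before surrogate eligibility is evaluated.
                AuditableContext accessContext = AuditableContext.builder()
                    .service(authenticationTransaction.getService())
                    .authentication(build)
                    .registeredService(this.servicesManager.findServiceBy(authenticationTransaction.getService()))
                    .retrievePrincipalAttributesFromReleasePolicy(Boolean.FALSE)
                    .build();
                this.registeredServiceAccessStrategyEnforcer.execute(accessContext).throwExceptionIfNeeded();
            }
            if (!this.surrogateAuthenticationService.canAuthenticateAs(surrogateUsername, principal, authenticationTransaction.getService())) {
                LOGGER.error("Principal [{}] is unable/unauthorized to authenticate as [{}]", principal, surrogateUsername);
                throw new FailedLoginException();
            }
            LOGGER.debug("Principal [{}] is authorized to authenticate as [{}]", principal, surrogateUsername);
            publishSuccessEvent(principal, surrogateUsername);
            AuditableContext eligibleContext = AuditableContext.builder()
                .service(authenticationTransaction.getService())
                .authentication(build)
                .properties(CollectionUtils.wrap("targetUserId", surrogateUsername, "eligible", Boolean.TRUE))
                .build();
            this.surrogateEligibilityAuditableExecution.execute(eligibleContext);
        } catch (Exception e) {
            // The cause is replaced by a generic "unauthorized" error below. Log it here so a
            // service-access denial or a backend failure can be told apart from a real
            // eligibility denial during investigation.
            LOGGER.warn("Surrogate authentication of [{}] as [{}] was rejected", principal, surrogateUsername, e);
            publishFailureEvent(principal, surrogateUsername);
            Map<String, Throwable> wrap = CollectionUtils.wrap(getClass().getSimpleName(), new SurrogateAuthenticationException("Principal " + principal + " is unauthorized to authenticate as " + surrogateUsername));
            // NOTE(review): unlike the success path, this audit context carries no
            // "targetUserId"/"eligible" properties. Confirm that the audit resolver still
            // records who was targeted when the attempt is denied.
            AuditableContext ineligibleContext = AuditableContext.builder()
                .service(authenticationTransaction.getService())
                .authentication(build)
                .build();
            this.surrogateEligibilityAuditableExecution.execute(ineligibleContext);
            throw new AuthenticationException(wrap);
        }
    }

    /**
     * Reports whether this post-processor handles the given credential.
     *
     * <p>The match is on the exact class, so subclasses of
     * {@link SurrogateUsernamePasswordCredential} are not accepted.
     *
     * @param credential credential to test; {@code null} is treated as unsupported
     * @return {@code true} only for an instance of exactly {@link SurrogateUsernamePasswordCredential}
     */
    public boolean supports(Credential credential) {
        return credential != null && credential.getClass().equals(SurrogateUsernamePasswordCredential.class);
    }

    /** Publishes a surrogate-authentication failure event for the principal and target user. */
    private void publishFailureEvent(Principal principal, String str) {
        publishEvent(new CasSurrogateAuthenticationFailureEvent(this, principal, str));
    }

    /** Publishes a surrogate-authentication success event for the principal and target user. */
    private void publishSuccessEvent(Principal principal, String str) {
        publishEvent(new CasSurrogateAuthenticationSuccessfulEvent(this, principal, str));
    }

    /** Hands the event to the publisher, or does nothing when no publisher was supplied. */
    private void publishEvent(AbstractCasEvent abstractCasEvent) {
        if (this.applicationEventPublisher != null) {
            this.applicationEventPublisher.publishEvent(abstractCasEvent);
        }
    }

    /**
     * Creates the post-processor.
     *
     * @param surrogateAuthenticationService service asked whether a principal may act as a surrogate
     * @param servicesManager used to look up the registered service of the transaction's service
     * @param applicationEventPublisher publisher for success and failure events; may be {@code null}
     * @param auditableExecution execution that enforces the registered service access strategy
     * @param auditableExecution2 execution that records the surrogate eligibility outcome
     * @param surrogatePrincipalBuilder stored but not used by this class
     */
    @Generated
    public SurrogateAuthenticationPostProcessor(SurrogateAuthenticationService surrogateAuthenticationService, ServicesManager servicesManager, ApplicationEventPublisher applicationEventPublisher, AuditableExecution auditableExecution, AuditableExecution auditableExecution2, SurrogatePrincipalBuilder surrogatePrincipalBuilder) {
        this.surrogateAuthenticationService = surrogateAuthenticationService;
        this.servicesManager = servicesManager;
        this.applicationEventPublisher = applicationEventPublisher;
        this.registeredServiceAccessStrategyEnforcer = auditableExecution;
        this.surrogateEligibilityAuditableExecution = auditableExecution2;
        this.surrogatePrincipalBuilder = surrogatePrincipalBuilder;
    }
}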
