package org.apereo.cas.web.flow.resolver.impl;

import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CasProtocolConstants;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.AuthenticationSystemSupport;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.MultifactorAuthenticationProviderSelector;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.support.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.util.CookieGenerator;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-webflow-5.1.4.jar:org/apereo/cas/web/flow/resolver/impl/ServiceTicketRequestWebflowEventResolver.class */
/**
 * Webflow event resolver for requests that ask CAS for a service ticket.
 *
 * <p>{@link #resolveInternal(RequestContext)} calls {@link #grantServiceTicket(RequestContext)} only when
 * {@link #isRequestAskingForServiceTicket(RequestContext)} returns {@code true}.
 *
 * <p>NOTE(review): in this listing {@code isRequestAskingForServiceTicket} returns {@code false} on every
 * path, so {@code resolveInternal} always returns {@code null} unless a subclass overrides the predicate.
 * The "is valid ... CAS should begin to issue service tickets" debug message disagrees with the value
 * returned next to it. Compare this class with the upstream source for the same release before relying on
 * either behaviour.
 */
public class ServiceTicketRequestWebflowEventResolver extends AbstractCasWebflowEventResolver {
    private static final Logger LOGGER = LoggerFactory.getLogger(ServiceTicketRequestWebflowEventResolver.class);

    /**
     * Passes every collaborator straight through to the parent resolver; no state is kept here.
     */
    public ServiceTicketRequestWebflowEventResolver(
            final AuthenticationSystemSupport authenticationSystemSupport,
            final CentralAuthenticationService centralAuthenticationService,
            final ServicesManager servicesManager,
            final TicketRegistrySupport ticketRegistrySupport,
            final CookieGenerator cookieGenerator,
            final AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan,
            final MultifactorAuthenticationProviderSelector multifactorAuthenticationProviderSelector) {
        super(
                authenticationSystemSupport,
                centralAuthenticationService,
                servicesManager,
                ticketRegistrySupport,
                cookieGenerator,
                authenticationServiceSelectionPlan,
                multifactorAuthenticationProviderSelector);
    }

    /**
     * Resolves the event for a service-ticket request.
     *
     * @param requestContext the current webflow request context
     * @return a set holding the event produced by {@link #grantServiceTicket(RequestContext)}, or
     *         {@code null} when the request is not asking for a service ticket
     */
    @Override
    public Set<Event> resolveInternal(final RequestContext requestContext) {
        if (isRequestAskingForServiceTicket(requestContext)) {
            LOGGER.debug("Authentication request is asking for service tickets");
            final Event outcome = grantServiceTicket(requestContext);
            return CollectionUtils.wrapSet(outcome);
        }
        return null;
    }

    /**
     * Inspects the request for a ticket-granting ticket id, a service and the renew request parameter,
     * logging each value at debug level.
     *
     * <p>NOTE(review): every branch returns {@code false}; the branches differ only in what they log.
     *
     * <p>NOTE(review): the ticket-granting ticket id is written to the debug log in full. Confirm that the
     * logging layer redacts ticket ids, or keep DEBUG disabled for this logger in production.
     *
     * @param requestContext the current webflow request context
     * @return {@code false} on all paths in this listing
     */
    protected boolean isRequestAskingForServiceTicket(final RequestContext requestContext) {
        final String tgtId = WebUtils.getTicketGrantingTicketId(requestContext);
        LOGGER.debug("Located ticket-granting ticket [{}] from the request context", tgtId);

        final WebApplicationService service = WebUtils.getService(requestContext);
        LOGGER.debug("Located service [{}] from the request context", service);

        final String renewParam = requestContext.getRequestParameters().get(CasProtocolConstants.PARAMETER_RENEW);
        LOGGER.debug("Provided value for [{}] request parameter is [{}]", CasProtocolConstants.PARAMETER_RENEW, renewParam);

        // Without both a ticket-granting ticket id and a service there is nothing to look up.
        if (StringUtils.isBlank(tgtId) || service == null) {
            LOGGER.debug("Request is not eligible to be issued service tickets just yet");
            return false;
        }

        // The registry lookup happens before the renew check, exactly as in the original statement order.
        final Authentication authentication = this.ticketRegistrySupport.getAuthenticationFrom(tgtId);
        if (StringUtils.isBlank(renewParam)) {
            LOGGER.debug("Request is not eligible to be issued service tickets just yet");
            return false;
        }

        LOGGER.debug("Request identifies itself as one asking for service tickets. Checking for authentication context validity...");
        if (authentication == null) {
            LOGGER.debug("Existing authentication context linked to ticket-granting ticket [{}] is NOT valid. CAS will not issue service tickets for [{}] just yet without renewing the authentication context", tgtId, service);
            return false;
        }
        LOGGER.debug("Existing authentication context linked to ticket-granting ticket [{}] is valid. CAS should begin to issue service tickets for [{}] once credentials are renewed", tgtId, service);
        // NOTE(review): the message above reads like a positive outcome, yet the result is still false.
        return false;
    }

    /**
     * Grants a service ticket for the service in the request and stores it in request scope.
     *
     * <p>The authentication tied to the ticket-granting ticket is used only for the access-strategy check.
     * The ticket is granted on the result of a fresh authentication transaction built from the credential
     * in the context.
     *
     * <p>NOTE(review): the access-strategy check runs only when both an authentication and a registered
     * service are found. When either is missing, the code still goes on to request a ticket. Whether
     * {@code CentralAuthenticationService.grantServiceTicket} rejects that case is not visible in this
     * class; confirm it does.
     *
     * @param requestContext the current webflow request context
     * @return a {@code "warn"} event on success, or an authentication-failure event wrapping the
     *         {@link AuthenticationException} or {@link AbstractTicketException} that was caught
     */
    protected Event grantServiceTicket(final RequestContext requestContext) {
        final String tgtId = WebUtils.getTicketGrantingTicketId(requestContext);
        final Credential credential = getCredentialFromContext(requestContext);
        try {
            final WebApplicationService service = WebUtils.getService(requestContext);
            final Authentication authentication = this.ticketRegistrySupport.getAuthenticationFrom(tgtId);
            final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

            final boolean policyInputsPresent = authentication != null && registeredService != null;
            if (policyInputsPresent) {
                LOGGER.debug("Enforcing access strategy policies for registered service [{}] and principal [{}]", registeredService, authentication.getPrincipal());
                RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(service, registeredService, authentication);
            }

            // Kept as one nested expression: the authentication transaction is finalized first, then the
            // ticket is granted, then it is placed in request scope.
            WebUtils.putServiceTicketInRequestScope(
                    requestContext,
                    this.centralAuthenticationService.grantServiceTicket(
                            tgtId,
                            service,
                            this.authenticationSystemSupport.handleAndFinalizeSingleAuthenticationTransaction(service, credential)));
            WebUtils.putWarnCookieIfRequestParameterPresent(this.warnCookieGenerator, requestContext);
            return newEvent("warn");
        } catch (final AuthenticationException | AbstractTicketException e) {
            // Both failure types are turned into the same authentication-failure transition.
            return newEvent(CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE, e);
        }
    }
}
