package org.apereo.cas.web.flow;

import java.util.List;
import java.util.Map;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationCredentialsThreadLocalBinder;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.principal.ClientCredential;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategy;
import org.apereo.cas.services.RegisteredServiceDelegatedAuthenticationPolicy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.ticket.registry.TicketRegistrySupport;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.web.support.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-pac4j-core-6.2.8.jar:org/apereo/cas/web/flow/DelegatedAuthenticationSingleSignOnParticipationStrategy.class */
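/**
 * Decides whether an existing single sign-on session may be honoured for a
 * service whose access strategy carries a delegated authentication policy.
 *
 * <p>The decision is taken from the authentication stored with the
 * ticket-granting ticket found in the request context: the name of the
 * delegated client recorded there (if any) is checked against the service's
 * {@link RegisteredServiceDelegatedAuthenticationPolicy}.
 */
public class DelegatedAuthenticationSingleSignOnParticipationStrategy implements SingleSignOnParticipationStrategy {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatedAuthenticationSingleSignOnParticipationStrategy.class);
    private final ServicesManager servicesManager;
    private final AuthenticationServiceSelectionPlan serviceSelectionStrategy;
    private final TicketRegistrySupport ticketRegistrySupport;

    /**
     * Evaluates the delegated authentication policy of the requested service
     * against the authentication behind the current ticket-granting ticket.
     *
     * <p>Returns {@code true} without consulting any policy when no registered
     * service can be determined, when the service has no access strategy or no
     * delegated authentication policy, or when the request context holds no
     * ticket-granting ticket id. These are pass-through cases: this strategy
     * has nothing to enforce, so any restriction must come from elsewhere.
     *
     * <p>Returns {@code false} when the ticket id does not resolve to an
     * authentication, or when the client-name attribute is present but empty.
     *
     * <p>The authentication bound to the current thread is replaced for the
     * duration of the policy check and always restored before returning.
     *
     * @param requestContext the webflow request context of the current request
     * @return whether the existing session may be used for the service
     */
    @Override // org.apereo.cas.web.flow.SingleSignOnParticipationStrategy
    public boolean isParticipating(RequestContext requestContext) {
        RegisteredService registeredService = determineRegisteredService(requestContext);
        RegisteredServiceDelegatedAuthenticationPolicy policy = findDelegatedAuthenticationPolicy(registeredService);
        if (policy == null) {
            return true;
        }
        String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(requestContext);
        if (StringUtils.isBlank(ticketGrantingTicketId)) {
            return true;
        }
        Authentication previouslyBound = AuthenticationCredentialsThreadLocalBinder.getCurrentAuthentication();
        try {
            Authentication ssoAuthentication = this.ticketRegistrySupport.getAuthenticationFrom(ticketGrantingTicketId);
            if (ssoAuthentication == null) {
                // Fail closed: a ticket id that resolves to no authentication (presumably a
                // removed or expired ticket - confirm against the registry implementation)
                // gives the policy nothing to evaluate, and dereferencing it would throw.
                // The ticket id is a bearer secret and is deliberately kept out of the log.
                LOGGER.debug("No authentication is available for the ticket-granting ticket; not participating in single sign-on");
                return false;
            }
            AuthenticationCredentialsThreadLocalBinder.bindCurrent(ssoAuthentication);
            Map<String, List<Object>> attributes = ssoAuthentication.getAttributes();
            if (!attributes.containsKey(ClientCredential.AUTHENTICATION_ATTRIBUTE_CLIENT_NAME)) {
                // The session was not established through a delegated client; it is only
                // acceptable when the policy does not insist on a delegated provider.
                return !policy.isProviderRequired();
            }
            Optional<Object> clientName = CollectionUtils.firstElement(attributes.get(ClientCredential.AUTHENTICATION_ATTRIBUTE_CLIENT_NAME));
            if (!clientName.isPresent()) {
                return false;
            }
            String client = clientName.get().toString();
            LOGGER.debug("Evaluating delegated access strategy for client [{}] and service [{}]", client, registeredService);
            return policy.isProviderAllowed(client, registeredService);
        } finally {
            // Single restore point for every exit path, including exceptions.
            AuthenticationCredentialsThreadLocalBinder.bindCurrent(previouslyBound);
        }
    }

    /**
     * Reports whether this strategy applies to the request, which is the case
     * only when the determined service declares a delegated authentication policy.
     *
     * @param requestContext the webflow request context of the current request
     * @return {@code true} if a delegated authentication policy is present
     */
    @Override // org.apereo.cas.web.flow.SingleSignOnParticipationStrategy
    public boolean supports(RequestContext requestContext) {
        return findDelegatedAuthenticationPolicy(determineRegisteredService(requestContext)) != null;
    }

    /**
     * @return the fixed order value {@code 0}
     */
    @Override // org.apereo.cas.web.flow.SingleSignOnParticipationStrategy, org.springframework.core.Ordered
    public int getOrder() {
        return 0;
    }

    /**
     * Returns the delegated authentication policy of the service, or
     * {@code null} when the service, its access strategy or the policy is absent.
     */
    private static RegisteredServiceDelegatedAuthenticationPolicy findDelegatedAuthenticationPolicy(RegisteredService registeredService) {
        if (registeredService == null) {
            return null;
        }
        RegisteredServiceAccessStrategy accessStrategy = registeredService.getAccessStrategy();
        return accessStrategy == null ? null : accessStrategy.getDelegatedAuthenticationPolicy();
    }

    /**
     * Finds the registered service for the request: the one already stored in
     * the request context if present, otherwise the one the services manager
     * returns for the service resolved by the selection plan.
     *
     * @return the registered service, or {@code null} if none can be determined
     */
    private RegisteredService determineRegisteredService(RequestContext requestContext) {
        RegisteredService fromContext = WebUtils.getRegisteredService(requestContext);
        if (fromContext != null) {
            return fromContext;
        }
        Service resolved = this.serviceSelectionStrategy.resolveService(WebUtils.getService(requestContext));
        return resolved == null ? null : this.servicesManager.findServiceBy(resolved);
    }

    /**
     * Creates the strategy from its three collaborators.
     *
     * @param servicesManager looks up the registered service for a resolved service
     * @param authenticationServiceSelectionPlan resolves the service taken from the request context
     * @param ticketRegistrySupport supplies the authentication behind a ticket-granting ticket id
     */
    @Generated
    public DelegatedAuthenticationSingleSignOnParticipationStrategy(ServicesManager servicesManager, AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan, TicketRegistrySupport ticketRegistrySupport) {
        this.servicesManager = servicesManager;
        this.serviceSelectionStrategy = authenticationServiceSelectionPlan;
        this.ticketRegistrySupport = ticketRegistrySupport;
    }
}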
