package org.apereo.cas.authentication;

import com.codahale.metrics.annotation.Counted;
import com.codahale.metrics.annotation.Metered;
import com.codahale.metrics.annotation.Timed;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.GeneralSecurityException;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.exceptions.UnresolvedPrincipalException;
import org.apereo.cas.authentication.principal.NullPrincipal;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.support.events.authentication.CasAuthenticationPolicyFailureEvent;
import org.apereo.cas.support.events.authentication.CasAuthenticationPrincipalResolvedEvent;
import org.apereo.cas.support.events.authentication.CasAuthenticationTransactionFailureEvent;
import org.apereo.cas.support.events.authentication.CasAuthenticationTransactionStartedEvent;
import org.apereo.cas.support.events.authentication.CasAuthenticationTransactionSuccessfulEvent;
import org.apereo.inspektr.audit.annotation.Audit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-authentication-api-5.3.16.jar:org/apereo/cas/authentication/PolicyBasedAuthenticationManager.class */
public class PolicyBasedAuthenticationManager implements AuthenticationManager {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) PolicyBasedAuthenticationManager.class);
    private final AuthenticationEventExecutionPlan authenticationEventExecutionPlan;
    private final boolean principalResolutionFailureFatal;
    private final ApplicationEventPublisher eventPublisher;

    protected void invokeAuthenticationPostProcessors(AuthenticationBuilder authenticationBuilder, AuthenticationTransaction authenticationTransaction) {
        LOGGER.debug("Invoking authentication post processors for authentication transaction");
        Iterator it = ((Collection) this.authenticationEventExecutionPlan.getAuthenticationPostProcessors(authenticationTransaction).stream().filter(authenticationPostProcessor -> {
            Stream<Credential> stream = authenticationTransaction.getCredentials().stream();
            Objects.requireNonNull(authenticationPostProcessor);
            return stream.filter(authenticationPostProcessor::supports).findFirst().isPresent();
        }).collect(Collectors.toList())).iterator();
        while (it.hasNext()) {
            ((AuthenticationPostProcessor) it.next()).process(authenticationBuilder, authenticationTransaction);
        }
    }

    protected void populateAuthenticationMetadataAttributes(AuthenticationBuilder authenticationBuilder, AuthenticationTransaction authenticationTransaction) {
        LOGGER.debug("Invoking authentication metadata populators for authentication transaction");
        getAuthenticationMetadataPopulatorsForTransaction(authenticationTransaction).forEach(authenticationMetaDataPopulator -> {
            Stream<Credential> stream = authenticationTransaction.getCredentials().stream();
            Objects.requireNonNull(authenticationMetaDataPopulator);
            stream.filter(authenticationMetaDataPopulator::supports).forEach(credential -> {
                authenticationMetaDataPopulator.populateAttributes(authenticationBuilder, authenticationTransaction);
            });
        });
    }

    protected void addAuthenticationMethodAttribute(AuthenticationBuilder authenticationBuilder, Authentication authentication) {
        authentication.getSuccesses().values().forEach(authenticationHandlerExecutionResult -> {
            authenticationBuilder.addAttribute("authenticationMethod", authenticationHandlerExecutionResult.getHandlerName());
        });
    }

    protected Principal resolvePrincipal(AuthenticationHandler authenticationHandler, PrincipalResolver principalResolver, Credential credential, Principal principal) {
        if (!principalResolver.supports(credential)) {
            LOGGER.warn("[{}] is configured to use [{}] but it does not support [{}], which suggests a configuration problem.", authenticationHandler.getName(), principalResolver, credential);
            return null;
        }
        try {
            Principal resolve = principalResolver.resolve(credential, Optional.ofNullable(principal), Optional.ofNullable(authenticationHandler));
            LOGGER.debug("[{}] resolved [{}] from [{}]", principalResolver, resolve, credential);
            return resolve;
        } catch (Exception e) {
            LOGGER.error("[{}] failed to resolve principal from [{}]", principalResolver, credential, e);
            return null;
        }
    }

    @Override // org.apereo.cas.authentication.AuthenticationManager
    @Timed(name = "AUTHENTICATE_TIMER")
    @Counted(name = "AUTHENTICATE_COUNT", monotonic = true)
    @Metered(name = "AUTHENTICATE_METER")
    @Audit(action = "AUTHENTICATION", actionResolverName = "AUTHENTICATION_RESOLVER", resourceResolverName = "AUTHENTICATION_RESOURCE_RESOLVER")
    public Authentication authenticate(AuthenticationTransaction authenticationTransaction) throws AuthenticationException {
        if (!invokeAuthenticationPreProcessors(authenticationTransaction)) {
            LOGGER.warn("An authentication pre-processor could not successfully process the authentication transaction");
            throw new AuthenticationException("Authentication pre-processor has failed to process transaction");
        }
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(authenticationTransaction.getCredentials());
        AuthenticationBuilder authenticateInternal = authenticateInternal(authenticationTransaction);
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(authenticateInternal);
        addAuthenticationMethodAttribute(authenticateInternal, authenticateInternal.build());
        populateAuthenticationMetadataAttributes(authenticateInternal, authenticationTransaction);
        invokeAuthenticationPostProcessors(authenticateInternal, authenticationTransaction);
        Authentication build = authenticateInternal.build();
        Principal principal = build.getPrincipal();
        if (principal instanceof NullPrincipal) {
            throw new UnresolvedPrincipalException(build);
        }
        LOGGER.info("Authenticated principal [{}] with attributes [{}] via credentials [{}].", principal.getId(), principal.getAttributes(), authenticationTransaction.getCredentials());
        AuthenticationCredentialsThreadLocalBinder.bindCurrent(build);
        return build;
    }

    protected boolean invokeAuthenticationPreProcessors(AuthenticationTransaction authenticationTransaction) {
        LOGGER.debug("Invoking authentication pre processors for authentication transaction");
        boolean z = true;
        Iterator it = ((Collection) this.authenticationEventExecutionPlan.getAuthenticationPreProcessors(authenticationTransaction).stream().filter(authenticationPreProcessor -> {
            Stream<Credential> stream = authenticationTransaction.getCredentials().stream();
            Objects.requireNonNull(authenticationPreProcessor);
            return stream.filter(authenticationPreProcessor::supports).findFirst().isPresent();
        }).collect(Collectors.toList())).iterator();
        while (z && it.hasNext()) {
            z = ((AuthenticationPreProcessor) it.next()).process(authenticationTransaction);
        }
        return z;
    }

    protected void authenticateAndResolvePrincipal(AuthenticationBuilder authenticationBuilder, Credential credential, PrincipalResolver principalResolver, AuthenticationHandler authenticationHandler) throws GeneralSecurityException, PreventedException {
        publishEvent(new CasAuthenticationTransactionStartedEvent(this, credential));
        AuthenticationHandlerExecutionResult authenticate = authenticationHandler.authenticate(credential);
        String name = authenticationHandler.getName();
        authenticationBuilder.addSuccess(name, authenticate);
        LOGGER.debug("Authentication handler [{}] successfully authenticated [{}]", name, credential);
        publishEvent(new CasAuthenticationTransactionSuccessfulEvent(this, credential));
        Principal principal = authenticate.getPrincipal();
        String simpleName = principalResolver != null ? principalResolver.getClass().getSimpleName() : "N/A";
        if (principalResolver == null) {
            LOGGER.debug("No principal resolution is configured for [{}]. Falling back to handler principal [{}]", name, principal);
        } else {
            principal = resolvePrincipal(authenticationHandler, principalResolver, credential, principal);
            if (principal == null) {
                if (this.principalResolutionFailureFatal) {
                    LOGGER.warn("Principal resolution handled by [{}] produced a null principal for: [{}]CAS is configured to treat principal resolution failures as fatal.", simpleName, credential);
                    throw new UnresolvedPrincipalException();
                }
                LOGGER.warn("Principal resolution handled by [{}] produced a null principal. This is likely due to misconfiguration or missing attributes; CAS will attempt to use the principal produced by the authentication handler, if any.", principalResolver.getClass().getSimpleName());
            }
        }
        if (principal == null) {
            LOGGER.warn("Principal resolution for authentication by [{}] produced a null principal.", name);
        } else {
            authenticationBuilder.setPrincipal(principal);
        }
        LOGGER.debug("Final principal resolved for this authentication event is [{}]", principal);
        publishEvent(new CasAuthenticationPrincipalResolvedEvent(this, principal));
    }

    protected Set<AuthenticationHandler> getAuthenticationHandlersForThisTransaction(AuthenticationTransaction authenticationTransaction) {
        Set<AuthenticationHandler> authenticationHandlersForTransaction = this.authenticationEventExecutionPlan.getAuthenticationHandlersForTransaction(authenticationTransaction);
        LOGGER.debug("Candidate/Registered authentication handlers for this transaction are [{}]", authenticationHandlersForTransaction);
        Collection<AuthenticationHandlerResolver> authenticationHandlerResolvers = this.authenticationEventExecutionPlan.getAuthenticationHandlerResolvers(authenticationTransaction);
        LOGGER.debug("Authentication handler resolvers for this transaction are [{}]", authenticationHandlerResolvers);
        Set<AuthenticationHandler> set = (Set) authenticationHandlerResolvers.stream().filter(authenticationHandlerResolver -> {
            return authenticationHandlerResolver.supports(authenticationHandlersForTransaction, authenticationTransaction);
        }).map(authenticationHandlerResolver2 -> {
            return authenticationHandlerResolver2.resolve(authenticationHandlersForTransaction, authenticationTransaction);
        }).flatMap((v0) -> {
            return v0.stream();
        }).collect(Collectors.toCollection(LinkedHashSet::new));
        if (set.isEmpty()) {
            LOGGER.debug("Authentication handler resolvers produced no candidate authentication handler. Using the default handler resolver instead...");
            DefaultAuthenticationHandlerResolver defaultAuthenticationHandlerResolver = new DefaultAuthenticationHandlerResolver();
            if (defaultAuthenticationHandlerResolver.supports(authenticationHandlersForTransaction, authenticationTransaction)) {
                set.addAll(defaultAuthenticationHandlerResolver.resolve(authenticationHandlersForTransaction, authenticationTransaction));
            }
        }
        if (set.isEmpty()) {
            throw new GeneralSecurityException("No authentication handlers could be resolved to support the authentication transaction");
        }
        LOGGER.debug("Resolved and finalized authentication handlers to carry out this authentication transaction are [{}]", set);
        return set;
    }

    protected PrincipalResolver getPrincipalResolverLinkedToHandlerIfAny(AuthenticationHandler authenticationHandler, AuthenticationTransaction authenticationTransaction) {
        return this.authenticationEventExecutionPlan.getPrincipalResolverForAuthenticationTransaction(authenticationHandler, authenticationTransaction);
    }

    protected Collection<AuthenticationMetaDataPopulator> getAuthenticationMetadataPopulatorsForTransaction(AuthenticationTransaction authenticationTransaction) {
        return this.authenticationEventExecutionPlan.getAuthenticationMetadataPopulators(authenticationTransaction);
    }

    protected void publishEvent(ApplicationEvent applicationEvent) {
        if (this.eventPublisher != null) {
            this.eventPublisher.publishEvent(applicationEvent);
        }
    }

    protected AuthenticationBuilder authenticateInternal(AuthenticationTransaction authenticationTransaction) throws AuthenticationException {
        Collection<Credential> credentials = authenticationTransaction.getCredentials();
        LOGGER.debug("Authentication credentials provided for this transaction are [{}]", credentials);
        if (credentials.isEmpty()) {
            LOGGER.error("Resolved authentication handlers for this transaction are empty");
            throw new AuthenticationException("Resolved credentials for this transaction are empty");
        }
        DefaultAuthenticationBuilder defaultAuthenticationBuilder = new DefaultAuthenticationBuilder(NullPrincipal.getInstance());
        credentials.forEach(credential -> {
            defaultAuthenticationBuilder.addCredential(new BasicCredentialMetaData(credential));
        });
        Set<AuthenticationHandler> authenticationHandlersForThisTransaction = getAuthenticationHandlersForThisTransaction(authenticationTransaction);
        LOGGER.debug("Candidate resolved authentication handlers for this transaction are [{}]", authenticationHandlersForThisTransaction);
        if (authenticationHandlersForThisTransaction.isEmpty()) {
            LOGGER.error("Resolved authentication handlers for this transaction are empty");
            throw new AuthenticationException(defaultAuthenticationBuilder.getFailures(), defaultAuthenticationBuilder.getSuccesses());
        }
        try {
            AuthenticationCredentialsThreadLocalBinder.clearInProgressAuthentication();
            for (Credential credential2 : credentials) {
                LOGGER.debug("Attempting to authenticate credential [{}]", credential2);
                Iterator<AuthenticationHandler> it = authenticationHandlersForThisTransaction.iterator();
                boolean z = true;
                while (z && it.hasNext()) {
                    AuthenticationHandler next = it.next();
                    if (next.supports(credential2)) {
                        try {
                            PrincipalResolver principalResolverLinkedToHandlerIfAny = getPrincipalResolverLinkedToHandlerIfAny(next, authenticationTransaction);
                            LOGGER.debug("Attempting authentication of [{}] using [{}]", credential2.getId(), next.getName());
                            authenticateAndResolvePrincipal(defaultAuthenticationBuilder, credential2, principalResolverLinkedToHandlerIfAny, next);
                            AuthenticationCredentialsThreadLocalBinder.bindInProgress(defaultAuthenticationBuilder.build());
                            z = !evaluateAuthenticationPolicies(defaultAuthenticationBuilder.build(), authenticationTransaction).getKey().booleanValue();
                        } catch (Exception e) {
                            LOGGER.error("Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [{}] of type [{}]. Examine the configuration to ensure a method of authentication is defined and analyze CAS logs at DEBUG level to trace the authentication event.", credential2, credential2.getClass().getSimpleName());
                            handleAuthenticationException(e, next.getName(), defaultAuthenticationBuilder);
                            z = true;
                        }
                    } else {
                        LOGGER.debug("Authentication handler [{}] does not support the credential type [{}]. Trying next...", next.getName(), credential2);
                    }
                }
            }
            evaluateFinalAuthentication(defaultAuthenticationBuilder, authenticationTransaction);
            AuthenticationCredentialsThreadLocalBinder.clearInProgressAuthentication();
            return defaultAuthenticationBuilder;
        } catch (Throwable th) {
            AuthenticationCredentialsThreadLocalBinder.clearInProgressAuthentication();
            throw th;
        }
    }

    protected void evaluateFinalAuthentication(AuthenticationBuilder authenticationBuilder, AuthenticationTransaction authenticationTransaction) throws AuthenticationException {
        if (authenticationBuilder.getSuccesses().isEmpty()) {
            publishEvent(new CasAuthenticationTransactionFailureEvent(this, authenticationBuilder.getFailures(), authenticationTransaction.getCredentials()));
            throw new AuthenticationException(authenticationBuilder.getFailures(), authenticationBuilder.getSuccesses());
        }
        Authentication build = authenticationBuilder.build();
        Pair<Boolean, Set<Throwable>> evaluateAuthenticationPolicies = evaluateAuthenticationPolicies(build, authenticationTransaction);
        if (evaluateAuthenticationPolicies.getKey().booleanValue()) {
            return;
        }
        publishEvent(new CasAuthenticationPolicyFailureEvent(this, authenticationBuilder.getFailures(), authenticationTransaction, build));
        evaluateAuthenticationPolicies.getValue().forEach(th -> {
            handleAuthenticationException(th, th.getClass().getSimpleName(), authenticationBuilder);
        });
        throw new AuthenticationException(authenticationBuilder.getFailures(), authenticationBuilder.getSuccesses());
    }

    protected Pair<Boolean, Set<Throwable>> evaluateAuthenticationPolicies(Authentication authentication, AuthenticationTransaction authenticationTransaction) {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        this.authenticationEventExecutionPlan.getAuthenticationPolicies(authenticationTransaction).forEach(authenticationPolicy -> {
            try {
                String simpleName = authenticationPolicy.getClass().getSimpleName();
                LOGGER.debug("Executing authentication policy [{}]", simpleName);
                if (!authenticationPolicy.isSatisfiedBy(authentication)) {
                    linkedHashSet.add(new AuthenticationException("Unable to satisfy authentication policy " + simpleName));
                }
            } catch (GeneralSecurityException e) {
                LOGGER.debug(e.getMessage(), (Throwable) e);
                linkedHashSet.add(e.getCause());
            } catch (Exception e2) {
                LOGGER.debug(e2.getMessage(), (Throwable) e2);
                linkedHashSet.add(e2);
            }
        });
        return Pair.of(Boolean.valueOf(linkedHashSet.isEmpty()), linkedHashSet);
    }

    protected void handleAuthenticationException(Throwable th, String str, AuthenticationBuilder authenticationBuilder) {
        Throwable th2 = th;
        if (th instanceof UndeclaredThrowableException) {
            th2 = ((UndeclaredThrowableException) th).getUndeclaredThrowable();
        }
        StringBuilder sb = new StringBuilder(StringUtils.defaultString(th2.getMessage()));
        if (th2.getCause() != null) {
            sb.append(" / ").append(th2.getCause().getMessage());
        }
        if (th2 instanceof GeneralSecurityException) {
            LOGGER.debug("[{}] exception details: [{}].", str, sb);
            authenticationBuilder.addFailure(str, th2);
        } else {
            LOGGER.error("[{}]: [{}]", str, sb);
            authenticationBuilder.addFailure(str, th2);
        }
    }

    @Generated
    public PolicyBasedAuthenticationManager(AuthenticationEventExecutionPlan authenticationEventExecutionPlan, boolean z, ApplicationEventPublisher applicationEventPublisher) {
        this.authenticationEventExecutionPlan = authenticationEventExecutionPlan;
        this.principalResolutionFailureFatal = z;
        this.eventPublisher = applicationEventPublisher;
    }

    @Generated
    public AuthenticationEventExecutionPlan getAuthenticationEventExecutionPlan() {
        return this.authenticationEventExecutionPlan;
    }

    @Generated
    public boolean isPrincipalResolutionFailureFatal() {
        return this.principalResolutionFailureFatal;
    }

    @Generated
    public ApplicationEventPublisher getEventPublisher() {
        return this.eventPublisher;
    }
}
