package org.apereo.cas.authentication;

import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apereo.cas.services.MultifactorAuthenticationProvider;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceMultifactorPolicy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.Pair;
import org.apereo.inspektr.aspect.TraceLogAspect;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.internal.AroundClosure;
import org.aspectj.runtime.reflect.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.context.config.annotation.RefreshScope;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.OrderComparator;
import org.springframework.stereotype.Component;

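/**
 * Decides whether an existing {@link Authentication} already satisfies a requested
 * multifactor authentication context.
 *
 * <p>The decision is returned as a {@code Pair}: the first element says whether the
 * requested context counts as satisfied, the second carries the provider involved in
 * the decision, when there is one.
 *
 * <p>Security note: a {@code true} result does not always mean that a second factor was
 * presented. When the requested provider's {@code verify(service)} call returns
 * {@code false}, the {@code PHANTOM} and {@code OPEN} failure modes make
 * {@link #validate} return {@code true} anyway. The failure mode comes from the
 * service's multifactor policy, or from {@code cas.mfa.failure.mode} (default
 * {@code CLOSED}) when the service does not define one.
 *
 * <p>This listing looks like decompiler output of an AspectJ-woven class: the public
 * methods route through {@code TraceLogAspect} to the static {@code *_aroundBody*}
 * methods, which hold the actual logic. The {@code ajc$...} members are weaving
 * artifacts and are kept as found.
 */
@RefreshScope
@Component("authenticationContextValidator")
/* loaded from: input_file:org/apereo/cas/authentication/AuthenticationContextValidator.class */
public class AuthenticationContextValidator {
    private transient Logger logger = LoggerFactory.getLogger(getClass());

    // Name of the authentication attribute that lists the contexts already satisfied.
    @Value("${cas.mfa.authn.ctx.attribute:authnContextClass}")
    private String authenticationContextAttribute;

    @Autowired
    @Qualifier("servicesManager")
    private ServicesManager servicesManager;

    // Fallback failure mode, used when a service's multifactor policy defines none.
    @Value("${cas.mfa.failure.mode:CLOSED}")
    private String globalFailureMode;

    @Autowired
    private ConfigurableApplicationContext applicationContext;
    // Join-point descriptors filled in by ajc$preClinit(). NOTE(review): assigning a
    // field declared "final ... = null" is a decompiler rendering, not valid source.
    private static final JoinPoint.StaticPart ajc$tjp_0 = null;
    private static final JoinPoint.StaticPart ajc$tjp_1 = null;

    /* loaded from: input_file:org/apereo/cas/authentication/AuthenticationContextValidator$AjcClosure1.class */
    /** Woven closure that invokes {@code getAuthenticationContextAttribute_aroundBody0}. */
    public class AjcClosure1 extends AroundClosure {
        public AjcClosure1(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            // state[0] is the validator instance, state[1] the join point.
            Object[] objArr2 = ((AroundClosure) this).state;
            return AuthenticationContextValidator.getAuthenticationContextAttribute_aroundBody0((AuthenticationContextValidator) objArr2[0], (JoinPoint) objArr2[1]);
        }
    }

    /* loaded from: input_file:org/apereo/cas/authentication/AuthenticationContextValidator$AjcClosure3.class */
    /** Woven closure that invokes {@code validate_aroundBody2}. */
    public class AjcClosure3 extends AroundClosure {
        public AjcClosure3(Object[] objArr) {
            super(objArr);
        }

        public Object run(Object[] objArr) {
            // state holds, in order: validator, authentication, requested context,
            // registered service, join point.
            Object[] objArr2 = ((AroundClosure) this).state;
            return AuthenticationContextValidator.validate_aroundBody2((AuthenticationContextValidator) objArr2[0], (Authentication) objArr2[1], (String) objArr2[2], (RegisteredService) objArr2[3], (JoinPoint) objArr2[4]);
        }
    }

    /**
     * Returns the name of the authentication attribute that records satisfied contexts.
     * The call is routed through {@code TraceLogAspect}; the value itself comes from
     * {@code getAuthenticationContextAttribute_aroundBody0}.
     *
     * @return the configured attribute name
     */
    public String getAuthenticationContextAttribute() {
        return (String) TraceLogAspect.aspectOf().traceMethod(new AjcClosure1(new Object[]{this, Factory.makeJP(ajc$tjp_0, this, this)}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Overrides the name of the authentication attribute that records satisfied contexts.
     *
     * @param str the attribute name to read from the authentication
     */
    public void setAuthenticationContextAttribute(String str) {
        this.authenticationContextAttribute = str;
    }

    /**
     * Checks whether {@code authentication} satisfies the requested context. The call is
     * routed through {@code TraceLogAspect}; the logic lives in
     * {@code validate_aroundBody2}.
     *
     * @param authentication the authentication whose attributes are inspected
     * @param str the requested authentication context, compared against provider ids
     * @param registeredService the service whose multifactor policy supplies the failure mode
     * @return a pair of (satisfied, provider involved in the decision)
     */
    public Pair<Boolean, Optional<MultifactorAuthenticationProvider>> validate(Authentication authentication, String str, RegisteredService registeredService) {
        return (Pair) TraceLogAspect.aspectOf().traceMethod(new AjcClosure3(new Object[]{this, authentication, str, registeredService, Factory.makeJP(ajc$tjp_1, this, this, new Object[]{authentication, str, registeredService})}).linkClosureAndJoinPoint(69648));
    }

    /**
     * Looks up every {@link MultifactorAuthenticationProvider} bean in the application context.
     *
     * @return the providers keyed by bean name, or {@code null} when the lookup fails
     */
    private Map<String, MultifactorAuthenticationProvider> getAllMultifactorAuthenticationProvidersFromApplicationContext() {
        try {
            return this.applicationContext.getBeansOfType(MultifactorAuthenticationProvider.class);
        } catch (Exception e) {
            // Keep the cause in the log: the caller reports a null result as
            // "No providers have been configured", which would otherwise hide a
            // broken bean definition behind a message about missing configuration.
            this.logger.warn("Could not locate beans of type {} in the application context", MultifactorAuthenticationProvider.class, e);
            return null;
        }
    }

    /**
     * Narrows {@code collection} to the providers whose id is recorded in the
     * authentication-context attribute of {@code authentication}.
     *
     * <p>The collection is filtered in place and returned, so the caller's collection
     * is modified.
     *
     * @param authentication the authentication whose context attribute is read
     * @param collection the candidate providers; mutated by this call
     * @return the filtered collection, or {@code null} when the attribute yields no contexts
     */
    private Collection<MultifactorAuthenticationProvider> getSatisfiedAuthenticationProviders(Authentication authentication, Collection<MultifactorAuthenticationProvider> collection) {
        Set contexts = CollectionUtils.convertValueToCollection(authentication.getAttributes().get(this.authenticationContextAttribute));
        if (contexts == null || contexts.isEmpty()) {
            this.logger.debug("No authentication context could be determined based on authentication attribute {}", this.authenticationContextAttribute);
            return null;
        }
        // Keep a provider when its id equals ANY recorded context. Filtering once per
        // context (drop everything that differs from this one value) removed every
        // provider as soon as the attribute held two distinct values, so a user who had
        // completed several factors was reported as having satisfied none.
        collection.removeIf(provider -> contexts.stream().noneMatch(context -> provider.getId().equals(context)));
        this.logger.debug("Found {} providers that may satisfy the context", Integer.valueOf(collection.size()));
        return collection;
    }

    /**
     * Finds the provider whose id equals the requested context.
     *
     * @param collection the providers to search
     * @param str the requested authentication context
     * @return the first provider with a matching id, or empty when none matches
     */
    private static Optional<MultifactorAuthenticationProvider> locateRequestedProvider(Collection<MultifactorAuthenticationProvider> collection, String str) {
        return collection.stream().filter(multifactorAuthenticationProvider -> {
            return multifactorAuthenticationProvider.getId().equals(str);
        }).findFirst();
    }

    /**
     * Resolves the failure mode that applies to {@code registeredService}: the mode of
     * its multifactor policy when set, otherwise the global setting.
     *
     * <p>NOTE(review): {@code registeredService} is dereferenced without a null check,
     * and {@code valueOf} is given the raw configuration string. If {@code FailureModes}
     * is an enum, as its use here suggests, a misspelt or differently cased
     * {@code cas.mfa.failure.mode} value throws instead of falling back to a closed
     * mode. Confirm both against the callers and the deployment configuration.
     *
     * @param registeredService the service whose policy is consulted
     * @return the effective failure mode
     */
    private RegisteredServiceMultifactorPolicy.FailureModes getMultifactorFailureModeForService(RegisteredService registeredService) {
        RegisteredServiceMultifactorPolicy multifactorPolicy = registeredService.getMultifactorPolicy();
        return (multifactorPolicy == null || multifactorPolicy.getFailureMode() == null) ? RegisteredServiceMultifactorPolicy.FailureModes.valueOf(this.globalFailureMode) : multifactorPolicy.getFailureMode();
    }

    static {
        ajc$preClinit();
    }

    /** Body of {@link #getAuthenticationContextAttribute()}: returns the configured attribute name. */
    static final String getAuthenticationContextAttribute_aroundBody0(AuthenticationContextValidator authenticationContextValidator, JoinPoint joinPoint) {
        return authenticationContextValidator.authenticationContextAttribute;
    }

    /**
     * Body of {@link #validate}. The checks run in this order:
     * <ol>
     *   <li>no provider beans can be loaded: not satisfied, no provider;</li>
     *   <li>no provider has an id equal to the requested context: not satisfied, no provider;</li>
     *   <li>the authentication-context attribute lists the requested context: satisfied;</li>
     *   <li>the attribute yields no contexts: not satisfied;</li>
     *   <li>a provider recorded in the attribute is the requested provider, or has an
     *       order greater than or equal to it: satisfied;</li>
     *   <li>otherwise the failure mode decides, and only when the requested provider's
     *       {@code verify(service)} returns {@code false}: {@code PHANTOM} and
     *       {@code OPEN} report satisfied, every other case reports not satisfied.</li>
     * </ol>
     *
     * @param authenticationContextValidator the validator instance the woven call targets
     * @param authentication the authentication whose attributes are inspected
     * @param str the requested authentication context
     * @param registeredService the service whose multifactor policy supplies the failure mode
     * @param joinPoint the AspectJ join point; not used by the body
     * @return a pair of (satisfied, provider involved in the decision)
     */
    static final Pair validate_aroundBody2(AuthenticationContextValidator authenticationContextValidator, Authentication authentication, String str, RegisteredService registeredService, JoinPoint joinPoint) {
        Set contexts = CollectionUtils.convertValueToCollection(authentication.getAttributes().get(authenticationContextValidator.authenticationContextAttribute));
        authenticationContextValidator.logger.debug("Attempting to match requested authentication context {} against {}", str, contexts);
        Map<String, MultifactorAuthenticationProvider> providers = authenticationContextValidator.getAllMultifactorAuthenticationProvidersFromApplicationContext();
        if (providers == null) {
            authenticationContextValidator.logger.debug("No providers have been configured");
            return new Pair(false, Optional.empty());
        }
        Optional<MultifactorAuthenticationProvider> requested = locateRequestedProvider(providers.values(), str);
        if (!requested.isPresent()) {
            authenticationContextValidator.logger.debug("Requested authentication provider cannot be recognized.");
            return new Pair(false, Optional.empty());
        }
        // getSatisfiedAuthenticationProviders treats a null context set as possible, so
        // guard here as well: a missing attribute, or a null entry in it, must fall
        // through to the "not satisfied" paths below rather than abort with an NPE.
        if (contexts != null && contexts.stream().anyMatch(obj -> obj != null && obj.toString().equals(str))) {
            authenticationContextValidator.logger.debug("Requested authentication context {} is satisfied", str);
            return new Pair(true, requested);
        }
        // This call filters providers.values() in place; the map is not read again below.
        Collection<MultifactorAuthenticationProvider> satisfiedProviders = authenticationContextValidator.getSatisfiedAuthenticationProviders(authentication, providers.values());
        if (satisfiedProviders == null) {
            authenticationContextValidator.logger.debug("No satisfied multifactor authentication providers are recorded in the current authentication context.");
            return new Pair(false, requested);
        }
        if (!satisfiedProviders.isEmpty()) {
            MultifactorAuthenticationProvider[] ordered = (MultifactorAuthenticationProvider[]) satisfiedProviders.toArray(new MultifactorAuthenticationProvider[0]);
            OrderComparator.sortIfNecessary(ordered);
            MultifactorAuthenticationProvider requestedProvider = requested.get();
            // A provider with an order at or above the requested one is accepted in its place.
            Optional<MultifactorAuthenticationProvider> satisfying = Arrays.stream(ordered).filter(provider -> {
                return provider.equals(requestedProvider) || provider.getOrder() >= requestedProvider.getOrder();
            }).findFirst();
            if (satisfying.isPresent()) {
                authenticationContextValidator.logger.debug("Current provider {} already satisfies the authentication requirements of {}; proceed with flow normally.", satisfying.get(), requested);
                return new Pair(true, requested);
            }
        }
        authenticationContextValidator.logger.debug("No multifactor providers could be located to satisfy the requested context for {}", requested);
        RegisteredServiceMultifactorPolicy.FailureModes failureMode = authenticationContextValidator.getMultifactorFailureModeForService(registeredService);
        if (failureMode == RegisteredServiceMultifactorPolicy.FailureModes.PHANTOM && !requested.get().verify(registeredService)) {
            // The requested factor was NOT presented, yet the context is reported as
            // satisfied. Logged at WARN so the bypass stays visible when DEBUG is off.
            authenticationContextValidator.logger.warn("Service {} is configured to use a {} failure mode for multifactor authentication policy. Since provider {} is unavailable at the moment, CAS will knowingly allow [{}] as a satisfied criteria of the present authentication context", new Object[]{registeredService.getServiceId(), failureMode, requested, str});
            return new Pair(true, requested);
        }
        // Anything but OPEN with a failed verify() is treated as not satisfied (fail closed).
        if (failureMode != RegisteredServiceMultifactorPolicy.FailureModes.OPEN || requested.get().verify(registeredService)) {
            return new Pair(false, requested);
        }
        // Fail-open path: authentication is accepted without the requested factor.
        // Logged at WARN for the same reason as the PHANTOM branch above.
        authenticationContextValidator.logger.warn("Service {} is configured to use a {} failure mode for multifactor authentication policy and since provider {} is unavailable at the moment, CAS will consider the authentication satisfied without the presence of {}", new Object[]{registeredService.getServiceId(), failureMode, requested, str});
        return new Pair(true, satisfiedProviders.stream().findFirst());
    }

    /** AspectJ weaving artifact: builds the static join-point descriptors for the two traced methods. */
    private static void ajc$preClinit() {
        Factory factory = new Factory("AuthenticationContextValidator.java", AuthenticationContextValidator.class);
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "getAuthenticationContextAttribute", "org.apereo.cas.authentication.AuthenticationContextValidator", "", "", "", "java.lang.String"), 52);
        ajc$tjp_1 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "validate", "org.apereo.cas.authentication.AuthenticationContextValidator", "org.apereo.cas.authentication.Authentication:java.lang.String:org.apereo.cas.services.RegisteredService", "authentication:requestedContext:service", "", "org.apereo.cas.util.Pair"), 69);
    }
}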
