package org.apereo.cas.authentication.handler;

import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Set;
import lombok.Generated;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationHandlerResolver;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.AuthenticationTransaction;
import org.apereo.cas.authentication.MultifactorAuthenticationHandler;
import org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAuthenticationPolicy;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedSsoServiceException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-authentication-api-6.4.3.jar:org/apereo/cas/authentication/handler/RegisteredServiceAuthenticationHandlerResolver.class */
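/**
 * Narrows the candidate authentication handlers of a transaction to those permitted by the
 * authentication policy of the registered service the transaction targets.
 *
 * <p>{@link #resolve} applies the policy's required-handler list first and its
 * excluded-handler list second, so a handler named in both lists ends up excluded.
 * Handlers are matched by {@link AuthenticationHandler#getName()} against the policy's
 * string sets; a name that matches no configured handler is never reported as an error here.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The required-handler list never removes {@link MultifactorAuthenticationHandler} or
 *       {@link HttpBasedServiceCredentialsAuthenticationHandler} instances; only the
 *       excluded-handler list can remove those, by name.</li>
 *   <li>The access-strategy check ({@code isServiceAccessAllowed()}) lives in
 *       {@link #supports} only. {@link #resolve} rejects an unregistered service but does not
 *       repeat the access-strategy check. NOTE(review): confirm every caller invokes
 *       {@code supports} before {@code resolve}.</li>
 * </ul>
 */
public class RegisteredServiceAuthenticationHandlerResolver implements AuthenticationHandlerResolver {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(RegisteredServiceAuthenticationHandlerResolver.class);
    protected final ServicesManager servicesManager;
    protected final AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan;
    // Position of this resolver relative to other resolvers; defaults to 0 until setOrder is called.
    private int order;

    /**
     * Returns a copy of the candidates without the handlers the service policy excludes.
     *
     * @param set               candidate handlers; not modified
     * @param service           resolved service, used for logging only
     * @param registeredService registered service whose policy supplies the excluded names
     * @return a new insertion-ordered set holding the handlers that were not excluded
     */
    private static Set<AuthenticationHandler> filterExcludedAuthenticationHandlers(Set<AuthenticationHandler> set, Service service, RegisteredService registeredService) {
        Set<String> excludedNames = registeredService.getAuthenticationPolicy().getExcludedAuthenticationHandlers();
        LOGGER.debug("Authentication transaction excludes [{}] for service [{}]", excludedNames, service);
        // Work on a copy so the caller's set is left untouched.
        Set<AuthenticationHandler> candidates = new LinkedHashSet<>(set);
        LOGGER.debug("Candidate authentication handlers examined for this transaction are [{}]", candidates);
        if (!excludedNames.isEmpty()) {
            candidates.removeIf(handler -> {
                String name = handler.getName();
                boolean excluded = excludedNames.contains(name);
                if (excluded) {
                    LOGGER.debug("Authentication handler [{}] is excluded for this transaction and is removed", name);
                }
                return excluded;
            });
        }
        LOGGER.info("Final authentication handlers after exclusion rules are [{}]", candidates);
        return candidates;
    }

    /**
     * Returns a copy of the candidates restricted to the handlers the service policy requires.
     *
     * <p>When the required list is empty nothing is removed. Otherwise a handler is kept if
     * its name is in the list, or if it is a {@link MultifactorAuthenticationHandler} or a
     * {@link HttpBasedServiceCredentialsAuthenticationHandler}; those two types are kept
     * regardless of the list. If none of the required names matches a candidate, the result
     * holds only handlers of those two types and may be empty.
     *
     * @param set               candidate handlers; not modified
     * @param service           resolved service, used for logging only
     * @param registeredService registered service whose policy supplies the required names
     * @return a new insertion-ordered set holding the retained handlers
     */
    private static Set<AuthenticationHandler> filterRequiredAuthenticationHandlers(Set<AuthenticationHandler> set, Service service, RegisteredService registeredService) {
        Set<String> requiredNames = registeredService.getAuthenticationPolicy().getRequiredAuthenticationHandlers();
        LOGGER.debug("Authentication transaction requires [{}] for service [{}]", requiredNames, service);
        // Work on a copy so the caller's set is left untouched.
        Set<AuthenticationHandler> candidates = new LinkedHashSet<>(set);
        LOGGER.debug("Candidate authentication handlers examined for this transaction are [{}]", candidates);
        if (!requiredNames.isEmpty()) {
            candidates.removeIf(handler -> {
                String name = handler.getName();
                boolean alwaysRetained = handler instanceof MultifactorAuthenticationHandler
                    || handler instanceof HttpBasedServiceCredentialsAuthenticationHandler;
                if (alwaysRetained || requiredNames.contains(name)) {
                    return false;
                }
                LOGGER.debug("Authentication handler [{}] is removed", name);
                return true;
            });
        }
        LOGGER.info("Final authentication handlers after inclusion rules are [{}]", candidates);
        return candidates;
    }

    /**
     * Applies the service's required-handler rule and then its excluded-handler rule to the
     * candidate handlers.
     *
     * @param set                       candidate handlers; not modified
     * @param authenticationTransaction transaction whose service selects the policy
     * @return a new set with the handlers that remain after both rules
     * @throws UnauthorizedSsoServiceException if no registered service matches the resolved
     *         service; previously this case surfaced as a {@link NullPointerException}
     */
    @Override // org.apereo.cas.authentication.AuthenticationHandlerResolver
    public Set<AuthenticationHandler> resolve(Set<AuthenticationHandler> set, AuthenticationTransaction authenticationTransaction) {
        Service service = this.authenticationServiceSelectionPlan.resolveService(authenticationTransaction.getService());
        RegisteredService registeredService = this.servicesManager.findServiceBy(service);
        if (registeredService == null) {
            // Fail closed with the same exception supports() uses, instead of an NPE in the filters.
            LOGGER.warn("Service [{}] has no registered service definition; authentication handlers cannot be resolved.", service);
            throw new UnauthorizedSsoServiceException();
        }
        Set<AuthenticationHandler> required = filterRequiredAuthenticationHandlers(set, service, registeredService);
        return filterExcludedAuthenticationHandlers(required, service, registeredService);
    }

    /**
     * Tells whether this resolver applies to the transaction, i.e. whether the targeted
     * registered service declares any required or excluded authentication handlers.
     *
     * <p>A transaction whose service resolves to {@code null} is not supported, so no
     * service-specific handler policy is applied to it by this resolver.
     *
     * @param set                       candidate handlers; not consulted here
     * @param authenticationTransaction transaction whose service selects the policy
     * @return {@code true} if the policy has a non-empty required or excluded handler list
     * @throws UnauthorizedSsoServiceException if the service is not registered or its access
     *         strategy does not allow access
     */
    @Override // org.apereo.cas.authentication.AuthenticationHandlerResolver
    public boolean supports(Set<AuthenticationHandler> set, AuthenticationTransaction authenticationTransaction) {
        Service service = this.authenticationServiceSelectionPlan.resolveService(authenticationTransaction.getService());
        if (service == null) {
            return false;
        }
        RegisteredService registeredService = this.servicesManager.findServiceBy(service);
        LOGGER.trace("Located registered service definition [{}] for this authentication transaction", registeredService);
        if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
            LOGGER.warn("Service [{}] is not allowed to use SSO.", service);
            throw new UnauthorizedSsoServiceException();
        }
        RegisteredServiceAuthenticationPolicy policy = registeredService.getAuthenticationPolicy();
        return !policy.getRequiredAuthenticationHandlers().isEmpty()
            || !policy.getExcludedAuthenticationHandlers().isEmpty();
    }

    /**
     * Creates a resolver backed by the given service registry and service selection plan.
     *
     * @param servicesManager                    looks up the registered service for a resolved service
     * @param authenticationServiceSelectionPlan resolves the transaction's service before lookup
     */
    @Generated
    public RegisteredServiceAuthenticationHandlerResolver(ServicesManager servicesManager, AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan) {
        this.servicesManager = servicesManager;
        this.authenticationServiceSelectionPlan = authenticationServiceSelectionPlan;
    }

    /** @return the services manager used to look up registered services */
    @Generated
    public ServicesManager getServicesManager() {
        return this.servicesManager;
    }

    /** @return the selection plan used to resolve the transaction's service */
    @Generated
    public AuthenticationServiceSelectionPlan getAuthenticationServiceSelectionPlan() {
        return this.authenticationServiceSelectionPlan;
    }

    /** @return the order value of this resolver */
    @Override // org.apereo.cas.authentication.AuthenticationHandlerResolver, org.springframework.core.Ordered
    @Generated
    public int getOrder() {
        return this.order;
    }

    /** @param i the order value to assign to this resolver */
    @Generated
    public void setOrder(int i) {
        this.order = i;
    }
}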
