package org.apereo.cas.authentication.support;

import com.google.common.base.Predicates;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.ProtocolAttributeEncoder;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceCipherExecutor;
import org.apereo.cas.services.RegisteredServicePublicKeyCipherExecutor;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-services-authentication-6.4.6.jar:org/apereo/cas/authentication/support/DefaultCasProtocolAttributeEncoder.class */
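/**
 * CAS protocol attribute encoder that prepares the attribute map released to a service.
 *
 * <p>In {@link #encodeAttributesInternal}, the cached credential and the proxy-granting ticket
 * values are first encrypted for the registered service and only then placed into the released
 * attributes. Attribute names containing {@code ':'} or {@code '@'} are re-encoded and binary
 * ({@code byte[]}) values are base64-encoded.
 *
 * <p>Security-relevant invariant visible in this class: a sensitive cached value is copied into
 * the released attribute map only as the non-blank output of the
 * {@link RegisteredServiceCipherExecutor}. If encryption yields nothing, the value is dropped
 * rather than released in the clear.
 */
public class DefaultCasProtocolAttributeEncoder extends AbstractProtocolAttributeEncoder {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultCasProtocolAttributeEncoder.class);

    /** Cached-attribute key under which the (encrypted) cached credential is carried. */
    private static final String CREDENTIAL_ATTRIBUTE = "credential";

    /** Cached-attribute key for the proxy-granting ticket. */
    private static final String PROXY_GRANTING_TICKET_ATTRIBUTE = "proxyGrantingTicket";

    /** Cached-attribute key for the proxy-granting ticket IOU. */
    private static final String PROXY_GRANTING_TICKET_IOU_ATTRIBUTE = "pgtIou";

    /** Cipher used to decode the cached credential before it is re-encrypted for the service. */
    private final CipherExecutor<String, String> cacheCredentialCipherExecutor;

    /**
     * Creates an encoder that uses a new {@link RegisteredServicePublicKeyCipherExecutor}
     * as the per-service cipher.
     *
     * @param servicesManager the services manager handed to the parent encoder
     * @param cipherExecutor  the cipher used to decode the cached credential
     */
    public DefaultCasProtocolAttributeEncoder(ServicesManager servicesManager, CipherExecutor<String, String> cipherExecutor) {
        this(servicesManager, new RegisteredServicePublicKeyCipherExecutor(), cipherExecutor);
    }

    /**
     * Creates an encoder with an explicit per-service cipher.
     *
     * @param servicesManager                the services manager handed to the parent encoder
     * @param registeredServiceCipherExecutor the cipher handed to the parent encoder
     * @param cipherExecutor                 the cipher used to decode the cached credential
     */
    public DefaultCasProtocolAttributeEncoder(ServicesManager servicesManager, RegisteredServiceCipherExecutor registeredServiceCipherExecutor, CipherExecutor<String, String> cipherExecutor) {
        super(servicesManager, registeredServiceCipherExecutor);
        this.cacheCredentialCipherExecutor = cipherExecutor;
    }

    /**
     * Re-keys every attribute whose name needs sanitizing, replacing the name with the result of
     * {@link ProtocolAttributeEncoder#encodeAttribute} and base64-encoding a {@code byte[]} value.
     * Does nothing when the service's response format reports that encoding is not necessary.
     *
     * @param attributes the released attributes, modified in place
     * @param service    the requesting service; may be {@code null}
     */
    private static void sanitizeAndTransformAttributeNames(Map<String, Object> attributes, WebApplicationService service) {
        if (service != null && service.getFormat() != null && !service.getFormat().isEncodingNecessary()) {
            LOGGER.trace("Skipping attribute name sanitization for [{}]", service);
            return;
        }
        LOGGER.trace("Sanitizing attribute names in preparation of the final validation response");
        // Collect the replacements first; the map is only mutated after the stream has finished.
        Set<Pair<String, Object>> sanitized = attributes.keySet().stream()
            .filter(DefaultCasProtocolAttributeEncoder::getSanitizingAttributeNamePredicate)
            .map(name -> {
                Object values = attributes.get(name);
                // NOTE(review): attribute values are written to the TRACE log here; confirm that
                // TRACE is never enabled where released attributes are sensitive.
                LOGGER.trace("Encoding attribute [{}] with value(s) [{}]", name, values);
                return Pair.of(ProtocolAttributeEncoder.encodeAttribute(name), values);
            })
            .collect(Collectors.toSet());
        if (sanitized.isEmpty()) {
            return;
        }
        LOGGER.info("Found [{}] attribute(s) that need to be sanitized/encoded.", sanitized.size());
        attributes.keySet().removeIf(DefaultCasProtocolAttributeEncoder::getSanitizingAttributeNamePredicate);
        // NOTE(review): if an encoded name equals a key that is still present, or two names
        // encode to the same string, the later put overwrites the earlier value.
        sanitized.forEach(entry -> {
            String encodedName = entry.getKey();
            LOGGER.trace("Sanitized attribute name to be [{}]", encodedName);
            attributes.put(encodedName, transformAttributeValueIfNecessary(entry.getValue()));
        });
    }

    /**
     * Tells whether an attribute name must be sanitized.
     *
     * @param str the attribute name
     * @return {@code true} when the name contains {@code ':'} or {@code '@'};
     *         {@code false} otherwise, including for a {@code null} name
     */
    private static boolean getSanitizingAttributeNamePredicate(String str) {
        // A null key is possible in some Map implementations; treat it as "nothing to sanitize".
        return str != null && (str.contains(":") || str.contains("@"));
    }

    /**
     * Replaces attribute values that hold binary data with their base64 form.
     * When a multi-valued attribute holds several {@code byte[]} elements, the whole value is
     * replaced by the encoding of the last one visited.
     *
     * @param attributes the released attributes, modified in place
     */
    private static void sanitizeAndTransformAttributeValues(Map<String, Object> attributes) {
        LOGGER.trace("Sanitizing attribute values in preparation of the final validation response");
        // The put below targets a key that is already present, so it replaces a value and does
        // not add or remove an entry while the map is being traversed.
        attributes.forEach((name, values) ->
            CollectionUtils.toCollection(values).stream()
                .filter(getBinaryAttributeValuePredicate())
                .forEach(binary -> attributes.put(name, transformAttributeValueIfNecessary(binary))));
    }

    /**
     * Base64-encodes a {@code byte[]} value and returns any other value untouched.
     *
     * @param obj the attribute value
     * @return the base64 string for binary input, otherwise {@code obj} itself
     */
    private static Object transformAttributeValueIfNecessary(Object obj) {
        if (getBinaryAttributeValuePredicate().test(obj)) {
            return EncodingUtils.encodeBase64((byte[]) obj);
        }
        return obj;
    }

    /**
     * @return a predicate that matches {@code byte[]} instances
     */
    private static Predicate<Object> getBinaryAttributeValuePredicate() {
        return Predicates.instanceOf(byte[].class);
    }

    /**
     * Decodes the cached credential and re-encrypts it for the registered service.
     *
     * <p>The decoded value is written back into {@code map2} only so that
     * {@link #encryptAndEncodeAndPutIntoAttributesMap} can pick it up; that method removes it
     * again, so the decoded credential does not stay in {@code map2} after this call.
     *
     * @param map                            the released attributes, receives the encrypted value
     * @param map2                           the cached attributes, modified in place
     * @param registeredServiceCipherExecutor the cipher that encrypts for the service
     * @param registeredService              the service the value is encrypted for
     */
    protected void encodeAndEncryptCredentialPassword(Map<String, Object> map, Map<String, String> map2, RegisteredServiceCipherExecutor registeredServiceCipherExecutor, RegisteredService registeredService) {
        if (map2.containsKey(CREDENTIAL_ATTRIBUTE)) {
            String decoded = this.cacheCredentialCipherExecutor.decode(map2.get(CREDENTIAL_ATTRIBUTE), ArrayUtils.EMPTY_OBJECT_ARRAY);
            // Always drop the cached form; a blank decode result means nothing is released.
            map2.remove(CREDENTIAL_ATTRIBUTE);
            if (StringUtils.isNotBlank(decoded)) {
                map2.put(CREDENTIAL_ATTRIBUTE, decoded);
            }
        }
        encryptAndEncodeAndPutIntoAttributesMap(map, map2, CREDENTIAL_ATTRIBUTE, registeredServiceCipherExecutor, registeredService);
    }

    /**
     * Encrypts the proxy-granting ticket and its IOU for the registered service.
     *
     * @param map                            the released attributes, receives the encrypted values
     * @param map2                           the cached attributes, modified in place
     * @param registeredServiceCipherExecutor the cipher that encrypts for the service
     * @param registeredService              the service the values are encrypted for
     */
    protected void encodeAndEncryptProxyGrantingTicket(Map<String, Object> map, Map<String, String> map2, RegisteredServiceCipherExecutor registeredServiceCipherExecutor, RegisteredService registeredService) {
        encryptAndEncodeAndPutIntoAttributesMap(map, map2, PROXY_GRANTING_TICKET_ATTRIBUTE, registeredServiceCipherExecutor, registeredService);
        encryptAndEncodeAndPutIntoAttributesMap(map, map2, PROXY_GRANTING_TICKET_IOU_ATTRIBUTE, registeredServiceCipherExecutor, registeredService);
    }

    /**
     * Moves one cached attribute into the released attributes in encrypted form.
     *
     * <p>The cached value is removed from {@code map2} unconditionally. It reaches {@code map}
     * only as the non-blank output of the cipher; when the cipher returns a blank result the
     * attribute is not released at all.
     *
     * @param map                            the released attributes, receives the encrypted value
     * @param map2                           the cached attributes, modified in place
     * @param str                            the name of the cached attribute to process
     * @param registeredServiceCipherExecutor the cipher that encrypts for the service
     * @param registeredService              the service the value is encrypted for
     */
    protected void encryptAndEncodeAndPutIntoAttributesMap(Map<String, Object> map, Map<String, String> map2, String str, RegisteredServiceCipherExecutor registeredServiceCipherExecutor, RegisteredService registeredService) {
        String cachedValue = map2.remove(str);
        if (StringUtils.isBlank(cachedValue)) {
            LOGGER.trace("[{}] is not available as a cached model attribute to encrypt...", str);
            return;
        }
        LOGGER.trace("Retrieved [{}] as a cached model attribute...", str);
        String encodedValue = registeredServiceCipherExecutor.encode(cachedValue, Optional.of(registeredService));
        if (StringUtils.isBlank(encodedValue)) {
            // Fail closed: without ciphertext the value is withheld, never released as-is.
            LOGGER.warn("Attribute [{}] cannot be encoded and is removed from the collection of attributes", str);
            return;
        }
        map.put(str, encodedValue);
        // NOTE(review): the encrypted credential / ticket value is written to the TRACE log;
        // consider logging only the attribute name.
        LOGGER.trace("Encrypted and encoded [{}] as an attribute to [{}].", str, encodedValue);
    }

    /**
     * Runs the encoding steps in a fixed order: sensitive cached values are encrypted first,
     * then attribute names and finally attribute values are sanitized.
     *
     * @param map                            the released attributes, modified in place
     * @param map2                           the cached attributes, modified in place
     * @param registeredServiceCipherExecutor the cipher that encrypts for the service
     * @param registeredService              the service the attributes are released to
     * @param webApplicationService          the requesting service; may be {@code null}
     */
    @Override // org.apereo.cas.authentication.support.AbstractProtocolAttributeEncoder
    protected void encodeAttributesInternal(Map<String, Object> map, Map<String, String> map2, RegisteredServiceCipherExecutor registeredServiceCipherExecutor, RegisteredService registeredService, WebApplicationService webApplicationService) {
        encodeAndEncryptCredentialPassword(map, map2, registeredServiceCipherExecutor, registeredService);
        encodeAndEncryptProxyGrantingTicket(map, map2, registeredServiceCipherExecutor, registeredService);
        sanitizeAndTransformAttributeNames(map, webApplicationService);
        sanitizeAndTransformAttributeValues(map);
    }
}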
