package org.apereo.cas.services.util;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.Generated;
import org.apereo.cas.CasProtocolConstants;
import org.apereo.cas.services.RegisteredServiceAccessStrategyRequest;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.RegexUtils;
import org.apereo.cas.util.nativex.CasRuntimeHintsRegistrar;
import org.apereo.cas.util.scripting.ExecutableCompiledScript;
import org.apereo.cas.util.scripting.ExecutableCompiledScriptFactory;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-services-api-7.2.0-RC4.jar:org/apereo/cas/services/util/RegisteredServiceAccessStrategyEvaluator.class */
public class RegisteredServiceAccessStrategyEvaluator implements Function<RegisteredServiceAccessStrategyRequest, Boolean> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) RegisteredServiceAccessStrategyEvaluator.class);
    private Map<String, Set<String>> requiredAttributes;
    private Map<String, Set<String>> rejectedAttributes;
    private boolean caseInsensitive;
    private boolean requireAllAttributes;

    @Generated
    /* loaded from: input_file:WEB-INF/lib/cas-server-core-services-api-7.2.0-RC4.jar:org/apereo/cas/services/util/RegisteredServiceAccessStrategyEvaluator$RegisteredServiceAccessStrategyEvaluatorBuilder.class */
    public static abstract class RegisteredServiceAccessStrategyEvaluatorBuilder<C extends RegisteredServiceAccessStrategyEvaluator, B extends RegisteredServiceAccessStrategyEvaluatorBuilder<C, B>> {

        @Generated
        private boolean requiredAttributes$set;

        @Generated
        private Map<String, Set<String>> requiredAttributes$value;

        @Generated
        private boolean rejectedAttributes$set;

        @Generated
        private Map<String, Set<String>> rejectedAttributes$value;

        @Generated
        private boolean caseInsensitive;

        @Generated
        private boolean requireAllAttributes$set;

        @Generated
        private boolean requireAllAttributes$value;

        @Generated
        public B requiredAttributes(Map<String, Set<String>> map) {
            this.requiredAttributes$value = map;
            this.requiredAttributes$set = true;
            return self();
        }

        @Generated
        public B rejectedAttributes(Map<String, Set<String>> map) {
            this.rejectedAttributes$value = map;
            this.rejectedAttributes$set = true;
            return self();
        }

        @Generated
        public B caseInsensitive(boolean z) {
            this.caseInsensitive = z;
            return self();
        }

        @Generated
        public B requireAllAttributes(boolean z) {
            this.requireAllAttributes$value = z;
            this.requireAllAttributes$set = true;
            return self();
        }

        @Generated
        protected abstract B self();

        @Generated
        public abstract C build();

        @Generated
        public String toString() {
            return "RegisteredServiceAccessStrategyEvaluator.RegisteredServiceAccessStrategyEvaluatorBuilder(requiredAttributes$value=" + String.valueOf(this.requiredAttributes$value) + ", rejectedAttributes$value=" + String.valueOf(this.rejectedAttributes$value) + ", caseInsensitive=" + this.caseInsensitive + ", requireAllAttributes$value=" + this.requireAllAttributes$value + ")";
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    @Generated
    /* loaded from: input_file:WEB-INF/lib/cas-server-core-services-api-7.2.0-RC4.jar:org/apereo/cas/services/util/RegisteredServiceAccessStrategyEvaluator$RegisteredServiceAccessStrategyEvaluatorBuilderImpl.class */
    public static final class RegisteredServiceAccessStrategyEvaluatorBuilderImpl extends RegisteredServiceAccessStrategyEvaluatorBuilder<RegisteredServiceAccessStrategyEvaluator, RegisteredServiceAccessStrategyEvaluatorBuilderImpl> {
        @Generated
        private RegisteredServiceAccessStrategyEvaluatorBuilderImpl() {
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.apereo.cas.services.util.RegisteredServiceAccessStrategyEvaluator.RegisteredServiceAccessStrategyEvaluatorBuilder
        @Generated
        public RegisteredServiceAccessStrategyEvaluatorBuilderImpl self() {
            return this;
        }

        @Override // org.apereo.cas.services.util.RegisteredServiceAccessStrategyEvaluator.RegisteredServiceAccessStrategyEvaluatorBuilder
        @Generated
        public RegisteredServiceAccessStrategyEvaluator build() {
            return new RegisteredServiceAccessStrategyEvaluator(this);
        }
    }

    @Override // java.util.function.Function
    public Boolean apply(RegisteredServiceAccessStrategyRequest registeredServiceAccessStrategyRequest) {
        if ((this.rejectedAttributes == null || this.rejectedAttributes.isEmpty()) && (this.requiredAttributes == null || this.requiredAttributes.isEmpty())) {
            LOGGER.trace("Skipping access strategy policy, since no attributes rules are defined");
            return true;
        }
        if (!enoughAttributesAvailableToProcess(registeredServiceAccessStrategyRequest)) {
            LOGGER.debug("Access is denied. There are not enough attributes available to satisfy requirements");
            return false;
        }
        if (doRejectedAttributesRefusePrincipalAccess(registeredServiceAccessStrategyRequest)) {
            LOGGER.debug("Access is denied. The principal carries attributes that would reject service access");
            return false;
        }
        if (doRequiredAttributesAllowPrincipalAccess(registeredServiceAccessStrategyRequest, this.requiredAttributes)) {
            return true;
        }
        LOGGER.debug("Access is denied. The principal does not have the required attributes [{}]", this.requiredAttributes);
        return false;
    }

    protected boolean doRequiredAttributesAllowPrincipalAccess(RegisteredServiceAccessStrategyRequest registeredServiceAccessStrategyRequest, Map<String, Set<String>> map) {
        LOGGER.debug("These required attributes [{}] are examined against [{}] before service can proceed.", map, registeredServiceAccessStrategyRequest.getAttributes());
        return map.isEmpty() || requiredAttributesFoundInMap(registeredServiceAccessStrategyRequest, map);
    }

    protected boolean doRejectedAttributesRefusePrincipalAccess(RegisteredServiceAccessStrategyRequest registeredServiceAccessStrategyRequest) {
        LOGGER.debug("These rejected attributes [{}] are examined against [{}] before service can proceed.", this.rejectedAttributes, registeredServiceAccessStrategyRequest.getAttributes());
        return !this.rejectedAttributes.isEmpty() && requiredAttributesFoundInMap(registeredServiceAccessStrategyRequest, this.rejectedAttributes);
    }

    protected boolean enoughAttributesAvailableToProcess(RegisteredServiceAccessStrategyRequest registeredServiceAccessStrategyRequest) {
        if (!enoughRequiredAttributesAvailableToProcess(registeredServiceAccessStrategyRequest.getAttributes(), this.requiredAttributes)) {
            return false;
        }
        if (registeredServiceAccessStrategyRequest.getAttributes().size() >= this.rejectedAttributes.size()) {
            return true;
        }
        LOGGER.debug("The size of the principal attributes that are [{}] does not match defined rejected attributes, which means the principal is not carrying enough data to grant authorization", registeredServiceAccessStrategyRequest.getAttributes());
        return false;
    }

    protected boolean enoughRequiredAttributesAvailableToProcess(Map<String, List<Object>> map, Map<String, Set<String>> map2) {
        if (map.isEmpty() && !map2.isEmpty()) {
            LOGGER.debug("No principal attributes are found to satisfy defined attribute requirements");
            return false;
        }
        if (map.size() >= map2.size()) {
            return true;
        }
        LOGGER.debug("The size of the principal attributes that are [{}] does not match defined required attributes, which indicates the principal is not carrying enough data to grant authorization", map);
        return false;
    }

    protected boolean requiredAttributesFoundInMap(RegisteredServiceAccessStrategyRequest registeredServiceAccessStrategyRequest, Map<String, Set<String>> map) {
        Set set = (Set) map.keySet().stream().filter(str -> {
            return registeredServiceAccessStrategyRequest.getAttributes().containsKey(str);
        }).collect(Collectors.toSet());
        LOGGER.debug("Difference of checking required attributes: [{}]", set);
        if (this.requireAllAttributes && set.size() < map.size()) {
            return false;
        }
        Predicate predicate = Unchecked.predicate(str2 -> {
            return requiredAttributeFound(str2, registeredServiceAccessStrategyRequest, map);
        });
        return this.requireAllAttributes ? set.stream().allMatch(predicate) : set.stream().anyMatch(predicate);
    }

    protected boolean requiredAttributeFound(String str, RegisteredServiceAccessStrategyRequest registeredServiceAccessStrategyRequest, Map<String, Set<String>> map) throws Throwable {
        Set<String> set = map.get(str);
        Set<Object> collection = CollectionUtils.toCollection(registeredServiceAccessStrategyRequest.getAttributes().get(str));
        Optional<ExecutableCompiledScriptFactory> findExecutableCompiledScriptFactory = ExecutableCompiledScriptFactory.findExecutableCompiledScriptFactory();
        ArrayList arrayList = new ArrayList();
        for (String str2 : set) {
            if (findExecutableCompiledScriptFactory.isPresent() && findExecutableCompiledScriptFactory.get().isInlineScript(str2) && CasRuntimeHintsRegistrar.notInNativeImage()) {
                ExecutableCompiledScript fromScript = findExecutableCompiledScriptFactory.get().fromScript(findExecutableCompiledScriptFactory.get().getInlineScript(str2).orElseThrow());
                try {
                    Map<String, Object> wrap = CollectionUtils.wrap("principalId", registeredServiceAccessStrategyRequest.getPrincipalId(), "currentValues", collection, CasProtocolConstants.VALIDATION_CAS_MODEL_ATTRIBUTE_NAME_ATTRIBUTES, registeredServiceAccessStrategyRequest.getAttributes(), "logger", LOGGER);
                    fromScript.setBinding(wrap);
                    arrayList.add(fromScript.execute(wrap.values().toArray(), Boolean.class));
                    if (fromScript != null) {
                        fromScript.close();
                    }
                } catch (Throwable th) {
                    if (fromScript != null) {
                        try {
                            fromScript.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } else {
                Pattern createPattern = RegexUtils.createPattern(str2, this.caseInsensitive ? 2 : 0);
                LOGGER.debug("Checking [{}] against [{}] with pattern [{}] for attribute [{}]", set, collection, createPattern, str);
                if (createPattern.equals(RegexUtils.MATCH_NOTHING_PATTERN)) {
                    Stream<Object> stream = collection.stream();
                    Objects.requireNonNull(set);
                    arrayList.add(Boolean.valueOf(stream.anyMatch(set::contains)));
                } else {
                    arrayList.add(Boolean.valueOf(collection.stream().map((v0) -> {
                        return v0.toString();
                    }).anyMatch(createPattern.asPredicate())));
                }
            }
        }
        return arrayList.contains(true);
    }

    @Generated
    private static Map<String, Set<String>> $default$requiredAttributes() {
        return new HashMap(0);
    }

    @Generated
    private static Map<String, Set<String>> $default$rejectedAttributes() {
        return new HashMap(0);
    }

    @Generated
    private static boolean $default$requireAllAttributes() {
        return true;
    }

    @Generated
    protected RegisteredServiceAccessStrategyEvaluator(RegisteredServiceAccessStrategyEvaluatorBuilder<?, ?> registeredServiceAccessStrategyEvaluatorBuilder) {
        if (((RegisteredServiceAccessStrategyEvaluatorBuilder) registeredServiceAccessStrategyEvaluatorBuilder).requiredAttributes$set) {
            this.requiredAttributes = ((RegisteredServiceAccessStrategyEvaluatorBuilder) registeredServiceAccessStrategyEvaluatorBuilder).requiredAttributes$value;
        } else {
            this.requiredAttributes = $default$requiredAttributes();
        }
        if (((RegisteredServiceAccessStrategyEvaluatorBuilder) registeredServiceAccessStrategyEvaluatorBuilder).rejectedAttributes$set) {
            this.rejectedAttributes = ((RegisteredServiceAccessStrategyEvaluatorBuilder) registeredServiceAccessStrategyEvaluatorBuilder).rejectedAttributes$value;
        } else {
            this.rejectedAttributes = $default$rejectedAttributes();
        }
        this.caseInsensitive = ((RegisteredServiceAccessStrategyEvaluatorBuilder) registeredServiceAccessStrategyEvaluatorBuilder).caseInsensitive;
        if (((RegisteredServiceAccessStrategyEvaluatorBuilder) registeredServiceAccessStrategyEvaluatorBuilder).requireAllAttributes$set) {
            this.requireAllAttributes = ((RegisteredServiceAccessStrategyEvaluatorBuilder) registeredServiceAccessStrategyEvaluatorBuilder).requireAllAttributes$value;
        } else {
            this.requireAllAttributes = $default$requireAllAttributes();
        }
    }

    @Generated
    public static RegisteredServiceAccessStrategyEvaluatorBuilder<?, ?> builder() {
        return new RegisteredServiceAccessStrategyEvaluatorBuilderImpl();
    }

    @Generated
    public Map<String, Set<String>> getRequiredAttributes() {
        return this.requiredAttributes;
    }

    @Generated
    public Map<String, Set<String>> getRejectedAttributes() {
        return this.rejectedAttributes;
    }

    @Generated
    public boolean isCaseInsensitive() {
        return this.caseInsensitive;
    }

    @Generated
    public boolean isRequireAllAttributes() {
        return this.requireAllAttributes;
    }
}
