package org.apereo.cas.web.support.mgmr;

import com.google.common.base.Splitter;
import jakarta.servlet.http.HttpServletRequest;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.adaptive.geo.GeoLocationResponse;
import org.apereo.cas.authentication.adaptive.geo.GeoLocationService;
import org.apereo.cas.configuration.model.support.cookie.PinnableCookieProperties;
import org.apereo.cas.multitenancy.TenantExtractor;
import org.apereo.cas.util.RegexUtils;
import org.apereo.cas.util.crypto.CipherExecutorResolver;
import org.apereo.cas.util.http.HttpRequestUtils;
import org.apereo.cas.web.cookie.CookieSameSitePolicy;
import org.apereo.cas.web.support.InvalidCookieException;
import org.apereo.inspektr.common.web.ClientInfo;
import org.apereo.inspektr.common.web.ClientInfoHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-cookie-api-7.3.0-RC2.jar:org/apereo/cas/web/support/mgmr/DefaultCasCookieValueManager.class */
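/**
 * Cookie value manager that can pin a cookie to the client it was issued to.
 *
 * <p>When {@code pinToSession} is enabled the stored value has the form
 * {@code value@clientAddressOrLocation@userAgent}. On read, the second and third
 * fields are compared with the current request and the cookie is rejected with an
 * {@link InvalidCookieException} on mismatch.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Fields are joined with {@code '@'} and are not escaped. A cookie value or
 *       user-agent that itself contains {@code '@'} produces more than
 *       {@link #COOKIE_FIELDS_LENGTH} fields and is rejected when read back.</li>
 *   <li>The client address comes from {@link ClientInfoHolder}. How that address is
 *       derived (socket peer vs. a forwarded header) is not visible in this class;
 *       the strength of the pinning depends on it - confirm in the deployment.</li>
 *   <li>{@code allowedIpAddressesPattern} is tested against the <em>current</em>
 *       client address only. A broad pattern therefore relaxes address pinning for
 *       every client that matches it.</li>
 *   <li>Confidentiality and integrity of the compound value are presumably provided
 *       by {@link EncryptedCookieValueManager}; that code is not shown here.</li>
 * </ul>
 */
public class DefaultCasCookieValueManager extends EncryptedCookieValueManager {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultCasCookieValueManager.class);

    /** Separator between the fields of the compound cookie value. */
    private static final char COOKIE_FIELD_SEPARATOR = '@';

    /** Fields a pinned cookie must carry: value, client address or location, user-agent. */
    private static final int COOKIE_FIELDS_LENGTH = 3;

    private static final long serialVersionUID = -2696352696382374584L;

    private final PinnableCookieProperties cookieProperties;
    private final ObjectProvider<GeoLocationService> geoLocationService;

    /**
     * Creates the manager.
     *
     * @param cipherExecutorResolver passed to the superclass
     * @param tenantExtractor passed to the superclass
     * @param objectProvider provider of the optional geolocation service
     * @param cookieSameSitePolicy passed to the superclass
     * @param pinnableCookieProperties pinning settings read on every build and read
     */
    public DefaultCasCookieValueManager(CipherExecutorResolver cipherExecutorResolver, TenantExtractor tenantExtractor, ObjectProvider<GeoLocationService> objectProvider, CookieSameSitePolicy cookieSameSitePolicy, PinnableCookieProperties pinnableCookieProperties) {
        super(cipherExecutorResolver, tenantExtractor, cookieSameSitePolicy);
        this.geoLocationService = objectProvider;
        this.cookieProperties = pinnableCookieProperties;
    }

    /**
     * Builds the value that is stored in the cookie.
     *
     * @param str the plain cookie value
     * @param httpServletRequest the request the cookie is issued for
     * @return {@code str} unchanged when pinning is disabled, otherwise {@code str}
     *     followed by the client address (or geolocation) and the user-agent
     * @throws IllegalStateException if pinning is enabled and the request has no user-agent
     */
    @Override
    protected String buildCompoundCookieValue(String str, HttpServletRequest httpServletRequest) {
        StringBuilder compound = new StringBuilder(str);
        if (this.cookieProperties.isPinToSession()) {
            ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
            if (clientInfo != null) {
                String clientLocation = this.cookieProperties.isGeoLocateClientSession()
                    ? getClientGeoLocation(clientInfo)
                    : clientInfo.getClientIpAddress();
                compound.append(COOKIE_FIELD_SEPARATOR).append(clientLocation);
            } else {
                // Without client information the address field is left out, so the cookie
                // carries fewer fields than the reader requires. Surface this instead of
                // silently issuing a cookie that will normally be rejected when read back.
                LOGGER.warn("Cookie session-pinning is enabled but no client information is available; "
                    + "the cookie is built without a client address");
            }
            String userAgent = HttpRequestUtils.getHttpServletRequestUserAgent(httpServletRequest);
            if (StringUtils.isBlank(userAgent)) {
                throw new IllegalStateException("Request does not specify a user-agent");
            }
            compound.append(COOKIE_FIELD_SEPARATOR).append(userAgent);
        } else {
            LOGGER.trace("Cookie session-pinning is disabled");
        }
        return compound.toString();
    }

    /**
     * Resolves the location string used to pin a cookie when geolocation is enabled.
     *
     * @param clientInfo the current client; must not be {@code null}
     * @return the comma-delimited addresses reported by the first available
     *     geolocation service, or the client IP address when no service is available
     *     or the service reports no addresses
     */
    private String getClientGeoLocation(ClientInfo clientInfo) {
        Objects.requireNonNull(clientInfo);
        return this.geoLocationService.stream()
            .map(service -> {
                GeoLocationResponse response = service.locate(clientInfo.getClientIpAddress());
                boolean noAddresses = response == null
                    || response.getAddresses() == null
                    || response.getAddresses().isEmpty();
                // Fall back to the raw IP so the pinned field is never empty.
                return noAddresses
                    ? clientInfo.getClientIpAddress()
                    : org.springframework.util.StringUtils.collectionToCommaDelimitedString(response.getAddresses());
            })
            .filter(Objects::nonNull)
            .findFirst()
            .orElseGet(clientInfo::getClientIpAddress);
    }

    /**
     * Extracts the plain value from a compound cookie and, when pinning is enabled,
     * verifies that the cookie is presented by the client it was issued to.
     *
     * <p>The exception messages and WARN logs below include the pinned and the observed
     * address and user-agent. The user-agent is request-supplied; NOTE(review): confirm
     * that the log layout encodes control characters.
     *
     * @param str the compound cookie value
     * @param httpServletRequest the request presenting the cookie
     * @return the first field of the compound value
     * @throws InvalidCookieException if fields are missing or blank, client information
     *     is unavailable, or the pinned address/location or user-agent does not match
     */
    @Override
    protected String obtainValueFromCompoundCookie(String str, HttpServletRequest httpServletRequest) {
        List<String> fields = Splitter.on(String.valueOf(COOKIE_FIELD_SEPARATOR)).splitToList(str);
        String cookieValue = fields.getFirst();
        if (!this.cookieProperties.isPinToSession()) {
            LOGGER.trace("Cookie session-pinning is disabled. Returning cookie value as it was provided");
            return cookieValue;
        }
        // Exact count: extra separators inside a field also end up here.
        if (fields.size() != COOKIE_FIELDS_LENGTH) {
            throw new InvalidCookieException("Invalid cookie. Required fields are missing");
        }
        String pinnedAddress = fields.get(1);
        String pinnedUserAgent = fields.get(2);
        if (Stream.of(cookieValue, pinnedAddress, pinnedUserAgent).anyMatch(StringUtils::isBlank)) {
            throw new InvalidCookieException("Invalid cookie. Required fields are empty");
        }
        ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
        if (clientInfo == null) {
            String message = "Unable to match required remote address %s because client ip at time of cookie creation is unknown".formatted(pinnedAddress);
            LOGGER.warn(message);
            throw new InvalidCookieException(message);
        }
        if (this.cookieProperties.isGeoLocateClientSession()) {
            String currentLocation = getClientGeoLocation(clientInfo);
            if (!pinnedAddress.equals(currentLocation)) {
                String message = "Invalid cookie. Required remote address %s does not match %s".formatted(pinnedAddress, currentLocation);
                LOGGER.warn(message);
                throw new InvalidCookieException(message);
            }
        } else {
            String currentAddress = clientInfo.getClientIpAddress();
            if (!pinnedAddress.equals(currentAddress)) {
                // The allow-list is checked against the current address only; the pinned
                // address is not consulted. NOTE(review): RegexUtils.find presumably does a
                // partial match - anchor the configured pattern; confirm against RegexUtils.
                String allowedPattern = this.cookieProperties.getAllowedIpAddressesPattern();
                if (StringUtils.isBlank(allowedPattern) || !RegexUtils.find(allowedPattern, currentAddress)) {
                    String message = "Invalid cookie. Required remote address %s does not match %s".formatted(pinnedAddress, currentAddress);
                    LOGGER.warn(message);
                    throw new InvalidCookieException(message);
                }
                LOGGER.debug("Required remote address [{}] does not match [{}], but it's authorized to proceed", pinnedAddress, currentAddress);
            }
        }
        String currentUserAgent = HttpRequestUtils.getHttpServletRequestUserAgent(httpServletRequest);
        if (!pinnedUserAgent.equals(currentUserAgent)) {
            String message = "Invalid cookie. Required user-agent %s does not match %s".formatted(pinnedUserAgent, currentUserAgent);
            LOGGER.warn(message);
            throw new InvalidCookieException(message);
        }
        return cookieValue;
    }
}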
