package org.apereo.cas.services;

import java.util.Objects;
import java.util.Optional;
import lombok.Generated;
import org.apereo.cas.audit.AuditActionResolvers;
import org.apereo.cas.audit.AuditResourceResolvers;
import org.apereo.cas.audit.AuditableActions;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecutionResult;
import org.apereo.cas.audit.BaseAuditableExecution;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.PrincipalException;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredServicePrincipalAccessStrategyEnforcer;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.spring.beans.BeanSupplier;
import org.apereo.inspektr.audit.annotation.Audit;
import org.jooq.lambda.Unchecked;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.annotation.AnnotationAwareOrderComparator;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-services-api-7.3.0-RC2.jar:org/apereo/cas/services/RegisteredServiceAccessStrategyAuditableEnforcer.class */
/**
 * Auditable execution that enforces registered-service access strategies for the
 * request described by an {@link AuditableContext}.
 *
 * <p>{@link #execute(AuditableContext)} tries a fixed sequence of strategies, each keyed on
 * which pieces of the context are present, and returns the result of the first one that
 * applies. A denial is recorded as an exception on the returned
 * {@link AuditableExecutionResult}; it is not thrown from the principal-based strategies,
 * so callers have to inspect the result.
 *
 * <p>NOTE(review): a strategy that applies and passes ends the chain, so the later
 * strategies are not consulted for that request. Whether the principal enforcer also covers
 * the service-level checks done by {@code RegisteredServiceAccessStrategyUtils} is not
 * visible in this class; confirm before relying on it.
 */
public class RegisteredServiceAccessStrategyAuditableEnforcer extends BaseAuditableExecution {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(RegisteredServiceAccessStrategyAuditableEnforcer.class);

    // Source of the external RegisteredServiceAccessStrategyEnforcer beans; also handed to
    // the principal enforcer inside every authorization context built here.
    private final ConfigurableApplicationContext applicationContext;

    // Performs the principal-level authorization for the principal-based strategies.
    private final RegisteredServicePrincipalAccessStrategyEnforcer principalAccessStrategyEnforcer;

    /**
     * Creates the enforcer.
     *
     * @param configurableApplicationContext application context stored for bean lookup and
     *     for the authorization contexts
     * @param registeredServicePrincipalAccessStrategyEnforcer enforcer used for the
     *     principal-level checks
     */
    @Generated
    public RegisteredServiceAccessStrategyAuditableEnforcer(ConfigurableApplicationContext configurableApplicationContext, RegisteredServicePrincipalAccessStrategyEnforcer registeredServicePrincipalAccessStrategyEnforcer) {
        this.applicationContext = configurableApplicationContext;
        this.principalAccessStrategyEnforcer = registeredServicePrincipalAccessStrategyEnforcer;
    }

    /**
     * Runs the access-enforcement chain and returns the first applicable result.
     *
     * <p>Order: external enforcers (failures only), service ticket + authentication result,
     * service + ticket-granting ticket, service + principal, service + authentication,
     * service alone, registered service alone, and finally an unconditional denial.
     *
     * @param auditableContext the request context to evaluate
     * @return the result of the first strategy that applies; never an empty result
     */
    @Override
    @Audit(action = AuditableActions.SERVICE_ACCESS_ENFORCEMENT, actionResolverName = AuditActionResolvers.SERVICE_ACCESS_ENFORCEMENT_ACTION_RESOLVER, resourceResolverName = AuditResourceResolvers.SERVICE_ACCESS_ENFORCEMENT_RESOURCE_RESOLVER)
    public AuditableExecutionResult execute(AuditableContext auditableContext) {
        return byExternalAccessStrategyEnforcers(auditableContext)
            .or(() -> byServiceTicketAndAuthnResultAndRegisteredService(auditableContext))
            .or(() -> byServiceAndRegisteredServiceAndTicketGrantingTicket(auditableContext))
            .or(() -> byServiceAndRegisteredServiceAndPrincipal(auditableContext))
            .or(() -> byServiceAndRegisteredServiceAndAuthentication(auditableContext))
            .or(() -> byServiceAndRegisteredService(auditableContext))
            .or(() -> byRegisteredService(auditableContext))
            .orElseGet(() -> denyUnmatchedContext(auditableContext));
    }

    /**
     * Builds the fail-closed result used when no strategy applied.
     *
     * <p>Every built-in strategy needs a registered service and {@code byRegisteredService}
     * applies whenever one is present, so this is reached only when the context carries no
     * registered service and no external enforcer reported a failure.
     *
     * @param auditableContext the request context that matched no strategy
     * @return a result carrying an {@code UnauthorizedServiceException}
     */
    private static AuditableExecutionResult denyUnmatchedContext(AuditableContext auditableContext) {
        final AuditableExecutionResult denied = AuditableExecutionResult.builder()
            .registeredService(auditableContext.getRegisteredService().orElse(null))
            .service(auditableContext.getService().orElse(null))
            .authentication(auditableContext.getAuthentication().orElse(null))
            .build();
        denied.setException(UnauthorizedServiceException.denied("Unauthorized"));
        LOGGER.warn("Service is not registered in the service registry. Service is [{}] and registered service is [{}]", denied.getService().orElse(null), denied.getRegisteredService().orElse(null));
        return denied;
    }

    /**
     * Consults every {@code RegisteredServiceAccessStrategyEnforcer} bean in the application
     * context, in {@link AnnotationAwareOrderComparator} order, and returns the first result
     * that reports an execution failure.
     *
     * <p>Only failures short-circuit the chain: a passing (or {@code null}) result from an
     * external enforcer is dropped, and the built-in strategies still run afterwards.
     *
     * @param auditableContext the request context handed to each enforcer
     * @return the first failing result, or empty when no external enforcer failed
     */
    protected Optional<AuditableExecutionResult> byExternalAccessStrategyEnforcers(AuditableContext auditableContext) {
        return this.applicationContext.getBeansOfType(RegisteredServiceAccessStrategyEnforcer.class)
            .values()
            .stream()
            .filter(candidate -> BeanSupplier.isNotProxy(candidate))
            .sorted(AnnotationAwareOrderComparator.INSTANCE)
            .map(Unchecked.function(enforcer -> enforcer.execute(auditableContext)))
            .filter(Objects::nonNull)
            .filter(outcome -> outcome.isExecutionFailure())
            .findFirst();
    }

    /**
     * Strategy for contexts that carry a service ticket, an authentication result and a
     * registered service: authorizes the authenticated principal for the ticket's service.
     *
     * @param auditableContext the request context
     * @return empty when any of the three inputs is missing, otherwise the result
     */
    private Optional<AuditableExecutionResult> byServiceTicketAndAuthnResultAndRegisteredService(AuditableContext auditableContext) {
        final Optional<RegisteredService> registered = auditableContext.getRegisteredService();
        final boolean applicable = auditableContext.getServiceTicket().isPresent()
            && auditableContext.getAuthenticationResult().isPresent()
            && registered.isPresent();
        if (!applicable) {
            return Optional.empty();
        }
        final AuditableExecutionResult outcome = AuditableExecutionResult.of(auditableContext);
        try {
            final ServiceTicket ticket = auditableContext.getServiceTicket().orElseThrow();
            final Service ticketService = ticket.getService();
            final Authentication authn = auditableContext.getAuthenticationResult().orElseThrow().getAuthentication();
            ensurePrincipalAccessIsAllowedForService(registered.get(), ticketService, authn);
        } catch (Throwable failure) {
            // Any error is stored on the result rather than propagated, so an unexpected
            // failure is not silently treated as a pass.
            outcome.setException(failure);
        }
        return Optional.of(outcome);
    }

    /**
     * Strategy for contexts that carry a service, a registered service and a ticket-granting
     * ticket: authorizes the principal of the root ticket's authentication.
     *
     * @param auditableContext the request context
     * @return empty when any of the three inputs is missing, otherwise the result
     */
    private Optional<AuditableExecutionResult> byServiceAndRegisteredServiceAndTicketGrantingTicket(AuditableContext auditableContext) {
        final Optional<Service> requested = auditableContext.getService();
        final Optional<RegisteredService> registered = auditableContext.getRegisteredService();
        final Optional<TicketGrantingTicket> granting = auditableContext.getTicketGrantingTicket();
        if (requested.isEmpty() || registered.isEmpty() || granting.isEmpty()) {
            return Optional.empty();
        }
        final RegisteredService definition = registered.get();
        final Service target = requested.get();
        final TicketGrantingTicket tgt = granting.get();
        final AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(definition)
            .service(target)
            .ticketGrantingTicket(tgt)
            .build();
        try {
            // The root ticket's authentication is the one that gets authorized.
            ensurePrincipalAccessIsAllowedForService(definition, target, tgt.getRoot().getAuthentication());
        } catch (Throwable failure) {
            outcome.setException(failure);
        }
        return Optional.of(outcome);
    }

    /**
     * Asks the principal enforcer to authorize the authenticated principal for the service.
     *
     * <p>The attributes passed to the enforcer are the merge of the authentication's
     * attributes and the principal's attributes.
     *
     * @param registeredService the registered service definition being accessed
     * @param service the requested service
     * @param authentication the authentication whose principal is authorized
     * @throws Throwable whatever the principal enforcer raises
     */
    protected void ensurePrincipalAccessIsAllowedForService(RegisteredService registeredService, Service service, Authentication authentication) throws Throwable {
        final var accessContext = RegisteredServicePrincipalAccessStrategyEnforcer.PrincipalAccessStrategyContext.builder()
            .registeredService(registeredService)
            .principalId(authentication.getPrincipal().getId())
            .principalAttributes(CollectionUtils.merge(authentication.getAttributes(), authentication.getPrincipal().getAttributes()))
            .service(service)
            .applicationContext(this.applicationContext)
            .build();
        this.principalAccessStrategyEnforcer.authorize(accessContext);
    }

    /**
     * Strategy for contexts that carry only a registered service: runs the service-level
     * check with no principal involved.
     *
     * <p>Decompiler note: JADX reports that this method's access modifier was changed from
     * private, so the {@code public} visibility is an artifact of decompilation.
     *
     * @param auditableContext the request context
     * @return empty when there is no registered service, otherwise the result
     */
    public static Optional<AuditableExecutionResult> byRegisteredService(AuditableContext auditableContext) {
        final Optional<RegisteredService> registered = auditableContext.getRegisteredService();
        if (registered.isEmpty()) {
            return Optional.empty();
        }
        final RegisteredService definition = registered.get();
        final AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(definition)
            .service(auditableContext.getService().orElse(null))
            .authentication(auditableContext.getAuthentication().orElse(null))
            .build();
        try {
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(definition);
        } catch (PrincipalException | UnauthorizedServiceException denial) {
            // Only these two types are captured here; anything else propagates to the caller.
            outcome.setException(denial);
        }
        return Optional.of(outcome);
    }

    /**
     * Strategy for contexts that carry a service and a registered service but no principal
     * information: runs the service-level check for that pair.
     *
     * <p>Decompiler note: JADX reports that this method's access modifier was changed from
     * private, so the {@code public} visibility is an artifact of decompilation.
     *
     * @param auditableContext the request context
     * @return empty when either input is missing, otherwise the result
     */
    public static Optional<AuditableExecutionResult> byServiceAndRegisteredService(AuditableContext auditableContext) {
        final Optional<Service> requested = auditableContext.getService();
        final Optional<RegisteredService> registered = auditableContext.getRegisteredService();
        if (requested.isEmpty() || registered.isEmpty()) {
            return Optional.empty();
        }
        final RegisteredService definition = registered.get();
        final Service target = requested.get();
        final AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(definition)
            .service(target)
            .build();
        try {
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(target, definition);
        } catch (PrincipalException | UnauthorizedServiceException denial) {
            // Only these two types are captured here; anything else propagates to the caller.
            outcome.setException(denial);
        }
        return Optional.of(outcome);
    }

    /**
     * Strategy for contexts that carry a service, a registered service and a principal:
     * authorizes that principal directly.
     *
     * <p>Unlike {@link #ensurePrincipalAccessIsAllowedForService}, only the principal's own
     * attributes are passed to the enforcer; no authentication attributes are merged in.
     *
     * @param auditableContext the request context
     * @return empty when any of the three inputs is missing, otherwise the result
     */
    private Optional<AuditableExecutionResult> byServiceAndRegisteredServiceAndPrincipal(AuditableContext auditableContext) {
        final Optional<Service> requested = auditableContext.getService();
        final Optional<RegisteredService> registered = auditableContext.getRegisteredService();
        final Optional<Principal> subject = auditableContext.getPrincipal();
        if (requested.isEmpty() || registered.isEmpty() || subject.isEmpty()) {
            return Optional.empty();
        }
        final RegisteredService definition = registered.get();
        final Service target = requested.get();
        final Principal who = subject.get();
        final AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(definition)
            .service(target)
            .build();
        try {
            final var accessContext = RegisteredServicePrincipalAccessStrategyEnforcer.PrincipalAccessStrategyContext.builder()
                .registeredService(definition)
                .principalId(who.getId())
                .principalAttributes(who.getAttributes())
                .service(target)
                .applicationContext(this.applicationContext)
                .build();
            this.principalAccessStrategyEnforcer.authorize(accessContext);
        } catch (Throwable failure) {
            outcome.setException(failure);
        }
        return Optional.of(outcome);
    }

    /**
     * Strategy for contexts that carry a service, a registered service and an
     * authentication: authorizes the authentication's principal for the service.
     *
     * @param auditableContext the request context
     * @return empty when any of the three inputs is missing, otherwise the result
     */
    private Optional<AuditableExecutionResult> byServiceAndRegisteredServiceAndAuthentication(AuditableContext auditableContext) {
        final Optional<Service> requested = auditableContext.getService();
        final Optional<RegisteredService> registered = auditableContext.getRegisteredService();
        final Optional<Authentication> authenticated = auditableContext.getAuthentication();
        if (requested.isEmpty() || registered.isEmpty() || authenticated.isEmpty()) {
            return Optional.empty();
        }
        final RegisteredService definition = registered.get();
        final Service target = requested.get();
        final Authentication authn = authenticated.get();
        final AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(definition)
            .service(target)
            .authentication(authn)
            .build();
        try {
            ensurePrincipalAccessIsAllowedForService(definition, target, authn);
        } catch (Throwable failure) {
            outcome.setException(failure);
        }
        return Optional.of(outcome);
    }
}
