package org.apereo.cas.validation;

import java.util.ArrayList;
import javax.servlet.http.HttpServletRequest;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.pac4j.core.client.Client;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-pac4j-core-6.5.3.jar:org/apereo/cas/validation/DelegatedAuthenticationAccessStrategyHelper.class */
/**
 * Decides whether a delegated authentication client (identified by name) may be
 * used for a given service, by combining the service registry lookup with the
 * delegated authentication policy enforcer.
 *
 * <p>Security note: the check is permissive when there is nothing to evaluate.
 * {@link #isDelegatedClientAuthorizedFor(String, Service, HttpServletRequest)}
 * returns {@code true} when the service is absent/blank or when the client name
 * is blank. Callers that need a strict decision must establish both values
 * before relying on the result.
 */
public class DelegatedAuthenticationAccessStrategyHelper {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatedAuthenticationAccessStrategyHelper.class);

    /** Registry used to resolve the requested service to its registered definition. */
    private final ServicesManager servicesManager;

    /** Enforcer that evaluates the delegated authentication policy of a registered service. */
    private final AuditableExecution delegatedAuthenticationPolicyEnforcer;

    /**
     * Creates the helper.
     *
     * @param servicesManager    registry used to look up registered services
     * @param auditableExecution enforcer of the delegated authentication policy
     */
    @Generated
    public DelegatedAuthenticationAccessStrategyHelper(ServicesManager servicesManager, AuditableExecution auditableExecution) {
        this.servicesManager = servicesManager;
        this.delegatedAuthenticationPolicyEnforcer = auditableExecution;
    }

    /**
     * Checks whether the given client may be used for the service.
     *
     * @param client             delegated client; its name is the value that is authorized
     * @param service            service being accessed, may be {@code null}
     * @param httpServletRequest current request, passed through unchanged
     * @return {@code true} if the client is authorized (or nothing could be evaluated)
     */
    public boolean isDelegatedClientAuthorizedForService(Client client, Service service, HttpServletRequest httpServletRequest) {
        String clientName = client.getName();
        return isDelegatedClientAuthorizedFor(clientName, service, httpServletRequest);
    }

    /**
     * Checks whether the client recorded in an existing authentication may be
     * used for the service.
     *
     * @param authentication     authentication whose {@code clientName} attribute is read
     * @param service            service being accessed, may be {@code null}
     * @param httpServletRequest current request, passed through unchanged
     * @return {@code true} if the client is authorized (or nothing could be evaluated)
     */
    public boolean isDelegatedClientAuthorizedForAuthentication(Authentication authentication, Service service, HttpServletRequest httpServletRequest) {
        String clientName = getClientNameFromAuthentication(authentication);
        return isDelegatedClientAuthorizedFor(clientName, service, httpServletRequest);
    }

    /**
     * Extracts the delegated client name from the authentication attributes.
     *
     * @param authentication authentication to inspect
     * @return string form of the first {@code clientName} value as resolved by
     *         {@code CollectionUtils.firstElement}, or an empty string when none is found
     */
    public static String getClientNameFromAuthentication(Authentication authentication) {
        // A missing attribute is treated the same as an empty list of values.
        Object clientNames = authentication.getAttributes().getOrDefault("clientName", new ArrayList<>(0));
        return CollectionUtils.firstElement(clientNames)
            .map(Object::toString)
            .orElse("");
    }

    /**
     * Evaluates the delegated authentication policy for a client name and service.
     *
     * <p>Decision order: a missing/blank service allows; a blank client name
     * allows; an unknown service or one whose access strategy disallows access
     * denies; otherwise the policy enforcer's result decides.
     *
     * @param str                name of the delegated client, may be blank
     * @param service            service being accessed, may be {@code null}
     * @param httpServletRequest current request; not read by this method
     * @return {@code true} if access is allowed, {@code false} if it is denied
     */
    public boolean isDelegatedClientAuthorizedFor(String str, Service service, HttpServletRequest httpServletRequest) {
        boolean serviceUnknown = service == null || StringUtils.isBlank(service.getId());
        if (serviceUnknown) {
            // Permissive branch: with no service there is no policy to apply.
            LOGGER.debug("Can not evaluate delegated authentication policy without a service");
            return true;
        }

        boolean clientUnknown = StringUtils.isBlank(str);
        if (clientUnknown) {
            // Permissive branch: a blank client name is treated as "no delegation took place".
            // NOTE(review): confirm callers cannot reach this with a delegated session
            // whose clientName attribute is absent.
            LOGGER.debug("No client is provided to enforce authorization for delegated authentication. SSO session may have been established without delegated authentication");
            return true;
        }

        RegisteredService registeredService = this.servicesManager.findServiceBy(service);
        boolean accessAllowed = registeredService != null
            && registeredService.getAccessStrategy().isServiceAccessAllowed();
        if (!accessAllowed) {
            // registeredService can be null here, in which case the message shows
            // [null] rather than the service that was requested.
            LOGGER.warn("Service access for [{}] is denied", registeredService);
            return false;
        }
        LOGGER.trace("Located registered service definition [{}] matching [{}]", registeredService, service);

        // The client name is handed to the enforcer under the key "Client".
        AuditableContext policyContext = AuditableContext.builder()
            .registeredService(registeredService)
            .properties(CollectionUtils.wrap(Client.class.getSimpleName(), str))
            .build();
        boolean refused = this.delegatedAuthenticationPolicyEnforcer.execute(policyContext).isExecutionFailure();
        if (refused) {
            LOGGER.warn("Delegated authentication policy for [{}] refuses access to client [{}]", registeredService.getServiceId(), str);
            return false;
        }

        LOGGER.debug("Delegated authentication policy for [{}] allows for using client [{}]", registeredService, str);
        return true;
    }
}
