package org.apereo.cas.services;

import java.util.Optional;
import lombok.Generated;
import org.apereo.cas.audit.AuditActionResolvers;
import org.apereo.cas.audit.AuditResourceResolvers;
import org.apereo.cas.audit.AuditableActions;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecutionResult;
import org.apereo.cas.audit.BaseAuditableExecution;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.PrincipalException;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.ticket.ServiceTicket;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.scripting.WatchableGroovyScriptResource;
import org.apereo.inspektr.audit.annotation.Audit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.Resource;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-services-api-6.5.8.jar:org/apereo/cas/services/RegisteredServiceAccessStrategyAuditableEnforcer.class */
/**
 * Audited enforcement point for registered-service access strategies.
 *
 * <p>{@link #execute(AuditableContext)} tries a fixed sequence of checks and returns the result of
 * the first one that applies to the supplied context. An access denial is not thrown: it is
 * attached to the returned {@link AuditableExecutionResult} through {@code setException}, so the
 * decision is only effective if the caller inspects the result.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>When a Groovy script location is configured, the script runs first and any non-null
 *       result it returns replaces every built-in check. The script is therefore part of the
 *       authorization decision and its location deserves the same protection as the service
 *       registry itself.</li>
 *   <li>The checks go from the most specific context to the least specific one. A context that
 *       carries no ticket, principal or authentication ends at the service-level checks, which
 *       receive no principal at all.</li>
 *   <li>Only {@link PrincipalException} and {@link UnauthorizedServiceException} are recorded on
 *       the result; any other exception raised by a check propagates to the caller.</li>
 * </ul>
 */
public class RegisteredServiceAccessStrategyAuditableEnforcer extends BaseAuditableExecution {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(RegisteredServiceAccessStrategyAuditableEnforcer.class);

    // Null when no Groovy access-strategy script location is configured.
    private final WatchableGroovyScriptResource accessStrategyScriptResource;

    /**
     * Wraps the configured Groovy access-strategy script, if a location is set.
     *
     * @param casConfigurationProperties CAS settings; the script location is read from
     *                                   {@code getAccessStrategy().getGroovy().getLocation()}
     */
    public RegisteredServiceAccessStrategyAuditableEnforcer(CasConfigurationProperties casConfigurationProperties) {
        final Resource scriptLocation = casConfigurationProperties.getAccessStrategy().getGroovy().getLocation();
        if (scriptLocation == null) {
            this.accessStrategyScriptResource = null;
        } else {
            this.accessStrategyScriptResource = new WatchableGroovyScriptResource(scriptLocation);
        }
    }

    /**
     * Checks principal access using the service ticket and the authentication result.
     *
     * <p>Decompiler note: JADX reports that this method was {@code private} in the original class.
     *
     * @param auditableContext context that must carry a service ticket, an authentication result
     *                         and a registered service
     * @return empty when any of the three is missing; otherwise a result that holds the denial
     *         exception if access was refused
     */
    public static Optional<AuditableExecutionResult> byServiceTicketAndAuthnResultAndRegisteredService(AuditableContext auditableContext) {
        Optional<RegisteredService> target = auditableContext.getRegisteredService();
        boolean applicable = auditableContext.getServiceTicket().isPresent()
            && auditableContext.getAuthenticationResult().isPresent()
            && target.isPresent();
        if (!applicable) {
            return Optional.empty();
        }
        AuditableExecutionResult outcome = AuditableExecutionResult.of(auditableContext);
        try {
            ServiceTicket ticket = auditableContext.getServiceTicket().orElseThrow();
            Authentication authn = auditableContext.getAuthenticationResult().orElseThrow().getAuthentication();
            // Authentication-level and principal-level attributes are both handed to the strategy.
            // NOTE(review): which side wins on a key collision depends on CollectionUtils.merge - confirm.
            RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(
                ticket.getService(),
                target.get(),
                authn.getPrincipal().getId(),
                CollectionUtils.merge(authn.getAttributes(), authn.getPrincipal().getAttributes()));
        } catch (PrincipalException | UnauthorizedServiceException denied) {
            outcome.setException(denied);
        }
        return Optional.of(outcome);
    }

    /**
     * Checks principal access using the authentication of the root ticket-granting ticket.
     *
     * <p>Decompiler note: JADX reports that this method was {@code private} in the original class.
     *
     * @param auditableContext context that must carry a service, a registered service and a
     *                         ticket-granting ticket
     * @return empty when any of the three is missing; otherwise a result that holds the denial
     *         exception if access was refused
     */
    public static Optional<AuditableExecutionResult> byServiceAndRegisteredServiceAndTicketGrantingTicket(AuditableContext auditableContext) {
        Optional<Service> requested = auditableContext.getService();
        Optional<RegisteredService> target = auditableContext.getRegisteredService();
        Optional<TicketGrantingTicket> tgt = auditableContext.getTicketGrantingTicket();
        if (!(requested.isPresent() && target.isPresent() && tgt.isPresent())) {
            return Optional.empty();
        }
        RegisteredService definition = target.get();
        Service resolvedService = requested.get();
        AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(definition)
            .service(resolvedService)
            .ticketGrantingTicket(tgt.get())
            .build();
        try {
            // The decision is based on the root ticket's authentication, not the ticket passed in.
            Authentication authn = tgt.get().getRoot().getAuthentication();
            RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(
                resolvedService,
                definition,
                authn.getPrincipal().getId(),
                CollectionUtils.merge(authn.getAttributes(), authn.getPrincipal().getAttributes()));
        } catch (PrincipalException | UnauthorizedServiceException denied) {
            outcome.setException(denied);
        }
        return Optional.of(outcome);
    }

    /**
     * Checks service-level access for the registered service alone; no principal is evaluated.
     *
     * <p>Decompiler note: JADX reports that this method was {@code private} in the original class.
     *
     * @param auditableContext context that must carry a registered service; service and
     *                         authentication are copied into the result when present
     * @return empty when no registered service is present; otherwise a result that holds the
     *         denial exception if access was refused
     */
    public static Optional<AuditableExecutionResult> byRegisteredService(AuditableContext auditableContext) {
        Optional<RegisteredService> target = auditableContext.getRegisteredService();
        if (!target.isPresent()) {
            return Optional.empty();
        }
        RegisteredService definition = target.get();
        AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(definition)
            .service(auditableContext.getService().orElse(null))
            .authentication(auditableContext.getAuthentication().orElse(null))
            .build();
        try {
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(definition);
        } catch (PrincipalException | UnauthorizedServiceException denied) {
            outcome.setException(denied);
        }
        return Optional.of(outcome);
    }

    /**
     * Checks service-level access for a service and its registered definition; no principal is
     * evaluated.
     *
     * <p>Decompiler note: JADX reports that this method was {@code private} in the original class.
     *
     * @param auditableContext context that must carry a service and a registered service
     * @return empty when either is missing; otherwise a result that holds the denial exception if
     *         access was refused
     */
    public static Optional<AuditableExecutionResult> byServiceAndRegisteredService(AuditableContext auditableContext) {
        Optional<Service> requested = auditableContext.getService();
        Optional<RegisteredService> target = auditableContext.getRegisteredService();
        if (!(requested.isPresent() && target.isPresent())) {
            return Optional.empty();
        }
        RegisteredService definition = target.get();
        Service resolvedService = requested.get();
        AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(definition)
            .service(resolvedService)
            .build();
        try {
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(resolvedService, definition);
        } catch (PrincipalException | UnauthorizedServiceException denied) {
            outcome.setException(denied);
        }
        return Optional.of(outcome);
    }

    /**
     * Checks principal access using the principal carried directly by the context.
     *
     * <p>The result is built from the registered service and the service only; the principal is
     * used for the decision but is not stored on the result here.
     *
     * @param auditableContext context that must carry a service, a registered service and a
     *                         principal
     * @return empty when any of the three is missing; otherwise a result that holds the denial
     *         exception if access was refused
     */
    public static Optional<AuditableExecutionResult> byServiceAndRegisteredServiceAndPrincipal(AuditableContext auditableContext) {
        Optional<Service> requested = auditableContext.getService();
        Optional<RegisteredService> target = auditableContext.getRegisteredService();
        Optional<Principal> subject = auditableContext.getPrincipal();
        if (!(requested.isPresent() && target.isPresent() && subject.isPresent())) {
            return Optional.empty();
        }
        RegisteredService definition = target.get();
        Service resolvedService = requested.get();
        Principal who = subject.get();
        AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(definition)
            .service(resolvedService)
            .build();
        try {
            // Only the principal's own attributes are available on this path.
            RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(
                resolvedService, definition, who.getId(), who.getAttributes());
        } catch (PrincipalException | UnauthorizedServiceException denied) {
            outcome.setException(denied);
        }
        return Optional.of(outcome);
    }

    /**
     * Checks principal access using the authentication carried directly by the context.
     *
     * <p>Decompiler note: JADX reports that this method was {@code private} in the original class.
     *
     * @param auditableContext context that must carry a service, a registered service and an
     *                         authentication
     * @return empty when any of the three is missing; otherwise a result that holds the denial
     *         exception if access was refused
     */
    public static Optional<AuditableExecutionResult> byServiceAndRegisteredServiceAndAuthentication(AuditableContext auditableContext) {
        Optional<Service> requested = auditableContext.getService();
        Optional<RegisteredService> target = auditableContext.getRegisteredService();
        Optional<Authentication> presented = auditableContext.getAuthentication();
        if (!(requested.isPresent() && target.isPresent() && presented.isPresent())) {
            return Optional.empty();
        }
        RegisteredService definition = target.get();
        Service resolvedService = requested.get();
        Authentication authn = presented.get();
        AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(definition)
            .service(resolvedService)
            .authentication(authn)
            .build();
        try {
            RegisteredServiceAccessStrategyUtils.ensurePrincipalAccessIsAllowedForService(
                resolvedService,
                definition,
                authn.getPrincipal().getId(),
                CollectionUtils.merge(authn.getAttributes(), authn.getPrincipal().getAttributes()));
        } catch (PrincipalException | UnauthorizedServiceException denied) {
            outcome.setException(denied);
        }
        return Optional.of(outcome);
    }

    /**
     * Runs the access checks in order and returns the first result produced.
     *
     * <p>Order: external Groovy script, service ticket + authentication result, ticket-granting
     * ticket, principal, authentication, service + registered service, registered service alone.
     * The first check whose inputs are present decides, whether it allows or denies; later checks
     * are not consulted. If none applies, the returned result carries an
     * {@link UnauthorizedServiceException}. Because the last check needs only a registered
     * service, that fallback is reached only when the context has no registered service and the
     * script produced nothing.
     *
     * @param auditableContext the context describing what is being accessed and by whom
     * @return the result of the deciding check; a denial is reported through the exception stored
     *         on the result, not by throwing
     */
    @Override // org.apereo.cas.audit.BaseAuditableExecution, org.apereo.cas.audit.AuditableExecution
    @Audit(action = AuditableActions.SERVICE_ACCESS_ENFORCEMENT, actionResolverName = AuditActionResolvers.SERVICE_ACCESS_ENFORCEMENT_ACTION_RESOLVER, resourceResolverName = AuditResourceResolvers.SERVICE_ACCESS_ENFORCEMENT_RESOURCE_RESOLVER)
    public AuditableExecutionResult execute(AuditableContext auditableContext) {
        return byExternalGroovyScript(auditableContext)
            .or(() -> byServiceTicketAndAuthnResultAndRegisteredService(auditableContext))
            .or(() -> byServiceAndRegisteredServiceAndTicketGrantingTicket(auditableContext))
            .or(() -> byServiceAndRegisteredServiceAndPrincipal(auditableContext))
            .or(() -> byServiceAndRegisteredServiceAndAuthentication(auditableContext))
            .or(() -> byServiceAndRegisteredService(auditableContext))
            .or(() -> byRegisteredService(auditableContext))
            .orElseGet(() -> unauthorizedResultFor(auditableContext));
    }

    /**
     * Delegates the decision to the configured Groovy script, when there is one.
     *
     * <p>The script receives the context and this class's logger as arguments. A non-null return
     * value becomes the final decision in {@link #execute(AuditableContext)}; a null return value
     * lets the built-in checks run.
     *
     * @param auditableContext the context passed to the script
     * @return the script's result, or empty when no script is configured or it returned null
     */
    protected Optional<AuditableExecutionResult> byExternalGroovyScript(AuditableContext auditableContext) {
        if (this.accessStrategyScriptResource == null) {
            return Optional.empty();
        }
        Object[] scriptArguments = new Object[]{auditableContext, LOGGER};
        // NOTE(review): the trailing 'true' is presumably a fail-on-error switch - confirm against
        // WatchableGroovyScriptResource.execute, since it decides what a broken script does here.
        AuditableExecutionResult scripted = (AuditableExecutionResult) this.accessStrategyScriptResource.execute(scriptArguments, AuditableExecutionResult.class, true);
        return Optional.ofNullable(scripted);
    }

    // Builds the default result used when no check applied: whatever the context holds, plus an
    // UnauthorizedServiceException so that the outcome reads as a denial.
    private static AuditableExecutionResult unauthorizedResultFor(AuditableContext auditableContext) {
        AuditableExecutionResult outcome = AuditableExecutionResult.builder()
            .registeredService(auditableContext.getRegisteredService().orElse(null))
            .service(auditableContext.getService().orElse(null))
            .authentication(auditableContext.getAuthentication().orElse(null))
            .build();
        outcome.setException(new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "Service unauthorized"));
        return outcome;
    }
}
