package org.apereo.cas.support.saml.web.idp.delegation;

import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.tuple.Pair;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.pac4j.client.DelegatedClientAuthenticationRequestCustomizer;
import org.apereo.cas.support.saml.OpenSamlConfigBean;
import org.apereo.cas.support.saml.SamlIdPUtils;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.IDPList;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.pac4j.core.client.IndirectClient;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.redirect.RedirectionActionBuilder;
import org.pac4j.saml.client.SAML2Client;
import org.pac4j.saml.context.SAML2ConfigurationContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-saml-idp-web-6.6.14.jar:org/apereo/cas/support/saml/web/idp/delegation/SamlIdPDelegatedClientAuthenticationRequestCustomizer.class */
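/**
 * Carries settings from the SAML2 {@link AuthnRequest} that a service provider sent to
 * this identity provider over to the delegated (external) SAML2 identity provider.
 *
 * <p>Two things happen here:
 * <ul>
 *   <li>{@link #customize} copies {@code ForceAuthn}, {@code IsPassive} and the requested
 *       authentication context onto the web context as request attributes.</li>
 *   <li>{@link #isAuthorized} restricts which delegated SAML2 client may be used when the
 *       request carries a {@code Scoping/IDPList}.</li>
 * </ul>
 *
 * <p>NOTE(review): the issuer, provider ids and context class refs read here come straight
 * from the service provider's request. This class does not itself verify that the request
 * was signed or validated; presumably that happens before it is placed in the session
 * store. Confirm against the caller.
 */
public class SamlIdPDelegatedClientAuthenticationRequestCustomizer implements DelegatedClientAuthenticationRequestCustomizer {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(SamlIdPDelegatedClientAuthenticationRequestCustomizer.class);

    private final SessionStore sessionStore;

    private final OpenSamlConfigBean openSamlConfigBean;

    /**
     * Applies the relevant parts of the stored SAML2 authentication request, if any, to the
     * outgoing delegated authentication request.
     *
     * <p>Does nothing when no {@link AuthnRequest} can be retrieved for this web context.
     *
     * @param indirectClient the delegated client that will handle the redirect
     * @param webContext     the current web context; receives the request attributes
     */
    @Override
    public void customize(IndirectClient indirectClient, WebContext webContext) {
        SamlIdPUtils.retrieveSamlRequest(webContext, this.sessionStore, this.openSamlConfigBean, AuthnRequest.class)
            .map(Pair::getLeft)
            .map(AuthnRequest.class::cast)
            .ifPresent(authnRequest -> {
                LOGGER.debug("Retrieved the SAML2 authentication request from [{}]", SamlIdPUtils.getIssuerFromSamlObject(authnRequest));
                // Boolean.TRUE.equals(...) instead of booleanValue(): a null flag is treated as
                // "not set" rather than raising a NullPointerException mid-flow.
                if (Boolean.TRUE.equals(authnRequest.isForceAuthn())) {
                    customizeForceAuthnRequest(indirectClient, webContext, authnRequest);
                }
                if (Boolean.TRUE.equals(authnRequest.isPassive())) {
                    customizePassiveAuthnRequest(indirectClient, webContext);
                }
                customizeAuthnContextClass(indirectClient, webContext, authnRequest);
            });
    }

    /**
     * Decides whether the given delegated client may be used for the current request, based
     * on the {@code Scoping/IDPList} of the stored SAML2 authentication request.
     *
     * <p>The method returns {@code true} (client allowed) when:
     * <ul>
     *   <li>no SAML2 authentication request is found for this web context;</li>
     *   <li>the client is not a {@link SAML2Client} (see {@link #supports});</li>
     *   <li>the request lists no identity providers;</li>
     *   <li>the client's resolved identity provider entity id is one of the listed
     *       provider ids.</li>
     * </ul>
     * It returns {@code false} only for a SAML2 client whose entity id is missing from a
     * non-empty list.
     *
     * <p>NOTE(review): a non-SAML2 delegated client is allowed even when the request names
     * specific identity providers. Confirm that this is the intended policy for deployments
     * that mix SAML2 and other delegated clients.
     *
     * @param webContext            the current web context
     * @param indirectClient        the delegated client being considered
     * @param webApplicationService the requesting service; not consulted by this method
     * @return {@code true} if the client may be used, {@code false} otherwise
     */
    @Override
    public boolean isAuthorized(WebContext webContext, IndirectClient indirectClient, WebApplicationService webApplicationService) {
        Optional<Pair<? extends RequestAbstractType, MessageContext>> storedRequest =
            SamlIdPUtils.retrieveSamlRequest(webContext, this.sessionStore, this.openSamlConfigBean, AuthnRequest.class);
        if (storedRequest.isEmpty()) {
            LOGGER.trace("No SAML2 authentication request found in session store");
            return true;
        }

        AuthnRequest authnRequest = (AuthnRequest) storedRequest.get().getLeft();
        LOGGER.trace("Retrieved the SAML2 authentication request from [{}]", SamlIdPUtils.getIssuerFromSamlObject(authnRequest));

        // Scoping and its IDPList are both optional in the request.
        IDPList idpList = authnRequest.getScoping() != null ? authnRequest.getScoping().getIDPList() : null;
        List<String> scopedProviderIds = (idpList == null || idpList.getIDPEntrys() == null)
            ? List.of()
            : idpList.getIDPEntrys().stream()
                .map(entry -> entry.getProviderID())
                .collect(Collectors.toList());
        LOGGER.debug("Scoped identity providers are [{}] to examine against client [{}]", scopedProviderIds, indirectClient.getName());

        if (!supports(indirectClient, webContext)) {
            return true;
        }

        SAML2Client saml2Client = (SAML2Client) indirectClient;
        String resolvedEntityId = saml2Client.getIdentityProviderResolvedEntityId();
        LOGGER.debug("Comparing [{}] against scoped identity providers [{}]", resolvedEntityId, scopedProviderIds);
        // Exact string match on the entity id; an empty list places no restriction.
        return scopedProviderIds.isEmpty() || scopedProviderIds.contains(resolvedEntityId);
    }

    /**
     * Reports whether this customizer applies to the given client.
     *
     * @param indirectClient the delegated client
     * @param webContext     the current web context; not consulted
     * @return {@code true} only when the client is a {@link SAML2Client}
     */
    @Override
    public boolean supports(IndirectClient indirectClient, WebContext webContext) {
        return indirectClient instanceof SAML2Client;
    }

    /**
     * Copies the requested authentication context class references, and the comparison type
     * when one is present, from the request onto the web context.
     *
     * <p>Nothing is set when the request has no requested authentication context or the
     * context has no class references.
     *
     * @param indirectClient the delegated client; not consulted
     * @param webContext     the web context that receives the request attributes
     * @param authnRequest   the SAML2 authentication request to read from
     */
    protected void customizeAuthnContextClass(IndirectClient indirectClient, WebContext webContext, AuthnRequest authnRequest) {
        RequestedAuthnContext requestedAuthnContext = authnRequest.getRequestedAuthnContext();
        if (requestedAuthnContext == null
            || requestedAuthnContext.getAuthnContextClassRefs() == null
            || requestedAuthnContext.getAuthnContextClassRefs().isEmpty()) {
            return;
        }

        List<String> classRefUris = requestedAuthnContext.getAuthnContextClassRefs().stream()
            .map(classRef -> classRef.getURI())
            .collect(Collectors.toList());
        webContext.setRequestAttribute(SAML2ConfigurationContext.REQUEST_ATTR_AUTHN_CONTEXT_CLASS_REFS, classRefUris);

        Optional.ofNullable(requestedAuthnContext.getComparison())
            .ifPresent(comparison ->
                webContext.setRequestAttribute(SAML2ConfigurationContext.REQUEST_ATTR_COMPARISON_TYPE, comparison.name()));
    }

    /**
     * Marks the delegated request as passive by setting
     * {@link RedirectionActionBuilder#ATTRIBUTE_PASSIVE} to {@code true} on the web context.
     *
     * @param indirectClient the delegated client; not consulted
     * @param webContext     the web context that receives the request attribute
     */
    protected void customizePassiveAuthnRequest(IndirectClient indirectClient, WebContext webContext) {
        webContext.setRequestAttribute(RedirectionActionBuilder.ATTRIBUTE_PASSIVE, true);
    }

    /**
     * Marks the delegated request as forced authentication by setting the
     * {@code "ForceAuthn"} request attribute to {@code true} on the web context.
     *
     * @param indirectClient the delegated client; not consulted
     * @param webContext     the web context that receives the request attribute
     * @param authnRequest   the SAML2 authentication request; not consulted
     */
    protected void customizeForceAuthnRequest(IndirectClient indirectClient, WebContext webContext, AuthnRequest authnRequest) {
        webContext.setRequestAttribute("ForceAuthn", true);
    }

    /**
     * Creates the customizer.
     *
     * @param sessionStore       session store passed to the SAML request lookup
     * @param openSamlConfigBean OpenSAML configuration passed to the SAML request lookup
     */
    @Generated
    public SamlIdPDelegatedClientAuthenticationRequestCustomizer(SessionStore sessionStore, OpenSamlConfigBean openSamlConfigBean) {
        this.sessionStore = sessionStore;
        this.openSamlConfigBean = openSamlConfigBean;
    }
}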
