package org.apereo.cas.validation;

import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import lombok.Generated;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LoggingUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ConfigurableApplicationContext;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-validation-api-6.6.0.jar:org/apereo/cas/validation/AuthenticationPolicyAwareServiceTicketValidationAuthorizer.class */
/**
 * {@link ServiceTicketValidationAuthorizer} that re-evaluates the configured authentication
 * policies against the primary authentication of an assertion at validation time.
 *
 * <p>Every rejection path in this class throws {@link UnauthorizedServiceException} with
 * {@code CODE_UNAUTHZ_SERVICE} and an empty message, so the check fails closed and the caller
 * is not told which policy or attribute caused the refusal.
 */
public class AuthenticationPolicyAwareServiceTicketValidationAuthorizer implements ServiceTicketValidationAuthorizer {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationPolicyAwareServiceTicketValidationAuthorizer.class);

    /** Authentication attribute listing the names of the handlers that authenticated the principal. */
    private static final String SUCCESSFUL_HANDLERS_ATTRIBUTE = "successfulAuthenticationHandlers";

    private final ServicesManager servicesManager;
    private final AuthenticationEventExecutionPlan authenticationEventExecutionPlan;
    private final ConfigurableApplicationContext applicationContext;

    /**
     * Creates the authorizer from its three collaborators. No validation is performed here.
     *
     * @param servicesManager used to look up the registered service for the requested service
     * @param authenticationEventExecutionPlan source of the authentication handlers and policies
     * @param configurableApplicationContext context handed to each policy during evaluation
     */
    @Generated
    public AuthenticationPolicyAwareServiceTicketValidationAuthorizer(ServicesManager servicesManager, AuthenticationEventExecutionPlan authenticationEventExecutionPlan, ConfigurableApplicationContext configurableApplicationContext) {
        this.servicesManager = servicesManager;
        this.authenticationEventExecutionPlan = authenticationEventExecutionPlan;
        this.applicationContext = configurableApplicationContext;
    }

    /**
     * Authorizes validation of a service ticket for {@code service}.
     *
     * <p>Steps, in order: the service access check, a presence check on the
     * {@code successfulAuthenticationHandlers} attribute, then one evaluation per authentication
     * policy returned by the execution plan.
     *
     * @param httpServletRequest the validation request; not read by this implementation
     * @param service the service the ticket is being validated for
     * @param assertion the assertion whose primary authentication is evaluated
     * @throws UnauthorizedServiceException if the attribute is missing, a policy is not satisfied,
     *     or a policy evaluation throws
     */
    @Override // org.apereo.cas.validation.ServiceTicketValidationAuthorizer
    public void authorize(HttpServletRequest httpServletRequest, Service service, Assertion assertion) {
        // Access-strategy check is delegated; how it signals a denial is not visible in this class.
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service, this.servicesManager.findServiceBy(service));
        LOGGER.debug("Evaluating service [{}] to ensure required authentication handlers can satisfy assertion", service);

        Authentication authentication = assertion.getPrimaryAuthentication();
        Map<String, List<Object>> authenticationAttributes = authentication.getAttributes();
        if (!authenticationAttributes.containsKey(SUCCESSFUL_HANDLERS_ATTRIBUTE)) {
            // Without a record of which handlers succeeded there is nothing to evaluate: refuse.
            throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "");
        }

        Set<Object> successfulHandlerNames = CollectionUtils.toCollection(authenticationAttributes.get(SUCCESSFUL_HANDLERS_ATTRIBUTE));
        // Only handlers registered in the execution plan are kept; a name in the attribute that
        // matches no registered handler contributes nothing to the set passed to the policies.
        var assertedHandlers = this.authenticationEventExecutionPlan.getAuthenticationHandlers()
            .stream()
            .filter(handler -> successfulHandlerNames.contains(handler.getName()))
            .collect(Collectors.toSet());

        // NOTE(review): if the plan returns no policies for this authentication, the loop body
        // never runs and this method returns normally; confirm that is the intended default.
        this.authenticationEventExecutionPlan.getAuthenticationPolicies(authentication).forEach(policy -> {
            try {
                LOGGER.trace("Executing authentication policy [{}]", policy.getClass().getSimpleName());
                boolean satisfied = policy
                    .isSatisfiedBy(authentication, assertedHandlers, this.applicationContext, Optional.of(assertion))
                    .isSuccess();
                if (!satisfied) {
                    throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "");
                }
            } catch (Exception e) {
                // Catches the rejection thrown just above as well as any failure inside the
                // policy. The original exception is passed to the logger only; the one that
                // propagates is new and carries neither cause nor message.
                LoggingUtils.error(LOGGER, e);
                throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, "");
            }
        });
    }
}
