package org.jasig.cas;

import com.github.inspektr.audit.annotation.Audit;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.validation.constraints.NotNull;
import org.apache.commons.lang.StringUtils;
import org.jasig.cas.authentication.AcceptAnyAuthenticationPolicyFactory;
import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.AuthenticationBuilder;
import org.jasig.cas.authentication.AuthenticationException;
import org.jasig.cas.authentication.AuthenticationManager;
import org.jasig.cas.authentication.ContextualAuthenticationPolicy;
import org.jasig.cas.authentication.ContextualAuthenticationPolicyFactory;
import org.jasig.cas.authentication.Credential;
import org.jasig.cas.authentication.MixedPrincipalException;
import org.jasig.cas.authentication.principal.PersistentIdGenerator;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.Service;
import org.jasig.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator;
import org.jasig.cas.authentication.principal.SimplePrincipal;
import org.jasig.cas.logout.LogoutManager;
import org.jasig.cas.logout.LogoutRequest;
import org.jasig.cas.services.RegisteredService;
import org.jasig.cas.services.RegisteredServiceAttributeFilter;
import org.jasig.cas.services.ServiceContext;
import org.jasig.cas.services.ServicesManager;
import org.jasig.cas.services.UnauthorizedProxyingException;
import org.jasig.cas.services.UnauthorizedServiceException;
import org.jasig.cas.services.UnauthorizedSsoServiceException;
import org.jasig.cas.services.support.RegisteredServiceDefaultAttributeFilter;
import org.jasig.cas.ticket.ExpirationPolicy;
import org.jasig.cas.ticket.InvalidTicketException;
import org.jasig.cas.ticket.ServiceTicket;
import org.jasig.cas.ticket.TicketException;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.TicketGrantingTicketImpl;
import org.jasig.cas.ticket.TicketValidationException;
import org.jasig.cas.ticket.UnsatisfiedAuthenticationPolicyException;
import org.jasig.cas.ticket.registry.TicketRegistry;
import org.jasig.cas.util.UniqueTicketIdGenerator;
import org.jasig.cas.validation.Assertion;
import org.jasig.cas.validation.ImmutableAssertion;
import org.perf4j.aop.Profiled;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-4.0.0.jar:org/jasig/cas/CentralAuthenticationServiceImpl.class */
public final class CentralAuthenticationServiceImpl implements CentralAuthenticationService {

    @NotNull
    private final TicketRegistry ticketRegistry;

    @NotNull
    private final TicketRegistry serviceTicketRegistry;

    @NotNull
    private final AuthenticationManager authenticationManager;

    @NotNull
    private final UniqueTicketIdGenerator ticketGrantingTicketUniqueTicketIdGenerator;

    @NotNull
    private final Map<String, UniqueTicketIdGenerator> uniqueTicketIdGeneratorsForService;

    @NotNull
    private final ServicesManager servicesManager;

    @NotNull
    private final LogoutManager logoutManager;

    @NotNull
    private ExpirationPolicy ticketGrantingTicketExpirationPolicy;

    @NotNull
    private ExpirationPolicy serviceTicketExpirationPolicy;
    private final Logger logger = LoggerFactory.getLogger(getClass());

    @NotNull
    private PersistentIdGenerator persistentIdGenerator = new ShibbolethCompatiblePersistentIdGenerator();
    private RegisteredServiceAttributeFilter defaultAttributeFilter = new RegisteredServiceDefaultAttributeFilter();

    @NotNull
    private ContextualAuthenticationPolicyFactory<ServiceContext> serviceContextAuthenticationPolicyFactory = new AcceptAnyAuthenticationPolicyFactory();

    public CentralAuthenticationServiceImpl(TicketRegistry ticketRegistry, TicketRegistry ticketRegistry2, AuthenticationManager authenticationManager, UniqueTicketIdGenerator uniqueTicketIdGenerator, Map<String, UniqueTicketIdGenerator> map, ExpirationPolicy expirationPolicy, ExpirationPolicy expirationPolicy2, ServicesManager servicesManager, LogoutManager logoutManager) {
        this.ticketRegistry = ticketRegistry;
        if (ticketRegistry2 == null) {
            this.serviceTicketRegistry = ticketRegistry;
        } else {
            this.serviceTicketRegistry = ticketRegistry2;
        }
        this.authenticationManager = authenticationManager;
        this.ticketGrantingTicketUniqueTicketIdGenerator = uniqueTicketIdGenerator;
        this.uniqueTicketIdGeneratorsForService = map;
        this.ticketGrantingTicketExpirationPolicy = expirationPolicy;
        this.serviceTicketExpirationPolicy = expirationPolicy2;
        this.servicesManager = servicesManager;
        this.logoutManager = logoutManager;
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Audit(action = "TICKET_GRANTING_TICKET_DESTROYED", actionResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    @Profiled(tag = "DESTROY_TICKET_GRANTING_TICKET", logFailuresSeparately = false)
    @Transactional(readOnly = false)
    public List<LogoutRequest> destroyTicketGrantingTicket(String str) {
        Assert.notNull(str);
        this.logger.debug("Removing ticket [{}] from registry.", str);
        TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) this.ticketRegistry.getTicket(str, TicketGrantingTicket.class);
        if (ticketGrantingTicket == null) {
            this.logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", str);
            return Collections.emptyList();
        }
        this.logger.debug("Ticket found. Processing logout requests and then deleting the ticket...");
        List<LogoutRequest> performLogout = this.logoutManager.performLogout(ticketGrantingTicket);
        this.ticketRegistry.deleteTicket(str);
        return performLogout;
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
    @Profiled(tag = "GRANT_SERVICE_TICKET", logFailuresSeparately = false)
    @Transactional(readOnly = false)
    public String grantServiceTicket(String str, Service service, Credential... credentialArr) throws AuthenticationException, TicketException {
        Assert.notNull(str, "ticketGrantingticketId cannot be null");
        Assert.notNull(service, "service cannot be null");
        TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) this.ticketRegistry.getTicket(str, TicketGrantingTicket.class);
        if (ticketGrantingTicket == null) {
            this.logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", str);
            throw new InvalidTicketException(str);
        }
        synchronized (ticketGrantingTicket) {
            if (ticketGrantingTicket.isExpired()) {
                this.ticketRegistry.deleteTicket(str);
                this.logger.debug("TicketGrantingTicket[{}] has expired and is now deleted from the ticket registry.", str);
                throw new InvalidTicketException(str);
            }
        }
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        verifyRegisteredServiceProperties(findServiceBy, service);
        if (!findServiceBy.isSsoEnabled() && credentialArr == null && ticketGrantingTicket.getCountOfUses() > 0) {
            this.logger.warn("ServiceManagement: Service [{}] is not allowed to use SSO.", service.getId());
            throw new UnauthorizedSsoServiceException();
        }
        if (ticketGrantingTicket.getChainedAuthentications().size() > 1 && !findServiceBy.isAllowedToProxy()) {
            String format = String.format("ServiceManagement: Proxy attempt by service [%s] (registered service [%s]) is not allowed.", service.getId(), findServiceBy.toString());
            this.logger.warn(format);
            throw new UnauthorizedProxyingException(format);
        }
        if (credentialArr != null) {
            Authentication authenticate = this.authenticationManager.authenticate(credentialArr);
            Authentication authentication = ticketGrantingTicket.getAuthentication();
            if (!authenticate.getPrincipal().equals(authentication.getPrincipal())) {
                throw new MixedPrincipalException(authenticate, authenticate.getPrincipal(), authentication.getPrincipal());
            }
            ticketGrantingTicket.getSupplementalAuthentications().add(authenticate);
        }
        getAuthenticationSatisfiedByPolicy(ticketGrantingTicket, new ServiceContext(service, findServiceBy));
        String name = service.getClass().getName();
        if (!this.uniqueTicketIdGeneratorsForService.containsKey(name)) {
            this.logger.warn("Cannot create service ticket because the key [{}] for service [{}] is not linked to a ticket id generator", name, service.getId());
            throw new UnauthorizedSsoServiceException();
        }
        String newTicketId = this.uniqueTicketIdGeneratorsForService.get(name).getNewTicketId(ServiceTicket.PREFIX);
        this.logger.debug("Generated service ticket id [{}] for ticket granting ticket [{}]", newTicketId, ticketGrantingTicket.getId());
        ServiceTicket grantServiceTicket = ticketGrantingTicket.grantServiceTicket(newTicketId, service, this.serviceTicketExpirationPolicy, credentialArr != null);
        this.serviceTicketRegistry.addTicket(grantServiceTicket);
        if (this.logger.isInfoEnabled()) {
            List<Authentication> chainedAuthentications = grantServiceTicket.getGrantingTicket().getChainedAuthentications();
            this.logger.info(String.format("Granted %s ticket [%s] for service [%s] for user [%s]", chainedAuthentications.size() == 1 ? "service" : "proxy", grantServiceTicket.getId(), service.getId(), chainedAuthentications.get(chainedAuthentications.size() - 1).getPrincipal().getId()));
        }
        return grantServiceTicket.getId();
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
    @Profiled(tag = "GRANT_SERVICE_TICKET", logFailuresSeparately = false)
    @Transactional(readOnly = false)
    public String grantServiceTicket(String str, Service service) throws TicketException {
        try {
            return grantServiceTicket(str, service, null);
        } catch (AuthenticationException e) {
            throw new IllegalStateException("Unexpected authentication exception", e);
        }
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Audit(action = "PROXY_GRANTING_TICKET", actionResolverName = "GRANT_PROXY_GRANTING_TICKET_RESOLVER", resourceResolverName = "GRANT_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
    @Profiled(tag = "GRANT_PROXY_GRANTING_TICKET", logFailuresSeparately = false)
    @Transactional(readOnly = false)
    public String delegateTicketGrantingTicket(String str, Credential... credentialArr) throws AuthenticationException, TicketException {
        Assert.notNull(str, "serviceTicketId cannot be null");
        Assert.notNull(credentialArr, "credentials cannot be null");
        ServiceTicket serviceTicket = (ServiceTicket) this.serviceTicketRegistry.getTicket(str, ServiceTicket.class);
        if (serviceTicket == null || serviceTicket.isExpired()) {
            this.logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", str);
            throw new InvalidTicketException(str);
        }
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(serviceTicket.getService());
        verifyRegisteredServiceProperties(findServiceBy, serviceTicket.getService());
        if (!findServiceBy.isAllowedToProxy()) {
            this.logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", serviceTicket.getService().getId());
            throw new UnauthorizedProxyingException();
        }
        TicketGrantingTicket grantTicketGrantingTicket = serviceTicket.grantTicketGrantingTicket(this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(TicketGrantingTicket.PREFIX), this.authenticationManager.authenticate(credentialArr), this.ticketGrantingTicketExpirationPolicy);
        this.ticketRegistry.addTicket(grantTicketGrantingTicket);
        return grantTicketGrantingTicket.getId();
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Audit(action = "SERVICE_TICKET_VALIDATE", actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER", resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
    @Profiled(tag = "VALIDATE_SERVICE_TICKET", logFailuresSeparately = false)
    @Transactional(readOnly = false)
    public Assertion validateServiceTicket(String str, Service service) throws TicketException {
        Assert.notNull(str, "serviceTicketId cannot be null");
        Assert.notNull(service, "service cannot be null");
        ServiceTicket serviceTicket = (ServiceTicket) this.serviceTicketRegistry.getTicket(str, ServiceTicket.class);
        if (serviceTicket == null) {
            this.logger.info("ServiceTicket [{}] does not exist.", str);
            throw new InvalidTicketException(str);
        }
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        verifyRegisteredServiceProperties(findServiceBy, serviceTicket.getService());
        try {
            synchronized (serviceTicket) {
                if (serviceTicket.isExpired()) {
                    this.logger.info("ServiceTicket [{}] has expired.", str);
                    throw new InvalidTicketException(str);
                }
                if (!serviceTicket.isValidFor(service)) {
                    this.logger.error("ServiceTicket [{}] with service [{}] does not match supplied service [{}]", str, serviceTicket.getService().getId(), service);
                    throw new TicketValidationException(serviceTicket.getService());
                }
            }
            Authentication authenticationSatisfiedByPolicy = getAuthenticationSatisfiedByPolicy(serviceTicket.getGrantingTicket().getRoot(), new ServiceContext(serviceTicket.getService(), findServiceBy));
            Principal principal = authenticationSatisfiedByPolicy.getPrincipal();
            Map<String, Object> filter = this.defaultAttributeFilter.filter(principal.getId(), principal.getAttributes(), findServiceBy);
            if (findServiceBy.getAttributeFilter() != null) {
                filter = findServiceBy.getAttributeFilter().filter(principal.getId(), filter, findServiceBy);
            }
            SimplePrincipal simplePrincipal = new SimplePrincipal(determinePrincipalIdForRegisteredService(principal, findServiceBy, serviceTicket), filter);
            AuthenticationBuilder newInstance = AuthenticationBuilder.newInstance(authenticationSatisfiedByPolicy);
            newInstance.setPrincipal(simplePrincipal);
            ImmutableAssertion immutableAssertion = new ImmutableAssertion(newInstance.build(), serviceTicket.getGrantingTicket().getChainedAuthentications(), serviceTicket.getService(), serviceTicket.isFromNewLogin());
            if (serviceTicket.isExpired()) {
                this.serviceTicketRegistry.deleteTicket(str);
            }
            return immutableAssertion;
        } catch (Throwable th) {
            if (serviceTicket.isExpired()) {
                this.serviceTicketRegistry.deleteTicket(str);
            }
            throw th;
        }
    }

    private String determinePrincipalIdForRegisteredService(Principal principal, RegisteredService registeredService, ServiceTicket serviceTicket) {
        String id;
        String usernameAttribute = registeredService.getUsernameAttribute();
        if (registeredService.isAnonymousAccess()) {
            id = this.persistentIdGenerator.generate(principal, serviceTicket.getService());
        } else if (StringUtils.isBlank(usernameAttribute)) {
            id = principal.getId();
        } else if (principal.getAttributes().containsKey(usernameAttribute)) {
            id = principal.getAttributes().get(usernameAttribute).toString();
        } else {
            id = principal.getId();
            this.logger.warn("Principal [{}] did not have attribute [{}] among attributes [{}] so CAS cannot provide on the validation response the user attribute the registered service [{}] expects. CAS will instead return the default username attribute [{}]", id, registeredService.getUsernameAttribute(), principal.getAttributes(), registeredService.getServiceId(), id);
        }
        this.logger.debug("Principal id to return for service [{}] is [{}]. The default principal id is [{}].", registeredService.getName(), principal.getId(), id);
        return id;
    }

    @Override // org.jasig.cas.CentralAuthenticationService
    @Audit(action = "TICKET_GRANTING_TICKET", actionResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    @Profiled(tag = "CREATE_TICKET_GRANTING_TICKET", logFailuresSeparately = false)
    @Transactional(readOnly = false)
    public String createTicketGrantingTicket(Credential... credentialArr) throws AuthenticationException, TicketException {
        Assert.notNull(credentialArr, "credentials cannot be null");
        TicketGrantingTicketImpl ticketGrantingTicketImpl = new TicketGrantingTicketImpl(this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(TicketGrantingTicket.PREFIX), this.authenticationManager.authenticate(credentialArr), this.ticketGrantingTicketExpirationPolicy);
        this.ticketRegistry.addTicket(ticketGrantingTicketImpl);
        return ticketGrantingTicketImpl.getId();
    }

    public void setPersistentIdGenerator(PersistentIdGenerator persistentIdGenerator) {
        this.persistentIdGenerator = persistentIdGenerator;
    }

    public void setServiceContextAuthenticationPolicyFactory(ContextualAuthenticationPolicyFactory<ServiceContext> contextualAuthenticationPolicyFactory) {
        this.serviceContextAuthenticationPolicyFactory = contextualAuthenticationPolicyFactory;
    }

    public void setTicketGrantingTicketExpirationPolicy(ExpirationPolicy expirationPolicy) {
        this.ticketGrantingTicketExpirationPolicy = expirationPolicy;
    }

    public void setServiceTicketExpirationPolicy(ExpirationPolicy expirationPolicy) {
        this.serviceTicketExpirationPolicy = expirationPolicy;
    }

    private Authentication getAuthenticationSatisfiedByPolicy(TicketGrantingTicket ticketGrantingTicket, ServiceContext serviceContext) throws TicketException {
        ContextualAuthenticationPolicy<ServiceContext> createPolicy = this.serviceContextAuthenticationPolicyFactory.createPolicy(serviceContext);
        if (createPolicy.isSatisfiedBy(ticketGrantingTicket.getAuthentication())) {
            return ticketGrantingTicket.getAuthentication();
        }
        for (Authentication authentication : ticketGrantingTicket.getSupplementalAuthentications()) {
            if (createPolicy.isSatisfiedBy(authentication)) {
                return authentication;
            }
        }
        throw new UnsatisfiedAuthenticationPolicyException(createPolicy);
    }

    private void verifyRegisteredServiceProperties(RegisteredService registeredService, Service service) {
        if (registeredService == null) {
            String format = String.format("ServiceManagement: Unauthorized Service Access. Service [%s] is not found in service registry.", service.getId());
            this.logger.warn(format);
            throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, format);
        }
        if (registeredService.isEnabled()) {
            return;
        }
        String format2 = String.format("ServiceManagement: Unauthorized Service Access. Service %s] is not enabled in service registry.", service.getId());
        this.logger.warn(format2);
        throw new UnauthorizedServiceException(UnauthorizedServiceException.CODE_UNAUTHZ_SERVICE, format2);
    }
}
