package org.apereo.cas.web.flow.resolver.impl;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditActionResolvers;
import org.apereo.cas.audit.AuditResourceResolvers;
import org.apereo.cas.audit.AuditableActions;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.AuthenticationResultBuilder;
import org.apereo.cas.authentication.MultifactorAuthenticationContextValidationResult;
import org.apereo.cas.authentication.MultifactorAuthenticationContextValidator;
import org.apereo.cas.authentication.MultifactorAuthenticationProvider;
import org.apereo.cas.authentication.MultifactorAuthenticationUtils;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.web.flow.CasWebflowConstants;
import org.apereo.cas.web.flow.SingleSignOnParticipationRequest;
import org.apereo.cas.web.flow.SingleSignOnParticipationStrategy;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.support.WebUtils;
import org.apereo.inspektr.audit.annotation.Audit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.webflow.action.EventFactorySupport;
import org.springframework.webflow.core.collection.LocalAttributeMap;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-webflow-mfa-api-6.6.9.jar:org/apereo/cas/web/flow/resolver/impl/RankedMultifactorAuthenticationProviderWebflowEventResolver.class */
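/**
 * Webflow event resolver for requests that arrive with an existing ticket-granting ticket.
 *
 * <p>It loads the authentication bound to that ticket, asks the delegating resolver which
 * event the request calls for, and then uses the
 * {@link MultifactorAuthenticationContextValidator} to decide whether the existing
 * authentication already satisfies that event for the registered service. Depending on
 * the outcome, the flow is resumed with a {@code success} event, routed to a multifactor
 * provider, or ended with an {@code error} event.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Every early exit through {@link #resumeFlow(RequestContext)} returns {@code success},
 *       which means this resolver does not ask for multifactor authentication on that path.</li>
 *   <li>When validation fails and no provider is reported, the result is {@code error}
 *       rather than {@code success}.</li>
 *   <li>When the service policy forces execution, the provider event is issued even though
 *       the existing authentication context validated successfully.</li>
 * </ul>
 */
public class RankedMultifactorAuthenticationProviderWebflowEventResolver extends AbstractCasMultifactorAuthenticationWebflowEventResolver implements CasDelegatingWebflowEventResolver {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(RankedMultifactorAuthenticationProviderWebflowEventResolver.class);

    /** Resolver that determines the candidate event and to which delegates are added. */
    private final CasDelegatingWebflowEventResolver casDelegatingWebflowEventResolver;

    /** Checks whether an authentication satisfies the context named by an event id. */
    private final MultifactorAuthenticationContextValidator authenticationContextValidator;

    /** Decides whether the current request may reuse the existing single sign-on session. */
    private final SingleSignOnParticipationStrategy singleSignOnParticipationStrategy;

    /**
     * Creates the resolver.
     *
     * @param casWebflowEventResolutionConfigurationContext configuration context handed to the superclass
     * @param casDelegatingWebflowEventResolver resolver used to obtain the candidate event
     * @param multifactorAuthenticationContextValidator validator for the authentication context
     * @param singleSignOnParticipationStrategy strategy consulted before the session is reused
     */
    public RankedMultifactorAuthenticationProviderWebflowEventResolver(CasWebflowEventResolutionConfigurationContext casWebflowEventResolutionConfigurationContext, CasDelegatingWebflowEventResolver casDelegatingWebflowEventResolver, MultifactorAuthenticationContextValidator multifactorAuthenticationContextValidator, SingleSignOnParticipationStrategy singleSignOnParticipationStrategy) {
        super(casWebflowEventResolutionConfigurationContext);
        this.casDelegatingWebflowEventResolver = casDelegatingWebflowEventResolver;
        this.authenticationContextValidator = multifactorAuthenticationContextValidator;
        this.singleSignOnParticipationStrategy = singleSignOnParticipationStrategy;
    }

    /**
     * Builds the single-element event set that routes the flow to a multifactor provider.
     *
     * @param requestContext current webflow request context
     * @param registeredService service the request is for
     * @param authentication authentication whose principal goes into the event attributes
     * @param eventId id of the event to issue
     * @param provider provider the event refers to
     * @return a set holding the event returned by
     *         {@code MultifactorAuthenticationUtils.validateEventIdForMatchingTransitionInContext}
     */
    private static Set<Event> buildEventForMultifactorProvider(RequestContext requestContext, RegisteredService registeredService, Authentication authentication, String eventId, MultifactorAuthenticationProvider provider) {
        Map<String, Object> eventAttributes = MultifactorAuthenticationUtils.buildEventAttributeMap(authentication.getPrincipal(), Optional.of(registeredService), provider);
        LOGGER.trace("Event attribute map for [{}] is [{}]", eventId, eventAttributes);
        Event finalEvent = MultifactorAuthenticationUtils.validateEventIdForMatchingTransitionInContext(eventId, Optional.of(requestContext), eventAttributes);
        LOGGER.trace("Finalized event for multifactor provider  [{}] is [{}]", eventId, finalEvent);
        return CollectionUtils.wrapSet(finalEvent);
    }

    /**
     * Resolves the event for a request that may carry an existing single sign-on session.
     *
     * @param requestContext current webflow request context
     * @return a single-element set: {@code success} to continue the flow, the delegate's own
     *         event when its id is one of the operable transitions, a provider event when
     *         multifactor authentication is required, or {@code error} when the requested
     *         context cannot be satisfied and no provider is reported
     */
    @Override
    public Set<Event> resolveInternal(RequestContext requestContext) {
        String ticketGrantingTicketId = WebUtils.getTicketGrantingTicketId(requestContext);
        RegisteredService registeredService = WebUtils.getRegisteredService(requestContext);
        if (registeredService == null) {
            LOGGER.debug("No service is available to determine event for principal");
            return resumeFlow(requestContext);
        }
        if (StringUtils.isBlank(ticketGrantingTicketId)) {
            LOGGER.trace("Ticket-granting ticket is blank; proceed with flow normally.");
            return resumeFlow(requestContext);
        }
        Authentication authentication = getConfigurationContext().getTicketRegistrySupport().getAuthenticationFrom(ticketGrantingTicketId);
        if (authentication == null) {
            // The ticket id is not blank on this path; the registry simply returned no
            // authentication for it, so the message no longer claims the ticket is blank.
            LOGGER.trace("Ticket-granting ticket has no authentication; proceed with flow normally.");
            return resumeFlow(requestContext);
        }
        AuthenticationResultBuilder resultBuilder = getConfigurationContext().getAuthenticationSystemSupport().establishAuthenticationContextFromInitial(authentication, WebUtils.getCredential(requestContext));
        LOGGER.trace("Recording and tracking initial authentication results in the request context");
        // NOTE(review): the authentication is stored in the request context before the
        // single sign-on participation check below. Confirm that later flow states do not
        // treat its presence alone as proof that the session may be reused.
        WebUtils.putAuthenticationResultBuilder(resultBuilder, requestContext);
        WebUtils.putAuthentication(authentication, requestContext);
        SingleSignOnParticipationRequest ssoRequest = SingleSignOnParticipationRequest.builder().requestContext(requestContext).build();
        if (this.singleSignOnParticipationStrategy.supports(ssoRequest) && !this.singleSignOnParticipationStrategy.isParticipating(ssoRequest)) {
            // This branch is taken when the strategy refuses participation, so the message
            // says "could not allow" (the original text read "could now allow").
            LOGGER.debug("Cannot proceed with existing authenticated session for [{}] since the single sign-on participation strategy for this request could not allow participation in the current session.", authentication);
            return resumeFlow(requestContext);
        }
        Event resolvedEvent = this.casDelegatingWebflowEventResolver.resolveSingle(requestContext);
        if (resolvedEvent == null) {
            LOGGER.trace("Request does not indicate a requirement for authentication policy; proceed with flow normally.");
            return resumeFlow(requestContext);
        }
        String eventId = resolvedEvent.getId();
        LOGGER.trace("Resolved event from the initial authentication leg is [{}]", eventId);
        if (getOperableTransitions().contains(eventId)) {
            // Operable transitions are returned as-is and skip context validation.
            LOGGER.trace("Returning webflow event as [{}]", eventId);
            return CollectionUtils.wrapSet(resolvedEvent);
        }
        LOGGER.trace("Validating authentication context for event [{}] and service [{}]", eventId, registeredService);
        MultifactorAuthenticationContextValidationResult validation = this.authenticationContextValidator.validate(authentication, eventId, Optional.of(registeredService));
        Optional<MultifactorAuthenticationProvider> provider = validation.getProvider();
        if (!validation.isSuccess()) {
            if (provider.isPresent()) {
                return buildEventForMultifactorProvider(requestContext, registeredService, authentication, eventId, provider.get());
            }
            // Fail closed: an unsatisfied context with no provider must not resume the flow.
            LOGGER.warn("The authentication context cannot be satisfied and the requested event [{}] is unrecognized", eventId);
            return CollectionUtils.wrapSet(new Event(this, "error"));
        }
        if (!registeredService.getMultifactorAuthenticationPolicy().isForceExecution() || !provider.isPresent()) {
            LOGGER.debug("Authentication context is successfully validated by [{}] for service [{}]", eventId, registeredService);
            return resumeFlow(requestContext);
        }
        // Forced execution: the provider runs again although the context already validated.
        MultifactorAuthenticationProvider forcedProvider = provider.get();
        LOGGER.trace("Multifactor authentication policy for [{}] is set to force execution for [{}]", registeredService, forcedProvider);
        return buildEventForMultifactorProvider(requestContext, registeredService, authentication, eventId, forcedProvider);
    }

    /**
     * Delegates to the superclass; overridden here so that the call carries the
     * authentication-event audit annotation.
     *
     * @param requestContext current webflow request context
     * @return the event returned by the superclass implementation
     */
    @Override
    @Audit(action = AuditableActions.AUTHENTICATION_EVENT, actionResolverName = AuditActionResolvers.AUTHENTICATION_EVENT_ACTION_RESOLVER, resourceResolverName = AuditResourceResolvers.AUTHENTICATION_EVENT_RESOURCE_RESOLVER)
    public Event resolveSingle(RequestContext requestContext) {
        return super.resolveSingle(requestContext);
    }

    /**
     * Registers a delegate with the wrapped delegating resolver.
     *
     * @param casWebflowEventResolver resolver to add
     */
    @Override
    public void addDelegate(CasWebflowEventResolver casWebflowEventResolver) {
        this.casDelegatingWebflowEventResolver.addDelegate(casWebflowEventResolver);
    }

    /**
     * Registers a delegate with the wrapped delegating resolver, passing the integer
     * argument through unchanged.
     *
     * @param casWebflowEventResolver resolver to add
     * @param i value forwarded to the wrapped resolver's two-argument {@code addDelegate}
     */
    @Override
    public void addDelegate(CasWebflowEventResolver casWebflowEventResolver, int i) {
        this.casDelegatingWebflowEventResolver.addDelegate(casWebflowEventResolver, i);
    }

    /**
     * Produces the event that lets the flow continue without a multifactor step.
     *
     * @param requestContext current webflow request context (not read here)
     * @return a single-element set holding a {@code success} event with an empty attribute map
     */
    protected Set<Event> resumeFlow(RequestContext requestContext) {
        return CollectionUtils.wrapSet(new EventFactorySupport().event(this, "success", new LocalAttributeMap()));
    }

    /**
     * Lists the event ids that {@link #resolveInternal(RequestContext)} returns untouched,
     * without validating the authentication context.
     *
     * @return a new mutable list of transition ids
     */
    private static List<String> getOperableTransitions() {
        // Parameterized instead of the raw ArrayList, which compiled with unchecked warnings.
        List<String> transitions = new ArrayList<>();
        transitions.add("error");
        transitions.add(CasWebflowConstants.TRANSITION_ID_AUTHENTICATION_FAILURE);
        transitions.add("success");
        transitions.add(CasWebflowConstants.TRANSITION_ID_SUCCESS_WITH_WARNINGS);
        transitions.add("mfa-composite");
        return transitions;
    }
}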
