package org.jasig.cas;

import com.codahale.metrics.annotation.Counted;
import com.codahale.metrics.annotation.Metered;
import com.codahale.metrics.annotation.Timed;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import javax.validation.constraints.NotNull;
import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.AuthenticationBuilder;
import org.jasig.cas.authentication.AuthenticationContext;
import org.jasig.cas.authentication.AuthenticationException;
import org.jasig.cas.authentication.DefaultAuthenticationBuilder;
import org.jasig.cas.authentication.MixedPrincipalException;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.Service;
import org.jasig.cas.logout.LogoutManager;
import org.jasig.cas.logout.LogoutRequest;
import org.jasig.cas.services.RegisteredService;
import org.jasig.cas.services.RegisteredServiceAttributeReleasePolicy;
import org.jasig.cas.services.ServiceContext;
import org.jasig.cas.services.ServicesManager;
import org.jasig.cas.services.UnauthorizedProxyingException;
import org.jasig.cas.services.UnauthorizedServiceForPrincipalException;
import org.jasig.cas.services.UnauthorizedSsoServiceException;
import org.jasig.cas.support.events.CasProxyGrantingTicketCreatedEvent;
import org.jasig.cas.support.events.CasProxyTicketGrantedEvent;
import org.jasig.cas.support.events.CasServiceTicketGrantedEvent;
import org.jasig.cas.support.events.CasServiceTicketValidatedEvent;
import org.jasig.cas.support.events.CasTicketGrantingTicketCreatedEvent;
import org.jasig.cas.support.events.CasTicketGrantingTicketDestroyedEvent;
import org.jasig.cas.ticket.AbstractTicketException;
import org.jasig.cas.ticket.InvalidTicketException;
import org.jasig.cas.ticket.ServiceTicket;
import org.jasig.cas.ticket.TicketFactory;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.UnrecognizableServiceForServiceTicketValidationException;
import org.jasig.cas.ticket.proxy.ProxyGrantingTicket;
import org.jasig.cas.ticket.proxy.ProxyTicket;
import org.jasig.cas.ticket.registry.TicketRegistry;
import org.jasig.cas.validation.Assertion;
import org.jasig.cas.validation.ImmutableAssertion;
import org.jasig.inspektr.audit.annotation.Audit;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;

/**
 * Ticket service that destroys, grants, creates and validates CAS tickets on top of the
 * registry, factory, services manager and logout manager supplied by
 * {@link AbstractCentralAuthenticationService}.
 *
 * <p>This listing is decompiler output (see the JADX warnings and the "loaded from" marker
 * below). Raw types such as {@code List} and {@code new HashMap()} and names such as
 * {@code str} and {@code findServiceBy} are presumably decompilation artifacts rather than
 * the original source.
 *
 * <p>Every public operation runs inside the {@code ticketTransactionManager} transaction
 * declared on the class and carries metrics and {@code @Audit} annotations.
 *
 * <p>NOTE(review): several methods write ticket identifiers to the log. Ticket-granting and
 * proxy-granting ticket ids act as bearer credentials in CAS, so logs at the levels used here
 * should be access-controlled like the ticket registry itself.
 */
@Transactional(readOnly = false, transactionManager = "ticketTransactionManager")
@Component("centralAuthenticationService")
/* loaded from: input_file:org/jasig/cas/CentralAuthenticationServiceImpl.class */
public class CentralAuthenticationServiceImpl extends AbstractCentralAuthenticationService {
    // Serialization version marker for this class.
    private static final long serialVersionUID = -8943828074939533986L;

    /**
     * Creates an instance without collaborators.
     * NOTE(review): presumably the dependencies are injected by the container afterwards;
     * that wiring is not visible in this file.
     */
    public CentralAuthenticationServiceImpl() {
    }

    /**
     * Creates an instance and hands all four collaborators to the superclass constructor.
     *
     * @param ticketRegistry store that tickets are added to, looked up in and deleted from
     * @param ticketFactory factory used to obtain per-ticket-type creators
     * @param servicesManager registry used to resolve a {@link Service} to its {@link RegisteredService}
     * @param logoutManager component that performs logout for a ticket-granting ticket
     */
    public CentralAuthenticationServiceImpl(TicketRegistry ticketRegistry, TicketFactory ticketFactory, ServicesManager servicesManager, LogoutManager logoutManager) {
        super(ticketRegistry, ticketFactory, servicesManager, logoutManager);
    }

    /**
     * Performs logout for a ticket-granting ticket, deletes it from the registry and
     * publishes a {@link CasTicketGrantingTicketDestroyedEvent}.
     *
     * @param str id of the ticket-granting ticket to destroy
     * @return the logout requests produced by the logout manager, or an empty list when an
     *         {@link InvalidTicketException} is raised during the lookup/logout sequence
     */
    @Timed(name = "DESTROY_TICKET_GRANTING_TICKET_TIMER")
    @Counted(name = "DESTROY_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
    @Metered(name = "DESTROY_TICKET_GRANTING_TICKET_METER")
    @Audit(action = "TICKET_GRANTING_TICKET_DESTROYED", actionResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "DESTROY_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    public List<LogoutRequest> destroyTicketGrantingTicket(@NotNull String str) {
        try {
            // NOTE(review): the full ticket-granting ticket id is written to the debug log.
            this.logger.debug("Removing ticket [{}] from registry...", str);
            // Inherited lookup; presumably the source of the InvalidTicketException handled below.
            TicketGrantingTicket ticket = getTicket(str, TicketGrantingTicket.class);
            this.logger.debug("Ticket found. Processing logout requests and then deleting the ticket...");
            // Logout runs before deletion: any exception other than InvalidTicketException
            // thrown here leaves the method before deleteTicket is reached.
            List<LogoutRequest> performLogout = this.logoutManager.performLogout(ticket);
            this.ticketRegistry.deleteTicket(str);
            doPublishEvent(new CasTicketGrantingTicketDestroyedEvent(this, ticket));
            return performLogout;
        } catch (InvalidTicketException unused) {
            // An unknown or invalid ticket is treated as "nothing to log out" rather than an error.
            this.logger.debug("TicketGrantingTicket [{}] cannot be found in the ticket registry.", str);
            return Collections.emptyList();
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v52, types: [java.util.Map] */
    /**
     * Issues a service ticket for {@code service} from an existing ticket-granting ticket.
     *
     * <p>Checks run in this order and each one can abort the grant: ticket lookup, registered
     * service verification, mixed-principal detection, SSO participation, proxied-service
     * evaluation, authentication policy, and attribute-based access for the principal.
     *
     * @param str id of the ticket-granting ticket
     * @param service service the ticket is requested for
     * @param authenticationContext current authentication context; {@code null} is tolerated
     *        (see the null checks here and in {@code evaluatePossibilityOfMixedPrincipals})
     * @return the new service ticket, already added to the registry
     * @throws AuthenticationException declared; see the helper calls for the concrete sources
     * @throws AbstractTicketException declared; presumably raised by the ticket lookup
     */
    @Timed(name = "GRANT_SERVICE_TICKET_TIMER")
    @Counted(name = "GRANT_SERVICE_TICKET_COUNTER", monotonic = true)
    @Metered(name = "GRANT_SERVICE_TICKET_METER")
    @Audit(action = "SERVICE_TICKET", actionResolverName = "GRANT_SERVICE_TICKET_RESOLVER", resourceResolverName = "GRANT_SERVICE_TICKET_RESOURCE_RESOLVER")
    public ServiceTicket grantServiceTicket(String str, Service service, AuthenticationContext authenticationContext) throws AuthenticationException, AbstractTicketException {
        // NOTE(review): logs the ticket-granting ticket id at debug level.
        this.logger.debug("Attempting to get ticket id {} to create service ticket", str);
        TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) getTicket(str, TicketGrantingTicket.class);
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        // findServiceBy is dereferenced unguarded below; presumably this inherited check
        // rejects a null or disabled registration -- confirm in the superclass.
        verifyRegisteredServiceProperties(findServiceBy, service);
        // The returned Authentication is discarded; the call is made for its exception
        // and for its update of the ticket's supplemental authentications.
        evaluatePossibilityOfMixedPrincipals(authenticationContext, ticketGrantingTicket);
        // A ticket that has already been used is an SSO request; a service that opted out of
        // SSO is only served on the ticket's first use.
        if (ticketGrantingTicket.getCountOfUses() > 0 && !findServiceBy.getAccessStrategy().isServiceAccessAllowedForSso()) {
            this.logger.warn("Service [{}] is not allowed to use SSO.", service.getId());
            throw new UnauthorizedSsoServiceException();
        }
        evaluateProxiedServiceIfNeeded(service, ticketGrantingTicket, findServiceBy);
        this.logger.debug("Checking for authentication policy satisfaction...");
        // Return value unused; presumably throws when no authentication satisfies the policy.
        getAuthenticationSatisfiedByPolicy(ticketGrantingTicket.getRoot(), new ServiceContext(service, findServiceBy));
        List chainedAuthentications = ticketGrantingTicket.getChainedAuthentications();
        // The principal is taken from the last entry of the authentication chain.
        Principal principal = ((Authentication) chainedAuthentications.get(chainedAuthentications.size() - 1)).getPrincipal();
        this.logger.debug("Located principal {} for service ticket creation", principal);
        RegisteredServiceAttributeReleasePolicy attributeReleasePolicy = findServiceBy.getAttributeReleasePolicy();
        // Access is decided on the attributes the release policy yields for this principal,
        // or on an empty map when the service has no release policy.
        if (!findServiceBy.getAccessStrategy().doPrincipalAttributesAllowServiceAccess(principal.getId(), attributeReleasePolicy != null ? attributeReleasePolicy.getAttributes(principal) : new HashMap())) {
            // NOTE(review): logs the Principal object itself; what its toString() exposes is
            // not visible here.
            this.logger.warn("Cannot grant service ticket because Service [{}] is not authorized for use by [{}].", service.getId(), principal);
            throw new UnauthorizedServiceForPrincipalException();
        }
        // Third argument records whether credentials were supplied with this request;
        // a null context counts as "not supplied".
        ServiceTicket create = this.ticketFactory.get(ServiceTicket.class).create(ticketGrantingTicket, service, authenticationContext != null && authenticationContext.isCredentialProvided());
        this.logger.info("Granted ticket [{}] for service [{}] and principal [{}]", new Object[]{create.getId(), service.getId(), principal.getId()});
        this.ticketRegistry.addTicket(create);
        this.logger.debug("Added service ticket {} to ticket registry", create.getId());
        doPublishEvent(new CasServiceTicketGrantedEvent(this, ticketGrantingTicket, create));
        return create;
    }

    /**
     * Rejects a request whose current authentication belongs to a different principal than
     * the one the ticket-granting ticket was issued to, and otherwise records the current
     * authentication on the ticket.
     *
     * @param authenticationContext current context, may be {@code null}
     * @param ticketGrantingTicket ticket whose original authentication is compared against
     * @return the context's authentication, or {@code null} when the context or its
     *         authentication is {@code null}
     * @throws MixedPrincipalException when the two principals are not {@code equals}
     */
    private Authentication evaluatePossibilityOfMixedPrincipals(AuthenticationContext authenticationContext, TicketGrantingTicket ticketGrantingTicket) throws MixedPrincipalException {
        Authentication authentication = null;
        if (authenticationContext != null) {
            authentication = authenticationContext.getAuthentication();
            if (authentication != null) {
                // authentication2 is dereferenced without a null check.
                Authentication authentication2 = ticketGrantingTicket.getAuthentication();
                if (!authentication.getPrincipal().equals(authentication2.getPrincipal())) {
                    this.logger.debug("Principal associated with current authentication {} does not match  the principal {} associated with the original authentication", authentication.getPrincipal(), authentication2.getPrincipal());
                    throw new MixedPrincipalException(authentication, authentication.getPrincipal(), authentication2.getPrincipal());
                }
                // Replaces, rather than appends to, the ticket's supplemental authentications.
                // NOTE(review): no registry update follows in this method; whether the change
                // is persisted depends on code outside this file.
                ticketGrantingTicket.getSupplementalAuthentications().clear();
                ticketGrantingTicket.getSupplementalAuthentications().add(authentication);
                this.logger.debug("Added authentication to the collection of supplemental authentications");
            }
        }
        return authentication;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v43, types: [java.util.Map] */
    /**
     * Issues a proxy ticket for {@code service} from a proxy-granting ticket.
     *
     * <p>Unlike {@code grantServiceTicket}, the SSO participation check here is unconditional
     * (it does not depend on the ticket's use count) and no authentication context is involved.
     *
     * @param str id of the proxy-granting ticket
     * @param service service the proxy ticket is requested for
     * @return the new proxy ticket, already added to the registry
     * @throws AbstractTicketException declared; presumably raised by the ticket lookup
     */
    @Timed(name = "GRANT_PROXY_TICKET_TIMER")
    @Counted(name = "GRANT_PROXY_TICKET_COUNTER", monotonic = true)
    @Metered(name = "GRANT_PROXY_TICKET_METER")
    @Audit(action = "PROXY_TICKET", actionResolverName = "GRANT_PROXY_TICKET_RESOLVER", resourceResolverName = "GRANT_PROXY_TICKET_RESOURCE_RESOLVER")
    public ProxyTicket grantProxyTicket(String str, Service service) throws AbstractTicketException {
        ProxyGrantingTicket ticket = getTicket(str, ProxyGrantingTicket.class);
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        // Presumably rejects a null or disabled registration -- confirm in the superclass;
        // findServiceBy is dereferenced unguarded on the next line.
        verifyRegisteredServiceProperties(findServiceBy, service);
        if (!findServiceBy.getAccessStrategy().isServiceAccessAllowedForSso()) {
            this.logger.warn("Service [{}] is not allowed to use SSO.", service.getId());
            throw new UnauthorizedSsoServiceException();
        }
        evaluateProxiedServiceIfNeeded(service, ticket, findServiceBy);
        // Return value unused; presumably throws when no authentication satisfies the policy.
        getAuthenticationSatisfiedByPolicy(ticket.getRoot(), new ServiceContext(service, findServiceBy));
        List chainedAuthentications = ticket.getChainedAuthentications();
        // The principal is taken from the last entry of the authentication chain.
        Principal principal = ((Authentication) chainedAuthentications.get(chainedAuthentications.size() - 1)).getPrincipal();
        RegisteredServiceAttributeReleasePolicy attributeReleasePolicy = findServiceBy.getAttributeReleasePolicy();
        // Same attribute-based access decision as in grantServiceTicket.
        if (!findServiceBy.getAccessStrategy().doPrincipalAttributesAllowServiceAccess(principal.getId(), attributeReleasePolicy != null ? attributeReleasePolicy.getAttributes(principal) : new HashMap())) {
            this.logger.warn("Cannot grant proxy ticket because Service [{}] is not authorized for use by [{}].", service.getId(), principal);
            throw new UnauthorizedServiceForPrincipalException();
        }
        ProxyTicket create = this.ticketFactory.get(ProxyTicket.class).create(ticket, service);
        this.ticketRegistry.addTicket(create);
        this.logger.info("Granted ticket [{}] for service [{}] for user [{}]", new Object[]{create.getId(), service.getId(), principal.getId()});
        doPublishEvent(new CasProxyTicketGrantedEvent(this, ticket, create));
        return create;
    }

    /**
     * Creates a proxy-granting ticket from a service ticket, provided the service the
     * ticket was issued for is allowed to proxy.
     *
     * @param str id of the service ticket
     * @param authenticationContext context whose authentication is attached to the new ticket;
     *        dereferenced without a null check
     * @return the new proxy-granting ticket, already added to the registry
     * @throws AuthenticationException declared on the signature
     * @throws AbstractTicketException {@link InvalidTicketException} when the service ticket
     *         is missing or expired
     */
    @Timed(name = "CREATE_PROXY_GRANTING_TICKET_TIMER")
    @Counted(name = "CREATE_PROXY_GRANTING_TICKET_COUNTER", monotonic = true)
    @Metered(name = "CREATE_PROXY_GRANTING_TICKET_METER")
    @Audit(action = "PROXY_GRANTING_TICKET", actionResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_PROXY_GRANTING_TICKET_RESOURCE_RESOLVER")
    public ProxyGrantingTicket createProxyGrantingTicket(String str, AuthenticationContext authenticationContext) throws AuthenticationException, AbstractTicketException {
        // Reads the registry directly (not the inherited getTicket), so the null and expiry
        // checks are done explicitly here.
        ServiceTicket ticket = this.ticketRegistry.getTicket(str, ServiceTicket.class);
        if (ticket == null || ticket.isExpired()) {
            this.logger.debug("ServiceTicket [{}] has expired or cannot be found in the ticket registry", str);
            throw new InvalidTicketException(str);
        }
        // The proxy decision is made against the service recorded on the ticket, not a
        // caller-supplied one.
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(ticket.getService());
        verifyRegisteredServiceProperties(findServiceBy, ticket.getService());
        if (!findServiceBy.getProxyPolicy().isAllowedToProxy()) {
            this.logger.warn("ServiceManagement: Service [{}] attempted to proxy, but is not allowed.", ticket.getService().getId());
            throw new UnauthorizedProxyingException();
        }
        // NOTE(review): grantServiceTicket tolerates a null context, this call does not.
        ProxyGrantingTicket create = this.ticketFactory.get(ProxyGrantingTicket.class).create(ticket, authenticationContext.getAuthentication());
        // NOTE(review): passes the ticket object to the logger; if its toString() yields the
        // id, a new proxy-granting ticket id lands in the debug log.
        this.logger.debug("Generated proxy granting ticket [{}] based off of [{}]", create, str);
        this.ticketRegistry.addTicket(create);
        doPublishEvent(new CasProxyGrantingTicketCreatedEvent(this, create));
        return create;
    }

    /**
     * Validates a service ticket for {@code service} and builds the resulting assertion.
     *
     * @param str id of the service ticket
     * @param service service presenting the ticket
     * @return an {@link ImmutableAssertion} whose primary authentication carries a principal
     *         rebuilt from the service's username provider and attribute release policy
     * @throws AbstractTicketException {@link InvalidTicketException} when the ticket is
     *         missing or expired
     */
    @Timed(name = "VALIDATE_SERVICE_TICKET_TIMER")
    @Counted(name = "VALIDATE_SERVICE_TICKET_COUNTER", monotonic = true)
    @Metered(name = "VALIDATE_SERVICE_TICKET_METER")
    @Audit(action = "SERVICE_TICKET_VALIDATE", actionResolverName = "VALIDATE_SERVICE_TICKET_RESOLVER", resourceResolverName = "VALIDATE_SERVICE_TICKET_RESOURCE_RESOLVER")
    public Assertion validateServiceTicket(String str, Service service) throws AbstractTicketException {
        // The presenting service is verified before the ticket is even looked up.
        RegisteredService findServiceBy = this.servicesManager.findServiceBy(service);
        verifyRegisteredServiceProperties(findServiceBy, service);
        ServiceTicket ticket = this.ticketRegistry.getTicket(str, ServiceTicket.class);
        if (ticket == null) {
            this.logger.info("Service ticket [{}] does not exist.", str);
            throw new InvalidTicketException(str);
        }
        try {
            // Expiry and service match are checked under a lock on the ticket instance.
            // NOTE(review): this only serializes callers holding the same object; confirm the
            // registry in use does not return a separate copy per lookup. isValidFor presumably
            // also updates the ticket's usage state -- confirm.
            synchronized (ticket) {
                if (ticket.isExpired()) {
                    this.logger.info("ServiceTicket [{}] has expired.", str);
                    throw new InvalidTicketException(str);
                }
                if (!ticket.isValidFor(service)) {
                    this.logger.error("Service ticket [{}] with service [{}] does not match supplied service [{}]", new Object[]{str, ticket.getService().getId(), service});
                    throw new UnrecognizableServiceForServiceTicketValidationException(ticket.getService());
                }
            }
            // The policy is evaluated against the service recorded on the ticket.
            Authentication authenticationSatisfiedByPolicy = getAuthenticationSatisfiedByPolicy(ticket.getGrantingTicket().getRoot(), new ServiceContext(ticket.getService(), findServiceBy));
            Principal principal = authenticationSatisfiedByPolicy.getPrincipal();
            RegisteredServiceAttributeReleasePolicy attributeReleasePolicy = findServiceBy.getAttributeReleasePolicy();
            this.logger.debug("Attribute policy [{}] is associated with service [{}]", attributeReleasePolicy, findServiceBy);
            // Rebuild the principal: id from the service's username provider, attributes only
            // from the release policy (empty when the service has none).
            Principal createPrincipal = this.principalFactory.createPrincipal(findServiceBy.getUsernameAttributeProvider().resolveUsername(principal, service), attributeReleasePolicy != null ? attributeReleasePolicy.getAttributes(principal) : Collections.EMPTY_MAP);
            AuthenticationBuilder newInstance = DefaultAuthenticationBuilder.newInstance(authenticationSatisfiedByPolicy);
            newInstance.setPrincipal(createPrincipal);
            // NOTE(review): the chained authentications are passed through as stored on the
            // granting ticket, i.e. without the attribute filtering applied above; consumers
            // of the assertion should presumably read attributes from the primary authentication.
            ImmutableAssertion immutableAssertion = new ImmutableAssertion(newInstance.build(), ticket.getGrantingTicket().getChainedAuthentications(), ticket.getService(), ticket.isFromNewLogin());
            doPublishEvent(new CasServiceTicketValidatedEvent(this, ticket, immutableAssertion));
            return immutableAssertion;
        } finally {
            // Runs on success and on every failure path above: a ticket that is expired at
            // this point is removed from the registry.
            if (ticket.isExpired()) {
                this.ticketRegistry.deleteTicket(str);
            }
        }
    }

    /**
     * Creates a ticket-granting ticket for the context's authentication, stores it in the
     * registry and publishes a {@link CasTicketGrantingTicketCreatedEvent}.
     *
     * @param authenticationContext context supplying the authentication; dereferenced
     *        without a null check
     * @return the new ticket-granting ticket
     * @throws AuthenticationException declared on the signature
     * @throws AbstractTicketException declared on the signature
     */
    @Timed(name = "CREATE_TICKET_GRANTING_TICKET_TIMER")
    @Counted(name = "CREATE_TICKET_GRANTING_TICKET_COUNTER", monotonic = true)
    @Metered(name = "CREATE_TICKET_GRANTING_TICKET_METER")
    @Audit(action = "TICKET_GRANTING_TICKET", actionResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOLVER", resourceResolverName = "CREATE_TICKET_GRANTING_TICKET_RESOURCE_RESOLVER")
    public TicketGrantingTicket createTicketGrantingTicket(AuthenticationContext authenticationContext) throws AuthenticationException, AbstractTicketException {
        TicketGrantingTicket create = this.ticketFactory.get(TicketGrantingTicket.class).create(authenticationContext.getAuthentication());
        this.ticketRegistry.addTicket(create);
        doPublishEvent(new CasTicketGrantingTicketCreatedEvent(this, create));
        return create;
    }
}
