package org.jasig.cas;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.inspektr.audit.annotation.Auditable;
import org.inspektr.audit.spi.support.DefaultAuditableActionResolver;
import org.inspektr.audit.spi.support.ObjectCreationAuditableActionResolver;
import org.inspektr.audit.spi.support.ReturnValueAsStringResourceResolver;
import org.inspektr.common.ioc.annotation.NotNull;
import org.inspektr.statistics.annotation.Statistic;
import org.jasig.cas.audit.spi.ServiceResourceResolver;
import org.jasig.cas.audit.spi.TicketAsFirstParameterResourceResolver;
import org.jasig.cas.authentication.Authentication;
import org.jasig.cas.authentication.AuthenticationManager;
import org.jasig.cas.authentication.MutableAuthentication;
import org.jasig.cas.authentication.handler.AuthenticationException;
import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.PersistentIdGenerator;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.Service;
import org.jasig.cas.authentication.principal.ShibbolethCompatiblePersistentIdGenerator;
import org.jasig.cas.authentication.principal.SimplePrincipal;
import org.jasig.cas.services.RegisteredService;
import org.jasig.cas.services.ServicesManager;
import org.jasig.cas.services.UnauthorizedProxyingException;
import org.jasig.cas.services.UnauthorizedServiceException;
import org.jasig.cas.services.UnauthorizedSsoServiceException;
import org.jasig.cas.ticket.ExpirationPolicy;
import org.jasig.cas.ticket.InvalidTicketException;
import org.jasig.cas.ticket.ServiceTicket;
import org.jasig.cas.ticket.TicketCreationException;
import org.jasig.cas.ticket.TicketException;
import org.jasig.cas.ticket.TicketGrantingTicket;
import org.jasig.cas.ticket.TicketGrantingTicketImpl;
import org.jasig.cas.ticket.TicketValidationException;
import org.jasig.cas.ticket.registry.TicketRegistry;
import org.jasig.cas.util.UniqueTicketIdGenerator;
import org.jasig.cas.validation.Assertion;
import org.jasig.cas.validation.ImmutableAssertionImpl;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-3.3.5-fixed.jar:org/jasig/cas/CentralAuthenticationServiceImpl.class */
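/**
 * Default {@link CentralAuthenticationService}: the one component that issues,
 * delegates (proxies), validates and destroys CAS tickets.
 *
 * <p>Every public method sits on a trust boundary. Ticket identifiers arrive as
 * client-supplied {@code String}s and are bearer credentials; {@link Service}
 * objects are built from client-supplied service URLs. Each operation therefore
 * resolves the ticket from a registry and checks the {@link RegisteredService}
 * policy (enabled / SSO allowed / proxying allowed / attribute release) before it
 * does anything with the ticket.
 *
 * <p>Notes for maintainers:
 * <ul>
 *   <li>Ticket identifiers are written to the log in several places (TGT ids at
 *       DEBUG, service ticket ids at INFO and ERROR). Anyone who can read the logs
 *       can replay an unexpired ticket, so log files must be protected like
 *       credentials.</li>
 *   <li>Attribute release is decided per service by
 *       {@link RegisteredService#isIgnoreAttributes()} and
 *       {@link RegisteredService#getAllowedAttributes()}; services flagged
 *       {@link RegisteredService#isAnonymousAccess()} receive a persistent
 *       pseudonymous id from {@link #persistentIdGenerator} instead of the real
 *       principal id.</li>
 *   <li>Collaborators are injected through setters. The {@code @NotNull}
 *       annotations come from inspektr and are presumably enforced by its IoC
 *       support, not by this class.</li>
 * </ul>
 */
public final class CentralAuthenticationServiceImpl implements CentralAuthenticationService {

    /** Registry for ticket-granting tickets (and, unless overridden, service tickets). */
    @NotNull
    private TicketRegistry ticketRegistry;

    /** Registry for service tickets; defaults to {@link #ticketRegistry} (see {@link #setTicketRegistry}). */
    @NotNull
    private TicketRegistry serviceTicketRegistry;

    /** Authenticates the credentials presented for TGT creation, re-authentication and proxying. */
    @NotNull
    private AuthenticationManager authenticationManager;

    /** Generates ids for TGTs, including proxy-granting tickets. */
    @NotNull
    private UniqueTicketIdGenerator ticketGrantingTicketUniqueTicketIdGenerator;

    /** Service-ticket id generators keyed by the fully-qualified class name of the {@link Service}. */
    @NotNull
    private Map<String, UniqueTicketIdGenerator> uniqueTicketIdGeneratorsForService;

    @NotNull
    private ExpirationPolicy ticketGrantingTicketExpirationPolicy;

    @NotNull
    private ExpirationPolicy serviceTicketExpirationPolicy;

    /** Source of {@link RegisteredService} policy for every service this instance sees. */
    @NotNull
    private ServicesManager servicesManager;

    private final Log log = LogFactory.getLog(getClass());

    /** Produces the pseudonymous principal id handed to anonymous-access services. */
    @NotNull
    private PersistentIdGenerator persistentIdGenerator = new ShibbolethCompatiblePersistentIdGenerator();

    /**
     * Expires and removes a ticket-granting ticket (single sign-out).
     *
     * <p>An unknown ticket id is a silent no-op, so repeated destroy calls are
     * harmless. The ticket is expired before it is deleted from the registry;
     * presumably so that anyone still holding a reference observes it as expired.
     *
     * @param ticketGrantingTicketId id of the TGT to destroy; must not be null
     */
    @Override
    @Auditable(action = "TICKET_GRANTING_TICKET_DESTROYED", actionResolverClass = DefaultAuditableActionResolver.class, resourceResolverClass = TicketAsFirstParameterResourceResolver.class)
    @Transactional(readOnly = false)
    @Statistic(name = "DESTROY_TICKET_GRANTING_TICKET", requiredPrecision = {Statistic.Precision.DAY, Statistic.Precision.MINUTE, Statistic.Precision.HOUR})
    public void destroyTicketGrantingTicket(final String ticketGrantingTicketId) {
        Assert.notNull(ticketGrantingTicketId);

        if (this.log.isDebugEnabled()) {
            // NOTE(review): the TGT id is a bearer credential; it only reaches the log at DEBUG.
            this.log.debug("Removing ticket [" + ticketGrantingTicketId + "] from registry.");
        }

        final TicketGrantingTicket ticket = (TicketGrantingTicket) this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        if (ticket == null) {
            return;
        }

        if (this.log.isDebugEnabled()) {
            this.log.debug("Ticket found.  Expiring and then deleting.");
        }
        ticket.expire();
        this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
    }

    /**
     * Issues a service ticket for {@code service} on behalf of an existing TGT.
     *
     * <p>Order of checks:
     * <ol>
     *   <li>the TGT must exist and be unexpired (an expired one is deleted);</li>
     *   <li>the service must be registered and enabled;</li>
     *   <li>a service with SSO disabled gets a ticket without fresh credentials
     *       only while the TGT has never been used;</li>
     *   <li>if credentials are supplied they are re-authenticated and must resolve
     *       to the same principal, with the same attributes, as the TGT.</li>
     * </ol>
     *
     * @param ticketGrantingTicketId id of the TGT; must not be null
     * @param service                service requesting the ticket; must not be null
     * @param credentials            optional credentials for forced re-authentication; may be null
     * @return the id of the newly granted service ticket
     * @throws InvalidTicketException          if the TGT is missing or expired
     * @throws UnauthorizedServiceException    if the service is unregistered or disabled
     * @throws UnauthorizedSsoServiceException if the service may not participate in SSO
     * @throws TicketCreationException         if re-authentication fails or yields a different principal
     * @throws IllegalStateException           if no ticket id generator is configured for the service type
     */
    @Override
    @Auditable(action = "SERVICE_TICKET", successSuffix = "_CREATED", failureSuffix = "_NOT_CREATED", actionResolverClass = ObjectCreationAuditableActionResolver.class, resourceResolverClass = ServiceResourceResolver.class)
    @Transactional(readOnly = false)
    @Statistic(name = "GRANT_SERVICE_TICKET", requiredPrecision = {Statistic.Precision.DAY, Statistic.Precision.MINUTE, Statistic.Precision.HOUR})
    public String grantServiceTicket(final String ticketGrantingTicketId, final Service service, final Credentials credentials) throws TicketException {
        Assert.notNull(ticketGrantingTicketId, "ticketGrantingticketId cannot be null");
        Assert.notNull(service, "service cannot be null");

        final TicketGrantingTicket ticketGrantingTicket = (TicketGrantingTicket) this.ticketRegistry.getTicket(ticketGrantingTicketId, TicketGrantingTicket.class);
        if (ticketGrantingTicket == null) {
            throw new InvalidTicketException();
        }

        // The expiry check is made under the ticket's monitor; the grant further down is
        // not. NOTE(review): a TGT that expires in between is presumably handled by the
        // ticket implementation — confirm.
        synchronized (ticketGrantingTicket) {
            if (ticketGrantingTicket.isExpired()) {
                this.ticketRegistry.deleteTicket(ticketGrantingTicketId);
                throw new InvalidTicketException();
            }
        }

        final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
        if (registeredService == null || !registeredService.isEnabled()) {
            this.log.warn("ServiceManagement: Unauthorized Service Access. Service [" + service.getId() + "] not found in Service Registry.");
            throw new UnauthorizedServiceException();
        }

        // A non-SSO service may only ride on this TGT before its first use; afterwards it
        // must present credentials again.
        final boolean freshCredentialsSupplied = credentials != null;
        if (!registeredService.isSsoEnabled() && !freshCredentialsSupplied && ticketGrantingTicket.getCountOfUses() > 0) {
            this.log.warn("ServiceManagement: Service Not Allowed to use SSO.  Service [" + service.getId() + "]");
            throw new UnauthorizedSsoServiceException();
        }

        if (freshCredentialsSupplied) {
            try {
                final Authentication reauthenticated = this.authenticationManager.authenticate(credentials);
                final Authentication original = ticketGrantingTicket.getAuthentication();
                // Re-authentication must prove the *same* identity; a different (even valid)
                // user must not be able to obtain a ticket on someone else's TGT.
                final boolean samePrincipal = reauthenticated.getPrincipal().equals(original.getPrincipal());
                final boolean sameAttributes = reauthenticated.getAttributes().equals(original.getAttributes());
                if (!samePrincipal || !sameAttributes) {
                    throw new TicketCreationException();
                }
            } catch (final AuthenticationException e) {
                throw new TicketCreationException(e);
            }
        }

        // Generators are keyed by the concrete Service class; a missing entry is a
        // deployment error and previously surfaced as a bare NullPointerException.
        final UniqueTicketIdGenerator serviceTicketIdGenerator = this.uniqueTicketIdGeneratorsForService.get(service.getClass().getName());
        if (serviceTicketIdGenerator == null) {
            throw new IllegalStateException("No UniqueTicketIdGenerator configured for service type [" + service.getClass().getName() + "]");
        }

        final ServiceTicket serviceTicket = ticketGrantingTicket.grantServiceTicket(
            serviceTicketIdGenerator.getNewTicketId(ServiceTicket.PREFIX),
            service,
            this.serviceTicketExpirationPolicy,
            freshCredentialsSupplied);
        this.serviceTicketRegistry.addTicket(serviceTicket);

        if (this.log.isInfoEnabled()) {
            // NOTE(review): the service ticket id is a (short-lived) bearer credential and is
            // logged at INFO here; protect the log accordingly.
            this.log.info("Granted service ticket [" + serviceTicket.getId() + "] for service [" + service.getId() + "] for user [" + serviceTicket.getGrantingTicket().getAuthentication().getPrincipal().getId() + "]");
        }
        return serviceTicket.getId();
    }

    /**
     * Issues a service ticket without re-authentication; equivalent to
     * {@link #grantServiceTicket(String, Service, Credentials)} with {@code null} credentials.
     *
     * @param ticketGrantingTicketId id of the TGT; must not be null
     * @param service                service requesting the ticket; must not be null
     * @return the id of the newly granted service ticket
     * @throws TicketException as for the three-argument form
     */
    @Override
    @Auditable(action = "SERVICE_TICKET", successSuffix = "_CREATED", failureSuffix = "_NOT_CREATED", actionResolverClass = ObjectCreationAuditableActionResolver.class, resourceResolverClass = ServiceResourceResolver.class)
    @Transactional(readOnly = false)
    @Statistic(name = "GRANT_SERVICE_TICKET", requiredPrecision = {Statistic.Precision.DAY, Statistic.Precision.MINUTE, Statistic.Precision.HOUR})
    public String grantServiceTicket(final String ticketGrantingTicketId, final Service service) throws TicketException {
        return grantServiceTicket(ticketGrantingTicketId, service, null);
    }

    /**
     * Creates a proxy-granting ticket: a new TGT chained onto the service ticket's
     * TGT, authenticated with the proxying service's own credentials.
     *
     * <p>The credentials are authenticated first, then the service ticket must exist
     * and be unexpired, and the ticket's service must be registered, enabled and
     * allowed to proxy.
     *
     * @param serviceTicketId id of the service ticket being proxied; must not be null
     * @param credentials     credentials of the proxying service; must not be null
     * @return the id of the new proxy-granting ticket
     * @throws InvalidTicketException       if the service ticket is missing or expired
     * @throws UnauthorizedProxyingException if the service may not proxy
     * @throws TicketCreationException       if the credentials fail authentication
     */
    @Override
    @Auditable(action = "PROXY_GRANTING_TICKET", successSuffix = "_CREATED", failureSuffix = "_NOT_CREATED", actionResolverClass = ObjectCreationAuditableActionResolver.class, resourceResolverClass = ReturnValueAsStringResourceResolver.class)
    @Transactional(readOnly = false)
    @Statistic(name = "GRANT_PROXY_TICKET", requiredPrecision = {Statistic.Precision.DAY, Statistic.Precision.MINUTE, Statistic.Precision.HOUR})
    public String delegateTicketGrantingTicket(final String serviceTicketId, final Credentials credentials) throws TicketException {
        Assert.notNull(serviceTicketId, "serviceTicketId cannot be null");
        Assert.notNull(credentials, "credentials cannot be null");

        try {
            final Authentication proxyAuthentication = this.authenticationManager.authenticate(credentials);

            final ServiceTicket serviceTicket = (ServiceTicket) this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
            if (serviceTicket == null || serviceTicket.isExpired()) {
                throw new InvalidTicketException();
            }

            final RegisteredService registeredService = this.servicesManager.findServiceBy(serviceTicket.getService());
            if (registeredService == null || !registeredService.isEnabled() || !registeredService.isAllowedToProxy()) {
                this.log.warn("ServiceManagement: Service Attempted to Proxy, but is not allowed.  Service: [" + serviceTicket.getService().getId() + "]");
                throw new UnauthorizedProxyingException();
            }

            // NOTE(review): presumably the service ticket refuses to grant more than one
            // PGT (otherwise one ST could mint many); verify in the ServiceTicket implementation.
            final TicketGrantingTicket proxyGrantingTicket = serviceTicket.grantTicketGrantingTicket(
                this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(TicketGrantingTicket.PREFIX),
                proxyAuthentication,
                this.ticketGrantingTicketExpirationPolicy);
            this.ticketRegistry.addTicket(proxyGrantingTicket);
            return proxyGrantingTicket.getId();
        } catch (final AuthenticationException e) {
            throw new TicketCreationException(e);
        }
    }

    /**
     * Validates a service ticket for {@code service} and builds the assertion that is
     * released to the service.
     *
     * <p>The registered-service policy is checked before the ticket, so an
     * unregistered or disabled service learns nothing about ticket existence. The
     * ticket must then exist, be unexpired and have been issued for this exact
     * service. The released principal is the last authentication in the TGT chain,
     * rewritten according to the service's policy:
     * <ul>
     *   <li>anonymous access: the principal id is replaced by a persistent pseudonym;</li>
     *   <li>attributes ignored: the principal's attributes are released unfiltered;</li>
     *   <li>otherwise: only {@link RegisteredService#getAllowedAttributes()} that the
     *       principal actually has are released.</li>
     * </ul>
     * Earlier (proxy) authentications in the chain are released unchanged.
     *
     * <p>Fix relative to the previous revision: the pseudonymous id was only applied
     * on the attribute-filtering path, so an anonymous-access service that was also
     * configured to ignore attributes received the real principal id. Anonymity is
     * now honoured on both paths.
     *
     * @param serviceTicketId id of the service ticket to validate; must not be null
     * @param service         service presenting the ticket; must not be null
     * @return the assertion to release to the service
     * @throws UnauthorizedServiceException if the service is unregistered or disabled
     * @throws InvalidTicketException       if the ticket is missing or expired
     * @throws TicketValidationException    if the ticket was issued for a different service
     */
    @Override
    @Auditable(action = "SERVICE_TICKET_VALIDATE", successSuffix = "D", failureSuffix = "_FAILED", actionResolverClass = ObjectCreationAuditableActionResolver.class, resourceResolverClass = TicketAsFirstParameterResourceResolver.class)
    @Transactional(readOnly = false)
    @Statistic(name = "SERVICE_TICKET_VALIDATE", requiredPrecision = {Statistic.Precision.DAY, Statistic.Precision.MINUTE, Statistic.Precision.HOUR})
    public Assertion validateServiceTicket(final String serviceTicketId, final Service service) throws TicketException {
        Assert.notNull(serviceTicketId, "serviceTicketId cannot be null");
        Assert.notNull(service, "service cannot be null");

        final ServiceTicket serviceTicket = (ServiceTicket) this.serviceTicketRegistry.getTicket(serviceTicketId, ServiceTicket.class);
        final RegisteredService registeredService = this.servicesManager.findServiceBy(service);

        if (registeredService == null || !registeredService.isEnabled()) {
            this.log.warn("ServiceManagement: Service does not exist is not enabled, and thus not allowed to validate tickets.   Service: [" + service.getId() + "]");
            throw new UnauthorizedServiceException("Service not allowed to validate tickets.");
        }

        if (serviceTicket == null) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("ServiceTicket [" + serviceTicketId + "] does not exist.");
            }
            throw new InvalidTicketException();
        }

        try {
            synchronized (serviceTicket) {
                if (serviceTicket.isExpired()) {
                    if (this.log.isDebugEnabled()) {
                        this.log.debug("ServiceTicket [" + serviceTicketId + "] has expired.");
                    }
                    throw new InvalidTicketException();
                }
                // NOTE(review): isValidFor is expected to consume the (single-use) ticket as a
                // side effect, which is why it runs under the ticket's monitor — confirm in
                // the ServiceTicket implementation.
                if (!serviceTicket.isValidFor(service)) {
                    if (this.log.isErrorEnabled()) {
                        this.log.error("ServiceTicket [" + serviceTicketId + "] with service [" + serviceTicket.getService().getId() + " does not match supplied service [" + service + "]");
                    }
                    throw new TicketValidationException(serviceTicket.getService());
                }
            }

            final List<Authentication> chain = serviceTicket.getGrantingTicket().getChainedAuthentications();
            final int chainSize = chain.size();
            final Authentication authentication = chain.get(chainSize - 1);
            final Principal principal = authentication.getPrincipal();

            final String releasedPrincipalId = registeredService.isAnonymousAccess()
                ? this.persistentIdGenerator.generate(principal, serviceTicket.getService())
                : principal.getId();

            final Authentication authenticationToRelease;
            if (registeredService.isIgnoreAttributes()) {
                // Unfiltered attribute release. The authentication object is passed through
                // untouched unless the id has to be pseudonymised.
                authenticationToRelease = registeredService.isAnonymousAccess()
                    ? copyWithPrincipal(authentication, new SimplePrincipal(releasedPrincipalId, principal.getAttributes()))
                    : authentication;
            } else {
                authenticationToRelease = copyWithPrincipal(authentication,
                    new SimplePrincipal(releasedPrincipalId, allowedAttributesOf(registeredService, principal)));
            }

            final List<Authentication> releasedChain = new ArrayList<Authentication>(chainSize);
            releasedChain.addAll(chain.subList(0, chainSize - 1));
            releasedChain.add(authenticationToRelease);

            return new ImmutableAssertionImpl(releasedChain, serviceTicket.getService(), serviceTicket.isFromNewLogin());
        } finally {
            // A ticket that became expired during validation (e.g. consumed by isValidFor)
            // is purged whether validation succeeded or not.
            if (serviceTicket.isExpired()) {
                this.serviceTicketRegistry.deleteTicket(serviceTicketId);
            }
        }
    }

    /**
     * Builds a {@link MutableAuthentication} that carries {@code principal} but otherwise
     * mirrors {@code source}: same authentication attributes and authenticated date.
     */
    private static Authentication copyWithPrincipal(final Authentication source, final Principal principal) {
        final MutableAuthentication copy = new MutableAuthentication(principal, source.getAuthenticatedDate());
        copy.getAttributes().putAll(source.getAttributes());
        // Re-applied explicitly, as the original code did; presumably the constructor
        // copies the Date rather than aliasing it.
        copy.getAuthenticatedDate().setTime(source.getAuthenticatedDate().getTime());
        return copy;
    }

    /**
     * Returns the subset of {@code principal}'s attributes that {@code registeredService}
     * is allowed to receive. Allowed names the principal lacks (null values) are omitted.
     */
    private static Map<String, Object> allowedAttributesOf(final RegisteredService registeredService, final Principal principal) {
        final Map<String, Object> released = new HashMap<String, Object>();
        for (final String attributeName : registeredService.getAllowedAttributes()) {
            final Object value = principal.getAttributes().get(attributeName);
            if (value != null) {
                released.put(attributeName, value);
            }
        }
        return released;
    }

    /**
     * Authenticates {@code credentials} and, on success, creates and registers a new
     * ticket-granting ticket for the resulting authentication.
     *
     * @param credentials credentials to authenticate; must not be null
     * @return the id of the new TGT
     * @throws TicketCreationException if authentication fails (the cause is preserved)
     */
    @Override
    @Auditable(action = "TICKET_GRANTING_TICKET", successSuffix = "_CREATED", failureSuffix = "_NOT_CREATED", actionResolverClass = ObjectCreationAuditableActionResolver.class, resourceResolverClass = ReturnValueAsStringResourceResolver.class)
    @Transactional(readOnly = false)
    @Statistic(name = "CREATE_TICKET_GRANTING_TICKET", requiredPrecision = {Statistic.Precision.DAY, Statistic.Precision.MINUTE, Statistic.Precision.HOUR})
    public String createTicketGrantingTicket(final Credentials credentials) throws TicketCreationException {
        Assert.notNull(credentials, "credentials cannot be null");

        if (this.log.isDebugEnabled()) {
            // NOTE(review): this relies on every Credentials implementation's toString()
            // omitting secrets (passwords, proxy callback material). Verify before enabling
            // DEBUG logging in production.
            this.log.debug("Attempting to create TicketGrantingTicket for " + credentials);
        }

        try {
            final Authentication authentication = this.authenticationManager.authenticate(credentials);
            final TicketGrantingTicketImpl ticketGrantingTicket = new TicketGrantingTicketImpl(
                this.ticketGrantingTicketUniqueTicketIdGenerator.getNewTicketId(TicketGrantingTicket.PREFIX),
                authentication,
                this.ticketGrantingTicketExpirationPolicy);
            this.ticketRegistry.addTicket(ticketGrantingTicket);
            return ticketGrantingTicket.getId();
        } catch (final AuthenticationException e) {
            throw new TicketCreationException(e);
        }
    }

    /**
     * Sets the TGT registry. If no service-ticket registry has been set yet, the same
     * registry is used for service tickets too; a later call to
     * {@link #setServiceTicketRegistry} still overrides that default.
     */
    public void setTicketRegistry(final TicketRegistry ticketRegistry) {
        this.ticketRegistry = ticketRegistry;
        if (this.serviceTicketRegistry == null) {
            this.serviceTicketRegistry = ticketRegistry;
        }
    }

    /** Sets a dedicated registry for service tickets (optional; see {@link #setTicketRegistry}). */
    public void setServiceTicketRegistry(final TicketRegistry ticketRegistry) {
        this.serviceTicketRegistry = ticketRegistry;
    }

    public void setAuthenticationManager(final AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void setTicketGrantingTicketExpirationPolicy(final ExpirationPolicy expirationPolicy) {
        this.ticketGrantingTicketExpirationPolicy = expirationPolicy;
    }

    public void setTicketGrantingTicketUniqueTicketIdGenerator(final UniqueTicketIdGenerator uniqueTicketIdGenerator) {
        this.ticketGrantingTicketUniqueTicketIdGenerator = uniqueTicketIdGenerator;
    }

    public void setServiceTicketExpirationPolicy(final ExpirationPolicy expirationPolicy) {
        this.serviceTicketExpirationPolicy = expirationPolicy;
    }

    /**
     * Sets the service-ticket id generators, keyed by the fully-qualified class name
     * of the {@link Service} implementation they serve. Every Service type that can
     * reach {@link #grantServiceTicket} must have an entry.
     */
    public void setUniqueTicketIdGeneratorsForService(final Map<String, UniqueTicketIdGenerator> map) {
        this.uniqueTicketIdGeneratorsForService = map;
    }

    public void setServicesManager(final ServicesManager servicesManager) {
        this.servicesManager = servicesManager;
    }

    /** Replaces the generator used for anonymous-access principal ids (Shibboleth-compatible by default). */
    public void setPersistentIdGenerator(final PersistentIdGenerator persistentIdGenerator) {
        this.persistentIdGenerator = persistentIdGenerator;
    }
}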
