package org.apereo.cas.authentication;

import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.model.AdminGetUserRequest;
import com.amazonaws.services.cognitoidp.model.AdminGetUserResult;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthRequest;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthResult;
import com.amazonaws.services.cognitoidp.model.AuthFlowType;
import com.amazonaws.services.cognitoidp.model.InvalidPasswordException;
import com.amazonaws.services.cognitoidp.model.NotAuthorizedException;
import com.amazonaws.services.cognitoidp.model.UserNotFoundException;
import com.nimbusds.jose.proc.SimpleSecurityContext;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.configuration.model.support.cognito.AmazonCognitoAuthenticationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.DisposableBean;

/* loaded from: input_file:org/apereo/cas/authentication/AmazonCognitoAuthenticationAuthenticationHandler.class */
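/**
 * Username/password authentication handler backed by an Amazon Cognito user pool.
 *
 * <p>The flow is: run the {@code ADMIN_NO_SRP_AUTH} admin auth flow, reject accounts that still
 * have a {@code NEW_PASSWORD_REQUIRED} challenge, validate the returned id token with the injected
 * JWT processor, then load the user record with {@code adminGetUser} and expose its status, dates
 * and pool attributes as principal attributes.
 *
 * <p>Fixes relative to the decompiled original: the {@code sub}-claim check was inverted (every
 * token that carried a subject was rejected), the catch clauses were ordered so that the specific
 * Cognito exceptions were unreachable behind {@code catch (Exception)}, and account-state
 * exceptions raised inside the try block were flattened into a plain {@link FailedLoginException}.
 */
public class AmazonCognitoAuthenticationAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler implements DisposableBean {

    /** Challenge name Cognito reports when the account must set a new password before it may sign in. */
    private static final String NEW_PASSWORD_REQUIRED_CHALLENGE = "NEW_PASSWORD_REQUIRED";

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(AmazonCognitoAuthenticationAuthenticationHandler.class);

    /** Cognito client used for the admin auth and user-lookup calls; shut down in {@link #destroy()}. */
    private final AWSCognitoIdentityProvider cognitoIdentityProvider;

    /** Supplies the app client id, user pool id and handler order. */
    private final AmazonCognitoAuthenticationProperties properties;

    /**
     * Parses and validates the id token Cognito returns. Left raw to match the injected bean's declared type.
     * NOTE(review): signature, issuer and audience verification live in this processor's configuration, not in
     * this class — confirm it is wired to the user pool's JWKS and expected issuer.
     */
    private final ConfigurableJWTProcessor jwtProcessor;

    /**
     * Creates the handler.
     *
     * @param str                                    handler name
     * @param servicesManager                        services manager
     * @param principalFactory                       factory used to build the resolved principal
     * @param aWSCognitoIdentityProvider             Cognito client
     * @param amazonCognitoAuthenticationProperties  Cognito settings (client id, user pool id, order)
     * @param configurableJWTProcessor               validator for the returned id token
     * @throws NullPointerException if any collaborator is {@code null}
     */
    public AmazonCognitoAuthenticationAuthenticationHandler(final String str, final ServicesManager servicesManager, final PrincipalFactory principalFactory, final AWSCognitoIdentityProvider aWSCognitoIdentityProvider, final AmazonCognitoAuthenticationProperties amazonCognitoAuthenticationProperties, final ConfigurableJWTProcessor configurableJWTProcessor) {
        super(str, servicesManager, principalFactory, Integer.valueOf(amazonCognitoAuthenticationProperties.getOrder()));
        this.cognitoIdentityProvider = Objects.requireNonNull(aWSCognitoIdentityProvider, "cognitoIdentityProvider");
        this.properties = Objects.requireNonNull(amazonCognitoAuthenticationProperties, "properties");
        this.jwtProcessor = Objects.requireNonNull(configurableJWTProcessor, "jwtProcessor");
    }

    /** Releases the Cognito client's connection resources when the bean is destroyed. */
    @Override
    public void destroy() {
        this.cognitoIdentityProvider.shutdown();
    }

    /**
     * Authenticates the credential against the configured Cognito user pool.
     *
     * @param usernamePasswordCredential the credential under test
     * @param str                        the original (pre-transformation) password; unused here
     * @return the handler result carrying the Cognito-backed principal
     * @throws AccountPasswordMustChangeException if Cognito demands a new password or rejects the password policy
     * @throws AccountNotFoundException           if the user does not exist in the pool
     * @throws AccountExpiredException            if Cognito reports the account/temporary password as expired
     * @throws AccountDisabledException           if Cognito reports the account as disabled
     * @throws FailedLoginException               for any other authentication failure
     * @throws GeneralSecurityException           propagated from the checks above
     */
    @Override
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential usernamePasswordCredential, final String str) throws GeneralSecurityException {
        try {
            final Map<String, String> authParameters = new HashMap<>();
            authParameters.put("USERNAME", usernamePasswordCredential.getUsername());
            // ADMIN_NO_SRP_AUTH sends the password itself to Cognito (over TLS); never log this map.
            authParameters.put("PASSWORD", usernamePasswordCredential.getPassword());

            final AdminInitiateAuthRequest authRequest = new AdminInitiateAuthRequest()
                .withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
                .withClientId(this.properties.getClientId())
                .withUserPoolId(this.properties.getUserPoolId())
                .withAuthParameters(authParameters);
            final AdminInitiateAuthResult authResult = this.cognitoIdentityProvider.adminInitiateAuth(authRequest);

            if (NEW_PASSWORD_REQUIRED_CHALLENGE.equalsIgnoreCase(authResult.getChallengeName())) {
                throw new AccountPasswordMustChangeException();
            }
            // Any other outstanding challenge leaves no tokens to validate; fail rather than dereference null.
            if (authResult.getAuthenticationResult() == null) {
                throw new FailedLoginException("Cognito returned no authentication result; outstanding challenge [" + authResult.getChallengeName() + "]");
            }

            final String subject = this.jwtProcessor
                .process(authResult.getAuthenticationResult().getIdToken(), new SimpleSecurityContext())
                .getSubject();
            // A validated id token must carry a subject; the decompiled original tested isNotBlank and so
            // rejected every well-formed token while accepting one with an empty [sub].
            if (StringUtils.isBlank(subject)) {
                throw new FailedLoginException("Unable to accept the id token with an invalid [sub] claim");
            }

            final AdminGetUserResult user = this.cognitoIdentityProvider.adminGetUser(new AdminGetUserRequest()
                .withUsername(usernamePasswordCredential.getUsername())
                .withUserPoolId(this.properties.getUserPoolId()));
            final Map<String, List<Object>> attributes = buildPrincipalAttributes(user);
            return createHandlerResult(usernamePasswordCredential, this.principalFactory.createPrincipal(user.getUsername(), attributes), new ArrayList<>());
        } catch (final InvalidPasswordException e) {
            throw new AccountPasswordMustChangeException(e.getMessage());
        } catch (final UserNotFoundException e) {
            throw new AccountNotFoundException(e.getMessage());
        } catch (final NotAuthorizedException e) {
            final String message = e.getMessage();
            // Cognito signals expired/disabled accounts only through the message text of NotAuthorizedException.
            if (StringUtils.containsIgnoreCase(message, "expired")) {
                throw new AccountExpiredException(message);
            }
            if (StringUtils.containsIgnoreCase(message, "disabled")) {
                throw new AccountDisabledException(message);
            }
            throw new FailedLoginException(e.getErrorMessage());
        } catch (final GeneralSecurityException e) {
            // Account-state exceptions raised above must reach the caller unchanged so CAS can act on them.
            throw e;
        } catch (final Exception e) {
            LOGGER.error("Unexpected failure while authenticating against Cognito: [{}]", e.getMessage(), e);
            final FailedLoginException failure = new FailedLoginException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Builds the principal attribute map from a Cognito user record.
     * The fixed {@code userStatus}/{@code userCreatedDate}/{@code userModifiedDate} entries are added first and
     * every pool attribute follows under its pool attribute name; a pool attribute with a colliding name overwrites
     * the fixed entry.
     *
     * @param user the {@code adminGetUser} result
     * @return mutable, insertion-ordered attribute map
     */
    private static Map<String, List<Object>> buildPrincipalAttributes(final AdminGetUserResult user) {
        final Map<String, List<Object>> attributes = new LinkedHashMap<>();
        attributes.put("userStatus", CollectionUtils.wrap(user.getUserStatus()));
        attributes.put("userCreatedDate", CollectionUtils.wrap(user.getUserCreateDate()));
        attributes.put("userModifiedDate", CollectionUtils.wrap(user.getUserLastModifiedDate()));
        if (user.getUserAttributes() != null) {
            user.getUserAttributes().forEach(attribute ->
                attributes.put(attribute.getName(), CollectionUtils.wrap(attribute.getValue())));
        }
        return attributes;
    }
}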
