package org.apereo.cas.authentication;

import com.nimbusds.jose.proc.SimpleSecurityContext;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.exceptions.AccountDisabledException;
import org.apereo.cas.authentication.exceptions.AccountPasswordMustChangeException;
import org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.configuration.model.support.cognito.AmazonCognitoAuthenticationProperties;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AuthFlowType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.InvalidPasswordException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.NotAuthorizedException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UserNotFoundException;

/* loaded from: input_file:org/apereo/cas/authentication/AmazonCognitoAuthenticationAuthenticationHandler.class */
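/**
 * Authenticates username/password credentials against an Amazon Cognito user pool.
 *
 * <p>Flow: {@code AdminInitiateAuth} using the {@code ADMIN_NO_SRP_AUTH} flow, validation of the
 * returned id token through the injected {@link ConfigurableJWTProcessor} (its key source and
 * claim checks are configured by whoever builds the processor, not here), then {@code AdminGetUser}
 * to assemble principal attributes. Cognito failures are translated into the
 * {@code javax.security.auth.login} exception family CAS expects; the originating exception is
 * always attached as the cause so the real reason survives into logs and audit trails.
 *
 * <p>The clear-text password is placed only in the Cognito request parameters and never appears in
 * exception messages or principal attributes. The handler holds no mutable state beyond the injected
 * collaborators.
 */
public class AmazonCognitoAuthenticationAuthenticationHandler extends AbstractUsernamePasswordAuthenticationHandler {
    /** Cognito challenge name meaning the account must set a new password before it can log in. */
    private static final String CHALLENGE_NEW_PASSWORD_REQUIRED = "NEW_PASSWORD_REQUIRED";

    private final CognitoIdentityProviderClient cognitoIdentityProvider;
    private final AmazonCognitoAuthenticationProperties properties;
    /** Raw type kept on purpose: callers construct this handler with an unparameterized processor. */
    private final ConfigurableJWTProcessor jwtProcessor;

    /**
     * Creates the handler.
     *
     * @param servicesManager                        CAS services manager passed to the base handler
     * @param principalFactory                       factory used to build the resolved principal
     * @param cognitoIdentityProviderClient          AWS SDK client for the Cognito identity provider
     * @param amazonCognitoAuthenticationProperties  handler settings (name, order, client id, user pool id, attribute mapping)
     * @param configurableJWTProcessor               processor that verifies the Cognito id token
     */
    public AmazonCognitoAuthenticationAuthenticationHandler(final ServicesManager servicesManager,
                                                            final PrincipalFactory principalFactory,
                                                            final CognitoIdentityProviderClient cognitoIdentityProviderClient,
                                                            final AmazonCognitoAuthenticationProperties amazonCognitoAuthenticationProperties,
                                                            final ConfigurableJWTProcessor configurableJWTProcessor) {
        super(amazonCognitoAuthenticationProperties.getName(), servicesManager, principalFactory,
            Integer.valueOf(amazonCognitoAuthenticationProperties.getOrder()));
        this.cognitoIdentityProvider = cognitoIdentityProviderClient;
        this.properties = amazonCognitoAuthenticationProperties;
        this.jwtProcessor = configurableJWTProcessor;
    }

    /**
     * Authenticates the credential against Cognito and builds the handler result.
     *
     * @param usernamePasswordCredential credential carrying the username and (already transformed) password
     * @param str                        original password as supplied by the base class; not used by this handler
     * @return the handler result with a principal whose id is the Cognito username
     * @throws AccountPasswordMustChangeException if Cognito demands a new password or rejects the password as invalid
     * @throws AccountExpiredException           if Cognito reports the account/password as expired
     * @throws AccountDisabledException          if Cognito reports the account as disabled
     * @throws AccountNotFoundException          if the user does not exist in the pool
     * @throws FailedLoginException              for any other authentication or token-validation failure
     */
    @Override
    protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential usernamePasswordCredential,
                                                                                        final String str) throws GeneralSecurityException {
        final String username = usernamePasswordCredential.getUsername();
        try {
            final AdminInitiateAuthResponse authResponse = initiateAuth(usernamePasswordCredential);

            // The processor is trusted to verify signature and standard claims; we additionally insist on a
            // usable subject so a token that validates but identifies nobody is not accepted.
            final String subject = this.jwtProcessor
                .process(authResponse.authenticationResult().idToken(), new SimpleSecurityContext())
                .getSubject();
            if (StringUtils.isBlank(subject)) {
                throw new FailedLoginException("Unable to accept the id token with an invalid [sub] claim");
            }

            final AdminGetUserResponse user = fetchUser(username);
            return createHandlerResult(usernamePasswordCredential,
                this.principalFactory.createPrincipal(user.username(), buildAttributes(user)),
                new ArrayList<>(0));
        } catch (final GeneralSecurityException e) {
            // Already translated by this method or its helpers; do not wrap it a second time.
            throw e;
        } catch (final InvalidPasswordException e) {
            throw withCause(new AccountPasswordMustChangeException(e.getMessage()), e);
        } catch (final NotAuthorizedException e) {
            throw translateNotAuthorized(e);
        } catch (final UserNotFoundException e) {
            throw withCause(new AccountNotFoundException(e.getMessage()), e);
        } catch (final Exception e) {
            // SDK/network errors and token-processing failures (parse, signature, claim checks) land here.
            throw withCause(new FailedLoginException(e.getMessage()), e);
        }
    }

    /**
     * Runs the {@code ADMIN_NO_SRP_AUTH} flow for the credential.
     *
     * @param credential the credential to send; the password travels only in the request's auth parameters
     * @return a response that carries an authentication result (tokens)
     * @throws AccountPasswordMustChangeException if Cognito answers with a {@code NEW_PASSWORD_REQUIRED} challenge
     * @throws FailedLoginException              if Cognito answers with any other challenge instead of tokens
     */
    private AdminInitiateAuthResponse initiateAuth(final UsernamePasswordCredential credential) throws GeneralSecurityException {
        final Map<String, String> authParameters = new HashMap<>();
        authParameters.put("USERNAME", credential.getUsername());
        authParameters.put("PASSWORD", credential.toPassword());

        final AdminInitiateAuthRequest request = AdminInitiateAuthRequest.builder()
            .authFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
            .clientId(this.properties.getClientId())
            .userPoolId(this.properties.getUserPoolId())
            .authParameters(authParameters)
            .build();
        final AdminInitiateAuthResponse response = this.cognitoIdentityProvider.adminInitiateAuth(request);

        final String challenge = response.challengeNameAsString();
        if (CHALLENGE_NEW_PASSWORD_REQUIRED.equalsIgnoreCase(challenge)) {
            throw new AccountPasswordMustChangeException("Cognito requires a new password for this account");
        }
        if (response.authenticationResult() == null) {
            // A pending challenge of another kind leaves no tokens to validate; failing here gives a clear
            // reason instead of a NullPointerException further down. (Assumes the SDK leaves the result
            // unset whenever a challenge is returned — confirm against the SDK documentation.)
            throw new FailedLoginException("Cognito returned challenge [" + challenge + "] instead of an authentication result");
        }
        return response;
    }

    /**
     * Looks up the user record in the configured pool.
     *
     * @param username the username that was just authenticated
     * @return the Cognito user record
     */
    private AdminGetUserResponse fetchUser(final String username) {
        final AdminGetUserRequest request = AdminGetUserRequest.builder()
            .userPoolId(this.properties.getUserPoolId())
            .username(username)
            .build();
        return this.cognitoIdentityProvider.adminGetUser(request);
    }

    /**
     * Builds principal attributes from the user record: status and create/modify timestamps (epoch millis)
     * first, then every Cognito user attribute, renamed through the configured attribute mapping when one
     * exists for it. Later entries overwrite earlier ones with the same name, as in a plain map put.
     *
     * @param user the Cognito user record
     * @return insertion-ordered attribute map
     */
    private Map<String, List<Object>> buildAttributes(final AdminGetUserResponse user) {
        final Map<String, List<Object>> attributes = new LinkedHashMap<>();
        attributes.put("userStatus", CollectionUtils.wrap(user.userStatusAsString()));
        attributes.put("userCreatedDate", CollectionUtils.wrap(Long.valueOf(user.userCreateDate().toEpochMilli())));
        attributes.put("userModifiedDate", CollectionUtils.wrap(Long.valueOf(user.userLastModifiedDate().toEpochMilli())));

        // An empty mapping or an unmapped name falls back to the Cognito attribute name itself.
        final Map<String, String> mapped = this.properties.getMappedAttributes();
        user.userAttributes().forEach(attribute ->
            attributes.put(mapped.getOrDefault(attribute.name(), attribute.name()), CollectionUtils.wrap(attribute.value())));
        return attributes;
    }

    /**
     * Maps a Cognito {@code NotAuthorizedException} onto the closest login exception by inspecting its
     * message (the SDK exposes the reason only as text). Null messages are treated as empty so the
     * classification never throws.
     *
     * @param e the SDK exception
     * @return the translated exception with {@code e} attached as its cause
     */
    private static GeneralSecurityException translateNotAuthorized(final NotAuthorizedException e) {
        final String message = StringUtils.defaultString(e.getMessage());
        final GeneralSecurityException translated;
        if (StringUtils.containsIgnoreCase(message, "expired")) {
            translated = new AccountExpiredException(message);
        } else if (StringUtils.containsIgnoreCase(message, "disabled")) {
            translated = new AccountDisabledException(message);
        } else {
            translated = new FailedLoginException(message);
        }
        return withCause(translated, e);
    }

    /**
     * Attaches {@code cause} to a freshly constructed exception. The login exception types used here only
     * offer message constructors, so the cause has to be set afterwards.
     *
     * @param exception newly created exception whose cause has not been initialized
     * @param cause     the underlying failure
     * @param <T>       exception type
     * @return {@code exception}, for use in a {@code throw}
     */
    private static <T extends Throwable> T withCause(final T exception, final Throwable cause) {
        exception.initCause(cause);
        return exception;
    }
}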
