package org.apereo.cas.authentication.handler.support;

import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.TokenConstants;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.HandlerResult;
import org.apereo.cas.integration.pac4j.authentication.handler.support.AbstractTokenWrapperAuthenticationHandler;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;

/* loaded from: input_file:org/apereo/cas/authentication/handler/support/TokenAuthenticationHandler.class */
/**
 * Authentication handler that validates a token credential as a JWT, using secrets
 * declared as properties on the registered service the token was issued for.
 *
 * <p>The signing secret ({@link TokenConstants#PROPERTY_NAME_TOKEN_SECRET_SIGNING}) is
 * required; the encryption secret ({@link TokenConstants#PROPERTY_NAME_TOKEN_SECRET_ENCRYPTION})
 * is optional. Both are read as plain {@code String} values from the service's property map.
 */
public class TokenAuthenticationHandler extends AbstractTokenWrapperAuthenticationHandler {

    /**
     * Copies the authenticated principal's id onto the credential, then delegates to the parent.
     *
     * @param credential the credential that was authenticated; cast to {@code TokenCredential}
     *                   without a type check, so any other type raises {@link ClassCastException}
     * @param handlerResult the result carrying the resolved principal
     * @return whatever the parent implementation returns
     */
    protected HandlerResult postAuthenticate(Credential credential, HandlerResult handlerResult) {
        final TokenCredential tokenCredential = (TokenCredential) credential;
        tokenCredential.setId(handlerResult.getPrincipal().getId());
        return super.postAuthenticate(credential, handlerResult);
    }

    /**
     * Builds the JWT authenticator for the service named in the credential.
     *
     * @param credential the token credential; cast to {@code TokenCredential} without a type check
     * @return a {@link JwtAuthenticator}, or {@code null} when the service defines no signing secret
     * @throws UnauthorizedServiceException if the service is not registered or its access is disabled
     */
    protected Authenticator<TokenCredentials> getAuthenticator(Credential credential) {
        final TokenCredential tokenCredential = (TokenCredential) credential;
        this.logger.debug("Locating token secret for service [{}]", tokenCredential.getService());

        final RegisteredService service = this.servicesManager.findServiceBy(tokenCredential.getService());
        // Both lookups run before either result is inspected; the first one also enforces
        // the "service exists and is enabled" check and throws otherwise.
        final String signingSecret = getRegisteredServiceJwtSigningSecret(service);
        final String encryptionSecret = getRegisteredServiceJwtEncryptionSecret(service);

        if (StringUtils.isBlank(signingSecret)) {
            this.logger.warn("No token signing secret is defined for service [{}]. Ensure [{}] property is defined for service", service.getServiceId(), TokenConstants.PROPERTY_NAME_TOKEN_SECRET_SIGNING);
            // NOTE(review): a null authenticator must end in a rejected authentication, never in
            // skipped validation -- confirm how the parent class treats this return value.
            return null;
        }

        if (StringUtils.isNotBlank(encryptionSecret)) {
            return new JwtAuthenticator(signingSecret, encryptionSecret);
        }

        // No separate encryption secret: per the warning below, the one key serves both purposes.
        this.logger.warn("JWT authentication is configured to share a single key for both signing/encryption");
        return new JwtAuthenticator(signingSecret);
    }

    /** Reads the optional JWT encryption secret from the service's properties. */
    private String getRegisteredServiceJwtEncryptionSecret(RegisteredService registeredService) {
        final String propertyName = TokenConstants.PROPERTY_NAME_TOKEN_SECRET_ENCRYPTION;
        return getRegisteredServiceJwtSecret(registeredService, propertyName);
    }

    /** Reads the JWT signing secret from the service's properties. */
    private String getRegisteredServiceJwtSigningSecret(RegisteredService registeredService) {
        final String propertyName = TokenConstants.PROPERTY_NAME_TOKEN_SECRET_SIGNING;
        return getRegisteredServiceJwtSecret(registeredService, propertyName);
    }

    /**
     * Looks up a secret stored as a named property on a registered service.
     *
     * @param registeredService the service to read from; may be {@code null}
     * @param str the name of the property holding the secret
     * @return the property value, or {@code null} when the property is missing or blank
     * @throws UnauthorizedServiceException if the service is {@code null} or its access strategy
     *         does not allow service access
     */
    protected String getRegisteredServiceJwtSecret(RegisteredService registeredService, String str) {
        final boolean accessible = registeredService != null
                && registeredService.getAccessStrategy().isServiceAccessAllowed();
        if (!accessible) {
            // Fail closed: no secret is handed out for an unknown or disabled service.
            this.logger.debug("Service is not defined/found or its access is disabled in the registry");
            throw new UnauthorizedServiceException("screen.service.error.message");
        }

        final boolean declared = registeredService.getProperties().containsKey(str);
        if (declared) {
            final RegisteredServiceProperty property = (RegisteredServiceProperty) registeredService.getProperties().get(str);
            final String secret = property.getValue();
            if (StringUtils.isNotBlank(secret)) {
                // Despite the wording, the placeholder receives the property NAME; the secret
                // itself is deliberately kept out of the log.
                this.logger.debug("Found the secret value {} for service [{}]", str, registeredService.getServiceId());
                return secret;
            }
        }

        this.logger.warn("Service [{}] does not define a property [{}] in the registry", registeredService.getServiceId(), str);
        return null;
    }
}
