package org.apereo.cas.services;

import com.fasterxml.jackson.annotation.JsonIgnore;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.builder.EqualsBuilder;
import org.apache.commons.lang3.builder.HashCodeBuilder;
import org.apache.commons.lang3.builder.ToStringBuilder;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.RegexUtils;
import org.pac4j.core.authorization.generator.SpringSecurityPropertiesAuthorizationGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-services-5.1.2.jar:org/apereo/cas/services/DefaultRegisteredServiceAccessStrategy.class */
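/**
 * Default access strategy for a registered service: decides whether the service
 * may be used at all, whether it may take part in SSO, and whether a principal's
 * attributes satisfy the configured required/rejected attribute rules.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When both rule maps are empty, attribute checks are skipped and access is
 *       allowed.</li>
 *   <li>Rejected-attribute rules are evaluated before required-attribute rules, but
 *       both go through {@link #common(Map, Map)} and are therefore both gated by
 *       {@code requireAllAttributes}. With the default ({@code true}) a rejection
 *       rule set only fires when the principal carries <em>every</em> rejected
 *       attribute name.</li>
 *   <li>{@code requireAllAttributes} checks that all rule <em>names</em> are present
 *       on the principal; after that a value match on any single attribute is
 *       sufficient.</li>
 *   <li>Configured values are applied through {@link Pattern#asPredicate()}, which
 *       has {@code find()} semantics. Unless the pattern built by
 *       {@code RegexUtils.concatenate} is anchored (not visible here), a configured
 *       value matches any principal value that merely contains it; anchor values
 *       with {@code ^...$} in the service definition when exact matches are
 *       intended.</li>
 *   <li>Debug logging prints the full principal attribute map; treat debug logs of
 *       this class as sensitive.</li>
 * </ul>
 */
public class DefaultRegisteredServiceAccessStrategy implements RegisteredServiceAccessStrategy {
    private static final long serialVersionUID = 1245279151345635245L;
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultRegisteredServiceAccessStrategy.class);

    // Whether the service is enabled at all (see isServiceAccessAllowed()).
    private boolean enabled;
    // Whether the service may participate in SSO (see isServiceAccessAllowedForSso()).
    private boolean ssoEnabled;
    // Only stored and returned by this class; the consumer is outside this file.
    // NOTE(review): if it drives a redirect, it should only come from trusted registry configuration.
    private URI unauthorizedRedirectUrl;
    // When true, every rule name must be present on the principal before values are compared.
    private boolean requireAllAttributes;
    // Attribute name -> accepted values/patterns; empty means "no requirement".
    private Map<String, Set<String>> requiredAttributes;
    // Attribute name -> values/patterns that deny access; empty means "no rejection rule".
    private Map<String, Set<String>> rejectedAttributes;
    // Passed to RegexUtils.concatenate when building the value pattern.
    private boolean caseInsensitive;

    /** Creates a strategy with the service enabled and SSO participation enabled. */
    public DefaultRegisteredServiceAccessStrategy() {
        this(true, true);
    }

    /**
     * Creates a strategy with no attribute rules and {@code requireAllAttributes} set to true.
     *
     * @param z  whether the service is enabled
     * @param z2 whether the service may participate in SSO
     */
    public DefaultRegisteredServiceAccessStrategy(boolean z, boolean z2) {
        this.requireAllAttributes = true;
        this.requiredAttributes = new HashMap<>();
        this.rejectedAttributes = new HashMap<>();
        this.enabled = z;
        this.ssoEnabled = z2;
    }

    /** @param z whether the service is enabled */
    public void setEnabled(boolean z) {
        this.enabled = z;
    }

    /** @param z whether the service may participate in SSO */
    public void setSsoEnabled(boolean z) {
        this.ssoEnabled = z;
    }

    /** @return whether the service is enabled */
    public boolean isEnabled() {
        return this.enabled;
    }

    /** @return whether the service may participate in SSO */
    public boolean isSsoEnabled() {
        return this.ssoEnabled;
    }

    /** @param z whether every rule name must be present on the principal before values are compared */
    public void setRequireAllAttributes(boolean z) {
        this.requireAllAttributes = z;
    }

    /** @return whether every rule name must be present on the principal before values are compared */
    public boolean isRequireAllAttributes() {
        return this.requireAllAttributes;
    }

    /**
     * @return a shallow copy of the required-attribute rules; the value sets are shared
     *         with the internal map
     */
    public Map<String, Set<String>> getRequiredAttributes() {
        return new HashMap<>(this.requiredAttributes);
    }

    /** @param uri the URL returned by {@link #getUnauthorizedRedirectUrl()} */
    public void setUnauthorizedRedirectUrl(URI uri) {
        this.unauthorizedRedirectUrl = uri;
    }

    /** @return the configured unauthorized-redirect URL, or null when none was set */
    @Override
    public URI getUnauthorizedRedirectUrl() {
        return this.unauthorizedRedirectUrl;
    }

    /** @return whether value patterns are built case-insensitively */
    public boolean isCaseInsensitive() {
        return this.caseInsensitive;
    }

    /** @param z whether value patterns are built case-insensitively */
    public void setCaseInsensitive(boolean z) {
        this.caseInsensitive = z;
    }

    /**
     * Replaces the required-attribute rules. The map is stored by reference and is not
     * null-checked; a null map makes later policy evaluation throw rather than allow access.
     *
     * @param map attribute name to accepted values/patterns
     */
    public void setRequiredAttributes(Map<String, Set<String>> map) {
        this.requiredAttributes = map;
    }

    /**
     * Replaces the rejected-attribute rules. The map is stored by reference and is not
     * null-checked; a null map makes later policy evaluation throw rather than allow access.
     *
     * @param map attribute name to rejecting values/patterns
     */
    public void setRejectedAttributes(Map<String, Set<String>> map) {
        this.rejectedAttributes = map;
    }

    /**
     * Returns the live internal map, unlike {@link #getRequiredAttributes()} which copies.
     * Left as-is on purpose: a caller that adds rejection rules through this reference
     * would silently lose them if a copy were returned, weakening the policy.
     * NOTE(review): confirm no caller mutates it before switching to a defensive copy.
     *
     * @return the internal rejected-attribute rules
     */
    public Map<String, Set<String>> getRejectedAttributes() {
        return this.rejectedAttributes;
    }

    /**
     * Evaluates the attribute rules against a principal.
     *
     * <p>Order of evaluation: no rules at all allows access; missing or insufficient
     * attributes deny; a rejected-attribute match denies; otherwise the required-attribute
     * rules decide.
     *
     * @param str forwarded to {@link #enoughAttributesAvailableToProcess(String, Map)} and not
     *            otherwise read here (presumably the principal id; confirm against the interface)
     * @param map the principal's attributes, name to value(s)
     * @return true when access is allowed by the attribute rules
     */
    @Override
    public boolean doPrincipalAttributesAllowServiceAccess(String str, Map<String, Object> map) {
        if (this.rejectedAttributes.isEmpty() && this.requiredAttributes.isEmpty()) {
            LOGGER.debug("Skipping access strategy policy, since no attributes rules are defined");
            return true;
        }
        // Rules exist but there is nothing to evaluate them against: deny explicitly
        // instead of failing with a NullPointerException further down.
        if (map == null) {
            LOGGER.debug("Access is denied. No principal attributes are available to evaluate the defined attribute rules");
            return false;
        }
        if (!enoughAttributesAvailableToProcess(str, map)) {
            LOGGER.debug("Access is denied. There are not enough attributes available to satisfy requirements");
            return false;
        }
        if (doRejectedAttributesRefusePrincipalAccess(map)) {
            LOGGER.debug("Access is denied. The principal carries attributes that would reject service access");
            return false;
        }
        if (doRequiredAttributesAllowPrincipalAccess(map)) {
            return true;
        }
        LOGGER.debug("Access is denied. The principal does not have the required attributes specified by this strategy");
        return false;
    }

    /**
     * @param principalAttributes the principal's attributes
     * @return true when there are no required rules, or when {@link #common(Map, Map)} finds a match
     */
    private boolean doRequiredAttributesAllowPrincipalAccess(Map<String, Object> principalAttributes) {
        // Logs the complete attribute map at debug level.
        LOGGER.debug("These required attributes [{}] are examined against [{}] before service can proceed.", this.requiredAttributes, principalAttributes);
        if (this.requiredAttributes.isEmpty()) {
            return true;
        }
        return common(principalAttributes, this.requiredAttributes);
    }

    /**
     * @param principalAttributes the principal's attributes
     * @return true when rejection rules exist and {@link #common(Map, Map)} finds a match;
     *         note that the match is subject to {@code requireAllAttributes}
     */
    private boolean doRejectedAttributesRefusePrincipalAccess(Map<String, Object> principalAttributes) {
        // Logs the complete attribute map at debug level.
        LOGGER.debug("These rejected attributes [{}] are examined against [{}] before service can proceed.", this.rejectedAttributes, principalAttributes);
        if (this.rejectedAttributes.isEmpty()) {
            return false;
        }
        return common(principalAttributes, this.rejectedAttributes);
    }

    /**
     * Coarse pre-check on attribute counts; every failing branch denies access.
     *
     * <p>The comparisons use the total number of principal attributes against the number
     * of rules, not the attribute names, and the required-rule count check applies even
     * when {@code requireAllAttributes} is false.
     *
     * @param str not read by this implementation
     * @param map the principal's attributes
     * @return false when the principal carries too few attributes to evaluate the rules
     */
    protected boolean enoughAttributesAvailableToProcess(String str, Map<String, Object> map) {
        if (map.isEmpty() && !this.requiredAttributes.isEmpty()) {
            LOGGER.debug("No principal attributes are found to satisfy defined attribute requirements");
            return false;
        }
        if (map.size() < this.rejectedAttributes.size()) {
            LOGGER.debug("The size of the principal attributes that are [{}] does not match defined rejected attributes, which means the principal is not carrying enough data to grant authorization", map);
            return false;
        }
        if (map.size() >= this.requiredAttributes.size()) {
            return true;
        }
        LOGGER.debug("The size of the principal attributes that are [{}] does not match defined required attributes, which indicates the principal is not carrying enough data to grant authorization", map);
        return false;
    }

    /** @return the SSO flag; logs at trace level when SSO participation is off */
    @Override
    @JsonIgnore
    public boolean isServiceAccessAllowedForSso() {
        if (!this.ssoEnabled) {
            LOGGER.trace("Service is not authorized to participate in SSO.");
        }
        return this.ssoEnabled;
    }

    /** @return the enabled flag; logs at trace level when the service is disabled */
    @Override
    @JsonIgnore
    public boolean isServiceAccessAllowed() {
        if (!this.enabled) {
            LOGGER.trace("Service is not enabled in service registry.");
        }
        return this.enabled;
    }

    /** Compares all seven configuration fields; only instances of exactly this class are equal. */
    @Override
    public boolean equals(Object obj) {
        if (obj == null) {
            return false;
        }
        if (obj == this) {
            return true;
        }
        if (obj.getClass() != getClass()) {
            return false;
        }
        DefaultRegisteredServiceAccessStrategy other = (DefaultRegisteredServiceAccessStrategy) obj;
        return new EqualsBuilder()
                .append(this.enabled, other.enabled)
                .append(this.ssoEnabled, other.ssoEnabled)
                .append(this.requireAllAttributes, other.requireAllAttributes)
                .append(this.requiredAttributes, other.requiredAttributes)
                .append(this.unauthorizedRedirectUrl, other.unauthorizedRedirectUrl)
                .append(this.caseInsensitive, other.caseInsensitive)
                .append(this.rejectedAttributes, other.rejectedAttributes)
                .isEquals();
    }

    /** Hashes the same fields, in the same order, that {@link #equals(Object)} compares. */
    @Override
    public int hashCode() {
        return new HashCodeBuilder()
                .append(this.enabled)
                .append(this.ssoEnabled)
                .append(this.requireAllAttributes)
                .append(this.requiredAttributes)
                .append(this.unauthorizedRedirectUrl)
                .append(this.caseInsensitive)
                .append(this.rejectedAttributes)
                .toHashCode();
    }

    /** Renders all configuration fields, including both rule maps. */
    @Override
    public String toString() {
        return new ToStringBuilder(this)
                // The decompiler substituted this constant for the original label,
                // presumably the literal "enabled" - confirm against the pac4j class.
                .append(SpringSecurityPropertiesAuthorizationGenerator.ENABLED, this.enabled)
                .append("ssoEnabled", this.ssoEnabled)
                .append("requireAllAttributes", this.requireAllAttributes)
                .append("requiredAttributes", this.requiredAttributes)
                .append("unauthorizedRedirectUrl", this.unauthorizedRedirectUrl)
                .append("caseInsensitive", this.caseInsensitive)
                .append("rejectedAttributes", this.rejectedAttributes)
                .toString();
    }

    /**
     * Shared matcher for required and rejected rules.
     *
     * <p>Collects the rule names the principal carries. If {@code requireAllAttributes} is
     * set and any rule name is missing, the result is false. Otherwise the result is true
     * as soon as one carried attribute has a value matching its rule.
     *
     * @param principalAttributes the principal's attributes
     * @param rules               attribute name to configured values/patterns
     * @return true when at least one attribute value matches its rule
     */
    private boolean common(Map<String, Object> principalAttributes, Map<String, Set<String>> rules) {
        Set<String> presentNames = rules.keySet().stream()
                .filter(name -> principalAttributes.containsKey(name))
                .collect(Collectors.toSet());
        if (this.requireAllAttributes && presentNames.size() < rules.size()) {
            return false;
        }
        // anyMatch: a single matching attribute decides, even when requireAllAttributes is true.
        return presentNames.stream().anyMatch(name -> {
            Set<String> configuredValues = rules.get(name);
            Set<Object> principalValues = CollectionUtils.toCollection(principalAttributes.get(name));
            Pattern pattern = RegexUtils.concatenate(configuredValues, this.caseInsensitive);
            if (pattern != RegexUtils.MATCH_NOTHING_PATTERN) {
                // asPredicate() tests with find(): a partial match inside the value is enough.
                // NOTE(review): a null element in principalValues would throw here; whether
                // CollectionUtils.toCollection can yield one is not visible in this file.
                return principalValues.stream().map(Object::toString).anyMatch(pattern.asPredicate());
            }
            // Sentinel pattern returned: fall back to comparing the raw values against the configured set.
            return principalValues.stream().anyMatch(configuredValues::contains);
        });
    }
}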
