package org.apereo.cas.support.oauth.authenticator;

import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20ClientAuthenticationMethods;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.OAuth20RequestParameterResolver;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.RegexUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.pac4j.core.context.CallContext;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.http.credentials.X509Credentials;
import org.pac4j.http.credentials.authenticator.X509Authenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/oauth/authenticator/OAuth20X509Authenticator.class */
/**
 * pac4j {@link Authenticator} that authenticates an OAuth client by the TLS client
 * certificate it presented (the {@code tls_client_auth} client authentication method).
 * <p>
 * Flow, as visible here:
 * <ol>
 *   <li>resolve the {@code client_id} from the request and load the matching registered
 *       service, failing fast if the service is not allowed;</li>
 *   <li>bail out (empty result, not an exception) when the service does not support the
 *       TLS client-auth method;</li>
 *   <li>delegate to pac4j's {@link X509Authenticator} with the service's subject-DN regex,
 *       or a default that merely extracts the CN;</li>
 *   <li>decorate the resulting profile and enforce the service's SAN constraints, rejecting
 *       the certificate with a {@link CredentialsException} if any configured one fails.</li>
 * </ol>
 * NOTE(review): client binding comes only from what the registered service configures.
 * With a blank subject-DN pattern the default regex only extracts a CN, and a blank SAN
 * constraint is treated as "accept" (see {@link #isAcceptableX509Attribute}), so a service
 * with nothing configured would accept any client certificate the TLS layer already trusts
 * as that {@code client_id}. Confirm that deployments always register at least one
 * subject-DN or SAN constraint per mTLS client.
 */
public class OAuth20X509Authenticator implements Authenticator {

    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20X509Authenticator.class);

    /**
     * Subject-DN regex used when the registered service configures none: it only captures
     * the CN and therefore does not restrict which certificate is accepted.
     */
    private static final String DEFAULT_SUBJECT_DN_PATTERN = "CN=(.*?)(?:,|$)";

    private final ServicesManager servicesManager;

    private final OAuth20RequestParameterResolver requestParameterResolver;

    /**
     * Creates the authenticator.
     *
     * @param servicesManager              registry used to look up the OAuth service by client id
     * @param oAuth20RequestParameterResolver resolver for the client id/secret carried by the request
     */
    public OAuth20X509Authenticator(ServicesManager servicesManager, OAuth20RequestParameterResolver oAuth20RequestParameterResolver) {
        this.servicesManager = servicesManager;
        this.requestParameterResolver = oAuth20RequestParameterResolver;
    }

    /**
     * Validates the presented client certificate against the registered OAuth service.
     *
     * @param callContext the pac4j call context (request/session)
     * @param credentials the credentials to validate; cast to {@link X509Credentials} once
     *                    the delegate authenticator has accepted them
     * @return the validated credentials with a decorated profile, or empty when the service
     *         does not support TLS client authentication or the delegate rejected the certificate
     * @throws CredentialsException if the certificate fails one of the service's SAN constraints
     */
    @Override
    public Optional<Credentials> validate(CallContext callContext, Credentials credentials) {
        String clientId = (String) this.requestParameterResolver.resolveClientIdAndClientSecret(callContext).getKey();
        // NOTE(review): presumably null for an unknown client_id; the access-strategy check
        // below is expected to reject that case rather than let a null service through — confirm.
        OAuthRegisteredService registeredService = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, clientId);
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);

        if (!isAuthenticationMethodSupported(callContext, registeredService)) {
            // Empty rather than an exception: this authenticator simply does not apply to the service.
            LOGGER.warn("TLS authentication method is not supported for service [{}]", registeredService.getName());
            return Optional.empty();
        }

        // The service's subject-DN value is compiled as a regex by the delegate; operators
        // should anchor it so it cannot match as a substring of an unrelated DN.
        String subjectDnPattern = StringUtils.defaultIfBlank(registeredService.getTlsClientAuthSubjectDn(), DEFAULT_SUBJECT_DN_PATTERN);
        X509Authenticator delegate = new X509Authenticator(subjectDnPattern);
        Optional<Credentials> outcome = delegate.validate(callContext, credentials);
        if (!outcome.isPresent()) {
            return outcome;
        }

        UserProfile profile = outcome.get().getUserProfile();
        X509Credentials x509Credentials = (X509Credentials) credentials;
        decorateProfile(profile, x509Credentials);

        if (!satisfiesSubjectAltNameConstraints(profile, registeredService)) {
            throw new CredentialsException("Unable to accept certificate");
        }
        return outcome;
    }

    /**
     * Adds the certificate-derived attributes to the profile.
     * <p>
     * NOTE(review): {@code x509_digest} is SHA-256 over the certificate's encoded public key,
     * base64 (not base64url) encoded. That is not the RFC 8705 {@code x5t#S256} thumbprint,
     * which hashes the DER certificate — consumers wanting certificate-bound tokens should
     * not treat this attribute as that confirmation value without checking.
     */
    private static void decorateProfile(UserProfile profile, X509Credentials x509Credentials) {
        byte[] publicKeyBytes = x509Credentials.getCertificate().getPublicKey().getEncoded();
        byte[] digest = DigestUtils.digest("SHA-256", publicKeyBytes);
        profile.addAttribute("x509_digest", EncodingUtils.encodeBase64(digest));
        profile.addAttribute("authenticationMethod", "X.509");
    }

    /**
     * Checks every SAN constraint the service configures (email, DNS, IP, URI).
     *
     * @return {@code true} when all constraints pass; an unconfigured constraint counts as passing
     */
    private boolean satisfiesSubjectAltNameConstraints(UserProfile profile, OAuthRegisteredService registeredService) {
        // NOTE(review): the map key is passed as the first String argument and the configured
        // value as the second; see the parameter note on isAcceptableX509Attribute.
        return CollectionUtils.wrap(
                "x509-sanEmail", registeredService.getTlsClientAuthSanEmail(),
                "x509-sanDNS", registeredService.getTlsClientAuthSanDns(),
                "x509-sanIP", registeredService.getTlsClientAuthSanIp(),
                "x509-sanURI", registeredService.getTlsClientAuthSanUri())
            .entrySet()
            .stream()
            .allMatch(entry -> isAcceptableX509Attribute(profile, (String) entry.getKey(), (String) entry.getValue()));
    }

    /**
     * Whether the registered service allows the TLS client-auth method for this request.
     *
     * @param callContext            the pac4j call context
     * @param oAuthRegisteredService the service resolved from the request's client id
     * @return {@code true} if {@code tls_client_auth} is a supported method for the service
     */
    protected boolean isAuthenticationMethodSupported(CallContext callContext, OAuthRegisteredService oAuthRegisteredService) {
        return OAuth20Utils.isTokenAuthenticationMethodSupportedFor(callContext, oAuthRegisteredService, OAuth20ClientAuthenticationMethods.TLS_CLIENT_AUTH);
    }

    /**
     * Applies one constraint: the named profile attribute must have at least one value that
     * matches the regex. A blank regex means the constraint is not configured and passes.
     * <p>
     * NOTE(review): in this (decompiled) listing the first String is used as the regex and the
     * second as the profile attribute name, while the caller passes the map key
     * ({@code "x509-sanDNS"} etc.) first and the configured pattern second. If that reflects the
     * bytecode rather than a decompiler artefact, the configured value would be looked up as an
     * attribute name and the key used as the regex — verify against the upstream source before
     * relying on SAN enforcement.
     * <p>
     * {@code RegexUtils.find} is presumably a substring search, so patterns should be anchored.
     *
     * @param userProfile   profile carrying the certificate-derived attributes
     * @param pattern       regex to apply; blank disables the check
     * @param attributeName profile attribute whose values are tested
     * @return {@code true} if the check is disabled or some value matches
     */
    protected boolean isAcceptableX509Attribute(UserProfile userProfile, String pattern, String attributeName) {
        Boolean accepted = (Boolean) FunctionUtils.doIfNotBlank(pattern,
            () -> {
                Set values = CollectionUtils.toCollection(userProfile.getAttribute(attributeName));
                if (values.isEmpty()) {
                    // No value at all for the attribute means the constraint cannot be satisfied.
                    return Boolean.FALSE;
                }
                boolean matched = values.stream().anyMatch(value -> RegexUtils.find(pattern, value.toString()));
                return Boolean.valueOf(matched);
            },
            () -> Boolean.TRUE);
        return accepted.booleanValue();
    }
}
