package org.apereo.cas.uma.web.authn;

import java.util.LinkedHashMap;
import java.util.Optional;
import lombok.Generated;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.token.JwtBuilder;
import org.pac4j.core.context.CallContext;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/uma/web/authn/BaseUmaTokenAuthenticator.class */
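/**
 * Base pac4j {@link Authenticator} for UMA endpoints that are protected by an OAuth access token.
 *
 * <p>The presented token is decoded, looked up in the {@link TicketRegistry}, and accepted only
 * if the resulting access token carries the scope returned by {@link #getRequiredScope()}.
 * On success a {@link CommonProfile} built from the token's authentication is attached to the
 * credentials.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The access token identifier is a bearer secret, so it is kept out of exception
 *       messages and log statements in this class.</li>
 *   <li>NOTE(review): expiry and revocation are not checked here; this class assumes the
 *       {@link TicketRegistry} lookup rejects expired tickets. Confirm against the registry
 *       implementation in use.</li>
 * </ul>
 */
public abstract class BaseUmaTokenAuthenticator implements Authenticator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(BaseUmaTokenAuthenticator.class);
    private final TicketRegistry ticketRegistry;
    private final JwtBuilder accessTokenJwtBuilder;

    /**
     * Validates the presented token credentials and attaches a user profile to them.
     *
     * @param callContext the pac4j call context (not read by this implementation)
     * @param credentials the credentials to validate; must be {@link TokenCredentials}
     * @return the same credentials, with a {@link CommonProfile} set as their user profile
     * @throws CredentialsException if the credentials are not token credentials, carry no token,
     *     do not resolve to an access token, or the access token lacks the required scope
     */
    public Optional<Credentials> validate(CallContext callContext, Credentials credentials) {
        // Fail closed with the exception type pac4j callers expect instead of a ClassCastException.
        if (!(credentials instanceof TokenCredentials)) {
            throw new CredentialsException("Unsupported credentials type. Token credentials are required");
        }
        TokenCredentials tokenCredentials = (TokenCredentials) credentials;
        String rawToken = tokenCredentials.getToken();
        if (rawToken == null || rawToken.trim().isEmpty()) {
            throw new CredentialsException("No access token was provided");
        }

        String accessTokenId = extractAccessTokenFrom(rawToken.trim());
        OAuth20AccessToken ticket = this.ticketRegistry.getTicket(accessTokenId, OAuth20AccessToken.class);
        // Guard against a registry that reports an unknown token by returning null; without this
        // the scope check below would fail with a NullPointerException rather than a rejection.
        if (ticket == null) {
            throw new CredentialsException("Access token could not be located. Unable to authenticate access token");
        }

        String requiredScope = getRequiredScope();
        if (!ticket.getScopes().contains(requiredScope)) {
            // The token identifier is deliberately left out: a token that merely lacks this scope
            // is still a usable bearer credential and must not end up in logs or error responses.
            throw new CredentialsException(
                String.format("Missing scope [%s]. Unable to authenticate access token", requiredScope));
        }

        CommonProfile commonProfile = new CommonProfile();
        Authentication authentication = ticket.getAuthentication();
        Principal principal = authentication.getPrincipal();
        commonProfile.setId(principal.getId());

        // Authentication attributes first, then principal attributes, so principal values win on
        // key collisions.
        LinkedHashMap<String, Object> attributes = new LinkedHashMap<>(authentication.getAttributes());
        attributes.putAll(principal.getAttributes());
        commonProfile.addAttributes(attributes);

        // Token scopes are exposed as profile roles.
        commonProfile.addRoles(ticket.getScopes());
        commonProfile.addAttribute(OAuth20AccessToken.class.getName(), ticket);
        commonProfile.addAttribute("client_id", ticket.getClientId());

        // Log identifiers only: the profile carries the access token object as an attribute, so
        // logging the whole profile would write the token into debug logs.
        LOGGER.debug("Authenticated access token for principal [{}] and client [{}]",
            commonProfile.getId(), ticket.getClientId());
        tokenCredentials.setUserProfile(commonProfile);
        return Optional.of(tokenCredentials);
    }

    /**
     * Decodes the presented token through {@link OAuth20JwtAccessTokenEncoder}, configured with
     * this authenticator's {@link JwtBuilder}.
     *
     * @param str the trimmed token value taken from the credentials
     * @return the decoded value, used as the ticket identifier for the registry lookup
     */
    protected String extractAccessTokenFrom(String str) {
        // NOTE(review): presumably a JWT access token is mapped to its ticket identifier and an
        // opaque token is passed through unchanged; confirm against the encoder.
        return (String) OAuth20JwtAccessTokenEncoder.builder().accessTokenJwtBuilder(this.accessTokenJwtBuilder).build().decode(str);
    }

    /**
     * Returns the scope an access token must carry to be accepted by this authenticator.
     *
     * @return the required scope
     */
    protected abstract String getRequiredScope();

    /**
     * Creates the authenticator.
     *
     * <p>The decompiler reports that the access modifier of this constructor was changed from
     * {@code protected}; it is left as decompiled here.
     *
     * @param ticketRegistry the registry used to resolve access tokens
     * @param jwtBuilder the JWT builder handed to the access token encoder when decoding
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Generated
    public BaseUmaTokenAuthenticator(TicketRegistry ticketRegistry, JwtBuilder jwtBuilder) {
        this.ticketRegistry = ticketRegistry;
        this.accessTokenJwtBuilder = jwtBuilder;
    }
}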
