package org.apereo.cas.authentication;

import javax.security.auth.login.CredentialNotFoundException;
import javax.security.auth.login.FailedLoginException;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.authentication.surrogate.SurrogateAuthenticationService;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Aspect that wraps {@code AuthenticationHandler.authenticate(..)} to support surrogate
 * (impersonation) logins.
 *
 * <p>Security-relevant behaviour, as implemented below:
 * <ul>
 *   <li>Only credentials whose runtime class is exactly
 *       {@link SurrogateUsernamePasswordCredential} are intercepted. Every other credential,
 *       including any subclass of that type, goes straight to the wrapped handler.</li>
 *   <li>The wrapped handler always authenticates first. The surrogate username is honoured only
 *       if that call returns and {@code canAuthenticateAs} then approves the pairing.</li>
 *   <li>{@code SurrogateAuthenticationService.canAuthenticateAs} is the only authorization gate
 *       for impersonation in this class.</li>
 *   <li>On success the returned result carries the surrogate principal only. The principal that
 *       actually authenticated is not part of the returned object.</li>
 * </ul>
 */
@Aspect
/* loaded from: input_file:org/apereo/cas/authentication/SurrogateAuthenticationAspect.class */
public class SurrogateAuthenticationAspect {
    private static final Logger LOGGER = LoggerFactory.getLogger(SurrogateAuthenticationAspect.class);
    private final PrincipalFactory principalFactory;
    private final SurrogateAuthenticationService surrogateAuthenticationService;

    /**
     * Creates the aspect.
     *
     * @param principalFactory factory used to build the principal for the surrogate username
     * @param surrogateAuthenticationService service consulted to decide whether the authenticated
     *        principal may act as the requested surrogate
     */
    public SurrogateAuthenticationAspect(PrincipalFactory principalFactory, SurrogateAuthenticationService surrogateAuthenticationService) {
        this.principalFactory = principalFactory;
        this.surrogateAuthenticationService = surrogateAuthenticationService;
    }

    /**
     * Intercepts handler authentication and, for surrogate credentials, swaps the authenticated
     * principal for the surrogate one once the surrogate service has approved the pairing.
     *
     * @param proceedingJoinPoint join point for the intercepted {@code authenticate} call
     * @param credential the credential passed to the handler
     * @return the wrapped handler's own result for non-surrogate credentials; otherwise a new
     *         {@link DefaultHandlerResult} whose principal is built from the surrogate username
     * @throws CredentialNotFoundException if a surrogate credential has a blank surrogate username;
     *         thrown before the wrapped handler is invoked
     * @throws FailedLoginException if the authenticated principal is not allowed to authenticate
     *         as the surrogate
     * @throws Throwable anything raised by the wrapped handler
     */
    @Around("execution(public org.apereo.cas.authentication.HandlerResult org.apereo.cas.authentication.AuthenticationHandler.authenticate(..)) && args(credential)")
    public Object handleSurrogate(ProceedingJoinPoint proceedingJoinPoint, Credential credential) throws Throwable {
        // Exact-class comparison: subclasses of the surrogate credential are NOT intercepted and
        // are authenticated as the primary user by the wrapped handler.
        final boolean surrogateRequested = SurrogateUsernamePasswordCredential.class.equals(credential.getClass());
        if (!surrogateRequested) {
            return proceedingJoinPoint.proceed();
        }

        final SurrogateUsernamePasswordCredential surrogateCredential = (SurrogateUsernamePasswordCredential) credential;
        final String requestedSurrogate = surrogateCredential.getSurrogateUsername();
        if (StringUtils.isBlank(requestedSurrogate)) {
            // Reject before touching the handler so a malformed surrogate request never
            // triggers a primary authentication attempt.
            LOGGER.error("No surrogate username was specified as part of the credential");
            throw new CredentialNotFoundException("Missing surrogate username in credential");
        }

        // Primary authentication must complete first; any exception from the handler propagates
        // and no surrogate decision is made.
        final HandlerResult primaryResult = (HandlerResult) proceedingJoinPoint.proceed();
        LOGGER.debug("Authenticated [{}] will be checked for surrogate eligibility next...", primaryResult.getPrincipal());

        // Single authorization gate for impersonation.
        final boolean permitted = this.surrogateAuthenticationService.canAuthenticateAs(requestedSurrogate, primaryResult.getPrincipal());
        if (!permitted) {
            // NOTE(review): the surrogate username is presumably user-supplied and is written to
            // the log as-is; confirm the log layout neutralises line breaks.
            LOGGER.error("Principal [{}] is unable/unauthorized to authenticate as [{}]", primaryResult.getPrincipal(), requestedSurrogate);
            throw new FailedLoginException();
        }

        // The result handed back carries only the surrogate principal; the primary principal is
        // not included here.
        // NOTE(review): confirm the impersonation is attributed to the primary user elsewhere
        // (e.g. in audit records).
        final AuthenticationHandler targetHandler = AuthenticationHandler.class.cast(proceedingJoinPoint.getTarget());
        final BasicCredentialMetaData credentialMetaData = new BasicCredentialMetaData(credential);
        return new DefaultHandlerResult(targetHandler, credentialMetaData, this.principalFactory.createPrincipal(requestedSurrogate));
    }
}
