package com.supwisdom.institute.cas.site.web.flow.actions;

import com.supwisdom.institute.cas.site.account.Account;
import com.supwisdom.institute.cas.site.account.service.AccountService;
import com.supwisdom.institute.cas.site.common.util.RSAUtils;
import com.supwisdom.institute.cas.site.config.Config;
import com.supwisdom.institute.cas.site.config.ConfigManager;
import com.supwisdom.institute.cas.site.federated.authentication.FederatedClientFactory;
import com.supwisdom.institute.cas.site.federated.authentication.FederatedUserinfo;
import com.supwisdom.institute.cas.site.federated.authentication.principal.FederatedClientCredential;
import com.supwisdom.institute.cas.site.federation.Federation;
import com.supwisdom.institute.cas.site.federation.FederationManager;
import com.supwisdom.institute.cas.site.federation.FederationRepository;
import com.supwisdom.institute.cas.site.federation.authentication.principal.FederationCredential;
import com.supwisdom.institute.cas.site.state.State;
import com.supwisdom.institute.cas.site.state.StateStore;
import com.supwisdom.institute.cas.site.web.FederatedClientNavigationController;
import com.supwisdom.institute.cas.site.web.FederatedClientWebflowManager;
import com.supwisdom.institute.cas.site.web.flow.model.AccountModel;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.AuthenticationServiceSelectionPlan;
import org.apereo.cas.authentication.adaptive.AdaptiveAuthenticationPolicy;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.ticket.AbstractTicketException;
import org.apereo.cas.ticket.Ticket;
import org.apereo.cas.web.flow.actions.AbstractAuthenticationAction;
import org.apereo.cas.web.flow.resolver.CasDelegatingWebflowEventResolver;
import org.apereo.cas.web.flow.resolver.CasWebflowEventResolver;
import org.apereo.cas.web.support.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.HttpStatus;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:com/supwisdom/institute/cas/site/web/flow/actions/FederatedAuthenticationAction.class */
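/**
 * Webflow action that completes a federated (QQ / WeChat / WeCom / Alipay) login.
 * <p>
 * On every execution it first publishes the redirect URLs of the enabled providers to flow
 * scope ({@code federatedUrls}) so the login page can render them. When the request also
 * carries a federated client name and a {@code federatedCode}, the code is used as the key
 * under which the provider callback stored a {@link State} in redis; the provider identity
 * found there is matched against the local {@link Federation} bindings and the action then
 * either continues CAS authentication with the bound account, asks the user to choose one
 * of several bound accounts, or routes to the account-binding flow when nothing is bound.
 * <p>
 * Security note: the {@code federatedCode} is effectively a bearer handle for an already
 * authenticated provider identity. It is therefore never written to the log at INFO level
 * and is not included in exception messages.
 */
public class FederatedAuthenticationAction extends AbstractAuthenticationAction {
    private static final Logger log = LoggerFactory.getLogger(FederatedAuthenticationAction.class);
    public static final String CAS_SERVER_FEDER_QQ_ENABLED = "casServer.federation.qq.enabled";
    public static final String CAS_SERVER_FEDER_OPEN_WEIXIN_ENABLED = "casServer.federation.openweixin.enabled";
    public static final String CAS_SERVER_FEDER_WORK_WEIXIN_ENABLED = "casServer.federation.workweixin.enabled";
    public static final String CAS_SERVER_FEDER_ALIPAY_ENABLED = "casServer.federation.alipay.enabled";

    /** Request parameter holding the redis key written by the provider callback. */
    private static final String PARAM_FEDERATED_CODE = "federatedCode";
    /** Request parameter copied verbatim onto each provider redirect URL. */
    private static final String PARAM_METHOD = "method";
    /** Keys looked up in {@link FederatedUserinfo#getExternalInfo()}. */
    private static final String EXT_WX_TYPE = "wxType";
    private static final String EXT_OPENID = "openid";
    /** Flow-scope attributes consumed by the login / bind / select-account views. */
    private static final String FLOW_FEDERATION = "federation";
    private static final String FLOW_ORIGINAL_USERNAME = "originalUsername";
    private static final String FLOW_MULTI_ACCOUNTS = "casServerMultiAccounts";
    private static final String FLOW_FEDERATED_URLS = "federatedUrls";
    /** Webflow event that routes to the account-binding sub-flow. */
    private static final String EVENT_BIND_ACCOUNT = "federatedBindAccount";
    /** Prefix marking a value as RSA-encrypted for the client side. */
    private static final String RSA_PREFIX = "__RSA__";
    /** Masks used by {@link #encodeUsername(String)}; compiled once instead of per call. */
    private static final Pattern LONG_USERNAME_MASK = Pattern.compile("(.{2}).*(.{2})");
    private static final Pattern SHORT_USERNAME_MASK = Pattern.compile("(.{1}).*(.{1})");

    @Autowired
    private ConfigManager configManager;

    @Autowired
    private AccountService accountService;

    @Autowired
    @Qualifier("remoteFederationManager")
    private FederationManager federationManager;

    @Autowired
    @Qualifier("remoteFederationRepository")
    private FederationRepository federationRepository;

    @Autowired
    private StateStore redisStateStore;
    protected final Map<String, FederatedClientFactory.FederatedClient> clients;
    protected final ServicesManager servicesManager;
    protected final FederatedClientWebflowManager federatedClientWebflowManager;
    protected final String localeParamName;
    protected final String themeParamName;
    private final AuthenticationServiceSelectionPlan authenticationRequestServiceSelectionStrategies;
    private final CentralAuthenticationService centralAuthenticationService;

    /**
     * Immutable description of one provider button on the login page: display name,
     * the local redirect URL that starts the provider round-trip, the provider type,
     * an optional CSS class and whether the page should redirect automatically.
     */
    public static class ProviderLoginPageConfiguration implements Serializable {
        private static final long serialVersionUID = 5766047517661302326L;
        private final String name;
        private final String redirectUrl;
        private final String type;
        private final String cssClass;
        private final boolean autoRedirect;

        public ProviderLoginPageConfiguration(String name, String redirectUrl, String type, String cssClass, boolean autoRedirect) {
            this.name = name;
            this.redirectUrl = redirectUrl;
            this.type = type;
            this.cssClass = cssClass;
            this.autoRedirect = autoRedirect;
        }

        public String getName() {
            return this.name;
        }

        public String getRedirectUrl() {
            return this.redirectUrl;
        }

        public String getType() {
            return this.type;
        }

        public String getCssClass() {
            return this.cssClass;
        }

        public boolean isAutoRedirect() {
            return this.autoRedirect;
        }

        @Override
        public String toString() {
            return "FederatedAuthenticationAction.ProviderLoginPageConfiguration(name=" + getName() + ", redirectUrl=" + getRedirectUrl() + ", type=" + getType() + ", cssClass=" + getCssClass() + ", autoRedirect=" + isAutoRedirect() + ")";
        }
    }

    /**
     * @param casDelegatingWebflowEventResolver passed through to the CAS base action
     * @param casWebflowEventResolver           passed through to the CAS base action
     * @param adaptiveAuthenticationPolicy      passed through to the CAS base action
     * @param clients                           federated clients keyed by their federated name
     * @param servicesManager                   used to resolve the registered service of the request
     * @param federatedClientWebflowManager     restores the original authentication request after the provider round-trip
     * @param localeParamName                   name of the locale request parameter to propagate onto redirect URLs
     * @param themeParamName                    name of the theme request parameter to propagate onto redirect URLs
     * @param authenticationServiceSelectionPlan resolves the effective service for the request
     * @param centralAuthenticationService      used to look up ticket-granting tickets
     */
    public FederatedAuthenticationAction(CasDelegatingWebflowEventResolver casDelegatingWebflowEventResolver, CasWebflowEventResolver casWebflowEventResolver, AdaptiveAuthenticationPolicy adaptiveAuthenticationPolicy, Map<String, FederatedClientFactory.FederatedClient> clients, ServicesManager servicesManager, FederatedClientWebflowManager federatedClientWebflowManager, String localeParamName, String themeParamName, AuthenticationServiceSelectionPlan authenticationServiceSelectionPlan, CentralAuthenticationService centralAuthenticationService) {
        super(casDelegatingWebflowEventResolver, casWebflowEventResolver, adaptiveAuthenticationPolicy);
        this.clients = clients;
        this.servicesManager = servicesManager;
        this.federatedClientWebflowManager = federatedClientWebflowManager;
        this.localeParamName = localeParamName;
        this.themeParamName = themeParamName;
        this.authenticationRequestServiceSelectionStrategies = authenticationServiceSelectionPlan;
        this.centralAuthenticationService = centralAuthenticationService;
    }

    /**
     * Entry point of the action.
     * <p>
     * Always publishes the provider buttons first. Without both the federated name and the
     * {@code federatedCode} parameters the action ends with {@code error}, which is the normal
     * outcome for a plain visit of the login page. Otherwise the state stored under the code
     * is resolved and one of these events is returned: the base class's authentication result
     * (one bound account or a default account), {@code federatedBindAccount} (no binding or no
     * accounts), {@code CasServerMultiAccountAction.EVENT_ID_SELECT_ACCOUNT} (several accounts,
     * none default), or {@code error} on any failure.
     *
     * @param requestContext the current webflow request context
     * @return the webflow event described above
     */
    protected Event doExecute(RequestContext requestContext) {
        HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);
        prepareForLoginPage(requestContext);

        String federatedName = request.getParameter(FederatedClientCredential.AUTHENTICATION_ATTRIBUTE_FEDERATED_NAME);
        String stateKey = request.getParameter(PARAM_FEDERATED_CODE);
        log.debug("Federated authentication is handled by federated name [{}]", federatedName);
        if (StringUtils.isBlank(federatedName) || StringUtils.isBlank(stateKey)) {
            return error();
        }
        FederatedClientFactory.FederatedClient client = this.clients.get(federatedName);
        if (client == null) {
            log.warn("No federated client is registered under name [{}]", federatedName);
            return error();
        }
        try {
            Service service = WebUtils.getService(requestContext);
            if (service == null) {
                service = restoreAuthenticationRequestInContext(requestContext, request, response, federatedName);
            }
            WebUtils.putService(requestContext, service);
            WebUtils.putRegisteredService(requestContext, this.servicesManager.findServiceBy(
                    this.authenticationRequestServiceSelectionStrategies.resolveService(service)));

            FederatedUserinfo userinfo = loadFederatedUserinfo(stateKey, client);
            String federatedType = userinfo.getFederatedType();
            String federatedId = userinfo.getFederatedId();
            Map<String, Object> externalInfo = userinfo.getExternalInfo();
            String wxType = externalValue(externalInfo, EXT_WX_TYPE);
            String openid = externalValue(externalInfo, EXT_OPENID);

            Federation federation = findFederation(federatedType, federatedId, openid);

            // The credential is published before the binding check so the bind sub-flow can read it.
            FederatedClientCredential credential = new FederatedClientCredential(userinfo, federatedName);
            WebUtils.putCredential(requestContext, credential);
            if (federation == null) {
                return bindAccountEvent(requestContext);
            }

            String userNo = federation.getUserNo();
            List<Account> accounts = StringUtils.isNotBlank(userNo)
                    ? this.accountService.loadAccountsByUserNo(userNo)
                    : this.accountService.loadAccountsByUserId(federation.getUserId());
            if (accounts == null || accounts.isEmpty()) {
                return bindAccountEvent(requestContext);
            }
            if (StringUtils.isBlank(userNo)) {
                // Binding was keyed by userId only; adopt the userNo of the first account.
                userNo = accounts.get(0).getUserNo();
            }
            // Re-issued on every successful login with the provider's current name/logo.
            federatedBind(userNo, federatedType, federatedId, userinfo.getName(), userinfo.getLogo(), wxType, openid);

            if (accounts.size() == 1) {
                requestContext.getFlowScope().put(FLOW_ORIGINAL_USERNAME, "");
                return authenticateAs(requestContext, credential, accounts.get(0));
            }
            return selectAmongAccounts(requestContext, credential, accounts);
        } catch (IllegalArgumentException e) {
            // Missing / expired state or empty userinfo: expected for stale callbacks, no stack trace needed.
            log.warn("Federated authentication with client [{}] rejected: {}", federatedName, e.getMessage());
            return error();
        } catch (Exception e) {
            log.error("Federated authentication with client [{}] failed", federatedName, e);
            return error();
        }
    }

    /**
     * Loads the provider identity the callback stored in redis under {@code stateKey}.
     * <p>
     * NOTE(review): {@code StateStore.loadState} only reads the entry and nothing here
     * invalidates it, so the same {@code federatedCode} can be presented again until the
     * store expires it. Confirm whether {@link StateStore} offers a one-shot/delete operation
     * and consume the state here if it does.
     *
     * @throws IllegalArgumentException when no state or no userinfo is stored under the key
     */
    private FederatedUserinfo loadFederatedUserinfo(String stateKey, FederatedClientFactory.FederatedClient client) {
        State state = this.redisStateStore.loadState(stateKey);
        if (state == null) {
            // The key is deliberately not echoed into the message (it ends up in the log).
            throw new IllegalArgumentException("Unable to determine state from the redis for the supplied stateKey");
        }
        FederatedUserinfo userinfo = state.getFederatedUserInfo();
        log.debug("Retrieved federated userinfo from client as [{}]", userinfo);
        if (userinfo == null) {
            throw new IllegalArgumentException("Unable to determine federated userinfo from the context with client " + client.getName());
        }
        return userinfo;
    }

    /**
     * Returns {@code String.valueOf} of the value stored under {@code key}, or {@code null}
     * when the map is absent or has no such key. A present key with a {@code null} value
     * yields the string {@code "null"}, as before.
     */
    private static String externalValue(Map<String, Object> externalInfo, String key) {
        if (externalInfo == null || !externalInfo.containsKey(key)) {
            return null;
        }
        return String.valueOf(externalInfo.get(key));
    }

    /**
     * Looks up the local binding by (type, federatedId); if none exists and the provider
     * supplied an {@code openid}, retries with (type, openid).
     */
    private Federation findFederation(String federatedType, String federatedId, String openid) {
        Federation federation = this.federationRepository.loadByFederatedTypeId(federatedType, federatedId);
        if (federation == null && StringUtils.isNotBlank(openid)) {
            federation = this.federationRepository.loadByFederatedTypeId(federatedType, openid);
        }
        return federation;
    }

    /** Publishes an empty {@link FederationCredential} and routes to the bind-account sub-flow. */
    private Event bindAccountEvent(RequestContext requestContext) {
        requestContext.getFlowScope().put(FLOW_FEDERATION, new FederationCredential());
        return getEventFactorySupport().event(this, EVENT_BIND_ACCOUNT);
    }

    /** Attaches {@code account} to the credential and lets the base action authenticate it. */
    private Event authenticateAs(RequestContext requestContext, FederatedClientCredential credential, Account account) {
        credential.setAccount(account);
        WebUtils.putCredential(requestContext, credential);
        return super.doExecute(requestContext);
    }

    /**
     * Handles a binding with several accounts: a flagged default account is used directly
     * (the last one flagged wins, as before); otherwise the accounts are published to flow
     * scope as sorted {@link AccountModel}s and the select-account event is returned.
     */
    private Event selectAmongAccounts(RequestContext requestContext, FederatedClientCredential credential, List<Account> accounts) {
        Account defaultAccount = null;
        for (Account account : accounts) {
            if (account.isDefaultAccount()) {
                defaultAccount = account;
            }
        }
        if (defaultAccount != null) {
            return authenticateAs(requestContext, credential, defaultAccount);
        }
        List<AccountModel> models = new ArrayList<>(accounts.size());
        for (Account account : accounts) {
            models.add(toAccountModel(account));
        }
        Collections.sort(models);
        requestContext.getFlowScope().put(FLOW_MULTI_ACCOUNTS, models);
        return getEventFactorySupport().event(this, CasServerMultiAccountAction.EVENT_ID_SELECT_ACCOUNT);
    }

    /**
     * Builds the view model for one selectable account.
     * <p>
     * NOTE(review): {@code usernameOrigin} carries the plaintext username next to the masked
     * and RSA-encrypted forms. Confirm the selection template renders only the masked value,
     * otherwise the masking is moot.
     */
    private AccountModel toAccountModel(Account account) {
        AccountModel model = new AccountModel();
        model.setId(account.getId());
        model.setUsernameOrigin(account.getUsername());
        model.setUsername(encodeUsername(account.getUsername()));
        model.setUsernameEncrypt(rsaEncrypt(account.getUsername()));
        model.setIdentity(account.getIdentity());
        model.setOrganization(account.getOrganization());
        model.setIdentityTypeCode(account.getIdentityTypeCode());
        model.setIdentityTypeName(account.getIdentityTypeName());
        return model;
    }

    /**
     * Best-effort (re)binding of the provider identity to {@code userNo}; failures are logged
     * and otherwise ignored so that a binding problem does not block the login.
     */
    private void federatedBind(String userNo, String federatedType, String federatedId, String federatedInfo, String federatedLogo, String wxType, String openid) {
        try {
            Federation federation = new Federation();
            federation.setUserNo(userNo);
            federation.setFederatedType(federatedType);
            federation.setFederatedId(federatedId);
            federation.setFederatedInfo(federatedInfo);
            federation.setFederatedLogo(federatedLogo);
            this.federationManager.bind(federation, wxType, openid);
        } catch (Exception e) {
            log.warn("Binding federation [{}/{}] to userNo [{}] failed", federatedType, federatedId, userNo, e);
        }
    }

    /** Encrypts {@code value} with the site's RSA public key and prefixes it with {@code __RSA__}. */
    private String rsaEncrypt(String value) {
        return RSA_PREFIX + RSAUtils.publicEncrypt(value, RSAUtils.instance().getPublicKey());
    }

    /**
     * Masks a username for display: usernames longer than five characters keep their first
     * and last two characters, shorter ones their first and last character, with {@code ****}
     * in between. Returns {@code null} for a blank input. Because the short pattern needs at
     * least two characters, a one-character username is returned unchanged, and {@code .}
     * does not span line terminators — both as in the original regex.
     */
    private String encodeUsername(String username) {
        if (StringUtils.isBlank(username)) {
            return null;
        }
        Pattern mask = username.length() > 5 ? LONG_USERNAME_MASK : SHORT_USERNAME_MASK;
        return mask.matcher(username).replaceAll("$1****$2");
    }

    /**
     * Logs the failure and rethrows it as an {@link IllegalArgumentException} naming the client,
     * keeping the original exception as the cause. Not referenced within this class.
     */
    protected Event handleException(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FederatedClientFactory.FederatedClient federatedClient, Exception exc) {
        log.warn(exc.getMessage(), exc);
        throw new IllegalArgumentException("Federated authentication has failed with client " + federatedClient.getName(), exc);
    }

    /** Event that stops the webflow. Not referenced within this class. */
    protected Event stopWebflow() {
        return new Event(this, "stop");
    }

    /**
     * Restores the service of the original authentication request after the provider
     * round-trip, via the webflow manager of the named client.
     *
     * @throws UnauthorizedServiceException when the request cannot be restored
     */
    protected Service restoreAuthenticationRequestInContext(RequestContext requestContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String federatedName) {
        try {
            return this.federatedClientWebflowManager.retrieve(requestContext, httpServletRequest, httpServletResponse, this.clients.get(federatedName));
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            throw new UnauthorizedServiceException("screen.service.error.message", "Service unauthorized");
        }
    }

    /**
     * Whether the flow context references a ticket-granting ticket that still exists and has
     * not expired. Not referenced within this class.
     */
    private boolean singleSignOnSessionExists(RequestContext requestContext) {
        String tgtId = WebUtils.getTicketGrantingTicketId(requestContext);
        if (StringUtils.isBlank(tgtId)) {
            log.trace("No ticket-granting ticket could be located in the webflow context");
            return false;
        }
        try {
            Ticket ticket = this.centralAuthenticationService.getTicket(tgtId, Ticket.class);
            if (ticket != null && !ticket.isExpired()) {
                log.trace("Located a valid ticket-granting ticket, honoring existing single sign-on session");
                return true;
            }
        } catch (AbstractTicketException e) {
            log.trace("Could not retrieve ticket id [{}] from registry.", e.getMessage());
        }
        log.trace("Ticket-granting ticket found in the webflow context is invalid or has expired");
        return false;
    }

    /**
     * Publishes a {@link ProviderLoginPageConfiguration} for every enabled client to flow
     * scope under {@code federatedUrls}. A client whose URL cannot be built is logged and
     * skipped. When no provider is enabled a warning is logged unless the response is
     * already a 401.
     */
    protected void prepareForLoginPage(RequestContext requestContext) {
        WebApplicationService service = WebUtils.getService(requestContext);
        // Result intentionally unused, kept for any side effect of the selection plan (as before).
        this.authenticationRequestServiceSelectionStrategies.resolveService(service, WebApplicationService.class);
        HttpServletRequest request = WebUtils.getHttpServletRequestFromExternalWebflowContext(requestContext);
        HttpServletResponse response = WebUtils.getHttpServletResponseFromExternalWebflowContext(requestContext);

        LinkedHashSet<ProviderLoginPageConfiguration> providers = new LinkedHashSet<>();
        for (FederatedClientFactory.FederatedClient client : this.clients.values()) {
            if (!isLoginFederationEnabled(client.getType())) {
                continue;
            }
            try {
                String redirectUrl = buildProviderRedirectUrl(service, request, client);
                providers.add(new ProviderLoginPageConfiguration(client.getName(), redirectUrl, client.getType(), "", false));
            } catch (Exception e) {
                log.error("Cannot process client [{}]", client, e);
            }
        }
        if (!providers.isEmpty()) {
            requestContext.getFlowScope().put(FLOW_FEDERATED_URLS, providers);
        } else if (response.getStatus() != HttpStatus.UNAUTHORIZED.value()) {
            log.warn("No federated authentication providers could be determined based on the provided configuration. Either no clients are configured, or the current access strategy rules prohibit CAS from using authentication providers for this request.");
        }
    }

    /**
     * Builds the local redirect URL that starts the round-trip for {@code client}: the fixed
     * {@code FederatedClientNavigationController.ENDPOINT_REDIRECT} plus the original service
     * (under the service's own source parameter name), the {@code method}, locale and theme
     * request parameters when present, and the client type as the federated name.
     * <p>
     * The reflected request values are attached as encoded query values on a fixed local
     * endpoint; the template rendering {@code federatedUrls} is still responsible for
     * HTML-encoding the result.
     */
    private String buildProviderRedirectUrl(WebApplicationService service, HttpServletRequest request, FederatedClientFactory.FederatedClient client) {
        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(FederatedClientNavigationController.ENDPOINT_REDIRECT);
        if (service != null) {
            String source = service.getSource();
            String originalUrl = service.getOriginalUrl();
            if (StringUtils.isNotBlank(source) && StringUtils.isNotBlank(originalUrl)) {
                builder.queryParam(source, originalUrl);
            }
        }
        appendParamIfPresent(builder, request, PARAM_METHOD);
        appendParamIfPresent(builder, request, this.localeParamName);
        appendParamIfPresent(builder, request, this.themeParamName);
        builder.queryParam(FederatedClientCredential.AUTHENTICATION_ATTRIBUTE_FEDERATED_NAME, client.getType());
        return builder.toUriString();
    }

    /** Copies request parameter {@code name} onto the builder when it is non-blank. */
    private static void appendParamIfPresent(UriComponentsBuilder builder, HttpServletRequest request, String name) {
        String value = request.getParameter(name);
        if (StringUtils.isNotBlank(value)) {
            builder.queryParam(name, value);
        }
    }

    /**
     * Whether login via provider {@code type} is enabled: {@code login.federation.<type>.enabled}
     * wins, falling back to {@code casServer.federation.<type>.enabled}. When neither key is
     * configured the provider is treated as enabled — a default-allow worth revisiting.
     */
    private boolean isLoginFederationEnabled(String type) {
        boolean serverDefault = isConfigEnabled("casServer.federation." + type + ".enabled", true);
        return isConfigEnabled("login.federation." + type + ".enabled", serverDefault);
    }

    /**
     * Reads config {@code key} as a boolean; returns {@code defaultValue} when the key is not
     * configured. Only the (case-insensitive) string {@code "true"} counts as enabled.
     */
    private boolean isConfigEnabled(String key, boolean defaultValue) {
        Config config = this.configManager.getConfigs().get(key);
        if (config == null) {
            return defaultValue;
        }
        return Boolean.parseBoolean(config.getConfigValue());
    }
}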
