package org.apereo.cas.authentication;

import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.CasProtocolConstants;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAttributeReleasePolicy;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.validation.Assertion;
import org.apereo.cas.validation.AuthenticationAttributeReleasePolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-authentication-attributes-6.0.2.jar:org/apereo/cas/authentication/DefaultAuthenticationAttributeReleasePolicy.class */
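/**
 * Default {@link AuthenticationAttributeReleasePolicy}: builds the map of authentication-level
 * and protocol attributes that is handed to a service in the validation response.
 *
 * <p>Release is decided in layers:
 * <ol>
 *   <li>the service's {@link RegisteredServiceAttributeReleasePolicy} must authorize the release
 *       of authentication attributes at all; a service without a policy gets nothing;</li>
 *   <li>the authentication attributes are copied, deny-listed names are removed and, when an
 *       allow-list is configured, only allow-listed names are kept;</li>
 *   <li>protocol attributes (authentication date, new-login flag, remember-me flag, the
 *       authentication context attribute) are added unless deny-listed;</li>
 *   <li>the credential and the proxy-granting ticket are added only when the service policy
 *       explicitly authorizes each of them, and are removed from the result otherwise.</li>
 * </ol>
 *
 * <p>This class logs attribute names only, never attribute values.
 */
public class DefaultAuthenticationAttributeReleasePolicy implements AuthenticationAttributeReleasePolicy {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultAuthenticationAttributeReleasePolicy.class);

    /** Name under which the credential is looked up and, if authorized, released. */
    private static final String ATTRIBUTE_CREDENTIAL = "credential";

    /** Name under which the proxy-granting ticket is looked up and, if authorized, released. */
    private static final String ATTRIBUTE_PROXY_GRANTING_TICKET = "proxyGrantingTicket";

    /** Name of the flag reporting whether the authentication was a remember-me one. */
    private static final String ATTRIBUTE_REMEMBER_ME = "longTermAuthenticationRequestTokenUsed";

    /** Allow-list applied to the copied authentication attributes; {@code null} or empty disables it. */
    private final Collection<String> onlyReleaseAttributes;

    /** Deny-list; dereferenced without a null check, so it must not be {@code null}. */
    private final Collection<String> neverReleaseAttributes;

    /** Name of the authentication context attribute read from the model; blank disables it. */
    private final String authenticationContextAttribute;

    /**
     * Creates a policy with an empty allow-list and an empty deny-list.
     *
     * @param str name of the authentication context attribute; may be blank
     */
    public DefaultAuthenticationAttributeReleasePolicy(String str) {
        this(new ArrayList<>(), new ArrayList<>(), str);
    }

    /**
     * Creates a policy. The collections are stored by reference, not copied.
     *
     * @param collection  allow-list of attribute names; {@code null} or empty means "no allow-list"
     * @param collection2 deny-list of attribute names; must not be {@code null}
     * @param str         name of the authentication context attribute; may be blank
     */
    @Generated
    public DefaultAuthenticationAttributeReleasePolicy(Collection<String> collection, Collection<String> collection2, String str) {
        this.onlyReleaseAttributes = collection;
        this.neverReleaseAttributes = collection2;
        this.authenticationContextAttribute = str;
    }

    /**
     * Computes the attributes to release for one validation response.
     *
     * @param authentication    source of the authentication attributes and authentication date
     * @param assertion         validation assertion; when {@code null} the new-login and
     *                          remember-me flags are not added
     * @param map               output model; read for the authentication context attribute and
     *                          the proxy-granting ticket
     * @param registeredService service the response is built for; its attribute release policy
     *                          gates everything
     * @return a new mutable map of attribute name to value; empty when the service has no
     *         attribute release policy or the policy does not authorize authentication attributes
     */
    @Override
    public Map<String, Object> getAuthenticationAttributesForRelease(Authentication authentication, Assertion assertion, Map<String, Object> map, RegisteredService registeredService) {
        RegisteredServiceAttributeReleasePolicy servicePolicy = registeredService.getAttributeReleasePolicy();
        // Fail closed: the credential and proxy-granting-ticket helpers already treat a missing
        // policy as "not authorized", so a missing policy must not end in an exception here.
        if (servicePolicy == null) {
            LOGGER.debug("No attribute release policy is defined for service [{}]; no authentication attributes are released", registeredService);
            return new LinkedHashMap<>(0);
        }
        if (!servicePolicy.isAuthorizedToReleaseAuthenticationAttributes()) {
            LOGGER.debug("Attribute release policy for service [{}] is configured to never release any attributes", registeredService);
            return new LinkedHashMap<>(0);
        }

        // Work on a copy so the filtering below never mutates the authentication itself.
        Map<String, Object> released = new LinkedHashMap<>(authentication.getAttributes());
        released.keySet().removeAll(this.neverReleaseAttributes);
        if (this.onlyReleaseAttributes != null && !this.onlyReleaseAttributes.isEmpty()) {
            released.keySet().retainAll(this.onlyReleaseAttributes);
        }

        if (isAttributeAllowedForRelease(CasProtocolConstants.VALIDATION_CAS_MODEL_ATTRIBUTE_NAME_AUTHENTICATION_DATE)) {
            released.put(CasProtocolConstants.VALIDATION_CAS_MODEL_ATTRIBUTE_NAME_AUTHENTICATION_DATE,
                CollectionUtils.wrap(authentication.getAuthenticationDate()));
        }
        if (assertion != null) {
            if (isAttributeAllowedForRelease(CasProtocolConstants.VALIDATION_CAS_MODEL_ATTRIBUTE_NAME_FROM_NEW_LOGIN)) {
                released.put(CasProtocolConstants.VALIDATION_CAS_MODEL_ATTRIBUTE_NAME_FROM_NEW_LOGIN,
                    CollectionUtils.wrap(assertion.isFromNewLogin()));
            }
            if (isAttributeAllowedForRelease(ATTRIBUTE_REMEMBER_ME)) {
                released.put(ATTRIBUTE_REMEMBER_ME,
                    CollectionUtils.wrap(CoreAuthenticationUtils.isRememberMeAuthentication(authentication, assertion)));
            }
        }

        if (StringUtils.isNotBlank(this.authenticationContextAttribute) && map.containsKey(this.authenticationContextAttribute)) {
            // containsKey() is also true for a key mapped to null; skip that case instead of
            // failing on toString().
            Object contextValue = map.get(this.authenticationContextAttribute);
            String contextText = contextValue == null ? null : contextValue.toString();
            if (StringUtils.isNotBlank(contextText) && isAttributeAllowedForRelease(this.authenticationContextAttribute)) {
                released.put(this.authenticationContextAttribute, CollectionUtils.wrap(contextText));
            }
        }

        decideIfCredentialPasswordShouldBeReleasedAsAttribute(released, authentication, registeredService);
        decideIfProxyGrantingTicketShouldBeReleasedAsAttribute(released, map, registeredService);
        // Names only: the values may include the credential or a proxy-granting ticket.
        LOGGER.debug("Processed protocol/authentication attributes from the output model to be [{}]", released.keySet());
        return released;
    }

    /**
     * Tells whether an attribute added by this class may be released.
     *
     * <p>NOTE(review): only the deny-list is consulted. The allow-list
     * ({@code onlyReleaseAttributes}) filters the copied authentication attributes but not the
     * attributes added afterwards through this check, so those can appear in the result even
     * when they are not allow-listed. Confirm that this is intended.
     *
     * @param str attribute name
     * @return {@code true} unless the name is on the deny-list
     */
    protected boolean isAttributeAllowedForRelease(String str) {
        return !this.neverReleaseAttributes.contains(str);
    }

    /**
     * Releases the {@code credential} attribute only when the service policy authorizes the
     * release of the credential password and the name is not deny-listed; otherwise removes it
     * from the result. The value is passed on exactly as found in the authentication attributes;
     * any protection of it is not applied in this class.
     *
     * @param map               attributes being assembled for release; modified in place
     * @param authentication    source of the {@code credential} attribute
     * @param registeredService service whose policy is consulted
     */
    protected void decideIfCredentialPasswordShouldBeReleasedAsAttribute(Map<String, Object> map, Authentication authentication, RegisteredService registeredService) {
        RegisteredServiceAttributeReleasePolicy servicePolicy = registeredService.getAttributeReleasePolicy();
        String credential = CollectionUtils.firstElement(authentication.getAttributes().get(ATTRIBUTE_CREDENTIAL))
            .map(Object::toString)
            .orElse(null);
        boolean authorized = servicePolicy != null
            && servicePolicy.isAuthorizedToReleaseCredentialPassword()
            && isAttributeAllowedForRelease(ATTRIBUTE_CREDENTIAL);
        decideAttributeReleaseBasedOnServiceAttributePolicy(map, credential, ATTRIBUTE_CREDENTIAL, registeredService, authorized);
    }

    /**
     * Releases the {@code proxyGrantingTicket} attribute only when the service policy authorizes
     * it and the name is not deny-listed; otherwise removes it from the result.
     *
     * @param map               attributes being assembled for release; modified in place
     * @param map2              output model the ticket value is read from
     * @param registeredService service whose policy is consulted
     */
    protected void decideIfProxyGrantingTicketShouldBeReleasedAsAttribute(Map<String, Object> map, Map<String, Object> map2, RegisteredService registeredService) {
        RegisteredServiceAttributeReleasePolicy servicePolicy = registeredService.getAttributeReleasePolicy();
        String proxyGrantingTicket = (String) map2.get(ATTRIBUTE_PROXY_GRANTING_TICKET);
        boolean authorized = servicePolicy != null
            && servicePolicy.isAuthorizedToReleaseProxyGrantingTicket()
            && isAttributeAllowedForRelease(ATTRIBUTE_PROXY_GRANTING_TICKET);
        decideAttributeReleaseBasedOnServiceAttributePolicy(map, proxyGrantingTicket, ATTRIBUTE_PROXY_GRANTING_TICKET, registeredService, authorized);
    }

    /**
     * Adds or removes one sensitive attribute according to an already computed decision.
     *
     * <p>NOTE(review): when {@code str} is blank the method returns before the removal, so an
     * entry named {@code str2} that was already copied from the authentication attributes stays
     * in {@code map}. Verify that callers cannot reach that state with a value that must not be
     * released.
     *
     * @param map               attributes being assembled for release; modified in place
     * @param str               attribute value; blank means "not available"
     * @param str2              attribute name
     * @param registeredService service the decision was made for; used for logging only
     * @param z                 {@code true} to release the value, {@code false} to strip the name
     */
    protected void decideAttributeReleaseBasedOnServiceAttributePolicy(Map<String, Object> map, String str, String str2, RegisteredService registeredService, boolean z) {
        if (StringUtils.isBlank(str)) {
            LOGGER.trace("[{}] is not available and will not be released to the validation response.", str2);
            return;
        }
        LOGGER.debug("Obtained [{}] as an authentication attribute", str2);
        if (z) {
            LOGGER.debug("Obtained [{}] is passed to the CAS validation payload", str2);
            map.put(str2, CollectionUtils.wrap(str));
        } else {
            LOGGER.debug("Attribute release policy for [{}] does not authorize the release of [{}]", registeredService.getServiceId(), str2);
            // Strip the name explicitly: it may already be present from the copied
            // authentication attributes.
            map.remove(str2);
        }
    }
}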
