package net.unicon.cas.addons.serviceregistry.services.authorization;

import java.util.Map;
import net.unicon.cas.addons.authentication.AuthenticationSupport;
import net.unicon.cas.addons.authentication.internal.DefaultAuthenticationSupport;
import net.unicon.cas.addons.serviceregistry.RegisteredServiceWithAttributes;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.WebApplicationService;
import org.jasig.cas.services.RegisteredService;
import org.jasig.cas.services.ServicesManager;
import org.jasig.cas.services.UnauthorizedServiceException;
import org.jasig.cas.ticket.registry.TicketRegistry;
import org.jasig.cas.web.support.WebUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.webflow.action.AbstractAction;
import org.springframework.webflow.execution.Event;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:WEB-INF/lib/cas-addons-1.11.1.jar:net/unicon/cas/addons/serviceregistry/services/authorization/ServiceAuthorizationAction.class */
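/**
 * Web Flow action that decides whether the principal behind the current
 * ticket-granting ticket may use the requested service.
 *
 * <p>The decision is delegated to a {@link RegisteredServiceAuthorizer}, which receives the
 * service's {@code authzAttributes} extra attribute and the principal's attributes.
 *
 * <p>Authorization is opt-in per service. A registered service that is not a
 * {@link RegisteredServiceWithAttributes}, or that carries no {@code authzAttributes} entry,
 * is let through for every authenticated principal. Operators who expect a service to be
 * restricted must therefore verify that the attribute is actually present in the registry.
 */
public class ServiceAuthorizationAction extends AbstractAction {
    private static final Logger logger = LoggerFactory.getLogger(ServiceAuthorizationAction.class);

    /** Extra-attribute key holding the authorization requirements of a service. */
    private static final String AUTHZ_ATTRS_KEY = "authzAttributes";

    /** Request-scope key under which the failure redirect URL is published. */
    private static final String AUTHZ_FAIL_REDIRECT_URL_KEY = "authorizationFailureRedirectUrl";

    /** Extra-attribute key holding the URL to send unauthorized principals to. */
    private static final String ATTR_URL_KEY = "unauthorizedRedirectUrl";

    private final ServicesManager servicesManager;
    private final RegisteredServiceAuthorizer authorizer;
    private final AuthenticationSupport authenticationSupport;

    /**
     * @param servicesManager             registry used to look up the requested service
     * @param ticketRegistry              wrapped in a {@link DefaultAuthenticationSupport} to resolve
     *                                    the principal from the ticket-granting ticket id
     * @param registeredServiceAuthorizer strategy that compares service requirements with
     *                                    principal attributes
     */
    public ServiceAuthorizationAction(ServicesManager servicesManager, TicketRegistry ticketRegistry, RegisteredServiceAuthorizer registeredServiceAuthorizer) {
        this.servicesManager = servicesManager;
        this.authorizer = registeredServiceAuthorizer;
        this.authenticationSupport = new DefaultAuthenticationSupport(ticketRegistry);
    }

    /**
     * Runs the authorization check for the service in the given request context.
     *
     * @param requestContext current flow request; supplies the ticket-granting ticket id and
     *                       the requested service
     * @return the {@code error()} event when no principal can be resolved for the
     *         ticket-granting ticket; {@code null} when the principal is authorized or the
     *         service is not configured for role-based authorization (presumably the flow
     *         then follows its default transition; confirm against the flow definition)
     * @throws UnauthorizedServiceException           when no service is present, or the service is
     *                                                not registered or not enabled
     * @throws RoleBasedServiceAuthorizationException when the authorizer rejects the principal;
     *                                                the service's {@code unauthorizedRedirectUrl}
     *                                                attribute (possibly {@code null}) is put in
     *                                                request scope first
     */
    @Override
    protected Event doExecute(RequestContext requestContext) throws Exception {
        final Principal principal = this.authenticationSupport.getAuthenticatedPrincipalFrom(
                WebUtils.getTicketGrantingTicketId(requestContext));
        if (principal == null) {
            logger.warn("The SSO session is no longer valid. Restarting the login process...");
            return error();
        }
        final Map<String, Object> principalAttributes = principal.getAttributes();
        final String principalId = principal.getId();

        final WebApplicationService service = WebUtils.getService(requestContext);
        if (service == null) {
            // Deny explicitly rather than letting service.getId() fail with a
            // NullPointerException: an authorization gate should reject with the same
            // signal it uses for unregistered services, not depend on an accidental crash.
            logger.warn("Unauthorized Service Access - no service is present in the request context.");
            throw new UnauthorizedServiceException();
        }
        // NOTE(review): the service id presumably originates from the request, and it is
        // written to the log below; confirm the log layout encodes line breaks.
        final String serviceId = service.getId();

        final RegisteredService registeredService = this.servicesManager.findServiceBy(service);
        if (registeredService == null) {
            logger.warn("Unauthorized Service Access for Service: [ {} ] - service is not defined in the service registry.", serviceId);
            throw new UnauthorizedServiceException();
        }
        if (!registeredService.isEnabled()) {
            logger.warn("Unauthorized Service Access for Service: [ {} ] - service is not enabled in the service registry.", serviceId);
            throw new UnauthorizedServiceException();
        }

        // From here on the check is opt-in: both branches below allow the request.
        if (!(registeredService instanceof RegisteredServiceWithAttributes)) {
            logger.info("Service [{}] is not configured for role-based authorization", registeredService);
            return null;
        }
        final RegisteredServiceWithAttributes attributedService = (RegisteredServiceWithAttributes) registeredService;
        final Object requiredAttributes = attributedService.getExtraAttributes().get(AUTHZ_ATTRS_KEY);
        if (requiredAttributes == null) {
            logger.info("Service [{}] is not configured for role-based authorization", attributedService.getServiceId());
            return null;
        }

        // This line writes every principal attribute to the log. Enable DEBUG for this
        // logger only where logs are protected accordingly.
        if (logger.isDebugEnabled()) {
            logger.debug(String.format("SERVICE [%s] ATTRIBUTES: %s | PRINCIPAL [%s] ATTRIBUTES: %s", attributedService.getServiceId(), requiredAttributes, principalId, principalAttributes));
        }

        if (this.authorizer.authorized(requiredAttributes, principalAttributes)) {
            logger.info("Principal [{}] is authorized to use service [{}]", principalId, serviceId);
            return null;
        }

        logger.info("Principal [{}] is not authorized to use service [{}]", principalId, serviceId);
        // The redirect target is read from the service's registry entry, not from the
        // request. It is null when the attribute is not configured, so whatever consumes
        // this request-scope value has to cope with a missing URL.
        requestContext.getRequestScope().put(AUTHZ_FAIL_REDIRECT_URL_KEY, attributedService.getExtraAttributes().get(ATTR_URL_KEY));
        throw new RoleBasedServiceAuthorizationException();
    }
}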
