package org.apereo.cas.authentication.adaptive;

import java.util.regex.Pattern;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.adaptive.geo.GeoLocationRequest;
import org.apereo.cas.authentication.adaptive.geo.GeoLocationResponse;
import org.apereo.cas.authentication.adaptive.geo.GeoLocationService;
import org.apereo.cas.configuration.model.core.authentication.AdaptiveAuthenticationProperties;
import org.apereo.inspektr.common.web.ClientInfo;
import org.apereo.inspektr.common.web.ClientInfoHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-authentication-api-5.3.0.jar:org/apereo/cas/authentication/adaptive/DefaultAdaptiveAuthenticationPolicy.class */
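/**
 * Adaptive authentication policy that denies a request when the client IP address,
 * the user agent, or the resolved geolocation matches a configured reject pattern.
 *
 * <p>All three rules are deny-lists: a request that matches none of them is allowed.
 * The reject values are read from {@link AdaptiveAuthenticationProperties} on every
 * call and compiled as regular expressions, then applied with
 * {@link java.util.regex.Matcher#find()}, so a pattern matches anywhere inside the
 * inspected value unless it is anchored with {@code ^} and {@code $}. An unescaped
 * {@code .} in an IP pattern matches any character, so such a rule may reject more
 * addresses than intended.
 *
 * <p>NOTE(review): this policy fails open in several places, which matters if it is
 * relied on as an access control rather than as a best-effort filter:
 * <ul>
 *   <li>no {@link ClientInfo} bound to the current request, or a blank user agent,
 *       skips every rule, including the IP and country rules;</li>
 *   <li>a geolocation lookup that returns {@code null} is logged and allowed.</li>
 * </ul>
 * The user agent is supplied by the client, so confirm that blank values are handled
 * by the caller if the IP or country rules must always be evaluated.
 *
 * <p>NOTE(review): an invalid regular expression in the configuration would surface as
 * a {@link java.util.regex.PatternSyntaxException} at request time, since nothing here
 * validates or pre-compiles the patterns. Validate them where configuration is loaded.
 */
public class DefaultAdaptiveAuthenticationPolicy implements AdaptiveAuthenticationPolicy {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultAdaptiveAuthenticationPolicy.class);
    private final GeoLocationService geoLocationService;
    private final AdaptiveAuthenticationProperties adaptiveAuthenticationProperties;

    /**
     * Decides whether the current authentication request may proceed.
     *
     * <p>Rules are evaluated in this order: client IP, user agent, then country
     * (only when a geolocation service, a request and a reject-countries value are
     * all present). The first matching rule rejects the request.
     *
     * @param str the user agent of the client, as passed in by the caller
     * @param geoLocationRequest the geolocation request handed to the
     *     {@link GeoLocationService}; may be {@code null}, in which case the country
     *     rule is skipped
     * @return {@code true} if the request is allowed (or the policy was skipped),
     *     {@code false} if any reject rule matched
     */
    @Override // org.apereo.cas.authentication.adaptive.AdaptiveAuthenticationPolicy
    public boolean apply(String str, GeoLocationRequest geoLocationRequest) {
        final String userAgent = str;
        final ClientInfo clientInfo = ClientInfoHolder.getClientInfo();

        // Fail-open: without client info or a user agent no rule is evaluated at all.
        if (clientInfo == null || StringUtils.isBlank(userAgent)) {
            LOGGER.warn("No client IP or user-agent was provided. Skipping adaptive authentication policy...");
            return true;
        }

        final String clientIpAddress = clientInfo.getClientIpAddress();
        LOGGER.debug("Located client IP address as [{}]", clientIpAddress);
        if (isClientIpAddressRejected(clientIpAddress)) {
            LOGGER.warn("Client IP [{}] is rejected for authentication", clientIpAddress);
            return false;
        }

        // NOTE(review): the user agent is client-controlled and is logged verbatim below;
        // confirm the logging layout neutralises CR/LF and other control characters.
        if (isUserAgentRejected(userAgent)) {
            LOGGER.warn("User agent [{}] is rejected for authentication", userAgent);
            return false;
        }
        LOGGER.debug("User agent [{}] is authorized to proceed", userAgent);

        final boolean countryRuleApplies = this.geoLocationService != null
                && geoLocationRequest != null
                && StringUtils.isNotBlank(clientIpAddress)
                && StringUtils.isNotBlank(this.adaptiveAuthenticationProperties.getRejectCountries());
        if (countryRuleApplies) {
            final GeoLocationResponse location = this.geoLocationService.locate(clientIpAddress, geoLocationRequest);
            if (location == null) {
                // Fail-open: an unresolved location is not treated as a rejection.
                LOGGER.info("Could not determine geolocation for [{}]", clientIpAddress);
            } else {
                LOGGER.debug("Determined geolocation to be [{}]", location);
                if (isGeoLocationCountryRejected(location)) {
                    LOGGER.warn("Client [{}] is rejected for authentication", clientIpAddress);
                    return false;
                }
            }
        }

        LOGGER.debug("Adaptive authentication policy has authorized client [{}] to proceed.", clientIpAddress);
        return true;
    }

    /**
     * Checks the client IP address against the configured reject-IP pattern.
     *
     * <p>{@code apply} treats the address as possibly blank further down, so a
     * {@code null} address is tolerated here as well instead of raising a
     * {@link NullPointerException} from the matcher.
     *
     * @param str the client IP address; may be {@code null}
     * @return {@code true} if a reject pattern is configured and matches
     */
    private boolean isClientIpAddressRejected(String str) {
        final String rejectIpAddresses = this.adaptiveAuthenticationProperties.getRejectIpAddresses();
        return StringUtils.isNotBlank(rejectIpAddresses) && findsIn(rejectIpAddresses, str);
    }

    /**
     * Checks the resolved geolocation against the configured reject-countries pattern.
     *
     * <p>The pattern is applied to {@code geoLocationResponse.build()}; presumably a
     * textual rendering of the whole location, so the pattern may match parts other
     * than the country (verify against {@link GeoLocationResponse}).
     *
     * @param geoLocationResponse the non-null lookup result
     * @return {@code true} if a reject pattern is configured and matches
     */
    private boolean isGeoLocationCountryRejected(GeoLocationResponse geoLocationResponse) {
        final String rejectCountries = this.adaptiveAuthenticationProperties.getRejectCountries();
        return StringUtils.isNotBlank(rejectCountries) && findsIn(rejectCountries, geoLocationResponse.build());
    }

    /**
     * Checks the user agent against the configured reject-browsers pattern.
     *
     * @param str the user agent; may be {@code null}
     * @return {@code true} if a reject pattern is configured and matches
     */
    private boolean isUserAgentRejected(String str) {
        final String rejectBrowsers = this.adaptiveAuthenticationProperties.getRejectBrowsers();
        return StringUtils.isNotBlank(rejectBrowsers) && findsIn(rejectBrowsers, str);
    }

    /**
     * Compiles {@code regex} and reports whether it matches anywhere in {@code value}.
     *
     * <p>A {@code null} value is matched as the empty string, which gives it the same
     * outcome an empty value already had and avoids a {@link NullPointerException}.
     */
    private static boolean findsIn(String regex, String value) {
        final String candidate = value == null ? "" : value;
        return Pattern.compile(regex).matcher(candidate).find();
    }

    /**
     * Creates the policy.
     *
     * @param geoLocationService service used for the country rule; when {@code null}
     *     the country rule is never evaluated
     * @param adaptiveAuthenticationProperties source of the reject patterns; it is
     *     dereferenced on every call, so it must not be {@code null}
     */
    @Generated
    public DefaultAdaptiveAuthenticationPolicy(GeoLocationService geoLocationService, AdaptiveAuthenticationProperties adaptiveAuthenticationProperties) {
        this.geoLocationService = geoLocationService;
        this.adaptiveAuthenticationProperties = adaptiveAuthenticationProperties;
    }
}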
