package net.shibboleth.idp.saml.saml2.profile.config.navigate;

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.authn.principal.ProxyAuthenticationPrincipal;
import net.shibboleth.idp.profile.config.ProfileConfiguration;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.profile.context.navigate.AbstractRelyingPartyLookupFunction;
import net.shibboleth.idp.saml.saml2.profile.config.SAML2ProfileConfiguration;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;

/* loaded from: input_file:WEB-INF/lib/idp-saml-api-4.3.1.jar:net/shibboleth/idp/saml/saml2/profile/config/navigate/ProxyRestrictionLookupFunction.class */
/**
 * Lookup function that derives the proxy restriction (proxy count and permitted audiences) for the
 * current request.
 *
 * <p>Two sources are combined: the values exposed by the relying party's
 * {@link SAML2ProfileConfiguration}, and the values carried by every
 * {@link ProxyAuthenticationPrincipal} found on the subjects of the {@link SubjectContext}. The
 * combination only ever narrows the result: audience sets are intersected, and the count becomes
 * the minimum of the configured value and each principal's count reduced by one.</p>
 *
 * <p>In the returned pair, a {@code null} count and an empty audience set mean that neither source
 * supplied a value. NOTE(review): callers presumably read that as "no restriction"; confirm at the
 * call site.</p>
 */
public class ProxyRestrictionLookupFunction extends AbstractRelyingPartyLookupFunction<Pair<Integer, Set<String>>> {

    /** Strategy used to locate the {@link SubjectContext}; defaults to a child-context lookup. */
    @Nonnull
    private Function<ProfileRequestContext, SubjectContext> subjectContextLookupStrategy =
            new ChildContextLookup<>(SubjectContext.class);

    /**
     * Sets the strategy used to locate the {@link SubjectContext}.
     *
     * @param function lookup strategy; a {@code null} value is rejected by the constraint check
     */
    public void setSubjectContextLookupStrategy(@Nonnull Function<ProfileRequestContext, SubjectContext> function) {
        this.subjectContextLookupStrategy =
                Constraint.isNotNull(function, "SubjectContext lookup strategy cannot be null");
    }

    /**
     * Computes the effective proxy restriction for the request.
     *
     * @param profileRequestContext current profile request context
     * @return pair of (proxy count, audiences); the count may be {@code null} and the audience set
     *         is an unmodifiable copy, possibly empty
     */
    @Override
    @Nullable
    public Pair<Integer, Set<String>> apply(@Nullable ProfileRequestContext profileRequestContext) {
        Integer effectiveCount = null;
        final Set<String> effectiveAudiences = new HashSet<>();

        // Seed the result from the relying party's SAML 2 profile configuration, when there is one.
        final RelyingPartyContext rpContext = getRelyingPartyContextLookupStrategy().apply(profileRequestContext);
        if (rpContext != null) {
            final ProfileConfiguration profileConfig = rpContext.getProfileConfig();
            if (profileConfig instanceof SAML2ProfileConfiguration) {
                final SAML2ProfileConfiguration saml2Config = (SAML2ProfileConfiguration) profileConfig;
                effectiveCount = saml2Config.getProxyCount(profileRequestContext);
                final Set<String> configuredAudiences = saml2Config.getProxyAudiences(profileRequestContext);
                if (configuredAudiences != null) {
                    effectiveAudiences.addAll(configuredAudiences);
                }
            }
        }

        // Gather every proxy principal attached to any subject in the SubjectContext.
        final SubjectContext subjectContext = this.subjectContextLookupStrategy.apply(profileRequestContext);
        final Set<ProxyAuthenticationPrincipal> proxyPrincipals;
        if (subjectContext == null) {
            proxyPrincipals = Collections.emptySet();
        } else {
            proxyPrincipals = subjectContext.getSubjects().stream()
                    .map(subject -> subject.getPrincipals(ProxyAuthenticationPrincipal.class))
                    .flatMap(Set::stream)
                    .collect(Collectors.toUnmodifiableSet());
        }

        // With no proxy principals the loop body never runs and the configured values pass through.
        for (final ProxyAuthenticationPrincipal principal : proxyPrincipals) {
            final Set<String> principalAudiences = principal.getAudiences();
            // A principal without audiences leaves the audience set untouched.
            if (principalAudiences != null && !principalAudiences.isEmpty()) {
                if (effectiveAudiences.isEmpty()) {
                    // Nothing collected so far: this principal's audiences become the baseline.
                    effectiveAudiences.addAll(principalAudiences);
                } else {
                    effectiveAudiences.retainAll(principalAudiences);
                    if (effectiveAudiences.isEmpty()) {
                        // Disjoint restrictions. An empty set elsewhere in this method stands for
                        // "nothing collected", so the conflict is reported as a zero count rather
                        // than being allowed to look like an absent audience restriction.
                        return new Pair<>(0, Collections.emptySet());
                    }
                }
            }

            final Integer principalCount = principal.getProxyCount();
            if (principalCount != null) {
                // One hop is consumed relative to the principal's count; never go below zero.
                final int remainingHops = Math.max(0, principalCount - 1);
                effectiveCount = effectiveCount == null ? remainingHops : Math.min(effectiveCount, remainingHops);
            }
        }

        return new Pair<>(effectiveCount, Set.copyOf(effectiveAudiences));
    }
}
