package net.shibboleth.idp.authn.impl;

import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.idp.authn.AccountLockoutManager;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.LockoutManagerContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.annotation.constraint.Positive;
import net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import net.shibboleth.utilities.java.support.net.HttpServletSupport;
import net.shibboleth.utilities.java.support.primitive.NonnullSupplier;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.StorageCapabilities;
import org.opensaml.storage.StorageCapabilitiesEx;
import org.opensaml.storage.StorageRecord;
import org.opensaml.storage.StorageService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.3.2.jar:net/shibboleth/idp/authn/impl/StorageBackedAccountLockoutManager.class */
public class StorageBackedAccountLockoutManager extends AbstractIdentifiableInitializableComponent implements AccountLockoutManager {

    @Nonnull
    private Logger log = LoggerFactory.getLogger((Class<?>) StorageBackedAccountLockoutManager.class);

    @NonnullAfterInit
    private StorageService storageService;

    @Nullable
    private Function<ProfileRequestContext, String> lockoutKeyStrategy;

    @Nonnull
    private Function<ProfileRequestContext, Integer> maxAttemptsLookupStrategy;

    @Nonnull
    private Function<ProfileRequestContext, Duration> counterIntervalLookupStrategy;

    @Nonnull
    private Function<ProfileRequestContext, Duration> lockoutDurationLookupStrategy;
    private boolean extendLockoutDuration;

    /* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.3.2.jar:net/shibboleth/idp/authn/impl/StorageBackedAccountLockoutManager$UsernameIPLockoutKeyStrategy.class */
    public static class UsernameIPLockoutKeyStrategy implements Function<ProfileRequestContext, String> {

        @Nullable
        private NonnullSupplier<HttpServletRequest> httpRequestSupplier;

        public void setHttpServletRequestSupplier(@Nonnull NonnullSupplier<HttpServletRequest> nonnullSupplier) {
            this.httpRequestSupplier = (NonnullSupplier) Constraint.isNotNull(nonnullSupplier, "HttpServletRequest cannot be null");
        }

        @Nullable
        private HttpServletRequest getHttpServletRequest() {
            if (this.httpRequestSupplier == null) {
                return null;
            }
            return this.httpRequestSupplier.get();
        }

        @Override // java.util.function.Function
        @Nullable
        public String apply(@Nullable ProfileRequestContext profileRequestContext) {
            AuthenticationContext authenticationContext;
            UsernamePasswordContext usernamePasswordContext;
            if (profileRequestContext == null) {
                return null;
            }
            LockoutManagerContext lockoutManagerContext = (LockoutManagerContext) profileRequestContext.getSubcontext(LockoutManagerContext.class);
            if (lockoutManagerContext != null) {
                return lockoutManagerContext.getKey();
            }
            if (getHttpServletRequest() == null || (authenticationContext = (AuthenticationContext) profileRequestContext.getSubcontext(AuthenticationContext.class)) == null || (usernamePasswordContext = (UsernamePasswordContext) authenticationContext.getSubcontext(UsernamePasswordContext.class)) == null) {
                return null;
            }
            String username = usernamePasswordContext.getUsername();
            String remoteAddr = HttpServletSupport.getRemoteAddr(getHttpServletRequest());
            if (username == null || username.isEmpty() || remoteAddr == null || remoteAddr.isEmpty()) {
                return null;
            }
            return username.toLowerCase() + "!" + remoteAddr;
        }
    }

    public StorageBackedAccountLockoutManager() {
        setMaxAttempts(5);
        setCounterInterval(Duration.ofMinutes(5L));
        setLockoutDuration(Duration.ofMinutes(5L));
    }

    public void setStorageService(@Nonnull StorageService storageService) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.storageService = (StorageService) Constraint.isNotNull(storageService, "StorageService cannot be null");
        StorageCapabilities capabilities = this.storageService.getCapabilities();
        if (capabilities instanceof StorageCapabilitiesEx) {
            Constraint.isTrue(((StorageCapabilitiesEx) capabilities).isServerSide(), "StorageService cannot be client-side");
            if (((StorageCapabilitiesEx) capabilities).isClustered()) {
                return;
            }
            this.log.info("Use of non-clustered storage service will result in per-node lockout behavior");
        }
    }

    public void setLockoutKeyStrategy(@Nonnull Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.lockoutKeyStrategy = (Function) Constraint.isNotNull(function, "Lockout key strategy cannot be null");
    }

    public void setMaxAttempts(@Positive int i) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.maxAttemptsLookupStrategy = FunctionSupport.constant(Integer.valueOf(Constraint.isGreaterThan(0, i, "Attempts must be greater than zero")));
    }

    public void setMaxAttemptsLookupStrategy(@Nonnull Function<ProfileRequestContext, Integer> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.maxAttemptsLookupStrategy = (Function) Constraint.isNotNull(function, "Max attempts lookup strategy cannot be null");
    }

    public void setCounterInterval(@Nonnull Duration duration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.counterIntervalLookupStrategy = FunctionSupport.constant((Duration) Constraint.isNotNull(duration, "Counter interval cannot be null"));
    }

    public void setCounterIntervalLookupStrategy(@Nonnull Function<ProfileRequestContext, Duration> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.counterIntervalLookupStrategy = (Function) Constraint.isNotNull(function, "Counter interval lookup strategy cannot be null");
    }

    public void setLockoutDuration(@Nonnull Duration duration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.lockoutDurationLookupStrategy = FunctionSupport.constant((Duration) Constraint.isNotNull(duration, "Lockout duration cannot be null"));
    }

    public void setLockoutDurationLookupStrategy(@Nonnull Function<ProfileRequestContext, Duration> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.lockoutDurationLookupStrategy = (Function) Constraint.isNotNull(function, "Lockout duration lookup strategy cannot be null");
    }

    public void setExtendLockoutDuration(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.extendLockoutDuration = z;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent, net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.storageService == null) {
            throw new ComponentInitializationException("StorageService cannot be null");
        }
        if (this.lockoutKeyStrategy == null) {
            throw new ComponentInitializationException("Lockout key strategy cannot be null");
        }
    }

    @Override // net.shibboleth.idp.authn.AccountLockoutManager
    public boolean check(@Nonnull ProfileRequestContext profileRequestContext) {
        StorageRecord storageRecord;
        String apply = this.lockoutKeyStrategy.apply(profileRequestContext);
        if (apply == null) {
            this.log.warn("No lockout key returned for request");
            return false;
        }
        try {
            storageRecord = this.storageService.read(getId(), apply);
        } catch (IOException e) {
            storageRecord = null;
            this.log.error("Error reading back account lockout state for '{}'", apply, e);
        }
        if (storageRecord == null) {
            this.log.debug("No lockout record available for '{}'", apply);
            return false;
        }
        try {
            int parseInt = Integer.parseInt(storageRecord.getValue());
            if (parseInt >= this.maxAttemptsLookupStrategy.apply(profileRequestContext).intValue()) {
                long millis = this.lockoutDurationLookupStrategy.apply(profileRequestContext).toMillis();
                if (System.currentTimeMillis() - (storageRecord.getExpiration().longValue() - Math.max(millis, this.counterIntervalLookupStrategy.apply(profileRequestContext).toMillis())) <= millis) {
                    this.log.info("Lockout threshold reached for '{}', invalid count is {}", apply, Integer.valueOf(parseInt));
                    if (!this.extendLockoutDuration) {
                        return true;
                    }
                    doIncrement(profileRequestContext, apply, 10);
                    return true;
                }
                this.log.debug("Lockout for '{}' has elapsed", apply);
            } else {
                this.log.debug("Invalid attempts counter for '{}' has only reached {}", apply, Integer.valueOf(parseInt));
            }
            return false;
        } catch (NumberFormatException e2) {
            this.log.error("Error converting lockout data for '{}' into integer", apply, e2);
            return false;
        }
    }

    @Override // net.shibboleth.idp.authn.AccountLockoutManager
    public boolean increment(@Nonnull ProfileRequestContext profileRequestContext) {
        String apply = this.lockoutKeyStrategy.apply(profileRequestContext);
        if (apply != null) {
            return doIncrement(profileRequestContext, apply, 10);
        }
        this.log.warn("No lockout key returned for request");
        return false;
    }

    @Override // net.shibboleth.idp.authn.AccountLockoutManager
    public boolean clear(@Nonnull ProfileRequestContext profileRequestContext) {
        try {
            String apply = this.lockoutKeyStrategy.apply(profileRequestContext);
            if (apply == null) {
                this.log.warn("No lockout key returned for request");
                return false;
            }
            this.log.debug("Clearing lockout state for '{}'", apply);
            this.storageService.delete(getId(), apply);
            return true;
        } catch (IOException e) {
            this.log.error("Error deleting lockout entry", (Throwable) e);
            return false;
        }
    }

    protected boolean doIncrement(@Nonnull ProfileRequestContext profileRequestContext, @NotEmpty @Nonnull String str, int i) {
        StorageRecord storageRecord;
        if (i <= 0) {
            this.log.error("Account lockout increment attempts for '{}' exceeded retry limit", str);
            return false;
        }
        this.log.debug("Reading account lockout data for '{}'", str);
        int i2 = 0;
        try {
            storageRecord = this.storageService.read(getId(), str);
            if (storageRecord != null) {
                i2 = Integer.parseInt(storageRecord.getValue());
            }
        } catch (IOException e) {
            storageRecord = null;
            i2 = 0;
            this.log.error("Error reading back account lockout state for '{}'", str, e);
        } catch (NumberFormatException e2) {
            storageRecord = null;
            i2 = 0;
            this.log.error("Error converting lockout data for '{}' into integer", str, e2);
        }
        long currentTimeMillis = System.currentTimeMillis();
        long millis = this.lockoutDurationLookupStrategy.apply(profileRequestContext).toMillis();
        long millis2 = this.counterIntervalLookupStrategy.apply(profileRequestContext).toMillis();
        long j = currentTimeMillis;
        if (storageRecord != null) {
            j = storageRecord.getExpiration().longValue() - Math.max(millis, millis2);
        }
        if (currentTimeMillis - j > millis2) {
            i2 = 0;
        }
        int i3 = i2 + 1;
        long currentTimeMillis2 = System.currentTimeMillis() + Math.max(millis, millis2);
        this.log.debug("Invalid login count for '{}' will be {}, expiring at {}", str, Integer.valueOf(i3), Instant.ofEpochMilli(currentTimeMillis2));
        if (storageRecord == null) {
            try {
                if (this.storageService.create(getId(), str, Integer.toString(i3), Long.valueOf(currentTimeMillis2))) {
                    return true;
                }
            } catch (IOException e3) {
                this.log.error("Unable to create account lockout record for '{}'", str, e3);
            }
        } else {
            try {
                if (this.storageService.update(getId(), str, Integer.toString(i3), Long.valueOf(currentTimeMillis2))) {
                    return true;
                }
            } catch (IOException e4) {
                this.log.error("Unable to update account lockout record for '{}'", str, e4);
            }
        }
        return doIncrement(profileRequestContext, str, i - 1);
    }
}
