package net.shibboleth.idp.authn;

import com.google.common.base.MoreObjects;
import com.google.common.base.Predicates;
import java.io.IOException;
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.BiPredicate;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.principal.PrincipalServiceManager;
import net.shibboleth.idp.authn.principal.PrincipalSupportingComponent;
import net.shibboleth.idp.profile.FlowDescriptor;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.annotation.constraint.Unmodifiable;
import net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.PredicateSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.StorageSerializer;
import org.springframework.core.Ordered;

/* loaded from: input_file:WEB-INF/lib/idp-authn-api-4.3.2.jar:net/shibboleth/idp/authn/AuthenticationFlowDescriptor.class */
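/**
 * Describes one authentication flow: its capability flags, the lifetime and inactivity limits
 * applied to results it produces, the principals it supports, and the reuse/revocation
 * conditions attached to every {@link AuthenticationResult} it creates or deserializes.
 *
 * <p>The descriptor is also the flow's activation predicate ({@link #test}) and a
 * {@link StorageSerializer} that delegates to the configured result serializer.</p>
 *
 * <p>NOTE(review): most setters refuse changes once the component is initialized, but
 * {@link #setOrder}, {@link #setProxyRestrictionsEnforced}, {@link #setProxyScopingEnforced},
 * {@link #setDiscoveryRequired} and {@link #setActivationCondition} carry no such guard, so
 * those policy settings can be changed on a live descriptor. Confirm that this is intended
 * before relying on them as fixed policy.</p>
 */
public class AuthenticationFlowDescriptor extends AbstractIdentifiableInitializableComponent implements FlowDescriptor, PrincipalSupportingComponent, Predicate<ProfileRequestContext>, StorageSerializer<AuthenticationResult>, Ordered {

    /** Prefix constant for authentication flow identifiers (not referenced inside this class). */
    @NotEmpty
    @Nonnull
    public static final String FLOW_ID_PREFIX = "authn/";

    /**
     * Margin subtracted, together with the inactivity timeout, from a stored record's expiration
     * in {@link #deserialize} before the value is handed to the delegate serializer.
     */
    @Nonnull
    public static final Duration STORAGE_EXPIRATION_OFFSET = Duration.ofMinutes(10);

    // Capability flags; all default to false.
    private boolean supportsPassive;
    private boolean supportsForced;

    // When true, ProxyCountPredicate rejects reuse if the request's proxy count is zero.
    private boolean proxyScopingEnforced;
    private boolean discoveryRequired;

    // Optional condition copied onto every result; null means none is configured.
    @Nullable
    private BiPredicate<ProfileRequestContext, AuthenticationResult> revocationCondition;

    // Maximum age of a result measured from its authentication instant; null disables the check.
    @Nullable
    private Duration lifetime;

    // Delegate used by serialize()/deserialize(); doInitialize() fails if it is still null.
    @Nullable
    private StorageSerializer<AuthenticationResult> resultSerializer;

    // Only required when string-based principals were configured.
    @Nullable
    private PrincipalServiceManager principalServiceManager;

    @Nullable
    private BiConsumer<ProfileRequestContext, Subject> subjectDecorator;

    // Defaults to the largest int value.
    private int order = Integer.MAX_VALUE;
    private boolean supportsNonBrowser = true;

    // When true (the default), results additionally get a ProxyRestrictionReusePredicate.
    private boolean proxyRestrictionsEnforced = true;

    @Nonnull
    private Predicate<ProfileRequestContext> reuseCondition = new ProxyCountPredicate();

    @Nonnull
    private Subject supportedPrincipals = new Subject();

    // Every request activates the flow unless a condition is installed.
    @Nonnull
    private Predicate<ProfileRequestContext> activationCondition = Predicates.alwaysTrue();

    @Nonnull
    private Duration inactivityTimeout = Duration.ofMinutes(30);

    // Never null: starts empty and setPrincipalWeightMap() maps null to an empty map.
    @NonnullElements
    @Nonnull
    private Map<Principal, Integer> principalWeightMap = Collections.emptyMap();

    // Principals supplied in string form; resolved into supportedPrincipals by doInitialize().
    @Nonnull
    private Set<String> stringBasedPrincipals = Collections.emptySet();

    /* loaded from: input_file:WEB-INF/lib/idp-authn-api-4.3.2.jar:net/shibboleth/idp/authn/AuthenticationFlowDescriptor$ProxyCountPredicate.class */
    /**
     * Reuse predicate that returns {@code false} only when proxy scoping is enforced and the
     * request's {@link AuthenticationContext} reports a proxy count of exactly zero.
     *
     * <p>A missing context or a missing proxy count permits reuse.</p>
     */
    private class ProxyCountPredicate implements Predicate<ProfileRequestContext> {
        private ProxyCountPredicate() {
        }

        /**
         * Evaluates the proxy-count rule for a request.
         *
         * @param profileRequestContext the request context
         * @return {@code false} if scoping is enforced and the proxy count is zero, else {@code true}
         */
        @Override // java.util.function.Predicate
        public boolean test(@Nullable ProfileRequestContext profileRequestContext) {
            if (!AuthenticationFlowDescriptor.this.proxyScopingEnforced) {
                return true;
            }
            // NOTE(review): the parameter is declared @Nullable but is dereferenced here, so a
            // null context raises NullPointerException while scoping is enforced. Decide whether
            // that case should permit or refuse reuse and handle it explicitly.
            final AuthenticationContext authenticationContext =
                    profileRequestContext.getSubcontext(AuthenticationContext.class);
            if (authenticationContext == null || authenticationContext.getProxyCount() == null) {
                return true;
            }
            return authenticationContext.getProxyCount().intValue() != 0;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/idp-authn-api-4.3.2.jar:net/shibboleth/idp/authn/AuthenticationFlowDescriptor$WeightedComparator.class */
    /**
     * Orders objects by their entry in the principal weight map, ascending; an object without
     * an entry has weight zero.
     *
     * @param <T> type of object compared
     */
    private class WeightedComparator<T> implements Comparator<T> {
        private WeightedComparator() {
        }

        @Override // java.util.Comparator
        public int compare(T t, T t2) {
            final int leftWeight = AuthenticationFlowDescriptor.this.principalWeightMap.getOrDefault(t, 0);
            final int rightWeight = AuthenticationFlowDescriptor.this.principalWeightMap.getOrDefault(t2, 0);
            return Integer.compare(leftWeight, rightWeight);
        }
    }

    /** {@inheritDoc} */
    @Override // org.springframework.core.Ordered
    public int getOrder() {
        return this.order;
    }

    /**
     * Sets the ordering value reported by {@link #getOrder()}.
     *
     * @param i the order value
     */
    public void setOrder(int i) {
        this.order = i;
    }

    /**
     * Reports whether the flow supports non-browser clients.
     *
     * @return the flag, {@code true} by default
     */
    public boolean isNonBrowserSupported() {
        return this.supportsNonBrowser;
    }

    /**
     * Sets whether the flow supports non-browser clients; rejected after initialization.
     *
     * @param z the flag value
     */
    public void setNonBrowserSupported(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.supportsNonBrowser = z;
    }

    /**
     * Reports whether the flow supports passive authentication.
     *
     * @return the flag, {@code false} by default
     */
    public boolean isPassiveAuthenticationSupported() {
        return this.supportsPassive;
    }

    /**
     * Sets whether the flow supports passive authentication; rejected after initialization.
     *
     * @param z the flag value
     */
    public void setPassiveAuthenticationSupported(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.supportsPassive = z;
    }

    /**
     * Reports whether the flow supports forced authentication.
     *
     * @return the flag, {@code false} by default
     */
    public boolean isForcedAuthenticationSupported() {
        return this.supportsForced;
    }

    /**
     * Sets whether the flow supports forced authentication; rejected after initialization.
     *
     * @param z the flag value
     */
    public void setForcedAuthenticationSupported(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.supportsForced = z;
    }

    /**
     * Reports whether results get the additional proxy-restriction reuse predicate.
     *
     * @return the flag, {@code true} by default
     */
    public boolean isProxyRestrictionsEnforced() {
        return this.proxyRestrictionsEnforced;
    }

    /**
     * Sets whether results get the additional proxy-restriction reuse predicate.
     *
     * <p>NOTE(review): no initialized-state guard, so enforcement can be switched off on a
     * live descriptor; results created afterwards are built without the predicate.</p>
     *
     * @param z the flag value
     */
    public void setProxyRestrictionsEnforced(boolean z) {
        this.proxyRestrictionsEnforced = z;
    }

    /**
     * Reports whether the proxy-count rule is applied to result reuse.
     *
     * @return the flag, {@code false} by default
     */
    public boolean isProxyScopingEnforced() {
        return this.proxyScopingEnforced;
    }

    /**
     * Sets whether the proxy-count rule is applied to result reuse.
     *
     * <p>NOTE(review): no initialized-state guard. The predicate reads this field on every
     * evaluation, so a change takes effect for results that already exist.</p>
     *
     * @param z the flag value
     */
    public void setProxyScopingEnforced(boolean z) {
        this.proxyScopingEnforced = z;
    }

    /**
     * Reports the discovery-required flag.
     *
     * @return the flag, {@code false} by default
     */
    public boolean isDiscoveryRequired() {
        return this.discoveryRequired;
    }

    /**
     * Sets the discovery-required flag (no initialized-state guard).
     *
     * @param z the flag value
     */
    public void setDiscoveryRequired(boolean z) {
        this.discoveryRequired = z;
    }

    /**
     * Returns the reuse condition attached to results of this flow.
     *
     * @return the condition, never {@code null}
     */
    @Nonnull
    public Predicate<ProfileRequestContext> getReuseCondition() {
        return this.reuseCondition;
    }

    /**
     * Installs a reuse condition; rejected after initialization.
     *
     * <p>The supplied predicate is combined with the built-in proxy-count rule, so a custom
     * condition narrows that rule and does not replace it.</p>
     *
     * @param predicate the additional condition, must not be {@code null}
     */
    public void setReuseCondition(@Nonnull Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.reuseCondition = PredicateSupport.and(new ProxyCountPredicate(),
                Constraint.isNotNull(predicate, "Predicate cannot be null"));
    }

    /**
     * Returns the revocation condition copied onto results of this flow.
     *
     * @return the condition, or {@code null} when none has been configured
     */
    @Nullable
    public BiPredicate<ProfileRequestContext, AuthenticationResult> getRevocationCondition() {
        // Annotated @Nullable because the field has no default and the setter accepts null.
        return this.revocationCondition;
    }

    /**
     * Sets the revocation condition; rejected after initialization.
     *
     * @param biPredicate the condition, or {@code null} for none
     */
    public void setRevocationCondition(@Nullable BiPredicate<ProfileRequestContext, AuthenticationResult> biPredicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.revocationCondition = biPredicate;
    }

    /**
     * Returns the configured subject decorator.
     *
     * @return the decorator, or {@code null} when none has been configured
     */
    @Nullable
    public BiConsumer<ProfileRequestContext, Subject> getSubjectDecorator() {
        return this.subjectDecorator;
    }

    /**
     * Sets the subject decorator; rejected after initialization.
     *
     * @param biConsumer the decorator, or {@code null} for none
     */
    public void setSubjectDecorator(@Nullable BiConsumer<ProfileRequestContext, Subject> biConsumer) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.subjectDecorator = biConsumer;
    }

    /**
     * Returns the maximum age of a result, measured from its authentication instant.
     *
     * @return the lifetime, or {@code null} when {@link #isResultActive} skips the age check
     */
    @Nullable
    public Duration getLifetime() {
        return this.lifetime;
    }

    /**
     * Sets the maximum age of a result; rejected after initialization.
     *
     * @param duration {@code null} to disable the check, otherwise a duration greater than zero
     */
    public void setLifetime(@Nullable Duration duration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        Constraint.isFalse(duration != null && (duration.isNegative() || duration.isZero()),
                "Lifetime must be null or greater than 0");
        this.lifetime = duration;
    }

    /**
     * Returns how long a result may go unused before it counts as inactive.
     *
     * @return the timeout, 30 minutes by default
     */
    @Nonnull
    public Duration getInactivityTimeout() {
        return this.inactivityTimeout;
    }

    /**
     * Sets the inactivity timeout; rejected after initialization.
     *
     * @param duration a non-null duration greater than zero
     */
    public void setInactivityTimeout(@Nonnull Duration duration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        Constraint.isNotNull(duration, "Inactivity timeout cannot be null");
        Constraint.isFalse(duration.isNegative() || duration.isZero(), "Inactivity timeout must be greater than 0");
        this.inactivityTimeout = duration;
    }

    /**
     * Checks a result of this flow against the lifetime and inactivity limits.
     *
     * <p>The check relies on the timestamps recorded in the result and on the local clock.
     * It does not evaluate the reuse or revocation conditions.</p>
     *
     * @param authenticationResult a result whose flow ID equals this descriptor's ID
     * @return {@code true} if neither limit has been exceeded
     */
    public boolean isResultActive(@Nonnull AuthenticationResult authenticationResult) {
        Constraint.isNotNull(authenticationResult, "AuthenticationResult cannot be null");
        Constraint.isTrue(authenticationResult.getAuthenticationFlowId().equals(getId()),
                "AuthenticationResult was not produced by this flow");
        final Instant now = Instant.now();

        // A null lifetime means the age of the result is not limited.
        final Duration maxLifetime = getLifetime();
        if (maxLifetime != null && now.isAfter(authenticationResult.getAuthenticationInstant().plus(maxLifetime))) {
            return false;
        }
        return !now.isAfter(authenticationResult.getLastActivityInstant().plus(getInactivityTimeout()));
    }

    /** {@inheritDoc} */
    @Override // net.shibboleth.idp.authn.principal.PrincipalSupportingComponent
    @NonnullElements
    @Nonnull
    @Unmodifiable
    public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull Class<T> cls) {
        return this.supportedPrincipals.getPrincipals(cls);
    }

    /**
     * Returns all supported principals.
     *
     * <p>NOTE(review): this hands out the principal set of the internal {@link Subject}
     * rather than a copy, so a caller holding the collection can add or remove supported
     * principals, including after initialization. Treat the result as read-only.</p>
     *
     * @return the supported principals
     */
    @NonnullElements
    @Nonnull
    public Collection<Principal> getSupportedPrincipals() {
        return this.supportedPrincipals.getPrincipals();
    }

    /**
     * Replaces the supported principals; rejected after initialization.
     *
     * <p>{@link #doInitialize()} discards these again if string-based principals were also
     * configured.</p>
     *
     * @param collection the principals, non-null and without null elements
     */
    public void setSupportedPrincipals(@NonnullElements @Nonnull Collection<Principal> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        Constraint.isNotNull(collection, "Principal collection cannot be null.");
        final Set<Principal> principals = this.supportedPrincipals.getPrincipals();
        principals.clear();
        principals.addAll(Set.copyOf(collection));
    }

    /**
     * Records supported principals in string form; rejected after initialization.
     *
     * <p>The strings are normalized with {@code StringSupport.normalizeStringCollection} and
     * turned into principals by {@link #doInitialize()}.</p>
     *
     * @param collection the principal strings
     */
    public void setSupportedPrincipalsByString(@NonnullElements @Nonnull Collection<String> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.stringBasedPrincipals = Set.copyOf(StringSupport.normalizeStringCollection(collection));
    }

    /**
     * Sets the condition that decides whether this flow is active for a request.
     *
     * <p>NOTE(review): no initialized-state guard, so the activation policy can be replaced
     * on a live descriptor.</p>
     *
     * @param predicate the condition, must not be {@code null}
     */
    public void setActivationCondition(@Nonnull Predicate<ProfileRequestContext> predicate) {
        this.activationCondition = Constraint.isNotNull(predicate, "Activation condition predicate cannot be null");
    }

    /**
     * Evaluates the activation condition for a request.
     *
     * @param profileRequestContext the request context, passed to the condition unchanged
     * @return the result of the activation condition
     */
    @Override // java.util.function.Predicate
    public boolean test(@Nullable ProfileRequestContext profileRequestContext) {
        return this.activationCondition.test(profileRequestContext);
    }

    /**
     * Sets the serializer that {@link #serialize} and {@link #deserialize} delegate to;
     * rejected after initialization.
     *
     * @param storageSerializer the delegate, must not be {@code null}
     */
    public void setResultSerializer(@Nonnull StorageSerializer<AuthenticationResult> storageSerializer) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.resultSerializer = Constraint.isNotNull(storageSerializer, "StorageSerializer cannot be null");
    }

    /**
     * Sets the weights used by {@link #getHighestWeighted}; rejected after initialization.
     *
     * <p>The map is stored by reference, not copied, so later changes made by the caller
     * remain visible to this descriptor.</p>
     *
     * @param map the weights, or {@code null} for none
     */
    public void setPrincipalWeightMap(@NonnullElements @Nullable Map<Principal, Integer> map) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.principalWeightMap = map != null ? map : Collections.emptyMap();
    }

    /**
     * Sets the manager used to turn principal strings into principals; rejected after
     * initialization.
     *
     * @param principalServiceManager the manager, or {@code null}
     */
    public void setPrincipalServiceManager(@Nullable PrincipalServiceManager principalServiceManager) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.principalServiceManager = principalServiceManager;
    }

    /**
     * Validates the configuration and resolves string-based principals.
     *
     * <p>Initialization fails without a result serializer, and also without a principal
     * service manager if string-based principals were configured. In that second case the
     * previously set supported principals are cleared and replaced by the resolved ones.</p>
     *
     * <p>NOTE(review): a string the manager cannot resolve is skipped without a log entry or
     * an error, so a mistyped principal yields a flow that silently supports fewer principals
     * than configured. Consider logging or failing on unresolved entries.</p>
     *
     * @throws ComponentInitializationException if a required collaborator is missing
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent, net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.resultSerializer == null) {
            throw new ComponentInitializationException("AuthenticationResult serializer cannot be null");
        }
        if (this.stringBasedPrincipals.isEmpty()) {
            return;
        }
        if (this.principalServiceManager == null) {
            throw new ComponentInitializationException("PrincipalServiceManager cannot be null");
        }
        this.supportedPrincipals.getPrincipals().clear();
        this.stringBasedPrincipals.forEach(str -> {
            Principal principalFromString = this.principalServiceManager.principalFromString(str);
            if (principalFromString != null) {
                this.supportedPrincipals.getPrincipals().add(principalFromString);
            }
        });
    }

    /**
     * Creates a result for this flow and attaches the flow's reuse and revocation conditions.
     *
     * @param subject the authenticated subject
     * @return the new result
     */
    @Nonnull
    public AuthenticationResult newAuthenticationResult(@Nonnull Subject subject) {
        final AuthenticationResult authenticationResult = new AuthenticationResult(getId(), subject);
        applyResultConditions(authenticationResult);
        return authenticationResult;
    }

    /**
     * Serializes a result through the configured delegate.
     *
     * @param authenticationResult the result to serialize
     * @return the serialized form produced by the delegate
     * @throws IOException if the delegate fails
     */
    @Override // org.opensaml.storage.StorageSerializer
    @NotEmpty
    @Nonnull
    public String serialize(@Nonnull AuthenticationResult authenticationResult) throws IOException {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        return this.resultSerializer.serialize(authenticationResult);
    }

    /**
     * Deserializes a stored result through the delegate and re-attaches the flow's reuse and
     * revocation conditions.
     *
     * <p>The conditions come from this descriptor and not from the stored record, so a
     * restored result is governed by the current configuration. Any validation of the stored
     * value itself is left to the delegate serializer.</p>
     *
     * @param version record version, passed through to the delegate
     * @param context storage context, passed through to the delegate
     * @param key storage key, passed through to the delegate
     * @param value stored value, passed through to the delegate
     * @param expiration record expiration; {@code null} is passed through, despite the
     *     {@code @Nonnull} annotation
     * @return the restored result
     * @throws IOException if the delegate fails
     */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.opensaml.storage.StorageSerializer
    @Nonnull
    public AuthenticationResult deserialize(long version, @NotEmpty @Nonnull String context, @NotEmpty @Nonnull String key, @NotEmpty @Nonnull String value, @Nonnull Long expiration) throws IOException {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);

        // The delegate gets the expiration reduced by the inactivity timeout and the fixed
        // storage offset; presumably that recovers the last-activity time - confirm against
        // the code that writes the record.
        Long adjustedExpiration = null;
        if (expiration != null) {
            adjustedExpiration = Long.valueOf(expiration.longValue() - this.inactivityTimeout.toMillis()
                    - STORAGE_EXPIRATION_OFFSET.toMillis());
        }
        final AuthenticationResult restored =
                this.resultSerializer.deserialize(version, context, key, value, adjustedExpiration);
        applyResultConditions(restored);
        return restored;
    }

    /**
     * Attaches the flow's reuse condition, plus the proxy-restriction predicate when
     * enforcement is on, and the revocation condition to a result.
     *
     * @param result the result to configure
     */
    private void applyResultConditions(@Nonnull AuthenticationResult result) {
        if (this.proxyRestrictionsEnforced) {
            // NOTE(review): a null check followed by an unqualified "new" looks like decompiler
            // output for an inner-class instance bound to the result; confirm against the
            // upstream source before compiling this listing.
            Objects.requireNonNull(result);
            result.setReuseCondition(
                    PredicateSupport.and(this.reuseCondition, new AuthenticationResult.ProxyRestrictionReusePredicate()));
        } else {
            result.setReuseCondition(this.reuseCondition);
        }
        result.setRevocationCondition(this.revocationCondition);
    }

    /**
     * Picks the principal with the greatest configured weight.
     *
     * @param collection the candidates, without null elements
     * @param <T> principal type
     * @return {@code null} for an empty collection; the first element if no weights are
     *     configured or there is only one candidate; otherwise the heaviest candidate, the
     *     later one in iteration order winning a tie
     */
    @Nullable
    public <T extends Principal> T getHighestWeighted(@NonnullElements @Nonnull Collection<T> collection) {
        if (collection.isEmpty()) {
            return null;
        }
        if (this.principalWeightMap.isEmpty() || collection.size() == 1) {
            return collection.iterator().next();
        }

        // Single pass in place of a full sort; ">=" keeps the tie-breaking of a stable
        // ascending sort, where the last of the equally heavy candidates ends up on top.
        final Comparator<T> byWeight = new WeightedComparator<>();
        T heaviest = null;
        boolean first = true;
        for (final T candidate : collection) {
            if (first || byWeight.compare(candidate, heaviest) >= 0) {
                heaviest = candidate;
                first = false;
            }
        }
        return heaviest;
    }

    /** Hashes on the flow ID only, matching {@link #equals}. */
    @Override
    public int hashCode() {
        return getId().hashCode();
    }

    /**
     * Two descriptors are equal when their flow IDs are equal; no other setting is compared.
     *
     * @param obj the object to compare with
     * @return {@code true} if {@code obj} is a descriptor with the same ID
     */
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (obj instanceof AuthenticationFlowDescriptor) {
            return getId().equals(((AuthenticationFlowDescriptor) obj).getId());
        }
        // Covers null as well as objects of another type.
        return false;
    }

    /** Renders the flow ID, the passive/forced flags and the two time limits. */
    @Override
    public String toString() {
        return MoreObjects.toStringHelper(this)
                .add("flowId", getId())
                .add("supportsPassive", this.supportsPassive)
                .add("supportsForcedAuthentication", this.supportsForced)
                .add("lifetime", this.lifetime)
                .add("inactivityTimeout", this.inactivityTimeout)
                .toString();
    }
}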
