package net.shibboleth.idp.authn;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import net.shibboleth.idp.authn.CredentialValidator;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.idp.authn.principal.PasswordPrincipal;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.collection.Pair;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

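/**
 * Base class for {@link CredentialValidator}s that check a username/password pair carried in a
 * {@link UsernamePasswordContext}.
 *
 * <p>Before delegating to the concrete validator, this class canonicalizes the submitted username
 * (optional trim, case folding, and regular-expression rewrites) and can restrict the validator to
 * usernames that match a configured expression.</p>
 *
 * <p>Security-relevant behavior visible in this class:</p>
 * <ul>
 *   <li>The canonicalized username, not the raw input, becomes the {@link UsernamePrincipal}; the
 *       transform configuration therefore decides which account an input maps to.</li>
 *   <li>When {@link #setSavePasswordToCredentialSet(boolean)} is enabled, the submitted password is
 *       kept in the {@link Subject}'s private credentials after validation.</li>
 *   <li>Usernames (raw and transformed) are written to the log at DEBUG/TRACE level; no log
 *       statement in this class includes the password.</li>
 * </ul>
 *
 * <p>All setters call {@code checkSetterPreconditions()} first, so configuration is expected to
 * happen before the component is put into use.</p>
 */
@ThreadSafeAfterInit
/* loaded from: input_file:net/shibboleth/idp/authn/AbstractUsernamePasswordCredentialValidator.class */
public abstract class AbstractUsernamePasswordCredentialValidator extends AbstractCredentialValidator {

    /** Default metric name. Not referenced anywhere else in this listing. */
    @Nonnull
    @NotEmpty
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.password";

    /** Whether the submitted password is copied into the Subject's private credentials. */
    private boolean savePasswordToCredentialSet;

    /** Optional filter: when set, only usernames matching it in full are validated here. */
    @Nullable
    private Pattern matchExpression;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AbstractUsernamePasswordCredentialValidator.class);

    /** Locates the {@link UsernamePasswordContext}; defaults to a child-context lookup. */
    @Nonnull
    private Function<AuthenticationContext, UsernamePasswordContext> usernamePasswordContextLookupStrategy =
            new ChildContextLookup<>(UsernamePasswordContext.class);

    /** Ordered (pattern, replacement) rewrites applied to the username after trim/case folding. */
    @Nonnull
    private List<Pair<Pattern, String>> transforms = CollectionSupport.emptyList();

    /** Fold the username to upper case (ignored when {@link #lowercase} is also set). */
    private boolean uppercase = false;

    /** Fold the username to lower case; takes precedence over {@link #uppercase}. */
    private boolean lowercase = false;

    /** Trim the username with {@link String#trim()} before any other transform. */
    private boolean trim = false;

    /**
     * Sets the strategy used to locate the {@link UsernamePasswordContext}.
     *
     * @param function lookup strategy; must not be null
     */
    public void setUsernamePasswordContextLookupStrategy(
            @Nonnull Function<AuthenticationContext, UsernamePasswordContext> function) {
        checkSetterPreconditions();
        this.usernamePasswordContextLookupStrategy =
                Constraint.isNotNull(function, "UsernamePasswordContextLookupStrategy cannot be null");
    }

    /**
     * Reports whether the password is retained in the Subject's private credentials.
     *
     * @return true if the password is saved by {@link #populateSubject(Subject, UsernamePasswordContext)}
     */
    public boolean savePasswordToCredentialSet() {
        return this.savePasswordToCredentialSet;
    }

    /**
     * Controls whether the submitted password is added to the Subject's private credentials.
     *
     * <p>Enabling this keeps the password available to whatever can read the Subject's private
     * credential set after login, so it should stay off unless a downstream component needs it.</p>
     *
     * @param z true to retain the password
     */
    public void setSavePasswordToCredentialSet(boolean z) {
        checkSetterPreconditions();
        this.savePasswordToCredentialSet = z;
    }

    /**
     * Sets the expression a transformed username must match for this validator to run.
     *
     * @param pattern the filter; null or an empty pattern string disables filtering
     */
    public void setMatchExpression(@Nullable Pattern pattern) {
        checkSetterPreconditions();
        final boolean disabled = pattern == null || pattern.pattern().isEmpty();
        this.matchExpression = disabled ? null : pattern;
    }

    /**
     * Sets the ordered regular-expression rewrites applied to the username.
     *
     * <p>The compiled list is built locally and published only once every pair has been accepted,
     * so a malformed pattern or missing replacement leaves the previous configuration intact
     * instead of a partially filled list.</p>
     *
     * @param collection (pattern, replacement) pairs; null clears all transforms
     * @throws java.util.regex.PatternSyntaxException if a pattern does not compile
     */
    public void setTransforms(@Nullable Collection<Pair<String, String>> collection) {
        checkSetterPreconditions();
        if (collection == null) {
            this.transforms = CollectionSupport.emptyList();
            return;
        }
        final List<Pair<Pattern, String>> compiled = new ArrayList<>(collection.size());
        for (final Pair<String, String> rule : collection) {
            // NOTE(review): a pattern that trims to null reaches Pattern.compile(null) and fails
            // with a NullPointerException rather than a descriptive constraint message.
            final Pattern pattern = Pattern.compile(StringSupport.trimOrNull(rule.getFirst()));
            final String replacement = Constraint.isNotNull(
                    StringSupport.trimOrNull(rule.getSecond()), "Replacement expression cannot be null");
            compiled.add(new Pair<>(pattern, replacement));
        }
        this.transforms = compiled;
    }

    /**
     * Enables upper-case folding of the username.
     *
     * @param z true to fold to upper case
     */
    public void setUppercase(boolean z) {
        checkSetterPreconditions();
        this.uppercase = z;
    }

    /**
     * Enables lower-case folding of the username.
     *
     * @param z true to fold to lower case
     */
    public void setLowercase(boolean z) {
        checkSetterPreconditions();
        this.lowercase = z;
    }

    /**
     * Enables whitespace trimming of the username.
     *
     * @param z true to trim
     */
    public void setTrim(boolean z) {
        checkSetterPreconditions();
        this.trim = z;
    }

    /**
     * Checks that a usable username/password pair is present, canonicalizes the username, applies
     * the optional match expression, and hands off to the concrete validator.
     *
     * <p>A missing context or username is reported as {@code NO_CREDENTIALS}; a missing password
     * as {@code INVALID_CREDENTIALS}. In each case the error handler, if any, is notified before
     * the {@link LoginException} is thrown.</p>
     *
     * @return the Subject produced by the concrete validator, or null when the transformed
     *         username does not match the configured expression (no error is reported in that
     *         case; presumably this signals "not applicable" to the caller)
     * @throws LoginException if the context, username or password is missing
     */
    @Override // net.shibboleth.idp.authn.AbstractCredentialValidator
    protected Subject doValidate(@Nonnull ProfileRequestContext profileRequestContext,
            @Nonnull AuthenticationContext authenticationContext,
            @Nullable CredentialValidator.WarningHandler warningHandler,
            @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception {
        checkComponentActive();

        final UsernamePasswordContext upContext =
                this.usernamePasswordContextLookupStrategy.apply(authenticationContext);
        if (upContext == null) {
            this.log.debug("{} No UsernamePasswordContext available", getLogPrefix());
            if (errorHandler != null) {
                errorHandler.handleError(profileRequestContext, authenticationContext,
                        AuthnEventIds.NO_CREDENTIALS, AuthnEventIds.NO_CREDENTIALS);
            }
            throw new LoginException(AuthnEventIds.NO_CREDENTIALS);
        }

        final String username = upContext.getUsername();
        if (username == null) {
            this.log.info("{} No username available within UsernamePasswordContext", getLogPrefix());
            if (errorHandler != null) {
                errorHandler.handleError(profileRequestContext, authenticationContext,
                        AuthnEventIds.NO_CREDENTIALS, AuthnEventIds.NO_CREDENTIALS);
            }
            throw new LoginException(AuthnEventIds.NO_CREDENTIALS);
        }

        if (upContext.getPassword() == null) {
            this.log.info("{} No password available within UsernamePasswordContext", getLogPrefix());
            if (errorHandler != null) {
                errorHandler.handleError(profileRequestContext, authenticationContext,
                        AuthnEventIds.INVALID_CREDENTIALS, AuthnEventIds.INVALID_CREDENTIALS);
            }
            throw new LoginException(AuthnEventIds.INVALID_CREDENTIALS);
        }

        // Everything after this point, including the match check and the principal, works on the
        // canonicalized username rather than the raw input.
        upContext.setTransformedUsername(applyTransforms(username));

        final Pattern filter = this.matchExpression;
        // matches() requires the whole transformed username to match, not just a substring.
        if (filter != null && !filter.matcher(upContext.getTransformedUsername()).matches()) {
            this.log.debug("{} Username '{}' did not match expression", getLogPrefix(),
                    upContext.getTransformedUsername());
            return null;
        }
        return doValidate(profileRequestContext, authenticationContext, upContext, warningHandler, errorHandler);
    }

    /**
     * Validates the credentials in the supplied context; implemented by concrete validators.
     *
     * <p>When called from this class, the context already holds a non-null username and password
     * and a transformed username.</p>
     *
     * @return the authenticated Subject, or null
     * @throws Exception on validation failure
     */
    @Nullable
    protected abstract Subject doValidate(@Nonnull ProfileRequestContext profileRequestContext,
            @Nonnull AuthenticationContext authenticationContext,
            @Nonnull UsernamePasswordContext usernamePasswordContext,
            @Nullable CredentialValidator.WarningHandler warningHandler,
            @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception;

    /**
     * Adds the transformed username as a {@link UsernamePrincipal} and, if configured, the
     * password as a {@link PasswordPrincipal} in the private credential set, then defers to the
     * superclass.
     *
     * @param subject the Subject to populate
     * @param usernamePasswordContext source of the transformed username and password
     * @return the result of {@code super.populateSubject(subject)}
     */
    @Nonnull
    protected Subject populateSubject(@Nonnull Subject subject,
            @Nonnull UsernamePasswordContext usernamePasswordContext) {
        final String principalName = usernamePasswordContext.getTransformedUsername();
        assert principalName != null;
        subject.getPrincipals().add(new UsernamePrincipal(principalName));

        if (this.savePasswordToCredentialSet) {
            // The password as submitted is retained with the Subject; see the setter's caveat.
            final String secret = usernamePasswordContext.getPassword();
            assert secret != null;
            subject.getPrivateCredentials().add(new PasswordPrincipal(secret));
        }
        return super.populateSubject(subject);
    }

    /**
     * Canonicalizes a username: optional trim, then lower- or upper-case folding (lower case wins
     * if both are enabled), then each configured rewrite in order.
     *
     * @param str the raw username
     * @return the transformed username
     */
    @Nonnull
    @NotEmpty
    protected String applyTransforms(@Nonnull @NotEmpty String str) {
        String result = str;
        if (this.trim) {
            this.log.trace("{} Trimming whitespace of input string '{}'", getLogPrefix(), result);
            result = result.trim();
        }

        // NOTE(review): toLowerCase()/toUpperCase() without a Locale use the JVM default locale.
        // Under locales such as tr or az, 'I' and 'i' fold to dotless/dotted variants, so the
        // canonical username can differ between hosts with different locale settings. Consider
        // passing Locale.ROOT if no deployment relies on locale-specific folding.
        if (this.lowercase) {
            this.log.trace("{} Converting input string '{}' to lowercase", getLogPrefix(), result);
            result = result.toLowerCase();
        } else if (this.uppercase) {
            this.log.trace("{} Converting input string '{}' to uppercase", getLogPrefix(), result);
            result = result.toUpperCase();
        }

        // With no transforms configured the loop body never runs and the folded value is returned.
        for (final Pair<Pattern, String> rule : this.transforms) {
            final Pattern pattern = rule.getFirst();
            if (pattern == null) {
                continue;
            }
            final Matcher matcher = pattern.matcher(result);
            this.log.trace("{} Applying replacement expression '{}' against input '{}'",
                    getLogPrefix(), pattern.pattern(), result);
            // replaceAll treats "$n" in the replacement as a capture-group reference.
            result = matcher.replaceAll(rule.getSecond());
            this.log.trace("{} Result of replacement is '{}'", getLogPrefix(), result);
        }

        assert result != null;
        return result;
    }
}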
