package net.shibboleth.idp.authn.impl;

import java.security.Principal;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.session.context.SessionContext;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/impl/FinalizeAuthentication.class */
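/**
 * Authentication action that completes a login attempt.
 *
 * <p>{@link #doPreExecute} resolves the canonical principal name (from a
 * {@link SubjectCanonicalizationContext} if present, otherwise from the IdP session) and
 * checks that the current {@link AuthenticationResult} satisfies any requested principal.
 * {@link #doExecute} then binds that name to the {@link SubjectContext}, merges the
 * authentication results into it, and records the completion instant.</p>
 *
 * <p>Events signalled: {@code RequestUnsupported} when the requested principal is not
 * satisfied, {@code InvalidSubjectContext} when the authenticated name conflicts with a
 * subject that is already established.</p>
 *
 * <p>The class keeps per-request state in a field and has no synchronization, so a single
 * instance must not be run by several requests at once.</p>
 */
public class FinalizeAuthentication extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(FinalizeAuthentication.class);

    /**
     * Principal name resolved by {@link #doPreExecute} and consumed by {@link #doExecute}.
     * Null when neither a canonicalization context nor an IdP session supplied one.
     */
    @Nullable
    private String canonicalPrincipalName;

    /**
     * Resolves the canonical principal name and verifies the requested principal, if any.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @return the superclass result when the checks pass, or {@code false} after signalling
     *         {@code RequestUnsupported} when the authentication result does not support
     *         the requested principal
     */
    @Override
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        // Identity state must never outlive one run: without this reset, an instance that
        // is executed more than once and finds no c14n context and no session would bind
        // the previous run's principal name to the current subject in doExecute.
        this.canonicalPrincipalName = null;

        SubjectCanonicalizationContext c14nContext = profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class);
        if (c14nContext != null) {
            this.canonicalPrincipalName = c14nContext.getPrincipalName();
            // The canonicalization context is consumed here and removed from the tree.
            profileRequestContext.removeSubcontext(c14nContext);
            this.log.debug("{} Canonical principal name was established as '{}'", getLogPrefix(), this.canonicalPrincipalName);
        }

        // Fall back to the name carried by an existing IdP session.
        if (this.canonicalPrincipalName == null) {
            SessionContext sessionContext = profileRequestContext.getSubcontext(SessionContext.class);
            if (sessionContext != null && sessionContext.getIdPSession() != null) {
                this.canonicalPrincipalName = sessionContext.getIdPSession().getPrincipalName();
                this.log.debug("{} Canonical principal name established from session as '{}'", getLogPrefix(), this.canonicalPrincipalName);
            }
        }

        RequestedPrincipalContext requestedContext = authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        if (requestedContext != null) {
            Principal matchingPrincipal = requestedContext.getMatchingPrincipal();
            if (matchingPrincipal != null) {
                AuthenticationResult latestResult = authenticationContext.getAuthenticationResult();
                // Fail closed: a missing result, or one that does not list the requested
                // principal among its supported principals, rejects the request.
                if (latestResult == null
                        || !latestResult.getSupportedPrincipals(matchingPrincipal.getClass()).contains(matchingPrincipal)) {
                    this.log.warn("{} Authentication result for flow {} did not satisfy the requested Principal {}",
                            getLogPrefix(),
                            latestResult != null ? latestResult.getAuthenticationFlowId() : "(none)",
                            matchingPrincipal);
                    ActionSupport.buildEvent(profileRequestContext, "RequestUnsupported");
                    return false;
                }
            }
        }
        return super.doPreExecute(profileRequestContext, authenticationContext);
    }

    /**
     * Binds the canonical principal name to the {@link SubjectContext}, merges the
     * authentication results into it, and records the completion instant.
     *
     * <p>When no canonical name was resolved, the subject context is left untouched and
     * only the completion instant is set.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    @Override
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (this.canonicalPrincipalName != null) {
            // The 'true' argument creates the SubjectContext when it does not exist yet.
            SubjectContext subjectContext = profileRequestContext.getSubcontext(SubjectContext.class, true);
            String establishedName = subjectContext.getPrincipalName();

            // An already-established subject may only be confirmed, never replaced by a
            // different identity. On conflict nothing is merged and the completion
            // instant is not set.
            if (establishedName != null && !this.canonicalPrincipalName.equals(establishedName)) {
                this.log.warn("{} Result of authentication ({}) does not match existing subject in context ({})",
                        getLogPrefix(), this.canonicalPrincipalName, establishedName);
                ActionSupport.buildEvent(profileRequestContext, "InvalidSubjectContext");
                return;
            }

            subjectContext.setPrincipalName(this.canonicalPrincipalName);

            // Active results overwrite entries with the same flow id; the current result
            // is added only when its flow id is not already present.
            Map<String, AuthenticationResult> mergedResults = subjectContext.getAuthenticationResults();
            mergedResults.putAll(authenticationContext.getActiveResults());
            AuthenticationResult latestResult = authenticationContext.getAuthenticationResult();
            if (latestResult != null && !mergedResults.containsKey(latestResult.getAuthenticationFlowId())) {
                mergedResults.put(latestResult.getAuthenticationFlowId(), latestResult);
            }
        }
        authenticationContext.setCompletionInstant();
    }
}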
