package net.shibboleth.idp.authn.revocation.impl;

import java.io.IOException;
import java.time.DateTimeException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.function.BiPredicate;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.AbstractInitializableComponent;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.NonnullSupplier;
import org.opensaml.messaging.context.ScratchContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.RevocationCache;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/revocation/impl/RevocationCacheCondition.class */
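/**
 * Predicate that reports whether a previously established {@link AuthenticationResult} has been
 * revoked according to a {@link RevocationCache}.
 *
 * <p>Two cache keys are consulted under the {@link #REVOCATION_CONTEXT} context: one derived from
 * the principal name and, when a servlet request is available, one derived from the request's
 * remote address. Each record is read as an epoch-second timestamp; a result is revoked when its
 * authentication instant is strictly earlier than any such timestamp.</p>
 *
 * <p>The predicate fails closed: {@code true} means "revoked", and every error path visible in this
 * class (null inputs, no principal name, cache I/O failure, unparsable record) returns
 * {@code true} so that a broken revocation check cannot keep a session alive.</p>
 */
public class RevocationCacheCondition extends AbstractInitializableComponent
        implements BiPredicate<ProfileRequestContext, AuthenticationResult> {

    /** Revocation cache context under which both key types are looked up. */
    @NotEmpty
    @Nonnull
    public static final String REVOCATION_CONTEXT = "LoginFlowRevocation";

    /** Key prefix for revocation records indexed by principal name. */
    @NotEmpty
    @Nonnull
    public static final String PRINCIPAL_REVOCATION_PREFIX = "prin!";

    /** Key prefix for revocation records indexed by client address. */
    @NotEmpty
    @Nonnull
    public static final String ADDRESS_REVOCATION_PREFIX = "addr!";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(RevocationCacheCondition.class);

    /** Source of revocation records; required before initialization completes. */
    @NonnullAfterInit
    private RevocationCache revocationCache;

    /** Derives the principal name to check from the profile request; required. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, String> principalNameLookupStrategy;

    /** Optional source of the current servlet request, used only for the address-based lookup. */
    @Nullable
    private NonnullSupplier<HttpServletRequest> httpServletRequestSupplier;

    /**
     * Sets the revocation cache to consult.
     *
     * @param revocationCache the cache, never {@code null}
     */
    public void setRevocationCache(@Nonnull RevocationCache revocationCache) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.revocationCache = Constraint.isNotNull(revocationCache, "RevocationCache cannot be null");
    }

    /**
     * Sets the strategy used to obtain the principal name whose revocation state is checked.
     *
     * @param function the lookup strategy, never {@code null}
     */
    public void setPrincipalNameLookupStrategy(@Nonnull Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.principalNameLookupStrategy =
                Constraint.isNotNull(function, "Principal name lookup strategy cannot be null");
    }

    /**
     * Sets the supplier of the current servlet request.
     *
     * <p>When no supplier is set, or it yields no request, the address-based revocation lookup is
     * skipped and only principal-based records are evaluated.</p>
     *
     * @param nonnullSupplier the supplier, or {@code null} to disable the address-based lookup
     */
    public void setHttpServletRequestSupplier(@Nullable NonnullSupplier<HttpServletRequest> nonnullSupplier) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.httpServletRequestSupplier = nonnullSupplier;
    }

    /**
     * Verifies that the mandatory collaborators were injected.
     *
     * @throws ComponentInitializationException if the cache or the lookup strategy is missing
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.revocationCache == null) {
            throw new ComponentInitializationException("RevocationCache cannot be null");
        }
        if (this.principalNameLookupStrategy == null) {
            throw new ComponentInitializationException("Principal name lookup strategy cannot be null");
        }
    }

    /**
     * Evaluates whether the supplied authentication result must be treated as revoked.
     *
     * <p>The records fetched from the cache are stored in the request's {@link ScratchContext},
     * keyed by this object's runtime class, so the cache is queried at most once per profile
     * request for a given class. A revocation written while that request is in flight is
     * therefore not observed by later evaluations within the same request.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationResult the result whose validity is being checked
     * @return {@code true} if the result is revoked or the check could not be completed,
     *         {@code false} only when the check ran and found no applicable revocation
     */
    @Override
    public boolean test(@Nullable ProfileRequestContext profileRequestContext, @Nullable AuthenticationResult authenticationResult) {
        // Fail closed: without both inputs no decision can be made, so report "revoked".
        if (profileRequestContext == null || authenticationResult == null) {
            this.log.error("Called with null inputs");
            return true;
        }

        final String principalName = this.principalNameLookupStrategy.apply(profileRequestContext);
        if (principalName == null) {
            this.log.error("Principal lookup strategy returned null value");
            return true;
        }

        this.log.debug("Checking revocation for principal name {} for {} result", principalName,
                authenticationResult.getAuthenticationFlowId());

        final ScratchContext scratch = profileRequestContext.getSubcontext(ScratchContext.class, true);
        if (!scratch.getMap().containsKey(getClass())) {
            try {
                final Collection<String> records = new ArrayList<>(2);

                final String principalRecord = this.revocationCache.getRevocationRecord(
                        REVOCATION_CONTEXT, PRINCIPAL_REVOCATION_PREFIX + principalName);
                if (principalRecord != null) {
                    records.add(principalRecord);
                }

                final NonnullSupplier<HttpServletRequest> requestSupplier = this.httpServletRequestSupplier;
                final HttpServletRequest request = requestSupplier == null ? null : requestSupplier.get();
                if (request != null) {
                    // NOTE(review): getRemoteAddr() is the address of the immediate peer. Behind a
                    // reverse proxy or load balancer that is the proxy unless the container restores
                    // the client address, in which case address-keyed revocations would never match
                    // (or would match every client). Confirm against the deployment.
                    final String addressRecord = this.revocationCache.getRevocationRecord(
                            REVOCATION_CONTEXT, ADDRESS_REVOCATION_PREFIX + request.getRemoteAddr());
                    if (addressRecord != null) {
                        records.add(addressRecord);
                    }
                }

                scratch.getMap().put(getClass(), records);
            } catch (IOException e) {
                // Nothing is cached on failure, so the next evaluation retries the lookup.
                this.log.error("Error checking revocation cache for principal {}, treating as revoked", principalName, e);
                return true;
            }
        }

        // The scratch map is untyped; the entry under this key is only ever written above.
        @SuppressWarnings("unchecked")
        final Collection<String> cachedRecords = (Collection<String>) scratch.getMap().get(getClass());
        return isRevoked(principalName, authenticationResult, cachedRecords);
    }

    /**
     * Compares the authentication instant of a result with a set of revocation records.
     *
     * <p>Each record is parsed as a decimal number of seconds since the epoch. A record that
     * cannot be parsed, or that lies outside the range {@link Instant} can represent, is logged and
     * treated as a revocation, matching the fail-closed handling of cache I/O errors in
     * {@link #test(ProfileRequestContext, AuthenticationResult)}, rather than escaping as an
     * unchecked exception.</p>
     *
     * @param str principal name, used for logging only
     * @param authenticationResult the result being checked
     * @param collection revocation records to evaluate
     * @return {@code true} if the result was issued strictly before any record's timestamp, or if
     *         a record is malformed; {@code false} otherwise
     */
    protected boolean isRevoked(@NotEmpty @Nonnull String str, @Nonnull AuthenticationResult authenticationResult, @NonnullElements @Nonnull Collection<String> collection) {
        for (final String record : collection) {
            final Instant revokedBefore;
            try {
                revokedBefore = Instant.ofEpochSecond(Long.parseLong(record));
            } catch (NumberFormatException | DateTimeException e) {
                this.log.error("Revocation record for principal {} is not a valid epoch-second timestamp, treating as revoked", str, e);
                return true;
            }
            if (authenticationResult.getAuthenticationInstant().isBefore(revokedBefore)) {
                this.log.info("Authentication result {} for principal {} has been revoked", authenticationResult.getAuthenticationFlowId(), str);
                return true;
            }
        }
        return false;
    }
}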
