package net.shibboleth.idp.authn.impl;

import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.AuthenticationFlowDescriptor;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.MultiFactorAuthenticationTransition;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext;
import net.shibboleth.idp.authn.principal.AuthenticationResultPrincipal;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/impl/PopulateMultiFactorAuthenticationContext.class */
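/**
 * Authentication action that prepares the {@link MultiFactorAuthenticationContext} for a run of a
 * multi-factor login flow.
 *
 * <p>On execution it records the attempted flow's descriptor and the transition rule map on the
 * context, resets the next-flow id, clears any previously stored active results, and then stores
 * whatever the active-result lookup strategy returns so that later steps may reuse them.</p>
 *
 * <p>Security note: whether an earlier authentication result may be reused is decided entirely by
 * the lookup strategy. The default strategy honours forced re-authentication, the request's maxAge,
 * the flow's activation condition, result expiry and the revocation condition. A strategy installed
 * through {@link #setActiveResultLookupStrategy(Function)} has to apply equivalent checks itself,
 * because {@code doExecute} stores the returned results without validating them again. Installing
 * {@code null} disables reuse.</p>
 *
 * <p>Events built by this action: {@code ReselectFlow} when no transition map is available and
 * {@code InvalidProfileContext} when the multi-factor context cannot be obtained.</p>
 */
public class PopulateMultiFactorAuthenticationContext extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(PopulateMultiFactorAuthenticationContext.class);

    /** Supplies the transition rules; the default yields {@code null}, which leads to {@code ReselectFlow}. */
    @Nonnull
    private Function<ProfileRequestContext, Map<String, MultiFactorAuthenticationTransition>> transitionMapLookupStrategy =
            FunctionSupport.constant(null);

    /** Obtains the multi-factor context; by default a child of the {@link AuthenticationContext}, looked up with the create flag set. */
    @Nonnull
    private Function<ProfileRequestContext, MultiFactorAuthenticationContext> multiFactorContextCreationStrategy =
            new ChildContextLookup<>(MultiFactorAuthenticationContext.class, true)
                    .compose(new ChildContextLookup<>(AuthenticationContext.class));

    /** Supplies the results offered for reuse; {@code null} means nothing is ever offered. */
    @Nullable
    private Function<ProfileRequestContext, Collection<AuthenticationResult>> activeResultLookupStrategy =
            new DefaultResultLookupStrategy();

    /**
     * Default source of reusable results.
     *
     * <p>It takes the active result stored under the attempted flow's id, unpacks the results
     * carried inside it as {@link AuthenticationResultPrincipal}s, and keeps only those that pass
     * the checks in {@link #processActiveResult}.</p>
     */
    private class DefaultResultLookupStrategy implements Function<ProfileRequestContext, Collection<AuthenticationResult>> {

        /** Constructor. */
        private DefaultResultLookupStrategy() {
        }

        /**
         * Collects the nested results that may still be reused.
         *
         * @param profileRequestContext current profile request context, may be {@code null}
         * @return {@code null} when there is no context, no attempted flow, no active result for
         *         that flow, forced authentication is requested, or the result carries no nested
         *         results; otherwise the nested results that passed every check (possibly empty)
         */
        @Override
        @Nullable
        public Collection<AuthenticationResult> apply(@Nullable ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return null;
            }

            final AuthenticationContext authnContext = profileRequestContext.getSubcontext(AuthenticationContext.class);
            if (authnContext == null || authnContext.getAttemptedFlow() == null) {
                return null;
            }

            final AuthenticationResult outerResult =
                    authnContext.getActiveResults().get(authnContext.getAttemptedFlow().getId());
            if (outerResult == null) {
                return null;
            }

            // Forced authentication rules out reuse of every nested result, whatever its age.
            if (authnContext.isForceAuthn()) {
                log.debug("{} Ignoring active result due to forced authentication requirement", getLogPrefix());
                return null;
            }

            final Set<AuthenticationResultPrincipal> nestedPrincipals =
                    outerResult.getSubject().getPrincipals(AuthenticationResultPrincipal.class);
            if (nestedPrincipals.isEmpty()) {
                return null;
            }

            final Collection<AuthenticationResult> reusable = new ArrayList<>(nestedPrincipals.size());
            for (final AuthenticationResultPrincipal principal : nestedPrincipals) {
                final AuthenticationResult nested = principal.getAuthenticationResult();
                // The nested result takes over the outer result's last-activity time before it is
                // checked. NOTE(review): presumably isResultActive() reads this timestamp - confirm
                // against AuthenticationFlowDescriptor.
                nested.setLastActivityInstant(outerResult.getLastActivityInstant());
                processActiveResult(profileRequestContext, authnContext, reusable, nested);
            }
            return reusable;
        }

        /**
         * Adds one nested result to the output if nothing disqualifies it.
         *
         * <p>A result is dropped, with a log entry, when its login flow is not among the available
         * flows, the flow's activation condition rejects the request, the flow reports the result
         * as no longer active, the request's maxAge has elapsed since the authentication instant,
         * or the flow's revocation condition matches.</p>
         *
         * @param profileRequestContext current profile request context
         * @param authenticationContext authentication context holding the available flows and maxAge
         * @param collection output collection that receives accepted results
         * @param authenticationResult nested result under evaluation
         */
        void processActiveResult(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull Collection<AuthenticationResult> collection, @Nonnull AuthenticationResult authenticationResult) {
            final AuthenticationFlowDescriptor descriptor =
                    authenticationContext.getAvailableFlows().get(authenticationResult.getAuthenticationFlowId());
            if (descriptor == null) {
                log.warn("{} Ignoring active result from undefined login flow {}", getLogPrefix(), authenticationResult.getAuthenticationFlowId());
                return;
            }
            if (!descriptor.test(profileRequestContext)) {
                log.debug("{} Ignoring active result from login flow {} due to activation condition", getLogPrefix(), authenticationResult.getAuthenticationFlowId());
                return;
            }
            if (!descriptor.isResultActive(authenticationResult)) {
                log.debug("{} Result from login flow {} has expired", getLogPrefix(), descriptor.getId());
                return;
            }

            // maxAge is measured from the original authentication instant, not from last activity.
            if (authenticationContext.getMaxAge() != null
                    && authenticationResult.getAuthenticationInstant().plus(authenticationContext.getMaxAge()).isBefore(Instant.now())) {
                log.debug("{} Ignoring active result from login flow {} due to maxAge on request", getLogPrefix(), authenticationResult.getAuthenticationFlowId());
                return;
            }

            // A flow without a revocation condition never revokes; otherwise the condition decides.
            if (descriptor.getRevocationCondition() != null
                    && descriptor.getRevocationCondition().test(profileRequestContext, authenticationResult)) {
                log.debug("{} Ignoring active but revoked result from login flow {}", getLogPrefix(), authenticationResult.getAuthenticationFlowId());
                return;
            }

            collection.add(authenticationResult);
        }
    }

    /** Constructor. */
    PopulateMultiFactorAuthenticationContext() {
    }

    /**
     * Sets the strategy that supplies the map of transition rules.
     *
     * @param function lookup strategy, never {@code null}
     */
    public void setTransitionMapLookupStrategy(@Nonnull Function<ProfileRequestContext, Map<String, MultiFactorAuthenticationTransition>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.transitionMapLookupStrategy = Constraint.isNotNull(function, "Transition map lookup strategy cannot be null");
    }

    /**
     * Sets the strategy that locates or creates the {@link MultiFactorAuthenticationContext}.
     *
     * @param function creation strategy, never {@code null}
     */
    public void setMultiFactorContextCreationStrategy(@Nonnull Function<ProfileRequestContext, MultiFactorAuthenticationContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.multiFactorContextCreationStrategy = Constraint.isNotNull(function, "MultiFactorAuthenticationContext creation strategy cannot be null");
    }

    /**
     * Sets the strategy that supplies results offered for reuse.
     *
     * <p>The results it returns are stored as-is, so a replacement strategy carries the full
     * responsibility for forced-authentication, maxAge, expiry and revocation filtering.</p>
     *
     * @param function lookup strategy, or {@code null} to offer no results for reuse
     */
    public void setActiveResultLookupStrategy(@Nullable Function<ProfileRequestContext, Collection<AuthenticationResult>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.activeResultLookupStrategy = function;
    }

    /**
     * Populates the multi-factor context for the attempted flow.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    @Override
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        final Map<String, MultiFactorAuthenticationTransition> transitionMap =
                this.transitionMapLookupStrategy.apply(profileRequestContext);
        if (transitionMap == null) {
            this.log.info("No map of transition rules was returned");
            ActionSupport.buildEvent(profileRequestContext, "ReselectFlow");
            return;
        }

        final MultiFactorAuthenticationContext mfaContext =
                this.multiFactorContextCreationStrategy.apply(profileRequestContext);
        if (mfaContext == null) {
            this.log.error("{} Unable to create/access MultiFactorAuthenticationContext", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return;
        }

        // Reset the context first so that nothing from an earlier run survives if no results
        // are offered below.
        mfaContext.setAuthenticationFlowDescriptor(authenticationContext.getAttemptedFlow());
        mfaContext.setTransitionMap(transitionMap);
        mfaContext.setNextFlowId((String) null);
        mfaContext.getActiveResults().clear();

        if (this.activeResultLookupStrategy == null) {
            this.log.debug("{} No lookup strategy provided, no active results will be made available", getLogPrefix());
            return;
        }

        final Collection<AuthenticationResult> reusable = this.activeResultLookupStrategy.apply(profileRequestContext);
        if (reusable == null) {
            this.log.debug("{} No active results extracted", getLogPrefix());
            return;
        }

        // Keyed by flow id: a later result for the same flow replaces an earlier one.
        for (final AuthenticationResult result : reusable) {
            mfaContext.getActiveResults().put(result.getAuthenticationFlowId(), result);
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("{} {} active result(s) extracted for possible reuse: {}", getLogPrefix(), reusable.size(), mfaContext.getActiveResults().keySet());
        }
    }
}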
