package net.shibboleth.idp.authn.impl;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AccountLockoutManager;
import net.shibboleth.idp.authn.CredentialValidator;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/impl/ValidateCredentials.class */
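/**
 * Authentication action that runs the configured {@link CredentialValidator}s in order and
 * turns their results into a single authentication result.
 *
 * <p>Flow, as implemented in {@link #doExecute}:</p>
 * <ol>
 *   <li>If an {@link AccountLockoutManager} is set and reports the account as locked, the
 *       action fails with {@code AccountLocked} before any validator is invoked.</li>
 *   <li>Each validator is called in turn. A non-null {@link Subject} is collected; a
 *       {@code null} return is treated as "no result from this validator".</li>
 *   <li>With {@code requireAll == false} the first non-null result ends the action
 *       successfully. With {@code requireAll == true} the first exception stops the loop,
 *       and success requires no signaled error and at least one collected result.</li>
 *   <li>On failure with a signaled error the lockout counter is incremented; on success it
 *       is cleared.</li>
 * </ol>
 *
 * <p>NOTE(review): {@code results}, {@code currentValidator}, {@code warningSignaled} and
 * {@code errorSignaled} are per-execution state held in instance fields and are never reset
 * here. An instance reused for a second request, or shared between concurrent requests,
 * would carry over another request's subjects and error flags. Presumably the surrounding
 * framework creates one instance per execution; confirm the bean scope in the deployment.</p>
 */
public class ValidateCredentials extends AbstractAuditingValidationAction implements CredentialValidator.WarningHandler, CredentialValidator.ErrorHandler {

    /** Base metric name; the current validator's id is appended in {@link #getMetricName()}. */
    @NotEmpty
    @Nonnull
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn";

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateCredentials.class);

    /** Validators to try, in order. Always an immutable list, never null. */
    @NonnullElements
    @Nonnull
    private List<CredentialValidator> credentialValidators;

    /** When true, every validator that produces a result must succeed and any exception is fatal. */
    private boolean requireAll;

    /** Optional lockout tracking; when null no lockout check, increment or clear happens. */
    @Nullable
    private AccountLockoutManager lockoutManager;

    /** Subjects returned by validators during this execution. */
    @NonnullElements
    @Nonnull
    private Collection<Subject> results;

    /** Validator being (or last) invoked; null until the loop in doExecute selects one. */
    @Nullable
    private CredentialValidator currentValidator;

    /** Set once any warning has been reported through {@link #handleWarning}. */
    private boolean warningSignaled;

    /** Set once any error has been reported through a {@code handleError} overload or the catch block. */
    private boolean errorSignaled;

    /**
     * Cleanup hook that drops the submitted password and removes the
     * {@link UsernamePasswordContext} from the {@link AuthenticationContext}.
     *
     * <p>Setting the password to {@code null} only releases the context's reference. Java
     * strings are immutable, so the characters themselves stay in the heap until the
     * object is garbage-collected; this hook shortens exposure but does not wipe memory.</p>
     */
    public static class UsernamePasswordCleanupHook implements Consumer<ProfileRequestContext> {
        /**
         * Clears the password and detaches the username/password subcontext, if present.
         *
         * @param profileRequestContext current profile request context; a null value, or a
         *     context tree without the expected subcontexts, makes this a no-op
         */
        @Override
        public void accept(@Nullable ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return;
            }
            AuthenticationContext authenticationContext = profileRequestContext.getSubcontext(AuthenticationContext.class);
            if (authenticationContext == null) {
                return;
            }
            UsernamePasswordContext usernamePasswordContext = authenticationContext.getSubcontext(UsernamePasswordContext.class);
            if (usernamePasswordContext == null) {
                return;
            }
            // Null the secret first so it is gone even if something still holds the context.
            usernamePasswordContext.setPassword((String) null);
            authenticationContext.removeSubcontext(usernamePasswordContext);
        }
    }

    /** Creates the action with the default metric name, no validators and an empty result set. */
    public ValidateCredentials() {
        setMetricName(DEFAULT_METRIC_NAME);
        this.credentialValidators = Collections.emptyList();
        this.results = new ArrayList<>(1);
    }

    /**
     * Sets the optional lockout manager.
     *
     * @param accountLockoutManager lockout manager, or null to disable lockout handling
     */
    public void setLockoutManager(@Nullable AccountLockoutManager accountLockoutManager) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.lockoutManager = accountLockoutManager;
    }

    /**
     * Sets the validators to run. The list is copied, so later changes by the caller have
     * no effect; {@link List#copyOf} rejects null elements.
     *
     * @param list validators in the order they should be tried, or null for none
     */
    public void setValidators(@NonnullElements @Nullable List<CredentialValidator> list) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.credentialValidators = list != null ? List.copyOf(list) : Collections.emptyList();
    }

    /**
     * Sets whether all validators must succeed rather than just the first one.
     *
     * @param z true to require all, false to stop at the first success
     */
    public void setRequireAll(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.requireAll = z;
    }

    /**
     * Returns the metric name qualified with the current validator's id.
     *
     * @return {@code <base>.<validatorId>}, or the base name alone while no validator has
     *     been selected (for example on the lockout path, which runs before the loop)
     */
    @NotEmpty
    @Nonnull
    public String getMetricName() {
        final CredentialValidator validator = this.currentValidator;
        if (validator == null) {
            // The field is @Nullable; avoid a NullPointerException before a validator is chosen.
            return super.getMetricName();
        }
        return super.getMetricName() + "." + validator.getId();
    }

    /** Records that a warning was signaled, then delegates to the superclass. */
    public void handleWarning(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable String str, @NotEmpty @Nonnull String str2) {
        this.warningSignaled = true;
        super.handleWarning(profileRequestContext, authenticationContext, str, str2);
    }

    /** Records that an error was signaled, then delegates to the superclass. */
    public void handleError(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable String str, @NotEmpty @Nonnull String str2) {
        this.errorSignaled = true;
        super.handleError(profileRequestContext, authenticationContext, str, str2);
    }

    /** Records that an error was signaled, then delegates to the superclass. */
    public void handleError(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull Exception exc, @NotEmpty @Nonnull String str) {
        this.errorSignaled = true;
        super.handleError(profileRequestContext, authenticationContext, exc, str);
    }

    /**
     * Runs the lockout check and the validator chain; see the class description for the
     * decision rules.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        // Refuse a locked account before any validator is handed the credentials.
        if (this.lockoutManager != null && this.lockoutManager.check(profileRequestContext)) {
            this.log.info("{} Account locked out, aborting authentication", getLogPrefix());
            handleError(profileRequestContext, authenticationContext, "AccountLocked", "AccountLocked");
            return;
        }
        for (CredentialValidator credentialValidator : this.credentialValidators) {
            this.log.trace("{} Attempting credential validation via {}", getLogPrefix(), credentialValidator.getId());
            this.currentValidator = credentialValidator;
            try {
                Subject validated = this.currentValidator.validate(profileRequestContext, authenticationContext, this, this);
                if (validated != null) {
                    this.results.add(validated);
                    if (!this.requireAll) {
                        // First success wins. Kept inside the try so an exception while
                        // building the result is handled like a validator failure.
                        finishSuccessfully(profileRequestContext, authenticationContext);
                        return;
                    }
                }
            } catch (Exception e) {
                // Report only the first error unless every validator is mandatory.
                if (this.requireAll || !this.errorSignaled) {
                    super.handleError(profileRequestContext, authenticationContext, e, "AuthenticationException");
                    this.errorSignaled = true;
                }
                recordFailure(profileRequestContext);
                if (this.requireAll) {
                    break;
                }
            }
        }
        if (this.requireAll && !this.errorSignaled && !this.results.isEmpty()) {
            finishSuccessfully(profileRequestContext, authenticationContext);
            return;
        }
        if (!this.errorSignaled) {
            // Nothing failed and nothing succeeded: no validator produced a result.
            // This path does not count against the lockout threshold.
            this.log.warn("{} No validators were available or usable", getLogPrefix());
            handleError(profileRequestContext, authenticationContext, "RequestUnsupported", "RequestUnsupported");
        } else if (this.lockoutManager != null) {
            // One increment per failed execution, regardless of how many validators failed.
            this.lockoutManager.increment(profileRequestContext);
        }
    }

    /**
     * Records success, builds the authentication result and, unless a warning was
     * signaled, builds the proceed event.
     */
    private void finishSuccessfully(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        recordSuccess(profileRequestContext);
        buildAuthenticationResult(profileRequestContext, authenticationContext);
        if (!this.warningSignaled) {
            ActionSupport.buildProceedEvent(profileRequestContext);
        }
    }

    /**
     * Merges the principals and the public and private credentials of every collected
     * result into the supplied subject.
     *
     * @param subject subject to populate
     * @return the same subject instance
     */
    @Nonnull
    protected Subject populateSubject(@Nonnull Subject subject) {
        for (Subject validated : this.results) {
            subject.getPrincipals().addAll(validated.getPrincipals());
            subject.getPublicCredentials().addAll(validated.getPublicCredentials());
            subject.getPrivateCredentials().addAll(validated.getPrivateCredentials());
        }
        return subject;
    }

    /**
     * Clears the lockout state, if a lockout manager is set, and then records the success.
     * A failed clear is only logged, so the stored failure count may outlive the
     * successful login.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction
    public void recordSuccess(@Nonnull ProfileRequestContext profileRequestContext) {
        if (this.lockoutManager != null && !this.lockoutManager.clear(profileRequestContext)) {
            this.log.warn("{} Failed to clear lockout state", getLogPrefix());
        }
        super.recordSuccess(profileRequestContext);
    }

    /**
     * Returns the audit fields for this execution: the id of the current validator under
     * the key {@code CV}.
     *
     * @return a single-entry map, or an empty map while no validator has been selected
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction
    @NonnullElements
    @Nullable
    public Map<String, String> getAuditFields(@Nonnull ProfileRequestContext profileRequestContext) {
        final CredentialValidator validator = this.currentValidator;
        if (validator == null) {
            // The field is @Nullable; avoid a NullPointerException in the audit path.
            return Collections.emptyMap();
        }
        return Map.of("CV", validator.getId());
    }
}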
