package net.shibboleth.idp.authn.impl;

import java.util.Collection;
import java.util.Set;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UsernameContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/authn/impl/ValidateRemoteUser.class */
/**
 * Validation action that accepts or rejects the username held in a {@link UsernameContext}.
 *
 * <p>The decision is based only on the username string: optional allow and deny sets plus an
 * optional regular expression. No password or other secret is examined in this class, so the
 * username is only as trustworthy as whatever populated the {@link UsernameContext}
 * (presumably a container- or proxy-supplied identity; confirm that source cannot be set by
 * the client).</p>
 *
 * <p>On success a {@link UsernamePrincipal} carrying the username is added to the
 * {@link Subject}.</p>
 */
public class ValidateRemoteUser extends AbstractAuditingValidationAction {

    /** Metric name handed to {@code setMetricName} by the constructor. */
    @Nonnull
    @NotEmpty
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.remoteuser";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateRemoteUser.class);

    /** Usernames accepted by exact match; an empty set means "no allow list configured". */
    @Nonnull
    private Set<String> allowedUsernames = CollectionSupport.emptySet();

    /** Usernames rejected by exact match (see {@link #isAuthenticated(String)} for precedence). */
    @Nonnull
    private Set<String> deniedUsernames = CollectionSupport.emptySet();

    /** Optional expression the whole username must match; {@code null} when unset. */
    @Nullable
    private Pattern matchExpression;

    /** Context holding the username to validate; assigned in {@code doPreExecute}. */
    @NonnullBeforeExec
    private UsernameContext usernameContext;

    /** Creates the action and installs the default metric name. */
    public ValidateRemoteUser() {
        setMetricName(DEFAULT_METRIC_NAME);
    }

    /**
     * Sets the usernames to accept.
     *
     * <p>Entries are passed through {@code StringSupport.normalizeStringCollection} and copied
     * into a set (presumably trimming and dropping null/empty entries; confirm). Lookups use
     * {@code Set.contains}, i.e. exact string equality, so no case folding is applied here.</p>
     *
     * @param collection usernames to allow, may be {@code null}
     */
    public void setAllowedUsernames(@Nullable Collection<String> collection) {
        checkSetterPreconditions();
        final Collection<String> normalized = StringSupport.normalizeStringCollection(collection);
        allowedUsernames = CollectionSupport.copyToSet(normalized);
    }

    /**
     * Sets the usernames to reject.
     *
     * <p>Matching is exact string equality via {@code Set.contains}. If the system that
     * consumes the resulting principal treats usernames case-insensitively, every spelling
     * that should be blocked has to be covered (by the entries here or by the match
     * expression).</p>
     *
     * @param collection usernames to deny, may be {@code null}
     */
    public void setDeniedUsernames(@Nullable Collection<String> collection) {
        checkSetterPreconditions();
        final Collection<String> normalized = StringSupport.normalizeStringCollection(collection);
        deniedUsernames = CollectionSupport.copyToSet(normalized);
    }

    /**
     * Sets the expression usernames are tested against.
     *
     * <p>A {@code null} pattern or one whose source text is empty clears the expression. The
     * pattern is applied with {@code Matcher.matches()}, which requires the entire username to
     * match, so explicit {@code ^}/{@code $} anchors are not needed.</p>
     *
     * @param pattern expression to apply, or {@code null} to clear it
     */
    public void setMatchExpression(@Nullable Pattern pattern) {
        checkSetterPreconditions();
        final boolean usable = pattern != null && !pattern.pattern().isEmpty();
        matchExpression = usable ? pattern : null;
    }

    /**
     * Locates the {@link UsernameContext} and checks that it carries a username.
     *
     * <p>Signals {@code NoCredentials} through {@code handleError} and stops the action when
     * either the context or the username is missing.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return {@code true} if the superclass check passed and a username is available
     */
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }

        usernameContext = authenticationContext.getSubcontext(UsernameContext.class);

        final String problem;
        if (usernameContext == null) {
            problem = "{} No UsernameContext available within authentication context";
        } else if (usernameContext.getUsername() == null) {
            problem = "{} No username available within UsernameContext";
        } else {
            return true;
        }

        log.debug(problem, getLogPrefix());
        handleError(profileRequestContext, authenticationContext, "NoCredentials", "NoCredentials");
        return false;
    }

    /**
     * Applies {@link #isAuthenticated(String)} to the username and records the outcome.
     *
     * <p>The username is written to the log at INFO level as supplied. NOTE(review): if the
     * value can contain attacker-chosen characters, make sure the logging layout neutralises
     * line breaks.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        final String username = usernameContext.getUsername();
        // doPreExecute already rejected a null username.
        assert username != null;

        if (!isAuthenticated(username)) {
            log.info("{} User '{}' was not valid", getLogPrefix(), username);
            handleError(profileRequestContext, authenticationContext, "InvalidCredentials", "InvalidCredentials");
            recordFailure(profileRequestContext);
            return;
        }

        log.info("{} Validated user '{}'", getLogPrefix(), username);
        recordSuccess(profileRequestContext);
        buildAuthenticationResult(profileRequestContext, authenticationContext);
    }

    /**
     * Decides whether a username is acceptable.
     *
     * <ul>
     * <li>An allow list is configured and the username is not on it: accepted only if a match
     * expression is set and the username matches it. NOTE(review): the deny list is not
     * consulted on this path, so a denied name that matches the expression is accepted;
     * confirm this precedence is intended for the deployment.</li>
     * <li>Otherwise (no allow list, or the username is on it): rejected if on the deny list;
     * if a match expression is set the username must also match it.</li>
     * </ul>
     *
     * @param username username to evaluate
     * @return {@code true} if the username passes the configured checks
     */
    private boolean isAuthenticated(@Nonnull @NotEmpty String username) {
        final Pattern expression = matchExpression;

        final boolean outsideAllowList = !allowedUsernames.isEmpty() && !allowedUsernames.contains(username);
        if (outsideAllowList) {
            // Only the expression can admit a name missing from a configured allow list.
            return expression != null && expression.matcher(username).matches();
        }

        if (deniedUsernames.contains(username)) {
            return false;
        }
        return expression == null || expression.matcher(username).matches();
    }

    /**
     * Adds a {@link UsernamePrincipal} for the validated username to the subject.
     *
     * @param subject subject to populate
     * @return the same subject instance
     */
    @Nonnull
    protected Subject populateSubject(@Nonnull Subject subject) {
        final String username = usernameContext.getUsername();
        assert username != null;

        final UsernamePrincipal principal = new UsernamePrincipal(username);
        subject.getPrincipals().add(principal);
        return subject;
    }
}
