package net.shibboleth.idp.authn.revocation.impl;

import java.time.DateTimeException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.function.BiPredicate;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.attribute.DateTimeAttributeValue;
import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.StringAttributeValue;
import net.shibboleth.idp.attribute.resolver.AttributeResolver;
import net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.profile.context.navigate.IssuerLookupFunction;
import net.shibboleth.profile.context.navigate.RelyingPartyIdLookupFunction;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.component.AbstractInitializableComponent;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import net.shibboleth.shared.service.ReloadableService;
import org.opensaml.messaging.context.ScratchContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/authn/revocation/impl/AttributeRevocationCondition.class */
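/**
 * Revocation condition for {@link AuthenticationResult}s that is driven by an attribute
 * obtained from the attribute resolver.
 *
 * <p>For the principal name produced by the configured lookup strategy, the attribute named by
 * {@code attributeId} is resolved and each of its values is read as a revocation instant. A
 * result counts as revoked ({@link #test} returns {@code true}) when its authentication instant
 * is strictly before any of those instants.</p>
 *
 * <p>Failure behaviour that matters when relying on this check:</p>
 * <ul>
 * <li>Null inputs, or a null principal name, are reported as revoked (fail closed).</li>
 * <li>A string value that cannot be parsed as epoch seconds is logged at ERROR and skipped, so on
 * its own it never causes a revocation. Alert on that log message so that malformed revocation
 * data does not go unnoticed.</li>
 * <li>If the resolver returns no attribute with the configured ID, nothing is revoked.
 * NOTE(review): whether a back-end outage surfaces here as "no attribute" depends on the resolver
 * configuration, which is not visible in this class; confirm it before relying on this check.</li>
 * </ul>
 */
public class AttributeRevocationCondition extends AbstractInitializableComponent
        implements BiPredicate<ProfileRequestContext, AuthenticationResult> {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AttributeRevocationCondition.class);

    /** Strategy yielding the principal name whose revocation records are resolved. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, String> principalNameLookupStrategy;

    /** Optional strategy supplying the attribute issuer ID for the resolution context. */
    @Nullable
    private Function<ProfileRequestContext, String> issuerLookupStrategy = new IssuerLookupFunction();

    /** Optional strategy supplying the attribute recipient ID for the resolution context. */
    @Nullable
    private Function<ProfileRequestContext, String> recipientLookupStrategy = new RelyingPartyIdLookupFunction();

    /** Attribute resolver service used to obtain the revocation attribute. */
    @NonnullAfterInit
    private ReloadableService<AttributeResolver> attributeResolver;

    /** ID of the attribute whose values are the revocation instants. */
    @NotEmpty
    @NonnullAfterInit
    private String attributeId;

    /**
     * Sets the strategy used to obtain the principal name.
     *
     * @param function lookup strategy, must not be null
     */
    public void setPrincipalNameLookupStrategy(@Nonnull Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        this.principalNameLookupStrategy =
                Constraint.isNotNull(function, "Principal name lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to obtain the attribute issuer ID.
     *
     * @param function lookup strategy, or null to leave the issuer ID unset
     */
    public void setIssuerLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        this.issuerLookupStrategy = function;
    }

    /**
     * Sets the strategy used to obtain the attribute recipient ID.
     *
     * @param function lookup strategy, or null to leave the recipient ID unset
     */
    public void setRecipientLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        this.recipientLookupStrategy = function;
    }

    /**
     * Sets the attribute resolver service.
     *
     * @param reloadableService resolver service, must not be null
     */
    public void setAttributeResolver(@Nonnull ReloadableService<AttributeResolver> reloadableService) {
        checkSetterPreconditions();
        this.attributeResolver =
                Constraint.isNotNull(reloadableService, "ReloadableService<AttributeResolver> cannot be null");
    }

    /**
     * Sets the ID of the attribute carrying the revocation instants.
     *
     * @param str attribute ID; trimmed, and rejected if null or empty after trimming
     */
    public void setAttributeId(@Nonnull @NotEmpty String str) {
        checkSetterPreconditions();
        this.attributeId =
                Constraint.isNotNull(StringSupport.trimOrNull(str), "Attribute ID cannot be null or empty");
    }

    /**
     * Verifies that the resolver, the principal name strategy and the attribute ID were all set.
     *
     * @throws ComponentInitializationException if any of the three is missing
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.attributeResolver == null) {
            throw new ComponentInitializationException("ReloadableService<AttributeResolver> cannot be null");
        }
        if (this.principalNameLookupStrategy == null) {
            throw new ComponentInitializationException("Principal name lookup strategy cannot be null");
        }
        if (this.attributeId == null) {
            throw new ComponentInitializationException("Attribute ID to resolve cannot be null or empty");
        }
    }

    /**
     * Decides whether the supplied authentication result has been revoked.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationResult the result being checked
     * @return {@code true} if the result is revoked, or if the check cannot be carried out because
     *         an input or the principal name is null; {@code false} otherwise
     */
    @Override
    public boolean test(@Nullable ProfileRequestContext profileRequestContext, @Nullable AuthenticationResult authenticationResult) {
        checkComponentActive();

        // Fail closed: without both inputs the result is treated as revoked.
        if (profileRequestContext == null || authenticationResult == null) {
            this.log.error("Called with null inputs");
            return true;
        }

        final String principalName = this.principalNameLookupStrategy.apply(profileRequestContext);
        if (principalName == null) {
            // Fail closed: no principal means no way to look up revocation records.
            this.log.error("Principal lookup strategy returned null value");
            return true;
        }

        this.log.debug("Checking revocation for principal name {} for {} result via attribute resolver",
                principalName, authenticationResult.getAuthenticationFlowId());

        // The records are resolved once and stored in the ScratchContext under getClass().
        // NOTE(review): the key carries neither the attribute ID nor the principal name, so a
        // second instance of the same class evaluated against the same context would presumably
        // reuse these records; verify if more than one such condition is configured.
        final ScratchContext scratch = profileRequestContext.ensureSubcontext(ScratchContext.class);
        if (!scratch.getMap().containsKey(getClass())) {
            final AttributeResolutionContext resolutionContext =
                    buildResolutionContext(profileRequestContext, principalName);
            assert this.attributeResolver != null;
            resolutionContext.resolveAttributes(this.attributeResolver);

            final Collection<Instant> resolved = extractRevocationInstants(resolutionContext, principalName);
            scratch.getMap().put(getClass(), resolved);

            // The resolution context was only attached for this lookup.
            resolutionContext.removeFromParent();
        }

        // Only this class stores a value under this key, and it is always a Collection<Instant>.
        @SuppressWarnings("unchecked")
        final Collection<Instant> records = (Collection<Instant>) scratch.getMap().get(getClass());
        return isRevoked(principalName, authenticationResult, records);
    }

    /**
     * Converts the values of the configured attribute into revocation instants.
     *
     * <p>{@link DateTimeAttributeValue}s are used as they are; {@link StringAttributeValue}s are
     * read as a count of seconds since the epoch. A timestamp written in milliseconds still parses
     * but yields an instant far in the future, which would revoke every result, so the data source
     * must emit seconds.</p>
     *
     * @param resolutionContext context holding the resolved attributes
     * @param principalName principal name, used for logging only
     * @return the instants that could be extracted, possibly empty
     */
    @Nonnull
    private Collection<Instant> extractRevocationInstants(@Nonnull AttributeResolutionContext resolutionContext,
            @Nonnull String principalName) {
        final Collection<Instant> instants = new ArrayList<>();

        if (!resolutionContext.getResolvedIdPAttributes().containsKey(this.attributeId)) {
            this.log.debug("Resolver did not return an IdPAttribute named {} for principal {}",
                    this.attributeId, principalName);
            return instants;
        }

        final IdPAttribute attribute = resolutionContext.getResolvedIdPAttributes().get(this.attributeId);
        // Typed as Object so that both instanceof checks are legal whatever the value class is.
        for (final Object value : attribute.getValues()) {
            if (value instanceof DateTimeAttributeValue) {
                instants.add(((DateTimeAttributeValue) value).getValue());
            } else if (value instanceof StringAttributeValue) {
                final String raw = ((StringAttributeValue) value).getValue();
                try {
                    instants.add(Instant.ofEpochSecond(Long.parseLong(raw)));
                } catch (NumberFormatException | DateTimeException e) {
                    // The value is dropped, so a malformed record never revokes anything.
                    this.log.error("Error parsing timestamp '{}' into epoch", raw, e);
                }
            } else {
                this.log.warn("Ignoring non-string attribute value type: {}", value.getClass().getName());
            }
        }
        return instants;
    }

    /**
     * Creates the resolution context for the revocation lookup and attaches it to the profile
     * request context.
     *
     * @param profileRequestContext current profile request context
     * @param str principal name to resolve for
     * @return the new context, requesting only the configured attribute
     */
    @Nonnull
    private AttributeResolutionContext buildResolutionContext(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull @NotEmpty String str) {
        final AttributeResolutionContext resolutionContext = new AttributeResolutionContext();
        resolutionContext.setPrincipal(str).setResolutionLabel("authn/revocation");

        assert this.attributeId != null;
        resolutionContext.setRequestedIdPAttributeNames(CollectionSupport.singletonList(this.attributeId));

        if (this.recipientLookupStrategy != null) {
            resolutionContext.setAttributeRecipientID(this.recipientLookupStrategy.apply(profileRequestContext));
        }
        if (this.issuerLookupStrategy != null) {
            resolutionContext.setAttributeIssuerID(this.issuerLookupStrategy.apply(profileRequestContext));
        }

        // NOTE(review): the second argument appears to request replacement of an existing
        // subcontext of the same type; confirm that no caller expects an earlier
        // AttributeResolutionContext to survive this call.
        profileRequestContext.addSubcontext(resolutionContext, true);
        return resolutionContext;
    }

    /**
     * Compares the authentication instant with the revocation instants.
     *
     * <p>The comparison is strict: a result authenticated exactly at a revocation instant is not
     * considered revoked.</p>
     *
     * @param str principal name, used for logging only
     * @param authenticationResult the result being checked
     * @param collection revocation instants for the principal
     * @return {@code true} if the result was authenticated before any revocation instant
     */
    protected boolean isRevoked(@Nonnull @NotEmpty String str, @Nonnull AuthenticationResult authenticationResult, @Nonnull Collection<Instant> collection) {
        for (final Instant revokedAt : collection) {
            if (authenticationResult.getAuthenticationInstant().isBefore(revokedAt)) {
                this.log.info("Authentication result {} for principal {} has been revoked",
                        authenticationResult.getAuthenticationFlowId(), str);
                return true;
            }
        }
        return false;
    }
}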
