package net.shibboleth.idp.saml.saml2.profile.impl;

import com.google.common.base.Function;
import com.google.common.base.Functions;
import java.security.Principal;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.principal.DefaultPrincipalDeterminationStrategy;
import net.shibboleth.idp.profile.config.navigate.IdentifierGenerationStrategyLookupFunction;
import net.shibboleth.idp.profile.context.navigate.ResponderIdLookupFunction;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextDeclRefPrincipal;
import net.shibboleth.idp.saml.profile.config.navigate.SessionLifetimeLookupFunction;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.messaging.context.navigate.MessageLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.OutboundMessageContextLookup;
import org.opensaml.saml.common.SAMLObjectBuilder;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.SubjectLocality;
import org.opensaml.saml.saml2.profile.SAML2ActionSupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/saml/saml2/profile/impl/AddAuthnStatementToAssertion.class */
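/**
 * Action that builds a SAML 2 {@link AuthnStatement} from the current {@link AuthenticationResult} and adds it to an
 * {@link Assertion} in the outbound {@link Response}, creating a new assertion when required.
 *
 * <p>Preconditions (checked in {@link #doPreExecute}): an {@link IdentifierGenerationStrategy}, an issuer value, an
 * {@link AuthenticationResult} on the {@link AuthenticationContext}, and an outbound {@link Response}. A missing
 * input signals {@code InvalidProfileContext}, {@code InvalidAuthenticationContext} or {@code InvalidMessageContext}
 * respectively and the action does not execute.</p>
 *
 * <p>The statement's {@code AuthnContext} is taken from the matching principal recorded in the
 * {@link RequestedPrincipalContext} (class ref or decl ref) when one is present; otherwise the configured class-ref
 * lookup strategy is consulted, which by default yields the SAML {@code unspecified} class.</p>
 *
 * <p>Security-relevant outputs: the {@code SessionIndex} is produced by the configured
 * {@link IdentifierGenerationStrategy} (it is later echoed by the SP in logout requests, so the strategy should be
 * unguessable — this class does not enforce that); {@code SessionNotOnOrAfter} is relative to the current wall clock,
 * not to the authentication instant; and {@code SubjectLocality/@Address} is whatever the servlet container reports
 * as the remote address.</p>
 *
 * <p>Note (review): this listing is decompiled. The local holding the matching principal is typed as
 * {@link Principal} here, as the {@code instanceof} checks against two unrelated principal classes would not compile
 * with the narrower type the decompiler emitted.</p>
 */
public class AddAuthnStatementToAssertion extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AddAuthnStatementToAssertion.class);

    /** Whether the statement goes into its own assertion rather than the response's first existing one. */
    private boolean statementInOwnAssertion = false;

    /** Strategy used to locate the outbound {@link Response} to modify. */
    @Nonnull
    private Function<ProfileRequestContext, Response> responseLookupStrategy =
            Functions.compose(new MessageLookup(Response.class), new OutboundMessageContextLookup());

    /** Strategy used to locate the {@link IdentifierGenerationStrategy} for assertion IDs and the SessionIndex. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, IdentifierGenerationStrategy> idGeneratorLookupStrategy =
            new IdentifierGenerationStrategyLookupFunction();

    /** Strategy used to obtain the assertion issuer value. */
    @Nullable
    private Function<ProfileRequestContext, String> issuerLookupStrategy = new ResponderIdLookupFunction();

    /** Strategy supplying the AuthnContextClassRef when no requested principal matched. */
    @Nonnull
    private Function<ProfileRequestContext, AuthnContextClassRefPrincipal> classRefLookupStrategy =
            new DefaultPrincipalDeterminationStrategy(AuthnContextClassRefPrincipal.class,
                    new AuthnContextClassRefPrincipal("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"));

    /** Strategy supplying the session lifetime (milliseconds); null or non-positive disables SessionNotOnOrAfter. */
    @Nullable
    private Function<ProfileRequestContext, Long> sessionLifetimeLookupStrategy = new SessionLifetimeLookupFunction();

    /** Identifier generator resolved during {@link #doPreExecute}. */
    @Nullable
    private IdentifierGenerationStrategy idGenerator;

    /** Authentication result resolved during {@link #doPreExecute}. */
    @Nullable
    private AuthenticationResult authenticationResult;

    /** Response resolved during {@link #doPreExecute}. */
    @Nullable
    private Response response;

    /** Issuer value resolved during {@link #doPreExecute}. */
    @Nullable
    private String issuerId;

    /**
     * Set whether the statement should be placed in its own assertion.
     *
     * @param z true to always create a fresh assertion for the statement
     */
    public void setStatementInOwnAssertion(final boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        statementInOwnAssertion = z;
    }

    /**
     * Set the strategy used to locate the {@link Response} to operate on.
     *
     * @param function lookup strategy, must not be null
     */
    public void setResponseLookupStrategy(@Nonnull final Function<ProfileRequestContext, Response> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        responseLookupStrategy = Constraint.isNotNull(function, "Response lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to locate the {@link IdentifierGenerationStrategy}.
     *
     * @param function lookup strategy, must not be null
     */
    public void setIdentifierGeneratorLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, IdentifierGenerationStrategy> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        idGeneratorLookupStrategy =
                Constraint.isNotNull(function, "IdentifierGenerationStrategy lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to obtain the assertion issuer value.
     *
     * @param function lookup strategy, must not be null
     */
    public void setIssuerLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        issuerLookupStrategy = Constraint.isNotNull(function, "Issuer lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to determine the fallback AuthnContextClassRef.
     *
     * @param function lookup strategy, must not be null
     */
    public void setClassRefLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, AuthnContextClassRefPrincipal> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        classRefLookupStrategy =
                Constraint.isNotNull(function, "Authentication context class reference strategy cannot be null");
    }

    /**
     * Set the strategy used to determine the session lifetime; null disables SessionNotOnOrAfter.
     *
     * @param function lookup strategy, may be null
     */
    public void setSessionLifetimeLookupStrategy(
            @Nullable final Function<ProfileRequestContext, Long> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        sessionLifetimeLookupStrategy = function;
    }

    /**
     * Resolve the inputs the action needs and signal a failure event if any is missing.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return true iff every input was found and the superclass check also passed
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        log.debug("{} Attempting to add an AuthnStatement to Response", getLogPrefix());

        idGenerator = idGeneratorLookupStrategy.apply(profileRequestContext);
        if (idGenerator == null) {
            log.debug("{} No identifier generation strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        issuerId = issuerLookupStrategy.apply(profileRequestContext);
        if (issuerId == null) {
            log.debug("{} No assertion issuer value", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        authenticationResult = authenticationContext.getAuthenticationResult();
        if (authenticationResult == null) {
            log.debug("{} No AuthenticationResult in current authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidAuthenticationContext");
            return false;
        }

        response = responseLookupStrategy.apply(profileRequestContext);
        if (response == null) {
            log.debug("{} No SAML response located in current profile request context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }

        // The superclass check runs last so that a missing local input is reported with the more specific event.
        return super.doPreExecute(profileRequestContext, authenticationContext);
    }

    /**
     * Build the statement and attach it to the target assertion.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        // The RequestedPrincipalContext is optional; absence means "no specific context was requested".
        final RequestedPrincipalContext requestedPrincipalContext =
                authenticationContext.getSubcontext(RequestedPrincipalContext.class, false);

        final Assertion assertion = getStatementAssertion();
        assertion.getAuthnStatements().add(buildAuthnStatement(profileRequestContext, requestedPrincipalContext));
        log.debug("{} Added AuthenticationStatement to assertion {}", getLogPrefix(), assertion.getID());
    }

    /**
     * Choose the assertion that receives the statement: a freshly added one when configured to do so or when the
     * response has none yet, otherwise the response's first assertion.
     *
     * @return the assertion to add the statement to
     */
    @Nonnull
    private Assertion getStatementAssertion() {
        if (statementInOwnAssertion || response.getAssertions().isEmpty()) {
            return SAML2ActionSupport.addAssertionToResponse(this, response, idGenerator, issuerId);
        }
        return response.getAssertions().get(0);
    }

    /**
     * Build the {@link AuthnStatement} for the current authentication result.
     *
     * @param profileRequestContext current profile request context
     * @param requestedPrincipalContext requested-principal context, or null if none was established
     * @return the populated statement
     */
    @Nonnull
    private AuthnStatement buildAuthnStatement(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nullable final RequestedPrincipalContext requestedPrincipalContext) {
        final XMLObjectBuilderFactory bf = XMLObjectProviderRegistrySupport.getBuilderFactory();
        final SAMLObjectBuilder<AuthnStatement> statementBuilder = (SAMLObjectBuilder<AuthnStatement>)
                bf.<AuthnStatement>getBuilderOrThrow(AuthnStatement.TYPE_NAME);
        final SAMLObjectBuilder<AuthnContext> authnContextBuilder = (SAMLObjectBuilder<AuthnContext>)
                bf.<AuthnContext>getBuilderOrThrow(AuthnContext.TYPE_NAME);
        final SAMLObjectBuilder<SubjectLocality> localityBuilder = (SAMLObjectBuilder<SubjectLocality>)
                bf.<SubjectLocality>getBuilderOrThrow(SubjectLocality.TYPE_NAME);

        final AuthnStatement statement = statementBuilder.buildObject();
        // AuthnInstant reflects when the result was produced, not when this statement is issued.
        statement.setAuthnInstant(new DateTime(authenticationResult.getAuthenticationInstant()));

        final AuthnContext authnContext = authnContextBuilder.buildObject();
        statement.setAuthnContext(authnContext);

        // Declared as Principal: the matching principal may be either a class-ref or a decl-ref principal,
        // which are unrelated types, so the instanceof checks below need the common base type.
        final Principal matchingPrincipal =
                requestedPrincipalContext == null ? null : requestedPrincipalContext.getMatchingPrincipal();
        if (matchingPrincipal instanceof AuthnContextClassRefPrincipal) {
            authnContext.setAuthnContextClassRef(
                    ((AuthnContextClassRefPrincipal) matchingPrincipal).getAuthnContextClassRef());
        } else if (matchingPrincipal instanceof AuthnContextDeclRefPrincipal) {
            authnContext.setAuthnContextDeclRef(
                    ((AuthnContextDeclRefPrincipal) matchingPrincipal).getAuthnContextDeclRef());
        } else {
            // No match (or an unsupported principal type): fall back to the configured default class ref.
            applyDefaultClassRef(authnContext, profileRequestContext);
        }

        // SessionNotOnOrAfter is measured from the current wall clock, not from AuthnInstant.
        if (sessionLifetimeLookupStrategy != null) {
            final Long lifetime = sessionLifetimeLookupStrategy.apply(profileRequestContext);
            if (lifetime != null && lifetime > 0) {
                statement.setSessionNotOnOrAfter(new DateTime().plus(lifetime));
            }
        }

        // The SP may echo this value in LogoutRequests; its unpredictability depends on the configured generator.
        statement.setSessionIndex(idGenerator.generateIdentifier());

        if (getHttpServletRequest() != null) {
            // NOTE(review): getRemoteAddr() is the peer the container sees; behind a reverse proxy this is the
            // proxy's address unless the container is configured to honor forwarded headers — confirm deployment.
            final SubjectLocality locality = localityBuilder.buildObject();
            locality.setAddress(getHttpServletRequest().getRemoteAddr());
            statement.setSubjectLocality(locality);
        } else {
            log.debug("{} HttpServletRequest not available, omitting SubjectLocality element", getLogPrefix());
        }

        return statement;
    }

    /**
     * Populate the AuthnContextClassRef from the configured fallback strategy.
     *
     * @param authnContext the AuthnContext to populate
     * @param profileRequestContext current profile request context
     */
    private void applyDefaultClassRef(@Nonnull final AuthnContext authnContext,
            @Nonnull final ProfileRequestContext profileRequestContext) {
        authnContext.setAuthnContextClassRef(
                classRefLookupStrategy.apply(profileRequestContext).getAuthnContextClassRef());
    }
}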
