package net.shibboleth.idp.saml.saml2.profile.impl;

import java.time.Instant;
import java.util.Comparator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.assertion.ValidationContext;
import org.opensaml.saml.common.assertion.ValidationProcessingData;
import org.opensaml.saml.common.assertion.ValidationResult;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/saml/saml2/profile/impl/ProcessAssertionsForAuthentication.class */
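/**
 * Authentication action that chooses, from an inbound SAML 2 {@link Response}, the {@link Assertion} and
 * {@link AuthnStatement} to authenticate with, and records the statement and the assertion's Subject on the
 * {@link SAMLAuthnContext}.
 *
 * <p>This action performs no signature, condition or subject-confirmation checks itself. It trusts the
 * {@link ValidationProcessingData} found in each assertion's object metadata: an assertion is kept only when
 * that data exists and its result is {@link ValidationResult#VALID}; every other assertion is removed from
 * the response. An assertion with no validation data is therefore treated as invalid (fail closed).</p>
 *
 * <p>NOTE(review): presumably an earlier step in the flow attaches the validation data; confirm that this
 * action can never run before that step.</p>
 *
 * <p>NOTE(review): per-request state is kept in the {@code response} and {@code samlAuthnContext} instance
 * fields between {@code doPreExecute} and {@code doExecute}, so an instance must not serve concurrent
 * requests. Confirm how the action bean is scoped.</p>
 */
public class ProcessAssertionsForAuthentication extends AbstractAuthenticationAction {
    private final Logger log = LoggerFactory.getLogger(ProcessAssertionsForAuthentication.class);

    /**
     * Locates the inbound Response. The default reads the inbound message of the ProfileRequestContext child
     * found under the AuthenticationContext child of the context passed to the action.
     */
    @Nonnull
    private Function<ProfileRequestContext, Response> responseResolver = new DefaultResponseResolver().compose(new ChildContextLookup(ProfileRequestContext.class).compose(new ChildContextLookup(AuthenticationContext.class)));

    /** Locates the SAMLAuthnContext. The default looks under the AuthenticationContext child. */
    @Nonnull
    private Function<ProfileRequestContext, SAMLAuthnContext> samlContextLookupStrategy = new ChildContextLookup(SAMLAuthnContext.class).compose(new ChildContextLookup(AuthenticationContext.class));

    /**
     * Picks one assertion when several qualify. The default prefers the assertion whose earliest
     * SessionNotOnOrAfter is soonest; an assertion with no such value sorts last.
     */
    @Nonnull
    private Function<List<Assertion>, Assertion> authnAssertionSelectionStrategy = candidates -> candidates.stream()
            .filter(Objects::nonNull)
            .sorted(Comparator.comparing(ProcessAssertionsForAuthentication::earliestSessionExpiry))
            .findFirst()
            .orElse(null);

    /**
     * Picks one AuthnStatement when the chosen assertion has several. The default prefers the soonest
     * SessionNotOnOrAfter, with statements lacking the value sorted last.
     */
    @Nonnull
    private Function<Assertion, AuthnStatement> authnStatementSelectionStrategy = assertion -> assertion
            .getAuthnStatements().stream()
            .filter(Objects::nonNull)
            .sorted(Comparator.comparing(AuthnStatement::getSessionNotOnOrAfter,
                    Comparator.nullsLast(Comparator.naturalOrder())))
            .findFirst()
            .orElse(null);

    // Response resolved in doPreExecute and consumed by doExecute.
    private Response response;

    // Context resolved in doPreExecute that receives the selected statement and subject.
    private SAMLAuthnContext samlAuthnContext;

    /**
     * Returns the earliest non-null SessionNotOnOrAfter among an assertion's AuthnStatements.
     *
     * @param assertion the assertion to inspect, not null
     * @return the earliest value, or {@link Instant#MAX} when no statement carries one
     */
    private static Instant earliestSessionExpiry(final Assertion assertion) {
        return assertion.getAuthnStatements().stream()
                .filter(Objects::nonNull)
                .map(AuthnStatement::getSessionNotOnOrAfter)
                .filter(Objects::nonNull)
                .sorted()
                .findFirst()
                .orElse(Instant.MAX);
    }

    /** Accepts an assertion that is non-null and has at least one AuthnStatement. */
    private class AssertionContainsAuthenticationStatement implements Predicate<Assertion> {
        private AssertionContainsAuthenticationStatement() {
        }

        @Override // java.util.function.Predicate
        public boolean test(@Nullable Assertion assertion) {
            return assertion != null && !assertion.getAuthnStatements().isEmpty();
        }
    }

    /**
     * Accepts an assertion whose validation context holds a non-null
     * {@code saml2.ConfirmedSubjectConfirmation} dynamic parameter. A missing ValidationProcessingData or
     * a missing ValidationContext rejects the assertion.
     */
    private class AssertionContainsConfirmedSubject implements Predicate<Assertion> {
        private AssertionContainsConfirmedSubject() {
        }

        @Override // java.util.function.Predicate
        public boolean test(@Nullable Assertion assertion) {
            if (assertion == null) {
                return false;
            }
            final Optional<ValidationProcessingData> data =
                    assertion.getObjectMetadata().get(ValidationProcessingData.class).stream().findFirst();
            if (data.isEmpty()) {
                return false;
            }
            final ValidationContext context = data.get().getContext();
            return context != null
                    && context.getDynamicParameters().get("saml2.ConfirmedSubjectConfirmation") != null;
        }
    }

    /**
     * Accepts an assertion whose first ValidationProcessingData entry reports {@link ValidationResult#VALID}.
     * Absence of validation data rejects the assertion, so an unvalidated assertion is never accepted.
     */
    private class AssertionIsValid implements Predicate<Assertion> {
        private AssertionIsValid() {
        }

        @Override // java.util.function.Predicate
        public boolean test(@Nullable Assertion assertion) {
            if (assertion == null) {
                return false;
            }
            final Optional<ValidationProcessingData> data =
                    assertion.getObjectMetadata().get(ValidationProcessingData.class).stream().findFirst();
            return data.isPresent() && data.get().getResult() == ValidationResult.VALID;
        }
    }

    /** Returns the inbound message when it is a SAML 2 Response, otherwise null. */
    private class DefaultResponseResolver implements Function<ProfileRequestContext, Response> {
        private DefaultResponseResolver() {
        }

        @Override // java.util.function.Function
        public Response apply(@Nonnull ProfileRequestContext profileRequestContext) {
            // A missing inbound message context yields null, which doPreExecute reports as
            // InvalidCredentials, instead of failing with a NullPointerException here.
            if (profileRequestContext.getInboundMessageContext() == null) {
                return null;
            }
            // Checking the type before casting means any other message type also yields null.
            final Object message = profileRequestContext.getInboundMessageContext().getMessage();
            return message instanceof Response ? (Response) message : null;
        }
    }

    /**
     * Sets the strategy used to choose among several suitable assertions. It is bypassed when exactly one
     * assertion qualifies.
     *
     * <p>The action uses whatever the strategy returns and does not re-check that the result is one of the
     * validated candidates it was given, so an implementation must only return an element of its input
     * list, or null to fail the authentication.</p>
     *
     * @param function the selection strategy, not null
     */
    public void setAuthnAssertionSelectionStrategy(@Nonnull Function<List<Assertion>, Assertion> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.authnAssertionSelectionStrategy = Constraint.isNotNull(function, "The Assertion selection strategy may not be null");
    }

    /**
     * Sets the strategy used to choose among several AuthnStatements of the selected assertion. It is
     * bypassed when the assertion has exactly one statement. The returned statement is used as is; null
     * fails the authentication.
     *
     * @param function the selection strategy, not null
     */
    public void setAuthnStatementSelectionStrategy(@Nonnull Function<Assertion, AuthnStatement> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.authnStatementSelectionStrategy = Constraint.isNotNull(function, "The AuthnStatement selection strategy may not be null");
    }

    /**
     * Sets the strategy used to locate the inbound Response.
     *
     * @param function the resolver, not null
     */
    public void setResponseResolver(@Nonnull Function<ProfileRequestContext, Response> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.responseResolver = Constraint.isNotNull(function, "The Response resolver strategy may not be null");
    }

    /**
     * Sets the strategy used to locate the SAMLAuthnContext.
     *
     * @param function the lookup strategy, not null
     */
    public void setSAMLAuthnContextLookupStrategy(@Nonnull Function<ProfileRequestContext, SAMLAuthnContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.samlContextLookupStrategy = Constraint.isNotNull(function, "SAMLAuthnContext lookup strategy may not be null");
    }

    /**
     * Resolves the Response and the SAMLAuthnContext. Signals {@code InvalidCredentials} and stops the
     * action when the Response is missing or has no assertions, or when no SAMLAuthnContext is found.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @return true when doExecute should run
     */
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        this.response = this.responseResolver.apply(profileRequestContext);
        if (this.response == null || this.response.getAssertions() == null || this.response.getAssertions().isEmpty()) {
            this.log.info("{} Profile context contained no candidate Assertions to process. Skipping further processing", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidCredentials");
            return false;
        }
        this.samlAuthnContext = this.samlContextLookupStrategy.apply(profileRequestContext);
        if (this.samlAuthnContext == null) {
            this.log.debug("{} No SAMLAuthnContext available within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidCredentials");
            return false;
        }
        return true;
    }

    /**
     * Removes non-valid assertions from the Response, then selects one assertion and one AuthnStatement
     * from the remainder. To qualify, an assertion must contain an AuthnStatement and a confirmed subject.
     * Every failure path signals {@code InvalidCredentials} and leaves the SAMLAuthnContext untouched.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        // Collect first and remove afterwards, so the live assertion list is not modified while streamed.
        final List<Assertion> invalid = this.response.getAssertions().stream()
                .filter(new AssertionIsValid().negate())
                .collect(Collectors.toList());
        this.log.debug("{} Removing {} non-valid Assertions from Response", getLogPrefix(), invalid.size());
        // The Response itself is mutated: later readers of it no longer see the rejected assertions.
        this.response.getAssertions().removeAll(invalid);

        final List<Assertion> candidates = this.response.getAssertions().stream()
                .filter(new AssertionContainsAuthenticationStatement().and(new AssertionContainsConfirmedSubject()))
                .collect(Collectors.toList());
        if (candidates.isEmpty()) {
            this.log.debug("{} No valid SAML Assertions meeting the criteria for authentication were found", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidCredentials");
            return;
        }

        final Assertion selectedAssertion;
        if (candidates.size() == 1) {
            selectedAssertion = candidates.get(0);
            this.log.debug("{} Saw single suitable SAML Assertion, selecting for authentication", getLogPrefix());
        } else {
            this.log.debug("{} Attempting to select from {} suitable SAML Assertions for authentication", getLogPrefix(), candidates.size());
            selectedAssertion = this.authnAssertionSelectionStrategy.apply(candidates);
        }
        if (selectedAssertion == null) {
            this.log.debug("{} Could not select a single valid SAML Assertion for authentication", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidCredentials");
            return;
        }
        // The ID comes from the peer's message; it is only written to the debug log.
        this.log.debug("{} Selected SAML Assertion for authentication: {}", getLogPrefix(), selectedAssertion.getID());

        final AuthnStatement selectedStatement;
        if (selectedAssertion.getAuthnStatements().size() == 1) {
            selectedStatement = selectedAssertion.getAuthnStatements().get(0);
            this.log.debug("{} Saw single AuthnStatement, selecting for authentication", getLogPrefix());
        } else {
            this.log.debug("{} Attempting to select from multiple AuthnStatements for authentication", getLogPrefix());
            selectedStatement = this.authnStatementSelectionStrategy.apply(selectedAssertion);
            if (selectedStatement == null) {
                this.log.debug("{} Could not select a single AuthnStatement for authentication", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "InvalidCredentials");
                return;
            }
        }
        this.samlAuthnContext.setAuthnStatement(selectedStatement);
        this.samlAuthnContext.setSubject(selectedAssertion.getSubject());
    }
}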
