package net.shibboleth.idp.saml.saml2.profile.impl;

import java.time.Instant;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextDeclRefPrincipal;
import net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration;
import net.shibboleth.profile.config.navigate.IdentifierGenerationStrategyLookupFunction;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.profile.context.navigate.RelyingPartyIdLookupFunction;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.security.IdentifierGenerationStrategy;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.ParentContextLookup;
import org.opensaml.messaging.context.navigate.RootContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.ProxiedRequesterContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.opensaml.saml.common.SAMLObjectBuilder;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.ext.reqattr.RequestedAttributes;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Extensions;
import org.opensaml.saml.saml2.core.IDPEntry;
import org.opensaml.saml.saml2.core.IDPList;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml.saml2.core.RequesterID;
import org.opensaml.saml.saml2.core.Scoping;
import org.opensaml.saml.saml2.core.Subject;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/saml/saml2/profile/impl/AddAuthnRequest.class */
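/**
 * Authentication action that builds a SAML 2.0 {@link AuthnRequest} and installs it as the
 * message of the outbound message context.
 *
 * <p>The request is populated from the {@link BrowserSSOProfileConfiguration} found under the
 * {@link RelyingPartyContext}, from the {@link AuthenticationContext}, and from the lookup
 * strategies configured on this action.</p>
 *
 * <p>This listing was recovered from bytecode. Decompiler artifacts that could not compile
 * (the hand-declared {@code $assertionsDisabled} field, lambdas over an undefined {@code r1},
 * dropped casts) are replaced by their source-level equivalents; where generic type arguments
 * could not be recovered, raw types are kept and marked.</p>
 */
public class AddAuthnRequest extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private Logger log = LoggerFactory.getLogger(AddAuthnRequest.class);

    /** Whether a message already present in the outbound context may be replaced. */
    private boolean overwriteExisting;

    /**
     * Whether default authentication methods that are neither class-ref nor decl-ref principals
     * are sent as class references built from the principal name.
     */
    private boolean convertUnknownRequestedPrincipals;

    /** Strategy used to obtain the generator for the request ID. */
    @Nonnull
    private Function<ProfileRequestContext, IdentifierGenerationStrategy> idGeneratorLookupStrategy =
            new IdentifierGenerationStrategyLookupFunction();

    /** Optional strategy supplying the Issuer value; when unset, no Issuer is added. */
    @Nullable
    private Function<ProfileRequestContext, String> issuerLookupStrategy;

    /** Strategy supplying the requester ID that is appended to the Scoping element. */
    @Nonnull
    private Function<ProfileRequestContext, String> requesterLookupStrategy;

    /** Strategy locating the context that lists requesters already present on the inbound side. */
    @Nonnull
    private Function<ProfileRequestContext, ProxiedRequesterContext> proxiedRequesterContextLookupStrategy;

    /** Optional strategy supplying a NameID to place in the request Subject. */
    @Nullable
    private Function<ProfileRequestContext, NameID> nameIDLookupStrategy;

    /** Identifier generator resolved in {@link #doPreExecute}. */
    @NonnullBeforeExec
    private IdentifierGenerationStrategy idGenerator;

    /** Profile configuration resolved in {@link #doPreExecute}. */
    @NonnullBeforeExec
    private BrowserSSOProfileConfiguration profileConfiguration;

    /** Issuer value resolved in {@link #doPreExecute}; may stay null. */
    @Nullable
    private String issuerId;

    /**
     * Installs the default lookup strategies: the authentication context is looked up as a
     * parent context, the requester ID from the root profile request context, and the proxied
     * requester context as a child of the inbound message context.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    public AddAuthnRequest() {
        // The context lookup classes are used as raw types, exactly as in the decompiled
        // listing: their generic arguments are not recoverable from the bytecode.
        setAuthenticationContextLookupStrategy(new ParentContextLookup(AuthenticationContext.class));

        final Function<ProfileRequestContext, String> requesterLookup =
                new RelyingPartyIdLookupFunction().compose(new RootContextLookup(ProfileRequestContext.class));
        assert requesterLookup != null;
        this.requesterLookupStrategy = requesterLookup;

        final Function<ProfileRequestContext, ProxiedRequesterContext> proxiedLookup =
                new ChildContextLookup(ProxiedRequesterContext.class).compose(
                        new InboundMessageContextLookup().compose(
                                new RootContextLookup(ProfileRequestContext.class)));
        assert proxiedLookup != null;
        this.proxiedRequesterContextLookupStrategy = proxiedLookup;
    }

    /**
     * Sets whether unrecognised default authentication principals are converted to class refs.
     *
     * @param z flag to set
     */
    public void setConvertUnknownRequestedPrincipals(boolean z) {
        checkSetterPreconditions();
        this.convertUnknownRequestedPrincipals = z;
    }

    /**
     * Sets whether an existing outbound message may be overwritten.
     *
     * @param z flag to set
     */
    public void setOverwriteExisting(boolean z) {
        checkSetterPreconditions();
        this.overwriteExisting = z;
    }

    /**
     * Sets the strategy used to locate the {@link IdentifierGenerationStrategy}.
     *
     * @param function lookup strategy, must not be null
     */
    public void setIdentifierGeneratorLookupStrategy(
            @Nonnull Function<ProfileRequestContext, IdentifierGenerationStrategy> function) {
        checkSetterPreconditions();
        this.idGeneratorLookupStrategy =
                Constraint.isNotNull(function, "IdentifierGenerationStrategy lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to obtain the Issuer value.
     *
     * @param function lookup strategy, or null to leave the Issuer unset
     */
    public void setIssuerLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        this.issuerLookupStrategy = function;
    }

    /**
     * Sets the strategy used to obtain the requester ID added to the Scoping element.
     *
     * @param function lookup strategy, must not be null
     */
    public void setRequesterLookupStrategy(@Nonnull Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        this.requesterLookupStrategy = Constraint.isNotNull(function, "Requester lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to locate the {@link ProxiedRequesterContext}.
     *
     * @param function lookup strategy, must not be null
     */
    public void setProxiedRequesterContextLookupStrategy(
            @Nonnull Function<ProfileRequestContext, ProxiedRequesterContext> function) {
        checkSetterPreconditions();
        this.proxiedRequesterContextLookupStrategy =
                Constraint.isNotNull(function, "ProxiedRequesterContext lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to obtain a NameID for the request Subject.
     *
     * @param function lookup strategy, or null to omit the Subject
     */
    public void setNameIDLookupStrategy(@Nullable Function<ProfileRequestContext, NameID> function) {
        checkSetterPreconditions();
        this.nameIDLookupStrategy = function;
    }

    /**
     * Resolves everything {@link #doExecute} needs and signals an event when something is missing.
     *
     * <p>Checks, in order: the superclass pre-execute result, the presence of a
     * {@link BrowserSSOProfileConfiguration}, the presence of an outbound message context, that
     * the context holds no message unless overwriting is enabled, and that an identifier
     * generator can be resolved. On success the outbound message is cleared.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return true if execution should proceed
     */
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext,
            @Nonnull AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }

        final RelyingPartyContext rpContext = profileRequestContext.getSubcontext(RelyingPartyContext.class);
        if (rpContext != null && rpContext.getConfiguration() != null
                && (rpContext.getProfileConfig() instanceof BrowserSSOProfileConfiguration)) {
            // The decompiled listing had lost this cast; the instanceof test above guards it.
            this.profileConfiguration = (BrowserSSOProfileConfiguration) rpContext.getProfileConfig();
        }
        // NOTE(review): profileConfiguration is only ever assigned in this method, never cleared.
        // If one instance handled more than one request, a value left by an earlier run would
        // pass the null check below. Confirm instances are not shared across requests.
        if (this.profileConfiguration == null) {
            this.log.error("{} BrowserSSOProfileConfiguration not found", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }

        final MessageContext outbound = profileRequestContext.getOutboundMessageContext();
        if (outbound == null) {
            this.log.debug("{} No outbound message context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }
        if (!this.overwriteExisting && outbound.getMessage() != null) {
            this.log.debug("{} Outbound message context already contains a message", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }

        this.idGenerator = this.idGeneratorLookupStrategy.apply(profileRequestContext);
        if (this.idGenerator == null) {
            this.log.debug("{} No identifier generation strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        if (this.issuerLookupStrategy != null) {
            this.issuerId = this.issuerLookupStrategy.apply(profileRequestContext);
        }

        // Drop any previous message so a failure in doExecute cannot leave a stale one behind.
        outbound.setMessage((Object) null);
        return true;
    }

    /**
     * Builds the AuthnRequest and stores it as the outbound message.
     *
     * <p>Always set: ID, IssueInstant, Version 2.0 and a NameIDPolicy with AllowCreate true.
     * Set only when the configuration or context supplies them: AttributeConsumingServiceIndex,
     * Issuer, ForceAuthn, IsPassive, SPNameQualifier, NameIDPolicy Format (first entry of the
     * precedence list), RequestedAuthnContext, Subject, Scoping and Extensions.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext,
            @Nonnull AuthenticationContext authenticationContext) {
        this.log.debug("{} Building AuthnRequest for upstream IdP ({})", getLogPrefix(),
                authenticationContext.getAuthenticatingAuthority());

        final XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
        final SAMLObjectBuilder<AuthnRequest> requestBuilder = (SAMLObjectBuilder<AuthnRequest>)
                builderFactory.<AuthnRequest>ensureBuilder(AuthnRequest.DEFAULT_ELEMENT_NAME);
        final SAMLObjectBuilder<NameIDPolicy> policyBuilder = (SAMLObjectBuilder<NameIDPolicy>)
                builderFactory.<NameIDPolicy>ensureBuilder(NameIDPolicy.DEFAULT_ELEMENT_NAME);

        final AuthnRequest request = requestBuilder.buildObject();
        request.setID(this.idGenerator.generateIdentifier());
        request.setIssueInstant(Instant.now());
        request.setVersion(SAMLVersion.VERSION_20);

        final Integer attributeIndex = this.profileConfiguration.getAttributeIndex(profileRequestContext);
        if (attributeIndex != null) {
            this.log.debug("{} Setting AttributeConsumingServiceIndex to '{}' for SAML AuthnRequest",
                    getLogPrefix(), attributeIndex);
            request.setAttributeConsumingServiceIndex(attributeIndex);
        }

        if (this.issuerId != null) {
            this.log.debug("{} Setting Issuer to {}", getLogPrefix(), this.issuerId);
            final Issuer issuer = ((SAMLObjectBuilder<Issuer>)
                    builderFactory.<Issuer>ensureBuilder(Issuer.DEFAULT_ELEMENT_NAME)).buildObject();
            issuer.setValue(this.issuerId);
            request.setIssuer(issuer);
        } else {
            this.log.debug("{} No issuer value available, leaving Issuer unset", getLogPrefix());
        }

        if (this.profileConfiguration.isForceAuthn(profileRequestContext)) {
            this.log.debug("{} Setting ForceAuthn for SAML AuthnRequest", getLogPrefix());
            request.setForceAuthn(true);
        }
        if (authenticationContext.isPassive()) {
            this.log.debug("{} Setting IsPassive for SAML AuthnRequest", getLogPrefix());
            request.setIsPassive(true);
        }

        final NameIDPolicy policy = policyBuilder.buildObject();
        policy.setAllowCreate(true);
        final String spNameQualifier = this.profileConfiguration.getSPNameQualifier(profileRequestContext);
        if (spNameQualifier != null) {
            this.log.debug("{} Setting NameIDPolicy SPNameQualifier to '{}' for SAML AuthnRequest",
                    getLogPrefix(), spNameQualifier);
            policy.setSPNameQualifier(spNameQualifier);
        }
        final List<String> formats = this.profileConfiguration.getNameIDFormatPrecedence(profileRequestContext);
        if (!formats.isEmpty()) {
            // Only the highest-precedence format is requested.
            this.log.debug("{} Setting NameIDPolicy Format to '{}' for SAML AuthnRequest",
                    getLogPrefix(), formats.get(0));
            policy.setFormat(formats.get(0));
        }
        request.setNameIDPolicy(policy);

        final RequestedAuthnContext requestedContext = buildRequestedAuthnContext(profileRequestContext);
        if (requestedContext != null) {
            final AuthnContextComparisonTypeEnumeration comparison =
                    this.profileConfiguration.getAuthnContextComparison(profileRequestContext);
            if (comparison != null) {
                this.log.debug("{} Setting RequestedAuthnContext comparison to {}", getLogPrefix(), comparison);
                requestedContext.setComparison(comparison);
            }
            request.setRequestedAuthnContext(requestedContext);
        }

        request.setSubject(buildSubject(profileRequestContext));
        request.setScoping(buildScoping(profileRequestContext, authenticationContext.getProxyCount(),
                authenticationContext.getProxiableAuthorities()));
        request.setExtensions(buildExtensions(profileRequestContext));

        final MessageContext outbound = profileRequestContext.getOutboundMessageContext();
        assert outbound != null;
        outbound.setMessage(request);
    }

    /**
     * Builds the RequestedAuthnContext from the configured default authentication methods.
     *
     * <p>Class-ref principals take priority; if there are none, decl-ref principals are used;
     * if there are none of either and {@code convertUnknownRequestedPrincipals} is set, every
     * configured principal is sent as a class reference whose URI is the principal name.</p>
     *
     * @param profileRequestContext current profile request context
     * @return the populated element, or null if nothing is to be requested
     */
    @Nullable
    private RequestedAuthnContext buildRequestedAuthnContext(@Nullable ProfileRequestContext profileRequestContext) {
        assert this.profileConfiguration != null;

        // Element type is left to inference: the fallback branch only needs getName() on it.
        final var methods = this.profileConfiguration.getDefaultAuthenticationMethods(profileRequestContext);
        if (methods.isEmpty()) {
            return null;
        }

        final XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
        final SAMLObjectBuilder<RequestedAuthnContext> contextBuilder = (SAMLObjectBuilder<RequestedAuthnContext>)
                builderFactory.<RequestedAuthnContext>ensureBuilder(RequestedAuthnContext.DEFAULT_ELEMENT_NAME);

        final List<AuthnContextClassRefPrincipal> classRefPrincipals = methods.stream()
                .filter(AuthnContextClassRefPrincipal.class::isInstance)
                .map(AuthnContextClassRefPrincipal.class::cast)
                .collect(Collectors.toUnmodifiableList());
        if (!classRefPrincipals.isEmpty()) {
            final RequestedAuthnContext result = contextBuilder.buildObject();
            result.getAuthnContextClassRefs().addAll(classRefPrincipals.stream()
                    .map(AuthnContextClassRefPrincipal::getAuthnContextClassRef)
                    .collect(Collectors.toUnmodifiableList()));
            if (this.log.isDebugEnabled()) {
                this.log.debug("{} Setting RequestedAuthnContext class refs to {}", getLogPrefix(),
                        classRefPrincipals.stream()
                                .map(AuthnContextClassRefPrincipal::getName)
                                .collect(Collectors.toUnmodifiableList()));
            }
            return result;
        }

        final List<AuthnContextDeclRefPrincipal> declRefPrincipals = methods.stream()
                .filter(AuthnContextDeclRefPrincipal.class::isInstance)
                .map(AuthnContextDeclRefPrincipal.class::cast)
                .collect(Collectors.toUnmodifiableList());
        if (!declRefPrincipals.isEmpty()) {
            final RequestedAuthnContext result = contextBuilder.buildObject();
            result.getAuthnContextDeclRefs().addAll(declRefPrincipals.stream()
                    .map(AuthnContextDeclRefPrincipal::getAuthnContextDeclRef)
                    .collect(Collectors.toUnmodifiableList()));
            if (this.log.isDebugEnabled()) {
                this.log.debug("{} Setting RequestedAuthnContext decl refs to {}", getLogPrefix(),
                        declRefPrincipals.stream()
                                .map(AuthnContextDeclRefPrincipal::getName)
                                .collect(Collectors.toUnmodifiableList()));
            }
            return result;
        }

        if (!this.convertUnknownRequestedPrincipals) {
            return null;
        }

        // Fallback: each principal name is used verbatim as an AuthnContextClassRef URI.
        final SAMLObjectBuilder<AuthnContextClassRef> classRefBuilder = (SAMLObjectBuilder<AuthnContextClassRef>)
                builderFactory.<AuthnContextClassRef>ensureBuilder(AuthnContextClassRef.DEFAULT_ELEMENT_NAME);
        final List<AuthnContextClassRef> converted = methods.stream().map(principal -> {
            final AuthnContextClassRef classRef = classRefBuilder.buildObject();
            classRef.setURI(principal.getName());
            return classRef;
        }).collect(Collectors.toUnmodifiableList());

        final RequestedAuthnContext result = contextBuilder.buildObject();
        result.getAuthnContextClassRefs().addAll(converted);
        if (this.log.isDebugEnabled()) {
            this.log.debug("{} Setting RequestedAuthnContext class refs to {}", getLogPrefix(),
                    methods.stream().map(principal -> principal.getName())
                            .collect(Collectors.toUnmodifiableList()));
        }
        return result;
    }

    /**
     * Builds a Subject carrying the NameID supplied by the NameID lookup strategy.
     *
     * @param profileRequestContext current profile request context
     * @return the Subject, or null if no strategy is set or it yields no NameID
     */
    @Nullable
    private Subject buildSubject(@Nonnull ProfileRequestContext profileRequestContext) {
        final NameID nameId =
                this.nameIDLookupStrategy != null ? this.nameIDLookupStrategy.apply(profileRequestContext) : null;
        if (nameId == null) {
            return null;
        }

        final Subject subject = ((SAMLObjectBuilder<Subject>) XMLObjectProviderRegistrySupport.getBuilderFactory()
                .<Subject>ensureBuilder(Subject.DEFAULT_ELEMENT_NAME)).buildObject();
        subject.setNameID(nameId);
        // The NameID value is written to the debug log; debug output therefore carries
        // subject identifiers and should be handled accordingly.
        this.log.debug("{} Populating request with NameID '{}' and Format '{}'", getLogPrefix(),
                nameId.getValue(), nameId.getFormat());
        return subject;
    }

    /**
     * Builds the Scoping element: remaining proxy count, permitted IdP list and requester IDs.
     *
     * <p>The proxy count is reduced by one and floored at zero. Requester IDs from the
     * {@link ProxiedRequesterContext} are added first, followed by the one supplied by the
     * requester lookup strategy.</p>
     *
     * @param profileRequestContext current profile request context
     * @param proxyCount proxy count in effect for this request, or null if unrestricted
     * @param proxiableAuthorities entity IDs to list as IDPEntry elements
     * @return the Scoping element, or null if scoping is ignored by configuration or the
     *         element would be empty
     */
    @Nullable
    private Scoping buildScoping(@Nonnull ProfileRequestContext profileRequestContext, @Nullable Integer proxyCount,
            @Nonnull Set<String> proxiableAuthorities) {
        assert this.profileConfiguration != null;

        if (this.profileConfiguration.isIgnoreScoping(profileRequestContext)) {
            // Dropping Scoping also drops the proxy restrictions it would carry, hence the warning.
            this.log.warn("{} Skipping generation of Scoping element in violation of standard", getLogPrefix());
            return null;
        }

        boolean populated = false;
        final XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
        final Scoping scoping = ((SAMLObjectBuilder<Scoping>)
                builderFactory.<Scoping>ensureBuilder(Scoping.DEFAULT_ELEMENT_NAME)).buildObject();

        if (proxyCount != null) {
            // Decrement without wrapping: max(0, n - 1) turns Integer.MIN_VALUE into
            // Integer.MAX_VALUE, which would read as an effectively unlimited proxy count.
            final int remaining = proxyCount > 0 ? proxyCount - 1 : 0;
            scoping.setProxyCount(Integer.valueOf(remaining));
            populated = true;
        }

        if (!proxiableAuthorities.isEmpty()) {
            final SAMLObjectBuilder<IDPList> listBuilder = (SAMLObjectBuilder<IDPList>)
                    builderFactory.<IDPList>ensureBuilder(IDPList.DEFAULT_ELEMENT_NAME);
            final SAMLObjectBuilder<IDPEntry> entryBuilder = (SAMLObjectBuilder<IDPEntry>)
                    builderFactory.<IDPEntry>ensureBuilder(IDPEntry.DEFAULT_ELEMENT_NAME);
            final IDPList idpList = listBuilder.buildObject();
            for (final String authority : proxiableAuthorities) {
                final IDPEntry entry = entryBuilder.buildObject();
                entry.setProviderID(authority);
                idpList.getIDPEntrys().add(entry);
            }
            scoping.setIDPList(idpList);
            populated = true;
        }

        final SAMLObjectBuilder<RequesterID> requesterBuilder = (SAMLObjectBuilder<RequesterID>)
                builderFactory.<RequesterID>ensureBuilder(RequesterID.DEFAULT_ELEMENT_NAME);
        final ProxiedRequesterContext proxied = this.proxiedRequesterContextLookupStrategy.apply(profileRequestContext);
        if (proxied != null) {
            for (final String requester : proxied.getRequesters()) {
                final RequesterID requesterId = requesterBuilder.buildObject();
                requesterId.setURI(requester);
                scoping.getRequesterIDs().add(requesterId);
                populated = true;
            }
        }

        final String requester = this.requesterLookupStrategy.apply(profileRequestContext);
        if (requester != null) {
            final RequesterID requesterId = requesterBuilder.buildObject();
            requesterId.setURI(requester);
            scoping.getRequesterIDs().add(requesterId);
            populated = true;
        }

        return populated ? scoping : null;
    }

    /**
     * Builds an Extensions element holding clones of the configured RequestedAttribute objects.
     *
     * <p>An attribute that fails to clone is logged at error level and left out; the remaining
     * attributes are still sent.</p>
     *
     * @param profileRequestContext current profile request context
     * @return the Extensions element, or null if no attributes are configured
     */
    @Nullable
    private Extensions buildExtensions(@Nonnull ProfileRequestContext profileRequestContext) {
        assert this.profileConfiguration != null;

        final var requestedAttributes = this.profileConfiguration.getRequestedAttributes(profileRequestContext);
        if (requestedAttributes.isEmpty()) {
            return null;
        }

        final XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
        final SAMLObjectBuilder<Extensions> extensionsBuilder = (SAMLObjectBuilder<Extensions>)
                builderFactory.<Extensions>ensureBuilder(Extensions.DEFAULT_ELEMENT_NAME);
        final RequestedAttributes wrapper = ((SAMLObjectBuilder<RequestedAttributes>)
                builderFactory.<RequestedAttributes>ensureBuilder(RequestedAttributes.DEFAULT_ELEMENT_NAME))
                        .buildObject();

        for (final var attribute : requestedAttributes) {
            try {
                assert attribute != null;
                // Clone so the configured object is not re-parented into this request.
                wrapper.getRequestedAttributes().add(XMLObjectSupport.cloneXMLObject(attribute));
            } catch (MarshallingException | UnmarshallingException e) {
                this.log.error("{} Error cloning RequestedAttribute from profile configuration", getLogPrefix(), e);
            }
        }

        final Extensions extensions = extensionsBuilder.buildObject();
        extensions.getUnknownXMLObjects().add(wrapper);
        return extensions;
    }
}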
