package net.shibboleth.idp.saml.profile.impl;

import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.saml.authn.principal.NameIDPrincipal;
import net.shibboleth.idp.saml.authn.principal.NameIdentifierPrincipal;
import net.shibboleth.profile.context.navigate.IssuerLookupFunction;
import net.shibboleth.profile.context.navigate.RelyingPartyIdLookupFunction;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.messaging.context.SAMLSubjectNameIdentifierContext;
import org.opensaml.saml.saml1.core.NameIdentifier;
import org.opensaml.saml.saml2.core.NameID;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/saml/profile/impl/ExtractSubjectFromRequest.class */
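public class ExtractSubjectFromRequest extends AbstractProfileAction {

    /** Event signaled when the inbound message carries no usable Subject NameID/NameIdentifier. */
    @Nonnull
    @NotEmpty
    public static final String NO_SUBJECT = "NoSubject";

    /**
     * Optional policy gate evaluated before the inbound identifier is consumed. When it rejects the
     * request the identifier is ignored and an "InvalidSubject" event is signaled; when unset, every
     * inbound identifier is accepted without any policy check.
     */
    @Nullable
    private Predicate<ProfileRequestContext> nameIDPolicyPredicate;

    /** Subject NameID/NameIdentifier pulled from the inbound message during pre-execution. */
    @NonnullBeforeExec
    private SAMLObject nameIdentifier;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ExtractSubjectFromRequest.class);

    /** Strategy producing the requester ID stored in the canonicalization context; null leaves it unset. */
    @Nullable
    private Function<ProfileRequestContext, String> requesterLookupStrategy = new RelyingPartyIdLookupFunction();

    /** Strategy producing the responder ID stored in the canonicalization context; null leaves it unset. */
    @Nullable
    private Function<ProfileRequestContext, String> responderLookupStrategy = new IssuerLookupFunction();

    /**
     * Lookup function returning the Subject NameID/NameIdentifier attached to the inbound message,
     * or null when there is no profile request context or no inbound message context.
     */
    public static class SubjectNameLookupFunction implements Function<ProfileRequestContext, SAMLObject> {

        /** {@inheritDoc} */
        @Override
        @Nullable
        public SAMLObject apply(@Nullable final ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return null;
            }
            final MessageContext inbound = profileRequestContext.getInboundMessageContext();
            if (inbound == null) {
                return null;
            }
            return inbound.ensureSubcontext(SAMLSubjectNameIdentifierContext.class).getSubjectNameIdentifier();
        }
    }

    /**
     * Set the strategy used to derive the requester ID placed in the canonicalization context.
     *
     * @param function lookup strategy, or null to leave the requester ID unset
     */
    public void setRequesterLookupStrategy(@Nullable final Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        requesterLookupStrategy = function;
    }

    /**
     * Set the strategy used to derive the responder ID placed in the canonicalization context.
     *
     * @param function lookup strategy, or null to leave the responder ID unset
     */
    public void setResponderLookupStrategy(@Nullable final Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        responderLookupStrategy = function;
    }

    /**
     * Set the predicate that decides whether the inbound NameID/NameIdentifier may be consumed.
     *
     * @param predicate policy predicate, or null to accept every inbound identifier
     */
    public void setNameIDPolicyPredicate(@Nullable final Predicate<ProfileRequestContext> predicate) {
        checkSetterPreconditions();
        nameIDPolicyPredicate = predicate;
    }

    /**
     * Locate the Subject identifier in the inbound message and apply the optional policy gate.
     *
     * <p>Signals {@link #NO_SUBJECT} when there is no inbound message or no identifier, and
     * "InvalidSubject" when the policy predicate rejects consumption.</p>
     *
     * {@inheritDoc}
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        final MessageContext inbound = profileRequestContext.getInboundMessageContext();
        if (inbound == null || inbound.getMessage() == null) {
            log.debug("{} No inbound message", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, NO_SUBJECT);
            return false;
        }

        nameIdentifier = inbound.ensureSubcontext(SAMLSubjectNameIdentifierContext.class).getSubjectNameIdentifier();
        if (nameIdentifier == null) {
            log.debug("{} No Subject NameID/NameIdentifier in message needs inbound processing", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, NO_SUBJECT);
            return false;
        }

        // A null predicate means no policy gate: the identifier is consumed unconditionally.
        if (nameIDPolicyPredicate != null && !nameIDPolicyPredicate.test(profileRequestContext)) {
            log.warn("{} Consumption of NameID/NameIdentifier blocked by policy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidSubject");
            return false;
        }

        return super.doPreExecute(profileRequestContext);
    }

    /**
     * Wrap the identifier in a {@link Subject} and attach a {@link SubjectCanonicalizationContext}
     * to the profile request context, replacing any existing one.
     *
     * {@inheritDoc}
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        // The field is a plain SAMLObject; it is narrowed only after the instanceof checks below.
        // (The decompiled form assigned it directly to a NameIdentifier local, which does not compile.)
        final SAMLObject identifier = nameIdentifier;
        final Subject subject;
        if (identifier instanceof NameIdentifier) {
            final NameIdentifier saml1Id = (NameIdentifier) identifier;
            // The raw identifier value is emitted to the debug log.
            log.debug("{} Creating Subject for canonicalization around NameIdentifier {}", getLogPrefix(),
                    saml1Id.getValue());
            subject = new Subject(false, CollectionSupport.singleton(new NameIdentifierPrincipal(saml1Id)),
                    CollectionSupport.emptySet(), CollectionSupport.emptySet());
        } else if (identifier instanceof NameID) {
            final NameID saml2Id = (NameID) identifier;
            // The raw identifier value is emitted to the debug log.
            log.debug("{} Creating Subject for canonicalization around NameID {}", getLogPrefix(),
                    saml2Id.getValue());
            subject = new Subject(false, CollectionSupport.singleton(new NameIDPrincipal(saml2Id)),
                    CollectionSupport.emptySet(), CollectionSupport.emptySet());
        } else {
            log.debug("{} Identifier was not of a supported type, ignoring", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, NO_SUBJECT);
            return;
        }

        final SubjectCanonicalizationContext c14nContext = new SubjectCanonicalizationContext();
        c14nContext.setSubject(subject);
        if (requesterLookupStrategy != null) {
            c14nContext.setRequesterId(requesterLookupStrategy.apply(profileRequestContext));
        }
        if (responderLookupStrategy != null) {
            c14nContext.setResponderId(responderLookupStrategy.apply(profileRequestContext));
        }
        // true: replace any canonicalization context already present.
        profileRequestContext.addSubcontext(c14nContext, true);
        log.debug("{} Created subject canonicalization context", getLogPrefix());
    }
}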
