package net.shibboleth.idp.saml.saml2.profile.impl;

import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.impl.DefaultPrincipalDeterminationStrategy;
import net.shibboleth.idp.authn.principal.ProxyAuthenticationPrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextDeclRefPrincipal;
import net.shibboleth.idp.saml.profile.config.navigate.SessionLifetimeLookupFunction;
import net.shibboleth.idp.saml.profile.impl.BaseAddAuthenticationStatementToAssertion;
import net.shibboleth.idp.saml.saml2.profile.config.logic.SuppressAuthenticatingAuthorityPredicate;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.SAMLObjectBuilder;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthenticatingAuthority;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.SubjectLocality;
import org.opensaml.saml.saml2.profile.SAML2ActionSupport;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/saml/saml2/profile/impl/AddAuthnStatementToAssertion.class */
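/**
 * Profile action that builds a SAML 2 {@link AuthnStatement} from the current
 * authentication result and appends it to an outbound {@link Assertion}.
 *
 * <p>The target assertion is located (or created) by the configured assertion lookup
 * strategy; the default strategy works off the outbound message context and will
 * create a bare Assertion, or add one to an existing Response, when needed.</p>
 *
 * <p>Security-relevant outputs of this action, all of which the relying party will
 * trust once the assertion is signed:</p>
 * <ul>
 *   <li>AuthnContextClassRef / AuthnContextDeclRef — taken from the principal matched
 *       against the SP's request, else from the class-ref lookup strategy (default
 *       {@code urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified}).</li>
 *   <li>AuthenticatingAuthority — populated from a {@link ProxyAuthenticationPrincipal}
 *       when exactly one is present and not suppressed by predicate.</li>
 *   <li>SessionNotOnOrAfter — only emitted when the session lifetime lookup yields a
 *       positive duration; otherwise the SP receives no IdP-imposed session bound.</li>
 * </ul>
 *
 * <p>This listing is decompiler output (JADX); decompiler notes have been translated
 * into comments where they affect reading.</p>
 */
public class AddAuthnStatementToAssertion extends BaseAddAuthenticationStatementToAssertion {

    /** Strategy used to locate or create the Assertion to add the statement to. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, Assertion> assertionLookupStrategy;

    /** Strategy used to obtain the AuthnContextClassRef when no matching principal applies. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, AuthnContextClassRefPrincipal> classRefLookupStrategy;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AddAuthnStatementToAssertion.class);

    /** Strategy used to determine the SessionNotOnOrAfter lifetime; may be null to omit it. */
    @Nullable
    private Function<ProfileRequestContext, Duration> sessionLifetimeLookupStrategy = new SessionLifetimeLookupFunction();

    /** Condition that, when true, suppresses AuthenticatingAuthority population. */
    @Nonnull
    private Predicate<ProfileRequestContext> suppressAuthenticatingAuthorityPredicate = new SuppressAuthenticatingAuthorityPredicate();

    /**
     * Default strategy for obtaining the Assertion to operate on.
     *
     * <p>Resolution order, based on the outbound message:</p>
     * <ol>
     *   <li>No outbound message context → {@code null}.</li>
     *   <li>No message yet → a new Assertion is built and installed as the message.</li>
     *   <li>Message is an Assertion → that Assertion.</li>
     *   <li>Message is a Response → a new Assertion added to the Response if
     *       {@link #isStatementInOwnAssertion()} is set or the Response has none,
     *       otherwise the Response's first Assertion.</li>
     *   <li>Any other message type → {@code null}.</li>
     * </ol>
     */
    private class AssertionStrategy implements Function<ProfileRequestContext, Assertion> {

        /** Constructor. */
        private AssertionStrategy() {
        }

        /** {@inheritDoc} */
        @Override // java.util.function.Function
        @Nullable
        public Assertion apply(@Nullable ProfileRequestContext profileRequestContext) {
            final MessageContext outboundMessageContext =
                    profileRequestContext != null ? profileRequestContext.getOutboundMessageContext() : null;
            if (outboundMessageContext == null) {
                return null;
            }

            final Object message = outboundMessageContext.getMessage();
            if (message == null) {
                // Nothing built yet: a bare Assertion becomes the outbound message.
                final Assertion built = SAML2ActionSupport.buildAssertion(AddAuthnStatementToAssertion.this,
                        AddAuthnStatementToAssertion.this.getIdGenerator(),
                        AddAuthnStatementToAssertion.this.getIssuerId());
                outboundMessageContext.setMessage(built);
                return built;
            }

            if (message instanceof Assertion) {
                return (Assertion) message;
            }

            if (message instanceof Response) {
                final Response response = (Response) message;
                if (AddAuthnStatementToAssertion.this.isStatementInOwnAssertion()
                        || response.getAssertions().isEmpty()) {
                    return SAML2ActionSupport.addAssertionToResponse(AddAuthnStatementToAssertion.this, response,
                            AddAuthnStatementToAssertion.this.getIdGenerator(),
                            AddAuthnStatementToAssertion.this.getIssuerId());
                }
                // Statement is folded into whatever assertion was produced first.
                return (Assertion) response.getAssertions().get(0);
            }

            return null;
        }
    }

    /**
     * Set the strategy used to locate the Assertion to operate on.
     *
     * @param function lookup strategy, must not be null
     */
    public void setAssertionLookupStrategy(@Nonnull Function<ProfileRequestContext, Assertion> function) {
        checkSetterPreconditions();
        this.assertionLookupStrategy =
                (Function) Constraint.isNotNull(function, "Assertion lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to obtain the AuthnContextClassRef principal.
     *
     * @param function lookup strategy, must not be null
     */
    public void setClassRefLookupStrategy(
            @Nonnull Function<ProfileRequestContext, AuthnContextClassRefPrincipal> function) {
        checkSetterPreconditions();
        this.classRefLookupStrategy = (Function) Constraint.isNotNull(function,
                "Authentication context class reference strategy cannot be null");
    }

    /**
     * Set the strategy used to determine the SessionNotOnOrAfter lifetime.
     *
     * @param function lookup strategy, or null to never emit SessionNotOnOrAfter
     */
    public void setSessionLifetimeLookupStrategy(@Nullable Function<ProfileRequestContext, Duration> function) {
        checkSetterPreconditions();
        this.sessionLifetimeLookupStrategy = function;
    }

    /**
     * Set the condition under which AuthenticatingAuthority population is suppressed.
     *
     * @param predicate condition, must not be null
     */
    public void setSuppressAuthenticatingAuthorityPredicate(@Nonnull Predicate<ProfileRequestContext> predicate) {
        checkSetterPreconditions();
        this.suppressAuthenticatingAuthorityPredicate =
                (Predicate) Constraint.isNotNull(predicate, "Condition cannot be null");
    }

    /**
     * {@inheritDoc}
     *
     * <p>Installs the defaults: a {@link DefaultPrincipalDeterminationStrategy} falling back to
     * the {@code unspecified} class reference, and the {@link AssertionStrategy} above.</p>
     *
     * <p>Decompiler note: the original declaration was {@code protected}; the decompiler
     * widened it to {@code public}.</p>
     */
    @Override // net.shibboleth.idp.saml.profile.impl.BaseAddAuthenticationStatementToAssertion
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.classRefLookupStrategy == null) {
            this.classRefLookupStrategy = new DefaultPrincipalDeterminationStrategy(
                    AuthnContextClassRefPrincipal.class,
                    new AuthnContextClassRefPrincipal("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"));
        }
        if (this.assertionLookupStrategy == null) {
            this.assertionLookupStrategy = new AssertionStrategy();
        }
    }

    /**
     * Locate the target Assertion and append a freshly built AuthnStatement to it.
     *
     * <p>If no Assertion can be obtained the action signals {@code InvalidMessageContext}
     * rather than emitting a statement-less message.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context; its
     *        {@link RequestedPrincipalContext} subcontext (if any) drives the AuthnContext
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext,
            @Nonnull AuthenticationContext authenticationContext) {
        final Assertion assertion = this.assertionLookupStrategy.apply(profileRequestContext);
        if (assertion == null) {
            this.log.error("Unable to obtain Assertion to modify");
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return;
        }

        final RequestedPrincipalContext requested =
                (RequestedPrincipalContext) authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        assertion.getAuthnStatements().add(buildAuthnStatement(profileRequestContext, requested));
        this.log.debug("{} Added AuthenticationStatement to Assertion {}", getLogPrefix(), assertion.getID());
    }

    /**
     * Build the AuthnStatement.
     *
     * <p>AuthnInstant comes from the authentication result. The AuthnContext is taken from the
     * principal the {@link RequestedPrincipalContext} matched (class ref or decl ref); if there
     * is no matching principal, or it is of some other type, the class-ref lookup strategy is
     * consulted. A fresh SessionIndex is generated per statement. SessionNotOnOrAfter is set
     * relative to the current clock only when the lifetime lookup yields a positive duration.
     * SubjectLocality is added only when an address is available.</p>
     *
     * @param profileRequestContext current profile request context
     * @param requestedPrincipalContext requested-principal context, may be null
     *
     * @return the populated statement
     */
    @Nonnull
    private AuthnStatement buildAuthnStatement(@Nonnull ProfileRequestContext profileRequestContext,
            @Nullable RequestedPrincipalContext requestedPrincipalContext) {
        final XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
        final SAMLObjectBuilder statementBuilder = builderFactory.ensureBuilder(AuthnStatement.TYPE_NAME);
        final SAMLObjectBuilder contextBuilder = builderFactory.ensureBuilder(AuthnContext.TYPE_NAME);
        final SAMLObjectBuilder localityBuilder = builderFactory.ensureBuilder(SubjectLocality.TYPE_NAME);

        final AuthnStatement statement = statementBuilder.buildObject();
        statement.setAuthnInstant(getAuthenticationResult().getAuthenticationInstant());

        final AuthnContext authnContext = (AuthnContext) contextBuilder.buildObject();
        statement.setAuthnContext(authnContext);

        if (requestedPrincipalContext == null || requestedPrincipalContext.getMatchingPrincipal() == null) {
            authnContext.setAuthnContextClassRef(resolveDefaultClassRef(profileRequestContext));
        } else {
            // The decompiled listing typed this local as AuthnContextClassRefPrincipal, which makes
            // the DeclRef branch below an inconvertible-types instanceof. The matching principal is
            // assumed to be surfaced as a plain java.security.Principal (TODO confirm against
            // RequestedPrincipalContext), which keeps both branches reachable.
            final Principal matchingPrincipal = requestedPrincipalContext.getMatchingPrincipal();
            if (matchingPrincipal instanceof AuthnContextClassRefPrincipal) {
                authnContext.setAuthnContextClassRef(
                        ((AuthnContextClassRefPrincipal) matchingPrincipal).getAuthnContextClassRef());
            } else if (matchingPrincipal instanceof AuthnContextDeclRefPrincipal) {
                authnContext.setAuthnContextDeclRef(
                        ((AuthnContextDeclRefPrincipal) matchingPrincipal).getAuthnContextDeclRef());
            } else {
                authnContext.setAuthnContextClassRef(resolveDefaultClassRef(profileRequestContext));
            }
        }

        addAuthenticatingAuthorities(profileRequestContext, authnContext);

        // SessionNotOnOrAfter is anchored to "now", not to the authentication instant, and is
        // omitted entirely for a null, zero or negative lifetime.
        final Duration lifetime = this.sessionLifetimeLookupStrategy != null
                ? this.sessionLifetimeLookupStrategy.apply(profileRequestContext) : null;
        if (lifetime != null && lifetime.toMillis() > 0) {
            statement.setSessionNotOnOrAfter(Instant.now().plus((TemporalAmount) lifetime));
        }

        // A new identifier per statement; nothing here ties it to an IdP-side session record.
        statement.setSessionIndex(getIdGenerator().generateIdentifier());

        final String address = getAddressLookupStrategy().apply(profileRequestContext);
        if (address != null) {
            final SubjectLocality locality = localityBuilder.buildObject();
            locality.setAddress(address);
            statement.setSubjectLocality(locality);
        } else {
            this.log.debug("{} Address not available, omitting SubjectLocality element", getLogPrefix());
        }

        return statement;
    }

    /**
     * Obtain the fallback AuthnContextClassRef from the class-ref lookup strategy.
     *
     * <p>A strategy returning null will fail the request with an NPE here, which is the
     * fail-closed outcome; no silent substitution is made.</p>
     *
     * @param profileRequestContext current profile request context
     *
     * @return the class reference URI
     */
    @Nonnull
    private String resolveDefaultClassRef(@Nonnull ProfileRequestContext profileRequestContext) {
        return this.classRefLookupStrategy.apply(profileRequestContext).getAuthnContextClassRef();
    }

    /**
     * Populate AuthenticatingAuthority elements from the subject's {@link ProxyAuthenticationPrincipal}.
     *
     * <p>Population happens only when exactly one such principal is present and the suppression
     * predicate is false. NOTE(review): with more than one principal the statement is emitted
     * with no AuthenticatingAuthority at all (only a warning is logged), so the SP is not told
     * that authentication was proxied; confirm that is the intended fail-open behaviour.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authnContext the AuthnContext to populate
     */
    private void addAuthenticatingAuthorities(@Nonnull ProfileRequestContext profileRequestContext,
            @Nonnull AuthnContext authnContext) {
        final Set<ProxyAuthenticationPrincipal> proxies =
                getAuthenticationResult().getSubject().getPrincipals(ProxyAuthenticationPrincipal.class);
        if (proxies == null || proxies.isEmpty()) {
            return;
        }
        if (proxies.size() != 1) {
            this.log.warn("{} Multiple ProxyAuthenticationPrincipals, skipping AuthenticatingAuthority population",
                    getLogPrefix());
            return;
        }
        if (this.suppressAuthenticatingAuthorityPredicate.test(profileRequestContext)) {
            this.log.debug("{} Suppressing AuthenticatingAuthority population", getLogPrefix());
            return;
        }

        final ProxyAuthenticationPrincipal proxy = proxies.iterator().next();
        final SAMLObjectBuilder authorityBuilder =
                XMLObjectProviderRegistrySupport.getBuilderFactory().ensureBuilder(
                        AuthenticatingAuthority.DEFAULT_ELEMENT_NAME);
        for (final String authorityId : proxy.getAuthorities()) {
            final AuthenticatingAuthority authority = authorityBuilder.buildObject();
            authority.setURI(authorityId);
            authnContext.getAuthenticatingAuthorities().add(authority);
        }
    }
}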
