package net.shibboleth.idp.authn.impl;

import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.AuthenticationFlowDescriptor;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.MultiFactorAuthenticationTransition;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext;
import net.shibboleth.idp.profile.context.navigate.WebFlowCurrentEventLookupFunction;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.EventContext;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.3.2.jar:net/shibboleth/idp/authn/impl/TransitionMultiFactorAuthentication.class */
public class TransitionMultiFactorAuthentication extends AbstractAuthenticationAction {

    @Nonnull
    private final Logger log = LoggerFactory.getLogger((Class<?>) TransitionMultiFactorAuthentication.class);

    @Nonnull
    private Function<ProfileRequestContext, MultiFactorAuthenticationContext> multiFactorContextLookupStrategy = new ChildContextLookup(MultiFactorAuthenticationContext.class).compose(new ChildContextLookup(AuthenticationContext.class));

    @Nonnull
    private Function<ProfileRequestContext, EventContext> eventContextLookupStrategy = new WebFlowCurrentEventLookupFunction();
    private boolean validateLoginTransitions = true;

    @Nullable
    private MultiFactorAuthenticationContext mfaContext;

    @Nullable
    private String previousEvent;

    TransitionMultiFactorAuthentication() {
    }

    public void setMultiFactorContextLookupStrategy(@Nonnull Function<ProfileRequestContext, MultiFactorAuthenticationContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.multiFactorContextLookupStrategy = (Function) Constraint.isNotNull(function, "MultiFactorAuthenticationContext lookup strategy cannot be null");
    }

    public void setEventContextLookupStrategy(@Nonnull Function<ProfileRequestContext, EventContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.eventContextLookupStrategy = (Function) Constraint.isNotNull(function, "EventContext lookup strategy cannot be null");
    }

    public void setValidateLoginTransitions(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.validateLoginTransitions = z;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        this.mfaContext = this.multiFactorContextLookupStrategy.apply(profileRequestContext);
        if (this.mfaContext != null) {
            return true;
        }
        this.log.error("{} No MultiFactorAuthenticationContext found by lookup strategy", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
        return false;
    }

    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        authenticationContext.setAttemptedFlow(this.mfaContext.getAuthenticationFlowDescriptor());
        if (this.previousEvent == null) {
            EventContext apply = this.eventContextLookupStrategy.apply(profileRequestContext);
            this.previousEvent = (apply == null || apply.getEvent() == null) ? EventIds.PROCEED_EVENT_ID : apply.getEvent().toString();
        }
        AuthenticationResult authenticationResult = authenticationContext.getAuthenticationResult();
        if (authenticationResult != null) {
            if (EventIds.PROCEED_EVENT_ID.equals(this.previousEvent)) {
                this.log.debug("{} Preserving authentication result from '{}' flow", getLogPrefix(), authenticationResult.getAuthenticationFlowId());
                this.mfaContext.getActiveResults().put(authenticationResult.getAuthenticationFlowId(), authenticationResult);
            } else {
                this.log.debug("{} Discarding incomplete authentication result from '{}' flow", getLogPrefix(), authenticationResult.getAuthenticationFlowId());
            }
            authenticationContext.setAuthenticationResult(null);
        }
        String nextFlowId = this.mfaContext.getNextFlowId();
        this.mfaContext.setNextFlowId(null);
        if (nextFlowId == null) {
            this.log.debug("{} Applying MFA transition rule to determine initial state", getLogPrefix());
        } else {
            this.log.debug("{} Applying MFA transition rule to exit state '{}'", getLogPrefix(), nextFlowId);
        }
        String str = null;
        MultiFactorAuthenticationTransition multiFactorAuthenticationTransition = this.mfaContext.getTransitionMap().get(nextFlowId);
        if (multiFactorAuthenticationTransition != null) {
            str = multiFactorAuthenticationTransition.getNextFlowStrategy(this.previousEvent).apply(profileRequestContext);
            if (str == null) {
                str = multiFactorAuthenticationTransition.getNextFlowStrategy("*").apply(profileRequestContext);
            }
        }
        if (str != null) {
            this.log.debug("{} MFA flow transition after '{}' event to '{}' flow", getLogPrefix(), this.previousEvent, str);
            this.mfaContext.setNextFlowId(str);
            doTransition(profileRequestContext, authenticationContext, multiFactorAuthenticationTransition);
        } else {
            String event = this.mfaContext.getEvent() != null ? this.mfaContext.getEvent() : this.previousEvent;
            this.log.debug("{} MFA flow completing with event '{}'", getLogPrefix(), event);
            if (EventIds.PROCEED_EVENT_ID.equals(event)) {
                ActionSupport.buildProceedEvent(profileRequestContext);
            } else {
                ActionSupport.buildEvent(profileRequestContext, event);
            }
        }
    }

    private void doTransition(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull MultiFactorAuthenticationTransition multiFactorAuthenticationTransition) {
        String nextFlowId = this.mfaContext.getNextFlowId();
        if (!nextFlowId.startsWith(AuthenticationFlowDescriptor.FLOW_ID_PREFIX)) {
            ActionSupport.buildProceedEvent(profileRequestContext);
            return;
        }
        AuthenticationFlowDescriptor authenticationFlowDescriptor = authenticationContext.getAvailableFlows().get(nextFlowId);
        if (authenticationFlowDescriptor == null) {
            this.log.error("{} Targeted login flow '{}' is not configured, check available flow descriptors", getLogPrefix(), nextFlowId);
            ActionSupport.buildEvent(profileRequestContext, authenticationContext.isPassive() ? AuthnEventIds.NO_PASSIVE : AuthnEventIds.NO_POTENTIAL_FLOW);
            return;
        }
        AuthenticationResult authenticationResult = this.mfaContext.getActiveResults().get(nextFlowId);
        if (authenticationResult != null) {
            if (authenticationResult.test(profileRequestContext)) {
                this.log.debug("{} Reusing active result for flow {}", getLogPrefix(), nextFlowId);
                authenticationResult.setLastActivityInstantToNow();
                this.previousEvent = EventIds.PROCEED_EVENT_ID;
                ActionSupport.buildProceedEvent(profileRequestContext);
                doExecute(profileRequestContext, authenticationContext);
                return;
            }
            this.log.debug("{} Active result for flow {} not reusable, ignoring", getLogPrefix(), nextFlowId);
            this.mfaContext.getActiveResults().remove(nextFlowId);
        }
        if (this.validateLoginTransitions) {
            if (authenticationContext.isPassive() && !authenticationFlowDescriptor.isPassiveAuthenticationSupported()) {
                this.log.error("{} Targeted login flow '{}' does not support passive authentication", getLogPrefix(), nextFlowId);
                ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_PASSIVE);
                return;
            }
            if ((authenticationContext.isForceAuthn() || authenticationContext.getMaxAge() != null) && !authenticationFlowDescriptor.isForcedAuthenticationSupported()) {
                this.log.error("{} Targeted login flow '{}' does not support forced re-authentication", getLogPrefix(), nextFlowId);
                ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.REQUEST_UNSUPPORTED);
                return;
            } else if (!profileRequestContext.isBrowserProfile() && !authenticationFlowDescriptor.isNonBrowserSupported()) {
                this.log.error("{} Targeted login flow '{}' does not support non-browser authentication", getLogPrefix(), nextFlowId);
                ActionSupport.buildEvent(profileRequestContext, authenticationContext.isPassive() ? AuthnEventIds.NO_PASSIVE : AuthnEventIds.REQUEST_UNSUPPORTED);
                return;
            } else if (authenticationFlowDescriptor.isProxyScopingEnforced() && authenticationContext.getProxyCount() != null && authenticationContext.getProxyCount().intValue() == 0) {
                this.log.error("{} Targeted login flow '{}' cannot be used with an effective ProxyCount of zero", getLogPrefix(), nextFlowId);
                ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.PROXY_COUNT_EXCEEDED);
                return;
            }
        }
        authenticationContext.setAttemptedFlow(authenticationFlowDescriptor);
        ActionSupport.buildProceedEvent(profileRequestContext);
    }
}
