package net.shibboleth.idp.authn.impl;

import java.security.Principal;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.AuthenticationFlowDescriptor;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.PreferredPrincipalContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicate;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.3.1.jar:net/shibboleth/idp/authn/impl/SelectAuthenticationFlow.class */
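public class SelectAuthenticationFlow extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(SelectAuthenticationFlow.class);

    /**
     * When true and specific principals were requested, an active result that satisfies
     * any requested principal is reused before any inactive flow is considered.
     */
    private boolean favorSSO;

    /** Requested-principal context, or null if absent, operator-less, or empty. */
    @Nullable
    private RequestedPrincipalContext requestedPrincipalCtx;

    /** Preferred-principal context, or null if absent or empty. */
    @Nullable
    private PreferredPrincipalContext preferredPrincipalCtx;

    /** True when the effective proxy count is exactly zero; flows that enforce proxy scoping are then disallowed. */
    private boolean noProxying;

    /**
     * Get whether active results are favored over requested-principal order.
     *
     * @return whether SSO is favored
     */
    public boolean getFavorSSO() {
        return favorSSO;
    }

    /**
     * Set whether active results are favored over requested-principal order.
     *
     * @param flag what to set
     */
    public void setFavorSSO(final boolean flag) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        favorSSO = flag;
    }

    /**
     * Capture per-request state (proxy count, requested/preferred principals) and move any
     * previously attempted-but-incomplete flow into the intermediate set so it is not retried.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return false if the parent check fails, true otherwise
     */
    // NOTE(review): the decompiler widened this from protected to public (see upstream); kept public so the
    // visible interface is unchanged.
    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }

        // Only an explicit count of zero forbids proxying; a null count is unconstrained.
        final Integer proxyCount = authenticationContext.getProxyCount();
        noProxying = proxyCount != null && proxyCount.intValue() == 0;

        // A requested-principal context is only meaningful with an operator and at least one principal.
        requestedPrincipalCtx = authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        if (requestedPrincipalCtx != null
                && (requestedPrincipalCtx.getOperator() == null
                    || requestedPrincipalCtx.getRequestedPrincipals().isEmpty())) {
            requestedPrincipalCtx = null;
        }

        preferredPrincipalCtx = authenticationContext.getSubcontext(PreferredPrincipalContext.class);
        if (preferredPrincipalCtx != null && preferredPrincipalCtx.getPreferredPrincipals().isEmpty()) {
            preferredPrincipalCtx = null;
        }

        // A flow that was attempted but did not complete is parked so later selection skips it.
        final AuthenticationFlowDescriptor attempted = authenticationContext.getAttemptedFlow();
        if (attempted != null) {
            log.info("{} Moving incomplete flow {} to intermediate set", getLogPrefix(), attempted.getId());
            authenticationContext.getIntermediateFlows().put(attempted.getId(), attempted);
        }
        return true;
    }

    /**
     * Dispatch to the selection strategy: a signaled flow takes priority, then the presence or
     * absence of requested principals decides the path.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (authenticationContext.getSignaledFlowId() != null) {
            doSelectSignaledFlow(profileRequestContext, authenticationContext);
        } else if (requestedPrincipalCtx == null) {
            doSelectNoRequestedPrincipals(profileRequestContext, authenticationContext);
        } else {
            doSelectRequestedPrincipals(profileRequestContext, authenticationContext);
        }
    }

    /**
     * Honor a flow ID signaled into the context (e.g. by an earlier flow), reusing an active
     * result for it when permitted, otherwise running it as an inactive flow.
     *
     * <p>The signaled ID is cleared from the context in every path so it cannot leak into a
     * later selection.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    private void doSelectSignaledFlow(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final String signaledId = authenticationContext.getSignaledFlowId();
        final AuthenticationFlowDescriptor flow = authenticationContext.getPotentialFlows().get(signaledId);
        if (flow == null) {
            log.error("{} Signaled flow {} is not available", getLogPrefix(), signaledId);
            ActionSupport.buildEvent(profileRequestContext,
                    authenticationContext.isPassive() ? AuthnEventIds.NO_PASSIVE : AuthnEventIds.NO_POTENTIAL_FLOW);
            authenticationContext.setSignaledFlowId(null);
            return;
        }

        // Consume the signal before doing anything else.
        authenticationContext.setSignaledFlowId(null);
        log.debug("{} Attempting to honor signaled flow {}", getLogPrefix(), flow.getId());

        // Proxy scoping is enforced on the signaled flow even when an active result exists for it.
        if (noProxying && flow.isProxyScopingEnforced()) {
            log.error("{} Signaled flow {} disallowed due to proxy count of zero", getLogPrefix(), flow.getId());
            ActionSupport.buildEvent(profileRequestContext,
                    authenticationContext.isPassive() ? AuthnEventIds.NO_PASSIVE : AuthnEventIds.PROXY_COUNT_EXCEEDED);
            return;
        }

        // Look for a reusable active result for this flow unless forced authentication was requested.
        AuthenticationResult activeResult = null;
        if (!authenticationContext.isForceAuthn()) {
            activeResult = authenticationContext.getActiveResults().get(flow.getId());
            // FIX: Map.get() returns null when the session has no result for this flow; the original
            // dereferenced it unconditionally and threw an NPE for any signaled flow without an active result.
            if (activeResult != null && !activeResult.test(profileRequestContext)) {
                log.debug("{} Active result for flow {} not reusable, ignoring", getLogPrefix(),
                        activeResult.getAuthenticationFlowId());
                activeResult = null;
            }
        }

        if (activeResult != null) {
            if (requestedPrincipalCtx == null) {
                selectActiveResult(profileRequestContext, authenticationContext, activeResult);
                return;
            }
            // With requested principals, the active result is only reused if one of them accepts it.
            for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
                final PrincipalEvalPredicate predicate = requestedPrincipalCtx.getPredicate(principal);
                if (predicate == null) {
                    warnUnsupportedPrincipal(principal);
                } else if (predicate.test(activeResult)) {
                    selectActiveResult(profileRequestContext, authenticationContext, activeResult);
                    return;
                }
            }
        }

        // No reusable result: the flow must be run, which passive requests only allow if supported.
        if (authenticationContext.isPassive() && !flow.isPassiveAuthenticationSupported()) {
            log.error("{} Signaled flow {} does not support passive authentication", getLogPrefix(), flow.getId());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_PASSIVE);
            return;
        }

        if (requestedPrincipalCtx != null) {
            for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
                final PrincipalEvalPredicate predicate = requestedPrincipalCtx.getPredicate(principal);
                if (predicate == null) {
                    warnUnsupportedPrincipal(principal);
                } else if (predicate.test(flow) && flow.test(profileRequestContext)) {
                    selectInactiveFlow(profileRequestContext, authenticationContext, flow);
                    return;
                }
            }
        } else if (flow.test(profileRequestContext)) {
            selectInactiveFlow(profileRequestContext, authenticationContext, flow);
            return;
        }

        log.error("{} Signaled flow {} was not applicable to request", getLogPrefix(), flow.getId());
        ActionSupport.buildEvent(profileRequestContext,
                authenticationContext.isPassive() ? AuthnEventIds.NO_PASSIVE : AuthnEventIds.NO_POTENTIAL_FLOW);
    }

    /**
     * Selection when no specific principals were requested: prefer a reusable active result
     * (unless forced authentication), else the first eligible inactive flow.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    private void doSelectNoRequestedPrincipals(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        log.debug("{} No specific Principals requested", getLogPrefix());

        if (authenticationContext.isForceAuthn()) {
            log.debug("{} Forced authentication requested, selecting an inactive flow", getLogPrefix());
            final AuthenticationFlowDescriptor flow =
                    getUnattemptedInactiveFlow(profileRequestContext, authenticationContext);
            if (flow != null) {
                selectInactiveFlow(profileRequestContext, authenticationContext, flow);
            } else {
                log.info("{} No potential flows left to choose from, authentication failed", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext,
                        failureEvent(authenticationContext, AuthnEventIds.NO_POTENTIAL_FLOW));
            }
            return;
        }

        // Scan active results: stop at the first one the preferred-principal context accepts; if none is
        // acceptable, the LAST reusable result seen is kept (each reusable result overwrites the candidate).
        // NOTE(review): unlike the signaled and inactive paths, reuse here applies no noProxying /
        // isProxyScopingEnforced check; confirm whether active results are filtered for that upstream.
        AuthenticationResult candidate = null;
        for (final AuthenticationResult active : authenticationContext.getActiveResults().values()) {
            if (!active.test(profileRequestContext)) {
                log.debug("{} Active result for flow {} not reusable, ignoring", getLogPrefix(),
                        active.getAuthenticationFlowId());
                continue;
            }
            candidate = active;
            if (preferredPrincipalCtx == null || preferredPrincipalCtx.isAcceptable(active)) {
                break;
            }
        }

        if (candidate != null) {
            selectActiveResult(profileRequestContext, authenticationContext, candidate);
            return;
        }

        log.debug("{} No usable active results available, selecting an inactive flow", getLogPrefix());
        final AuthenticationFlowDescriptor flow =
                getUnattemptedInactiveFlow(profileRequestContext, authenticationContext);
        if (flow != null) {
            selectInactiveFlow(profileRequestContext, authenticationContext, flow);
        } else {
            log.info("{} No potential flows left to choose from, authentication failed", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext,
                    failureEvent(authenticationContext, AuthnEventIds.NO_POTENTIAL_FLOW));
        }
    }

    /**
     * Find an inactive flow that has not been attempted and is eligible for this request.
     *
     * <p>Eligibility: not in the intermediate set, passive-capable if the request is passive,
     * not proxy-scoped if proxying is disallowed, and its own activation condition passes.
     * The first eligible flow acceptable to the preferred-principal context wins; if none is
     * acceptable, the last eligible flow in iteration order is returned.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return an eligible flow, or null if there is none
     */
    @Nullable
    private AuthenticationFlowDescriptor getUnattemptedInactiveFlow(
            @Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        AuthenticationFlowDescriptor candidate = null;
        for (final AuthenticationFlowDescriptor flow : authenticationContext.getPotentialFlows().values()) {
            if (authenticationContext.getIntermediateFlows().containsKey(flow.getId())) {
                continue;
            }
            if (authenticationContext.isPassive() && !flow.isPassiveAuthenticationSupported()) {
                continue;
            }
            if (noProxying && flow.isProxyScopingEnforced()) {
                continue;
            }
            if (!flow.test(profileRequestContext)) {
                continue;
            }
            candidate = flow;
            if (preferredPrincipalCtx == null || preferredPrincipalCtx.isAcceptable(flow)) {
                break;
            }
        }
        return candidate;
    }

    /**
     * Record the chosen inactive flow and signal it by emitting an event named after its ID.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param flow the flow to run
     */
    private void selectInactiveFlow(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final AuthenticationFlowDescriptor flow) {
        log.debug("{} Selecting inactive authentication flow {}", getLogPrefix(), flow.getId());
        authenticationContext.setAttemptedFlow(flow);
        ActionSupport.buildEvent(profileRequestContext, flow.getId());
    }

    /**
     * Reuse an active result: touch its last-activity time, install it as the result, and proceed.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param result the result to reuse
     */
    private void selectActiveResult(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final AuthenticationResult result) {
        log.debug("{} Reusing active result {}", getLogPrefix(), result.getAuthenticationFlowId());
        result.setLastActivityInstantToNow();
        authenticationContext.setAuthenticationResult(result);
        ActionSupport.buildProceedEvent(profileRequestContext);
    }

    /**
     * Selection when specific principals were requested: forced authentication and an empty
     * active-result set both go straight to an inactive flow; otherwise active results are considered.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    private void doSelectRequestedPrincipals(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        log.debug("{} Specific principals requested with '{}' operator: {}", getLogPrefix(),
                requestedPrincipalCtx.getOperator(), requestedPrincipalCtx.getRequestedPrincipals());

        if (authenticationContext.isForceAuthn()) {
            log.debug("{} Forced authentication requested, selecting an inactive flow", getLogPrefix());
            selectRequestedInactiveFlow(profileRequestContext, authenticationContext);
        } else if (authenticationContext.getActiveResults().isEmpty()) {
            log.debug("{} No active results available, selecting an inactive flow", getLogPrefix());
            selectRequestedInactiveFlow(profileRequestContext, authenticationContext);
        } else {
            selectRequestedFlow(profileRequestContext, authenticationContext,
                    authenticationContext.getActiveResults());
        }
    }

    /**
     * Walk the requested principals in order and select the first unattempted inactive flow
     * that satisfies one of them and is otherwise eligible (activation condition, passive
     * support, proxy scoping).
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    private void selectRequestedInactiveFlow(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final Map<String, AuthenticationFlowDescriptor> potentialFlows = authenticationContext.getPotentialFlows();

        for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
            log.debug("{} Checking for inactive flow compatible with operator '{}' and principal '{}'",
                    getLogPrefix(), requestedPrincipalCtx.getOperator(), principal.getName());
            final PrincipalEvalPredicate predicate = requestedPrincipalCtx.getPredicate(principal);
            if (predicate == null) {
                warnUnsupportedPrincipal(principal);
                continue;
            }
            for (final AuthenticationFlowDescriptor flow : potentialFlows.values()) {
                if (authenticationContext.getIntermediateFlows().containsKey(flow.getId())
                        || !predicate.test(flow)
                        || !flow.test(profileRequestContext)
                        || (authenticationContext.isPassive() && !flow.isPassiveAuthenticationSupported())) {
                    continue;
                }
                if (noProxying && flow.isProxyScopingEnforced()) {
                    log.debug("{} Flow '{}' disallowed by effective proxy count of zero", getLogPrefix(),
                            flow.getId());
                    continue;
                }
                selectInactiveFlow(profileRequestContext, authenticationContext, flow);
                return;
            }
        }

        log.info("{} None of the potential authentication flows can satisfy the request", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext,
                failureEvent(authenticationContext, AuthnEventIds.REQUEST_UNSUPPORTED));
    }

    /**
     * Selection with requested principals and at least one active result.
     *
     * <p>With {@code favorSSO}, any reusable active result satisfying a requested principal
     * is taken first, and only then are inactive flows considered. Without it, requested
     * principals are walked in order and, per matching eligible flow, its active result is
     * reused if usable, else the flow itself is run.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param activeResults active results keyed by flow ID
     */
    private void selectRequestedFlow(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @NonnullElements @Nonnull final Map<String, AuthenticationResult> activeResults) {

        if (favorSSO) {
            // FIX: the original passed no argument for the '{}' placeholder, so the prefix was never logged.
            log.debug("{} Giving priority to active results that meet request requirements", getLogPrefix());
            for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
                log.debug("{} Checking for an active result compatible with operator '{}' and principal '{}'",
                        getLogPrefix(), requestedPrincipalCtx.getOperator(), principal.getName());
                final PrincipalEvalPredicate predicate = requestedPrincipalCtx.getPredicate(principal);
                if (predicate == null) {
                    warnUnsupportedPrincipal(principal);
                    continue;
                }
                for (final AuthenticationResult result : activeResults.values()) {
                    if (result.test(profileRequestContext) && predicate.test(result)) {
                        selectActiveResult(profileRequestContext, authenticationContext, result);
                        return;
                    }
                    log.debug("{} Active result for flow {} not usable, ignoring", getLogPrefix(),
                            result.getAuthenticationFlowId());
                }
            }
            selectRequestedInactiveFlow(profileRequestContext, authenticationContext);
            return;
        }

        final Map<String, AuthenticationFlowDescriptor> potentialFlows = authenticationContext.getPotentialFlows();
        for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
            log.debug("{} Checking for an inactive flow or active result compatible with operator '{}' and principal '{}'",
                    getLogPrefix(), requestedPrincipalCtx.getOperator(), principal.getName());
            final PrincipalEvalPredicate predicate = requestedPrincipalCtx.getPredicate(principal);
            if (predicate == null) {
                warnUnsupportedPrincipal(principal);
                continue;
            }
            for (final AuthenticationFlowDescriptor flow : potentialFlows.values()) {
                if (authenticationContext.getIntermediateFlows().containsKey(flow.getId())
                        || !predicate.test(flow)
                        || !flow.test(profileRequestContext)) {
                    continue;
                }

                // Prefer the flow's own active result when it is both reusable and acceptable to the predicate.
                final AuthenticationResult result = activeResults.get(flow.getId());
                if (result != null) {
                    if (result.test(profileRequestContext) && predicate.test(result)) {
                        selectActiveResult(profileRequestContext, authenticationContext, result);
                        return;
                    }
                    log.debug("{} Active result for flow {} not usable, ignoring", getLogPrefix(),
                            result.getAuthenticationFlowId());
                }

                // Otherwise run the flow, subject to passive support and proxy scoping.
                if (authenticationContext.isPassive() && !flow.isPassiveAuthenticationSupported()) {
                    continue;
                }
                if (noProxying && flow.isProxyScopingEnforced()) {
                    log.debug("{} Flow '{}' disallowed by effective proxy count of zero", getLogPrefix(),
                            flow.getId());
                    continue;
                }
                selectInactiveFlow(profileRequestContext, authenticationContext, flow);
                return;
            }
        }

        log.info("{} None of the potential authentication flows can satisfy the request", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext,
                failureEvent(authenticationContext, AuthnEventIds.REQUEST_UNSUPPORTED));
    }

    /**
     * Log that the requested-principal configuration has no predicate for this operator/type pair.
     *
     * @param principal the principal that could not be evaluated
     */
    private void warnUnsupportedPrincipal(@Nonnull final Principal principal) {
        log.warn("{} Configuration does not support requested principal evaluation with operator '{}' and type '{}'",
                getLogPrefix(), requestedPrincipalCtx.getOperator(), principal.getClass());
    }

    /**
     * Event to signal when no flow could be selected: passive requests report NO_PASSIVE,
     * a zero proxy count reports PROXY_COUNT_EXCEEDED, otherwise the given fallback.
     *
     * @param authenticationContext current authentication context
     * @param fallback event to use when neither passive nor proxy constraints apply
     * @return the event ID to emit
     */
    @Nonnull
    private String failureEvent(@Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final String fallback) {
        if (authenticationContext.isPassive()) {
            return AuthnEventIds.NO_PASSIVE;
        }
        if (noProxying) {
            return AuthnEventIds.PROXY_COUNT_EXCEEDED;
        }
        return fallback;
    }
}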
