package net.shibboleth.idp.authn;

import com.google.common.base.Predicates;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.CredentialValidator;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicate;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactory;
import net.shibboleth.idp.authn.principal.PrincipalSupportingComponent;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.annotation.constraint.NotLive;
import net.shibboleth.utilities.java.support.annotation.constraint.Unmodifiable;
import net.shibboleth.utilities.java.support.component.AbstractIdentifiedInitializableComponent;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-api-4.3.1.jar:net/shibboleth/idp/authn/AbstractCredentialValidator.class */
/**
 * Base class for {@link CredentialValidator} implementations. It gates the subclass-specific check
 * in {@link #doValidate} behind an activation condition and a requested-principal compatibility test.
 *
 * <p>Security-relevant behaviour visible in this class:</p>
 * <ul>
 *   <li>{@link #validate} returns {@code null} when the activation condition is false and when the
 *       validator is not compatible with the requested principals. {@link #doValidate} is itself
 *       {@code @Nullable}, so a {@code null} result does not tell the caller which case occurred.
 *       In none of these cases has a credential been accepted.</li>
 *   <li>{@link #isAcceptable} reports {@code true} without comparing anything when no custom
 *       principals are configured. A validator left without supported principals is therefore
 *       never filtered out by a relying party's principal requirements.</li>
 *   <li>Both setters refuse changes once the component is initialized.</li>
 * </ul>
 */
public abstract class AbstractCredentialValidator extends AbstractIdentifiedInitializableComponent implements CredentialValidator, PrincipalSupportingComponent {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AbstractCredentialValidator.class);

    /** Decides whether this validator takes part in a given request; defaults to always true. */
    @Nonnull
    private Predicate<ProfileRequestContext> activationCondition = Predicates.alwaysTrue();

    /** Lazily built prefix for log messages, see {@link #getLogPrefix()}. */
    @Nullable
    private String logPrefix;

    /** Holder for the configured custom principals; {@code null} when none are configured. */
    @Nullable
    private Subject customPrincipals;

    /**
     * Sets the component identifier by delegating to the superclass.
     *
     * @param str the identifier to assign
     */
    @Override
    public synchronized void setId(String str) {
        super.setId(str);
    }

    /**
     * Installs the condition that must hold for {@link #validate} to proceed.
     *
     * <p>Rejected once the component is initialized. The null check is delegated to
     * {@code Constraint.isNotNull}.</p>
     *
     * @param predicate the activation condition
     */
    public void setActivationCondition(@Nonnull Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.activationCondition = Constraint.isNotNull(predicate, "Activation condition cannot be null");
    }

    /**
     * Returns the configured custom principals of the requested type.
     *
     * <p>The result comes from {@link Subject#getPrincipals(Class)}, which the JDK documents as
     * returning a set that is not backed by the subject's internal principal set.</p>
     *
     * @param cls the principal type to select
     * @param <T> the principal type
     * @return the matching principals, or an empty set when no custom principals are configured
     */
    @Override
    @NonnullElements
    @Nonnull
    @NotLive
    @Unmodifiable
    public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull Class<T> cls) {
        if (this.customPrincipals == null) {
            return Collections.emptySet();
        }
        return this.customPrincipals.getPrincipals(cls);
    }

    /**
     * Replaces the custom principals this validator advertises and adds to produced subjects.
     *
     * <p>A {@code null} or empty collection clears the configuration, which also switches off the
     * principal compatibility filter in {@link #isAcceptable}. The input is snapshotted with
     * {@link Set#copyOf}, so later changes to the caller's collection have no effect here, and a
     * {@code null} element is rejected with a {@link NullPointerException}. Rejected once the
     * component is initialized.</p>
     *
     * @param collection the principals to configure, or {@code null} for none
     */
    public void setSupportedPrincipals(@NonnullElements @Nullable Collection<Principal> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        if (collection == null) {
            this.customPrincipals = null;
            return;
        }
        final Set<Principal> snapshot = Set.copyOf(collection);
        if (snapshot.isEmpty()) {
            this.customPrincipals = null;
            return;
        }
        this.customPrincipals = new Subject();
        this.customPrincipals.getPrincipals().addAll(snapshot);
    }

    /**
     * Runs the activation and principal-compatibility gates, then delegates to {@link #doValidate}.
     *
     * <p>Throws if the component is not initialized. Returns {@code null} without calling
     * {@link #doValidate} when the activation condition is false or when {@link #isAcceptable}
     * rejects the request. Callers must not read {@code null} as a successful validation.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param warningHandler optional warning handler, passed through to {@link #doValidate}
     * @param errorHandler optional error handler, passed through to {@link #doValidate}
     * @return the result of {@link #doValidate}, or {@code null} when a gate skipped this validator
     * @throws Exception whatever {@link #doValidate} throws
     */
    @Override
    public Subject validate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable CredentialValidator.WarningHandler warningHandler, @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);

        final boolean active = this.activationCondition.test(profileRequestContext);
        if (!active) {
            this.log.debug("{} Activation condition was false, ignoring request", getLogPrefix());
            return null;
        }

        final RequestedPrincipalContext requested = authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        if (!isAcceptable(requested, this.customPrincipals, getId())) {
            // isAcceptable has already logged why this validator was skipped.
            return null;
        }
        return doValidate(profileRequestContext, authenticationContext, warningHandler, errorHandler);
    }

    /**
     * Performs the implementation-specific credential check. {@link #validate} calls it only after
     * both gates have passed.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param warningHandler optional warning handler
     * @param errorHandler optional error handler
     * @return the resulting subject, or {@code null}
     * @throws Exception implementation-defined
     */
    @Nullable
    protected abstract Subject doValidate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable CredentialValidator.WarningHandler warningHandler, @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception;

    /**
     * Adds every configured custom principal to the supplied subject and returns that same subject.
     *
     * <p>The argument is modified in place. Nothing is added when no custom principals are
     * configured.</p>
     *
     * @param subject the subject to decorate
     * @return the same {@code subject} instance
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Nonnull
    public Subject populateSubject(@Nonnull Subject subject) {
        final Subject extras = this.customPrincipals;
        if (extras == null) {
            return subject;
        }
        subject.getPrincipals().addAll(extras.getPrincipals());
        return subject;
    }

    /**
     * Returns the prefix used on this component's log messages, building it on first use.
     *
     * <p>The value is cached in a plain field and no synchronization is visible in this method.</p>
     *
     * @return {@code "Credential Validator <id>:"}, with {@code (unknown)} when no id is set
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @NotEmpty
    @Nonnull
    public String getLogPrefix() {
        if (this.logPrefix != null) {
            return this.logPrefix;
        }
        final String label;
        if (getId() != null) {
            label = getId();
        } else {
            label = "(unknown)";
        }
        this.logPrefix = "Credential Validator " + label + ":";
        return this.logPrefix;
    }

    /**
     * Decides whether a validator advertising {@code subject}'s principals can satisfy the
     * request's principal requirements.
     *
     * <p>Returns {@code true} immediately, with no comparison, when {@code subject} is
     * {@code null}, when there is no requested-principal context, or when that context has no
     * operator. Otherwise each requested principal is evaluated with the predicate factory
     * registered for its class and the operator. On the first match the matching principal is
     * recorded on {@code requestedPrincipalContext}, a side effect on the caller's context, and
     * {@code true} is returned. Requested principals with no registered factory are logged and
     * skipped.</p>
     *
     * @param requestedPrincipalContext the request's principal requirements, if any
     * @param subject holder of the validator's custom principals, if any
     * @param str the validator identifier, used only in log output
     * @return {@code true} if the validator may be used for this request
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isAcceptable(@Nullable RequestedPrincipalContext requestedPrincipalContext, @Nullable final Subject subject, @NotEmpty @Nonnull String str) {
        final boolean nothingToCompare = subject == null
                || requestedPrincipalContext == null
                || requestedPrincipalContext.getOperator() == null;
        if (nothingToCompare) {
            return true;
        }

        this.log.debug("{} Request contains principal requirements, checking validator '{}' for compatibility", getLogPrefix(), str);

        for (final Principal wanted : requestedPrincipalContext.getRequestedPrincipals()) {
            final PrincipalEvalPredicateFactory factory = requestedPrincipalContext.getPrincipalEvalPredicateFactoryRegistry().lookup(wanted.getClass(), requestedPrincipalContext.getOperator());
            if (factory == null) {
                this.log.debug("{} No comparison logic registered for principal type '{}' and operator '{}'", getLogPrefix(), wanted.getClass(), requestedPrincipalContext.getOperator());
                continue;
            }

            final PrincipalEvalPredicate evaluator = factory.getPredicate(wanted);
            if (!evaluator.test(principalsOf(subject))) {
                this.log.debug("{} Validator '{}' not compatible with principal type '{}' and operator '{}'", getLogPrefix(), str, wanted.getClass(), requestedPrincipalContext.getOperator());
                continue;
            }

            this.log.debug("{} Validator '{}' compatible with principal type '{}' and operator '{}'", getLogPrefix(), str, wanted.getClass(), requestedPrincipalContext.getOperator());
            requestedPrincipalContext.setMatchingPrincipal(evaluator.getMatchingPrincipal());
            return true;
        }

        this.log.debug("{} Skipping validator '{}', not compatible with request's principal requirements", getLogPrefix(), str);
        return false;
    }

    /**
     * Wraps a subject as a {@link PrincipalSupportingComponent} so a principal-evaluation
     * predicate can query its principals by type.
     *
     * @param subject the subject whose principals are exposed
     * @return a new adapter backed by {@code subject}
     */
    @Nonnull
    private static PrincipalSupportingComponent principalsOf(@Nonnull final Subject subject) {
        return new PrincipalSupportingComponent() {
            @Override
            public <T extends Principal> Set<T> getSupportedPrincipals(Class<T> cls) {
                return subject.getPrincipals(cls);
            }
        };
    }
}
