package net.shibboleth.idp.saml.profile.impl;

import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.config.navigate.ForceAuthnProfileConfigPredicate;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration;
import net.shibboleth.idp.saml.saml2.profile.config.logic.IgnoreScopingProfileConfigPredicate;
import net.shibboleth.idp.saml.saml2.profile.config.navigate.ProxyCountLookupFunction;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.MessageLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.IDPList;
import org.opensaml.saml.saml2.core.Scoping;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.3.3.jar:net/shibboleth/idp/saml/profile/impl/InitializeAuthenticationContext.class */
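/**
 * Profile action that builds an {@link AuthenticationContext} from an inbound SAML 2
 * {@link AuthnRequest} (when one is present) and the relying party's profile configuration, then
 * attaches it to the {@link ProfileRequestContext}.
 *
 * <p>Security-relevant behavior visible in this class:</p>
 * <ul>
 *   <li><b>ForceAuthn</b> is the logical OR of the request's flag and the configured predicate, so
 *       configuration can add a re-authentication requirement but cannot cancel one the request
 *       asked for.</li>
 *   <li><b>Proxy count</b> is the minimum of the request's {@code Scoping} value and the configured
 *       value, with negative inputs clamped to zero, so neither side can widen the other's
 *       limit.</li>
 *   <li><b>Scoping</b> that the profile configuration disallows produces
 *       {@link EventIds#ACCESS_DENIED} and no {@link AuthenticationContext} is attached.</li>
 *   <li>Every value taken from the {@link AuthnRequest} is requester-supplied. Nothing in this class
 *       checks a signature or otherwise authenticates the request; that is presumably done by
 *       earlier actions in the flow and should be confirmed there.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output. The raw types and unchecked casts it
 * contained have been replaced with properly parameterized types; no control flow was changed.</p>
 */
public class InitializeAuthenticationContext extends AbstractProfileAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(InitializeAuthenticationContext.class);

    /** Locates the {@link RelyingPartyContext} whose profile configuration governs Scoping. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy =
            new ChildContextLookup<>(RelyingPartyContext.class);

    /** Configuration-driven ForceAuthn decision, consulted only when the request did not force. */
    @Nonnull
    private Predicate<ProfileRequestContext> forceAuthnPredicate = new ForceAuthnProfileConfigPredicate();

    /** When true, an inbound Scoping element is ignored (and a warning is logged). */
    @Nonnull
    private Predicate<ProfileRequestContext> ignoreScopingPredicate = new IgnoreScopingProfileConfigPredicate();

    /**
     * Supplies the configured proxy count; the function itself may return {@code null}.
     *
     * <p>The field is never null: it has a default, the setter rejects null, and
     * {@link #doExecute} dereferences it without a guard. It is therefore annotated
     * {@code @Nonnull} rather than the {@code @Nullable} the decompiled listing carried.</p>
     */
    @Nonnull
    private Function<ProfileRequestContext, Integer> proxyCountLookupStrategy = new ProxyCountLookupFunction();

    /** Locates the inbound {@link AuthnRequest} message. */
    @Nonnull
    private Function<ProfileRequestContext, AuthnRequest> requestLookupStrategy =
            new MessageLookup<>(AuthnRequest.class).compose(new InboundMessageContextLookup());

    // Request being processed: written in doPreExecute, read in doExecute/processScoping.
    // NOTE(review): per-request state in an instance field assumes this action instance is not
    // shared by concurrent requests - confirm the bean scope used to wire it.
    @Nullable
    private AuthnRequest authnRequest;

    /**
     * Sets the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param function lookup strategy, must not be null
     */
    public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext, RelyingPartyContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    /**
     * Sets the predicate that decides whether configuration forces re-authentication.
     *
     * @param predicate predicate to apply, must not be null
     */
    public void setForceAuthnPredicate(@Nonnull Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.forceAuthnPredicate = Constraint.isNotNull(predicate, "Forced authentication predicate cannot be null");
    }

    /**
     * Sets the predicate that decides whether an inbound Scoping element is ignored.
     *
     * @param predicate predicate to apply, must not be null
     */
    public void setIgnoreScopingPredicate(@Nonnull Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.ignoreScopingPredicate = Constraint.isNotNull(predicate, "Ignore Scoping predicate cannot be null");
    }

    /**
     * Sets the strategy that supplies the configured proxy count.
     *
     * @param function lookup strategy, must not be null
     */
    public void setProxyCountLookupStrategy(@Nonnull Function<ProfileRequestContext, Integer> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.proxyCountLookupStrategy = Constraint.isNotNull(function, "Proxy count lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to locate the inbound {@link AuthnRequest}.
     *
     * @param function lookup strategy, must not be null
     */
    public void setRequestLookupStrategy(@Nonnull Function<ProfileRequestContext, AuthnRequest> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.requestLookupStrategy = Constraint.isNotNull(function, "AuthnRequest lookup strategy cannot be null");
    }

    /**
     * Resolves the inbound {@link AuthnRequest} (possibly {@code null}) before execution.
     *
     * <p>The decompiler reports that it widened this method from {@code protected}; the
     * visibility shown in the listing is kept here so the class interface is unchanged.</p>
     *
     * @param profileRequestContext current profile request context
     * @return {@code false} if the superclass pre-execute check fails, otherwise {@code true}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.authnRequest = this.requestLookupStrategy.apply(profileRequestContext);
        return true;
    }

    /**
     * Builds the {@link AuthenticationContext} and attaches it to the profile request context.
     *
     * <p>If Scoping processing denies the request, this method returns without attaching any
     * context, leaving the event signalled by {@link #processScoping} in place.</p>
     *
     * @param profileRequestContext current profile request context
     */
    @Override
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        final AuthenticationContext authenticationContext = new AuthenticationContext();

        if (this.authnRequest != null) {
            if (!processScoping(profileRequestContext, authenticationContext)) {
                // Denied: do not attach an AuthenticationContext.
                return;
            }

            authenticationContext.setForceAuthn(this.authnRequest.isForceAuthn().booleanValue());
            authenticationContext.setIsPassive(this.authnRequest.isPassive().booleanValue());

            // A request carrying Subject/NameID pins authentication to the principal name already
            // held in the SubjectContext; that context is then removed from the request tree.
            if (this.authnRequest.getSubject() != null && this.authnRequest.getSubject().getNameID() != null) {
                final SubjectContext subjectContext = profileRequestContext.getSubcontext(SubjectContext.class);
                if (subjectContext != null && subjectContext.getPrincipalName() != null) {
                    authenticationContext.setRequiredName(subjectContext.getPrincipalName());
                    profileRequestContext.removeSubcontext(subjectContext);
                }
            }
        }

        // Configuration may add ForceAuthn but never clears a value the request set.
        if (!authenticationContext.isForceAuthn()) {
            authenticationContext.setForceAuthn(this.forceAuthnPredicate.test(profileRequestContext));
        }

        // Requested count was set (if at all) by processScoping; combine with configuration.
        final Integer requestedProxyCount = authenticationContext.getProxyCount();
        Integer configuredProxyCount = this.proxyCountLookupStrategy.apply(profileRequestContext);
        if (configuredProxyCount != null && configuredProxyCount.intValue() < 0) {
            // A negative configured value is treated as "no proxying".
            configuredProxyCount = 0;
        }

        if (requestedProxyCount == null) {
            authenticationContext.setProxyCount(configuredProxyCount);
        } else if (configuredProxyCount != null) {
            // The more restrictive of the two limits wins.
            authenticationContext.setProxyCount(
                    Integer.valueOf(Integer.min(configuredProxyCount.intValue(), requestedProxyCount.intValue())));
            this.log.debug("{} Combined requested and configured proxy count: {}", getLogPrefix(),
                    authenticationContext.getProxyCount());
        }

        profileRequestContext.addSubcontext(authenticationContext, true);
        this.log.debug("{} Created authentication context: {}", getLogPrefix(), authenticationContext);
    }

    /**
     * Applies the request's {@link Scoping} element, if any, to the authentication context.
     *
     * <p>Must only be called while {@code authnRequest} is non-null; {@link #doExecute} guards
     * the call.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext context under construction
     * @return {@code true} to continue, {@code false} if the profile configuration disallows
     *         Scoping (an {@link EventIds#ACCESS_DENIED} event has then been signalled)
     */
    private boolean processScoping(@Nonnull ProfileRequestContext profileRequestContext,
            @Nonnull AuthenticationContext authenticationContext) {
        final Scoping scoping = this.authnRequest.getScoping();
        if (scoping == null) {
            this.log.debug("{} AuthnRequest did not contain Scoping, nothing to do", getLogPrefix());
            return true;
        }

        if (this.ignoreScopingPredicate.test(profileRequestContext)) {
            // Deliberate opt-out: the requester's IDPList and ProxyCount are not applied.
            this.log.warn("{} Ignoring inbound Scoping element in AuthnRequest in violation of standard", getLogPrefix());
            return true;
        }

        final RelyingPartyContext rpContext = this.relyingPartyContextLookupStrategy.apply(profileRequestContext);
        // NOTE(review): the literal 2 is a decompiled feature bit; the log message below suggests it
        // is the Scoping feature flag - confirm against BrowserSSOProfileConfiguration and prefer
        // the named constant. instanceof already rejects a null profile configuration.
        if (rpContext != null
                && rpContext.getProfileConfig() instanceof BrowserSSOProfileConfiguration
                && ((BrowserSSOProfileConfiguration) rpContext.getProfileConfig())
                        .isFeatureDisallowed(profileRequestContext, 2)) {
            this.log.warn("{} Incoming Scoping disallowed by profile configuration", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.ACCESS_DENIED);
            return false;
        }

        final IDPList idpList = scoping.getIDPList();
        if (idpList != null && idpList.getIDPEntrys() != null) {
            // Requester-supplied ProviderIDs; entries without one are skipped.
            final Set<String> requestedAuthorities = idpList.getIDPEntrys().stream()
                    .map(entry -> entry.getProviderID())
                    .filter(providerId -> providerId != null)
                    .collect(Collectors.toUnmodifiableSet());
            authenticationContext.getProxiableAuthorities().addAll(requestedAuthorities);
        }

        if (scoping.getProxyCount() != null) {
            // Clamp a negative requested count to zero.
            authenticationContext.setProxyCount(Integer.valueOf(Integer.max(0, scoping.getProxyCount().intValue())));
        }
        return true;
    }
}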
