package net.shibboleth.idp.authn.impl;

import java.util.Collection;
import java.util.function.BiConsumer;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.principal.AuthenticationResultPrincipal;
import net.shibboleth.idp.profile.context.navigate.RelyingPartyIdLookupFunction;
import net.shibboleth.idp.profile.context.navigate.ResponderIdLookupFunction;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.3.3.jar:net/shibboleth/idp/authn/impl/FinalizeMultiFactorAuthentication.class */
/**
 * Final action of the multi-factor authentication (MFA) flow.
 *
 * <p>It collapses the per-factor {@link AuthenticationResult}s held by the
 * {@link MultiFactorAuthenticationContext} into one merged result, stores that result on the
 * {@link AuthenticationContext}, optionally lets a predicate veto session caching of it, and
 * finally installs a {@link SubjectCanonicalizationContext} carrying the merged subject.</p>
 *
 * <p>All setters reject changes once the component has been initialized.</p>
 */
public class FinalizeMultiFactorAuthentication extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(FinalizeMultiFactorAuthentication.class);

    /** Locates the MFA context; by default the child of the {@link AuthenticationContext} child. */
    @Nonnull
    private Function<ProfileRequestContext, MultiFactorAuthenticationContext> multiFactorContextLookupStrategy = new ChildContextLookup(MultiFactorAuthenticationContext.class).compose(new ChildContextLookup(AuthenticationContext.class));

    /** Supplies the requester ID handed to subject canonicalization; may be null to skip it. */
    @Nullable
    private Function<ProfileRequestContext, String> requesterLookupStrategy = new RelyingPartyIdLookupFunction();

    /** Supplies the responder ID handed to subject canonicalization; may be null to skip it. */
    @Nullable
    private Function<ProfileRequestContext, String> responderLookupStrategy = new ResponderIdLookupFunction();

    /** Produces the merged result; defaulted in {@link #doInitialize()} when left unset. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, AuthenticationResult> resultMergingStrategy;

    /** Optional predicate that decides whether an otherwise cacheable result stays cacheable. */
    @Nullable
    private Predicate<ProfileRequestContext> resultCachingPredicate;

    // Populated by doPreExecute() on every run. It is written but not read anywhere in this
    // class. NOTE(review): per-request state in an instance field presumes that an action
    // instance is not shared between concurrent requests - confirm the bean scope.
    @Nullable
    private MultiFactorAuthenticationContext mfaContext;

    /* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.3.3.jar:net/shibboleth/idp/authn/impl/FinalizeMultiFactorAuthentication$DefaultResultMergingStrategy.class */
    /**
     * Default merge: builds one {@link Subject} that is the union of every active factor result.
     *
     * <p>For each active result the merged subject receives an
     * {@link AuthenticationResultPrincipal} wrapping that result, plus all of the result's
     * principals, public credentials and private credentials. Private credentials are therefore
     * carried forward into the merged subject and should be treated as sensitive wherever that
     * subject travels.</p>
     *
     * <p>The merged result is flagged as a "previous" result only when every contributing result
     * is itself a previous result; a single freshly produced factor makes the whole result
     * fresh.</p>
     */
    public static class DefaultResultMergingStrategy implements Function<ProfileRequestContext, AuthenticationResult> {

        /**
         * Merges the active MFA results reachable from the given profile request context.
         *
         * @param profileRequestContext current profile request context, may be null
         * @return the merged result, or null when the input, the authentication context or the
         *         MFA context is missing, or when there are no active results
         */
        @Override
        @Nullable
        public AuthenticationResult apply(@Nullable ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return null;
            }
            final AuthenticationContext authnCtx = profileRequestContext.getSubcontext(AuthenticationContext.class);
            if (authnCtx == null) {
                return null;
            }
            final MultiFactorAuthenticationContext mfaCtx = authnCtx.getSubcontext(MultiFactorAuthenticationContext.class);
            if (mfaCtx == null) {
                return null;
            }

            final Collection<AuthenticationResult> factorResults = mfaCtx.getActiveResults().values();
            if (factorResults.isEmpty()) {
                return null;
            }

            final Subject mergedSubject = new Subject();
            boolean everyFactorIsPrevious = true;
            for (final AuthenticationResult factorResult : factorResults) {
                mergedSubject.getPrincipals().add(new AuthenticationResultPrincipal(factorResult));
                final Subject factorSubject = factorResult.getSubject();
                mergedSubject.getPrincipals().addAll(factorSubject.getPrincipals());
                mergedSubject.getPublicCredentials().addAll(factorSubject.getPublicCredentials());
                mergedSubject.getPrivateCredentials().addAll(factorSubject.getPrivateCredentials());
                // Once a fresh factor has been seen the flag stays false and is not re-queried.
                if (everyFactorIsPrevious && !factorResult.isPreviousResult()) {
                    everyFactorIsPrevious = false;
                }
            }

            // NOTE(review): the flow descriptor is dereferenced without a null check - confirm
            // that the MFA context always carries one by the time this strategy runs.
            final AuthenticationResult merged = new AuthenticationResult(mfaCtx.getAuthenticationFlowDescriptor().getId(), mergedSubject);
            merged.setPreviousResult(everyFactorIsPrevious);
            return merged;
        }
    }

    /**
     * Sets the strategy used to locate the {@link MultiFactorAuthenticationContext}.
     *
     * @param function lookup strategy, must not be null
     */
    public void setMultiFactorContextLookupStrategy(@Nonnull Function<ProfileRequestContext, MultiFactorAuthenticationContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        final Function<ProfileRequestContext, MultiFactorAuthenticationContext> checked =
                Constraint.isNotNull(function, "MultiFactorAuthenticationContext lookup strategy cannot be null");
        this.multiFactorContextLookupStrategy = checked;
    }

    /**
     * Sets the strategy that merges the per-factor results into one.
     *
     * @param function merging strategy; null selects {@link DefaultResultMergingStrategy} at
     *                 initialization time
     */
    public void setResultMergingStrategy(@Nullable Function<ProfileRequestContext, AuthenticationResult> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.resultMergingStrategy = function;
    }

    /**
     * Sets the predicate consulted before the merged result is left cacheable in a session.
     *
     * @param predicate caching predicate, or null to leave the cacheable flag untouched
     */
    public void setResultCachingPredicate(@Nullable Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.resultCachingPredicate = predicate;
    }

    /**
     * Sets the strategy that supplies the requester ID for subject canonicalization.
     *
     * @param function lookup strategy, or null to leave the requester ID unset
     */
    public void setRequesterLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.requesterLookupStrategy = function;
    }

    /**
     * Sets the strategy that supplies the responder ID for subject canonicalization.
     *
     * @param function lookup strategy, or null to leave the responder ID unset
     */
    public void setResponderLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.responderLookupStrategy = function;
    }

    /**
     * Completes initialization, installing {@link DefaultResultMergingStrategy} when no merging
     * strategy was configured.
     *
     * <p>Decompiler note: JADX reports that the access modifier was changed from
     * {@code protected}.</p>
     *
     * @throws ComponentInitializationException if the superclass initialization fails
     */
    @Override
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.resultMergingStrategy == null) {
            this.resultMergingStrategy = new DefaultResultMergingStrategy();
        }
    }

    /**
     * Resolves the MFA context before execution and refuses to run without one.
     *
     * <p>Decompiler note: JADX reports that the access modifier was changed from
     * {@code protected}.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return true when the superclass check passed and an MFA context was found; false
     *         otherwise, in which case {@code INVALID_PROFILE_CTX} is signalled if the MFA
     *         context was the missing piece
     */
    @Override
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        this.mfaContext = this.multiFactorContextLookupStrategy.apply(profileRequestContext);
        if (this.mfaContext == null) {
            this.log.error("{} No MultiFactorAuthenticationContext found by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }
        return true;
    }

    /**
     * Produces the merged result and prepares subject canonicalization.
     *
     * <p>When the merging strategy yields nothing, {@code INVALID_AUTHN_CTX} is signalled and no
     * result is stored, so the flow does not continue with a partial subject.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    @Override
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        this.log.debug("{} MFA complete, producing merged result", getLogPrefix());

        final AuthenticationResult mergedResult = this.resultMergingStrategy.apply(profileRequestContext);
        if (mergedResult == null) {
            this.log.warn("{} Unable to produce merged AuthenticationResult", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_AUTHN_CTX);
            return;
        }
        authenticationContext.setAuthenticationResult(mergedResult);

        // NOTE(review): the attempted flow is dereferenced without a null check - confirm it is
        // always populated when this action runs.
        final BiConsumer<ProfileRequestContext, Subject> decorator = authenticationContext.getAttemptedFlow().getSubjectDecorator();
        if (decorator != null) {
            decorator.accept(profileRequestContext, mergedResult.getSubject());
        }

        // The predicate is consulted only while the result is still cacheable, so it can
        // withdraw cacheability but never grant it to a result already marked non-cacheable.
        if (authenticationContext.isResultCacheable() && this.resultCachingPredicate != null) {
            authenticationContext.setResultCacheable(this.resultCachingPredicate.test(profileRequestContext));
            final String verdict = authenticationContext.isResultCacheable() ? "will" : "will not";
            this.log.info("{} Predicate indicates authentication result {} be cacheable in a session", getLogPrefix(), verdict);
        }

        final SubjectCanonicalizationContext c14nContext = new SubjectCanonicalizationContext();
        c14nContext.setSubject(mergedResult.getSubject());
        if (this.requesterLookupStrategy != null) {
            c14nContext.setRequesterId(this.requesterLookupStrategy.apply(profileRequestContext));
        }
        if (this.responderLookupStrategy != null) {
            c14nContext.setResponderId(this.responderLookupStrategy.apply(profileRequestContext));
        }
        // Second argument true: replace any canonicalization context already attached.
        profileRequestContext.addSubcontext(c14nContext, true);
    }
}
