package net.shibboleth.idp.saml.saml2.profile.delegation.impl;

import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.profile.context.navigate.ResponderIdLookupFunction;
import net.shibboleth.idp.saml.authn.principal.NameIDPrincipal;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.xml.SerializeSupport;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.messaging.context.SAMLPresenterEntityContext;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.3.3.jar:net/shibboleth/idp/saml/saml2/profile/delegation/impl/ProcessDelegatedAssertion.class */
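/**
 * Profile action that takes the SAML 2 {@link Assertion} returned by the configured token strategy,
 * extracts its Subject {@link NameID}, and installs a {@link SubjectCanonicalizationContext} on the
 * profile request context, carrying a {@link NameIDPrincipal} plus the requester and responder IDs.
 *
 * <p>NOTE(review): nothing in this class checks the assertion's signature, conditions or subject
 * confirmation. It presumably relies on the token strategy handing back only an assertion that was
 * validated earlier in the flow; confirm against {@code DelegatedAssertionLookupStrategy} and the
 * steps that run before this action.</p>
 *
 * <p>NOTE(review): the assertion and NameID of the current request are kept in instance fields, so a
 * single instance must not serve concurrent requests; confirm the action is not wired as a shared
 * bean.</p>
 */
public class ProcessDelegatedAssertion extends AbstractProfileAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ProcessDelegatedAssertion.class);

    /** Strategy resolving the requester ID handed to subject c14n; may be null to skip the lookup. */
    @Nullable
    private Function<ProfileRequestContext, String> requesterLookupStrategy = new DefaultC14NRequesterLookupFunction();

    /** Strategy resolving the responder ID handed to subject c14n; may be null to skip the lookup. */
    @Nullable
    private Function<ProfileRequestContext, String> responderLookupStrategy = new ResponderIdLookupFunction();

    /** Strategy that supplies the delegated assertion token for the current request. */
    @Nonnull
    private Function<ProfileRequestContext, Assertion> assertionTokenStrategy = new DelegatedAssertionLookupStrategy();

    // Per-request state: assigned in doPreExecute and read in doExecute and by the default requester lookup.
    private Assertion assertion;
    private NameID nameID;

    /* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.3.3.jar:net/shibboleth/idp/saml/saml2/profile/delegation/impl/ProcessDelegatedAssertion$DefaultC14NRequesterLookupFunction.class */
    /**
     * Default requester lookup: prefers the SPNameQualifier of the delegated assertion's NameID and
     * falls back to the entityID of the SAML presenter taken from the inbound message context.
     *
     * <p>Reads the enclosing action's {@code nameID}, so it is only meaningful after
     * {@code doPreExecute} has succeeded; calling it earlier dereferences a null NameID.</p>
     */
    public class DefaultC14NRequesterLookupFunction implements Function<ProfileRequestContext, String> {
        public DefaultC14NRequesterLookupFunction() {
        }

        /**
         * Resolves the effective requester ID for subject c14n.
         *
         * @param profileRequestContext current profile request context, may be null
         * @return the NameID's SPNameQualifier if set, else the presenter entityID, else null
         */
        @Override // java.util.function.Function
        public String apply(ProfileRequestContext profileRequestContext) {
            // The qualifier comes from the content of the assertion itself, so it is only as
            // trustworthy as the assertion. NOTE(review): confirm the token is validated upstream.
            final String spNameQualifier = ProcessDelegatedAssertion.this.nameID.getSPNameQualifier();
            if (spNameQualifier != null) {
                ProcessDelegatedAssertion.this.log.debug("Saw delegated Assertion Subject NameID SPNameQualifier: {}", spNameQualifier);
                return spNameQualifier;
            }

            if (profileRequestContext == null || profileRequestContext.getInboundMessageContext() == null) {
                return null;
            }
            final SAMLPresenterEntityContext presenterContext =
                    profileRequestContext.getInboundMessageContext().getSubcontext(SAMLPresenterEntityContext.class);
            if (presenterContext == null) {
                return null;
            }

            final String presenterEntityId = presenterContext.getEntityId();
            ProcessDelegatedAssertion.this.log.debug("Saw SAML presenter entityID: {}", presenterEntityId);
            return presenterEntityId;
        }
    }

    /**
     * Sets the strategy that locates the delegated assertion token.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setAssertionTokenStrategy(@Nonnull Function<ProfileRequestContext, Assertion> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        // Constraint.isNotNull is generic, so no raw-type cast is needed on its result.
        this.assertionTokenStrategy = Constraint.isNotNull(function, "Assertion token strategy may not be null");
    }

    /**
     * Sets the strategy used to resolve the requester ID for subject c14n.
     *
     * @param function the lookup strategy, or null to leave the requester ID unset
     */
    public void setRequesterLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.requesterLookupStrategy = function;
    }

    /**
     * Sets the strategy used to resolve the responder ID for subject c14n.
     *
     * @param function the lookup strategy, or null to leave the responder ID unset
     */
    public void setResponderLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.responderLookupStrategy = function;
    }

    /**
     * Resolves the delegated assertion and its Subject NameID before execution.
     *
     * <p>Signals {@code NO_CREDENTIALS} when the token strategy yields no assertion and
     * {@code INVALID_SUBJECT} when the assertion has no Subject or no NameID.</p>
     *
     * @param profileRequestContext current profile request context
     * @return true only if both the assertion and its NameID were found
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.opensaml.profile.action.AbstractConditionalProfileAction, org.opensaml.profile.action.AbstractProfileAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }

        this.assertion = this.assertionTokenStrategy.apply(profileRequestContext);
        if (this.assertion == null) {
            this.log.warn("{} No valid SAML 2 Assertion available within the request context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
            return false;
        }

        final Subject assertionSubject = this.assertion.getSubject();
        if (assertionSubject == null || assertionSubject.getNameID() == null) {
            this.log.warn("{} SAML 2 Assertion does not contain either a Subject or a NameID", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
            return false;
        }

        this.nameID = assertionSubject.getNameID();
        return true;
    }

    /**
     * Builds a Java Subject holding a {@link NameIDPrincipal} for the assertion's NameID and attaches a
     * {@link SubjectCanonicalizationContext} with the resolved requester and responder IDs to the
     * profile request context, replacing any existing subcontext of that type.
     *
     * @param profileRequestContext current profile request context
     */
    @Override // org.opensaml.profile.action.AbstractProfileAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        // Debug only: the serialized NameID carries the subject identifier, so this line puts
        // user identifiers into the log whenever debug logging is enabled for this class.
        if (this.log.isDebugEnabled()) {
            try {
                this.log.debug("{} Authenticated user based on inbound SAML 2 Assertion token with NameID: {}", getLogPrefix(), SerializeSupport.nodeToString(XMLObjectSupport.marshall(this.nameID)));
            } catch (MarshallingException e) {
                this.log.debug("{} Could not marshall SAML 2 NameID for logging purposes", getLogPrefix(), e);
            }
        }

        // Fully qualified because the simple name Subject is already taken by the SAML type.
        final javax.security.auth.Subject javaSubject = new javax.security.auth.Subject();
        javaSubject.getPrincipals().add(new NameIDPrincipal(this.nameID));

        final SubjectCanonicalizationContext c14nContext = new SubjectCanonicalizationContext();
        c14nContext.setSubject(javaSubject);

        final String requesterId =
                this.requesterLookupStrategy != null ? this.requesterLookupStrategy.apply(profileRequestContext) : null;
        if (requesterId != null) {
            this.log.debug("Resolved effective SAML requester entityID for Subject c14n: {}", requesterId);
            c14nContext.setRequesterId(requesterId);
        } else {
            this.log.warn("Unable to determine effective SAML requester for c14n, Subject c14n may fail, depending on NameID type");
        }

        if (this.responderLookupStrategy != null) {
            c14nContext.setResponderId(this.responderLookupStrategy.apply(profileRequestContext));
        }

        profileRequestContext.addSubcontext(c14nContext, true);
    }
}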
