package net.shibboleth.idp.authn.impl;

import com.google.common.base.Strings;
import java.net.InetAddress;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UserAgentContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.profile.IdPAuditFields;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.annotation.constraint.NotLive;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.net.IPRange;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-5.0.0.jar:net/shibboleth/idp/authn/impl/ValidateUserAgentAddress.class */
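/**
 * Validation action that authenticates a user agent purely by its network address.
 *
 * <p>The address held by the {@link UserAgentContext} is tested against the configured
 * principal-name to IP-range mappings; the key of the first entry with a containing range becomes
 * the {@link UsernamePrincipal} added to the subject.</p>
 *
 * <p>Security notes for deployers:</p>
 * <ul>
 * <li>The source address is the only credential checked here. This class does not show how
 * {@link UserAgentContext#getAddress()} is populated; NOTE(review): behind a reverse proxy or load
 * balancer, confirm it carries the real client address and is not derived from a header the client
 * can set.</li>
 * <li>Mappings are stored in a {@link HashMap}, so when ranges of different principals overlap the
 * winning principal follows hash iteration order, not configuration order. Keep the ranges of
 * different principals disjoint.</li>
 * <li>{@code uaContext} and {@code principalName} are per-execution instance state.
 * NOTE(review): presumably instances are not shared between concurrent requests; confirm against
 * the bean scope used for this action.</li>
 * </ul>
 */
public class ValidateUserAgentAddress extends AbstractAuditingValidationAction {

    /** Metric name installed by the constructor. */
    @Nonnull
    @NotEmpty
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.address";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateUserAgentAddress.class);

    /** Principal name to the IP ranges that authenticate as that principal. */
    @Nonnull
    private Map<String, Collection<IPRange>> mappings;

    /** User agent context located by {@link #doPreExecute}. */
    @NonnullBeforeExec
    private UserAgentContext uaContext;

    /** Principal name selected by the last successful match, or null if none. */
    @Nullable
    private String principalName;

    /** Creates the action with the default metric name and no mappings. */
    public ValidateUserAgentAddress() {
        setMetricName(DEFAULT_METRIC_NAME);
        this.mappings = CollectionSupport.emptyMap();
    }

    /**
     * Sets the principal-name to IP-range mappings used for authentication.
     *
     * <p>Entries with a null or empty key are skipped. Each range collection is snapshotted with
     * {@link List#copyOf}, so later changes to the caller's collections have no effect. The field is
     * replaced only after the whole input has been copied, so a rejected input leaves the previous
     * mappings in place.</p>
     *
     * @param map the mappings to install; null installs an empty map
     * @throws NullPointerException if a retained entry has a null range collection or a null range
     */
    public void setMappings(@Nullable Map<String, Collection<IPRange>> map) {
        checkSetterPreconditions();
        if (map == null) {
            this.mappings = CollectionSupport.emptyMap();
            return;
        }
        final Map<String, Collection<IPRange>> copy = new HashMap<>(map.size());
        for (final Map.Entry<String, Collection<IPRange>> entry : map.entrySet()) {
            final String name = entry.getKey();
            if (Strings.isNullOrEmpty(name)) {
                continue;
            }
            final Collection<IPRange> ranges = entry.getValue();
            if (ranges == null) {
                // Fail fast with a message that names the entry; List.copyOf(null) would throw the
                // same exception type without saying which principal is misconfigured.
                throw new NullPointerException("IP range collection for principal '" + name + "' is null");
            }
            copy.put(name, List.copyOf(ranges));
        }
        this.mappings = copy;
    }

    /**
     * Locates the {@link UserAgentContext} and verifies that it carries an address.
     *
     * <p>When the context or its address is missing, {@link AuthnEventIds#NO_CREDENTIALS} is
     * signalled through {@code handleError} and execution is refused.</p>
     *
     * <p>NOTE(review): the decompiler reports that this method was originally {@code protected};
     * it is left {@code public} here so the visible signature does not change.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @return true if {@link #doExecute} should run
     */
    @Override // net.shibboleth.idp.authn.AbstractValidationAction, net.shibboleth.idp.authn.AbstractAuthenticationAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        // Clear any name left by an earlier execution so getAuditFields cannot report it for a
        // request that does not match.
        this.principalName = null;
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        this.uaContext = (UserAgentContext) authenticationContext.getSubcontext(UserAgentContext.class);
        if (this.uaContext == null) {
            this.log.debug("{} No UserAgentContext available within authentication context", getLogPrefix());
            handleError(profileRequestContext, authenticationContext, AuthnEventIds.NO_CREDENTIALS, AuthnEventIds.NO_CREDENTIALS);
            return false;
        }
        if (this.uaContext.getAddress() != null) {
            return true;
        }
        this.log.debug("{} No address available within UserAgentContext", getLogPrefix());
        handleError(profileRequestContext, authenticationContext, AuthnEventIds.NO_CREDENTIALS, AuthnEventIds.NO_CREDENTIALS);
        return false;
    }

    /**
     * Matches the user agent address against the configured ranges.
     *
     * <p>On the first matching entry the principal name is recorded, success is recorded and the
     * authentication result is built. If no entry matches,
     * {@link AuthnEventIds#INVALID_CREDENTIALS} is signalled and a failure is recorded, so an
     * unmatched address is never authenticated.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        final InetAddress address = this.uaContext.getAddress();
        assert address != null;
        for (final Map.Entry<String, Collection<IPRange>> entry : this.mappings.entrySet()) {
            final Collection<IPRange> ranges = entry.getValue();
            assert ranges != null;
            if (isAuthenticated(address, ranges)) {
                this.principalName = entry.getKey();
                this.log.info("{} Authenticated user agent with address {} as {}", getLogPrefix(), address.getHostAddress(), this.principalName);
                recordSuccess(profileRequestContext);
                buildAuthenticationResult(profileRequestContext, authenticationContext);
                return;
            }
        }
        this.log.debug("{} User agent with address {} was not authenticated", getLogPrefix(), address.getHostAddress());
        handleError(profileRequestContext, authenticationContext, AuthnEventIds.INVALID_CREDENTIALS, AuthnEventIds.INVALID_CREDENTIALS);
        recordFailure(profileRequestContext);
    }

    /**
     * Checks whether any of the given ranges contains the address.
     *
     * @param inetAddress the user agent address
     * @param collection the ranges to test
     * @return true if at least one range contains the raw address bytes
     */
    private boolean isAuthenticated(@Nonnull InetAddress inetAddress, @Nonnull Collection<IPRange> collection) {
        final byte[] rawAddress = inetAddress.getAddress();
        assert rawAddress != null;
        for (final IPRange range : collection) {
            if (range.contains(rawAddress)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Adds a {@link UsernamePrincipal} for the matched principal name to the subject.
     *
     * @param subject the subject to populate
     * @return the same subject instance
     */
    @Override // net.shibboleth.idp.authn.AbstractValidationAction
    @Nonnull
    protected Subject populateSubject(@Nonnull Subject subject) {
        assert this.principalName != null;
        subject.getPrincipals().add(new UsernamePrincipal(this.principalName));
        return subject;
    }

    /**
     * Supplies the audit fields for this action.
     *
     * <p>NOTE(review): the decompiler reports that this method was originally {@code protected};
     * it is left {@code public} here so the visible signature does not change.</p>
     *
     * @param profileRequestContext the current profile request context
     * @return a single {@link IdPAuditFields#USERNAME} entry when a principal name was matched,
     *         otherwise whatever the superclass returns
     */
    @Override // net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction
    @Unmodifiable
    @NotLive
    @Nullable
    public Map<String, String> getAuditFields(@Nonnull ProfileRequestContext profileRequestContext) {
        return this.principalName != null ? CollectionSupport.singletonMap(IdPAuditFields.USERNAME, this.principalName) : super.getAuditFields(profileRequestContext);
    }
}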
