package net.shibboleth.idp.authn.impl;

import java.security.Principal;
import java.time.Instant;
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.attribute.context.AttributeContext;
import net.shibboleth.idp.attribute.filter.AttributeFilter;
import net.shibboleth.idp.attribute.filter.AttributeFilterException;
import net.shibboleth.idp.attribute.filter.context.AttributeFilterContext;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.CertificateContext;
import net.shibboleth.idp.authn.context.ExternalAuthenticationContext;
import net.shibboleth.idp.authn.principal.IdPAttributePrincipal;
import net.shibboleth.idp.authn.principal.ProxyAuthenticationPrincipal;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.profile.IdPAuditFields;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.annotation.constraint.NotLive;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.NonnullSupplier;
import net.shibboleth.shared.service.ReloadableService;
import net.shibboleth.shared.service.ServiceException;
import net.shibboleth.shared.service.ServiceableComponent;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-5.0.0.jar:net/shibboleth/idp/authn/impl/ValidateExternalAuthentication.class */
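/**
 * Validates the outcome of an external authentication flow recorded in an
 * {@link ExternalAuthenticationContext}.
 *
 * <p>In order, the action: maps a reported exception or error message to an
 * {@link AuthnEventIds#AUTHN_EXCEPTION} failure; turns a returned {@link Subject},
 * {@link Principal} or principal name into the Subject of the context (and fails with
 * {@link AuthnEventIds#NO_CREDENTIALS} if none was returned); optionally requires the
 * {@link UsernamePrincipal} to fully match a configured {@link Pattern}; records success;
 * adds a {@link ProxyAuthenticationPrincipal} for any authenticating authorities; filters
 * any inbound attributes through the configured {@link AttributeFilter}, discarding them
 * when no filter service is available or filtering fails; and finally builds the
 * {@link AuthenticationResult}, carrying over the external authentication instant and
 * "previous result" flag when present.</p>
 *
 * <p>The {@link #getAuditFields} override reports the username of the external Subject
 * when one is available.</p>
 */
public class ValidateExternalAuthentication extends AbstractAuditingValidationAction {

    /** Metric name used for success/failure recording unless overridden via the setter. */
    @Nonnull
    @NotEmpty
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.external";

    /** Class logger. */
    @Nonnull
    private final Logger log;

    /**
     * Service supplying the {@link AttributeFilter} applied to inbound attributes.
     * When null, any inbound attributes are cleared rather than propagated unfiltered.
     */
    @Nullable
    private ReloadableService<AttributeFilter> attributeFilterService;

    /** Optional metadata resolver handed to the {@link AttributeFilterContext}. */
    @Nullable
    private MetadataResolver metadataResolver;

    /** Pattern the username must fully match; null disables the check. */
    @Nullable
    private Pattern matchExpression;

    /** Context holding the external flow's outcome; located in {@link #doPreExecute}. */
    @NonnullBeforeExec
    private ExternalAuthenticationContext extContext;

    /** Attribute context found under the external context during filtering, if any. */
    @Nullable
    private AttributeContext attributeContext;

    /**
     * Cleanup hook that removes any {@link CertificateContext} attached to the
     * {@link AuthenticationContext} of the supplied request context.
     *
     * <p>A null request context, a missing AuthenticationContext or a missing
     * CertificateContext makes this a no-op.</p>
     */
    public static class CertificateCleanupHook implements Consumer<ProfileRequestContext> {

        /** {@inheritDoc} */
        @Override
        public void accept(@Nullable final ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return;
            }
            final AuthenticationContext authnContext =
                    profileRequestContext.getSubcontext(AuthenticationContext.class);
            if (authnContext == null) {
                return;
            }
            final CertificateContext certContext = authnContext.getSubcontext(CertificateContext.class);
            if (certContext != null) {
                authnContext.removeSubcontext(certContext);
            }
        }
    }

    /** Constructor with no attribute filter service (inbound attributes will be cleared). */
    public ValidateExternalAuthentication() {
        this(null);
    }

    /**
     * Constructor.
     *
     * @param reloadableService service supplying the attribute filter for inbound attributes, or null
     */
    public ValidateExternalAuthentication(
            @Nullable final ReloadableService<AttributeFilter> reloadableService) {
        log = LoggerFactory.getLogger(ValidateExternalAuthentication.class);
        setMetricName(DEFAULT_METRIC_NAME);
        attributeFilterService = reloadableService;
    }

    /**
     * Sets a pattern that the username from the external Subject must fully match.
     *
     * @param pattern the pattern; null or an empty pattern disables the check
     */
    public void setMatchExpression(@Nullable final Pattern pattern) {
        checkSetterPreconditions();
        // An empty pattern is treated the same as no pattern at all.
        if (pattern == null || pattern.pattern().isEmpty()) {
            matchExpression = null;
        } else {
            matchExpression = pattern;
        }
    }

    /**
     * Sets the metadata resolver supplied to the attribute filter context.
     *
     * @param resolver the resolver, or null
     */
    public void setMetadataResolver(@Nullable final MetadataResolver resolver) {
        checkSetterPreconditions();
        metadataResolver = resolver;
    }

    /**
     * Locates the {@link ExternalAuthenticationContext}; without it the action signals
     * {@link AuthnEventIds#INVALID_AUTHN_CTX}, records a failure and does not execute.
     *
     * <p>Declared public here as in the decompiled listing; the decompiler notes the upstream
     * source declares it protected.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return true iff execution should continue
     */
    @Override
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        extContext = authenticationContext.getSubcontext(ExternalAuthenticationContext.class);
        if (extContext == null) {
            log.debug("{} No ExternalAuthenticationContext available within authentication context",
                    getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_AUTHN_CTX);
            recordFailure(profileRequestContext);
            return false;
        }
        return true;
    }

    /**
     * Validates the external outcome as described in the class documentation.
     *
     * <p>Success is recorded (metric) before attribute filtering and result construction;
     * the username check, an exception and an error message are the failure paths that also
     * record a failure.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final ExternalAuthenticationContext ctx = extContext;
        assert ctx != null;

        final Exception authnException = ctx.getAuthnException();
        if (authnException != null) {
            log.info("{} External authentication produced exception", getLogPrefix(), authnException);
            handleError(profileRequestContext, authenticationContext, authnException,
                    AuthnEventIds.AUTHN_EXCEPTION);
            recordFailure(profileRequestContext);
            return;
        }

        final String authnError = ctx.getAuthnError();
        if (authnError != null) {
            log.info("{} External authentication produced error message: {}", getLogPrefix(), authnError);
            handleError(profileRequestContext, authenticationContext, authnError,
                    AuthnEventIds.AUTHN_EXCEPTION);
            recordFailure(profileRequestContext);
            return;
        }

        if (!establishSubject(ctx)) {
            log.info("{} External authentication failed, no user identity or error information returned",
                    getLogPrefix());
            // NOTE(review): unlike the other failure paths, this one does not call recordFailure();
            // preserved as in the original listing — confirm whether a failure metric is intended here.
            handleError(profileRequestContext, authenticationContext, AuthnEventIds.NO_CREDENTIALS,
                    AuthnEventIds.NO_CREDENTIALS);
            return;
        }

        final Subject subject = ctx.getSubject();
        assert subject != null;
        if (!checkUsername(subject)) {
            handleError(profileRequestContext, authenticationContext, AuthnEventIds.INVALID_CREDENTIALS,
                    AuthnEventIds.INVALID_CREDENTIALS);
            recordFailure(profileRequestContext);
            return;
        }
        recordSuccess(profileRequestContext);

        // Record the proxying chain so downstream consumers can see who actually authenticated the user.
        if (!ctx.getAuthenticatingAuthorities().isEmpty()) {
            subject.getPrincipals().add(new ProxyAuthenticationPrincipal(ctx.getAuthenticatingAuthorities()));
        }

        if (ctx.doNotCache()) {
            log.debug("{} Disabling caching of authentication result", getLogPrefix());
            authenticationContext.setResultCacheable(false);
        }

        filterAttributes(ctx);
        buildAuthenticationResult(profileRequestContext, authenticationContext);
        applyResultOverrides(ctx, authenticationContext);
    }

    /**
     * Ensures the external context carries a Subject, building one from a returned
     * Principal or principal name when only those were supplied.
     *
     * @param ctx the external authentication context
     * @return true iff a Subject is now present; false when nothing identifying the user was returned
     */
    private boolean establishSubject(@Nonnull final ExternalAuthenticationContext ctx) {
        if (ctx.getSubject() != null) {
            log.info("{} External authentication succeeded for Subject", getLogPrefix());
            return true;
        }

        final Principal principal = ctx.getPrincipal();
        if (principal != null) {
            log.info("{} External authentication succeeded for Principal: {}", getLogPrefix(), principal);
            ctx.setSubject(newSubject(principal));
            return true;
        }

        final String principalName = ctx.getPrincipalName();
        if (principalName != null) {
            log.info("{} External authentication succeeded for user: {}", getLogPrefix(), principalName);
            ctx.setSubject(newSubject(new UsernamePrincipal(principalName)));
            return true;
        }

        return false;
    }

    /**
     * Builds a writable Subject holding exactly one principal and no credentials.
     *
     * @param principal the sole principal
     * @return the new Subject
     */
    @Nonnull
    private static Subject newSubject(@Nonnull final Principal principal) {
        return new Subject(false, CollectionSupport.singleton(principal), CollectionSupport.emptySet(),
                CollectionSupport.emptySet());
    }

    /**
     * Copies the external authentication instant and "previous result" flag, when set,
     * onto the result built for the authentication context. No-op without a result.
     *
     * @param ctx the external authentication context
     * @param authenticationContext current authentication context
     */
    private void applyResultOverrides(@Nonnull final ExternalAuthenticationContext ctx,
            @Nonnull final AuthenticationContext authenticationContext) {
        final AuthenticationResult result = authenticationContext.getAuthenticationResult();
        if (result == null) {
            return;
        }
        final Instant authnInstant = ctx.getAuthnInstant();
        if (authnInstant != null) {
            result.setAuthenticationInstant(authnInstant);
        }
        if (ctx.isPreviousResult()) {
            result.setPreviousResult(true);
        }
    }

    /**
     * Merges the principals of the supplied Subject into the external Subject, adds an
     * {@link IdPAttributePrincipal} per filtered inbound attribute, and returns the
     * external Subject.
     *
     * @param subject Subject populated by the superclass
     * @return the external Subject, now carrying the merged principals
     */
    @Override
    @Nonnull
    protected Subject populateSubject(@Nonnull final Subject subject) {
        assert isPreExecuteCalled();
        final Subject extSubject =
                Constraint.isNotNull(extContext.getSubject(), "external Authn Subject cannot be null");
        extSubject.getPrincipals().addAll(subject.getPrincipals());

        // Only attributes that survived filterAttributes() are exposed as principals.
        final AttributeContext attrCtx = attributeContext;
        if (attrCtx != null && !attrCtx.getIdPAttributes().isEmpty()) {
            log.debug("{} Adding filtered inbound attributes to Subject", getLogPrefix());
            extSubject.getPrincipals().addAll(
                    attrCtx.getIdPAttributes().values().stream()
                            .map(IdPAttributePrincipal::new)
                            .collect(Collectors.toList()));
        }
        return extSubject;
    }

    /**
     * Applies the configured match expression to the Subject's username.
     *
     * @param subject the Subject to check
     * @return true if no expression is configured or the whole username matches it;
     *         false if a username is missing or does not match
     */
    private boolean checkUsername(@Nonnull final Subject subject) {
        final Pattern expression = matchExpression;
        if (expression == null) {
            return true;
        }
        final String username = getUsername(subject);
        if (username == null) {
            // Fail closed: an expression is configured but there is nothing to test it against.
            log.info("{} Match expression set, but no UsernamePrincipal found", getLogPrefix());
            return false;
        }
        // matches() requires the entire username to match, not just a substring.
        if (expression.matcher(username).matches()) {
            return true;
        }
        log.info("{} Username {} did not match expression", getLogPrefix(), username);
        return false;
    }

    /**
     * Returns the name of the Subject's first {@link UsernamePrincipal}, in the iteration
     * order of the principal set, or null if there is none.
     *
     * @param subject the Subject to inspect
     * @return the username, or null
     */
    @Nullable
    private String getUsername(@Nonnull final Subject subject) {
        final Set<UsernamePrincipal> principals = subject.getPrincipals(UsernamePrincipal.class);
        if (principals.isEmpty()) {
            return null;
        }
        return principals.iterator().next().getName();
    }

    /**
     * Reports the external Subject's username under {@link IdPAuditFields#USERNAME}, falling
     * back to the superclass fields when no external Subject or username is available.
     *
     * @param profileRequestContext current profile request context
     * @return the audit fields, possibly null per the superclass contract
     */
    @Override
    @Unmodifiable
    @NotLive
    @Nullable
    public Map<String, String> getAuditFields(@Nonnull final ProfileRequestContext profileRequestContext) {
        final Subject subject = extContext != null ? extContext.getSubject() : null;
        final String username = subject != null ? getUsername(subject) : null;
        if (username == null) {
            return super.getAuditFields(profileRequestContext);
        }
        return CollectionSupport.singletonMap(IdPAuditFields.USERNAME, username);
    }

    /**
     * Filters the inbound attributes found in an {@link AttributeContext} beneath the external
     * context through the configured attribute filter service.
     *
     * <p>The attribute set is replaced by the filtered result on success, and cleared (set to
     * null) when no filter service is configured, filtering throws, or the service is
     * misconfigured, so that unfiltered inbound attributes are never propagated.</p>
     *
     * @param ctx the external authentication context
     */
    private void filterAttributes(@Nonnull final ExternalAuthenticationContext ctx) {
        final AttributeContext attrCtx = ctx.getSubcontext(AttributeContext.class);
        if (attrCtx == null) {
            log.debug("{} No attribute context, no attributes to filter", getLogPrefix());
            return;
        }
        attributeContext = attrCtx;

        if (attrCtx.getIdPAttributes().isEmpty()) {
            log.debug("{} No attributes to filter", getLogPrefix());
            return;
        }

        final ReloadableService<AttributeFilter> filterService = attributeFilterService;
        if (filterService == null) {
            log.warn("{} No AttributeFilter service provided, clearing inbound attributes", getLogPrefix());
            attrCtx.setIdPAttributes(null);
            return;
        }

        final AttributeFilterContext filterCtx = ctx.ensureSubcontext(AttributeFilterContext.class);
        populateFilterContext(filterCtx);

        // try-with-resources releases the component on every exit path, not only on success.
        try (ServiceableComponent<AttributeFilter> component = filterService.getServiceableComponent()) {
            component.getComponent().filterAttributes(filterCtx);
            // NOTE(review): on the failure paths below the filter context stays attached to
            // the external context; preserved as in the original listing.
            filterCtx.removeFromParent();
            attrCtx.setIdPAttributes(filterCtx.getFilteredIdPAttributes().values());
        } catch (final AttributeFilterException e) {
            log.error("{} Error while filtering inbound attributes", getLogPrefix(), e);
            attrCtx.setIdPAttributes(null);
        } catch (final ServiceException e) {
            log.error("{} Invalid AttributeFilter configuration", getLogPrefix(), e);
            attrCtx.setIdPAttributes(null);
        }
    }

    /**
     * Configures the filter context for an inbound filtering pass over the attributes held in
     * {@link #attributeContext}: no requester/proxied-requester lookup, the configured metadata
     * resolver, and the first authenticating authority (if any) as the attribute issuer ID.
     *
     * @param filterCtx the filter context to populate
     */
    private void populateFilterContext(@Nonnull final AttributeFilterContext filterCtx) {
        final AttributeContext attrCtx = attributeContext;
        final ExternalAuthenticationContext ctx = extContext;
        assert attrCtx != null && ctx != null;

        filterCtx.setDirection(AttributeFilterContext.Direction.INBOUND)
                .setPrefilteredIdPAttributes(attrCtx.getIdPAttributes().values())
                .setMetadataResolver(metadataResolver)
                .setRequesterMetadataContextLookupStrategy(null)
                .setProxiedRequesterContextLookupStrategy(null);

        if (!ctx.getAuthenticatingAuthorities().isEmpty()) {
            filterCtx.setAttributeIssuerID(ctx.getAuthenticatingAuthorities().iterator().next());
        }
    }
}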
