package net.shibboleth.idp.authn;

import java.security.Principal;
import java.util.Collection;
import java.util.Set;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.CredentialValidator;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicate;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactory;
import net.shibboleth.idp.authn.principal.PrincipalSupportingComponent;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.annotation.constraint.NotLive;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.component.AbstractIdentifiedInitializableComponent;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.PredicateSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/idp-authn-api-5.0.0.jar:net/shibboleth/idp/authn/AbstractCredentialValidator.class */
public abstract class AbstractCredentialValidator extends AbstractIdentifiedInitializableComponent implements CredentialValidator, PrincipalSupportingComponent {

    @Nonnull
    private final Logger log = LoggerFactory.getLogger((Class<?>) AbstractCredentialValidator.class);

    @Nonnull
    private Predicate<ProfileRequestContext> activationCondition = PredicateSupport.alwaysTrue();

    @Nullable
    private String logPrefix;

    @Nullable
    private Subject customPrincipals;
    static final /* synthetic */ boolean $assertionsDisabled;

    @Override // net.shibboleth.shared.component.AbstractIdentifiedInitializableComponent, net.shibboleth.shared.component.IdentifiableComponent
    public synchronized void setId(@Nonnull String str) {
        super.setId(str);
    }

    public void setActivationCondition(@Nonnull Predicate<ProfileRequestContext> predicate) {
        checkSetterPreconditions();
        this.activationCondition = (Predicate) Constraint.isNotNull(predicate, "Activation condition cannot be null");
    }

    @Override // net.shibboleth.idp.authn.principal.PrincipalSupportingComponent
    @Unmodifiable
    @Nonnull
    @NotLive
    public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull Class<T> cls) {
        Set<T> principals;
        Subject subject = this.customPrincipals;
        if (subject != null && (principals = subject.getPrincipals(cls)) != null) {
            return principals;
        }
        return CollectionSupport.emptySet();
    }

    public void setSupportedPrincipals(@Nullable Collection<Principal> collection) {
        checkSetterPreconditions();
        if (collection == null) {
            this.customPrincipals = null;
            return;
        }
        Set copyToSet = CollectionSupport.copyToSet(collection);
        if (copyToSet.isEmpty()) {
            this.customPrincipals = null;
        } else {
            this.customPrincipals = new Subject();
            this.customPrincipals.getPrincipals().addAll(copyToSet);
        }
    }

    @Override // net.shibboleth.idp.authn.CredentialValidator
    public Subject validate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable CredentialValidator.WarningHandler warningHandler, @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception {
        checkComponentActive();
        if (!this.activationCondition.test(profileRequestContext)) {
            this.log.debug("{} Activation condition was false, ignoring request", getLogPrefix());
            return null;
        }
        if (isAcceptable((RequestedPrincipalContext) authenticationContext.getSubcontext(RequestedPrincipalContext.class), this.customPrincipals, ensureId())) {
            return doValidate(profileRequestContext, authenticationContext, warningHandler, errorHandler);
        }
        return null;
    }

    @Nullable
    protected abstract Subject doValidate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable CredentialValidator.WarningHandler warningHandler, @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception;

    /* JADX INFO: Access modifiers changed from: protected */
    @Nonnull
    public Subject populateSubject(@Nonnull Subject subject) {
        Subject subject2 = this.customPrincipals;
        if (subject2 != null) {
            subject.getPrincipals().addAll(subject2.getPrincipals());
        }
        return subject;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Nonnull
    @NotEmpty
    public String getLogPrefix() {
        if (this.logPrefix == null) {
            this.logPrefix = "Credential Validator " + (getId() != null ? getId() : "(unknown)") + ":";
            return this.logPrefix;
        }
        if ($assertionsDisabled || this.logPrefix != null) {
            return this.logPrefix;
        }
        throw new AssertionError();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isAcceptable(@Nullable RequestedPrincipalContext requestedPrincipalContext, @Nullable final Subject subject, @Nonnull @NotEmpty String str) {
        if (subject == null || requestedPrincipalContext == null) {
            return true;
        }
        String operator = requestedPrincipalContext.getOperator();
        if (operator != null) {
            this.log.debug("{} Request contains principal requirements, checking validator '{}' for compatibility", getLogPrefix(), str);
            for (Principal principal : requestedPrincipalContext.getRequestedPrincipals()) {
                PrincipalEvalPredicateFactory lookup = requestedPrincipalContext.getPrincipalEvalPredicateFactoryRegistry().lookup(principal.getClass(), operator);
                if (lookup != null) {
                    PrincipalEvalPredicate predicate = lookup.getPredicate(principal);
                    if (predicate.test(new PrincipalSupportingComponent() { // from class: net.shibboleth.idp.authn.AbstractCredentialValidator.1
                        static final /* synthetic */ boolean $assertionsDisabled;

                        @Override // net.shibboleth.idp.authn.principal.PrincipalSupportingComponent
                        @Nonnull
                        public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull Class<T> cls) {
                            Set<T> principals = subject.getPrincipals(cls);
                            if ($assertionsDisabled || principals != null) {
                                return principals;
                            }
                            throw new AssertionError();
                        }

                        static {
                            $assertionsDisabled = !AbstractCredentialValidator.class.desiredAssertionStatus();
                        }
                    })) {
                        this.log.debug("{} Validator '{}' compatible with principal type '{}' and operator '{}'", getLogPrefix(), str, principal.getClass(), requestedPrincipalContext.getOperator());
                        requestedPrincipalContext.setMatchingPrincipal(predicate.getMatchingPrincipal());
                        return true;
                    }
                    this.log.debug("{} Validator '{}' not compatible with principal type '{}' and operator '{}'", getLogPrefix(), str, principal.getClass(), requestedPrincipalContext.getOperator());
                } else {
                    this.log.debug("{} No comparison logic registered for principal type '{}' and operator '{}'", getLogPrefix(), principal.getClass(), requestedPrincipalContext.getOperator());
                }
            }
        }
        this.log.debug("{} Skipping validator '{}', not compatible with request's principal requirements", getLogPrefix(), str);
        return false;
    }

    static {
        $assertionsDisabled = !AbstractCredentialValidator.class.desiredAssertionStatus();
    }
}
