package net.shibboleth.idp.authn;

import com.codahale.metrics.MetricRegistry;
import com.google.common.base.Strings;
import com.google.common.collect.Iterables;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.AuthenticationErrorContext;
import net.shibboleth.idp.authn.context.AuthenticationWarningContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicate;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactory;
import net.shibboleth.idp.authn.principal.PrincipalSupportingComponent;
import net.shibboleth.profile.context.navigate.IssuerLookupFunction;
import net.shibboleth.profile.context.navigate.RelyingPartyIdLookupFunction;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.annotation.constraint.NotLive;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import org.opensaml.core.metrics.MetricsSupport;
import org.opensaml.messaging.context.BaseContext;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:WEB-INF/lib/idp-authn-api-5.0.0.jar:net/shibboleth/idp/authn/AbstractValidationAction.class */
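/**
 * Base class for validation-stage authentication actions.
 *
 * <p>It checks the request's principal requirements before execution, builds the
 * {@link AuthenticationResult} from a per-instance {@link Subject}, counts successes and
 * failures in the metric registry, and maps error or warning messages to configured event ids.</p>
 *
 * <p>This listing is decompiler output. Members documented as "protected in the class file"
 * were widened to {@code public} by the decompiler; the widened modifiers are kept here so that
 * callers compiled against this source keep working.</p>
 *
 * <p>NOTE(review): {@link #getSubject()} returns instance state that
 * {@link #buildAuthenticationResult} mutates and hands to the new result, so an instance
 * presumably must not be shared across requests. Confirm the bean scope used to wire
 * subclasses.</p>
 */
public abstract class AbstractValidationAction extends AbstractAuthenticationAction implements PrincipalSupportingComponent {

    /** Default prefix for the {@code .successes} and {@code .failures} counter names. */
    @Nonnull
    @NotEmpty
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.validation";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AbstractValidationAction.class);

    /** Prefix of the counters incremented by {@link #recordSuccess} and {@link #recordFailure}. */
    @Nonnull
    @NotEmpty
    private String metricName = DEFAULT_METRIC_NAME;

    /** Whether the attempted flow's supported principals are added to the subject. */
    private boolean addDefaultPrincipals = true;

    /** Subject that carries the configured principals and is passed to {@link #populateSubject}. */
    @Nonnull
    private final Subject authenticatedSubject = new Subject();

    /** Whether any existing {@link AuthenticationErrorContext} is removed in {@link #doPreExecute}. */
    private boolean clearErrorContext = true;

    /** Event id mapped to the message fragments that select it; iterated in insertion order. */
    @Nonnull
    private Map<String, Collection<String>> classifiedMessages = CollectionSupport.emptyMap();

    /** Optional predicate that can veto caching of the authentication result. */
    @Nullable
    private Predicate<ProfileRequestContext> resultCachingPredicate;

    /** Optional hook run by {@link #recordSuccess}. */
    @Nullable
    private Consumer<ProfileRequestContext> cleanupHook;

    /** Supplies the requester id placed in the {@link SubjectCanonicalizationContext}. */
    @Nullable
    private Function<ProfileRequestContext, String> requesterLookupStrategy = new RelyingPartyIdLookupFunction();

    /** Supplies the responder id placed in the {@link SubjectCanonicalizationContext}. */
    @Nullable
    private Function<ProfileRequestContext, String> responderLookupStrategy = new IssuerLookupFunction();

    /**
     * Predicate that reports whether a configured fragment occurs in one fixed message.
     *
     * <p>Private in the class file; the decompiler widened it to {@code public}.</p>
     *
     * <p>Matching is plain substring containment, so an empty fragment matches every message
     * and a short or generic fragment will classify unrelated messages.</p>
     */
    public class MessageChecker implements Predicate<String> {

        /** The message that candidate fragments are searched for in. */
        @Nonnull
        @NotEmpty
        private final String s;

        /**
         * Constructor.
         *
         * @param str the message to search; must not be null or empty
         */
        public MessageChecker(@Nonnull @NotEmpty String str) {
            Constraint.isFalse(Strings.isNullOrEmpty(str), "Message cannot be null or empty");
            this.s = str;
        }

        /**
         * Tests whether the message contains the given fragment.
         *
         * @param str candidate fragment; {@code null} never matches
         * @return {@code true} if the message contains {@code str}
         */
        @Override // java.util.function.Predicate
        public boolean test(String str) {
            // A null entry in a configured collection would otherwise throw from String.contains.
            return str != null && this.s.contains(str);
        }
    }

    /**
     * Gets the metric name prefix.
     *
     * @return the prefix used for the success and failure counters
     */
    @Nonnull
    @NotEmpty
    public String getMetricName() {
        return this.metricName;
    }

    /**
     * Sets the metric name prefix.
     *
     * @param str the prefix; the constraint rejects a value that trims to nothing
     */
    public void setMetricName(@Nonnull @NotEmpty String str) {
        checkSetterPreconditions();
        this.metricName = (String) Constraint.isNotNull(StringSupport.trimOrNull(str), "Metric name cannot be null or empty");
    }

    /**
     * Gets whether the attempted flow's supported principals are added to the subject.
     *
     * @return the flag, {@code true} by default
     */
    public boolean addDefaultPrincipals() {
        return this.addDefaultPrincipals;
    }

    /**
     * Sets whether the attempted flow's supported principals are added to the subject.
     *
     * @param z the new flag value
     */
    public void setAddDefaultPrincipals(boolean z) {
        checkSetterPreconditions();
        this.addDefaultPrincipals = z;
    }

    /**
     * Gets the configured message classifications.
     *
     * @return an unmodifiable view of the event-id-to-fragments map
     */
    @Unmodifiable
    @Nonnull
    @NotLive
    public Map<String, Collection<String>> getClassifiedErrors() {
        final Map<String, Collection<String>> view = Collections.unmodifiableMap(this.classifiedMessages);
        assert view != null;
        return view;
    }

    /**
     * Sets the message classifications used by the error and warning handlers.
     *
     * <p>Entries with a null or empty key, or a null or empty collection, are dropped. The
     * surviving entries keep the iteration order of the supplied map, and the first matching
     * entry decides which event is signaled.</p>
     *
     * @param map event id mapped to message fragments, or {@code null} to clear the mapping
     */
    public void setClassifiedMessages(@Nullable Map<String, Collection<String>> map) {
        checkSetterPreconditions();
        if (map == null) {
            this.classifiedMessages = CollectionSupport.emptyMap();
            return;
        }
        // Build the copy first so the field never refers to a half-populated map.
        final Map<String, Collection<String>> copy = new LinkedHashMap<>();
        for (final Map.Entry<String, Collection<String>> entry : map.entrySet()) {
            final String eventId = entry.getKey();
            final Collection<String> fragments = entry.getValue();
            if (eventId != null && !eventId.isEmpty() && fragments != null && !fragments.isEmpty()) {
                copy.put(eventId, CollectionSupport.copyToList(fragments));
            }
        }
        this.classifiedMessages = copy;
    }

    /**
     * Gets the predicate consulted before an authentication result is left cacheable.
     *
     * @return the predicate, or {@code null} if none is set
     */
    @Nullable
    public Predicate<ProfileRequestContext> getResultCachingPredicate() {
        return this.resultCachingPredicate;
    }

    /**
     * Sets the predicate consulted before an authentication result is left cacheable.
     *
     * @param predicate the predicate, or {@code null} for none
     */
    public void setResultCachingPredicate(@Nullable Predicate<ProfileRequestContext> predicate) {
        checkSetterPreconditions();
        this.resultCachingPredicate = predicate;
    }

    /**
     * Gets the hook run by {@link #recordSuccess}.
     *
     * @return the hook, or {@code null} if none is set
     */
    @Nullable
    public Consumer<ProfileRequestContext> getCleanupHook() {
        return this.cleanupHook;
    }

    /**
     * Sets the hook run by {@link #recordSuccess}.
     *
     * @param consumer the hook, or {@code null} for none
     */
    public void setCleanupHook(@Nullable Consumer<ProfileRequestContext> consumer) {
        checkSetterPreconditions();
        this.cleanupHook = consumer;
    }

    /**
     * Gets the strategy that supplies the requester id for subject canonicalization.
     *
     * @return the strategy, or {@code null} if none is set
     */
    @Nullable
    public Function<ProfileRequestContext, String> getRequesterLookupStrategy() {
        return this.requesterLookupStrategy;
    }

    /**
     * Sets the strategy that supplies the requester id for subject canonicalization.
     *
     * @param function the strategy, or {@code null} to leave the requester id unset
     */
    public void setRequesterLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        this.requesterLookupStrategy = function;
    }

    /**
     * Gets the strategy that supplies the responder id for subject canonicalization.
     *
     * @return the strategy, or {@code null} if none is set
     */
    @Nullable
    public Function<ProfileRequestContext, String> getResponderLookupStrategy() {
        return this.responderLookupStrategy;
    }

    /**
     * Sets the strategy that supplies the responder id for subject canonicalization.
     *
     * @param function the strategy, or {@code null} to leave the responder id unset
     */
    public void setResponderLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        checkSetterPreconditions();
        this.responderLookupStrategy = function;
    }

    /**
     * Gets the subject's principals of the given type.
     *
     * @param cls the principal type to select
     * @param <T> the principal type
     * @return the principals of that type held by the subject
     */
    @Override // net.shibboleth.idp.authn.principal.PrincipalSupportingComponent
    @Unmodifiable
    @Nonnull
    @NotLive
    public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull Class<T> cls) {
        final Set<T> principals = getSubject().getPrincipals(cls);
        assert principals != null;
        return principals;
    }

    /**
     * Replaces the subject's principals with the given collection.
     *
     * @param collection the principals to install; {@code null} or empty leaves the subject with none
     */
    public void setSupportedPrincipals(@Nullable Collection<Principal> collection) {
        checkSetterPreconditions();
        getSubject().getPrincipals().clear();
        if (collection == null || collection.isEmpty()) {
            return;
        }
        getSubject().getPrincipals().addAll(Set.copyOf(collection));
    }

    /**
     * Gets the subject held by this action.
     *
     * @return the per-instance subject
     */
    @Nonnull
    protected Subject getSubject() {
        return this.authenticatedSubject;
    }

    /**
     * Decides whether this validator should run for the current request.
     *
     * <p>Protected in the class file; the decompiler widened it to {@code public}.</p>
     *
     * <p>Without principal requirements to evaluate (no {@link RequestedPrincipalContext}, no
     * principals on the subject, or no operator) the action runs unless the context's fixed
     * event strategy yields an event. Otherwise it runs only if one requested principal is
     * compatible with this component under the requested operator.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @return {@code true} if execution should continue; {@code false} after signaling an event
     */
    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        if (authenticationContext.getAttemptedFlow() == null) {
            this.log.info("{} No attempted flow within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_AUTHN_CTX);
            return false;
        }
        if (this.clearErrorContext) {
            // Drop error state left in the context before this attempt is evaluated.
            authenticationContext.removeSubcontext(AuthenticationErrorContext.class);
        }

        final RequestedPrincipalContext requestedCtx =
                (RequestedPrincipalContext) authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        // The operator is only read when there is something to compare it against.
        final String operator = (requestedCtx == null || getSubject().getPrincipals().isEmpty())
                ? null : requestedCtx.getOperator();
        if (operator == null) {
            final Function<ProfileRequestContext, String> fixedEventStrategy = authenticationContext.getFixedEventLookupStrategy();
            final String fixedEvent = fixedEventStrategy != null ? fixedEventStrategy.apply(profileRequestContext) : null;
            if (fixedEvent == null) {
                return true;
            }
            this.log.info("{} Signaling fixed event: {}", getLogPrefix(), fixedEvent);
            ActionSupport.buildEvent(profileRequestContext, fixedEvent);
            return false;
        }

        this.log.debug("{} Request contains principal requirements, evaluating for compatibility", getLogPrefix());
        for (final Principal principal : requestedCtx.getRequestedPrincipals()) {
            final PrincipalEvalPredicateFactory factory =
                    requestedCtx.getPrincipalEvalPredicateFactoryRegistry().lookup(principal.getClass(), operator);
            if (factory == null) {
                this.log.debug("{} No comparison logic registered for principal type '{}' and operator '{}'", getLogPrefix(), principal.getClass(), operator);
                continue;
            }
            final PrincipalEvalPredicate predicate = factory.getPredicate(principal);
            if (predicate.test(this)) {
                this.log.debug("{} Compatible with principal type '{}' and operator '{}'", getLogPrefix(), principal.getClass(), operator);
                requestedCtx.setMatchingPrincipal(predicate.getMatchingPrincipal());
                return true;
            }
            this.log.debug("{} Not compatible with principal type '{}' and operator '{}'", getLogPrefix(), principal.getClass(), operator);
        }
        this.log.info("{} Skipping validator, not compatible with request's principal requirements", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.REQUEST_UNSUPPORTED);
        return false;
    }

    /**
     * Builds the authentication result and prepares subject canonicalization.
     *
     * <p>Protected in the class file; the decompiler widened it to {@code public}.</p>
     *
     * <p>The caching predicate is consulted only while the context still reports the result as
     * cacheable, so it can withdraw cacheability but never grant it.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context; its parent must not be null
     */
    public void buildAuthenticationResult(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        final AuthenticationFlowDescriptor flow = authenticationContext.getAttemptedFlow();
        assert flow != null;

        if (this.addDefaultPrincipals) {
            this.log.debug("{} Adding custom Principal(s) defined on underlying flow descriptor", getLogPrefix());
            getSubject().getPrincipals().addAll(flow.getSupportedPrincipals());
        }

        final AuthenticationResult result = flow.newAuthenticationResult(populateSubject(getSubject()));
        authenticationContext.setAuthenticationResult(result);

        final Predicate<ProfileRequestContext> cachingPredicate = this.resultCachingPredicate;
        if (authenticationContext.isResultCacheable() && cachingPredicate != null) {
            authenticationContext.setResultCacheable(cachingPredicate.test(profileRequestContext));
            this.log.info("{} Predicate indicates authentication result {} be cacheable in a session", getLogPrefix(), authenticationContext.isResultCacheable() ? "will" : "will not");
        }

        final BiConsumer<ProfileRequestContext, Subject> decorator = flow.getSubjectDecorator();
        if (decorator != null) {
            decorator.accept(profileRequestContext, result.getSubject());
        }

        final SubjectCanonicalizationContext c14nCtx = new SubjectCanonicalizationContext();
        c14nCtx.setSubject(result.getSubject());
        final Function<ProfileRequestContext, String> requesterStrategy = this.requesterLookupStrategy;
        if (requesterStrategy != null) {
            c14nCtx.setRequesterId(requesterStrategy.apply(profileRequestContext));
        }
        final Function<ProfileRequestContext, String> responderStrategy = this.responderLookupStrategy;
        if (responderStrategy != null) {
            c14nCtx.setResponderId(responderStrategy.apply(profileRequestContext));
        }
        ((BaseContext) Constraint.isNotNull(authenticationContext.getParent(), "Parent context cannot be null")).addSubcontext(c14nCtx, true);
    }

    /**
     * Populates the subject that the authentication result is built from.
     *
     * @param subject the subject held by this action
     * @return the subject to place in the authentication result
     */
    @Nonnull
    protected abstract Subject populateSubject(@Nonnull Subject subject);

    /**
     * Counts a successful validation and runs the cleanup hook, if any.
     *
     * <p>Protected in the class file; the decompiler widened it to {@code public}.</p>
     *
     * <p>NOTE(review): the hook is not invoked from {@link #recordFailure}. If it is used to
     * clear credential state, confirm that failure paths are cleaned up elsewhere.</p>
     *
     * @param profileRequestContext the current profile request context
     */
    public void recordSuccess(@Nonnull ProfileRequestContext profileRequestContext) {
        final MetricRegistry registry = MetricsSupport.getMetricRegistry();
        if (registry != null) {
            registry.counter(getMetricName() + ".successes").inc();
        }
        final Consumer<ProfileRequestContext> hook = this.cleanupHook;
        if (hook != null) {
            hook.accept(profileRequestContext);
        }
    }

    /**
     * Counts a failed validation.
     *
     * <p>Protected in the class file; the decompiler widened it to {@code public}.</p>
     *
     * @param profileRequestContext the current profile request context
     */
    public void recordFailure(@Nonnull ProfileRequestContext profileRequestContext) {
        final MetricRegistry registry = MetricsSupport.getMetricRegistry();
        if (registry != null) {
            registry.counter(getMetricName() + ".failures").inc();
        }
    }

    /**
     * Records an exception in the error context and classifies its message.
     *
     * <p>Protected in the class file; the decompiler widened it to {@code public}.</p>
     *
     * <p>The exception object is stored in the {@link AuthenticationErrorContext}, so whatever
     * later reads that context sees the exception as thrown.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param exc the exception to record; its message may be null
     * @param str the event id to signal when no classification matches
     */
    public void handleError(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull Exception exc, @Nonnull @NotEmpty String str) {
        ((AuthenticationErrorContext) authenticationContext.ensureSubcontext(AuthenticationErrorContext.class)).getExceptions().add(exc);
        handleError(profileRequestContext, authenticationContext, exc.getMessage(), str);
    }

    /**
     * Classifies an error message and signals the resulting event.
     *
     * <p>Protected in the class file; the decompiler widened it to {@code public}.</p>
     *
     * <p>Every matching classification is added to the {@link AuthenticationErrorContext}; only
     * the first match builds the event. With no match, {@code str2} is recorded and signaled.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param str the message to classify; null or empty goes straight to the fallback
     * @param str2 the event id to signal when no classification matches
     */
    public void handleError(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable String str, @Nonnull @NotEmpty String str2) {
        classifyAndSignal(profileRequestContext, str, str2,
                eventId -> ((AuthenticationErrorContext) authenticationContext.ensureSubcontext(AuthenticationErrorContext.class)).addClassifiedError(eventId));
    }

    /**
     * Classifies a warning message and signals the resulting event.
     *
     * <p>Protected in the class file; the decompiler widened it to {@code public}.</p>
     *
     * <p>Every matching classification is added to the {@link AuthenticationWarningContext};
     * only the first match builds the event. With no match, {@code str2} is recorded and
     * signaled.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param str the message to classify; null or empty goes straight to the fallback
     * @param str2 the event id to signal when no classification matches
     */
    public void handleWarning(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable String str, @Nonnull @NotEmpty String str2) {
        classifyAndSignal(profileRequestContext, str, str2,
                eventId -> ((AuthenticationWarningContext) authenticationContext.ensureSubcontext(AuthenticationWarningContext.class)).addClassifiedWarning(eventId));
    }

    /**
     * Matches a message against the configured classifications, records each hit, and builds
     * one event: the first hit's id, or the fallback id when nothing matched.
     *
     * @param profileRequestContext the context the event is built on
     * @param message the message to classify, possibly null or empty
     * @param fallbackEventId the id recorded and signaled when nothing matched
     * @param recorder receives each classification id that applies
     */
    private void classifyAndSignal(@Nonnull ProfileRequestContext profileRequestContext, @Nullable String message,
            @Nonnull @NotEmpty String fallbackEventId, @Nonnull Consumer<String> recorder) {
        boolean eventSet = false;
        if (!Strings.isNullOrEmpty(message)) {
            assert message != null;
            final MessageChecker checker = new MessageChecker(message);
            for (final Map.Entry<String, Collection<String>> entry : this.classifiedMessages.entrySet()) {
                if (!Iterables.any(entry.getValue(), checker::test)) {
                    continue;
                }
                final String eventId = entry.getKey();
                assert eventId != null;
                recorder.accept(eventId);
                if (!eventSet) {
                    // Only the first matching entry decides the event; later hits are recorded only.
                    eventSet = true;
                    ActionSupport.buildEvent(profileRequestContext, eventId);
                }
            }
        }
        if (eventSet) {
            return;
        }
        recorder.accept(fallbackEventId);
        ActionSupport.buildEvent(profileRequestContext, fallbackEventId);
    }
}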
