package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.openid.connect.sdk.claims.ACR;
import com.nimbusds.openid.connect.sdk.claims.ClaimRequirement;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.PreferredPrincipalContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.DefaultRequestedAcrLookupFunction;
import net.shibboleth.oidc.authn.principal.AuthenticationContextClassReferencePrincipal;
import net.shibboleth.oidc.profile.config.navigate.AcrClaimAlwaysEssentialLookupFunction;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/ProcessRequestedAuthnContext.class */
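/**
 * Translates the authentication context class references (acr) asked for in an OIDC
 * authentication request into a principal context attached to the {@link AuthenticationContext}.
 *
 * <p>Two sources are consulted: the list returned by the acr lookup strategy, and the
 * {@code acr} entry of the ID token section of the claims request. The outcome is either a
 * {@link RequestedPrincipalContext} with the {@code EXACT} operator, or a
 * {@link PreferredPrincipalContext}.</p>
 *
 * <p>Security-relevant behaviour visible in this class:</p>
 * <ul>
 *   <li>When the lookup strategy returns a non-empty list, the {@code acr} claim is not read in
 *       {@code doExecute}, so its essential/voluntary marker has no effect. The choice between
 *       the requested and the preferred context then rests only on the always-essential
 *       predicate.</li>
 *   <li>The requested (not merely preferred) context is created only when the claim is marked
 *       {@link ClaimRequirement#ESSENTIAL} or the always-essential predicate returns true.
 *       Deployments that depend on a particular authentication strength should confirm which of
 *       the two paths their requests take, and relying parties should still check the
 *       {@code acr} value they receive in the ID token.</li>
 *   <li>The acr strings are written to the debug log as received. NOTE(review): they appear to
 *       originate from the client request; confirm the log pipeline tolerates
 *       client-controlled text.</li>
 * </ul>
 */
public class ProcessRequestedAuthnContext extends AbstractOIDCAuthenticationResponseAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ProcessRequestedAuthnContext.class);

    /** Strategy used to obtain the acr values carried by the request. */
    @Nonnull
    private Function<ProfileRequestContext, List<ACR>> acrLookupStrategy = new DefaultRequestedAcrLookupFunction();

    /** Predicate deciding whether acr must be treated as essential regardless of the request. */
    @Nonnull
    private Predicate<ProfileRequestContext> acrAlwaysEssentialLookupStrategy = new AcrClaimAlwaysEssentialLookupFunction();

    /** Authentication context located during pre-execution. */
    @Nullable
    private AuthenticationContext authenticationContext;

    /** Result of the acr lookup strategy for the current request. */
    @Nullable
    private List<ACR> acrValues;

    /** The {@code acr} entry of the ID token claims request, if the request carries one. */
    @Nullable
    private ClaimsSetRequest.Entry acrClaim;

    /**
     * Sets the strategy used to obtain the requested acr values.
     *
     * @param function lookup strategy, must not be null
     */
    public void setAcrLookupStrategy(@Nonnull Function<ProfileRequestContext, List<ACR>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.acrLookupStrategy = Constraint.isNotNull(function, "Acr lookup strategy cannot be null");
    }

    /**
     * Sets the predicate that forces acr to be handled as essential.
     *
     * @param predicate lookup strategy, must not be null
     */
    public void setAcrAlwaysEssentialLookupStrategy(@Nonnull Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.acrAlwaysEssentialLookupStrategy =
                Constraint.isNotNull(predicate, "AcrAlwaysEssentialLookupStrategy lookup strategy cannot be null");
    }

    /**
     * Collects the acr inputs of the request and locates the authentication context.
     *
     * @param profileRequestContext current profile request context
     * @return true when there is acr input to process and an authentication context exists;
     *         false otherwise (an {@code InvalidAuthenticationContext} event is built when the
     *         authentication context is missing)
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.acrValues = this.acrLookupStrategy.apply(profileRequestContext);
        // Always reassigned (possibly to null) so that a reused action instance cannot carry
        // the acr claim of an earlier request into this one.
        this.acrClaim = findRequestedAcrClaim();

        final boolean noAcrValues = this.acrValues == null || this.acrValues.isEmpty();
        final boolean noAcrClaimValue = this.acrClaim == null
                || (this.acrClaim.getValuesAsListOfStrings() == null && this.acrClaim.getValueAsString() == null);
        if (noAcrValues && noAcrClaimValue) {
            this.log.debug("No acr values nor acr claim values in request, nothing to do");
            return false;
        }

        this.authenticationContext = profileRequestContext.getSubcontext(AuthenticationContext.class);
        if (this.authenticationContext == null) {
            this.log.error("{} No authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidAuthenticationContext");
            return false;
        }
        return true;
    }

    /**
     * Builds the principal list from the collected acr input and attaches either a requested
     * (EXACT) or a preferred principal context to the authentication context.
     *
     * @param profileRequestContext current profile request context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        final List<Principal> principals = new ArrayList<>();
        boolean essential = false;

        if (this.acrValues != null && !this.acrValues.isEmpty()) {
            // Values from the lookup strategy win; the acr claim (and its essential marker)
            // is deliberately not consulted on this path.
            for (final ACR acr : this.acrValues) {
                this.log.debug("{} Located acr value {} in request", getLogPrefix(), acr.getValue());
                principals.add(new AuthenticationContextClassReferencePrincipal(acr.getValue()));
            }
        } else if (this.acrClaim != null) {
            // Constant-first comparison: a missing requirement is treated as not essential
            // instead of raising a NullPointerException.
            essential = ClaimRequirement.ESSENTIAL == this.acrClaim.getClaimRequirement();
            final String singleValue = this.acrClaim.getValueAsString();
            if (singleValue != null) {
                this.log.debug("{} Located {} acr claim {} in id token section of claims request",
                        getLogPrefix(), this.acrClaim.getClaimRequirement(), singleValue);
                principals.add(new AuthenticationContextClassReferencePrincipal(singleValue));
            } else {
                final List<String> listedValues = this.acrClaim.getValuesAsListOfStrings();
                // doPreExecute only lets a claim through when it has a value or a value list,
                // but the list is checked here as well so the loop never runs on null.
                if (listedValues != null) {
                    for (final String value : listedValues) {
                        this.log.debug("{} Located {} acr claim {} in id token section of claims request",
                                getLogPrefix(), this.acrClaim.getClaimRequirement(), value);
                        principals.add(new AuthenticationContextClassReferencePrincipal(value));
                    }
                }
            }
        }

        if (principals.isEmpty()) {
            this.log.debug("{} request did not contain any acr values, nothing to do", getLogPrefix());
            return;
        }

        // The predicate is evaluated only when the request itself did not mark acr essential.
        final boolean enforce = essential || this.acrAlwaysEssentialLookupStrategy.test(profileRequestContext);
        if (!enforce) {
            final PreferredPrincipalContext preferredPrincipalContext = new PreferredPrincipalContext();
            preferredPrincipalContext.setPreferredPrincipals(principals);
            this.authenticationContext.addSubcontext(preferredPrincipalContext, true);
            this.log.debug("{} Created preferred principal context", getLogPrefix());
            return;
        }

        final RequestedPrincipalContext requestedPrincipalContext = new RequestedPrincipalContext();
        requestedPrincipalContext.setOperator(AuthnContextComparisonTypeEnumeration.EXACT.toString());
        requestedPrincipalContext.setRequestedPrincipals(principals);
        this.authenticationContext.addSubcontext(requestedPrincipalContext, true);
        this.log.debug("{} Created requested principal context", getLogPrefix());
    }

    /**
     * Finds the first {@code acr} entry in the ID token section of the claims request.
     *
     * @return the entry, or null when the request has no claims request, no ID token section,
     *         or no {@code acr} entry
     */
    @Nullable
    private ClaimsSetRequest.Entry findRequestedAcrClaim() {
        if (getOidcResponseContext().getRequestedClaims() == null) {
            return null;
        }
        final ClaimsSetRequest idTokenClaims = getOidcResponseContext().getRequestedClaims().getIDTokenClaimsRequest();
        if (idTokenClaims == null) {
            return null;
        }
        for (final ClaimsSetRequest.Entry entry : idTokenClaims.getEntries()) {
            if ("acr".equals(entry.getClaimName())) {
                return entry;
            }
        }
        return null;
    }
}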
