package net.shibboleth.idp.authn.impl;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicate;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactory;
import net.shibboleth.idp.authn.principal.PrincipalSupportingComponent;
import net.shibboleth.idp.session.context.SessionContext;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/impl/FinalizeAuthentication.class */
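/**
 * Authentication action that checks a completed authentication result against the request and
 * records it on the subject.
 *
 * <p>{@code doPreExecute} establishes the canonical principal name (from the subject
 * canonicalization context, else from the IdP session) and, when the request carries a
 * {@link RequestedPrincipalContext}, requires that the authentication result satisfy it; otherwise
 * the {@code RequestUnsupported} event is signalled. {@code doExecute} then copies the principal
 * name and the authentication results into the {@link SubjectContext}, refusing to do so when that
 * context already names a different principal.</p>
 */
public class FinalizeAuthentication extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(FinalizeAuthentication.class);

    /** Weights used to pick one principal when several satisfy the request; a missing entry counts as 0. */
    @NonnullElements
    @Nonnull
    private Map<Principal, Integer> weightMap = Collections.emptyMap();

    /**
     * Canonical principal name captured by {@code doPreExecute} and consumed by {@code doExecute}.
     *
     * <p>NOTE(review): this is per-execution state held in an instance field and it is never reset in
     * this class. If one instance were reused across requests, a name captured for an earlier request
     * would still be in place whenever a later request supplies no canonicalization context, and would
     * be written to that request's subject. Presumably the action is instantiated per execution
     * (prototype scope) - confirm in the flow/bean configuration.</p>
     */
    @Nullable
    private String canonicalPrincipalName;

    /**
     * Orders principals by their configured weight, ascending.
     *
     * <p>The decompiler reports that this class was originally {@code private}; only the enclosing
     * class can construct it.</p>
     */
    public class WeightedComparator implements Comparator<Principal> {
        private WeightedComparator() {
        }

        @Override // java.util.Comparator
        public int compare(Principal first, Principal second) {
            return Integer.compare(weightOf(first), weightOf(second));
        }
    }

    /** Returns the configured weight of a principal, or 0 when it has none. */
    private int weightOf(Principal principal) {
        final Integer weight = this.weightMap.get(principal);
        return weight != null ? weight.intValue() : 0;
    }

    /**
     * Sets the principal weights used to break ties between matching principals.
     *
     * @param map principal-to-weight mapping; {@code null} clears the weights, and entries with a
     *            {@code null} key or value are skipped
     */
    public void setWeightMap(@NonnullElements @Nullable Map<Principal, Integer> map) {
        if (map == null) {
            this.weightMap = Collections.emptyMap();
            return;
        }
        // Populate a local copy and publish it in one assignment, so the field never refers to a
        // half-filled map.
        final Map<Principal, Integer> copy = new HashMap<>(map.size());
        for (Map.Entry<Principal, Integer> entry : map.entrySet()) {
            if (entry.getKey() != null && entry.getValue() != null) {
                copy.put(entry.getKey(), entry.getValue());
            }
        }
        this.weightMap = copy;
    }

    /**
     * Captures the canonical principal name and verifies that the authentication result satisfies any
     * requested principals.
     *
     * @param profileRequestContext  the current profile request context
     * @param authenticationContext the current authentication context
     * @return {@code false} after signalling {@code RequestUnsupported} when principals were requested
     *         and the result is missing or does not satisfy them; otherwise the superclass result
     */
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        // ProfileRequestContext is used raw here, so the subcontext lookups are cast explicitly.
        final SubjectCanonicalizationContext c14nContext = (SubjectCanonicalizationContext) profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class);
        if (c14nContext != null) {
            this.canonicalPrincipalName = c14nContext.getPrincipalName();
            // The canonicalization context is consumed: it is removed once its name has been read.
            profileRequestContext.removeSubcontext(c14nContext);
            this.log.debug("{} Canonical principal name was established as '{}'", getLogPrefix(), this.canonicalPrincipalName);
        }
        if (this.canonicalPrincipalName == null) {
            // No name from canonicalization: fall back to the principal of the existing IdP session.
            final SessionContext sessionContext = (SessionContext) profileRequestContext.getSubcontext(SessionContext.class);
            if (sessionContext != null && sessionContext.getIdPSession() != null) {
                this.canonicalPrincipalName = sessionContext.getIdPSession().getPrincipalName();
                this.log.debug("{} Canonical principal name established from session as '{}'", getLogPrefix(), this.canonicalPrincipalName);
            }
        }

        final RequestedPrincipalContext requestedPrincipalContext = (RequestedPrincipalContext) authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        if (requestedPrincipalContext == null) {
            this.log.debug("{} Request did not have explicit authentication requirements, result is accepted", getLogPrefix());
            return super.doPreExecute(profileRequestContext, authenticationContext);
        }

        final AuthenticationResult authenticationResult = authenticationContext.getAuthenticationResult();
        if (authenticationResult == null) {
            // Principals were requested but there is nothing to check them against: reject.
            this.log.warn("{} Authentication result missing from context?", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "RequestUnsupported");
            return false;
        }

        final Principal projectedMatch = requestedPrincipalContext.getMatchingPrincipal();
        if (projectedMatch != null && !authenticationResult.getSupportedPrincipals(projectedMatch.getClass()).contains(projectedMatch)) {
            this.log.debug("{} Authentication result lacks originally projected matching principal '{}', reevaluating", getLogPrefix(), projectedMatch.getName());
            requestedPrincipalContext.setMatchingPrincipal((Principal) null);
        }
        // The match is recomputed from the actual result in every case, not only after a reset.
        requestedPrincipalContext.setMatchingPrincipal(findMatchingPrincipal(authenticationContext, requestedPrincipalContext));
        if (requestedPrincipalContext.getMatchingPrincipal() == null) {
            // Fail closed: a result that does not satisfy the requested principals is not accepted.
            this.log.warn("{} Authentication result for flow {} did not satisfy the request", getLogPrefix(), authenticationResult.getAuthenticationFlowId());
            ActionSupport.buildEvent(profileRequestContext, "RequestUnsupported");
            return false;
        }
        return super.doPreExecute(profileRequestContext, authenticationContext);
    }

    /**
     * Records the canonical principal name and the authentication results on the subject context and
     * marks the authentication context complete.
     *
     * <p>When the subject context already names a different principal, {@code InvalidSubjectContext} is
     * signalled and nothing is written; the completion instant is not set in that case.</p>
     *
     * @param profileRequestContext  the current profile request context
     * @param authenticationContext the current authentication context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (this.canonicalPrincipalName != null) {
            final SubjectContext subjectContext = (SubjectContext) profileRequestContext.getSubcontext(SubjectContext.class, true);
            final String existingName = subjectContext.getPrincipalName();
            // Identity-consistency check: a result for one principal must never be merged into a
            // subject context that was already established for another.
            if (existingName != null && !this.canonicalPrincipalName.equals(existingName)) {
                this.log.warn("{} Result of authentication ({}) does not match existing subject in context ({})", new Object[]{getLogPrefix(), this.canonicalPrincipalName, existingName});
                ActionSupport.buildEvent(profileRequestContext, "InvalidSubjectContext");
                return;
            }
            subjectContext.setPrincipalName(this.canonicalPrincipalName);
            final Map<String, AuthenticationResult> subjectResults = subjectContext.getAuthenticationResults();
            subjectResults.putAll(authenticationContext.getActiveResults());
            final AuthenticationResult latestResult = authenticationContext.getAuthenticationResult();
            if (latestResult != null) {
                // Added after the active results, so the new result replaces any older entry stored
                // under the same flow id.
                subjectResults.put(latestResult.getAuthenticationFlowId(), latestResult);
            }
        }
        authenticationContext.setCompletionInstant();
    }

    /**
     * Finds a principal in the authentication result that satisfies the requested principals.
     *
     * <p>Requested principals are tried in order and the search stops at the first one for which the
     * result supplies at least one satisfying principal. Among several satisfying principals the one
     * with the highest weight is returned; with no weights configured the first one found is
     * returned.</p>
     *
     * @param authenticationContext     the current authentication context
     * @param requestedPrincipalContext the requested principals and the matching operator
     * @return the selected principal, or {@code null} when nothing satisfies the request or no
     *         authentication result is present
     */
    @Nullable
    protected Principal findMatchingPrincipal(@Nonnull AuthenticationContext authenticationContext, @Nonnull RequestedPrincipalContext requestedPrincipalContext) {
        final AuthenticationResult authenticationResult = authenticationContext.getAuthenticationResult();
        if (authenticationResult == null) {
            // Without a result nothing can match. Returning null lets callers treat this as
            // "request not satisfied" instead of failing with a NullPointerException.
            return null;
        }

        final ArrayList<Principal> matches = new ArrayList<>();
        for (final Principal requested : requestedPrincipalContext.getRequestedPrincipals()) {
            this.log.debug("{} Checking result for compatibility with operator '{}' and principal '{}'", new Object[]{getLogPrefix(), requestedPrincipalContext.getOperator(), requested.getName()});
            final PrincipalEvalPredicateFactory factory = requestedPrincipalContext.getPrincipalEvalPredicateFactoryRegistry().lookup(requested.getClass(), requestedPrincipalContext.getOperator());
            if (factory == null) {
                // An operator/type pair with no registered factory is skipped, never treated as a match.
                this.log.warn("{} Configuration does not support requested principal evaluation with operator '{}' and type '{}'", new Object[]{getLogPrefix(), requestedPrincipalContext.getOperator(), requested.getClass()});
                continue;
            }
            final PrincipalEvalPredicate predicate = factory.getPredicate(requested);
            matches.clear();
            for (final Principal candidate : authenticationResult.getSupportedPrincipals(requested.getClass())) {
                // Each candidate is presented to the predicate on its own, wrapped in a component
                // that exposes only that principal.
                final PrincipalSupportingComponent single = new PrincipalSupportingComponent() {
                    @SuppressWarnings("unchecked") // candidate was obtained for this requested principal's class
                    public <T extends Principal> Set<T> getSupportedPrincipals(Class<T> cls) {
                        return Collections.singleton((T) candidate);
                    }
                };
                if (predicate.apply(single)) {
                    this.log.debug("{} Principal '{}' in authentication result satisfies request for principal '{}'", new Object[]{getLogPrefix(), candidate.getName(), requested.getName()});
                    matches.add(candidate);
                }
            }
            if (!matches.isEmpty()) {
                break;
            }
        }

        if (matches.isEmpty()) {
            return null;
        }
        if (matches.size() == 1 || this.weightMap.isEmpty()) {
            return matches.get(0);
        }
        // Sort ascending by weight and take the last element. Arrays.sort is stable for objects, so
        // among equally weighted principals the one found last is returned.
        final Principal[] ranked = matches.toArray(new Principal[0]);
        Arrays.sort(ranked, new WeightedComparator());
        return ranked[ranked.length - 1];
    }
}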
