package net.shibboleth.idp.saml.saml2.profile.delegation.impl;

import com.google.common.base.Function;
import com.google.common.base.Predicate;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.saml.idwsf.profile.config.SSOSProfileConfiguration;
import net.shibboleth.idp.saml.xmlobject.DelegationPolicy;
import net.shibboleth.utilities.java.support.annotation.Prototype;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.Conditions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

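/**
 * Profile action that decides whether a presented delegated SAML 2 Assertion may be used to
 * obtain a further delegated token, according to the relying party's delegation policy.
 *
 * <p>Two checks run in order in {@link #doExecute(ProfileRequestContext)}:</p>
 * <ol>
 *   <li>the {@link SSOSProfileConfiguration#getDelegationPredicate()} of the relying party must
 *       accept the request;</li>
 *   <li>the token's existing delegation chain length (the number of {@code Delegate} children of
 *       its {@code DelegationRestriction} condition) must be strictly less than the policy
 *       maximum, which is resolved by {@link #getPolicyMaxDelegationChainLength(ProfileRequestContext)}
 *       and defaults to {@link #DEFAULT_POLICY_MAX_CHAIN_LENGTH}.</li>
 * </ol>
 *
 * <p>Events signalled: {@link AuthnEventIds#NO_CREDENTIALS} when no assertion is available,
 * {@link EventIds#INVALID_PROFILE_CTX} when there is no {@link RelyingPartyContext} or its profile
 * configuration is not an {@link SSOSProfileConfiguration}, and {@link EventIds#INVALID_SEC_CFG}
 * when either policy check fails. No event is built when both checks pass.</p>
 *
 * <p>NOTE(review): with the default strategy the policy maximum is read from the presented token
 * itself (its {@code Advice}), so this action depends on the token having been authenticated
 * (e.g. signature-validated) by an earlier action in the flow; nothing here verifies that.</p>
 */
@Prototype
public class EvaluateDelegationPolicy extends AbstractProfileAction {

    /** Policy maximum chain length used when no strategy-supplied value is available. */
    public static final Long DEFAULT_POLICY_MAX_CHAIN_LENGTH = 1L;

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(EvaluateDelegationPolicy.class);

    /** Strategy used to locate the {@link RelyingPartyContext}; defaults to a direct child lookup. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy =
            new ChildContextLookup(RelyingPartyContext.class);

    /** Strategy used to locate the delegated assertion being presented. */
    @Nonnull
    private Function<ProfileRequestContext, Assertion> assertionTokenStrategy =
            new DelegatedAssertionLookupStrategy();

    /** Strategy used to resolve the policy maximum delegation chain length. */
    @Nonnull
    private Function<ProfileRequestContext, Long> policyMaxChainLengthStrategy =
            new PolicyMaxChainLengthStrategy();

    /** The assertion token resolved in {@link #doPreExecuteInbound(ProfileRequestContext)}. */
    private Assertion assertionToken;

    /** Effective policy maximum chain length; never null after pre-execute succeeds. */
    private Long policyMaxChainLength;

    /** Delegation chain length carried by the token, or null if it has no chain. */
    private Long tokenChainLength;

    /** Relying party's delegation predicate, taken from its {@link SSOSProfileConfiguration}. */
    private Predicate<ProfileRequestContext> delegationPredicate;

    /**
     * Default policy-max strategy: returns the {@code MaximumTokenDelegationChainLength} of the
     * first {@code DelegationPolicy} element in the {@code Advice} of the assertion token resolved
     * by the enclosing action, or null if the token, its Advice or the policy element is absent.
     *
     * <p>Non-static on purpose: it reads the enclosing action's resolved token.</p>
     */
    public class PolicyMaxChainLengthStrategy implements Function<ProfileRequestContext, Long> {

        /** Constructor. */
        public PolicyMaxChainLengthStrategy() {
        }

        /** {@inheritDoc} */
        @Override
        @Nullable
        public Long apply(@Nullable final ProfileRequestContext profileRequestContext) {
            final Assertion token = EvaluateDelegationPolicy.this.assertionToken;
            if (token == null || token.getAdvice() == null) {
                return null;
            }
            final List<XMLObject> policies =
                    token.getAdvice().getChildren(DelegationPolicy.DEFAULT_ELEMENT_NAME);
            if (policies == null || policies.isEmpty()) {
                return null;
            }
            // Only the first DelegationPolicy is consulted; any further ones are ignored.
            return ((DelegationPolicy) policies.get(0)).getMaximumTokenDelegationChainLength();
        }
    }

    /**
     * Set the strategy used to resolve the policy maximum delegation chain length.
     *
     * @param function the strategy; may not be null
     */
    public void setPolicyMaxChainLengthStrategy(
            @Nonnull final Function<ProfileRequestContext, Long> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        policyMaxChainLengthStrategy =
                Constraint.isNotNull(function, "Policy max chain length strategy may not be null");
    }

    /**
     * Set the strategy used to locate the presented assertion token.
     *
     * @param function the strategy; may not be null
     */
    public void setAssertionTokenStrategy(
            @Nonnull final Function<ProfileRequestContext, Assertion> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        assertionTokenStrategy =
                Constraint.isNotNull(function, "Assertion token strategy may not be null");
    }

    /**
     * Set the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param function the strategy; may not be null
     */
    public void setRelyingPartyContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, RelyingPartyContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy may not be null");
    }

    /**
     * {@inheritDoc}
     *
     * <p>Resolves the inbound token (and the chain lengths derived from it) and then the relying
     * party configuration; either step may signal an event and abort execution.</p>
     */
    @Override
    public boolean doPreExecute(final ProfileRequestContext profileRequestContext) {
        return super.doPreExecute(profileRequestContext)
                && doPreExecuteInbound(profileRequestContext)
                && doPreExecuteRelyingParty(profileRequestContext);
    }

    /**
     * Resolve the presented assertion and, from it, the token chain length and policy maximum.
     *
     * @param profileRequestContext current profile request context
     * @return false (with {@link AuthnEventIds#NO_CREDENTIALS} signalled) if no assertion is
     *         available, true otherwise
     */
    protected boolean doPreExecuteInbound(@Nonnull final ProfileRequestContext profileRequestContext) {
        assertionToken = assertionTokenStrategy.apply(profileRequestContext);
        if (assertionToken == null) {
            log.warn("{} No valid SAML 2 Assertion available within the request context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
            return false;
        }
        tokenChainLength = getTokenDelegationChainLength(assertionToken);
        policyMaxChainLength = getPolicyMaxDelegationChainLength(profileRequestContext);
        return true;
    }

    /**
     * Resolve the relying party's delegation predicate from its {@link SSOSProfileConfiguration}.
     *
     * @param profileRequestContext current profile request context
     * @return false (with {@link EventIds#INVALID_PROFILE_CTX} signalled) if the context or the
     *         expected profile configuration is missing, true otherwise
     */
    protected boolean doPreExecuteRelyingParty(
            @Nonnull final ProfileRequestContext profileRequestContext) {
        final RelyingPartyContext rpContext = relyingPartyContextLookupStrategy.apply(profileRequestContext);
        if (rpContext == null) {
            log.warn("No RelyingPartyContext was available");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }
        if (!(rpContext.getProfileConfig() instanceof SSOSProfileConfiguration)) {
            log.warn("Relying party profile configuration was not SSOSProfileConfiguration");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }
        delegationPredicate =
                ((SSOSProfileConfiguration) rpContext.getProfileConfig()).getDelegationPredicate();
        return true;
    }

    /** {@inheritDoc} */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        // The chain-length check is only meaningful once delegation is allowed at all.
        if (checkAllowedDelegate(profileRequestContext)) {
            checkTokenDelegationChainLength(profileRequestContext);
        }
    }

    /**
     * Apply the relying party's delegation predicate.
     *
     * @param profileRequestContext current profile request context
     * @return true if delegated token use is allowed; false (with
     *         {@link EventIds#INVALID_SEC_CFG} signalled) otherwise
     */
    protected boolean checkAllowedDelegate(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (delegationPredicate.apply(profileRequestContext)) {
            log.debug("Delegation predicate eval indicates delegated token use is allowed");
            return true;
        }
        log.warn("Delegation predicate eval indicates delegated token use NOT allowed");
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_SEC_CFG);
        return false;
    }

    /**
     * Check the token's existing delegation chain length against the policy maximum.
     *
     * <p>A token without a chain (null or non-positive length) passes. Otherwise the chain must be
     * strictly shorter than the policy maximum: a chain already at the maximum cannot be extended
     * by issuing a new token, so it is rejected as well.</p>
     *
     * @param profileRequestContext current profile request context
     * @return true if the check passes; false (with {@link EventIds#INVALID_SEC_CFG} signalled)
     *         otherwise
     */
    protected boolean checkTokenDelegationChainLength(
            @Nonnull final ProfileRequestContext profileRequestContext) {
        if (tokenChainLength == null || tokenChainLength.longValue() <= 0) {
            log.debug("Token did not have delegation chain, this must be initial delegation request, check passes");
            return true;
        }
        log.debug("Token delegation chain length was '{}', policy max was '{}'",
                tokenChainLength, policyMaxChainLength);

        final long chain = tokenChainLength.longValue();
        final long max = policyMaxChainLength.longValue();
        if (chain < max) {
            log.debug("Token delegation chain length is OK");
            return true;
        }
        // chain >= max: both cases are rejected, only the diagnostic differs.
        if (chain > max) {
            log.warn("Presented token delegation chain length exceeds policy max, and fails acceptance");
        } else {
            log.warn("Token delegation chain length is equal to policy max, can't issue a new token from this token");
        }
        ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_SEC_CFG);
        return false;
    }

    /**
     * Get the delegation chain length carried by the assertion.
     *
     * @param assertion the assertion to inspect
     * @return the number of {@code Delegate} entries in its {@code DelegationRestriction}
     *         condition, or null if there is no such condition or it has no delegates
     */
    protected Long getTokenDelegationChainLength(@Nonnull final Assertion assertion) {
        final DelegationRestrictionType restriction =
                getDelegationRestrictionCondition(assertion.getConditions());
        if (restriction == null || restriction.getDelegates() == null) {
            return null;
        }
        return Long.valueOf(restriction.getDelegates().size());
    }

    /**
     * Locate the {@code DelegationRestriction} condition among the assertion's conditions.
     *
     * <p>NOTE(review): a condition whose xsi:type is {@code DelegationRestrictionType} but which was
     * not unmarshalled as a {@link DelegationRestrictionType} instance is logged and skipped. If
     * it was the only such condition this returns null and the caller treats the token as having
     * no delegation chain, i.e. the length check passes (fail-open). That should only arise from
     * a misconfigured XML provider registry, but is worth confirming.</p>
     *
     * @param conditions the assertion's conditions; may be null
     * @return the first usable {@link DelegationRestrictionType} condition, or null
     */
    protected DelegationRestrictionType getDelegationRestrictionCondition(
            @Nullable final Conditions conditions) {
        if (conditions == null) {
            return null;
        }
        for (final Condition condition : conditions.getConditions()) {
            if (!DelegationRestrictionType.TYPE_NAME.equals(condition.getSchemaType())) {
                continue;
            }
            if (condition instanceof DelegationRestrictionType) {
                return (DelegationRestrictionType) condition;
            }
            log.warn("Saw Condition of xsi:type DelegationRestrictionType, but incorrect class instance: {}",
                    condition.getClass().getName());
        }
        return null;
    }

    /**
     * Resolve the policy maximum delegation chain length via the configured strategy, falling
     * back to {@link #DEFAULT_POLICY_MAX_CHAIN_LENGTH} when the strategy yields null.
     *
     * @param profileRequestContext current profile request context
     * @return the effective policy maximum; never null
     */
    @Nonnull
    protected Long getPolicyMaxDelegationChainLength(
            @Nonnull final ProfileRequestContext profileRequestContext) {
        final Long resolved = policyMaxChainLengthStrategy.apply(profileRequestContext);
        if (resolved != null) {
            log.debug("Strategy resolved policy max token delegation chain length: {}", resolved);
            return resolved;
        }
        log.debug("Returning default policy max token delegation chain length: {}",
                DEFAULT_POLICY_MAX_CHAIN_LENGTH);
        return DEFAULT_POLICY_MAX_CHAIN_LENGTH;
    }
}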
