package net.shibboleth.idp.saml.saml2.profile.impl;

import com.google.common.base.Function;
import com.google.common.base.Functions;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextDeclRefPrincipal;
import net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.MessageLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.opensaml.saml.saml2.core.AuthnContextClassRef;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnContextDeclRef;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/idp-saml-impl-3.3.2.jar:net/shibboleth/idp/saml/saml2/profile/impl/ProcessRequestedAuthnContext.class */
/**
 * Authentication action that reads the {@link RequestedAuthnContext} of the inbound SAML 2
 * {@link AuthnRequest} and, when it names at least one non-ignored context, attaches a
 * {@link RequestedPrincipalContext} to the {@link AuthenticationContext}.
 *
 * <p>Every class/declaration reference and the comparison operator handled here come from the
 * requester's message, so they are requester-controlled input.</p>
 *
 * <p>NOTE(review): the request being processed is kept in an instance field between
 * {@code doPreExecute} and {@code doExecute}; this presumably relies on instances not being
 * shared across concurrent requests. Confirm the bean scope.</p>
 */
public class ProcessRequestedAuthnContext extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ProcessRequestedAuthnContext.class);

    /** Locates the {@link RelyingPartyContext}; by default a child of the profile request context. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy = new ChildContextLookup(RelyingPartyContext.class);

    /** Locates the {@link AuthnRequest}; by default the message of the inbound message context. */
    @Nonnull
    private Function<ProfileRequestContext, AuthnRequest> authnRequestLookupStrategy = Functions.compose(new MessageLookup(AuthnRequest.class), new InboundMessageContextLookup());

    /** Context URIs that are skipped when requested; defaults to the SAML "unspecified" class. */
    @NonnullElements
    @Nonnull
    private Set<String> ignoredContexts = Collections.singleton("urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");

    /** Request being processed; assigned in {@code doPreExecute}, read in {@code doExecute}. */
    @Nullable
    private AuthnRequest authnRequest;

    /**
     * Replaces the strategy used to find the {@link RelyingPartyContext}.
     *
     * @param function lookup strategy, must not be null
     */
    public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext, RelyingPartyContext> function) {
        // Configuration is frozen once the component has been initialized.
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    /**
     * Replaces the strategy used to find the {@link AuthnRequest}.
     *
     * @param function lookup strategy, must not be null
     */
    public void setAuthnRequestLookupStrategy(@Nonnull Function<ProfileRequestContext, AuthnRequest> function) {
        // Configuration is frozen once the component has been initialized.
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.authnRequestLookupStrategy =
                Constraint.isNotNull(function, "AuthnRequest lookup strategy cannot be null");
    }

    /**
     * Sets the context URIs that are skipped (and logged) instead of being turned into
     * requested principals.
     *
     * <p>A request whose references are all in this set ends up with no
     * {@link RequestedPrincipalContext}, so keep the set limited to values that are meant to
     * carry no authentication requirement.</p>
     *
     * @param collection URIs to ignore; passed through
     *                   {@code StringSupport.normalizeStringCollection} before being stored
     */
    public void setIgnoredContexts(@NonnullElements @Nonnull Collection<String> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        final Collection<String> normalized = StringSupport.normalizeStringCollection(collection);
        this.ignoredContexts = normalized.isEmpty()
                ? Collections.<String>emptySet()
                : new HashSet<>(normalized);
    }

    /**
     * Resolves the {@link AuthnRequest} before execution.
     *
     * <p>Decompiler note: the access modifier was changed from {@code protected}.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return {@code false} if the superclass check fails or no request is found (in the
     *         latter case an {@code INVALID_MSG_CTX} event is built), otherwise {@code true}
     */
    @Override
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }

        this.authnRequest = this.authnRequestLookupStrategy.apply(profileRequestContext);
        final boolean requestFound = this.authnRequest != null;
        if (!requestFound) {
            this.log.debug("{} AuthnRequest message was not returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
        }
        return requestFound;
    }

    /**
     * Converts the request's {@link RequestedAuthnContext} into a
     * {@link RequestedPrincipalContext}.
     *
     * <p>Class references take precedence: declaration references are consulted only when the
     * request carries no class references at all. Null and ignored values are skipped. If
     * nothing remains, no subcontext is added.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext context that receives the {@link RequestedPrincipalContext}
     */
    @Override
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        final RequestedAuthnContext requestedAuthnContext = this.authnRequest.getRequestedAuthnContext();
        if (requestedAuthnContext == null) {
            this.log.debug("{} AuthnRequest did not contain a RequestedAuthnContext, nothing to do", getLogPrefix());
            return;
        }

        // The disallow check is enforced only when a relying-party context exists AND its
        // profile configuration is a BrowserSSOProfileConfiguration; in every other case the
        // requested context is processed.
        // NOTE(review): the literal 1 is presumably the "AuthnContext" feature bit defined on
        // BrowserSSOProfileConfiguration (the decompiler inlined it); confirm against that class.
        final RelyingPartyContext rpContext = this.relyingPartyContextLookupStrategy.apply(profileRequestContext);
        final boolean disallowed = rpContext != null
                && rpContext.getProfileConfig() instanceof BrowserSSOProfileConfiguration
                && ((BrowserSSOProfileConfiguration) rpContext.getProfileConfig()).isFeatureDisallowed(1);
        if (disallowed) {
            this.log.warn("{} Incoming RequestedAuthnContext disallowed by profile configuration", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_AUTHN_CTX);
            return;
        }

        final ArrayList<java.security.Principal> principals = new ArrayList<>();
        if (!requestedAuthnContext.getAuthnContextClassRefs().isEmpty()) {
            for (final AuthnContextClassRef classRef : requestedAuthnContext.getAuthnContextClassRefs()) {
                final String uri = classRef.getAuthnContextClassRef();
                if (uri == null) {
                    continue;
                }
                if (this.ignoredContexts.contains(uri)) {
                    // The URI is copied verbatim from the request message.
                    // NOTE(review): confirm the log encoder neutralises control characters.
                    this.log.info("{} Ignoring AuthnContextClassRef: {}", getLogPrefix(), uri);
                } else {
                    principals.add(new AuthnContextClassRefPrincipal(uri));
                }
            }
        } else {
            // Reached only when the request has no class references; an empty list is a no-op.
            for (final AuthnContextDeclRef declRef : requestedAuthnContext.getAuthnContextDeclRefs()) {
                final String uri = declRef.getAuthnContextDeclRef();
                if (uri == null) {
                    continue;
                }
                if (this.ignoredContexts.contains(uri)) {
                    // Same requester-controlled value as above; same logging caveat applies.
                    this.log.info("{} Ignoring AuthnContextDeclRef: {}", getLogPrefix(), uri);
                } else {
                    principals.add(new AuthnContextDeclRefPrincipal(uri));
                }
            }
        }

        if (principals.isEmpty()) {
            // All references were null or ignored: no RequestedPrincipalContext is attached.
            this.log.debug("{} RequestedAuthnContext did not contain any requested contexts, nothing to do", getLogPrefix());
            return;
        }

        // A request without a Comparison attribute is treated as an "exact" match request.
        final String operator = requestedAuthnContext.getComparison() != null
                ? requestedAuthnContext.getComparison().toString()
                : AuthnContextComparisonTypeEnumeration.EXACT.toString();

        final RequestedPrincipalContext requestedPrincipalContext = new RequestedPrincipalContext();
        requestedPrincipalContext.setOperator(operator);
        requestedPrincipalContext.setRequestedPrincipals(principals);
        // NOTE(review): the 'true' flag presumably replaces any existing subcontext of this type.
        authenticationContext.addSubcontext(requestedPrincipalContext, true);
        this.log.debug("{} RequestedPrincipalContext created with operator {} and {} custom principal(s)", getLogPrefix(), requestedPrincipalContext.getOperator(), principals.size());
    }
}
