package net.shibboleth.idp.saml.saml2.profile.delegation.impl;

import com.google.common.base.Function;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import javax.annotation.Nonnull;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.saml.profile.context.navigate.SAMLMetadataContextLookupFunction;
import net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration;
import net.shibboleth.idp.saml.saml2.profile.delegation.DelegationContext;
import net.shibboleth.idp.saml.saml2.profile.delegation.DelegationRequest;
import net.shibboleth.utilities.java.support.annotation.Prototype;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.criterion.EntityIdCriterion;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.messaging.context.AttributeConsumingServiceContext;
import org.opensaml.saml.common.messaging.context.SAMLMetadataContext;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.metadata.AttributeConsumingService;
import org.opensaml.saml.saml2.metadata.RequestedAttribute;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

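@Prototype
/* loaded from: input_file:BOOT-INF/lib/idp-saml-impl-3.3.3.jar:net/shibboleth/idp/saml/saml2/profile/delegation/impl/PopulateDelegationContext.class */
/**
 * Profile action that decides whether a delegated (holder-of-key style) Assertion is to be issued for the
 * current SAML 2 AuthnRequest and, if so, creates and populates a {@link DelegationContext}.
 *
 * <p>The delegation request state is determined in this order:
 * <ol>
 *   <li>an {@code AuthnRequest/Conditions/AudienceRestriction/Audience} equal to this IdP's responder ID
 *       (treated as {@link DelegationRequest#REQUESTED_REQUIRED});</li>
 *   <li>a {@code RequestedAttribute} named {@value #DELEGATION_REQUEST_ATTRIBUTE_NAME} in the SP's metadata
 *       {@link AttributeConsumingService}, whose {@code isRequired} flag selects required vs. optional;</li>
 *   <li>the configured default ({@link #getDefaultDelegationRequested()}).</li>
 * </ol>
 *
 * <p>Delegation is only honoured when the relying party's {@link BrowserSSOProfileConfiguration} allows it.
 * A required request that policy disallows, or for which no subject confirmation credentials can be
 * resolved from the SP's metadata role, fails the request with an event rather than silently downgrading.
 *
 * <p>This is a {@link Prototype} component: per-request state is held in instance fields.
 */
public class PopulateDelegationContext extends AbstractProfileAction {

    /**
     * Name of the metadata {@link RequestedAttribute} that signals a delegation request by the SP;
     * its {@code isRequired} flag distinguishes a required from an optional request.
     */
    private static final String DELEGATION_REQUEST_ATTRIBUTE_NAME = "urn:liberty:ssos:2006-08";

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(PopulateDelegationContext.class);

    /** Resolver used to obtain the SP's signing credentials, which become the subject confirmation credentials. */
    @Nonnull
    private CredentialResolver credentialResolver;

    /** Strategy used to locate the {@link RelyingPartyContext}. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy =
            new ChildContextLookup<>(RelyingPartyContext.class);

    /** Strategy used to locate the {@link SAMLMetadataContext} describing the requesting SP. */
    @Nonnull
    private Function<ProfileRequestContext, SAMLMetadataContext> samlMetadataContextLookupStrategy =
            new SAMLMetadataContextLookupFunction();

    /** Strategy used to locate (and create, if absent) the {@link DelegationContext} to populate. */
    @Nonnull
    private Function<ProfileRequestContext, DelegationContext> delegationContextLookupStrategy =
            new ChildContextLookup<>(DelegationContext.class, true);

    /** Value used when neither the request nor metadata indicates a delegation request. */
    @Nonnull
    private DelegationRequest defaultDelegationRequested = DelegationRequest.NOT_REQUESTED;

    // --- per-request state, populated in doPreExecute ---

    /** The resolved delegation request state for this request. */
    private DelegationRequest delegationRequested;

    /** The relying party context for this request. */
    private RelyingPartyContext relyingPartyContext;

    /** Whether the relying party's profile configuration permits delegation. */
    private boolean delegationAllowed;

    /** This IdP's responder (entity) ID, compared against AuthnRequest Audience values. */
    private String responderId;

    /** The requesting SP's entity ID. */
    private String relyingPartyId;

    /** The SP's metadata role descriptor, if available. */
    private RoleDescriptor roleDescriptor;

    /** The SP's metadata AttributeConsumingService, if available. */
    private AttributeConsumingService attributeConsumingService;

    /** Credentials the delegate must prove possession of; resolved from the SP's metadata role, never from the request. */
    private List<Credential> confirmationCredentials;

    /**
     * Set the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param function the lookup strategy, may not be null
     */
    public void setRelyingPartyContextLookupStrategy(
            @Nonnull Function<ProfileRequestContext, RelyingPartyContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy may not be null");
    }

    /**
     * Set the strategy used to locate the {@link SAMLMetadataContext}.
     *
     * @param function the lookup strategy, may not be null
     */
    public void setSAMLMetadataContextLookupStrategy(
            @Nonnull Function<ProfileRequestContext, SAMLMetadataContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        samlMetadataContextLookupStrategy =
                Constraint.isNotNull(function, "SAMLMetadataContext lookup strategy may not be null");
    }

    /**
     * Set the strategy used to locate the {@link DelegationContext}.
     *
     * @param function the lookup strategy, may not be null
     */
    public void setDelegationContextLookupStrategy(
            @Nonnull Function<ProfileRequestContext, DelegationContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        delegationContextLookupStrategy =
                Constraint.isNotNull(function, "DelegationContext lookup strategy may not be null");
    }

    /**
     * Set the resolver used to obtain the SP's subject confirmation credentials.
     *
     * @param credentialResolver the resolver, may not be null
     */
    public void setCredentialResolver(@Nonnull CredentialResolver credentialResolver) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.credentialResolver = Constraint.isNotNull(credentialResolver, "CredentialResolver may not be null");
    }

    /**
     * Get the delegation request state used when nothing in the request or metadata indicates one.
     *
     * @return the default delegation request state, never null
     */
    @Nonnull
    public DelegationRequest getDefaultDelegationRequested() {
        return defaultDelegationRequested;
    }

    /**
     * Set the delegation request state used when nothing in the request or metadata indicates one.
     *
     * @param delegationRequest the default state, may not be null
     */
    public void setDefaultDelegationRequested(@Nonnull DelegationRequest delegationRequest) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        defaultDelegationRequested =
                Constraint.isNotNull(delegationRequest, "Default DelegationRequest may not be null");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * {@inheritDoc}
     *
     * @throws ComponentInitializationException if any lookup strategy or the credential resolver is unset
     */
    @Override // net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (relyingPartyContextLookupStrategy == null) {
            throw new ComponentInitializationException("RelyingPartyContext lookup strategy may not be null");
        }
        if (samlMetadataContextLookupStrategy == null) {
            throw new ComponentInitializationException("SAMLMetadataContext lookup strategy may not be null");
        }
        // Checked here for consistency with the other strategies; a null value would otherwise only
        // surface as an NPE inside doExecute.
        if (delegationContextLookupStrategy == null) {
            throw new ComponentInitializationException("DelegationContext lookup strategy may not be null");
        }
        if (credentialResolver == null) {
            throw new ComponentInitializationException("CredentialResolver may not be null");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Gathers the inbound message, relying party and metadata state, then determines the delegation
     * request state and resolves the confirmation credentials.
     *
     * @param profileRequestContext the current profile request context
     * @return false if any prerequisite is missing or delegation is not requested, in which case
     *         {@link #doExecute(ProfileRequestContext)} is skipped
     */
    @Override // org.opensaml.profile.action.AbstractConditionalProfileAction, org.opensaml.profile.action.AbstractProfileAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        if (!super.doPreExecute(profileRequestContext)
                || !doPreExecuteInbound(profileRequestContext)
                || !doPreExecuteRelyingParty(profileRequestContext)
                || !doPreExecuteMetadata(profileRequestContext)) {
            return false;
        }
        delegationRequested = getDelegationRequested(profileRequestContext);
        if (DelegationRequest.NOT_REQUESTED.equals(delegationRequested)) {
            log.debug("Issuance of a delegated Assertion is not in effect, skipping further processing");
            return false;
        }
        confirmationCredentials = resolveConfirmationCredentials(profileRequestContext);
        return true;
    }

    /**
     * Verify that an inbound SAML 2 {@link AuthnRequest} is present.
     *
     * @param profileRequestContext the current profile request context
     * @return true iff the inbound message is an AuthnRequest; a missing message context or message
     *         additionally signals {@link EventIds#INVALID_MSG_CTX}
     */
    protected boolean doPreExecuteInbound(@Nonnull ProfileRequestContext profileRequestContext) {
        if (profileRequestContext.getInboundMessageContext() == null
                || profileRequestContext.getInboundMessageContext().getMessage() == null) {
            log.warn("No inbound message context or message found");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
            return false;
        }
        if (!(profileRequestContext.getInboundMessageContext().getMessage() instanceof AuthnRequest)) {
            log.debug("Request is not a SAML 2 AuthnRequest");
            return false;
        }
        return true;
    }

    /**
     * Locate the relying party context and derive the relying party ID, the responder ID and whether
     * the profile configuration allows delegation.
     *
     * @param profileRequestContext the current profile request context
     * @return true iff a relying party context with an ID and a {@link BrowserSSOProfileConfiguration}
     *         is available; a missing context or ID additionally signals {@link EventIds#INVALID_PROFILE_CTX}
     */
    protected boolean doPreExecuteRelyingParty(@Nonnull ProfileRequestContext profileRequestContext) {
        relyingPartyContext = relyingPartyContextLookupStrategy.apply(profileRequestContext);
        if (relyingPartyContext == null) {
            log.warn("No RelyingPartyContext was available");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }
        relyingPartyId = relyingPartyContext.getRelyingPartyId();
        if (relyingPartyId == null) {
            log.warn("No relying party ID was available");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }
        final Object profileConfig = relyingPartyContext.getProfileConfig();
        if (!(profileConfig instanceof BrowserSSOProfileConfiguration)) {
            // Guard the null case explicitly: instanceof is false for null, and the original
            // unconditionally dereferenced getClass() in the log call.
            log.debug("ProfileConfiguration does not support delegation: {}",
                    profileConfig == null ? "(none)" : profileConfig.getClass().getName());
            return false;
        }
        // Policy decision: delegation is only ever issued when the profile configuration permits it.
        delegationAllowed =
                ((BrowserSSOProfileConfiguration) profileConfig).getAllowDelegation().apply(profileRequestContext);
        responderId = relyingPartyContext.getConfiguration().getResponderId();
        return true;
    }

    /**
     * Locate the SP's metadata role descriptor and, if present, its AttributeConsumingService.
     *
     * @param profileRequestContext the current profile request context
     * @return true iff a role descriptor is available; the AttributeConsumingService is optional
     */
    protected boolean doPreExecuteMetadata(@Nonnull ProfileRequestContext profileRequestContext) {
        final SAMLMetadataContext metadataContext = samlMetadataContextLookupStrategy.apply(profileRequestContext);
        if (metadataContext == null) {
            log.debug("No SAMLMetadataContext was available, skipping further delegation processing");
            return false;
        }
        roleDescriptor = metadataContext.getRoleDescriptor();
        if (roleDescriptor == null) {
            log.debug("No RoleDescriptor was available, skipping further delegation processing");
            return false;
        }
        final AttributeConsumingServiceContext acsContext =
                metadataContext.getSubcontext(AttributeConsumingServiceContext.class);
        if (acsContext != null) {
            attributeConsumingService = acsContext.getAttributeConsumingService();
        }
        if (attributeConsumingService == null) {
            log.debug("No AttributeConsumingService was resolved, "
                    + "won't be able to determine delegation requested status via metadata");
        }
        return true;
    }

    /**
     * Apply the delegation policy decision and, where issuance is appropriate, populate the
     * {@link DelegationContext}.
     *
     * <p>An optional request that is disallowed or lacks confirmation credentials is silently skipped;
     * a required request in the same situations signals {@link EventIds#INVALID_SEC_CFG} or
     * {@link EventIds#MESSAGE_PROC_ERROR} respectively.
     *
     * @param profileRequestContext the current profile request context
     */
    @Override // org.opensaml.profile.action.AbstractProfileAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        ComponentSupport.ifNotInitializedThrowUninitializedComponentException(this);
        switch (delegationRequested) {
            case NOT_REQUESTED:
                log.debug("Delegation was not requested");
                return;

            case REQUESTED_OPTIONAL:
                if (!delegationAllowed) {
                    log.debug("Delegation token issuance was requested (optional), but not allowed, "
                            + "skipping delegated assertion issuance");
                    return;
                }
                log.debug("Delegation token issuance was requested (optional) and allowed");
                if (!hasConfirmationCredentials()) {
                    log.warn("Issuance of delegated token was indicated, "
                            + "but no confirmation credentials were available, skipping issuance");
                    return;
                }
                createAndPopulateDelegationContext(profileRequestContext);
                return;

            case REQUESTED_REQUIRED:
                if (!delegationAllowed) {
                    log.warn("Delegation token issuance was requested (required), but disallowed by policy");
                    ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_SEC_CFG);
                    return;
                }
                log.debug("Delegation token issuance was requested (required) and allowed");
                if (!hasConfirmationCredentials()) {
                    log.warn("Issuance of delegated token was indicated, but no confirmation credentials were available");
                    ActionSupport.buildEvent(profileRequestContext, EventIds.MESSAGE_PROC_ERROR);
                    return;
                }
                createAndPopulateDelegationContext(profileRequestContext);
                return;

            default:
                log.error("Unknown value '{}' for delegation request state", delegationRequested);
                return;
        }
    }

    /**
     * Whether at least one subject confirmation credential was resolved.
     *
     * @return true iff the confirmation credential list is non-null and non-empty
     */
    private boolean hasConfirmationCredentials() {
        return confirmationCredentials != null && !confirmationCredentials.isEmpty();
    }

    /**
     * Obtain the {@link DelegationContext} via the configured strategy and record the issuance decision,
     * the request state and the confirmation credentials on it.
     *
     * @param profileRequestContext the current profile request context
     */
    private void createAndPopulateDelegationContext(@Nonnull ProfileRequestContext profileRequestContext) {
        final DelegationContext delegationContext = delegationContextLookupStrategy.apply(profileRequestContext);
        if (delegationContext == null) {
            log.warn("No DelegationContext was available");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            // Fix: the original fell through and dereferenced the null context below.
            return;
        }
        delegationContext.setIssuingDelegatedAssertion(true);
        delegationContext.setDelegationRequested(delegationRequested);
        delegationContext.setSubjectConfirmationCredentials(confirmationCredentials);
    }

    /**
     * Resolve the credentials the delegate must hold, using the SP's metadata role descriptor, the
     * {@link UsageType#SIGNING} usage and the relying party's entity ID as criteria.
     *
     * <p>Resolving from the trusted metadata role (not from anything in the AuthnRequest) is what binds
     * the delegated Assertion to the genuine SP.
     *
     * @param profileRequestContext the current profile request context
     * @return the resolved non-null credentials; an empty list if resolution fails
     */
    @Nonnull
    private List<Credential> resolveConfirmationCredentials(@Nonnull ProfileRequestContext profileRequestContext) {
        final CriteriaSet criteria = new CriteriaSet();
        criteria.add(new RoleDescriptorCriterion(roleDescriptor));
        criteria.add(new UsageCriterion(UsageType.SIGNING));
        criteria.add(new EntityIdCriterion(relyingPartyId));
        final List<Credential> resolved = new ArrayList<>();
        try {
            for (final Credential credential : credentialResolver.resolve(criteria)) {
                if (credential != null) {
                    resolved.add(credential);
                }
            }
            return resolved;
        } catch (final ResolverException e) {
            log.warn("Error resolving subject confirmation credentials for relying party: {}", relyingPartyId, e);
            // Callers treat null and empty identically; an empty list avoids propagating null.
            return Collections.emptyList();
        }
    }

    /**
     * Determine the delegation request state from the AuthnRequest audience, then metadata, then the default.
     *
     * @param profileRequestContext the current profile request context
     * @return the delegation request state, never null
     */
    @Nonnull
    private DelegationRequest getDelegationRequested(@Nonnull ProfileRequestContext profileRequestContext) {
        if (isDelegationRequestedByAudience(profileRequestContext)) {
            log.debug("Delegation was requested via AuthnRequest Audience, treating as: {}",
                    DelegationRequest.REQUESTED_REQUIRED);
            return DelegationRequest.REQUESTED_REQUIRED;
        }
        final DelegationRequest fromMetadata = getDelegationRequestedByMetadata(profileRequestContext);
        if (fromMetadata != DelegationRequest.NOT_REQUESTED) {
            log.debug("Delegation was requested via metadata: {}", fromMetadata);
            return fromMetadata;
        }
        log.debug("Delegation request was not explicitly indicated, using default value: {}",
                getDefaultDelegationRequested());
        return getDefaultDelegationRequested();
    }

    /**
     * Determine the delegation request state from the SP's metadata AttributeConsumingService.
     *
     * @param profileRequestContext the current profile request context
     * @return {@link DelegationRequest#REQUESTED_REQUIRED} or {@link DelegationRequest#REQUESTED_OPTIONAL} if the
     *         delegation RequestedAttribute is present (by its {@code isRequired} flag), else
     *         {@link DelegationRequest#NOT_REQUESTED}
     */
    @Nonnull
    private DelegationRequest getDelegationRequestedByMetadata(@Nonnull ProfileRequestContext profileRequestContext) {
        if (attributeConsumingService == null) {
            log.debug("No AttributeConsumingService was available");
            return DelegationRequest.NOT_REQUESTED;
        }
        for (final RequestedAttribute requestedAttribute : attributeConsumingService.getRequestAttributes()) {
            if (!Objects.equals(DELEGATION_REQUEST_ATTRIBUTE_NAME,
                    StringSupport.trimOrNull(requestedAttribute.getName()))) {
                continue;
            }
            log.debug("Saw requested attribute '{}' in metadata AttributeConsumingService for SP: {}",
                    DELEGATION_REQUEST_ATTRIBUTE_NAME, relyingPartyId);
            // Null-safe: an absent isRequired is treated as "not required".
            if (Boolean.TRUE.equals(requestedAttribute.isRequired())) {
                log.debug("Metadata delegation request attribute indicated it was required");
                return DelegationRequest.REQUESTED_REQUIRED;
            }
            log.debug("Metadata delegation request attribute indicated it was NOT required");
            return DelegationRequest.REQUESTED_OPTIONAL;
        }
        return DelegationRequest.NOT_REQUESTED;
    }

    /**
     * Determine whether the AuthnRequest carries a Conditions/AudienceRestriction/Audience naming this IdP's
     * responder ID, which is the request-side signal for delegation.
     *
     * @param profileRequestContext the current profile request context
     * @return true iff such an Audience is present
     */
    private boolean isDelegationRequestedByAudience(@Nonnull ProfileRequestContext profileRequestContext) {
        final Object message = profileRequestContext.getInboundMessageContext().getMessage();
        if (!(message instanceof AuthnRequest)) {
            log.debug("Inbound SAML message was not an AuthnRequest: {}", message.getClass().getName());
            return false;
        }
        final AuthnRequest authnRequest = (AuthnRequest) message;
        if (authnRequest.getConditions() == null) {
            return false;
        }
        for (final AudienceRestriction restriction : authnRequest.getConditions().getAudienceRestrictions()) {
            for (final Audience audience : restriction.getAudiences()) {
                if (Objects.equals(StringSupport.trimOrNull(audience.getAudienceURI()), responderId)) {
                    log.debug("Saw an AuthnRequest/Conditions/AudienceRestriction/Audience with value of '{}'",
                            responderId);
                    return true;
                }
            }
        }
        return false;
    }
}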
