package net.shibboleth.idp.saml.saml2.profile.delegation.impl;

import com.google.common.base.Function;
import com.google.common.base.Functions;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.saml.saml2.profile.delegation.LibertySSOSContext;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.joda.time.DateTime;
import org.opensaml.core.xml.io.MarshallingException;
import org.opensaml.core.xml.io.UnmarshallingException;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.MessageLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.opensaml.profile.context.navigate.OutboundMessageContextLookup;
import org.opensaml.saml.common.messaging.context.SAMLPresenterEntityContext;
import org.opensaml.saml.ext.saml2delrestrict.Delegate;
import org.opensaml.saml.ext.saml2delrestrict.DelegationRestrictionType;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Condition;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.profile.SAML2ActionSupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/idp-saml-impl-3.3.1.jar:net/shibboleth/idp/saml/saml2/profile/delegation/impl/AddDelegationRestrictionToAssertions.class */
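/**
 * Profile action that adds a {@code DelegationRestrictionType} Condition to every Assertion in the
 * outbound SAML 2 {@link Response}, recording the current SAML presenter as a new {@link Delegate}.
 *
 * <p>If the attested Assertion (from the {@link LibertySSOSContext}) already carries a
 * {@code DelegationRestrictionType} Condition, that Condition is cloned and the new Delegate is
 * appended to the clone, so the existing delegation chain is carried forward in order without
 * modifying the attested token itself. Otherwise a fresh Condition holding only the new Delegate
 * is built.</p>
 *
 * <p>Events signalled: {@link EventIds#INVALID_MSG_CTX} when no Response is located,
 * {@link EventIds#INVALID_PROFILE_CTX} when the presenter entityID, the
 * {@link LibertySSOSContext}, the attested Assertion or the attested SubjectConfirmation method is
 * missing, and {@link EventIds#MESSAGE_PROC_ERROR} when a Condition cannot be built.</p>
 */
public class AddDelegationRestrictionToAssertions extends AbstractProfileAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AddDelegationRestrictionToAssertions.class);

    /** Strategy used to locate the outbound {@link Response}. */
    @Nonnull
    private Function<ProfileRequestContext, Response> responseLookupStrategy =
            Functions.compose(new MessageLookup<>(Response.class), new OutboundMessageContextLookup());

    /** Strategy used to locate the {@link SAMLPresenterEntityContext} of the inbound message. */
    @Nonnull
    private Function<ProfileRequestContext, SAMLPresenterEntityContext> presenterContextLookupStrategy =
            Functions.compose(new ChildContextLookup<>(SAMLPresenterEntityContext.class),
                    new InboundMessageContextLookup());

    /** Strategy used to locate the {@link LibertySSOSContext} holding the attested token. */
    @Nonnull
    private Function<ProfileRequestContext, LibertySSOSContext> libertyContextLookupStrategy =
            new ChildContextLookup<>(LibertySSOSContext.class);

    /** Assertions to modify; populated in {@link #doPreExecute(ProfileRequestContext)}. */
    @Nullable
    private List<Assertion> assertions;

    /** The attested Assertion whose delegation chain (if any) is carried forward. */
    @Nullable
    private Assertion attestedAssertion;

    /** SubjectConfirmation method with which the attested Assertion was presented. */
    @Nullable
    private String attestedSubjectConfirmationMethod;

    /** EntityID of the SAML presenter, recorded as the new Delegate. */
    @Nullable
    private String presenterEntityID;

    /** Timestamp recorded as the new Delegate's DelegationInstant. */
    @Nullable
    private DateTime delegationInstant;

    /**
     * Set the strategy used to locate the {@link LibertySSOSContext}.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if the
     *     component has already been initialized
     */
    public void setLibertyContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, LibertySSOSContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        // Message names the strategy actually being set (the original was copied from another setter).
        libertyContextLookupStrategy =
                Constraint.isNotNull(function, "LibertySSOSContext lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to locate the outbound {@link Response}.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if the
     *     component has already been initialized
     */
    public void setResponseLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, Response> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        responseLookupStrategy = Constraint.isNotNull(function, "Response lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to locate the {@link SAMLPresenterEntityContext}.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if the
     *     component has already been initialized
     */
    public void setPresenterLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, SAMLPresenterEntityContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        // Message names the strategy actually being set (the original was copied from another setter).
        presenterContextLookupStrategy =
                Constraint.isNotNull(function, "Presenter context lookup strategy cannot be null");
    }

    /**
     * {@inheritDoc}
     *
     * <p>Resolves and validates every input the action needs: the outbound Response and its
     * Assertions, the presenter entityID, and the attested Assertion plus SubjectConfirmation
     * method from the {@link LibertySSOSContext}. Any missing input signals an event and aborts
     * execution.</p>
     */
    @Override // org.opensaml.profile.action.AbstractConditionalProfileAction, org.opensaml.profile.action.AbstractProfileAction
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }

        final Response response = responseLookupStrategy.apply(profileRequestContext);
        if (response == null) {
            log.debug("{} No SAML Response located in current profile request context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
            return false;
        }

        assertions = response.getAssertions();
        if (assertions.isEmpty()) {
            // Nothing to do: no event, the action simply does not run.
            log.debug("{} No assertions to modify", getLogPrefix());
            return false;
        }
        log.debug("{} Attempting to add a DelegationRestrictionType Condition to {} Assertion(s) in Response",
                getLogPrefix(), assertions.size());

        final SAMLPresenterEntityContext presenterContext =
                presenterContextLookupStrategy.apply(profileRequestContext);
        if (presenterContext == null || presenterContext.getEntityId() == null) {
            log.debug("{} No SAML presenter entityID", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }
        presenterEntityID = presenterContext.getEntityId();

        final LibertySSOSContext libertyContext = libertyContextLookupStrategy.apply(profileRequestContext);
        if (libertyContext == null) {
            log.debug("{} No LibertySSOSContext", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }

        attestedAssertion = libertyContext.getAttestedToken();
        if (attestedAssertion == null) {
            log.debug("{} No attested SAML 2 Assertion", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }

        attestedSubjectConfirmationMethod = libertyContext.getAttestedSubjectConfirmationMethod();
        if (attestedSubjectConfirmationMethod == null) {
            log.debug("{} No attested SAML 2 SubjectConfirmation method", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }

        // One instant shared by every Delegate added in this execution.
        delegationInstant = new DateTime();

        // Retained from the original: the superclass check is evaluated a second time here and its
        // result returned, rather than a plain true.
        return super.doPreExecute(profileRequestContext);
    }

    /** {@inheritDoc} */
    @Override // org.opensaml.profile.action.AbstractProfileAction
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        for (final Assertion assertion : assertions) {
            addDelegationRestriction(profileRequestContext,
                    SAML2ActionSupport.addConditionsToAssertion(this, assertion));
            // Logged for every Assertion; a failed build is reported by addDelegationRestriction via
            // the MESSAGE_PROC_ERROR event rather than by skipping this line.
            log.debug("{} Added DelegationRestrictionType Condition to Assertion {}",
                    getLogPrefix(), assertion.getID());
        }
    }

    /**
     * Build a {@code DelegationRestrictionType} Condition and add it to the supplied Conditions.
     *
     * <p>On failure the {@link EventIds#MESSAGE_PROC_ERROR} event is signalled and the Conditions
     * are left unchanged.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param conditions the Conditions element to which the new Condition is added
     */
    protected void addDelegationRestriction(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final Conditions conditions) {
        final DelegationRestrictionType restriction = buildDelegationRestriction(profileRequestContext);
        if (restriction == null) {
            log.error("{} Unable to build DelegationRestriction Condition", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.MESSAGE_PROC_ERROR);
            return;
        }
        conditions.getConditions().add(restriction);
    }

    /**
     * Build the {@code DelegationRestrictionType} Condition to add.
     *
     * <p>If the attested Assertion already has such a Condition it is cloned and the new Delegate
     * appended to the clone, preserving the existing chain in order; the attested Assertion is not
     * modified. Otherwise a new Condition is built containing only the new Delegate.</p>
     *
     * @param profileRequestContext the current profile request context
     * @return the Condition, or null if an existing Condition could not be cloned
     */
    @Nullable
    protected DelegationRestrictionType buildDelegationRestriction(
            @Nonnull final ProfileRequestContext profileRequestContext) {
        final Delegate newDelegate = buildDelegate(profileRequestContext);

        final DelegationRestrictionType existing =
                getDelegationRestrictionCondition(attestedAssertion.getConditions());

        final DelegationRestrictionType restriction;
        if (existing == null) {
            restriction = (DelegationRestrictionType) XMLObjectSupport
                    .getBuilder(DelegationRestrictionType.TYPE_NAME)
                    .buildObject(Condition.DEFAULT_ELEMENT_NAME, DelegationRestrictionType.TYPE_NAME);
        } else {
            try {
                // Clone so the attested token's own Condition is never mutated.
                restriction = (DelegationRestrictionType) XMLObjectSupport.cloneXMLObject(existing);
            } catch (final MarshallingException | UnmarshallingException e) {
                log.error("{} Error cloning DelegationRestriction Condition", getLogPrefix(), e);
                return null;
            }
        }

        restriction.getDelegates().add(newDelegate);
        return restriction;
    }

    /**
     * Locate an existing {@code DelegationRestrictionType} Condition in the supplied Conditions.
     *
     * <p>A Condition whose xsi:type is {@code DelegationRestrictionType} but whose Java class is not
     * {@link DelegationRestrictionType} is logged and skipped.</p>
     *
     * @param conditions the Conditions to search, may be null
     * @return the first matching Condition, or null if none is found
     */
    @Nullable
    protected DelegationRestrictionType getDelegationRestrictionCondition(@Nullable final Conditions conditions) {
        if (conditions == null) {
            return null;
        }
        for (final Condition candidate : conditions.getConditions()) {
            if (!DelegationRestrictionType.TYPE_NAME.equals(candidate.getSchemaType())) {
                continue;
            }
            if (candidate instanceof DelegationRestrictionType) {
                return (DelegationRestrictionType) candidate;
            }
            log.warn("Saw Condition of xsi:type DelegationRestrictionType, but incorrect class instance: {}",
                    candidate.getClass().getName());
        }
        return null;
    }

    /**
     * Build the {@link Delegate} representing the current presenter.
     *
     * <p>The Delegate's NameID is the presenter entityID in entity format, its ConfirmationMethod is
     * the attested SubjectConfirmation method, and its DelegationInstant is the instant captured in
     * {@link #doPreExecute(ProfileRequestContext)}.</p>
     *
     * @param profileRequestContext the current profile request context
     * @return the new Delegate
     */
    @Nonnull
    protected Delegate buildDelegate(@Nonnull final ProfileRequestContext profileRequestContext) {
        final NameID presenterNameID = (NameID) XMLObjectSupport.buildXMLObject(NameID.DEFAULT_ELEMENT_NAME);
        presenterNameID.setValue(presenterEntityID);
        presenterNameID.setFormat(NameID.ENTITY);

        final Delegate delegate = (Delegate) XMLObjectSupport.buildXMLObject(Delegate.DEFAULT_ELEMENT_NAME);
        delegate.setNameID(presenterNameID);
        delegate.setConfirmationMethod(attestedSubjectConfirmationMethod);
        delegate.setDelegationInstant(delegationInstant);
        return delegate;
    }
}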
