package net.shibboleth.idp.authn;

import com.google.common.base.Function;
import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.base.Strings;
import com.google.common.collect.Collections2;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Iterables;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.AuthenticationErrorContext;
import net.shibboleth.idp.authn.context.AuthenticationWarningContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicate;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactory;
import net.shibboleth.idp.authn.principal.PrincipalSupportingComponent;
import net.shibboleth.idp.profile.context.navigate.RelyingPartyIdLookupFunction;
import net.shibboleth.idp.profile.context.navigate.ResponderIdLookupFunction;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.annotation.constraint.NotLive;
import net.shibboleth.utilities.java.support.annotation.constraint.Unmodifiable;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/AbstractValidationAction.class */
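/**
 * Base class for authentication actions that validate a credential and, on success, publish an
 * {@link AuthenticationResult} into the {@link AuthenticationContext}.
 *
 * <p>The class holds three pieces of state that matter when reviewing a concrete validator:</p>
 * <ul>
 *   <li>a per-instance {@link Subject} that accumulates the principals of the result;</li>
 *   <li>a map of "classified messages" (event ID to message fragments) used to turn free-text
 *       error/warning messages into events;</li>
 *   <li>an optional predicate that can veto session caching of the result.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code authenticatedSubject} is mutable instance state that
 * {@link #buildAuthenticationResult} adds principals to and hands to {@link #populateSubject}.
 * This presumably relies on a fresh action instance per request; if an instance were shared,
 * principals from one authentication would carry over into the next. Confirm the bean scope.</p>
 *
 * @param <InboundMessageType> type of in-bound message
 * @param <OutboundMessageType> type of out-bound message
 */
public abstract class AbstractValidationAction<InboundMessageType, OutboundMessageType> extends AbstractAuthenticationAction<InboundMessageType, OutboundMessageType> implements PrincipalSupportingComponent {

    /** Optional predicate consulted before a result is left cacheable; {@code null} means "no opinion". */
    @Nullable
    private Predicate<ProfileRequestContext> resultCachingPredicate;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AbstractValidationAction.class);

    /** Whether principals from the attempted flow descriptor are added to the result's Subject. */
    private boolean addDefaultPrincipals = true;

    /** Subject holding the principals this action supports and, later, the authenticated identity. */
    @Nonnull
    private final Subject authenticatedSubject = new Subject();

    /**
     * Whether {@link #doPreExecute} removes an existing {@link AuthenticationErrorContext}.
     * No setter is visible in this class, so as shown it is always {@code true}.
     */
    private boolean clearErrorContext = true;

    /**
     * Event ID mapped to the message fragments that select it. Iteration order is significant:
     * the first matching entry decides which event is signalled by the error/warning handlers.
     */
    @NonnullElements
    @Nonnull
    private Map<String, Collection<String>> classifiedMessages = Collections.emptyMap();

    /** Strategy supplying the requester ID for subject canonicalization; may be {@code null}. */
    @Nullable
    private Function<ProfileRequestContext, String> requesterLookupStrategy = new RelyingPartyIdLookupFunction();

    /** Strategy supplying the responder ID for subject canonicalization; may be {@code null}. */
    @Nullable
    private Function<ProfileRequestContext, String> responderLookupStrategy = new ResponderIdLookupFunction();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/shibboleth/idp/authn/AbstractValidationAction$MessageChecker.class */
    /**
     * Predicate that tests whether a configured fragment occurs anywhere inside a fixed message.
     *
     * <p>The comparison is a plain, case-sensitive substring test. Two consequences for
     * deployers: an empty fragment matches every message (every string contains {@code ""}),
     * and {@link AbstractValidationAction#setClassifiedMessages} filters {@code null} fragments
     * but not empty ones.</p>
     *
     * <p>NOTE(review): the message usually comes from an exception or an underlying library. If
     * that text can echo user-supplied input, the input can influence which event is signalled;
     * confirm per validator.</p>
     */
    public class MessageChecker implements Predicate<String> {

        /** The message being classified. */
        @NotEmpty
        @Nonnull
        private final String s;

        /**
         * Constructor.
         *
         * @param str the message to search within; must not be null or empty
         */
        public MessageChecker(@NotEmpty @Nonnull String str) {
            Constraint.isFalse(Strings.isNullOrEmpty(str), "Message cannot be null or empty");
            this.s = str;
        }

        /**
         * Tests one configured fragment against the message.
         *
         * @param str candidate fragment; a {@code null} value makes {@link String#contains} throw
         * @return {@code true} if the message contains the fragment
         */
        @Override
        public boolean apply(String str) {
            return this.s.contains(str);
        }
    }

    /**
     * Gets whether principals defined on the attempted flow are added to the result.
     *
     * @return the current flag value
     */
    public boolean addDefaultPrincipals() {
        return this.addDefaultPrincipals;
    }

    /**
     * Sets whether principals defined on the attempted flow are added to the result.
     *
     * <p>Unlike the other setters, this one does not check the component's initialization
     * state.</p>
     *
     * @param z the new flag value
     */
    public void setAddDefaultPrincipals(boolean z) {
        this.addDefaultPrincipals = z;
    }

    /**
     * Gets a snapshot of the classified message map. Despite the name, the same map is used for
     * both errors and warnings.
     *
     * @return immutable copy of the configured map, in its iteration order
     */
    @NonnullElements
    @Nonnull
    @NotLive
    @Unmodifiable
    public Map<String, Collection<String>> getClassifiedErrors() {
        return ImmutableMap.copyOf(this.classifiedMessages);
    }

    /**
     * Sets the map of event IDs to message fragments used to classify errors and warnings.
     *
     * <p>Entries with a null/empty key or a null/empty collection are dropped, and {@code null}
     * fragments are removed from each collection. The supplied iteration order is kept, because
     * the first matching entry decides the signalled event; copying into a hash-ordered map would
     * make that choice depend on key hashing instead of on the configuration.</p>
     *
     * @param map the classification map; must not be null
     */
    public void setClassifiedMessages(@NonnullElements @Nonnull Map<String, Collection<String>> map) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        Constraint.isNotNull(map, "Map of classified messages cannot be null");

        // Build the copy first and publish it once, so the field never holds a half-filled map.
        final Map<String, Collection<String>> copy = new LinkedHashMap<>();
        for (Map.Entry<String, Collection<String>> entry : map.entrySet()) {
            final String eventId = entry.getKey();
            final Collection<String> fragments = entry.getValue();
            if (Strings.isNullOrEmpty(eventId) || fragments == null || fragments.isEmpty()) {
                continue;
            }
            copy.put(eventId, ImmutableList.copyOf(Collections2.filter(fragments, Predicates.notNull())));
        }
        this.classifiedMessages = copy;
    }

    /**
     * Gets the predicate that decides whether a result may stay cacheable.
     *
     * @return the predicate, or {@code null} if none is set
     */
    @Nullable
    public Predicate<ProfileRequestContext> getResultCachingPredicate() {
        return this.resultCachingPredicate;
    }

    /**
     * Sets the predicate that decides whether a result may stay cacheable.
     *
     * @param predicate the predicate, or {@code null} to leave the context's setting untouched
     */
    public void setResultCachingPredicate(@Nullable Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.resultCachingPredicate = predicate;
    }

    /**
     * Sets the strategy used to obtain the requester ID for canonicalization.
     *
     * @param function the strategy, or {@code null} to leave the requester ID unset
     */
    public void setRequesterLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.requesterLookupStrategy = function;
    }

    /**
     * Sets the strategy used to obtain the responder ID for canonicalization.
     *
     * @param function the strategy, or {@code null} to leave the responder ID unset
     */
    public void setResponderLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.responderLookupStrategy = function;
    }

    /**
     * Gets the principals of the given type held by this action's Subject.
     *
     * <p>{@link Subject#getPrincipals(Class)} returns a new set on each call that is not backed
     * by the Subject, so changes to it do not reach this action's state.</p>
     *
     * @param cls the principal type to select
     * @param <T> the principal type
     * @return the matching principals
     */
    @Override // net.shibboleth.idp.authn.principal.PrincipalSupportingComponent
    @NonnullElements
    @Nonnull
    @NotLive
    @Unmodifiable
    public <T extends Principal> Set<T> getSupportedPrincipals(@Nonnull Class<T> cls) {
        return this.authenticatedSubject.getPrincipals(cls);
    }

    /**
     * Replaces the principals this action supports.
     *
     * <p>A null or empty collection clears the set and re-enables the flow descriptor's default
     * principals; a non-empty one disables those defaults and stores the non-null elements.</p>
     *
     * @param collection the supported principals, or {@code null}
     * @param <T> the principal type
     */
    public <T extends Principal> void setSupportedPrincipals(@NonnullElements @Nullable Collection<T> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.authenticatedSubject.getPrincipals().clear();

        final boolean nothingSupplied = collection == null || collection.isEmpty();
        this.addDefaultPrincipals = nothingSupplied;
        if (!nothingSupplied) {
            this.authenticatedSubject.getPrincipals().addAll(Collections2.filter(collection, Predicates.notNull()));
        }
    }

    /**
     * Gets the Subject being built by this action.
     *
     * @return the live, mutable Subject instance
     */
    @Nonnull
    protected Subject getSubject() {
        return this.authenticatedSubject;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks that a flow was attempted and that this validator is compatible with any principal
     * requirements carried by the request.
     *
     * <p>The compatibility check is skipped, and the action proceeds, when there is no
     * {@link RequestedPrincipalContext}, when it has no operator, or when this action holds no
     * principals of its own. A validator configured without principals is therefore never
     * filtered out here.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @return {@code true} if execution should continue
     */
    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext<InboundMessageType, OutboundMessageType> profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        if (authenticationContext.getAttemptedFlow() == null) {
            this.log.info("{} No attempted flow within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        if (this.clearErrorContext) {
            // Drop errors left by an earlier attempt so they are not attributed to this one.
            authenticationContext.removeSubcontext(AuthenticationErrorContext.class);
        }

        final RequestedPrincipalContext requested = (RequestedPrincipalContext) authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        final boolean nothingToEvaluate = requested == null || requested.getOperator() == null || this.authenticatedSubject.getPrincipals().isEmpty();
        if (nothingToEvaluate) {
            return true;
        }

        this.log.debug("{} Request contains principal requirements, evaluating for compatibility", getLogPrefix());
        for (Principal principal : requested.getRequestedPrincipals()) {
            final PrincipalEvalPredicateFactory factory = authenticationContext.getPrincipalEvalPredicateFactoryRegistry().lookup(principal.getClass(), requested.getOperator());
            if (factory == null) {
                this.log.debug("{} No comparison logic registered for principal type '{}' and operator '{}'", new Object[]{getLogPrefix(), principal.getClass(), requested.getOperator()});
                continue;
            }
            final PrincipalEvalPredicate predicate = factory.getPredicate(principal);
            if (predicate.apply(this)) {
                this.log.debug("{} Compatible with principal type '{}' and operator '{}'", new Object[]{getLogPrefix(), principal.getClass(), requested.getOperator()});
                // The first requested principal that this validator satisfies wins.
                requested.setMatchingPrincipal(predicate.getMatchingPrincipal());
                return true;
            }
            this.log.debug("{} Not compatible with principal type '{}' and operator '{}'", new Object[]{getLogPrefix(), principal.getClass(), requested.getOperator()});
        }

        this.log.info("{} Skipping validator, not compatible with request's principal requirements", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.REQUEST_UNSUPPORTED);
        return false;
    }

    /**
     * Builds the {@link AuthenticationResult}, stores it in the authentication context, and
     * attaches a {@link SubjectCanonicalizationContext} to the profile request context.
     *
     * <p>The caching predicate is consulted only while the context still reports the result as
     * cacheable, so it can veto caching but cannot re-enable it.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @throws NullPointerException if the authentication context has no attempted flow
     */
    protected void buildAuthenticationResult(@Nonnull ProfileRequestContext<InboundMessageType, OutboundMessageType> profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        // The flow ID is dereferenced below regardless of addDefaultPrincipals, so a missing flow
        // is a precondition failure; fail with a message instead of an anonymous NPE.
        Objects.requireNonNull(authenticationContext.getAttemptedFlow(), "Attempted flow cannot be null when building an authentication result");

        if (this.addDefaultPrincipals) {
            this.log.debug("{} Adding custom Principal(s) defined on underlying flow descriptor", getLogPrefix());
            this.authenticatedSubject.getPrincipals().addAll(authenticationContext.getAttemptedFlow().getSupportedPrincipals());
        }

        final AuthenticationResult result = new AuthenticationResult(authenticationContext.getAttemptedFlow().getId(), populateSubject(this.authenticatedSubject));
        authenticationContext.setAuthenticationResult(result);

        if (authenticationContext.isResultCacheable() && this.resultCachingPredicate != null) {
            authenticationContext.setResultCacheable(this.resultCachingPredicate.apply(profileRequestContext));
            this.log.info("{} Predicate indicates authentication result {} be cacheable in a session", getLogPrefix(), authenticationContext.isResultCacheable() ? "will" : "will not");
        }

        final SubjectCanonicalizationContext c14n = new SubjectCanonicalizationContext();
        c14n.setSubject(result.getSubject());
        if (this.requesterLookupStrategy != null) {
            c14n.setRequesterId(this.requesterLookupStrategy.apply(profileRequestContext));
        }
        if (this.responderLookupStrategy != null) {
            c14n.setResponderId(this.responderLookupStrategy.apply(profileRequestContext));
        }
        // 'true' replaces any canonicalization context already attached to the request.
        profileRequestContext.addSubcontext(c14n, true);
    }

    /**
     * Adds the authenticated identity to the Subject that becomes the authentication result.
     *
     * @param subject the Subject to populate
     * @return the Subject to store in the result
     */
    @Nonnull
    protected abstract Subject populateSubject(@Nonnull Subject subject);

    /**
     * Records an exception in the {@link AuthenticationErrorContext} and then classifies its
     * message via {@link #handleError(ProfileRequestContext, AuthenticationContext, String, String)}.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param exc the exception to record; its message may be {@code null}
     * @param str event to signal when no classification matches
     */
    protected void handleError(@Nonnull ProfileRequestContext<InboundMessageType, OutboundMessageType> profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull Exception exc, @NotEmpty @Nonnull String str) {
        ((AuthenticationErrorContext) authenticationContext.getSubcontext(AuthenticationErrorContext.class, true)).addException(exc);
        handleError(profileRequestContext, authenticationContext, exc.getMessage(), str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Classifies an error message and signals the resulting event.
     *
     * <p>Every matching classification is recorded in the {@link AuthenticationErrorContext};
     * the first one, in map order, becomes the event. With no match the fallback event is
     * signalled and no error context is created by this method.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param str the error message to classify; null or empty skips classification
     * @param str2 event to signal when no classification matches
     */
    public void handleError(@Nonnull ProfileRequestContext<InboundMessageType, OutboundMessageType> profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable String str, @NotEmpty @Nonnull String str2) {
        final Collection<String> matches = findClassifications(str);
        if (matches.isEmpty()) {
            ActionSupport.buildEvent(profileRequestContext, str2);
            return;
        }
        final AuthenticationErrorContext errorCtx = (AuthenticationErrorContext) authenticationContext.getSubcontext(AuthenticationErrorContext.class, true);
        for (String eventId : matches) {
            errorCtx.getClassifiedErrors().add(eventId);
        }
        ActionSupport.buildEvent(profileRequestContext, matches.iterator().next());
    }

    /**
     * Classifies a warning message and signals the resulting event.
     *
     * <p>Same rules as the error variant, except matches are recorded in the
     * {@link AuthenticationWarningContext}.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param str the warning message to classify; null or empty skips classification
     * @param str2 event to signal when no classification matches
     */
    protected void handleWarning(@Nonnull ProfileRequestContext<InboundMessageType, OutboundMessageType> profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nullable String str, @NotEmpty @Nonnull String str2) {
        final Collection<String> matches = findClassifications(str);
        if (matches.isEmpty()) {
            ActionSupport.buildEvent(profileRequestContext, str2);
            return;
        }
        final AuthenticationWarningContext warningCtx = (AuthenticationWarningContext) authenticationContext.getSubcontext(AuthenticationWarningContext.class, true);
        for (String eventId : matches) {
            warningCtx.getClassifiedWarnings().add(eventId);
        }
        ActionSupport.buildEvent(profileRequestContext, matches.iterator().next());
    }

    /** Returns, in map order, the event IDs whose fragments occur in the message; empty if none. */
    @Nonnull
    private Collection<String> findClassifications(@Nullable String message) {
        if (Strings.isNullOrEmpty(message)) {
            return ImmutableList.of();
        }
        final MessageChecker checker = new MessageChecker(message);
        final ImmutableList.Builder<String> matches = ImmutableList.builder();
        for (Map.Entry<String, Collection<String>> entry : this.classifiedMessages.entrySet()) {
            if (Iterables.any(entry.getValue(), checker)) {
                matches.add(entry.getKey());
            }
        }
        return matches.build();
    }
}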
