package net.shibboleth.idp.authn.impl;

import java.security.Principal;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.AuthenticationFlowDescriptor;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicate;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactory;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/impl/SelectAuthenticationFlow.class */
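/**
 * Authentication action that picks the flow to run (or the active result to reuse) for the
 * current request and reports the choice as the action's event.
 *
 * <p>Selection order, as implemented below: a flow id signaled on the
 * {@link AuthenticationContext} is honored if it is one of the potential flows; otherwise, when
 * no {@link RequestedPrincipalContext} carrying an operator and at least one principal is
 * present, the first usable active result is reused (unless forced authentication is set) or
 * the first potential flow not yet attempted is chosen; otherwise the requested principals are
 * matched against active results and potential flows through the context's
 * {@code PrincipalEvalPredicateFactory} registry.</p>
 *
 * <p>Outcomes: an inactive flow is recorded as the attempted flow and its id is emitted as the
 * event; an active result is stored on the context and the proceed event is emitted; failure
 * emits "NoPassive" (passive requests), "NoPotentialFlow" or "RequestUnsupported".</p>
 *
 * <p>NOTE(review): {@link #requestedPrincipalCtx} is per-request state held in an instance
 * field and populated in {@link #doPreExecute}; this presumes one action instance per request
 * (or no concurrent use of an instance) — confirm against the bean scope used for actions.</p>
 */
public class SelectAuthenticationFlow extends AbstractAuthenticationAction {

    /** Event emitted when a passive request cannot be satisfied by any flow. */
    private static final String EVENT_NO_PASSIVE = "NoPassive";

    /** Event emitted when no usable flow is left for a non-passive request. */
    private static final String EVENT_NO_POTENTIAL_FLOW = "NoPotentialFlow";

    /** Event emitted when no flow or result can satisfy the requested principals. */
    private static final String EVENT_REQUEST_UNSUPPORTED = "RequestUnsupported";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(SelectAuthenticationFlow.class);

    /**
     * When true and specific principals are requested, active results satisfying the request
     * are tried before any inactive flow; when false, potential flows are walked in order and an
     * active result is reused only if it belongs to the matched flow and itself satisfies the
     * request.
     */
    private boolean favorSSO;

    /**
     * Requested-principal context for the current request, or null when none is present or the
     * one present carries no operator or no principals (see {@link #doPreExecute}).
     */
    @Nullable
    private RequestedPrincipalContext requestedPrincipalCtx;

    /**
     * Gets whether active results are favored over inactive flows when principals are requested.
     *
     * @return whether SSO is favored
     */
    public boolean getFavorSSO() {
        return favorSSO;
    }

    /**
     * Sets whether active results are favored over inactive flows when principals are requested.
     *
     * @param flag whether SSO is favored
     */
    public void setFavorSSO(final boolean flag) {
        favorSSO = flag;
    }

    /**
     * Captures the requested-principal context and moves a still-attempted (incomplete) flow
     * into the intermediate set so it is not selected again.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @return whatever the superclass returns
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        requestedPrincipalCtx = authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        // A context with no operator or no principals expresses no requirement; treat it as
        // absent so the "no requested principals" path is taken.
        if (requestedPrincipalCtx != null && (requestedPrincipalCtx.getOperator() == null
                || requestedPrincipalCtx.getRequestedPrincipals().isEmpty())) {
            requestedPrincipalCtx = null;
        }

        // A flow still marked as attempted did not complete; recording it as intermediate keeps
        // the inactive-flow search from choosing it a second time.
        final AuthenticationFlowDescriptor attempted = authenticationContext.getAttemptedFlow();
        if (attempted != null) {
            log.info("{} Moving incomplete flow {} to intermediate set", getLogPrefix(), attempted.getId());
            authenticationContext.getIntermediateFlows().put(attempted.getId(), attempted);
        }
        return super.doPreExecute(profileRequestContext, authenticationContext);
    }

    /**
     * Dispatches to the signaled-flow, no-requested-principals or requested-principals strategy.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (authenticationContext.getSignaledFlowId() != null) {
            doSelectSignaledFlow(profileRequestContext, authenticationContext);
        } else if (requestedPrincipalCtx == null) {
            doSelectNoRequestedPrincipals(profileRequestContext, authenticationContext);
        } else {
            doSelectRequestedPrincipals(profileRequestContext, authenticationContext);
        }
    }

    /**
     * Honors a flow id signaled on the context. The signal is consumed (cleared) whether or not
     * it can be honored. An active result for the signaled flow is reused only when forced
     * authentication is not set and, if principals are requested, the result satisfies one of
     * them; otherwise the flow itself is selected, again subject to the requested principals.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    private void doSelectSignaledFlow(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final String signaledFlowId = authenticationContext.getSignaledFlowId();
        final AuthenticationFlowDescriptor flow = authenticationContext.getPotentialFlows().get(signaledFlowId);
        // Clear the signal so it is acted on exactly once, honored or not.
        authenticationContext.setSignaledFlowId((String) null);

        if (flow == null) {
            log.error("{} Signaled flow {} is not available", getLogPrefix(), signaledFlowId);
            buildNoFlowEvent(profileRequestContext, authenticationContext);
            return;
        }
        log.debug("{} Attempting to honor signaled flow {}", getLogPrefix(), flow.getId());

        // Forced authentication disallows reusing any active result.
        if (!authenticationContext.isForceAuthn()) {
            final AuthenticationResult activeResult = authenticationContext.getActiveResults().get(flow.getId());
            if (activeResult != null) {
                if (requestedPrincipalCtx == null) {
                    selectActiveResult(profileRequestContext, authenticationContext, activeResult);
                    return;
                }
                for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
                    final PrincipalEvalPredicate predicate = lookupPredicate(authenticationContext, principal);
                    if (predicate != null && predicate.apply(activeResult)) {
                        requestedPrincipalCtx.setMatchingPrincipal(predicate.getMatchingPrincipal());
                        selectActiveResult(profileRequestContext, authenticationContext, activeResult);
                        return;
                    }
                }
                // No requested principal matched the active result; fall through to the flow.
            }
        }

        if (requestedPrincipalCtx == null) {
            selectInactiveFlow(profileRequestContext, authenticationContext, flow);
            return;
        }
        for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
            final PrincipalEvalPredicate predicate = lookupPredicate(authenticationContext, principal);
            if (predicate != null && predicate.apply(flow)) {
                requestedPrincipalCtx.setMatchingPrincipal(predicate.getMatchingPrincipal());
                selectInactiveFlow(profileRequestContext, authenticationContext, flow);
                return;
            }
        }

        log.error("{} Signaled flow {} was unusable based on requester's requirements", getLogPrefix(), flow.getId());
        buildNoFlowEvent(profileRequestContext, authenticationContext);
    }

    /**
     * Selection when no specific principals are requested: reuse the first active result whose
     * flow is still a potential flow, unless forced authentication is set; otherwise pick the
     * first potential flow not yet attempted.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    private void doSelectNoRequestedPrincipals(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        log.debug("{} No specific Principals requested", getLogPrefix());

        if (authenticationContext.isForceAuthn()) {
            log.debug("{} forced authentication requested, selecting an inactive flow", getLogPrefix());
            selectUnattemptedInactiveFlow(profileRequestContext, authenticationContext);
            return;
        }

        // An active result is only reusable if its flow is still among the potential flows
        // (a flow excluded for this request must not be satisfied by an older result).
        final Map<String, AuthenticationFlowDescriptor> potentialFlows = authenticationContext.getPotentialFlows();
        for (final AuthenticationResult activeResult : authenticationContext.getActiveResults().values()) {
            if (potentialFlows.get(activeResult.getAuthenticationFlowId()) != null) {
                selectActiveResult(profileRequestContext, authenticationContext, activeResult);
                return;
            }
        }

        log.debug("{} No usable active results available, selecting an inactive flow", getLogPrefix());
        selectUnattemptedInactiveFlow(profileRequestContext, authenticationContext);
    }

    /**
     * Selects the first potential flow that has not been attempted, or signals failure with
     * "NoPassive"/"NoPotentialFlow" when none is left.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    private void selectUnattemptedInactiveFlow(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final AuthenticationFlowDescriptor flow = getUnattemptedInactiveFlow(authenticationContext);
        if (flow != null) {
            selectInactiveFlow(profileRequestContext, authenticationContext, flow);
        } else {
            log.error("{} No potential flows left to choose from, authentication will fail", getLogPrefix());
            buildNoFlowEvent(profileRequestContext, authenticationContext);
        }
    }

    /**
     * Returns the first potential flow (in the map's iteration order) whose id is not in the
     * intermediate set, or null when every potential flow has already been attempted.
     *
     * @param authenticationContext the current authentication context
     * @return an unattempted flow, or null
     */
    @Nullable
    private AuthenticationFlowDescriptor getUnattemptedInactiveFlow(
            @Nonnull final AuthenticationContext authenticationContext) {
        final Map<String, AuthenticationFlowDescriptor> intermediateFlows = authenticationContext.getIntermediateFlows();
        for (final AuthenticationFlowDescriptor flow : authenticationContext.getPotentialFlows().values()) {
            if (!intermediateFlows.containsKey(flow.getId())) {
                return flow;
            }
        }
        return null;
    }

    /**
     * Records the flow as the attempted flow and emits its id as the action's event.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param flow the flow to run
     */
    private void selectInactiveFlow(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final AuthenticationFlowDescriptor flow) {
        log.debug("{} Selecting inactive authentication flow {}", getLogPrefix(), flow.getId());
        authenticationContext.setAttemptedFlow(flow);
        ActionSupport.buildEvent(profileRequestContext, flow.getId());
    }

    /**
     * Reuses an active result: refreshes its last-activity instant, stores it on the context
     * and emits the proceed event.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @param activeResult the result to reuse
     */
    private void selectActiveResult(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final AuthenticationResult activeResult) {
        log.debug("{} Reusing active result {}", getLogPrefix(), activeResult.getAuthenticationFlowId());
        activeResult.setLastActivityInstantToNow();
        authenticationContext.setAuthenticationResult(activeResult);
        ActionSupport.buildProceedEvent(profileRequestContext);
    }

    /**
     * Selection when specific principals are requested. Callers guarantee
     * {@link #requestedPrincipalCtx} is non-null here.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    private void doSelectRequestedPrincipals(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        log.debug("{} Specific principals requested with '{}' operator: {}", new Object[] {getLogPrefix(),
                requestedPrincipalCtx.getOperator(), requestedPrincipalCtx.getRequestedPrincipals()});

        if (authenticationContext.isForceAuthn()) {
            log.debug("{} Forced authentication requested, selecting an inactive flow", getLogPrefix());
            selectRequestedInactiveFlow(profileRequestContext, authenticationContext);
        } else if (!authenticationContext.getActiveResults().isEmpty()) {
            selectRequestedFlow(profileRequestContext, authenticationContext);
        } else {
            log.debug("{} No active results available, selecting an inactive flow", getLogPrefix());
            selectRequestedInactiveFlow(profileRequestContext, authenticationContext);
        }
    }

    /**
     * For each requested principal (in request order), selects the first unattempted potential
     * flow satisfying that principal's predicate; emits "RequestUnsupported" when none does.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    private void selectRequestedInactiveFlow(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final Map<String, AuthenticationFlowDescriptor> potentialFlows = authenticationContext.getPotentialFlows();
        final Map<String, AuthenticationFlowDescriptor> intermediateFlows = authenticationContext.getIntermediateFlows();

        for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
            log.debug("{} Checking for an inactive flow compatible with operator '{}' and principal '{}'",
                    new Object[] {getLogPrefix(), requestedPrincipalCtx.getOperator(), principal});
            final PrincipalEvalPredicate predicate = lookupPredicate(authenticationContext, principal);
            if (predicate == null) {
                continue;
            }
            for (final AuthenticationFlowDescriptor flow : potentialFlows.values()) {
                if (!intermediateFlows.containsKey(flow.getId()) && predicate.apply(flow)) {
                    requestedPrincipalCtx.setMatchingPrincipal(predicate.getMatchingPrincipal());
                    selectInactiveFlow(profileRequestContext, authenticationContext, flow);
                    return;
                }
            }
        }

        log.info("{} None of the potential authentication flows can satisfy the request", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EVENT_REQUEST_UNSUPPORTED);
    }

    /**
     * Selection with active results present and forced authentication not set.
     *
     * <p>With {@link #favorSSO} set, any active result satisfying a requested principal is
     * reused before inactive flows are considered. Otherwise potential flows are walked in
     * order; for the first unattempted flow satisfying a principal, its active result (if any)
     * is reused only when the result itself also satisfies the predicate, else the flow is run.
     * Emits "RequestUnsupported" when nothing matches.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    private void selectRequestedFlow(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final Map<String, AuthenticationResult> activeResults = authenticationContext.getActiveResults();

        if (favorSSO) {
            log.debug("{} Giving priority to active results that meet request requirements", getLogPrefix());
            for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
                log.debug("{} Checking for an active result compatible with operator '{}' and principal '{}'",
                        new Object[] {getLogPrefix(), requestedPrincipalCtx.getOperator(), principal});
                final PrincipalEvalPredicate predicate = lookupPredicate(authenticationContext, principal);
                if (predicate == null) {
                    continue;
                }
                for (final AuthenticationResult activeResult : activeResults.values()) {
                    if (predicate.apply(activeResult)) {
                        requestedPrincipalCtx.setMatchingPrincipal(predicate.getMatchingPrincipal());
                        selectActiveResult(profileRequestContext, authenticationContext, activeResult);
                        return;
                    }
                }
            }
            // No active result satisfies the request; fall back to the inactive-flow search.
            selectRequestedInactiveFlow(profileRequestContext, authenticationContext);
            return;
        }

        final Map<String, AuthenticationFlowDescriptor> potentialFlows = authenticationContext.getPotentialFlows();
        final Map<String, AuthenticationFlowDescriptor> intermediateFlows = authenticationContext.getIntermediateFlows();
        for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
            log.debug("{} Checking for an inactive flow or active result compatible with operator '{}' and principal '{}'",
                    new Object[] {getLogPrefix(), requestedPrincipalCtx.getOperator(), principal});
            final PrincipalEvalPredicate predicate = lookupPredicate(authenticationContext, principal);
            if (predicate == null) {
                continue;
            }
            for (final AuthenticationFlowDescriptor flow : potentialFlows.values()) {
                if (!intermediateFlows.containsKey(flow.getId()) && predicate.apply(flow)) {
                    // The flow can satisfy the request, but an existing result for it is only
                    // reused if the result itself satisfies the predicate.
                    final AuthenticationResult activeResult = activeResults.get(flow.getId());
                    if (activeResult == null || !predicate.apply(activeResult)) {
                        selectInactiveFlow(profileRequestContext, authenticationContext, flow);
                    } else {
                        selectActiveResult(profileRequestContext, authenticationContext, activeResult);
                    }
                    requestedPrincipalCtx.setMatchingPrincipal(predicate.getMatchingPrincipal());
                    return;
                }
            }
        }

        log.info("{} None of the potential authentication flows can satisfy the request", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EVENT_REQUEST_UNSUPPORTED);
    }

    /**
     * Looks up the evaluation predicate for a requested principal under the requested
     * operator, logging a warning and returning null when the registry has no factory for that
     * principal type/operator combination. Callers guarantee {@link #requestedPrincipalCtx} is
     * non-null.
     *
     * @param authenticationContext the current authentication context
     * @param principal the requested principal
     * @return the predicate, or null if unsupported by configuration
     */
    @Nullable
    private PrincipalEvalPredicate lookupPredicate(@Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final Principal principal) {
        final PrincipalEvalPredicateFactory factory = authenticationContext.getPrincipalEvalPredicateFactoryRegistry()
                .lookup(principal.getClass(), requestedPrincipalCtx.getOperator());
        if (factory == null) {
            log.warn("{} Configuration does not support requested principal evaluation with operator '{}' and type '{}'",
                    new Object[] {getLogPrefix(), requestedPrincipalCtx.getOperator(), principal.getClass()});
            return null;
        }
        return factory.getPredicate(principal);
    }

    /**
     * Emits the failure event for an unsatisfiable request: "NoPassive" for passive requests,
     * "NoPotentialFlow" otherwise.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    private void buildNoFlowEvent(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        ActionSupport.buildEvent(profileRequestContext,
                authenticationContext.isPassive() ? EVENT_NO_PASSIVE : EVENT_NO_POTENTIAL_FLOW);
    }
}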
