package net.shibboleth.idp.plugin.authn.duo.impl;

import java.util.function.BiFunction;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.plugin.authn.duo.DuoException;
import net.shibboleth.idp.plugin.authn.duo.DuoOIDCClientRegistry;
import net.shibboleth.idp.plugin.authn.duo.DuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.DynamicDuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext;
import net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/PopulateDuoAuthenticationContext.class */
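/**
 * Authentication action that prepares a {@link DuoOIDCAuthenticationContext} for a Duo 2FA request.
 *
 * <p>On execution it resolves the Duo integration, the username to challenge, a fresh request state
 * value, an optional per-request redirect URI (dynamic integrations only) and the Duo client taken
 * from the configured {@link DuoOIDCClientRegistry}. Any missing input ends the action with an
 * error event instead of a partially usable context.</p>
 *
 * <p>The setters reject changes once the component is initialized or destroyed, so the strategies
 * cannot be swapped while requests are in flight.</p>
 */
public class PopulateDuoAuthenticationContext extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(PopulateDuoAuthenticationContext.class);

    /**
     * Creates or locates the Duo context. The default looks under the {@link AuthenticationContext}
     * child of the profile request context and passes {@code true} to the inner lookup.
     * NOTE(review): {@code true} is presumably the auto-create flag - confirm against ChildContextLookup.
     */
    @Nonnull
    private Function<ProfileRequestContext, DuoOIDCAuthenticationContext> duoAuthContextCreationStrategy =
            new ChildContextLookup<>(DuoOIDCAuthenticationContext.class, true)
                    .compose(new ChildContextLookup<>(AuthenticationContext.class));

    /** Supplies the username sent to Duo; defaults to the canonical username lookup. */
    @Nonnull
    private Function<ProfileRequestContext, String> usernameLookupStrategy = new CanonicalUsernameLookupStrategy();

    /**
     * Supplies the Duo integration for the request. The default always yields {@code null}, so
     * {@link #doExecute} fails with {@code InvalidProfileContext} until a real strategy is set.
     */
    @Nonnull
    private Function<ProfileRequestContext, DuoOIDCIntegration> duoIntegrationLookupStrategy =
            FunctionSupport.constant(null);

    /** Computes the redirect URI for dynamic integrations; may stay unset when none are used. */
    @Nullable
    private BiFunction<HttpServletRequest, DynamicDuoOIDCIntegration, String> redirectURICreationStrategy;

    /** Registry the Duo client is obtained from; checked for presence in {@link #doInitialize()}. */
    @NonnullAfterInit
    private DuoOIDCClientRegistry clientRegistry;

    /**
     * Sets the registry used to obtain the Duo client for an integration.
     *
     * @param duoOIDCClientRegistry the registry, never {@code null}
     */
    public void setClientRegistry(@Nonnull DuoOIDCClientRegistry duoOIDCClientRegistry) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.clientRegistry = Constraint.isNotNull(duoOIDCClientRegistry, "DuoClient registry can not be null");
    }

    /**
     * Sets the strategy that yields the username to authenticate with Duo.
     *
     * @param function the lookup strategy, never {@code null}
     */
    public void setUsernameLookupStrategy(@Nonnull Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.usernameLookupStrategy = Constraint.isNotNull(function, "Username lookup strategy cannot be null");
    }

    /**
     * Sets the strategy that computes the redirect URI for a dynamic integration.
     *
     * <p>The strategy is handed the live {@link HttpServletRequest}. NOTE(review): if an
     * implementation builds the URI from request-supplied values (scheme, host, headers), those are
     * client-influenced; confirm that the strategy or the Duo-side configuration restricts the
     * result to the expected origins. Neither is visible in this class.</p>
     *
     * @param biFunction the creation strategy, never {@code null}
     */
    public void setRedirectURICreationStrategy(
            @Nonnull BiFunction<HttpServletRequest, DynamicDuoOIDCIntegration, String> biFunction) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.redirectURICreationStrategy =
                Constraint.isNotNull(biFunction, "RedirectURI creation strategy cannot be null");
    }

    /**
     * Sets the strategy that creates or locates the Duo authentication context.
     *
     * @param function the creation strategy, never {@code null}
     */
    public void setDuoContextCreationStrategy(
            @Nonnull Function<ProfileRequestContext, DuoOIDCAuthenticationContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.duoAuthContextCreationStrategy =
                Constraint.isNotNull(function, "DuoAuthenticationContext creation strategy cannot be null");
    }

    /**
     * Sets the strategy that yields the Duo integration to use for the request.
     *
     * @param function the lookup strategy, never {@code null}
     */
    public void setDuoIntegrationLookupStrategy(
            @Nonnull Function<ProfileRequestContext, DuoOIDCIntegration> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.duoIntegrationLookupStrategy =
                Constraint.isNotNull(function, "DuoIntegration lookup strategy cannot be null");
    }

    /**
     * Runs the superclass initialization, then refuses to start without a client registry.
     *
     * @throws ComponentInitializationException if no client registry has been set
     */
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.clientRegistry == null) {
            throw new ComponentInitializationException("Duo Client Registry cannot be null");
        }
    }

    /**
     * Populates the Duo authentication context, or builds an error event when an input is missing.
     *
     * <p>Events built on failure: {@code InvalidProfileContext} (no Duo context, no integration or
     * no servlet request), {@code NoCredentials} (no username) and {@code AuthenticationException}
     * (redirect URI or client could not be established).</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context (not read directly here)
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext,
            @Nonnull AuthenticationContext authenticationContext) {
        final DuoOIDCAuthenticationContext duoContext =
                this.duoAuthContextCreationStrategy.apply(profileRequestContext);
        if (duoContext == null) {
            this.log.error("{} Error creating DuoAuthenticationContext", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return;
        }

        final DuoOIDCIntegration integration = this.duoIntegrationLookupStrategy.apply(profileRequestContext);
        if (integration == null) {
            this.log.warn("{} No DuoIntegration returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return;
        }
        duoContext.setIntegration(integration);

        final HttpServletRequest request = getHttpServletRequest();
        if (request == null) {
            this.log.warn("{} Profile action does not contain an HttpServletRequest", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return;
        }

        final String username = this.usernameLookupStrategy.apply(profileRequestContext);
        if (username == null) {
            this.log.warn("{} No principal name available to initiate a Duo 2FA request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "NoCredentials");
            return;
        }
        duoContext.setUsername(username);

        // A new request state value is generated on every execution and is never logged here.
        // NOTE(review): presumably this is the value compared against the state returned with the
        // Duo response; DuoSupport.generateNonce is not visible in this file - confirm it draws from
        // SecureRandom and what unit the argument 32 is in.
        duoContext.setRequestState(DuoSupport.generateNonce(32));

        try {
            computeAndStoreRedirectURIIfSupported(integration, request, duoContext);
            duoContext.setClient(this.clientRegistry.getClientOrCreate(integration));
            this.log.debug("Created Duo authentication context for '{}'", username);
        } catch (DuoException e) {
            // The context keeps the integration, username and state set above; only the client
            // (and possibly the redirect URI) is missing when this event is raised.
            this.log.warn("{} Unable to establish a Duo Client for the given integration", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "AuthenticationException");
        }
    }

    /**
     * For a {@link DynamicDuoOIDCIntegration}, computes the redirect URI from the request and
     * records it on both the integration and the Duo context; other integrations are left as is.
     *
     * @param duoOIDCIntegration the integration resolved for this request
     * @param httpServletRequest the request handed to the redirect URI strategy
     * @param duoOIDCAuthenticationContext the context that receives the redirect URI override
     * @throws DuoException if the integration is dynamic and no strategy is set, or the strategy
     *         returns {@code null}
     */
    private void computeAndStoreRedirectURIIfSupported(@Nonnull DuoOIDCIntegration duoOIDCIntegration,
            @Nonnull HttpServletRequest httpServletRequest,
            @Nonnull DuoOIDCAuthenticationContext duoOIDCAuthenticationContext) throws DuoException {
        if (!(duoOIDCIntegration instanceof DynamicDuoOIDCIntegration)) {
            return;
        }
        final DynamicDuoOIDCIntegration dynamicIntegration = (DynamicDuoOIDCIntegration) duoOIDCIntegration;

        if (this.redirectURICreationStrategy == null) {
            throw new DuoException("A dynamic DuoOIDC integration was supplied, but the redirect URI creation strategy was null. Please set a redirect URI creation strategy.");
        }
        final String redirectUri = this.redirectURICreationStrategy.apply(httpServletRequest, dynamicIntegration);
        if (redirectUri == null) {
            throw new DuoException("A redirect_uri was not registered or could not be computed");
        }

        // NOTE(review): by its name this keeps only the first value seen on the integration object,
        // while the context below always receives this request's value. If the integration is
        // shared between requests the two can differ - confirm which one the client actually uses.
        dynamicIntegration.setRedirectURIIfAbsent(redirectUri);
        this.log.trace("{} Adding a dynamic redirect_uri '{}' to the context for the DuoClient to use if supported", getLogPrefix(), redirectUri);
        duoOIDCAuthenticationContext.setRedirectURIOverride(redirectUri);
    }
}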
