package net.shibboleth.idp.plugin.authn.duo.impl;

import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import java.security.Principal;
import java.text.ParseException;
import java.util.Collection;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.duo.DuoPrincipal;
import net.shibboleth.idp.authn.impl.AbstractAuditingValidationAction;
import net.shibboleth.idp.plugin.authn.duo.DuoException;
import net.shibboleth.idp.plugin.authn.duo.DuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/ValidateDuoTokenAuthenticationResult.class */
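/**
 * Validation action that inspects the Duo OIDC token stored in the
 * {@link DuoOIDCAuthenticationContext} and builds an authentication result when the
 * token's {@code auth_result.status} claim is {@code allow}.
 *
 * <p>The action reads the username and the token from the Duo context during
 * {@link #doPreExecute}, parses the token's claims set, and then in
 * {@link #doExecute} maps the {@code auth_result} object onto a success or failure
 * event. On success the Duo username is recorded as the canonical principal name and a
 * {@link DuoPrincipal} plus any integration-supported and strategy-mapped principals
 * are added to the {@link Subject}.</p>
 *
 * <p>NOTE(review): this action only reads claims from the token already present in the
 * context. It does not itself verify the token's signature, expiry or audience, nor
 * that the token was issued for {@code username}; presumably the action that populates
 * {@link DuoOIDCAuthenticationContext} performs those checks — confirm before relying
 * on this action as the sole gate.</p>
 */
public class ValidateDuoTokenAuthenticationResult extends AbstractAuditingValidationAction {

    /** Default metric name, applied in the constructor via {@code setMetricName}. */
    @Nonnull
    @NotEmpty
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.plugin.authn.duo";

    /** JWT claim holding the Duo authentication result object. */
    @Nonnull @NotEmpty private static final String CLAIM_AUTH_RESULT = "auth_result";

    /** JWT claim holding the Duo authentication context object. */
    @Nonnull @NotEmpty private static final String CLAIM_AUTH_CONTEXT = "auth_context";

    /** Key of the status string inside {@code auth_result}. */
    @Nonnull @NotEmpty private static final String KEY_STATUS = "status";

    /** Key of the status message string inside {@code auth_result}. */
    @Nonnull @NotEmpty private static final String KEY_STATUS_MSG = "status_msg";

    /** Key of the second-factor name inside {@code auth_context}. */
    @Nonnull @NotEmpty private static final String KEY_FACTOR = "factor";

    /** Status value signalling a successful Duo authentication. */
    @Nonnull @NotEmpty private static final String STATUS_ALLOW = "allow";

    /** Status value signalling a denied Duo authentication. */
    @Nonnull @NotEmpty private static final String STATUS_DENY = "deny";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateDuoTokenAuthenticationResult.class);

    /** Duo context looked up from the authentication context during pre-execute. */
    @NonnullBeforeExec
    private DuoOIDCAuthenticationContext duoContext;

    /** Duo integration taken from {@link #duoContext}. */
    @NonnullBeforeExec
    private DuoOIDCIntegration duoIntegration;

    /** Request context, retained so {@link #populateSubject} can hand it to the mapping strategy. */
    @Nullable
    private ProfileRequestContext prc;

    /** Claims set parsed from the Duo token during pre-execute. */
    @NonnullBeforeExec
    private JWTClaimsSet claimsSet;

    /** Duo username taken from {@link #duoContext}. */
    @NonnullBeforeExec
    @NotEmpty
    private String username;

    /** Optional strategy producing additional principals from the request context. */
    @Nullable
    private Function<ProfileRequestContext, Collection<Principal>> contextToPrincipalMappingStrategy;

    /**
     * Cleanup hook that removes the {@link DuoOIDCAuthenticationContext} from the request's
     * {@link AuthenticationContext}, if both are present.
     */
    /* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/ValidateDuoTokenAuthenticationResult$DuoOIDCCleanupHook.class */
    public static class DuoOIDCCleanupHook implements Consumer<ProfileRequestContext> {

        /** {@inheritDoc} */
        @Override
        public void accept(@Nullable final ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return;
            }
            final AuthenticationContext authnContext =
                    profileRequestContext.getSubcontext(AuthenticationContext.class);
            if (authnContext == null) {
                return;
            }
            final DuoOIDCAuthenticationContext duoCtx =
                    authnContext.getSubcontext(DuoOIDCAuthenticationContext.class);
            if (duoCtx != null) {
                authnContext.removeSubcontext(duoCtx);
            }
        }
    }

    /** Constructor; sets the default metric name. */
    public ValidateDuoTokenAuthenticationResult() {
        setMetricName(DEFAULT_METRIC_NAME);
    }

    /**
     * Get the strategy used to derive additional principals from the request context.
     *
     * @return the mapping strategy, or null if none is configured
     */
    @Nullable
    public Function<ProfileRequestContext, Collection<Principal>> getContextToPrincipalMappingStrategy() {
        return contextToPrincipalMappingStrategy;
    }

    /**
     * Set the strategy used to derive additional principals from the request context.
     *
     * @param function the mapping strategy, or null to disable mapping
     */
    public void setContextToPrincipalMappingStrategy(
            @Nullable final Function<ProfileRequestContext, Collection<Principal>> function) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        contextToPrincipalMappingStrategy = function;
    }

    /**
     * Locates the Duo context, integration, username and token and parses the token's
     * claims set. Each missing piece is reported as an {@code InvalidAuthenticationContext}
     * event and a recorded failure.
     *
     * @param profileRequestContext the current request context
     * @param authenticationContext the current authentication context
     * @return true iff all inputs are present and the claims set was parsed
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        prc = profileRequestContext;

        duoContext = authenticationContext.getSubcontext(DuoOIDCAuthenticationContext.class);
        if (duoContext == null) {
            log.error("{} No DuoAuthenticationContext available", getLogPrefix());
            handleError(profileRequestContext, authenticationContext,
                    "No DuoAuthenticationContext context available", "InvalidAuthenticationContext");
            recordFailure(profileRequestContext);
            return false;
        }

        duoIntegration = duoContext.getIntegration();
        if (duoIntegration == null) {
            log.error("{} No Duo Integration available", getLogPrefix());
            handleError(profileRequestContext, authenticationContext,
                    "No Duo integration available", "InvalidAuthenticationContext");
            recordFailure(profileRequestContext);
            return false;
        }

        // The field is declared @NotEmpty; an empty username is as unusable as a missing one.
        username = duoContext.getUsername();
        if (username == null || username.isEmpty()) {
            log.error("{} Duo username is not available", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidAuthenticationContext");
            recordFailure(profileRequestContext);
            return false;
        }

        final JWT authToken = duoContext.getAuthToken();
        if (authToken == null) {
            log.error("{} Duo 2FA token is not available", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidAuthenticationContext");
            recordFailure(profileRequestContext);
            return false;
        }

        try {
            claimsSet = authToken.getJWTClaimsSet();
            if (claimsSet == null) {
                throw new DuoException("Duo JWT ClaimsSet is null");
            }
            return true;
        } catch (final ParseException | DuoException e) {
            log.error("{} Claimset of Duo 2FA token is not available", getLogPrefix());
            // Parse detail is kept at debug level; it is not needed for the audit trail.
            log.debug("{} Claimset parse failure", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "InvalidAuthenticationContext");
            recordFailure(profileRequestContext);
            return false;
        }
    }

    /**
     * Reads the {@code auth_result} claim and maps its {@code status} to an outcome:
     * {@code allow} builds the authentication result, {@code deny} yields
     * {@code InvalidCredentials}, anything else (or a malformed claim) yields
     * {@code AuthenticationException}.
     *
     * @param profileRequestContext the current request context
     * @param authenticationContext the current authentication context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        try {
            final Map<String, Object> authResult = claimsSet.getJSONObjectClaim(CLAIM_AUTH_RESULT);
            if (authResult == null) {
                throw new DuoException("Authentication result object is null");
            }

            final Object statusValue = authResult.get(KEY_STATUS);
            final Object statusMsgValue = authResult.get(KEY_STATUS_MSG);
            if (!(statusValue instanceof String) || !(statusMsgValue instanceof String)) {
                log.error("{} Duo 2FA authentication failed for '{}', auth_results missing",
                        getLogPrefix(), username);
                handleError(profileRequestContext, authenticationContext,
                        "AuthenticationException", "AuthenticationException");
                recordFailure(profileRequestContext);
                return;
            }

            final String status = (String) statusValue;
            final String statusMsg = (String) statusMsgValue;

            if (STATUS_ALLOW.equalsIgnoreCase(status)) {
                log.info("{} Duo 2FA authentication succeeded for '{}', using second-factor '{}'",
                        getLogPrefix(), username, extractFactor());
                buildAuthenticationResult(profileRequestContext, authenticationContext);
                recordSuccess(profileRequestContext);
            } else if (STATUS_DENY.equalsIgnoreCase(status)) {
                log.error("{} Duo 2FA authentication failed for '{}', 2FA status '{}'",
                        getLogPrefix(), username, statusMsg);
                handleError(profileRequestContext, authenticationContext, status, "InvalidCredentials");
                recordFailure(profileRequestContext);
            } else {
                // Any status other than allow/deny is treated as a failure, never as success.
                log.error("{} Duo 2FA authentication failed for '{}', unknown response",
                        getLogPrefix(), username);
                handleError(profileRequestContext, authenticationContext,
                        "AuthenticationException", "AuthenticationException");
                recordFailure(profileRequestContext);
            }
        } catch (final ParseException | DuoException e) {
            log.error("{} Duo 2FA authentication failed for '{}', auth_result missing",
                    getLogPrefix(), username);
            log.debug("{} auth_result claim failure", getLogPrefix(), e);
            handleError(profileRequestContext, authenticationContext,
                    "AuthenticationException", "AuthenticationException");
            recordFailure(profileRequestContext);
        }
    }

    /**
     * Best-effort extraction of the second factor name from the {@code auth_context} claim,
     * used only for logging.
     *
     * @return the {@code factor} string, or {@code "unspecified"} if absent or unparseable
     */
    @Nonnull
    private String extractFactor() {
        try {
            final Map<String, Object> authContext = claimsSet.getJSONObjectClaim(CLAIM_AUTH_CONTEXT);
            if (authContext != null) {
                final Object factor = authContext.get(KEY_FACTOR);
                if (factor instanceof String) {
                    return (String) factor;
                }
            }
        } catch (final ParseException e) {
            // Informational only; a malformed auth_context must not affect the outcome.
            log.debug("{} Unable to parse auth_context claim, factor unspecified", getLogPrefix(), e);
        }
        return "unspecified";
    }

    /**
     * Adds a {@link DuoPrincipal} for the Duo username, the integration's supported
     * principals, and any principals produced by the configured mapping strategy.
     *
     * @param subject the subject to populate
     * @return the populated subject
     */
    @Override
    protected Subject populateSubject(@Nonnull final Subject subject) {
        subject.getPrincipals().add(new DuoPrincipal(username));
        subject.getPrincipals().addAll(duoIntegration.getSupportedPrincipals(Principal.class));

        final Function<ProfileRequestContext, Collection<Principal>> strategy =
                getContextToPrincipalMappingStrategy();
        if (strategy != null) {
            final Collection<Principal> mapped = strategy.apply(prc);
            if (mapped != null) {
                subject.getPrincipals().addAll(mapped);
                if (log.isDebugEnabled()) {
                    log.debug("{} Added mapped Principals: {}", getLogPrefix(),
                            mapped.stream().map(Principal::getName).collect(Collectors.toUnmodifiableList()));
                }
            }
        }
        return subject;
    }

    /**
     * Builds the authentication result and records the Duo username as the principal name
     * for subject canonicalization.
     *
     * @param profileRequestContext the current request context
     * @param authenticationContext the current authentication context
     */
    @Override
    protected void buildAuthenticationResult(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        super.buildAuthenticationResult(profileRequestContext, authenticationContext);
        profileRequestContext.ensureSubcontext(SubjectCanonicalizationContext.class).setPrincipalName(username);
    }
}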
