package net.shibboleth.idp.plugin.authn.duo.impl;

import jakarta.servlet.http.HttpServletRequest;
import java.util.function.BiFunction;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.plugin.authn.duo.DuoException;
import net.shibboleth.idp.plugin.authn.duo.DuoOIDCClientRegistry;
import net.shibboleth.idp.plugin.authn.duo.DuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.DynamicDuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext;
import net.shibboleth.idp.plugin.authn.duo.context.DuoPasswordlessContext;
import net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.FunctionSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/PopulateDuoAuthenticationContext.class */
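/**
 * Action that creates and attaches a {@link DuoOIDCAuthenticationContext} to the {@link AuthenticationContext}.
 *
 * <p>The context is populated from one of two flows:</p>
 * <ul>
 *   <li><em>passwordless</em>, when a {@link DuoPasswordlessContext} is found via the configured lookup
 *       strategy: the username comes from that context and the integration from the passwordless lookup
 *       strategy (which must return a passwordless integration);</li>
 *   <li><em>standard</em> otherwise: the integration comes from the standard lookup strategy and the
 *       username from the username lookup strategy.</li>
 * </ul>
 *
 * <p>A fresh random request state is generated, a redirect_uri is computed for
 * {@link DynamicDuoOIDCIntegration}s, and a client is obtained from the {@link DuoOIDCClientRegistry}.
 * On any failure the new subcontext is removed again.</p>
 *
 * @event {@link org.opensaml.profile.action.EventIds#PROCEED_EVENT_ID}
 * @event {@code InvalidProfileContext} — no servlet request, no integration, or a non-passwordless
 *        integration in the passwordless flow
 * @event {@code NoCredentials} — no principal name available
 * @event {@code AuthenticationException} — redirect_uri or client could not be established
 */
public class PopulateDuoAuthenticationContext extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(PopulateDuoAuthenticationContext.class);

    /** Registry used to obtain, or lazily create, the client for the selected integration. */
    @NonnullAfterInit private DuoOIDCClientRegistry clientRegistry;

    /**
     * Strategy that derives the redirect_uri for a {@link DynamicDuoOIDCIntegration} from the inbound
     * request. Only consulted when the selected integration is dynamic, but required in that case.
     *
     * <p>NOTE(review): the strategy receives the raw servlet request; it is assumed to build the URI from
     * trusted deployment configuration rather than client-controlled request data — confirm in the
     * configured strategy.</p>
     */
    @Nullable private BiFunction<HttpServletRequest, DynamicDuoOIDCIntegration, String> redirectURICreationStrategy;

    /** Lookup strategy for an optional {@link DuoPasswordlessContext} beneath the {@link AuthenticationContext}. */
    @Nonnull private Function<ProfileRequestContext, DuoPasswordlessContext> passwordlessContextLookupStrategy =
            new ChildContextLookup<>(DuoPasswordlessContext.class).compose(
                    new ChildContextLookup<>(AuthenticationContext.class));

    /** Lookup strategy for the principal name used by the standard flow. */
    @Nonnull private Function<ProfileRequestContext, String> usernameLookupStrategy =
            new CanonicalUsernameLookupStrategy();

    /** Lookup strategy for the integration used by the standard flow; returns null until configured. */
    @Nonnull private Function<ProfileRequestContext, DuoOIDCIntegration> standardDuoIntegrationLookupStrategy =
            FunctionSupport.constant(null);

    /** Lookup strategy for the integration used by the passwordless flow; returns null until configured. */
    @Nonnull private Function<ProfileRequestContext, DuoOIDCIntegration> passwordlessDuoIntegrationLookupStrategy =
            FunctionSupport.constant(null);

    /**
     * Name of the request parameter which, when set to {@code "1"} in the passwordless flow, marks the
     * authentication result as not cacheable for SSO.
     */
    @Nonnull @NotEmpty private String ssoBypassFieldName = "donotcache";

    /**
     * Set the registry used to obtain a client for the selected integration.
     *
     * @param registry the client registry
     */
    public void setClientRegistry(@Nonnull final DuoOIDCClientRegistry registry) {
        checkSetterPreconditions();
        clientRegistry = Constraint.isNotNull(registry, "DuoClient registry can not be null");
    }

    /**
     * Set the lookup strategy for the principal name used by the standard flow.
     *
     * @param strategy the lookup strategy
     */
    public void setUsernameLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> strategy) {
        checkSetterPreconditions();
        usernameLookupStrategy = Constraint.isNotNull(strategy, "Username lookup strategy cannot be null");
    }

    /**
     * Set the strategy that computes the redirect_uri for dynamic integrations.
     *
     * @param strategy the creation strategy
     */
    public void setRedirectURICreationStrategy(
            @Nonnull final BiFunction<HttpServletRequest, DynamicDuoOIDCIntegration, String> strategy) {
        checkSetterPreconditions();
        redirectURICreationStrategy = Constraint.isNotNull(strategy, "RedirectURI creation strategy cannot be null");
    }

    /**
     * Set the lookup strategy for the {@link DuoPasswordlessContext}.
     *
     * @param strategy the lookup strategy
     */
    public void setPasswordlessContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, DuoPasswordlessContext> strategy) {
        checkSetterPreconditions();
        passwordlessContextLookupStrategy =
                Constraint.isNotNull(strategy, "DuoPasswordlessContext lookup strategy cannot be null");
    }

    /**
     * Set the lookup strategy for the integration used by the standard flow.
     *
     * @param strategy the lookup strategy
     */
    public void setStandardDuoIntegrationLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, DuoOIDCIntegration> strategy) {
        checkSetterPreconditions();
        standardDuoIntegrationLookupStrategy =
                Constraint.isNotNull(strategy, "Standard DuoIntegration lookup strategy cannot be null");
    }

    /**
     * Set the lookup strategy for the integration used by the passwordless flow.
     *
     * @param strategy the lookup strategy
     */
    public void setPasswordlessDuoIntegrationLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, DuoOIDCIntegration> strategy) {
        checkSetterPreconditions();
        passwordlessDuoIntegrationLookupStrategy =
                Constraint.isNotNull(strategy, "Passwordless DuoIntegration lookup strategy cannot be null");
    }

    /**
     * Set the name of the request parameter that disables SSO result caching.
     *
     * @param name the parameter name; trimmed, must not be empty
     */
    public void setSSOBypassFieldName(@Nonnull @NotEmpty final String name) {
        checkSetterPreconditions();
        ssoBypassFieldName =
                Constraint.isNotNull(StringSupport.trimOrNull(name), "SSO Bypass field name cannot be null or empty.");
    }

    /** {@inheritDoc} */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (clientRegistry == null) {
            throw new ComponentInitializationException("Duo Client Registry cannot be null");
        }
    }

    /** {@inheritDoc} */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {

        final HttpServletRequest request = getHttpServletRequest();
        if (request == null) {
            log.warn("{} Profile action does not contain an HttpServletRequest", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return;
        }

        // Attached up front so the helpers can populate it; detached again on every failure path below.
        final DuoOIDCAuthenticationContext duoContext = new DuoOIDCAuthenticationContext();
        authenticationContext.addSubcontext(duoContext, true);

        final DuoPasswordlessContext passwordlessContext =
                passwordlessContextLookupStrategy.apply(profileRequestContext);
        final boolean populated = passwordlessContext != null
                ? doPasswordless(profileRequestContext, authenticationContext, duoContext, passwordlessContext, request)
                : doStandard(profileRequestContext, duoContext);
        if (!populated) {
            duoContext.removeFromParent();
            return;
        }

        // Both helpers return true only after setIntegration(non-null), so this holds even when assertions
        // are disabled.
        final DuoOIDCIntegration integration = duoContext.getIntegration();
        assert integration != null;

        // Fresh random state value for this authentication request.
        duoContext.setRequestState(DuoSupport.generateNonce(32));

        try {
            computeAndStoreRedirectURIIfSupported(integration, request, duoContext);
            duoContext.setClient(clientRegistry.getClientOrCreate(integration));
            // Prefixed like every other log line in this action.
            log.debug("{} Created Duo authentication context for '{}'", getLogPrefix(), duoContext.getUsername());
        } catch (final DuoException e) {
            log.warn("{} Unable to establish a Duo Client for the given integration", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "AuthenticationException");
            duoContext.removeFromParent();
        }
    }

    /**
     * Populate the Duo context for the passwordless flow.
     *
     * <p>Requires a username in the passwordless context and a passwordless integration from the
     * configured lookup strategy. If the SSO-bypass request parameter equals {@code "1"}, the
     * authentication result is marked non-cacheable.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param duoContext the Duo context being populated
     * @param passwordlessContext the passwordless context located by the lookup strategy
     * @param request the current servlet request
     * @return true iff username and integration were set; an event has been signaled otherwise
     */
    private boolean doPasswordless(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final DuoOIDCAuthenticationContext duoContext,
            @Nonnull final DuoPasswordlessContext passwordlessContext,
            @Nonnull final HttpServletRequest request) {

        final String username = passwordlessContext.getUsername();
        if (username == null) {
            log.warn("{} No principal name available to initiate a Duo 2FA request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "NoCredentials");
            return false;
        }
        duoContext.setUsername(username);

        final DuoOIDCIntegration integration = passwordlessDuoIntegrationLookupStrategy.apply(profileRequestContext);
        if (integration == null) {
            log.warn("{} No DuoIntegration returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        if (!integration.isPasswordless()) {
            log.warn("{} DuoIntegration returned by lookup strategy was not passwordless", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        duoContext.setIntegration(integration);

        // Caller-supplied opt-out of SSO result caching; a missing or different value leaves the default.
        if ("1".equals(request.getParameter(ssoBypassFieldName))) {
            log.debug("{} Recording do-not-cache instruction in authentication context", getLogPrefix());
            authenticationContext.setResultCacheable(false);
        }
        return true;
    }

    /**
     * Populate the Duo context for the standard (second-factor) flow.
     *
     * @param profileRequestContext current profile request context
     * @param duoContext the Duo context being populated
     * @return true iff integration and username were set; an event has been signaled otherwise
     */
    private boolean doStandard(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final DuoOIDCAuthenticationContext duoContext) {

        final DuoOIDCIntegration integration = standardDuoIntegrationLookupStrategy.apply(profileRequestContext);
        if (integration == null) {
            log.warn("{} No DuoIntegration returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        duoContext.setIntegration(integration);

        final String username = usernameLookupStrategy.apply(profileRequestContext);
        if (username == null) {
            log.warn("{} No principal name available to initiate a Duo 2FA request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "NoCredentials");
            return false;
        }
        duoContext.setUsername(username);
        return true;
    }

    /**
     * For a {@link DynamicDuoOIDCIntegration}, compute the redirect_uri with the configured strategy,
     * record it on the integration (if absent) and on the Duo context as an override. Other integration
     * types are left untouched.
     *
     * @param integration the selected integration
     * @param request the current servlet request
     * @param duoContext the Duo context being populated
     * @throws DuoException if the integration is dynamic but no strategy is configured, or the strategy
     *         yields no URI
     */
    private void computeAndStoreRedirectURIIfSupported(@Nonnull final DuoOIDCIntegration integration,
            @Nonnull final HttpServletRequest request,
            @Nonnull final DuoOIDCAuthenticationContext duoContext) throws DuoException {

        if (!(integration instanceof DynamicDuoOIDCIntegration)) {
            return;
        }
        final DynamicDuoOIDCIntegration dynamicIntegration = (DynamicDuoOIDCIntegration) integration;

        final BiFunction<HttpServletRequest, DynamicDuoOIDCIntegration, String> strategy = redirectURICreationStrategy;
        if (strategy == null) {
            throw new DuoException("A dynamic DuoOIDC integration was supplied, but the redirect URI creation strategy"
                    + " was null. Please set a redirect URI creation strategy.");
        }

        final String redirectURI = strategy.apply(request, dynamicIntegration);
        if (redirectURI == null) {
            throw new DuoException("A redirect_uri was not registered or could not be computed");
        }

        dynamicIntegration.setRedirectURIIfAbsent(redirectURI);
        log.trace("{} Adding a dynamic redirect_uri '{}' to the context for the DuoClient to use if supported",
                getLogPrefix(), redirectURI);
        duoContext.setRedirectURIOverride(redirectURI);
    }

}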
