package net.shibboleth.idp.plugin.authn.duo.admin.impl;

import jakarta.servlet.http.HttpServletRequest;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.plugin.authn.duo.PasswordlessCookieManager;
import net.shibboleth.idp.plugin.authn.duo.impl.CreatePasswordlessCookie;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.security.AccessControlService;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/admin/impl/ManagePasswordlessCookie.class */
public class ManagePasswordlessCookie extends AbstractProfileAction {

    @Nonnull
    @NotEmpty
    public static final String USERNAME_FIELD_NAME = "j_username";

    @Nonnull
    @NotEmpty
    public static final String OPERATION_FIELD_NAME = "operation";

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ManagePasswordlessCookie.class);

    @NonnullAfterInit
    private AccessControlService accessControlService;

    @NonnullAfterInit
    private PasswordlessCookieManager cookieManager;

    @NonnullBeforeExec
    private String currentUsername;

    public void setAccessControlService(@Nonnull AccessControlService accessControlService) {
        checkSetterPreconditions();
        this.accessControlService = (AccessControlService) Constraint.isNotNull(accessControlService, "AccessControlService cannot be null");
    }

    public void setPasswordlessCookieManager(@Nullable PasswordlessCookieManager passwordlessCookieManager) {
        checkSetterPreconditions();
        this.cookieManager = (PasswordlessCookieManager) Constraint.isNotNull(passwordlessCookieManager, "PasswordlessCookieManager cannot be null");
    }

    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.accessControlService == null) {
            throw new ComponentInitializationException("AccessControlService cannot be null");
        }
        if (this.cookieManager == null) {
            throw new ComponentInitializationException("PasswordlessCookieManager cannot be null");
        }
    }

    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        if (getHttpServletRequest() == null) {
            this.log.warn("{} No HttpServletRequest available", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        SubjectContext subcontext = profileRequestContext.getSubcontext(SubjectContext.class);
        this.currentUsername = subcontext != null ? subcontext.getPrincipalName() : null;
        if (this.currentUsername != null) {
            return true;
        }
        this.log.warn("{} No current username available", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, "AccessDenied");
        return false;
    }

    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        HttpServletRequest ensureHttpServletRequest = ensureHttpServletRequest();
        String parameter = ensureHttpServletRequest.getParameter(OPERATION_FIELD_NAME);
        if ("clear".equals(parameter)) {
            this.cookieManager.clearCookie();
            return;
        }
        if ("optout".equals(parameter)) {
            if (this.cookieManager.writeCookie((String) null)) {
                this.log.debug("{} Created passwordless cookie for opt-out", getLogPrefix());
                return;
            } else {
                this.log.warn("{} Failed to create passwordless cookie for opt-out", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "InputOutputError");
                return;
            }
        }
        if (CreatePasswordlessCookie.OPTIN_FIELD_NAME.equals(parameter)) {
            String parameter2 = ensureHttpServletRequest.getParameter(USERNAME_FIELD_NAME);
            if (parameter2 == null) {
                parameter2 = this.currentUsername;
            } else if (!parameter2.equals(this.currentUsername) && !isAdminAllowed(profileRequestContext, parameter2)) {
                ActionSupport.buildEvent(profileRequestContext, "AccessDenied");
                return;
            }
            this.log.debug("{} Creating passwordless cookie for username '{}'", getLogPrefix(), parameter2);
            if (this.cookieManager.writeCookie(parameter2)) {
                return;
            }
            this.log.warn("{} Failed to create passwordless cookie for username '{}'", getLogPrefix(), parameter2);
            ActionSupport.buildEvent(profileRequestContext, "InputOutputError");
        }
    }

    private boolean isAdminAllowed(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull @NotEmpty String str) {
        String adminPolicyName;
        RelyingPartyContext subcontext = profileRequestContext.getSubcontext(RelyingPartyContext.class);
        if (subcontext != null) {
            AdminFlowDescriptor profileConfig = subcontext.getProfileConfig();
            if ((profileConfig instanceof AdminFlowDescriptor) && (adminPolicyName = profileConfig.getAdminPolicyName(profileRequestContext)) != null) {
                this.log.debug("{} Checking for admin access to Duo passwordless cookie with policy {}", getLogPrefix(), adminPolicyName);
                boolean checkAccess = this.accessControlService.getInstance(adminPolicyName).checkAccess(ensureHttpServletRequest(), "write", str);
                if (!checkAccess) {
                    this.log.warn("{} Access to passwordless cookie for username '{}' denied", getLogPrefix(), str);
                }
                return checkAccess;
            }
        }
        this.log.warn("{} Unable to obtain admin access policy to use", getLogPrefix());
        return false;
    }
}
