package net.shibboleth.idp.plugin.authn.duo.impl;

import javax.annotation.Nonnull;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.plugin.authn.duo.AbstractDuoAuthenticationAction;
import net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/ValidateDuoResponseState.class */
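/**
 * Authentication action that checks the {@code state} value returned in a Duo 2FA response
 * against the value recorded for the request in the {@link DuoOIDCAuthenticationContext}.
 *
 * <p>Outcomes, as implemented below:</p>
 * <ul>
 *   <li>either value missing: a {@code "NoCredentials"} event is built;</li>
 *   <li>values differ: a {@code "NoCredentials"} event is built;</li>
 *   <li>values equal: no event is built and processing continues.</li>
 * </ul>
 *
 * <p>On every outcome both stored state values are cleared, so one request state can be
 * compared at most once. The comparison is a plain {@link String#equals(Object)}; because the
 * stored value is discarded after the first comparison, a caller gets a single attempt per
 * request state.</p>
 */
public class ValidateDuoResponseState extends AbstractDuoAuthenticationAction {

    /** Class logger. */
    @Nonnull
    @NotEmpty
    private final Logger log = LoggerFactory.getLogger(ValidateDuoResponseState.class);

    /**
     * Compares the request and response state held in the Duo context and signals
     * {@code "NoCredentials"} when the state is missing or does not match.
     *
     * @param profileRequestContext the profile request context the failure event is attached to
     * @param authenticationContext the authentication context (not read by this action)
     * @param duoOIDCAuthenticationContext the Duo context holding the request and response state
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull DuoOIDCAuthenticationContext duoOIDCAuthenticationContext) {
        final String requestState = duoOIDCAuthenticationContext.getRequestState();
        final String responseState = duoOIDCAuthenticationContext.getResponseState();

        // NOTE(review): with trace logging enabled this writes both state values to the log.
        // They are cleared below and so are single-use, but confirm that trace output is not
        // shipped anywhere less trusted than the IdP itself.
        this.log.trace("{} Duo 2FA request state '{}' was returned in the response as '{}'", getLogPrefix(), requestState, responseState);

        try {
            if (requestState == null || responseState == null) {
                this.log.error("{} The state parameter was not present in either the request or response, state is mandatory for Duo 2FA requests", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "NoCredentials");
                return;
            }

            if (!requestState.equals(responseState)) {
                this.log.error("{} Duo request state did not match response state, has it been tampered with!", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "NoCredentials");
                return;
            }

            this.log.debug("{} Duo 2FA request and response state match, continuing", getLogPrefix());
        } finally {
            // Clear the state on every path. Previously the missing-state branch left whichever
            // value was non-null in the context, unlike the match and mismatch branches; clearing
            // it here keeps a request state from outliving a failed validation.
            blankState(duoOIDCAuthenticationContext);
        }
    }

    /**
     * Sets both the request state and the response state in the Duo context to {@code null}.
     *
     * @param duoOIDCAuthenticationContext the Duo context to clear
     */
    private void blankState(@Nonnull DuoOIDCAuthenticationContext duoOIDCAuthenticationContext) {
        duoOIDCAuthenticationContext.setRequestState((String) null);
        duoOIDCAuthenticationContext.setResponseState((String) null);
    }
}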
