package net.shibboleth.idp.plugin.authn.duo.impl;

import java.util.function.Consumer;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.plugin.authn.duo.PasswordlessCookieManager;
import net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.PredicateSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/PostValidatePasswordlessEvaluation.class */
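/**
 * Authentication action that runs after a Duo OIDC validation step and decides what to do with the
 * passwordless "guard" cookie: clear it, refresh it, leave it alone, or signal
 * {@link #PROMPT_USER_EVENT} so the flow can show the opt-in view.
 *
 * <p>Decision order in {@link #doExecute}: missing username, non-cacheable result, opt-out cookie,
 * existing guard cookie (match or mismatch), and finally the eligibility condition.</p>
 *
 * <p>The authenticated username and the value returned by the cookie manager are written to the log
 * at debug/info/warn level.</p>
 */
public class PostValidatePasswordlessEvaluation extends AbstractAuthenticationAction {

    /** Event signalled when the user should be offered the passwordless opt-in view. */
    @Nonnull
    @NotEmpty
    public static final String PROMPT_USER_EVENT = "PasswordlessPrompt";

    /** Optional hook invoked from {@link #doPostExecute} after the superclass post-processing. */
    @Nullable
    private Consumer<ProfileRequestContext> cleanupHook;

    /** Reads, refreshes and clears the guard cookie; must be set before initialization. */
    @NonnullAfterInit
    private PasswordlessCookieManager cookieManager;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(PostValidatePasswordlessEvaluation.class);

    /** Eligibility test for the opt-in prompt; defaults to "never eligible". */
    @Nonnull
    private Predicate<ProfileRequestContext> passwordlessCondition = PredicateSupport.alwaysFalse();

    /** When true, a non-cacheable authentication result clears the guard cookie and stops processing. */
    private boolean requireResultCacheable = true;

    /**
     * When true, a guard cookie naming a different username than the one just authenticated is cleared.
     * When false, that cookie is left in place.
     * NOTE(review): leaving it in place keeps another account's guard cookie in the browser, which
     * matters on shared devices; confirm that is intended before disabling this flag.
     */
    private boolean detectUsernameMismatch = true;

    /**
     * Sets the hook to run at the end of {@link #doPostExecute}.
     *
     * @param consumer hook to run, or {@code null} for none
     */
    public void setCleanupHook(@Nullable Consumer<ProfileRequestContext> consumer) {
        checkSetterPreconditions();
        this.cleanupHook = consumer;
    }

    /**
     * Sets the condition deciding whether the user is eligible for the passwordless prompt.
     *
     * @param predicate eligibility condition; rejected by {@code Constraint.isNotNull} when null
     */
    public void setPasswordlessCondition(@Nonnull Predicate<ProfileRequestContext> predicate) {
        checkSetterPreconditions();
        // Constraint.isNotNull is generic, so no raw (unchecked) cast is needed here.
        this.passwordlessCondition = Constraint.isNotNull(predicate, "Passwordless eligibility condition cannot be null");
    }

    /**
     * Sets the cookie manager used to read, refresh and clear the guard cookie.
     *
     * <p>The parameter is annotated {@code @Nullable}, but a null argument is rejected by
     * {@code Constraint.isNotNull}.</p>
     *
     * @param passwordlessCookieManager cookie manager to use
     */
    public void setCookieManager(@Nullable PasswordlessCookieManager passwordlessCookieManager) {
        checkSetterPreconditions();
        this.cookieManager = Constraint.isNotNull(passwordlessCookieManager, "PasswordlessCookieManager cannot be null");
    }

    /**
     * Sets whether a non-cacheable authentication result clears the guard cookie.
     *
     * @param z {@code true} to clear the cookie and stop when the result is not cacheable
     */
    public void setRequireResultCacheable(boolean z) {
        checkSetterPreconditions();
        this.requireResultCacheable = z;
    }

    /**
     * Sets whether a guard cookie bound to a different username is cleared.
     *
     * @param z {@code true} to clear a mismatching guard cookie, {@code false} to leave it untouched
     */
    public void setDetectUsernameMismatch(boolean z) {
        checkSetterPreconditions();
        this.detectUsernameMismatch = z;
    }

    /**
     * Fails initialization when no cookie manager has been configured.
     *
     * @throws ComponentInitializationException if the cookie manager is null
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.cookieManager == null) {
            throw new ComponentInitializationException("PasswordlessCookieManager cannot be null");
        }
    }

    /**
     * Always allows execution to proceed.
     *
     * @return {@code true} unconditionally
     */
    @Override
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        return true;
    }

    /**
     * Evaluates the guard cookie state for the authenticated user and, when the user is eligible and
     * nothing else applies, signals {@link #PROMPT_USER_EVENT}.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    @Override
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        final String username = getUsername(profileRequestContext, authenticationContext);
        if (username == null) {
            // getUsername() has already logged the problem and signalled InvalidProfileContext.
            return;
        }

        if (!authenticationContext.isResultCacheable() && this.requireResultCacheable) {
            this.log.debug("{} Non-cacheable authentication, clearing guard cookie if set", getLogPrefix());
            this.cookieManager.clearCookie();
            return;
        }

        if (this.cookieManager.isOptOut()) {
            this.log.debug("{} Opt-out cookie found, skipping prompt for '{}'", getLogPrefix(), username);
            return;
        }

        // presumably the username the guard cookie is bound to; verify against PasswordlessCookieManager.
        // NOTE(review): this value is compared and logged as-is, so readCookie() is expected to return
        // only contents it has validated; confirm in the cookie manager.
        final String cookieUsername = this.cookieManager.readCookie();
        if (cookieUsername != null) {
            if (username.equals(cookieUsername)) {
                this.log.debug("{} Refreshing passwordless cookie for '{}' if set", getLogPrefix(), username);
                if (!this.cookieManager.refreshCookie()) {
                    this.log.warn("{} Unable to refresh passwordless cookie for '{}'", getLogPrefix(), username);
                }
                // A matching cookie never leads to a new prompt, whether or not the refresh worked.
                return;
            }
            if (!this.detectUsernameMismatch) {
                this.log.info("{} Ignoring username mismatch, left guard cookie for original username '{}'", getLogPrefix(), cookieUsername);
                return;
            }
            // Mismatch: drop the other user's cookie, then fall through to the eligibility check.
            this.log.info("{} Clearing existing guard cookie for original username '{}'", getLogPrefix(), cookieUsername);
            this.cookieManager.clearCookie();
        }

        if (this.passwordlessCondition.test(profileRequestContext)) {
            this.log.info("{} User '{}' eligible for passwordless, advancing to opt-in view", getLogPrefix(), username);
            ActionSupport.buildEvent(profileRequestContext, PROMPT_USER_EVENT);
        } else {
            this.log.debug("{} User '{}' not eligible for passwordless", getLogPrefix(), username);
        }
    }

    /**
     * Runs the superclass post-processing, then the cleanup hook if one is set.
     *
     * @param profileRequestContext current profile request context
     */
    @Override
    protected void doPostExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        super.doPostExecute(profileRequestContext);
        if (this.cleanupHook != null) {
            this.cleanupHook.accept(profileRequestContext);
        }
    }

    /**
     * Returns the username held by the {@link DuoOIDCAuthenticationContext} subcontext.
     *
     * <p>When the subcontext or its username is missing, logs an error and signals
     * {@code InvalidProfileContext} on the profile request context.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return the username, or {@code null} if it could not be obtained
     */
    @Nullable
    private String getUsername(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        final DuoOIDCAuthenticationContext subcontext = authenticationContext.getSubcontext(DuoOIDCAuthenticationContext.class);
        if (subcontext == null) {
            this.log.error("{} No DuoOIDCAuthenticationContext available", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return null;
        }
        final String username = subcontext.getUsername();
        if (username == null) {
            this.log.error("{} No username available", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return null;
        }
        return username;
    }
}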
