package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import com.google.common.collect.HashMultimap;
import com.google.common.collect.Multimap;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import java.security.Principal;
import java.text.ParseException;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.minidev.json.JSONObject;
import net.shibboleth.idp.attribute.AttributeDecodingException;
import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.context.AttributeContext;
import net.shibboleth.idp.attribute.filter.AttributeFilter;
import net.shibboleth.idp.attribute.filter.AttributeFilterException;
import net.shibboleth.idp.attribute.filter.context.AttributeFilterContext;
import net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry;
import net.shibboleth.idp.attribute.transcoding.TranscoderSupport;
import net.shibboleth.idp.attribute.transcoding.TranscodingRule;
import net.shibboleth.idp.authn.AbstractValidationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.principal.IdPAttributePrincipal;
import net.shibboleth.idp.authn.principal.ProxyAuthenticationPrincipal;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.EndUserClaimsContext;
import net.shibboleth.idp.plugin.authn.oidc.rp.principal.OIDCSubjectIdentifierPrincipal;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.saml.profile.context.navigate.SAMLMetadataContextLookupFunction;
import net.shibboleth.oidc.profile.config.OIDCAuthorizationConfiguration;
import net.shibboleth.utilities.java.support.annotation.constraint.Live;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.service.ReloadableService;
import net.shibboleth.utilities.java.support.service.ServiceableComponent;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.RecursiveTypedParentContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/ValidateOIDCAuthentication.class */
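/**
 * Validation action that completes a proxied OpenID Connect authentication.
 *
 * <p>The action expects the RP flow to have placed an {@link AuthenticationSuccessResponse} in the inbound
 * message context and an {@link EndUserClaimsContext} (carrying the end-user claims and the unprocessed
 * id_token claims) beneath it. On execution it optionally transcodes and filters the end-user claims into
 * IdP attributes, builds the authentication result, and may replace the authentication instant with the
 * upstream {@code auth_time} claim. The resulting {@link Subject} carries the id_token subject, a proxy
 * principal naming the upstream issuer, translated ACR/AMR principals and any filtered attributes.</p>
 *
 * <p>Request-scoped state (profile configuration, claims context, attribute context, translators) is kept in
 * instance fields, so an instance is not safe for concurrent use across requests.</p>
 *
 * <p>Events signaled from {@link #doPreExecute}: {@code InvalidProfileContext},
 * {@code InvalidMessageContext}, {@code InvalidRelyingPartyContext}, {@code InvalidProfileConfiguration}.</p>
 */
public class ValidateOIDCAuthentication extends AbstractValidationAction {

    /** Default metric name under which success/failure of this action is recorded. */
    @NotEmpty
    @Nonnull
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.oidc.rp";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateOIDCAuthentication.class);

    /**
     * Transcoder registry used to decode inbound claims into IdP attributes. Although annotated as required
     * after init, {@link #doExecute} tolerates its absence by skipping attribute processing.
     */
    @NonnullAfterInit
    private ReloadableService<AttributeTranscoderRegistry> transcoderRegistry;

    /** Optional attribute filter applied to decoded attributes; without it no attributes reach the Subject. */
    @Nullable
    private ReloadableService<AttributeFilter> attributeFilterService;

    /** Optional metadata resolver made available to the attribute filter context. */
    @Nullable
    private MetadataResolver metadataResolver;

    /** Strategy used to locate the {@link RelyingPartyContext}. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy;

    /** Profile configuration located during {@link #doPreExecute}. */
    @Nullable
    private OIDCAuthorizationConfiguration profileConfiguration;

    /** End-user claims context located during {@link #doPreExecute}. */
    @Nullable
    private EndUserClaimsContext endUserContext;

    /** Strategy used to locate the {@link EndUserClaimsContext} beneath the inbound message context. */
    @Nonnull
    private final Function<ProfileRequestContext, EndUserClaimsContext> endUserClaimsContextLookupStrategy;

    /** Attribute context created by {@link #processAttributes}; null when no claim decoded to an attribute. */
    @Nullable
    private AttributeContext attributeContext;

    /** Translates the id_token {@code acr} value into principals; null disables ACR translation. */
    @Nullable
    private Function<Collection<String>, Collection<Principal>> acrTranslator;

    /** Translates the id_token {@code amr} values into principals; null disables AMR translation. */
    @Nullable
    private Function<Collection<String>, Collection<Principal>> amrTranslator;

    /** Constructor. */
    public ValidateOIDCAuthentication() {
        setMetricName(DEFAULT_METRIC_NAME);
        relyingPartyContextLookupStrategy = new ChildContextLookup<>(RelyingPartyContext.class);
        // The claims context lives under the inbound MessageContext and is auto-created if missing.
        endUserClaimsContextLookupStrategy =
                new ChildContextLookup<MessageContext, EndUserClaimsContext>(EndUserClaimsContext.class, true)
                        .compose(new InboundMessageContextLookup());
    }

    /**
     * Sets the attribute filter service applied to decoded inbound attributes.
     *
     * @param reloadableService the filter service, or null to skip filtering
     */
    public void setAttributeFilter(@Nullable final ReloadableService<AttributeFilter> reloadableService) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        attributeFilterService = reloadableService;
    }

    /**
     * Sets the transcoder registry used to decode inbound claims.
     *
     * @param reloadableService the registry service, must not be null
     */
    public void setTranscoderRegistry(
            @Nonnull final ReloadableService<AttributeTranscoderRegistry> reloadableService) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        transcoderRegistry = Constraint.isNotNull(reloadableService, "AttributeTranscoderRegistry cannot be null");
    }

    /**
     * Sets the metadata resolver handed to the attribute filter context.
     *
     * @param resolver the resolver, may be null
     */
    public void setMetadataResolver(@Nullable final MetadataResolver resolver) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        metadataResolver = resolver;
    }

    /**
     * Sets the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setRelyingPartyContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, RelyingPartyContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    /** {@inheritDoc} */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
    }

    /**
     * {@inheritDoc}
     *
     * <p>Verifies that an attempted flow, an inbound {@link AuthenticationSuccessResponse}, an
     * {@link OIDCAuthorizationConfiguration} and an {@link EndUserClaimsContext} with id_token claims
     * (including a subject) are present, caching the configuration and claims context for execution.</p>
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }

        if (authenticationContext.getAttemptedFlow() == null) {
            log.debug("{} No attempted flow within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        final MessageContext inboundMessageContext = profileRequestContext.getInboundMessageContext();
        if (inboundMessageContext == null) {
            log.error("{} No inbound message context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }
        if (inboundMessageContext.getMessage() == null) {
            log.error("{} No inbound message", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }
        if (!(inboundMessageContext.getMessage() instanceof AuthenticationSuccessResponse)) {
            log.error("{} No inbound authentication success response", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }

        final RelyingPartyContext rpContext = relyingPartyContextLookupStrategy.apply(profileRequestContext);
        if (rpContext == null) {
            log.error("{} Unable to locate RelyingPartyContext", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRelyingPartyContext");
            return false;
        }
        if (rpContext.getProfileConfig() == null) {
            log.error("{} Unable to locate profile configuration", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }
        if (!(rpContext.getProfileConfig() instanceof OIDCAuthorizationConfiguration)) {
            log.error("{} No OIDC SSO profile configuration", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }
        profileConfiguration = (OIDCAuthorizationConfiguration) rpContext.getProfileConfig();

        endUserContext = endUserClaimsContextLookupStrategy.apply(profileRequestContext);
        if (endUserContext == null) {
            log.error("{} Unable to locate end-user claims context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        if (endUserContext.getEndUserClaims() == null) {
            log.error("{} End-user claims are null", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        if (endUserContext.getUnprocessedIdTokenClaims() == null) {
            log.error("{} id_token not found in response", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        // The subject is mandatory: it becomes the OIDCSubjectIdentifierPrincipal and is logged on success.
        if (endUserContext.getUnprocessedIdTokenClaims().getSubject() == null) {
            log.error("{} id_token did not contain a subject (sub)", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        return true;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Records success, decodes/filters claims when a transcoder registry is configured, resolves the
     * ACR/AMR translators, builds the authentication result and, if the profile configuration asks for a
     * proxied authentication instant, overrides the instant with the id_token {@code auth_time} claim.</p>
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        recordSuccess(profileRequestContext);
        log.trace("{} Validating OIDC proxy authentication", getLogPrefix());

        // Attribute processing is optional: without a registry no IdP attributes are derived from the claims.
        if (transcoderRegistry != null) {
            processAttributes(profileRequestContext);
        }

        log.info("{} OIDC authentication succeeded for '{}'", getLogPrefix(),
                endUserContext.getUnprocessedIdTokenClaims().getSubject());

        // Translators are resolved per request; populateSubject() consumes them from buildAuthenticationResult().
        acrTranslator =
                profileConfiguration.getAuthenticationContextClassReferenceTranslationStrategy(profileRequestContext);
        amrTranslator =
                profileConfiguration.getAuthenticationMethodsReferencesTranslationStrategy(profileRequestContext);

        buildAuthenticationResult(profileRequestContext, authenticationContext);

        if (authenticationContext.getAuthenticationResult() == null
                || !profileConfiguration.isProxiedAuthnInstant(profileRequestContext)) {
            return;
        }
        resetAuthenticationInstant(authenticationContext);
    }

    /**
     * Replaces the authentication instant of the result with the id_token {@code auth_time} claim when it is
     * present and parseable; otherwise the locally computed instant is left in place and the reason is logged
     * at debug level.
     *
     * @param authenticationContext context whose result is updated
     */
    private void resetAuthenticationInstant(@Nonnull final AuthenticationContext authenticationContext) {
        try {
            final Date authTime = endUserContext.getUnprocessedIdTokenClaims().getDateClaim("auth_time");
            if (authTime == null) {
                log.debug("{} Unable to reset authentication time, auth_time not present in id_token",
                        getLogPrefix());
                return;
            }
            log.debug("{} Resetting authentication time to proxied value: {}", getLogPrefix(), authTime);
            authenticationContext.getAuthenticationResult().setAuthenticationInstant(authTime.toInstant());
        } catch (final ParseException e) {
            log.debug("{} Unable to reset authentication time, auth_time could not be parsed from id_token: {}",
                    getLogPrefix(), e.getMessage());
        }
    }

    /**
     * {@inheritDoc}
     *
     * <p>Adds, in order: translated ACR principals, translated AMR principals, the
     * {@link OIDCSubjectIdentifierPrincipal} for the id_token subject, a {@link ProxyAuthenticationPrincipal}
     * naming the issuer, and an {@link IdPAttributePrincipal} per filtered inbound attribute.</p>
     */
    @Override
    protected Subject populateSubject(@Nonnull final Subject subject) {
        addTranslatedAcrPrincipals(subject);
        addTranslatedAmrPrincipals(subject);

        subject.getPrincipals().add(
                new OIDCSubjectIdentifierPrincipal(endUserContext.getUnprocessedIdTokenClaims().getSubject()));
        subject.getPrincipals().add(buildProxyPrincipal());

        if (attributeContext != null && !attributeContext.getIdPAttributes().isEmpty()) {
            log.debug("{} Adding filtered inbound attributes to Subject", getLogPrefix());
            subject.getPrincipals().addAll(attributeContext.getIdPAttributes().values().stream()
                    .map(IdPAttributePrincipal::new)
                    .collect(Collectors.toUnmodifiableList()));
        }
        return subject;
    }

    /**
     * Translates a string-valued {@code acr} claim into principals and adds them to the subject.
     * Non-string or absent values are ignored.
     *
     * @param subject subject to populate
     */
    private void addTranslatedAcrPrincipals(@Nonnull final Subject subject) {
        if (acrTranslator == null) {
            return;
        }
        final Object acr = endUserContext.getUnprocessedIdTokenClaims().getClaim("acr");
        if (!(acr instanceof String)) {
            return;
        }
        final Collection<Principal> translated = acrTranslator.apply(List.of((String) acr));
        if (translated == null || translated.isEmpty()) {
            return;
        }
        subject.getPrincipals().addAll(translated);
        if (log.isDebugEnabled()) {
            log.debug("{} Added translated ACR Principals: {}", getLogPrefix(), principalNames(translated));
        }
    }

    /**
     * Translates a collection-valued {@code amr} claim into principals and adds them to the subject.
     * Absent or non-collection values are ignored; a claim that fails to parse as a string list is logged.
     *
     * @param subject subject to populate
     */
    private void addTranslatedAmrPrincipals(@Nonnull final Subject subject) {
        if (amrTranslator == null
                || !(endUserContext.getUnprocessedIdTokenClaims().getClaim("amr") instanceof Collection)) {
            return;
        }
        try {
            final Collection<Principal> translated =
                    amrTranslator.apply(endUserContext.getUnprocessedIdTokenClaims().getStringListClaim("amr"));
            if (translated == null || translated.isEmpty()) {
                return;
            }
            subject.getPrincipals().addAll(translated);
            if (log.isDebugEnabled()) {
                log.debug("{} Added translated AMR Principals: {}", getLogPrefix(), principalNames(translated));
            }
        } catch (final ParseException e) {
            log.warn("Unable to parse AMR claims", e);
        }
    }

    /**
     * Collects principal names for logging.
     *
     * @param principals principals to name
     * @return unmodifiable list of names in iteration order
     */
    @Nonnull
    private static List<String> principalNames(@Nonnull final Collection<Principal> principals) {
        return principals.stream().map(Principal::getName).collect(Collectors.toUnmodifiableList());
    }

    /**
     * Builds the proxy principal recording the upstream issuer as an authority.
     *
     * @return proxy principal with the id_token issuer as its only authority
     */
    @Nonnull
    private ProxyAuthenticationPrincipal buildProxyPrincipal() {
        final ProxyAuthenticationPrincipal proxyPrincipal = new ProxyAuthenticationPrincipal();
        proxyPrincipal.getAuthorities().add(endUserContext.getUnprocessedIdTokenClaims().getIssuer());
        return proxyPrincipal;
    }

    /**
     * Decodes the end-user claims into IdP attributes via the transcoder registry and, if any were produced,
     * stores them as unfiltered attributes in a new {@link AttributeContext} and runs the filter.
     *
     * <p>The pinned service component is released in a {@code finally} block so it is unpinned exactly once
     * on every path, including an unexpected exception from decoding or filtering.</p>
     *
     * @param profileRequestContext current profile request context
     */
    private void processAttributes(@Nonnull final ProfileRequestContext profileRequestContext) {
        log.debug("{} Decoding incoming OIDC claims", getLogPrefix());

        final Multimap<String, IdPAttribute> decoded = HashMultimap.create();
        ServiceableComponent<AttributeTranscoderRegistry> component = null;
        try {
            component = transcoderRegistry.getServiceableComponent();
            if (component == null) {
                log.error("Attribute transcoder service unavailable");
                return;
            }
            final AttributeTranscoderRegistry registry = component.getComponent();
            // Each claim is wrapped in its own single-entry JSON object so transcoding rules match per claim.
            for (final Map.Entry<String, Object> claim : endUserContext.getEndUserClaims().toJSONObject().entrySet()) {
                try {
                    final JSONObject wrapped = new JSONObject();
                    wrapped.put(claim.getKey(), claim.getValue());
                    decodeAttribute(registry, profileRequestContext, wrapped, decoded);
                } catch (final AttributeDecodingException e) {
                    // One undecodable claim must not prevent the others from being processed.
                    log.error("{} Error decoding inbound claim", getLogPrefix(), e);
                }
            }
        } finally {
            if (component != null) {
                component.unpinComponent();
            }
        }

        log.debug("{} Incoming OIDC Attributes mapped to attribute IDs: {}", getLogPrefix(), decoded.keySet());
        if (decoded.isEmpty()) {
            return;
        }

        attributeContext = profileRequestContext.getSubcontext(RelyingPartyContext.class)
                .getSubcontext(AttributeContext.class, true);
        attributeContext.setUnfilteredIdPAttributes(decoded.values());
        // Filtered attributes start empty; only the filter run below may populate them.
        attributeContext.setIdPAttributes(null);
        filterAttributes(profileRequestContext);
    }

    /**
     * Runs the configured attribute filter over the unfiltered attributes and stores the survivors as the
     * filtered attributes of the attribute context. Without a filter service nothing is filtered, so the
     * attribute context keeps no filtered attributes.
     *
     * <p>The pinned filter component is released in a {@code finally} block so that a filtering failure
     * (or any other exception) cannot leak the pin.</p>
     *
     * @param profileRequestContext current profile request context
     */
    private void filterAttributes(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (attributeFilterService == null) {
            log.warn("{} No AttributeFilter service provided", getLogPrefix());
            return;
        }

        final AttributeFilterContext filterContext =
                profileRequestContext.getSubcontext(AttributeFilterContext.class, true);
        populateFilterContext(profileRequestContext, filterContext);

        ServiceableComponent<AttributeFilter> component = null;
        try {
            component = attributeFilterService.getServiceableComponent();
            if (component == null) {
                log.error("{} Error while filtering inbound attributes: Invalid Attribute Filter configuration",
                        getLogPrefix());
                return;
            }
            component.getComponent().filterAttributes(filterContext);
            // The filter context is transient: detach it before copying its result into the attribute context.
            filterContext.getParent().removeSubcontext(filterContext);
            attributeContext.setIdPAttributes(filterContext.getFilteredIdPAttributes().values());
        } catch (final AttributeFilterException e) {
            log.error("{} Error while filtering inbound attributes", getLogPrefix(), e);
        } finally {
            if (component != null) {
                component.unpinComponent();
            }
        }
    }

    /**
     * Configures the filter context for the inbound direction: the unfiltered attributes are the input,
     * the issuer metadata is looked up from the enclosing profile request context, and no requester or
     * proxied-requester lookups are set.
     *
     * @param profileRequestContext current profile request context
     * @param attributeFilterContext context to populate
     */
    private void populateFilterContext(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AttributeFilterContext attributeFilterContext) {
        attributeFilterContext.setDirection(AttributeFilterContext.Direction.INBOUND)
                .setPrefilteredIdPAttributes(attributeContext.getUnfilteredIdPAttributes().values())
                .setMetadataResolver(metadataResolver)
                .setRequesterMetadataContextLookupStrategy(null)
                .setIssuerMetadataContextLookupStrategy(new SAMLMetadataContextLookupFunction().compose(
                        new RecursiveTypedParentContextLookup<AttributeFilterContext, ProfileRequestContext>(
                                ProfileRequestContext.class)))
                .setProxiedRequesterContextLookupStrategy(null)
                .setAttributeIssuerID(getResponderLookupStrategy().apply(profileRequestContext))
                .setAttributeRecipientID(getRequesterLookupStrategy().apply(profileRequestContext));
    }

    /**
     * Decodes a single wrapped claim using every transcoding rule that matches it.
     *
     * @param attributeTranscoderRegistry registry supplying the rules
     * @param profileRequestContext current profile request context
     * @param jSONObject single-entry JSON object holding the claim
     * @param multimap live collection receiving decoded attributes keyed by attribute ID
     * @throws AttributeDecodingException if a transcoder fails to decode the claim
     */
    private void decodeAttribute(@Nonnull final AttributeTranscoderRegistry attributeTranscoderRegistry,
            @Nonnull final ProfileRequestContext profileRequestContext, @Nonnull final JSONObject jSONObject,
            @NonnullElements @Live @Nonnull final Multimap<String, IdPAttribute> multimap)
            throws AttributeDecodingException {
        final Collection<TranscodingRule> rules = attributeTranscoderRegistry.getTranscodingRules(jSONObject);
        if (rules.isEmpty()) {
            log.info("{} No transcoding rule for Attribute '{}'", getLogPrefix(), jSONObject);
            return;
        }
        for (final TranscodingRule rule : rules) {
            final IdPAttribute decoded =
                    TranscoderSupport.getTranscoder(rule).decode(profileRequestContext, jSONObject, rule);
            // A transcoder may legitimately decline to produce an attribute.
            if (decoded != null) {
                multimap.put(decoded.getId(), decoded);
            }
        }
    }
}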
