package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import com.google.common.collect.HashMultimap;
import com.google.common.collect.Multimap;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.openid.connect.sdk.AuthenticationSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import java.security.Principal;
import java.text.ParseException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.minidev.json.JSONObject;
import net.shibboleth.idp.attribute.AttributeDecodingException;
import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.context.AttributeContext;
import net.shibboleth.idp.attribute.filter.AttributeFilter;
import net.shibboleth.idp.attribute.filter.AttributeFilterException;
import net.shibboleth.idp.attribute.filter.context.AttributeFilterContext;
import net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry;
import net.shibboleth.idp.attribute.transcoding.TranscoderSupport;
import net.shibboleth.idp.attribute.transcoding.TranscodingRule;
import net.shibboleth.idp.authn.AbstractValidationAction;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.principal.IdPAttributePrincipal;
import net.shibboleth.idp.authn.principal.ProxyAuthenticationPrincipal;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.EndUserClaimsContext;
import net.shibboleth.idp.plugin.authn.oidc.rp.principal.OIDCSubjectIdentifierPrincipal;
import net.shibboleth.oidc.profile.config.OIDCAuthenticationRelyingPartyProfileConfiguration;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.saml.profile.context.navigate.SAMLMetadataContextLookupFunction;
import net.shibboleth.shared.annotation.constraint.Live;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.annotation.constraint.NonnullElements;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.service.ReloadableService;
import net.shibboleth.shared.service.ServiceException;
import net.shibboleth.shared.service.ServiceableComponent;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.RecursiveTypedParentContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/ValidateOIDCAuthentication.class */
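/**
 * Validation action that completes an OIDC relying-party (proxy) authentication.
 *
 * <p>{@link #doPreExecute} checks that the inbound message is an {@link AuthenticationSuccessResponse},
 * that an {@link OIDCAuthenticationRelyingPartyProfileConfiguration} is in effect, and that the
 * {@link EndUserClaimsContext} carries end-user claims plus an id_token with a {@code sub} claim; any
 * missing piece fails the action with an event and nothing is validated. {@link #doExecute} decodes the
 * end-user claims into {@link IdPAttribute}s through the {@link AttributeTranscoderRegistry}, runs the
 * inbound {@link AttributeFilter} when one is configured, optionally merges attributes from a custom
 * extraction strategy, and builds the {@link AuthenticationResult}. If the profile configuration asks
 * for a proxied authentication instant, the result's instant is reset from the id_token
 * {@code auth_time} claim.</p>
 *
 * <p>The {@link Subject} receives an {@link OIDCSubjectIdentifierPrincipal} for {@code sub}, a
 * {@link ProxyAuthenticationPrincipal} whose authority is the id_token issuer, any principals produced
 * by the ACR/AMR translation strategies, one {@link IdPAttributePrincipal} per attribute in the
 * {@link AttributeContext}'s filtered set, and private credentials from the optional mapping
 * strategy.</p>
 *
 * <p>Release of decoded claims is gated by the attribute filter: the filtered set is reset before the
 * filter runs, and when no filter service is configured only a warning is logged, so the unfiltered
 * attributes stay in the context without being copied into the filtered set (assuming
 * {@code setIdPAttributes(null)} clears it — confirm against AttributeContext). Attributes returned by
 * the custom extraction strategy, by contrast, are added straight to the filtered set and do not pass
 * through the filter.</p>
 *
 * <p>NOTE(review): this action does not itself verify the id_token signature, audience or nonce; it
 * relies on the claims placed in the EndUserClaimsContext having been validated by earlier actions —
 * confirm against the flow. Per-request state is kept in fields, following the IdP convention of
 * non-shared action instances — confirm the bean scope.</p>
 */
public class ValidateOIDCAuthentication extends AbstractValidationAction {

    /** Metric name reported to the validation metrics when none is configured. */
    @Nonnull
    @NotEmpty
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.oidc.rp";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateOIDCAuthentication.class);

    /** Registry used to decode inbound claims into IdPAttributes; attribute processing is skipped when unset. */
    @NonnullAfterInit
    private ReloadableService<AttributeTranscoderRegistry> transcoderRegistry;

    /** Optional inbound attribute filter; without it decoded attributes are never released. */
    @Nullable
    private ReloadableService<AttributeFilter> attributeFilterService;

    /** Optional metadata resolver handed to the attribute filter context. */
    @Nullable
    private MetadataResolver metadataResolver;

    /** Locates the {@link RelyingPartyContext} from the profile request context. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy;

    /** Optional strategy producing private credentials to attach to the Subject. */
    @Nullable
    private Function<ProfileRequestContext, Collection<Principal>> contextToPrivateCredentialsMappingStrategy;

    /** Profile configuration located in pre-execute. */
    @NonnullBeforeExec
    private OIDCAuthenticationRelyingPartyProfileConfiguration profileConfiguration;

    /** End-user claims context located in pre-execute. */
    @NonnullBeforeExec
    private EndUserClaimsContext endUserContext;

    /** id_token claims, as received, located in pre-execute; guaranteed to have a {@code sub}. */
    @NonnullBeforeExec
    private JWTClaimsSet unprocessedIdTokenClaims;

    /** Locates the {@link EndUserClaimsContext} beneath the inbound message context. */
    @Nonnull
    private final Function<ProfileRequestContext, EndUserClaimsContext> endUserClaimsContextLookupStrategy;

    /** Attribute context created once decoded claims exist or an extraction strategy runs. */
    @Nullable
    private AttributeContext attributeContext;

    /** Translates the id_token {@code acr} value into principals; taken from the profile configuration. */
    @Nullable
    private Function<Collection<String>, Collection<Principal>> acrTranslator;

    /** Translates the id_token {@code amr} values into principals; taken from the profile configuration. */
    @Nullable
    private Function<Collection<String>, Collection<Principal>> amrTranslator;

    /** Optional strategy supplying additional IdPAttributes that bypass the attribute filter. */
    @Nullable
    private Function<ProfileRequestContext, Collection<IdPAttribute>> attributeExtractionStrategy;

    /** Profile request context of the current execution, retained for the credential mapping strategy. */
    @Nullable
    private ProfileRequestContext prc;

    /** Constructor. */
    public ValidateOIDCAuthentication() {
        setMetricName(DEFAULT_METRIC_NAME);
        relyingPartyContextLookupStrategy = new ChildContextLookup<>(RelyingPartyContext.class);
        // The claims context lives under the inbound message context and is not auto-created here;
        // the ChildContextLookup flag mirrors the original wiring.
        endUserClaimsContextLookupStrategy =
                new ChildContextLookup<>(EndUserClaimsContext.class, true).compose(new InboundMessageContextLookup());
    }

    /**
     * Sets the strategy that maps the profile request context to private credentials for the Subject.
     *
     * @param function the mapping strategy, or null to attach none
     */
    public void setContextToPrivateCredentialsMappingStrategy(
            @Nullable final Function<ProfileRequestContext, Collection<Principal>> function) {
        checkSetterPreconditions();
        contextToPrivateCredentialsMappingStrategy = function;
    }

    /**
     * Sets the inbound attribute filter service.
     *
     * @param reloadableService the filter service, or null to disable filtering (and release)
     */
    public void setAttributeFilter(@Nullable final ReloadableService<AttributeFilter> reloadableService) {
        checkSetterPreconditions();
        attributeFilterService = reloadableService;
    }

    /**
     * Sets the transcoder registry used to decode inbound claims.
     *
     * @param reloadableService the registry service
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if null
     */
    public void setTranscoderRegistry(
            @Nonnull final ReloadableService<AttributeTranscoderRegistry> reloadableService) {
        checkSetterPreconditions();
        transcoderRegistry = Constraint.isNotNull(reloadableService, "AttributeTranscoderRegistry cannot be null");
    }

    /**
     * Sets the metadata resolver passed to the attribute filter context.
     *
     * @param resolver the resolver, or null
     */
    public void setMetadataResolver(@Nullable final MetadataResolver resolver) {
        checkSetterPreconditions();
        metadataResolver = resolver;
    }

    /**
     * Sets the lookup strategy for the {@link RelyingPartyContext}.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if null
     */
    public void setRelyingPartyContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, RelyingPartyContext> function) {
        checkSetterPreconditions();
        relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    /**
     * Sets an optional strategy producing extra IdPAttributes; these are added to the filtered set
     * without passing through the attribute filter.
     *
     * @param function the extraction strategy, or null
     */
    public void setAttributeExtractionStrategy(
            @Nullable final Function<ProfileRequestContext, Collection<IdPAttribute>> function) {
        checkSetterPreconditions();
        attributeExtractionStrategy = function;
    }

    /**
     * Locates and checks everything {@link #doExecute} depends on, signalling an event on failure.
     *
     * @param profileRequestContext the profile request context
     * @param authenticationContext the authentication context
     * @return true iff the action may proceed
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        prc = profileRequestContext;

        if (authenticationContext.getAttemptedFlow() == null) {
            log.debug("{} No attempted flow within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        final MessageContext inbound = profileRequestContext.getInboundMessageContext();
        if (inbound == null) {
            log.error("{} No inbound message context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }
        final Object message = inbound.getMessage();
        if (message == null) {
            log.error("{} No inbound message", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }
        if (!(message instanceof AuthenticationSuccessResponse)) {
            log.error("{} No inbound authentication success response", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }

        final RelyingPartyContext rpContext = relyingPartyContextLookupStrategy.apply(profileRequestContext);
        if (rpContext == null) {
            log.error("{} Unable to locate RelyingPartyContext", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRelyingPartyContext");
            return false;
        }
        final Object profileConfig = rpContext.getProfileConfig();
        if (profileConfig == null) {
            log.error("{} Unable to locate profile configuration", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }
        if (!(profileConfig instanceof OIDCAuthenticationRelyingPartyProfileConfiguration oidcConfig)) {
            log.error("{} No OIDC RP SSO profile configuration", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }
        profileConfiguration = oidcConfig;

        endUserContext = endUserClaimsContextLookupStrategy.apply(profileRequestContext);
        if (endUserContext == null) {
            log.error("{} Unable to locate end-user claims context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        if (endUserContext.getEndUserClaims() == null) {
            log.error("{} End-user claims are null", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        unprocessedIdTokenClaims = endUserContext.getUnprocessedIdTokenClaims();
        if (unprocessedIdTokenClaims == null) {
            log.error("{} id_token not found in response", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        // A subject identifier is mandatory: populateSubject() builds the primary principal from it.
        if (unprocessedIdTokenClaims.getSubject() == null) {
            log.error("{} id_token did not contain a subject (sub)", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        return true;
    }

    /**
     * Decodes and filters inbound claims, builds the authentication result and, when configured,
     * adopts the proxied {@code auth_time} as the authentication instant.
     *
     * @param profileRequestContext the profile request context
     * @param authenticationContext the authentication context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        recordSuccess(profileRequestContext);
        log.debug("{} Validating OIDC proxy authentication", getLogPrefix());

        if (transcoderRegistry != null) {
            processAttributes(profileRequestContext);
        }

        final Function<ProfileRequestContext, Collection<IdPAttribute>> extractor = attributeExtractionStrategy;
        if (extractor != null) {
            applyExtractionStrategy(profileRequestContext, extractor);
        }

        log.info("{} OIDC authentication succeeded for '{}'", getLogPrefix(), unprocessedIdTokenClaims.getSubject());

        // Translators are resolved per request because they come from the (relying-party specific) profile config.
        acrTranslator = profileConfiguration.getAuthenticationContextClassReferenceTranslationStrategy(profileRequestContext);
        amrTranslator = profileConfiguration.getAuthenticationMethodsReferencesTranslationStrategy(profileRequestContext);

        buildAuthenticationResult(profileRequestContext, authenticationContext);

        final AuthenticationResult result = authenticationContext.getAuthenticationResult();
        if (result != null && profileConfiguration.isProxiedAuthnInstant(profileRequestContext)) {
            applyProxiedAuthnInstant(result);
        }
    }

    /**
     * Merges attributes from the custom extraction strategy into the filtered set of the attribute context,
     * creating the context under the RelyingPartyContext if attribute processing did not already do so.
     *
     * <p>These attributes are not passed through the attribute filter.</p>
     *
     * @param profileRequestContext the profile request context
     * @param extractor the configured extraction strategy
     */
    private void applyExtractionStrategy(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final Function<ProfileRequestContext, Collection<IdPAttribute>> extractor) {
        log.debug("{} Applying custom extraction strategy function", getLogPrefix());
        if (attributeContext == null) {
            // NOTE(review): located via getSubcontext rather than the configured lookup strategy;
            // equivalent under the default strategy.
            final RelyingPartyContext rpContext = profileRequestContext.getSubcontext(RelyingPartyContext.class);
            assert rpContext != null;
            attributeContext = rpContext.ensureSubcontext(AttributeContext.class);
        }
        final AttributeContext target = attributeContext;
        assert target != null;

        final Collection<IdPAttribute> extracted = extractor.apply(profileRequestContext);
        if (extracted == null) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("{} Extracted attributes with custom strategy: {}", getLogPrefix(),
                    extracted.stream().map(IdPAttribute::getId).toList());
        }
        final List<IdPAttribute> merged = new ArrayList<>(target.getIdPAttributes().values());
        merged.addAll(extracted);
        target.setIdPAttributes(merged);
    }

    /**
     * Replaces the result's authentication instant with the id_token {@code auth_time} claim, if present
     * and parseable; otherwise leaves the result untouched and logs at debug.
     *
     * @param result the authentication result to adjust
     */
    private void applyProxiedAuthnInstant(@Nonnull final AuthenticationResult result) {
        try {
            final Date authTime = unprocessedIdTokenClaims.getDateClaim("auth_time");
            if (authTime == null) {
                log.debug("{} Unable to reset authentication time, auth_time not present in id_token", getLogPrefix());
                return;
            }
            log.debug("{} Resetting authentication time to proxied value: {}", getLogPrefix(), authTime);
            final Instant proxiedInstant = authTime.toInstant();
            result.setAuthenticationInstant(proxiedInstant);
        } catch (final ParseException e) {
            log.debug("{} Unable to reset authentication time, auth_time could not be parsed from id_token: {}",
                    getLogPrefix(), e.getMessage());
        }
    }

    /**
     * Populates the Subject with the OIDC subject identifier, proxy principal, translated ACR/AMR
     * principals, filtered attributes and mapped private credentials.
     *
     * @param subject the subject to populate
     * @return the same subject
     */
    @Override
    protected Subject populateSubject(@Nonnull final Subject subject) {
        final Function<Collection<String>, Collection<Principal>> acr = acrTranslator;
        if (acr != null) {
            // "acr" is a single string per OIDC Core; anything else is treated as absent.
            final Object acrClaim = unprocessedIdTokenClaims.getClaim("acr");
            final Collection<String> acrValues =
                    acrClaim instanceof String acrString ? List.of(acrString) : CollectionSupport.emptyList();
            addTranslatedPrincipals(subject, acr.apply(acrValues), "{} Added translated ACR Principals: {}");
        }

        final Function<Collection<String>, Collection<Principal>> amr = amrTranslator;
        if (amr != null) {
            addTranslatedPrincipals(subject, amr.apply(amrClaimValues()), "{} Added translated AMR Principals: {}");
        }

        final String sub = unprocessedIdTokenClaims.getSubject();
        assert sub != null;
        subject.getPrincipals().add(new OIDCSubjectIdentifierPrincipal(sub));
        subject.getPrincipals().add(buildProxyPrincipal());

        // Only the filtered set is released; the unfiltered set never reaches the Subject.
        final Map<String, IdPAttribute> released =
                attributeContext != null ? attributeContext.getIdPAttributes() : null;
        if (released != null && !released.isEmpty()) {
            log.debug("{} Adding filtered inbound attributes to Subject", getLogPrefix());
            subject.getPrincipals().addAll(released.values().stream().map(IdPAttributePrincipal::new).toList());
        }

        final Function<ProfileRequestContext, Collection<Principal>> credentialMapper =
                contextToPrivateCredentialsMappingStrategy;
        if (credentialMapper != null) {
            final Collection<Principal> credentials = credentialMapper.apply(prc);
            if (credentials != null) {
                subject.getPrivateCredentials().addAll(credentials);
                log.trace("{} Added '{}' private credential(s) from mapping strategy", getLogPrefix(),
                        credentials.size());
            }
        }
        return subject;
    }

    /**
     * Reads the id_token {@code amr} claim as a string list.
     *
     * @return the AMR values, or an empty list if the claim is absent, not a collection or unparseable
     */
    @Nonnull
    private List<String> amrClaimValues() {
        if (!(unprocessedIdTokenClaims.getClaim("amr") instanceof Collection)) {
            return Collections.emptyList();
        }
        try {
            return unprocessedIdTokenClaims.getStringListClaim("amr");
        } catch (final ParseException e) {
            log.debug("Unable to parse AMR claims", e);
            return Collections.emptyList();
        }
    }

    /**
     * Adds translated principals to the Subject, logging their names at debug.
     *
     * @param subject the subject to add to
     * @param principals translator output; null or empty adds nothing
     * @param debugMessage SLF4J format taking the log prefix and the list of principal names
     */
    private void addTranslatedPrincipals(@Nonnull final Subject subject,
            @Nullable final Collection<Principal> principals, @Nonnull final String debugMessage) {
        if (principals == null || principals.isEmpty()) {
            return;
        }
        subject.getPrincipals().addAll(principals);
        if (log.isDebugEnabled()) {
            log.debug(debugMessage, getLogPrefix(), principals.stream().map(Principal::getName).toList());
        }
    }

    /**
     * Builds the proxy principal recording the id_token issuer as the upstream authority.
     *
     * @return the proxy principal
     */
    @Nonnull
    private ProxyAuthenticationPrincipal buildProxyPrincipal() {
        final ProxyAuthenticationPrincipal proxyPrincipal = new ProxyAuthenticationPrincipal();
        proxyPrincipal.getAuthorities().add(unprocessedIdTokenClaims.getIssuer());
        return proxyPrincipal;
    }

    /**
     * Decodes each end-user claim into IdPAttributes, stores them as the unfiltered set of a new
     * {@link AttributeContext} under the RelyingPartyContext, and runs the inbound filter.
     *
     * <p>The transcoder component is held in a try-with-resources so it is released on every path,
     * including exceptions thrown while decoding.</p>
     *
     * @param profileRequestContext the profile request context
     */
    private void processAttributes(@Nonnull final ProfileRequestContext profileRequestContext) {
        log.debug("{} Decoding incoming OIDC claims", getLogPrefix());
        final Multimap<String, IdPAttribute> decoded = HashMultimap.create();
        assert transcoderRegistry != null;

        try (ServiceableComponent<AttributeTranscoderRegistry> component = transcoderRegistry.getServiceableComponent()) {
            final ClaimsSet endUserClaims = endUserContext.getEndUserClaims();
            assert endUserClaims != null;
            // Each claim is decoded in isolation so one bad claim does not abort the rest.
            for (final Map.Entry<String, Object> entry : endUserClaims.toJSONObject().entrySet()) {
                try {
                    final JSONObject singleClaim = new JSONObject();
                    singleClaim.put(entry.getKey(), entry.getValue());
                    decodeAttribute(component.getComponent(), profileRequestContext, singleClaim, decoded);
                } catch (final AttributeDecodingException e) {
                    log.error("{} Error decoding inbound claim", getLogPrefix(), e);
                }
            }
        } catch (final ServiceException e) {
            log.error("Attribute transcoder service unavailable", e);
            return;
        }

        log.debug("{} Incoming OIDC Attributes mapped to attribute IDs: {}", getLogPrefix(), decoded.keySet());
        if (decoded.isEmpty()) {
            return;
        }

        // NOTE(review): located via getSubcontext rather than the configured lookup strategy;
        // equivalent under the default strategy.
        final RelyingPartyContext rpContext = profileRequestContext.getSubcontext(RelyingPartyContext.class);
        assert rpContext != null;
        final AttributeContext attrContext = rpContext.ensureSubcontext(AttributeContext.class);
        attributeContext = attrContext;
        assert attrContext != null;

        // Decoded values go to the unfiltered set only; the filtered set is reset so that nothing is
        // released unless the filter actually runs.
        attrContext.setUnfilteredIdPAttributes(decoded.values());
        attrContext.setIdPAttributes(null);
        filterAttributes(profileRequestContext);
    }

    /**
     * Runs the inbound attribute filter over the unfiltered attributes and stores the survivors as the
     * attribute context's filtered set. Without a filter service only a warning is logged and the
     * filtered set is left as it was.
     *
     * @param profileRequestContext the profile request context
     */
    private void filterAttributes(@Nonnull final ProfileRequestContext profileRequestContext) {
        final ReloadableService<AttributeFilter> filterService = attributeFilterService;
        if (filterService == null) {
            log.warn("{} No AttributeFilter service provided", getLogPrefix());
            return;
        }

        final AttributeFilterContext filterContext = profileRequestContext.ensureSubcontext(AttributeFilterContext.class);
        populateFilterContext(profileRequestContext, filterContext);

        try (ServiceableComponent<AttributeFilter> component = filterService.getServiceableComponent()) {
            component.getComponent().filterAttributes(filterContext);
            // The filter context is transient; detach it once its result has been read.
            filterContext.removeFromParent();
            assert attributeContext != null;
            attributeContext.setIdPAttributes(filterContext.getFilteredIdPAttributes().values());
        } catch (final ServiceException e) {
            log.error("{} Invalid AttributeFilter configuration", getLogPrefix(), e);
        } catch (final AttributeFilterException e) {
            log.error("{} Error while filtering inbound attributes", getLogPrefix(), e);
        }
    }

    /**
     * Configures the filter context for an inbound (proxied) filtering pass: the unfiltered attributes as
     * input, this IdP as issuer and the requester as recipient, and the upstream OP's SAML metadata
     * context (if any) as the issuer metadata.
     *
     * @param profileRequestContext the profile request context
     * @param filterContext the filter context to populate
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if no responder or requester
     *             lookup strategy is configured
     */
    private void populateFilterContext(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AttributeFilterContext filterContext) {
        final AttributeContext attrContext = attributeContext;
        assert attrContext != null;

        final Function<ProfileRequestContext, String> responderLookup =
                Constraint.isNotNull(getResponderLookupStrategy(), "No responder Strategy");
        final Function<ProfileRequestContext, String> requesterLookup =
                Constraint.isNotNull(getRequesterLookupStrategy(), "No requester strategy");

        filterContext.setDirection(AttributeFilterContext.Direction.INBOUND)
                .setPrefilteredIdPAttributes(attrContext.getUnfilteredIdPAttributes().values())
                .setMetadataResolver(metadataResolver)
                .setRequesterMetadataContextLookupStrategy(null)
                .setIssuerMetadataContextLookupStrategy(new SAMLMetadataContextLookupFunction()
                        .compose(new RecursiveTypedParentContextLookup<>(ProfileRequestContext.class)))
                .setProxiedRequesterContextLookupStrategy(null)
                .setAttributeIssuerID(responderLookup.apply(profileRequestContext))
                .setAttributeRecipientID(requesterLookup.apply(profileRequestContext));
    }

    /**
     * Decodes a single claim (wrapped as a one-entry JSON object) with every matching transcoding rule and
     * records the resulting attributes by ID.
     *
     * @param registry the transcoder registry
     * @param profileRequestContext the profile request context
     * @param claim one-entry JSON object holding the claim
     * @param results live collection receiving decoded attributes
     * @throws AttributeDecodingException if a transcoder fails
     */
    private void decodeAttribute(@Nonnull final AttributeTranscoderRegistry registry,
            @Nonnull final ProfileRequestContext profileRequestContext, @Nonnull final JSONObject claim,
            @Nonnull @Live @NonnullElements final Multimap<String, IdPAttribute> results)
            throws AttributeDecodingException {
        final Collection<TranscodingRule> rules = registry.getTranscodingRules(claim);
        if (rules.isEmpty()) {
            log.debug("{} No transcoding rule for Attribute '{}'", getLogPrefix(), claim);
            return;
        }
        for (final TranscodingRule rule : rules) {
            assert rule != null;
            final IdPAttribute decoded = TranscoderSupport.getTranscoder(rule).decode(profileRequestContext, claim, rule);
            if (decoded != null) {
                results.put(decoded.getId(), decoded);
            }
        }
    }
}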
