package net.shibboleth.idp.plugin.authn.webauthn.context.logic;

import java.util.Collection;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.MultiFactorAuthenticationContext;
import net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy;
import net.shibboleth.shared.annotation.constraint.NonnullElements;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.component.AbstractInitializableComponent;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.PredicateSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/webauthn/context/logic/IsSecondFactor.class */
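/**
 * Predicate that decides whether the WebAuthn authentication flow is being used as a second
 * factor (returns {@code true}) or as a first factor (returns {@code false}).
 *
 * <p>Every default points at "first factor": {@link #setEnabled(boolean)} defaults to
 * always-false, the override defaults to always-false and the set of allowed previous factors is
 * empty. Second-factor usage is reported only when the feature is enabled and either the
 * override predicate fires or both a principal name and an allowed, active previous factor are
 * found.</p>
 *
 * <p>NOTE(review): callers presumably relax or change what the WebAuthn step must prove when this
 * returns {@code true}, so the override and the allowed-factor list are assurance-relevant
 * configuration; confirm against the flow that consumes this predicate.</p>
 */
public class IsSecondFactor extends AbstractInitializableComponent implements Predicate<ProfileRequestContext> {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(IsSecondFactor.class);

    /** When this matches (and the component is enabled), second-factor usage is reported unconditionally. */
    @Nonnull
    private Predicate<ProfileRequestContext> secondFactorOverride = PredicateSupport.alwaysFalse();

    /** Master switch; when it does not match, first-factor usage is always reported. */
    @Nonnull
    private Predicate<ProfileRequestContext> enabled = PredicateSupport.alwaysFalse();

    /** Strategy used to find the principal name established earlier in the request. */
    @Nonnull
    private Function<ProfileRequestContext, String> usernameLookupStrategy = new CanonicalUsernameLookupStrategy();

    /** Keys of active MFA results that are accepted as a preceding factor. */
    @Nonnull
    @NonnullElements
    private Set<String> allowedPreviousFactors = CollectionSupport.emptySet();

    /**
     * Sets the strategy used to look up the principal name.
     *
     * @param function lookup strategy, must not be null
     */
    public void setUsernameLookupStrategy(@Nonnull Function<ProfileRequestContext, String> function) {
        // Inherited check; presumably rejects changes once the component is initialized.
        checkSetterPreconditions();
        this.usernameLookupStrategy = Constraint.isNotNull(function, "Username lookup strategy cannot be null");
    }

    /**
     * Sets the predicate that enables second-factor detection.
     *
     * @param predicate enabling condition, must not be null
     */
    public void setEnabled(@Nonnull Predicate<ProfileRequestContext> predicate) {
        checkSetterPreconditions();
        this.enabled = Constraint.isNotNull(predicate, "Enabled predicate can not be null");
    }

    /**
     * Enables or disables second-factor detection with a fixed value.
     *
     * @param z {@code true} to enable, {@code false} to always report first-factor usage
     */
    public void setEnabled(boolean z) {
        checkSetterPreconditions();
        this.enabled = z ? PredicateSupport.alwaysTrue() : PredicateSupport.alwaysFalse();
    }

    /**
     * Sets the predicate that forces second-factor usage.
     *
     * <p>When it matches, {@link #test(ProfileRequestContext)} returns {@code true} before the
     * principal name or any previous factor is looked at, so it should only match requests for
     * which an earlier factor is guaranteed by other means.</p>
     *
     * @param predicate override condition, must not be null
     */
    public void setSecondFactorOverride(@Nonnull Predicate<ProfileRequestContext> predicate) {
        checkSetterPreconditions();
        this.secondFactorOverride =
                Constraint.isNotNull(predicate, "SecondFactorOverride predicate can not be null");
    }

    /**
     * Forces (or stops forcing) second-factor usage with a fixed value.
     *
     * @param z {@code true} to report second-factor usage for every enabled request
     */
    public void setSecondFactorOverride(boolean z) {
        checkSetterPreconditions();
        this.secondFactorOverride = z ? PredicateSupport.alwaysTrue() : PredicateSupport.alwaysFalse();
    }

    /**
     * Sets the keys of the active MFA results that count as an acceptable previous factor.
     *
     * <p>The values are normalized and copied. A {@code null} argument leaves the current set
     * unchanged; it does not clear it.</p>
     *
     * @param collection accepted factor keys, may be null
     */
    public synchronized void setAllowedPreviousFactors(@Nullable @NonnullElements Collection<String> collection) {
        checkSetterPreconditions();
        if (collection != null) {
            this.allowedPreviousFactors =
                    CollectionSupport.copyToSet(StringSupport.normalizeStringCollection(collection));
        }
    }

    /**
     * Reports whether the request should be treated as second-factor usage.
     *
     * <p>Returns {@code false} for a null context, when the component is not enabled, when no
     * {@link AuthenticationContext} or {@link MultiFactorAuthenticationContext} is present, or
     * when either the principal name or an allowed active previous factor is missing. Returns
     * {@code true} when the override matches, or when both a principal name and an allowed
     * previous factor are found.</p>
     *
     * @param profileRequestContext current profile request context, may be null
     * @return {@code true} for second-factor usage, {@code false} for first-factor usage
     */
    @Override
    public boolean test(@Nullable ProfileRequestContext profileRequestContext) {
        checkComponentActive();
        if (profileRequestContext == null) {
            log.trace("Profile context was null, assuming first factor usage");
            return false;
        }
        if (!enabled.test(profileRequestContext)) {
            log.debug("Use as a second factor authentication flow disabled, assuming first factor usage");
            return false;
        }
        // The override is evaluated before any evidence of a previous factor is checked.
        if (secondFactorOverride.test(profileRequestContext)) {
            log.debug("Second factor authentication flow forced by configuration");
            return true;
        }
        final AuthenticationContext authnContext =
                profileRequestContext.getSubcontext(AuthenticationContext.class);
        if (authnContext == null) {
            log.debug("Authentication context was null, assuming first factor usage");
            return false;
        }
        final MultiFactorAuthenticationContext mfaContext =
                authnContext.getSubcontext(MultiFactorAuthenticationContext.class);
        if (mfaContext == null) {
            log.debug("No MFA context available, assuming first factor usage");
            return false;
        }

        final String principalName = StringSupport.trimOrNull(usernameLookupStrategy.apply(profileRequestContext));
        if (principalName != null) {
            log.trace("Found principal name '{}'", principalName);
        } else {
            log.trace("No previous principal name found");
        }

        // The decompiled lambda referenced an undefined name here; the filter must test
        // membership in the configured set of allowed previous factors.
        final Set<String> allowed = this.allowedPreviousFactors;
        final Optional<String> acceptedFactor =
                mfaContext.getActiveResults().keySet().stream().filter(allowed::contains).findFirst();
        acceptedFactor.ifPresent(factor -> log.trace("Found acceptable previous factor '{}'", factor));

        if (!acceptedFactor.isPresent()) {
            log.debug("Request did not contain an previous factor, assuming first factor usage");
            return false;
        }
        if (principalName == null) {
            // Logged separately so a missing principal is not reported as a missing factor.
            log.debug("Previous factor '{}' accepted but no principal name found, assuming first factor usage",
                    acceptedFactor.get());
            return false;
        }
        log.debug("Principal name '{}' found, and previous factor '{}' accepted, assuming second factor usage",
                principalName, acceptedFactor.get());
        return true;
    }
}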
