package net.shibboleth.idp.plugin.authn.webauthn.admin.impl;

import java.util.function.BiPredicate;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.plugin.authn.webauthn.context.WebAuthnAuthenticationContext;
import net.shibboleth.idp.plugin.authn.webauthn.context.WebAuthnRegistrationContext;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.collection.Pair;
import net.shibboleth.shared.component.AbstractIdentifiableInitializableComponent;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/webauthn/admin/impl/AllowCurrentUserAccessPredicate.class */
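/**
 * Access-control predicate that compares the username held in a WebAuthn registration or
 * authentication context with the principal name held in the {@link SubjectContext}.
 *
 * <p>The request is denied when neither WebAuthn context is found, or when no subject context is
 * found. Otherwise the decision is delegated to the configured comparison predicate, which
 * receives a {@link Pair} of (subject principal name, WebAuthn username).</p>
 *
 * <p>When both WebAuthn contexts are present, the username of the registration context is the
 * one used.</p>
 */
public class AllowCurrentUserAccessPredicate extends AbstractIdentifiableInitializableComponent implements Predicate<ProfileRequestContext> {

    /** Class logger. */
    @Nonnull
    @NotEmpty
    private final Logger log = LoggerFactory.getLogger(AllowCurrentUserAccessPredicate.class);

    /** Locates the {@link WebAuthnRegistrationContext} as a direct child of the profile request context. */
    @Nonnull
    private Function<ProfileRequestContext, WebAuthnRegistrationContext> webauthnRegistrationContextLookupStrategy = new ChildContextLookup<>(WebAuthnRegistrationContext.class);

    /** Locates the {@link WebAuthnAuthenticationContext} as a child of the {@link AuthenticationContext}. */
    @Nonnull
    private Function<ProfileRequestContext, WebAuthnAuthenticationContext> webauthnContextLookupStrategy = new ChildContextLookup<>(WebAuthnAuthenticationContext.class).compose(new ChildContextLookup<>(AuthenticationContext.class));

    /** Locates the {@link SubjectContext} as a direct child of the profile request context. */
    @Nonnull
    private Function<ProfileRequestContext, SubjectContext> subjectContextLookupStrategy = new ChildContextLookup<>(SubjectContext.class);

    /** Makes the final decision from the pair (subject principal name, WebAuthn username). */
    @Nonnull
    private BiPredicate<ProfileRequestContext, Pair<String, String>> comparisonPredicate = new DefaultCurrentUserComparisonPredicate();

    /**
     * Default comparison: access is granted when the WebAuthn username equals the subject's
     * principal name, using an exact, case-sensitive {@link String#equals(Object)}.
     *
     * <p>The first element of the pair is the subject principal name and the second is the
     * WebAuthn context username.</p>
     */
    public static class DefaultCurrentUserComparisonPredicate implements BiPredicate<ProfileRequestContext, Pair<String, String>> {

        /** Class logger. */
        @Nonnull
        @NotEmpty
        private final Logger log = LoggerFactory.getLogger(DefaultCurrentUserComparisonPredicate.class);

        /**
         * Decides whether the WebAuthn username belongs to the current subject.
         *
         * @param profileRequestContext the current profile request context; {@code null} denies access
         * @param pair (subject principal name, WebAuthn username); {@code null} denies access
         * @return {@code true} if access is granted
         */
        @Override
        public boolean test(@Nullable ProfileRequestContext profileRequestContext, @Nullable Pair<String, String> pair) {
            if (profileRequestContext == null || pair == null) {
                this.log.debug("Required context and username information not found, denying access");
                return false;
            }
            final String principalName = pair.getFirst();
            final String webauthnUsername = pair.getSecond();
            // NOTE(review): this branch fails open. It is evaluated before the principal-name
            // check below, so a pair with no WebAuthn username is granted access even when the
            // subject has no principal name. Confirm that every flow guarded by this predicate
            // treats a missing WebAuthn username as "nothing user-specific to protect yet".
            if (webauthnUsername == null) {
                this.log.debug("No username in WebAuthn context, granting access");
                return true;
            }
            if (principalName == null) {
                this.log.debug("No username in subject context, access requires authentication");
                return false;
            }
            // Exact comparison with no normalisation: names that differ only in case or
            // canonical form are treated as different users, so access is denied.
            final boolean matched = principalName.equals(webauthnUsername);
            // NOTE(review): both names are written to the debug log. If the WebAuthn username can
            // be user-supplied, confirm the log layout neutralises control characters.
            this.log.debug("Username in WebAuthn context '{}' {} with the authenticated principal '{}'",
                    webauthnUsername, matched ? "matched" : "did not match", principalName);
            return matched;
        }
    }

    /**
     * Sets the strategy used to locate the {@link WebAuthnAuthenticationContext}.
     *
     * @param function the lookup strategy; {@code null} is rejected by {@code Constraint.isNotNull}
     */
    public void setWebauthnContextLookupStrategy(@Nonnull Function<ProfileRequestContext, WebAuthnAuthenticationContext> function) {
        // Inherited guard; presumably rejects changes once the component is initialized.
        checkSetterPreconditions();
        this.webauthnContextLookupStrategy = Constraint.isNotNull(function, "WebAuthnAuthenticationContext lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to locate the {@link SubjectContext}.
     *
     * @param function the lookup strategy; {@code null} is rejected by {@code Constraint.isNotNull}
     */
    public void setSubjectContextLookupStrategy(@Nonnull Function<ProfileRequestContext, SubjectContext> function) {
        checkSetterPreconditions();
        this.subjectContextLookupStrategy = Constraint.isNotNull(function, "SubjectContext lookup strategy cannot be null");
    }

    /**
     * Sets the predicate that compares the subject principal name with the WebAuthn username.
     *
     * <p>This predicate makes the final access decision, so a replacement should deny access
     * whenever it cannot establish a match.</p>
     *
     * @param biPredicate the comparison predicate; {@code null} is rejected by {@code Constraint.isNotNull}
     */
    public void setComparisonPredicate(@Nonnull BiPredicate<ProfileRequestContext, Pair<String, String>> biPredicate) {
        checkSetterPreconditions();
        this.comparisonPredicate = Constraint.isNotNull(biPredicate, "ComparisonPredicate can not be null");
    }

    /**
     * Sets the strategy used to locate the {@link WebAuthnRegistrationContext}.
     *
     * @param function the lookup strategy; {@code null} is rejected by {@code Constraint.isNotNull}
     */
    public void setWebauthnRegistrationContextLookupStrategy(@Nonnull Function<ProfileRequestContext, WebAuthnRegistrationContext> function) {
        checkSetterPreconditions();
        // The message names the registration strategy so a misconfiguration points at the right property.
        this.webauthnRegistrationContextLookupStrategy = Constraint.isNotNull(function, "WebAuthnRegistrationContext lookup strategy cannot be null");
    }

    /**
     * Evaluates whether the request may proceed.
     *
     * @param profileRequestContext the current profile request context
     * @return {@code false} if neither WebAuthn context or no subject context is found; otherwise
     *         the result of the comparison predicate
     */
    @Override
    public boolean test(ProfileRequestContext profileRequestContext) {
        final WebAuthnRegistrationContext registrationContext = this.webauthnRegistrationContextLookupStrategy.apply(profileRequestContext);
        final WebAuthnAuthenticationContext authenticationContext = this.webauthnContextLookupStrategy.apply(profileRequestContext);
        if (registrationContext == null && authenticationContext == null) {
            this.log.debug("{}: Registration or authentication context not found, access requires either a registration or authentication context", getId());
            return false;
        }
        // At least one context is non-null here; the registration context takes precedence.
        final String webauthnUsername = registrationContext != null
                ? registrationContext.getUsername()
                : authenticationContext.getUsername();
        final SubjectContext subjectContext = this.subjectContextLookupStrategy.apply(profileRequestContext);
        if (subjectContext == null) {
            // Fail closed: without a subject context there is no current user to compare against.
            this.log.debug("{}: No subject context found, access requires authentication.", getId());
            return false;
        }
        // Pair order is (subject principal name, WebAuthn username); the comparison predicate relies on it.
        return this.comparisonPredicate.test(profileRequestContext, new Pair<>(subjectContext.getPrincipalName(), webauthnUsername));
    }
}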
