package net.shibboleth.idp.plugin.authn.webauthn.impl;

import com.yubico.webauthn.data.AuthenticatorAssertionResponse;
import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.ClientAssertionExtensionOutputs;
import com.yubico.webauthn.data.PublicKeyCredential;
import com.yubico.webauthn.data.PublicKeyCredentialRequestOptions;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AbstractValidationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.idp.plugin.authn.webauthn.authn.AssertionResult;
import net.shibboleth.idp.plugin.authn.webauthn.client.WebAuthnAuthenticationClient;
import net.shibboleth.idp.plugin.authn.webauthn.context.WebAuthnAuthenticationContext;
import net.shibboleth.idp.plugin.authn.webauthn.exception.AssertionFailureException;
import net.shibboleth.idp.plugin.authn.webauthn.principal.WebAuthnUserIdPrinicpal;
import net.shibboleth.idp.plugin.authn.webauthn.storage.StorageServiceCredentialRepository;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/webauthn/impl/ValidateWebAuthnAssertion.class */
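/**
 * Validation action for the WebAuthn login flow.
 *
 * <p>Reads the authenticator assertion the browser posted into the
 * {@link WebAuthnAuthenticationContext}, hands it to the configured
 * {@link WebAuthnAuthenticationClient} for verification against the
 * {@link PublicKeyCredentialRequestOptions} that were issued for this attempt, persists
 * the authenticator's signature counter and, only if all of that succeeds, builds the
 * IdP authentication result.</p>
 *
 * <p>Every failure path signals {@code InvalidCredentials} through {@link #handleError}
 * and calls {@link #recordFailure} so the base class's failure accounting sees it; the
 * username and user handle placed into the context afterwards come from the validated
 * result, not from whatever the client originally claimed.</p>
 */
public class ValidateWebAuthnAssertion extends AbstractValidationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateWebAuthnAssertion.class);

    /**
     * Locates the {@link WebAuthnAuthenticationContext} hanging off the
     * {@link AuthenticationContext} child of the profile request context.
     */
    @Nonnull
    private final Function<ProfileRequestContext, WebAuthnAuthenticationContext> webauthnContextLookupStrategy =
            new ChildContextLookup<>(WebAuthnAuthenticationContext.class)
                    .compose(new ChildContextLookup<>(AuthenticationContext.class));

    /** WebAuthn context located in {@link #doPreExecute}. */
    @NonnullBeforeExec
    private WebAuthnAuthenticationContext context;

    /** Client that performs the actual assertion verification. */
    @NonnullAfterInit
    private WebAuthnAuthenticationClient webAuthnClient;

    /** Credential store used to persist the per-credential signature counter. */
    @NonnullAfterInit
    private StorageServiceCredentialRepository credentialRepository;

    /** Request options the posted assertion must answer; located in {@link #doPreExecute}. */
    @NonnullBeforeExec
    private PublicKeyCredentialRequestOptions publicKeyCredentialRequestOptions;

    /**
     * {@inheritDoc}
     *
     * @throws ComponentInitializationException if the client or the repository was not injected
     */
    protected void doInitialize() throws ComponentInitializationException {
        if (webAuthnClient == null) {
            throw new ComponentInitializationException("WebAuthn client can not be null. Configuration error.");
        }
        if (credentialRepository == null) {
            throw new ComponentInitializationException("CredentialRepository can not be null");
        }
        super.doInitialize();
    }

    /**
     * Set the credential repository used to persist signature counters.
     *
     * @param storageServiceCredentialRepository the repository, never null
     */
    public void setCredentialRepository(
            @Nonnull final StorageServiceCredentialRepository storageServiceCredentialRepository) {
        checkSetterPreconditions();
        credentialRepository = Constraint.isNotNull(storageServiceCredentialRepository,
                "Credential repository can not be null");
    }

    /**
     * Set the client that verifies assertions.
     *
     * @param webAuthnAuthenticationClient the client, never null
     */
    public void setWebAuthnClient(@Nonnull final WebAuthnAuthenticationClient webAuthnAuthenticationClient) {
        checkSetterPreconditions();
        webAuthnClient = Constraint.isNotNull(webAuthnAuthenticationClient, "WebAuthn client can not be null");
    }

    /**
     * Locate the WebAuthn context and the request options the assertion has to answer.
     *
     * <p>A missing context or missing options is a flow/configuration problem, not a bad
     * credential, so it is reported as {@code InvalidAuthenticationContext} without going
     * through {@link #handleError} or {@link #recordFailure}.</p>
     *
     * <p>NOTE(review): {@code super.doPreExecute} is deliberately not called here, matching
     * the original; confirm the base class does no pre-execute work this action depends on.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return true iff both the context and the request options were found
     */
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        context = webauthnContextLookupStrategy.apply(profileRequestContext);
        if (context == null) {
            log.warn("{} No WebAuthn context returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidAuthenticationContext");
            return false;
        }

        publicKeyCredentialRequestOptions = context.getPublicKeyCredentialRequestOptions();
        if (publicKeyCredentialRequestOptions == null) {
            log.warn("{} No public key credential request options in context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidAuthenticationContext");
            return false;
        }
        return true;
    }

    /**
     * Verify the posted assertion, persist its signature counter and build the result.
     *
     * <p>Order matters: the counter is only written to the store after the client has
     * accepted both the assertion and the counter, and a counter that cannot be stored
     * fails the login instead of being ignored. The username / user handle written back
     * into the context are taken from the validated result.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> assertion =
                context.getAuthenticatorAssertionResponse();
        if (assertion == null) {
            log.warn("{} No authenticator assertion found, {} can not authenticate", getLogPrefix(),
                    context.getUsername());
            handleError(profileRequestContext, authenticationContext, "InvalidResponseType", "InvalidCredentials");
            recordFailure(profileRequestContext);
            return;
        }

        try {
            // Username / user handle from the context may be absent for flows that do not
            // know the user up front; the client is responsible for resolving the credential.
            final AssertionResult result = webAuthnClient.validateAuthenticatorAssertionResponse(
                    context.getUsername(), context.getUserId(), publicKeyCredentialRequestOptions, assertion);
            if (!result.isSuccess()) {
                throw new AssertionFailureException("Assertion was not valid");
            }
            // A counter that did not advance is rejected outright (the library flags this;
            // it is the usual signal of a cloned authenticator), even though the signature verified.
            if (!result.isSignatureCounterValid()) {
                throw new AssertionFailureException("Assertion was not valid, signature count is invalid");
            }
            updateSignatureCount(result.getUsername(), assertion);
            log.info("{} WebAuthn authentication succeeded for '{}'", getLogPrefix(), result.getUsername());
            context.setUsername(result.getUsername());
            context.setUserId(result.getUserId());
            buildAuthenticationResult(profileRequestContext, authenticationContext);
        } catch (final AssertionFailureException e) {
            // Trailing throwable argument makes SLF4J log the stack trace.
            log.warn("{} Error validating authenticator assertion for '{}'", getLogPrefix(),
                    context.getUsername() != null ? context.getUsername() : "unknown username", e);
            handleError(profileRequestContext, authenticationContext, e, "InvalidCredentials");
            recordFailure(profileRequestContext);
        }
    }

    /**
     * Persist the signature counter carried by the assertion for the credential that signed it.
     *
     * @param username owner of the credential, as reported by the validated result
     * @param credential the posted assertion
     * @throws AssertionFailureException if the assertion carries no credential id, or the
     *             repository reports that the update did not happen
     */
    private void updateSignatureCount(@Nonnull final String username,
            @Nonnull final PublicKeyCredential<AuthenticatorAssertionResponse, ClientAssertionExtensionOutputs> credential)
            throws AssertionFailureException {
        final ByteArray credentialId = credential.getId();
        if (credentialId == null) {
            throw new AssertionFailureException("Can not update signature count for user '" + username
                    + "'. Assertion does not contain the credential Id.");
        }
        final long counter = credential.getResponse().getParsedAuthenticatorData().getSignatureCounter();
        // Fail closed: an update the store did not accept is a failed login, not a warning.
        if (!credentialRepository.updateSignatureCounter(username, credentialId, counter)) {
            throw new AssertionFailureException("Failed to update signature counter");
        }
    }

    /**
     * {@inheritDoc}
     *
     * <p>Delegates to the base class; kept as an explicit override point.</p>
     */
    protected void buildAuthenticationResult(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        super.buildAuthenticationResult(profileRequestContext, authenticationContext);
    }

    /**
     * Add the WebAuthn user handle and, for first-factor use, the username to the subject.
     *
     * <p>When the action runs as a second factor the username principal is expected to
     * be present already from the first factor, so only the user-id principal is added.</p>
     *
     * @param subject subject being built
     * @return the same subject
     */
    protected Subject populateSubject(@Nonnull final Subject subject) {
        final byte[] userId = context.getUserId();
        if (userId != null) {
            subject.getPrincipals().add(new WebAuthnUserIdPrinicpal(userId));
        }
        if (context.isSecondFactor()) {
            log.trace("{} second factor usage, username principal already set", getLogPrefix());
            return subject;
        }
        final String username = context.getUsername();
        // doExecute stores the validated username in the context before building the result.
        assert username != null;
        subject.getPrincipals().add(new UsernamePrincipal(username));
        return subject;
    }
}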
