package net.shibboleth.idp.plugin.authn.webauthn.impl;

import com.yubico.webauthn.data.ByteArray;
import com.yubico.webauthn.data.PublicKeyCredential;
import java.util.Optional;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.plugin.authn.webauthn.context.WebAuthnAuthenticationContext;
import net.shibboleth.idp.plugin.authn.webauthn.storage.StorageServiceCredentialRepository;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.PredicateSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/webauthn/impl/LookupRegisteredCredentialsFromUserHandle.class */
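/**
 * Authentication action that resolves the account behind a WebAuthn assertion from the
 * {@code userHandle} returned by the authenticator and checks that the account still has
 * registered credentials.
 *
 * <p>Outcomes visible in this class:</p>
 * <ul>
 *   <li>no assertion in the WebAuthn context: event {@code InvalidProfileContext};</li>
 *   <li>the username resolved from the userHandle differs from a username already present in
 *       the WebAuthn context: event {@code NoCredentials};</li>
 *   <li>no userHandle, unknown userHandle, or no registrations for the resolved username: the
 *       configurable "no credentials" event, but only when the trigger predicate is true;</li>
 *   <li>otherwise no event is built.</li>
 * </ul>
 *
 * <p>NOTE(review): nothing in this action verifies the assertion signature, so the userHandle is
 * still client-supplied data at this point. Presumably verification happens in another action of
 * the flow; confirm that a lookup success here is never treated as proof of identity.</p>
 */
public class LookupRegisteredCredentialsFromUserHandle extends AbstractWebAuthnAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(LookupRegisteredCredentialsFromUserHandle.class);

    /** Event built when no registered credentials are found and the trigger predicate is true. */
    @Nonnull
    @NotEmpty
    private String noCredentialsEventId = "NoRegisteredWebAuthnCredentials";

    /** Decides whether a failed lookup builds {@link #noCredentialsEventId}; false by default. */
    private Predicate<ProfileRequestContext> triggerEventOnNoCredentialsPredicate = PredicateSupport.alwaysFalse();

    /**
     * Sets a fixed answer for whether a failed lookup builds the "no credentials" event.
     *
     * @param z {@code true} to always build the event, {@code false} to never build it
     */
    public void setTriggerEventOnNoCredentials(boolean z) {
        checkSetterPreconditions();
        this.triggerEventOnNoCredentialsPredicate = z ? PredicateSupport.alwaysTrue() : PredicateSupport.alwaysFalse();
    }

    /**
     * Sets the predicate that decides whether a failed lookup builds the "no credentials" event.
     *
     * @param predicate the predicate to evaluate against the profile request context, never null
     */
    public void setTriggerEventOnNoCredentialsPredicate(@Nonnull Predicate<ProfileRequestContext> predicate) {
        checkSetterPreconditions();
        // The generic result of the null check is assigned directly; no raw-type cast is needed.
        this.triggerEventOnNoCredentialsPredicate =
                Constraint.isNotNull(predicate, "TriggerEventOnNoCredentialsPredicate can not be null");
    }

    /**
     * Sets the identifier of the event built when no registered credentials are found.
     *
     * @param str the event identifier, neither null nor empty
     */
    public void setNoCredentialsEventId(@Nonnull @NotEmpty String str) {
        checkSetterPreconditions();
        this.noCredentialsEventId = Constraint.isNotEmpty(str, "NoCredentialsEventId can not be null or empty");
    }

    /**
     * Fails initialization when no credential repository is configured, so that
     * {@link #doExecute} never runs without one.
     *
     * @throws ComponentInitializationException if the credential repository is null
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.plugin.authn.webauthn.impl.AbstractWebAuthnAuthenticationAction
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (getCredentialRepository() == null) {
            throw new ComponentInitializationException("The credential repository can not be null");
        }
    }

    /**
     * Looks up the username for the assertion's userHandle and checks that it has registrations.
     *
     * @param profileRequestContext the profile request context on which events are built
     * @param authenticationContext the authentication context (not read by this method)
     * @param webAuthnAuthenticationContext supplies the assertion and, optionally, a username
     */
    @Override // net.shibboleth.idp.plugin.authn.webauthn.impl.AbstractWebAuthnAuthenticationAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull WebAuthnAuthenticationContext webAuthnAuthenticationContext) {
        // 'var' keeps whatever generic parameters the context getter declares instead of
        // decaying to a raw PublicKeyCredential.
        final var assertion = webAuthnAuthenticationContext.getAuthenticatorAssertionResponse();
        if (assertion == null) {
            this.log.error("{} Unable to find Assertion in WebAuthn authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return;
        }

        final String username = webAuthnAuthenticationContext.getUsername();
        final StorageServiceCredentialRepository credentialRepository = getCredentialRepository();
        // doInitialize() already rejects a null repository; this only documents the invariant.
        assert credentialRepository != null;

        final Optional<ByteArray> userHandle = assertion.getResponse().getUserHandle();
        boolean credentialsFound = false;
        if (userHandle.isEmpty()) {
            this.log.debug("{} User could not be found, the authenticator did not supply a userHandle, no registered credentials", getLogPrefix());
        } else {
            final Optional<String> usernameForUserHandle = credentialRepository.getUsernameForUserHandle(userHandle.get());
            if (usernameForUserHandle.isEmpty()) {
                this.log.debug("{} User could not be found from the supplied userHandle, no registered credentials", getLogPrefix());
            } else if (username != null && !usernameForUserHandle.get().equals(username)) {
                // Account-binding check: an assertion whose userHandle maps to a different account
                // than the username already in the context is rejected outright, independent of
                // the trigger predicate.
                this.log.debug("{} Username '{}' found from the userHandle was not the same as in the authentication context '{}'", getLogPrefix(), usernameForUserHandle.get(), username);
                ActionSupport.buildEvent(profileRequestContext, "NoCredentials");
                return;
            } else if (credentialRepository.getRegistrationsByUsername(usernameForUserHandle.get()).isEmpty()) {
                this.log.debug("{} Could not find any registered credentials for userHandle '{}'", getLogPrefix(), userHandle.get().getBase64());
            } else {
                credentialsFound = true;
            }
        }

        // The predicate is evaluated first, exactly as before, so any side effects it has are kept.
        // NOTE(review): with the default alwaysFalse() predicate a failed lookup builds no event
        // here; presumably a later action rejects the request - confirm in the flow definition.
        if (!this.triggerEventOnNoCredentialsPredicate.test(profileRequestContext) || credentialsFound) {
            return;
        }
        this.log.debug("{} Triggering event '{}' ", getLogPrefix(), this.noCredentialsEventId);
        ActionSupport.buildEvent(profileRequestContext, this.noCredentialsEventId);
    }
}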
