package net.shibboleth.idp.saml.saml2.profile.impl;

import java.security.Principal;
import java.time.Instant;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.profile.IdPEventIds;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextDeclRefPrincipal;
import net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy;
import net.shibboleth.utilities.java.support.security.impl.SecureRandomIdentifierGenerationStrategy;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ParentContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.SAMLObjectBuilder;
import org.opensaml.saml.common.SAMLVersion;
import org.opensaml.saml.saml2.core.AuthnContextComparisonTypeEnumeration;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.IDPEntry;
import org.opensaml.saml.saml2.core.IDPList;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.opensaml.saml.saml2.core.Scoping;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.0.0.jar:net/shibboleth/idp/saml/saml2/profile/impl/AddAuthnRequest.class */
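/**
 * Authentication action that builds a SAML 2.0 {@link AuthnRequest} addressed to an upstream
 * (proxied) identity provider and installs it as the outbound message.
 *
 * <p>The request is shaped by the active {@link BrowserSSOProfileConfiguration} (ForceAuthn,
 * NameID format precedence, default authentication methods and their comparison operator,
 * scoping policy) and by the {@link AuthenticationContext} (IsPassive, proxy count, proxiable
 * authorities). Request IDs come from an {@link IdentifierGenerationStrategy} located per request,
 * defaulting to a {@link SecureRandomIdentifierGenerationStrategy}.</p>
 *
 * <p>State located in {@link #doPreExecute} is kept in instance fields for use by
 * {@link #doExecute}, so an instance must not be shared across concurrent requests.
 * NOTE(review): this presumes the action is deployed with per-request (non-singleton) scope —
 * confirm in the flow wiring.</p>
 *
 * <p>Events signalled on failure: {@link IdPEventIds#INVALID_PROFILE_CONFIG},
 * {@link EventIds#INVALID_MSG_CTX}, {@link EventIds#INVALID_PROFILE_CTX}.</p>
 */
public class AddAuthnRequest extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(AddAuthnRequest.class);

    /** Whether an existing outbound message may be replaced rather than treated as an error. */
    private boolean overwriteExisting;

    /**
     * Strategy used to locate the {@link IdentifierGenerationStrategy} that mints the request ID.
     * Defaults to a fresh {@link SecureRandomIdentifierGenerationStrategy} for every request.
     */
    @Nonnull private Function<ProfileRequestContext, IdentifierGenerationStrategy> idGeneratorLookupStrategy =
            prc -> new SecureRandomIdentifierGenerationStrategy();

    /** Optional strategy used to obtain the Issuer value; when unset the Issuer element is omitted. */
    @Nullable private Function<ProfileRequestContext, String> issuerLookupStrategy;

    /** Profile configuration located in {@link #doPreExecute}. */
    @Nullable private BrowserSSOProfileConfiguration profileConfiguration;

    /** ID generator located in {@link #doPreExecute}. */
    @Nullable private IdentifierGenerationStrategy idGenerator;

    /** Issuer value located in {@link #doPreExecute}, or null to leave Issuer unset. */
    @Nullable private String issuerId;

    /** Constructor. */
    public AddAuthnRequest() {
        // The AuthenticationContext is resolved as the *parent* of the context this action runs
        // against (presumably the nested ProfileRequestContext of a proxied flow — confirm against
        // the calling flow).
        setAuthenticationContextLookupStrategy(new ParentContextLookup<>(AuthenticationContext.class));
    }

    /**
     * Set whether an existing outbound message should be overwritten rather than treated as an
     * error. Defaults to false.
     *
     * @param flag flag to set
     */
    public void setOverwriteExisting(final boolean flag) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        overwriteExisting = flag;
    }

    /**
     * Set the strategy used to locate the {@link IdentifierGenerationStrategy} for the request ID.
     *
     * @param strategy lookup strategy, never null
     */
    public void setIdentifierGeneratorLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, IdentifierGenerationStrategy> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        idGeneratorLookupStrategy = Constraint.isNotNull(strategy,
                "IdentifierGenerationStrategy lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to obtain the Issuer value, or null to omit the Issuer element.
     *
     * @param strategy lookup strategy, may be null
     */
    public void setIssuerLookupStrategy(@Nullable final Function<ProfileRequestContext, String> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        issuerLookupStrategy = strategy;
    }

    /**
     * Locates the {@link BrowserSSOProfileConfiguration}, the outbound message context, the ID
     * generator and (optionally) the Issuer value for this request.
     *
     * <p>Signals {@link IdPEventIds#INVALID_PROFILE_CONFIG} when no browser SSO profile
     * configuration is active, {@link EventIds#INVALID_MSG_CTX} when there is no outbound message
     * context or it already holds a message and overwriting is not enabled, and
     * {@link EventIds#INVALID_PROFILE_CTX} when no ID generator can be located.</p>
     *
     * {@inheritDoc}
     */
    @Override
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {

        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }

        // Resolve afresh for every request rather than trusting a value left over from an earlier run.
        profileConfiguration = lookupProfileConfiguration(profileRequestContext);
        if (profileConfiguration == null) {
            log.error("{} BrowserSSOProfileConfiguration not found", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, IdPEventIds.INVALID_PROFILE_CONFIG);
            return false;
        }

        final MessageContext outboundCtx = profileRequestContext.getOutboundMessageContext();
        if (outboundCtx == null) {
            log.debug("{} No outbound message context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
            return false;
        }
        if (outboundCtx.getMessage() != null && !overwriteExisting) {
            log.debug("{} Outbound message context already contains a message", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
            return false;
        }

        idGenerator = idGeneratorLookupStrategy.apply(profileRequestContext);
        if (idGenerator == null) {
            log.debug("{} No identifier generation strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }

        // Reset to null (not just "leave as is") when no strategy is configured.
        issuerId = issuerLookupStrategy != null ? issuerLookupStrategy.apply(profileRequestContext) : null;

        // Only reachable when no message is present or overwriting is permitted; clear the slot so
        // doExecute starts from an empty outbound message.
        outboundCtx.setMessage(null);
        return true;
    }

    /**
     * Returns the {@link BrowserSSOProfileConfiguration} carried by the {@link RelyingPartyContext},
     * or null when that context, its configuration, or a profile configuration of that type is absent.
     *
     * @param profileRequestContext current profile request context
     * @return the profile configuration, or null
     */
    @Nullable
    private static BrowserSSOProfileConfiguration lookupProfileConfiguration(
            @Nonnull final ProfileRequestContext profileRequestContext) {
        final RelyingPartyContext rpCtx = profileRequestContext.getSubcontext(RelyingPartyContext.class);
        if (rpCtx == null || rpCtx.getConfiguration() == null) {
            return null;
        }
        return rpCtx.getProfileConfig() instanceof BrowserSSOProfileConfiguration
                ? (BrowserSSOProfileConfiguration) rpCtx.getProfileConfig() : null;
    }

    /**
     * Builds the {@link AuthnRequest} and stores it as the outbound message.
     *
     * {@inheritDoc}
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {

        log.debug("{} Building AuthnRequest for upstream IdP ({})", getLogPrefix(),
                authenticationContext.getAuthenticatingAuthority());

        final XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
        final SAMLObjectBuilder<AuthnRequest> requestBuilder = (SAMLObjectBuilder<AuthnRequest>)
                builderFactory.<AuthnRequest>getBuilderOrThrow(AuthnRequest.DEFAULT_ELEMENT_NAME);

        final AuthnRequest request = requestBuilder.buildObject();
        // idGenerator is non-null here: doPreExecute fails the action otherwise.
        request.setID(idGenerator.generateIdentifier());
        request.setIssueInstant(Instant.now());
        request.setVersion(SAMLVersion.VERSION_20);

        if (issuerId != null) {
            log.debug("{} Setting Issuer to {}", getLogPrefix(), issuerId);
            final SAMLObjectBuilder<Issuer> issuerBuilder = (SAMLObjectBuilder<Issuer>)
                    builderFactory.<Issuer>getBuilderOrThrow(Issuer.DEFAULT_ELEMENT_NAME);
            final Issuer issuer = issuerBuilder.buildObject();
            issuer.setValue(issuerId);
            request.setIssuer(issuer);
        } else {
            log.debug("{} No issuer value available, leaving Issuer unset", getLogPrefix());
        }

        if (profileConfiguration.isForceAuthn(profileRequestContext)) {
            log.debug("{} Setting ForceAuthn for SAML AuthnRequest", getLogPrefix());
            request.setForceAuthn(Boolean.TRUE);
        }
        if (authenticationContext.isPassive()) {
            log.debug("{} Setting IsPassive for SAML AuthnRequest", getLogPrefix());
            request.setIsPassive(Boolean.TRUE);
        }

        request.setNameIDPolicy(buildNameIDPolicy(profileRequestContext, builderFactory));

        final RequestedAuthnContext requestedAuthnContext = getRequestedAuthnContext(profileRequestContext);
        if (requestedAuthnContext != null) {
            final AuthnContextComparisonTypeEnumeration comparison =
                    profileConfiguration.getAuthnContextComparison(profileRequestContext);
            if (comparison != null) {
                log.debug("{} Setting RequestedAuthnContext comparison to {}", getLogPrefix(), comparison);
                requestedAuthnContext.setComparison(comparison);
            }
            request.setRequestedAuthnContext(requestedAuthnContext);
        }

        request.setScoping(buildScoping(profileRequestContext, authenticationContext.getProxyCount(),
                authenticationContext.getProxiableAuthorities()));

        // Non-null: doPreExecute already failed the action when the outbound context was missing.
        profileRequestContext.getOutboundMessageContext().setMessage(request);
    }

    /**
     * Builds a {@link NameIDPolicy} with AllowCreate set and, when the profile configuration
     * defines a NameID format precedence, its first (most preferred) entry as the Format.
     *
     * @param profileRequestContext current profile request context
     * @param builderFactory builder factory to use
     * @return the policy element
     */
    @Nonnull
    private NameIDPolicy buildNameIDPolicy(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final XMLObjectBuilderFactory builderFactory) {
        final SAMLObjectBuilder<NameIDPolicy> policyBuilder = (SAMLObjectBuilder<NameIDPolicy>)
                builderFactory.<NameIDPolicy>getBuilderOrThrow(NameIDPolicy.DEFAULT_ELEMENT_NAME);
        final NameIDPolicy policy = policyBuilder.buildObject();
        policy.setAllowCreate(Boolean.TRUE);

        final List<String> formats = profileConfiguration.getNameIDFormatPrecedence(profileRequestContext);
        if (!formats.isEmpty()) {
            final String preferred = formats.get(0);
            log.debug("{} Setting NameIDPolicy Format to '{}' for SAML AuthnRequest", getLogPrefix(), preferred);
            policy.setFormat(preferred);
        }
        return policy;
    }

    /**
     * Builds a {@link RequestedAuthnContext} from the profile's default authentication methods.
     *
     * <p>{@link AuthnContextClassRefPrincipal}s take precedence: if any are configured they are
     * emitted as class references and any declaration references are ignored; otherwise any
     * {@link AuthnContextDeclRefPrincipal}s are emitted as declaration references. Other principal
     * types are ignored.</p>
     *
     * @param profileRequestContext current profile request context
     * @return the element, or null if no class or declaration references are configured
     */
    @Nullable
    private RequestedAuthnContext getRequestedAuthnContext(@Nullable final ProfileRequestContext profileRequestContext) {
        final List<Principal> methods = profileConfiguration.getDefaultAuthenticationMethods(profileRequestContext);
        if (methods.isEmpty()) {
            return null;
        }

        final SAMLObjectBuilder<RequestedAuthnContext> racBuilder = (SAMLObjectBuilder<RequestedAuthnContext>)
                XMLObjectProviderRegistrySupport.getBuilderFactory().<RequestedAuthnContext>getBuilderOrThrow(
                        RequestedAuthnContext.DEFAULT_ELEMENT_NAME);

        final List<AuthnContextClassRefPrincipal> classRefs = methods.stream()
                .filter(AuthnContextClassRefPrincipal.class::isInstance)
                .map(AuthnContextClassRefPrincipal.class::cast)
                .collect(Collectors.toUnmodifiableList());
        if (!classRefs.isEmpty()) {
            final RequestedAuthnContext rac = racBuilder.buildObject();
            rac.getAuthnContextClassRefs().addAll(classRefs.stream()
                    .map(AuthnContextClassRefPrincipal::getAuthnContextClassRef)
                    .collect(Collectors.toUnmodifiableList()));
            if (log.isDebugEnabled()) {
                // Guarded so the name list is only materialised when it will actually be logged.
                log.debug("{} Setting RequestedAuthnContext class refs to {}", getLogPrefix(),
                        classRefs.stream().map(Principal::getName).collect(Collectors.toUnmodifiableList()));
            }
            return rac;
        }

        final List<AuthnContextDeclRefPrincipal> declRefs = methods.stream()
                .filter(AuthnContextDeclRefPrincipal.class::isInstance)
                .map(AuthnContextDeclRefPrincipal.class::cast)
                .collect(Collectors.toUnmodifiableList());
        if (declRefs.isEmpty()) {
            return null;
        }

        final RequestedAuthnContext rac = racBuilder.buildObject();
        rac.getAuthnContextDeclRefs().addAll(declRefs.stream()
                .map(AuthnContextDeclRefPrincipal::getAuthnContextDeclRef)
                .collect(Collectors.toUnmodifiableList()));
        if (log.isDebugEnabled()) {
            log.debug("{} Setting RequestedAuthnContext decl refs to {}", getLogPrefix(),
                    declRefs.stream().map(Principal::getName).collect(Collectors.toUnmodifiableList()));
        }
        return rac;
    }

    /**
     * Builds the {@link Scoping} element carrying the decremented proxy count and the list of
     * identity providers permitted to authenticate the principal.
     *
     * <p>Returns null when there is nothing to express (no count and no authorities) or when the
     * profile configuration asks for Scoping to be omitted; the latter is logged as a warning
     * because it departs from the SAML 2.0 proxying rules.</p>
     *
     * @param profileRequestContext current profile request context
     * @param count proxy count received from the downstream requester, or null if none was given
     * @param idpList entity IDs of the identity providers permitted to authenticate the principal
     * @return the Scoping element, or null if none should be emitted
     */
    @Nullable
    public Scoping buildScoping(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nullable final Integer count, @NonnullElements @Nonnull final Set<String> idpList) {

        if (count == null && idpList.isEmpty()) {
            return null;
        }
        if (profileConfiguration.isIgnoreScoping(profileRequestContext)) {
            log.warn("{} Skipping generation of Scoping element in violation of standard", getLogPrefix());
            return null;
        }

        final XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
        final SAMLObjectBuilder<Scoping> scopingBuilder = (SAMLObjectBuilder<Scoping>)
                builderFactory.<Scoping>getBuilderOrThrow(Scoping.DEFAULT_ELEMENT_NAME);
        final Scoping scoping = scopingBuilder.buildObject();

        // count may be null here when idpList is non-empty; only emit ProxyCount when one was
        // supplied. SAML 2.0 Core requires a proxying IdP to pass the count on decremented by one;
        // clamping at zero keeps the value a valid nonNegativeInteger and ensures the proxy chain
        // can never be extended beyond what the original requester allowed.
        if (count != null) {
            scoping.setProxyCount(Integer.max(0, count - 1));
        }

        if (!idpList.isEmpty()) {
            scoping.setIDPList(buildIDPList(builderFactory, idpList));
        }
        return scoping;
    }

    /**
     * Builds an {@link IDPList} with one {@link IDPEntry} per entity ID, in the set's iteration order.
     *
     * @param builderFactory builder factory to use
     * @param entityIds entity IDs to list
     * @return the populated list element
     */
    @Nonnull
    private static IDPList buildIDPList(@Nonnull final XMLObjectBuilderFactory builderFactory,
            @Nonnull final Set<String> entityIds) {
        final SAMLObjectBuilder<IDPList> listBuilder = (SAMLObjectBuilder<IDPList>)
                builderFactory.<IDPList>getBuilderOrThrow(IDPList.DEFAULT_ELEMENT_NAME);
        final SAMLObjectBuilder<IDPEntry> entryBuilder = (SAMLObjectBuilder<IDPEntry>)
                builderFactory.<IDPEntry>getBuilderOrThrow(IDPEntry.DEFAULT_ELEMENT_NAME);

        final IDPList list = listBuilder.buildObject();
        for (final String entityId : entityIds) {
            final IDPEntry entry = entryBuilder.buildObject();
            entry.setProviderID(entityId);
            list.getIDPEntrys().add(entry);
        }
        return list;
    }
}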
