package net.shibboleth.idp.saml.nameid.impl;

import java.util.Set;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractSubjectCanonicalizationAction;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.SubjectCanonicalizationException;
import net.shibboleth.idp.authn.SubjectCanonicalizationFlowDescriptor;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.saml.authn.principal.NameIDPrincipal;
import net.shibboleth.idp.saml.nameid.NameDecoderException;
import net.shibboleth.idp.saml.nameid.NameIDCanonicalizationFlowDescriptor;
import net.shibboleth.idp.saml.nameid.NameIDDecoder;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.saml2.profile.SAML2ObjectSupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.0.0.jar:net/shibboleth/idp/saml/nameid/impl/NameIDCanonicalization.class */
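/**
 * Subject canonicalization action that converts the single {@link NameIDPrincipal} carried by the
 * subject into a principal name by handing its NameID to the configured {@link NameIDDecoder}.
 *
 * <p>The action only proceeds when the subject carries exactly one {@link NameIDPrincipal} and the
 * NameID's format is one of the formats listed by the attempted
 * {@link NameIDCanonicalizationFlowDescriptor}. Everything else is rejected with
 * {@link AuthnEventIds#INVALID_SUBJECT}.</p>
 *
 * <p>NOTE(review): nothing in this class inspects the NameID's qualifiers or its value; any such
 * validation is presumably the decoder's responsibility. Confirm against the configured decoder
 * before relying on this action to reject identifiers that were not issued for the requester.</p>
 */
public class NameIDCanonicalization extends AbstractSubjectCanonicalizationAction {

    /** Precondition check shared with flow selection; {@link #doPreExecute} runs it in strict mode. */
    @Nonnull
    private final ActivationCondition embeddedPredicate = new ActivationCondition();

    /** Decoder that maps the NameID to a principal name; must be supplied before initialization. */
    @NonnullAfterInit
    private NameIDDecoder decoder;

    /**
     * Predicate deciding whether this canonicalization flow is applicable to the current subject.
     *
     * <p>Used as a plain predicate it fails quietly; called through
     * {@link #apply(ProfileRequestContext, SubjectCanonicalizationContext, boolean)} with the strict
     * flag set, it also records the reason for the rejection on the contexts.</p>
     */
    public static class ActivationCondition implements Predicate<ProfileRequestContext> {

        /** Class logger. */
        @Nonnull
        private final Logger log = LoggerFactory.getLogger(ActivationCondition.class);

        /**
         * Evaluates the condition without reporting failures on the contexts.
         *
         * @param profileRequestContext current profile request context, may be null
         * @return false if the context or its {@link SubjectCanonicalizationContext} child is missing,
         *         otherwise the result of the non-strict {@code apply} check
         */
        @Override
        public boolean test(@Nullable ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return false;
            }
            SubjectCanonicalizationContext c14nContext =
                    (SubjectCanonicalizationContext) profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class);
            if (c14nContext == null) {
                return false;
            }
            return apply(profileRequestContext, c14nContext, false);
        }

        /**
         * Checks the NameID format against the formats accepted by the attempted flow.
         *
         * <p>Acts as an allow-list: a format that is not listed by the flow descriptor is refused.
         * A missing descriptor, or one of the wrong type, is logged as an error and also refused.</p>
         *
         * @param str format taken from the NameID
         * @param subjectCanonicalizationContext context supplying the attempted flow descriptor
         * @return true only if one of the descriptor's formats is equivalent to {@code str}
         */
        protected boolean formatMatches(@Nonnull String str, @Nonnull SubjectCanonicalizationContext subjectCanonicalizationContext) {
            SubjectCanonicalizationFlowDescriptor attemptedFlow = subjectCanonicalizationContext.getAttemptedFlow();
            // NOTE(review): the format is logged exactly as found on the NameID. If that NameID can
            // come from a peer's message, check that the log encoder neutralizes control characters.
            this.log.debug("Attempting to match format '{}'", str);
            if (null == attemptedFlow) {
                this.log.error("Supplied Context has no active FlowDescriptor");
                return false;
            }
            if (!(attemptedFlow instanceof NameIDCanonicalizationFlowDescriptor)) {
                this.log.error("Flow Descriptor named {} is not appropriate for NameID canonicalization.  Use class=\"{}\"", attemptedFlow.getId(), NameIDCanonicalizationFlowDescriptor.class.getCanonicalName());
                return false;
            }
            NameIDCanonicalizationFlowDescriptor flowDescriptor = (NameIDCanonicalizationFlowDescriptor) attemptedFlow;
            for (String acceptedFormat : flowDescriptor.getFormats()) {
                // NOTE(review): str is passed on unchecked although it is declared @Nonnull; how a
                // NameID without a Format is treated depends on areNameIDFormatsEquivalent - confirm.
                if (SAML2ObjectSupport.areNameIDFormatsEquivalent(acceptedFormat, str)) {
                    this.log.debug("NameIDCanonicalizationFlowDescriptor {}: format matches {}", flowDescriptor.getId(), acceptedFormat);
                    return true;
                }
            }
            this.log.debug("NameIDCanonicalizationFlowDescriptor {}: no format matches", flowDescriptor.getId());
            return false;
        }

        /**
         * Checks that the subject carries exactly one {@link NameIDPrincipal} whose format is accepted.
         *
         * <p>Requiring exactly one principal keeps the later decode step unambiguous, because
         * {@code doExecute} decodes whichever principal the set's iterator returns first.</p>
         *
         * @param profileRequestContext current profile request context
         * @param subjectCanonicalizationContext context holding the subject to inspect
         * @param z strict mode: when true, a rejection also stores a
         *          {@link SubjectCanonicalizationException} on the context and builds an
         *          {@link AuthnEventIds#INVALID_SUBJECT} event; when false the method only returns false
         * @return true if there is exactly one NameIDPrincipal and its format matches
         */
        public boolean apply(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull SubjectCanonicalizationContext subjectCanonicalizationContext, boolean z) {
            Set<NameIDPrincipal> principals = null;
            if (subjectCanonicalizationContext.getSubject() != null) {
                principals = subjectCanonicalizationContext.getSubject().getPrincipals(NameIDPrincipal.class);
            }

            final String failure;
            if (principals == null || principals.isEmpty()) {
                failure = "No NameIDPrincipals were found";
            } else if (principals.size() > 1) {
                failure = "Multiple NameIDPrincipals were found";
            } else if (formatMatches(principals.iterator().next().getNameID().getFormat(), subjectCanonicalizationContext)) {
                return true;
            } else {
                failure = "Format not supported";
            }

            // Only the strict caller gets the failure recorded; the predicate path stays silent.
            if (z) {
                subjectCanonicalizationContext.setException(new SubjectCanonicalizationException(failure));
                ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
            }
            return false;
        }
    }

    /**
     * Returns the decoder used to turn the NameID into a principal name.
     *
     * @return the configured decoder, null until one has been set
     */
    @NonnullAfterInit
    public NameIDDecoder getDecoder() {
        return this.decoder;
    }

    /**
     * Sets the decoder used to turn the NameID into a principal name.
     *
     * <p>Rejected once the component is initialized, so the decoder cannot be swapped at runtime.</p>
     *
     * @param nameIDDecoder decoder to use, must not be null
     */
    @NonnullAfterInit
    public void setDecoder(@Nonnull NameIDDecoder nameIDDecoder) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.decoder = (NameIDDecoder) Constraint.isNotNull(nameIDDecoder, "Name ID decoder cannot be null");
    }

    /**
     * Refuses to initialize without a decoder, then defers to the superclass.
     *
     * <p>Decompiler note: this method was {@code protected} in the compiled class; the decompiler
     * widened it to {@code public}.</p>
     *
     * @throws ComponentInitializationException if no decoder was supplied
     */
    @Override
    public void doInitialize() throws ComponentInitializationException {
        if (null == this.decoder) {
            throw new ComponentInitializationException(getLogPrefix() + " decoder not supplied");
        }
        super.doInitialize();
    }

    /**
     * Runs the strict activation check before the superclass pre-execute step.
     *
     * <p>Decompiler note: this method was {@code protected} in the compiled class; the decompiler
     * widened it to {@code public}.</p>
     *
     * @param profileRequestContext current profile request context
     * @param subjectCanonicalizationContext context holding the subject to canonicalize
     * @return false if the activation check rejects the subject, otherwise the superclass result
     */
    @Override
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull SubjectCanonicalizationContext subjectCanonicalizationContext) {
        if (!this.embeddedPredicate.apply(profileRequestContext, subjectCanonicalizationContext, true)) {
            return false;
        }
        return super.doPreExecute(profileRequestContext, subjectCanonicalizationContext);
    }

    /**
     * Decodes the subject's NameID and stores the result as the principal name.
     *
     * <p>No checks are repeated here: the method takes the first {@link NameIDPrincipal} from the
     * subject and relies on {@link #doPreExecute} having established that there is exactly one.
     * A null decode result yields {@link AuthnEventIds#INVALID_SUBJECT} without an exception on the
     * context; a {@link NameDecoderException} is stored on the context and yields
     * {@link AuthnEventIds#SUBJECT_C14N_ERROR}.</p>
     *
     * @param profileRequestContext current profile request context
     * @param subjectCanonicalizationContext context holding the subject and receiving the result
     */
    @Override
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull SubjectCanonicalizationContext subjectCanonicalizationContext) {
        try {
            subjectCanonicalizationContext.setPrincipalName(
                    this.decoder.decode(
                            subjectCanonicalizationContext,
                            subjectCanonicalizationContext.getSubject()
                                    .getPrincipals(NameIDPrincipal.class)
                                    .iterator()
                                    .next()
                                    .getNameID()));
            if (subjectCanonicalizationContext.getPrincipalName() == null) {
                ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_SUBJECT);
            }
        } catch (NameDecoderException e) {
            subjectCanonicalizationContext.setException(e);
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.SUBJECT_C14N_ERROR);
        }
    }
}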
