package net.shibboleth.idp.authn.impl;

import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AbstractValidationAction;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UsernameContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.0.0.jar:net/shibboleth/idp/authn/impl/ValidateRemoteUser.class */
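/**
 * Validation action that accepts or rejects a username already present in a
 * {@link UsernameContext}, based on an optional allow list, an optional deny
 * list and an optional regular expression.
 *
 * <p>No credential is verified here: the only input is the username string, so
 * the decision is only as trustworthy as whatever populated the
 * {@link UsernameContext}. NOTE(review): the class name suggests a
 * container-supplied REMOTE_USER value; confirm that the value cannot be set by
 * the client (for example through a forwarded header).</p>
 *
 * <p>The {@link UsernameContext} is cached in an instance field between
 * {@link #doPreExecute} and {@link #doExecute}, so a single instance must not
 * serve concurrent requests. NOTE(review): presumably the framework creates one
 * instance per execution; verify against the bean definition.</p>
 */
public class ValidateRemoteUser extends AbstractValidationAction {

    /** Metric name installed by the constructor. */
    @NotEmpty
    @Nonnull
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.remoteuser";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateRemoteUser.class);

    /** Usernames accepted by exact match; an empty set means no allow list is enforced. */
    @NonnullElements
    @Nonnull
    private Set<String> whitelistedUsernames = Collections.emptySet();

    /** Usernames rejected by exact match (see {@link #isAuthenticated(String)} for the one path that skips it). */
    @NonnullElements
    @Nonnull
    private Set<String> blacklistedUsernames = Collections.emptySet();

    /** Optional pattern the whole username must match; {@code null} disables the check. */
    @Nullable
    private Pattern matchExpression;

    /** Context holding the username under validation; set in {@link #doPreExecute}. */
    @Nullable
    private UsernameContext usernameContext;

    /** Creates the action and installs the default metric name. */
    public ValidateRemoteUser() {
        setMetricName(DEFAULT_METRIC_NAME);
    }

    /**
     * Replaces the allow list with a private copy of the supplied names.
     *
     * <p>The initialization guard is called first, so the list cannot be swapped
     * once the component is initialized.</p>
     *
     * @param collection usernames to accept, passed through
     *     {@code StringSupport.normalizeStringCollection} before being stored
     */
    public void setWhitelistedUsernames(@NonnullElements @Nonnull Collection<String> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        // Typed copy: later changes to the caller's collection do not alter the policy.
        this.whitelistedUsernames = new HashSet<>(StringSupport.normalizeStringCollection(collection));
    }

    /**
     * Replaces the deny list with a private copy of the supplied names.
     *
     * <p>The initialization guard is called first, so the list cannot be swapped
     * once the component is initialized.</p>
     *
     * @param collection usernames to reject, passed through
     *     {@code StringSupport.normalizeStringCollection} before being stored
     */
    public void setBlacklistedUsernames(@NonnullElements @Nonnull Collection<String> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        // Typed copy: later changes to the caller's collection do not alter the policy.
        this.blacklistedUsernames = new HashSet<>(StringSupport.normalizeStringCollection(collection));
    }

    /**
     * Sets the pattern a username must match in full.
     *
     * @param pattern the pattern to apply, or {@code null} for no pattern check
     */
    public void setMatchExpression(@Nullable Pattern pattern) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.matchExpression = pattern;
    }

    /**
     * Locates the {@link UsernameContext} and checks that it carries a username.
     *
     * <p>Signals {@link AuthnEventIds#NO_CREDENTIALS} and returns {@code false}
     * when either the context or the username is missing, so {@link #doExecute}
     * only runs with a non-null username.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return {@code true} if execution should proceed
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.authn.AbstractValidationAction, net.shibboleth.idp.authn.AbstractAuthenticationAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        this.usernameContext = (UsernameContext) authenticationContext.getSubcontext(UsernameContext.class);
        if (this.usernameContext == null) {
            this.log.debug("{} No UsernameContext available within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
            return false;
        }
        if (this.usernameContext.getUsername() != null) {
            return true;
        }
        this.log.debug("{} No username available within UsernameContext", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
        return false;
    }

    /**
     * Applies the username policy and records the outcome.
     *
     * <p>On success an authentication result is built; on failure
     * {@link AuthnEventIds#INVALID_CREDENTIALS} is signalled.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        // NOTE(review): the username is written to the log verbatim in both branches.
        // If the upstream source does not restrict its characters, embedded line
        // breaks could forge log entries; confirm the log encoder neutralises them.
        if (isAuthenticated(this.usernameContext.getUsername())) {
            this.log.info("{} Validated user '{}'", getLogPrefix(), this.usernameContext.getUsername());
            recordSuccess();
            buildAuthenticationResult(profileRequestContext, authenticationContext);
        } else {
            this.log.info("{} User '{}' was not valid", getLogPrefix(), this.usernameContext.getUsername());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_CREDENTIALS);
            recordFailure();
        }
    }

    /**
     * Decides whether a username passes the configured policy.
     *
     * <ul>
     *   <li>Allow list empty, or username on it: accepted unless it is on the deny
     *       list or fails the pattern (when one is set).</li>
     *   <li>Allow list set and username not on it: accepted only if a pattern is
     *       set and the username matches it.</li>
     * </ul>
     *
     * <p>{@link java.util.regex.Matcher#matches()} is used, so the pattern must
     * cover the entire username, not a substring.</p>
     *
     * @param str username to evaluate
     * @return {@code true} if the username is accepted
     */
    private boolean isAuthenticated(@NotEmpty @Nonnull String str) {
        if (!this.whitelistedUsernames.isEmpty() && !this.whitelistedUsernames.contains(str)) {
            // Allow list configured and name absent: only the pattern can admit it.
            // NOTE(review): blacklistedUsernames is not consulted on this path, so a
            // denied name that matches the pattern is accepted whenever an allow list
            // is configured. Confirm this precedence is what deployers expect.
            return this.matchExpression != null && this.matchExpression.matcher(str).matches();
        }
        // On the allow list, or no allow list at all: deny list and pattern both apply.
        return !this.blacklistedUsernames.contains(str)
                && (this.matchExpression == null || this.matchExpression.matcher(str).matches());
    }

    /**
     * Adds a {@link UsernamePrincipal} for the validated username to the subject.
     *
     * @param subject subject to populate
     * @return the same subject instance
     */
    @Override // net.shibboleth.idp.authn.AbstractValidationAction
    @Nonnull
    protected Subject populateSubject(@Nonnull Subject subject) {
        subject.getPrincipals().add(new UsernamePrincipal(this.usernameContext.getUsername()));
        return subject;
    }
}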
