package net.shibboleth.idp.saml.saml2.profile.impl;

import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Set;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.principal.DefaultPrincipalDeterminationStrategy;
import net.shibboleth.idp.authn.principal.ProxyAuthenticationPrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal;
import net.shibboleth.idp.saml.authn.principal.AuthnContextDeclRefPrincipal;
import net.shibboleth.idp.saml.profile.config.navigate.SessionLifetimeLookupFunction;
import net.shibboleth.idp.saml.profile.impl.BaseAddAuthenticationStatementToAssertion;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.core.xml.XMLObjectBuilderFactory;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.common.SAMLObjectBuilder;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthenticatingAuthority;
import org.opensaml.saml.saml2.core.AuthnContext;
import org.opensaml.saml.saml2.core.AuthnStatement;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.SubjectLocality;
import org.opensaml.saml.saml2.profile.SAML2ActionSupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.1.2.jar:net/shibboleth/idp/saml/saml2/profile/impl/AddAuthnStatementToAssertion.class */
/**
 * Action that builds a SAML 2 {@link AuthnStatement} from the active authentication result and
 * appends it to the {@link Assertion} located (or created) by the configured lookup strategy.
 *
 * <p>Decompiled listing from {@code input_file:WEB-INF/lib/idp-saml-impl-4.1.2.jar}. Setters are
 * only honoured before initialization; unset strategies receive defaults in {@link #doInitialize()}.</p>
 *
 * <p>Signals {@link EventIds#INVALID_MSG_CTX} when no assertion can be located.</p>
 */
public class AddAuthnStatementToAssertion extends BaseAddAuthenticationStatementToAssertion {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AddAuthnStatementToAssertion.class);

    /** Locates the assertion to modify; defaults to {@link AssertionStrategy} at initialization. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, Assertion> assertionLookupStrategy;

    /** Supplies the AuthnContextClassRef used when no requested principal was matched. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, AuthnContextClassRefPrincipal> classRefLookupStrategy;

    /** Optional lookup of the session lifetime that bounds {@code SessionNotOnOrAfter}. */
    @Nullable
    private Function<ProfileRequestContext, Duration> sessionLifetimeLookupStrategy =
            new SessionLifetimeLookupFunction();

    /**
     * Set the strategy used to locate the {@link Assertion} to operate on.
     *
     * @param function lookup strategy, must not be null
     */
    public void setAssertionLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, Assertion> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        assertionLookupStrategy =
                Constraint.isNotNull(function, "Assertion lookup strategy cannot be null");
    }

    /**
     * Set the strategy that determines the fallback {@link AuthnContextClassRefPrincipal}.
     *
     * @param function lookup strategy, must not be null
     */
    public void setClassRefLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, AuthnContextClassRefPrincipal> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        classRefLookupStrategy = Constraint.isNotNull(function,
                "Authentication context class reference strategy cannot be null");
    }

    /**
     * Set the strategy that yields the session lifetime; null disables {@code SessionNotOnOrAfter}.
     *
     * @param function lookup strategy, may be null
     */
    public void setSessionLifetimeLookupStrategy(
            @Nullable final Function<ProfileRequestContext, Duration> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        sessionLifetimeLookupStrategy = function;
    }

    /**
     * Installs default strategies for anything the bean configuration left unset.
     *
     * <p>Declared {@code public} in this listing (the decompiler notes the original was
     * {@code protected}); kept as-is to preserve the visible interface.</p>
     *
     * @throws ComponentInitializationException if the superclass fails to initialize
     */
    @Override
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (classRefLookupStrategy == null) {
            // Fallback class ref is "unspecified" unless the deployer configures otherwise.
            classRefLookupStrategy = new DefaultPrincipalDeterminationStrategy(
                    AuthnContextClassRefPrincipal.class,
                    new AuthnContextClassRefPrincipal(AuthnContext.UNSPECIFIED_AUTHN_CTX));
        }
        if (assertionLookupStrategy == null) {
            assertionLookupStrategy = new AssertionStrategy();
        }
    }

    /**
     * Locates the target assertion and appends a freshly built authentication statement.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext authentication context holding the optional
     *                              {@link RequestedPrincipalContext}
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final Assertion target = assertionLookupStrategy.apply(profileRequestContext);
        if (target == null) {
            log.error("Unable to obtain Assertion to modify");
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_MSG_CTX);
            return;
        }
        final RequestedPrincipalContext requested =
                authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        target.getAuthnStatements().add(buildAuthnStatement(profileRequestContext, requested));
        log.debug("{} Added AuthenticationStatement to Assertion {}", getLogPrefix(), target.getID());
    }

    /**
     * Builds the {@link AuthnStatement}: AuthnInstant from the authentication result, an
     * {@link AuthnContext} reflecting the matched requested principal (or the fallback class ref),
     * any proxied AuthenticatingAuthority values, the session bounds and a fresh SessionIndex,
     * and a SubjectLocality when an address is available.
     *
     * @param profileRequestContext     current profile request context
     * @param requestedPrincipalContext requested principal context, may be null
     * @return the populated statement
     */
    @Nonnull
    private AuthnStatement buildAuthnStatement(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nullable final RequestedPrincipalContext requestedPrincipalContext) {
        final XMLObjectBuilderFactory builderFactory = XMLObjectProviderRegistrySupport.getBuilderFactory();
        // All builders are resolved first so a missing registration fails before anything is built.
        final SAMLObjectBuilder<AuthnStatement> statementBuilder =
                (SAMLObjectBuilder<AuthnStatement>) builderFactory.getBuilderOrThrow(AuthnStatement.TYPE_NAME);
        final SAMLObjectBuilder<AuthnContext> contextBuilder =
                (SAMLObjectBuilder<AuthnContext>) builderFactory.getBuilderOrThrow(AuthnContext.TYPE_NAME);
        final SAMLObjectBuilder<SubjectLocality> localityBuilder =
                (SAMLObjectBuilder<SubjectLocality>) builderFactory.getBuilderOrThrow(SubjectLocality.TYPE_NAME);

        final AuthnStatement statement = statementBuilder.buildObject();
        statement.setAuthnInstant(getAuthenticationResult().getAuthenticationInstant());

        final AuthnContext context = contextBuilder.buildObject();
        statement.setAuthnContext(context);
        populateContextReference(profileRequestContext, requestedPrincipalContext, context);
        populateAuthenticatingAuthorities(builderFactory, context);

        // SessionNotOnOrAfter is only emitted for a positive lifetime.
        final Duration lifetime = sessionLifetimeLookupStrategy == null
                ? null : sessionLifetimeLookupStrategy.apply(profileRequestContext);
        if (lifetime != null && lifetime.toMillis() > 0) {
            statement.setSessionNotOnOrAfter(Instant.now().plus(lifetime));
        }
        statement.setSessionIndex(getIdGenerator().generateIdentifier());

        final String address = getAddressLookupStrategy().apply(profileRequestContext);
        if (address == null) {
            log.debug("{} Address not available, omitting SubjectLocality element", getLogPrefix());
        } else {
            final SubjectLocality locality = localityBuilder.buildObject();
            locality.setAddress(address);
            statement.setSubjectLocality(locality);
        }
        return statement;
    }

    /**
     * Sets the class or declaration reference on the context: a matched
     * {@link AuthnContextClassRefPrincipal} or {@link AuthnContextDeclRefPrincipal} wins,
     * anything else falls back to the configured class-ref strategy.
     *
     * @param profileRequestContext     current profile request context
     * @param requestedPrincipalContext requested principal context, may be null
     * @param context                   context element to populate
     */
    private void populateContextReference(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nullable final RequestedPrincipalContext requestedPrincipalContext,
            @Nonnull final AuthnContext context) {
        final Principal matched = requestedPrincipalContext == null
                ? null : requestedPrincipalContext.getMatchingPrincipal();
        if (matched instanceof AuthnContextClassRefPrincipal) {
            context.setAuthnContextClassRef(
                    ((AuthnContextClassRefPrincipal) matched).getAuthnContextClassRef());
        } else if (matched instanceof AuthnContextDeclRefPrincipal) {
            context.setAuthnContextDeclRef(
                    ((AuthnContextDeclRefPrincipal) matched).getAuthnContextDeclRef());
        } else {
            // Covers a missing context, an unmatched request and a principal of another type.
            context.setAuthnContextClassRef(
                    classRefLookupStrategy.apply(profileRequestContext).getAuthnContextClassRef());
        }
    }

    /**
     * Copies the authorities of a single {@link ProxyAuthenticationPrincipal} into
     * AuthenticatingAuthority elements; more than one such principal is logged and skipped.
     *
     * @param builderFactory builder factory for the AuthenticatingAuthority element
     * @param context        context element to populate
     */
    private void populateAuthenticatingAuthorities(@Nonnull final XMLObjectBuilderFactory builderFactory,
            @Nonnull final AuthnContext context) {
        final Set<ProxyAuthenticationPrincipal> proxies =
                getAuthenticationResult().getSubject().getPrincipals(ProxyAuthenticationPrincipal.class);
        if (proxies == null || proxies.isEmpty()) {
            return;
        }
        if (proxies.size() != 1) {
            log.warn("{} Multiple ProxyAuthenticationPrincipals, skipping AuthenticatingAuthority population",
                    getLogPrefix());
            return;
        }
        final SAMLObjectBuilder<AuthenticatingAuthority> authorityBuilder =
                (SAMLObjectBuilder<AuthenticatingAuthority>) builderFactory.getBuilderOrThrow(
                        AuthenticatingAuthority.DEFAULT_ELEMENT_NAME);
        for (final String uri : proxies.iterator().next().getAuthorities()) {
            final AuthenticatingAuthority authority = authorityBuilder.buildObject();
            authority.setURI(uri);
            context.getAuthenticatingAuthorities().add(authority);
        }
    }

    /**
     * Default assertion lookup: uses the outbound message when it is an {@link Assertion}, picks or
     * adds one inside an outbound {@link Response}, or creates a bare assertion as the outbound
     * message when there is none yet.
     */
    private class AssertionStrategy implements Function<ProfileRequestContext, Assertion> {

        private AssertionStrategy() {
        }

        /**
         * @param input profile request context, may be null
         * @return the assertion to modify, or null if no outbound context or an unsupported
         *         message type is present
         */
        @Override
        @Nullable
        public Assertion apply(@Nullable final ProfileRequestContext input) {
            if (input == null || input.getOutboundMessageContext() == null) {
                return null;
            }
            final Object outboundMessage = input.getOutboundMessageContext().getMessage();
            if (outboundMessage instanceof Assertion) {
                return (Assertion) outboundMessage;
            }
            if (outboundMessage instanceof Response) {
                final Response response = (Response) outboundMessage;
                // A new assertion is added when configured to, or when the response has none yet.
                final boolean addNew = isStatementInOwnAssertion() || response.getAssertions().isEmpty();
                return addNew
                        ? SAML2ActionSupport.addAssertionToResponse(AddAuthnStatementToAssertion.this,
                                response, getIdGenerator(), getIssuerId())
                        : response.getAssertions().get(0);
            }
            if (outboundMessage == null) {
                final Assertion created = SAML2ActionSupport.buildAssertion(
                        AddAuthnStatementToAssertion.this, getIdGenerator(), getIssuerId());
                input.getOutboundMessageContext().setMessage(created);
                return created;
            }
            return null;
        }
    }
}
