package edu.internet2.middleware.shibboleth.idp.authn.provider;

import edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine;
import edu.internet2.middleware.shibboleth.idp.authn.LoginHandler;
import edu.internet2.middleware.shibboleth.idp.util.IPRange;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.opensaml.xml.util.DatatypeHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/internet2/middleware/shibboleth/idp/authn/provider/IPAddressLoginHandler.class */
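/**
 * Login handler that authenticates a request purely from the client's IP address.
 *
 * <p>Every client that passes the range check is reported under the same configured principal
 * name, so this handler identifies a network location, not an individual user.
 *
 * <p>Deployment caveat: the address is taken from {@link HttpServletRequest#getRemoteAddr()},
 * i.e. the servlet container's view of the peer. Behind a reverse proxy or load balancer that is
 * normally the proxy's address unless the container has been configured to restore the original
 * client address; in that case the configured ranges are matched against the proxy, not the user.
 */
public class IPAddressLoginHandler extends AbstractLoginHandler {
    private final Logger log = LoggerFactory.getLogger(IPAddressLoginHandler.class);

    /** Principal name reported for every client that passes the IP check. */
    private final String authenticatedUser;

    /** Private copy of the configured ranges the client address is matched against. */
    private final List<IPRange> ipRanges;

    /**
     * {@code true}: an address inside one of the ranges is authenticated (allow-list).
     * {@code false}: an address outside all of the ranges is authenticated (deny-list).
     */
    private final boolean ipInRangeIsAuthenticated;

    /**
     * Creates the handler.
     *
     * @param str principal name to report for authenticated clients; trimmed, must not be null or empty
     * @param list IP ranges to match the client address against; must not be null or empty
     * @param z whether addresses inside the ranges ({@code true}) or outside them ({@code false})
     *     are treated as authenticated
     * @throws IllegalArgumentException if the principal name or the range list is null or empty
     */
    public IPAddressLoginHandler(String str, List<IPRange> list, boolean z) {
        this.authenticatedUser = DatatypeHelper.safeTrimOrNullString(str);
        if (this.authenticatedUser == null) {
            throw new IllegalArgumentException("The authenticated user ID may not be null or empty");
        }
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("The list of IP ranges may not be null or empty");
        }
        // Defensive copy: later changes to the caller's list must not alter the access policy.
        this.ipRanges = new ArrayList<IPRange>(list);
        this.ipInRangeIsAuthenticated = z;
    }

    /**
     * Reports that this handler supports passive authentication.
     *
     * @return always {@code true}
     */
    @Override
    public boolean supportsPassive() {
        return true;
    }

    /**
     * Reports that this handler supports forced re-authentication.
     *
     * @return always {@code true}
     */
    @Override
    public boolean supportsForceAuthentication() {
        return true;
    }

    /**
     * Checks the request's remote address against the configured ranges and records the outcome
     * as request attributes, then hands control back to the authentication engine.
     *
     * <p>On success the configured principal name is stored under
     * {@link LoginHandler#PRINCIPAL_NAME_KEY} and the authentication method is set to the SAML 2
     * {@code InternetProtocol} context class. On failure, or when the address is missing or cannot
     * be resolved, an error message is stored under {@link LoginHandler#AUTHENTICATION_ERROR_KEY}.
     *
     * @param httpServletRequest current request; its remote address is the only credential used
     * @param httpServletResponse current response, passed through to the authentication engine
     */
    @Override
    public void login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String remoteAddr = httpServletRequest.getRemoteAddr();
        this.log.debug("Attempting to authenticated client '{}'", remoteAddr);
        if (DatatypeHelper.safeTrimOrNullString(remoteAddr) == null) {
            // InetAddress.getByName(null) and getByName("") resolve to the loopback address, so a
            // request without a remote address must fail here rather than be matched as localhost.
            this.log.warn("Request carries no remote address, failing IP address authentication");
            httpServletRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, "Client failed IP address authentication");
        } else {
            try {
                if (authenticate(InetAddress.getByName(remoteAddr))) {
                    this.log.debug("Authenticated user by IP address");
                    httpServletRequest.setAttribute(LoginHandler.PRINCIPAL_NAME_KEY, this.authenticatedUser);
                    httpServletRequest.setAttribute("authnMethod", "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol");
                } else {
                    this.log.debug("Client IP address {} failed authentication.", remoteAddr);
                    httpServletRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, "Client failed IP address authentication");
                }
            } catch (UnknownHostException e) {
                String str = "Unable to resolve " + remoteAddr + " in to an IP address";
                this.log.warn(str);
                httpServletRequest.setAttribute(LoginHandler.AUTHENTICATION_ERROR_KEY, str);
            }
        }
        // Control always returns to the engine; the attributes set above carry the result.
        AuthenticationEngine.returnToAuthenticationEngine(httpServletRequest, httpServletResponse);
    }

    /**
     * Decides whether the given client address is authenticated under the configured policy.
     *
     * <p>In allow-list mode the address must lie in at least one configured range. In deny-list
     * mode it must lie in none of them. Checking the deny-list one range at a time ("outside this
     * range, so accept") would accept an address listed in one range as soon as a second, disjoint
     * range is configured, which turns the deny-list into accept-all.
     *
     * @param inetAddress client address to evaluate
     * @return {@code true} if the address is authenticated, {@code false} otherwise
     */
    protected boolean authenticate(InetAddress inetAddress) {
        boolean inAnyRange = false;
        for (IPRange range : this.ipRanges) {
            if (range.contains(inetAddress)) {
                inAnyRange = true;
                break;
            }
        }
        // Allow-list: authenticated when matched. Deny-list: authenticated when not matched.
        return this.ipInRangeIsAuthenticated == inAnyRange;
    }
}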
