package net.shibboleth.idp.authn.impl;

import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.attribute.context.AttributeContext;
import net.shibboleth.idp.attribute.filter.AttributeFilter;
import net.shibboleth.idp.attribute.filter.AttributeFilterException;
import net.shibboleth.idp.attribute.filter.context.AttributeFilterContext;
import net.shibboleth.idp.authn.AbstractValidationAction;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.ExternalAuthenticationContext;
import net.shibboleth.idp.authn.principal.IdPAttributePrincipal;
import net.shibboleth.idp.authn.principal.ProxyAuthenticationPrincipal;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.service.ReloadableService;
import net.shibboleth.utilities.java.support.service.ServiceableComponent;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.metadata.resolver.MetadataResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.1.6.jar:net/shibboleth/idp/authn/impl/ValidateExternalAuthentication.class */
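public class ValidateExternalAuthentication extends AbstractValidationAction {

    /** Metric name recorded for successes/failures of this action. */
    @NotEmpty
    @Nonnull
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.external";

    /** Class logger. */
    @Nonnull
    private final Logger log;

    /**
     * Service supplying the {@link AttributeFilter} applied to inbound attributes. When absent,
     * inbound attributes are discarded rather than accepted unfiltered (see {@link #filterAttributes()}).
     */
    @Nullable
    private ReloadableService<AttributeFilter> attributeFilterService;

    /** Metadata resolver handed to the attribute filter context, may be null. */
    @Nullable
    private MetadataResolver metadataResolver;

    /** Optional whole-name pattern a {@link UsernamePrincipal} must satisfy; null disables the check. */
    @Nullable
    private Pattern matchExpression;

    /** Context carrying the outcome of the external authentication flow; set in {@link #doPreExecute}. */
    @Nullable
    private ExternalAuthenticationContext extContext;

    /** Attribute context found under {@link #extContext}; set in {@link #filterAttributes()}. */
    @Nullable
    private AttributeContext attributeContext;

    /** Constructor without an attribute filter service (inbound attributes will be cleared). */
    public ValidateExternalAuthentication() {
        this(null);
    }

    /**
     * Constructor.
     *
     * @param reloadableService service supplying the attribute filter, or null to disable attribute
     *            acceptance
     */
    public ValidateExternalAuthentication(@Nullable final ReloadableService<AttributeFilter> reloadableService) {
        log = LoggerFactory.getLogger(ValidateExternalAuthentication.class);
        setMetricName(DEFAULT_METRIC_NAME);
        attributeFilterService = reloadableService;
    }

    /**
     * Set the pattern a returned username must fully match.
     *
     * <p>A null pattern, or a pattern whose source text is empty, disables the check.</p>
     *
     * @param pattern the pattern, or null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setMatchExpression(@Nullable final Pattern pattern) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        final boolean disabled = pattern == null || pattern.pattern().isEmpty();
        matchExpression = disabled ? null : pattern;
    }

    /**
     * Set the metadata resolver made available to the attribute filter.
     *
     * @param resolver the resolver, or null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setMetadataResolver(@Nullable final MetadataResolver resolver) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        metadataResolver = resolver;
    }

    /**
     * Locate the {@link ExternalAuthenticationContext}; without it the action signals
     * {@link AuthnEventIds#INVALID_AUTHN_CTX}, records a failure and does not proceed.
     *
     * <p>Kept {@code public} as in this listing; the decompiler notes the original declared it
     * {@code protected}, and widening an override is legal.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return true iff execution should continue
     */
    @Override // net.shibboleth.idp.authn.AbstractValidationAction, net.shibboleth.idp.authn.AbstractAuthenticationAction
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }

        extContext = authenticationContext.getSubcontext(ExternalAuthenticationContext.class);
        if (extContext == null) {
            log.debug("{} No ExternalAuthenticationContext available within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.INVALID_AUTHN_CTX);
            recordFailure(profileRequestContext);
            return false;
        }
        return true;
    }

    /**
     * Validate the external result.
     *
     * <p>Order of evaluation: an exception or error message from the external flow fails the
     * attempt; otherwise a Subject is taken as-is, or synthesized from a Principal or from a
     * principal name (as a {@link UsernamePrincipal}); with none of those the attempt fails with
     * {@link AuthnEventIds#NO_CREDENTIALS}. The resulting Subject is then checked against the
     * optional match expression before the result is recorded and built.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {

        final Exception authnException = extContext.getAuthnException();
        if (authnException != null) {
            log.info("{} External authentication produced exception", getLogPrefix(), authnException);
            handleError(profileRequestContext, authenticationContext, authnException, AuthnEventIds.AUTHN_EXCEPTION);
            recordFailure(profileRequestContext);
            return;
        }

        final String authnError = extContext.getAuthnError();
        if (authnError != null) {
            log.info("{} External authentication produced error message: {}", getLogPrefix(), authnError);
            handleError(profileRequestContext, authenticationContext, authnError, AuthnEventIds.AUTHN_EXCEPTION);
            recordFailure(profileRequestContext);
            return;
        }

        if (!establishSubject(profileRequestContext, authenticationContext)) {
            return;
        }

        if (!checkUsername(extContext.getSubject())) {
            handleError(profileRequestContext, authenticationContext, AuthnEventIds.INVALID_CREDENTIALS,
                    AuthnEventIds.INVALID_CREDENTIALS);
            recordFailure(profileRequestContext);
            return;
        }

        recordSuccess(profileRequestContext);

        // Record the upstream authorities so downstream consumers can see this was a proxied login.
        if (!extContext.getAuthenticatingAuthorities().isEmpty()) {
            extContext.getSubject().getPrincipals().add(
                    new ProxyAuthenticationPrincipal(extContext.getAuthenticatingAuthorities()));
        }

        if (extContext.doNotCache()) {
            log.debug("{} Disabling caching of authentication result", getLogPrefix());
            authenticationContext.setResultCacheable(false);
        }

        filterAttributes();
        buildAuthenticationResult(profileRequestContext, authenticationContext);
        applyResultOverrides(authenticationContext);
    }

    /**
     * Ensure {@link #extContext} carries a Subject, synthesizing one from a Principal or a
     * principal name when necessary.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return true iff a Subject is now available; false after signaling NO_CREDENTIALS
     */
    private boolean establishSubject(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {

        if (extContext.getSubject() != null) {
            log.info("{} External authentication succeeded for Subject", getLogPrefix());
            return true;
        }

        if (extContext.getPrincipal() != null) {
            log.info("{} External authentication succeeded for Principal: {}", getLogPrefix(), extContext.getPrincipal());
            extContext.setSubject(new Subject(false, Collections.singleton(extContext.getPrincipal()),
                    Collections.emptySet(), Collections.emptySet()));
            return true;
        }

        final String principalName = extContext.getPrincipalName();
        if (principalName == null) {
            log.info("{} External authentication failed, no user identity or error information returned", getLogPrefix());
            handleError(profileRequestContext, authenticationContext, AuthnEventIds.NO_CREDENTIALS,
                    AuthnEventIds.NO_CREDENTIALS);
            // NOTE(review): unlike the exception/error/mismatch paths, recordFailure is not called here
            // (same as the original); presumably deliberate since no credential was presented - confirm.
            return false;
        }

        log.info("{} External authentication succeeded for user: {}", getLogPrefix(), principalName);
        extContext.setSubject(new Subject(false, Collections.singleton(new UsernamePrincipal(principalName)),
                Collections.emptySet(), Collections.emptySet()));
        return true;
    }

    /**
     * Copy the authentication instant and previous-result flag from the external context onto
     * the built result, if there is one.
     *
     * @param authenticationContext current authentication context
     */
    private void applyResultOverrides(@Nonnull final AuthenticationContext authenticationContext) {
        if (authenticationContext.getAuthenticationResult() == null) {
            return;
        }
        if (extContext.getAuthnInstant() != null) {
            authenticationContext.getAuthenticationResult().setAuthenticationInstant(extContext.getAuthnInstant());
        }
        if (extContext.isPreviousResult()) {
            authenticationContext.getAuthenticationResult().setPreviousResult(true);
        }
    }

    /**
     * Merge the framework-supplied principals, plus one {@link IdPAttributePrincipal} per
     * filtered inbound attribute, into the external Subject.
     *
     * @param subject Subject populated by the base class
     * @return the external Subject, now carrying the merged principals
     */
    @Override // net.shibboleth.idp.authn.AbstractValidationAction
    @Nonnull
    protected Subject populateSubject(@Nonnull final Subject subject) {
        final Subject target = extContext.getSubject();
        target.getPrincipals().addAll(subject.getPrincipals());

        if (attributeContext != null && !attributeContext.getIdPAttributes().isEmpty()) {
            log.debug("{} Adding filtered inbound attributes to Subject", getLogPrefix());
            target.getPrincipals().addAll(attributeContext.getIdPAttributes().values().stream()
                    .map(IdPAttributePrincipal::new)
                    .collect(Collectors.toList()));
        }
        return target;
    }

    /**
     * Apply the optional match expression to the Subject's username.
     *
     * <p>Only the first {@link UsernamePrincipal} in the Subject is examined, and the whole name
     * must match ({@link java.util.regex.Matcher#matches()}), not just a substring.</p>
     *
     * @param subject Subject to check
     * @return true iff no expression is configured or the username matches it
     */
    private boolean checkUsername(@Nonnull final Subject subject) {
        if (matchExpression == null) {
            return true;
        }

        final Set<UsernamePrincipal> principals = subject.getPrincipals(UsernamePrincipal.class);
        if (principals.isEmpty()) {
            log.info("{} Match expression set, but no UsernamePrincipal found", getLogPrefix());
            return false;
        }

        final String name = principals.iterator().next().getName();
        if (matchExpression.matcher(name).matches()) {
            return true;
        }
        log.info("{} Username did not match expression", getLogPrefix());
        return false;
    }

    /**
     * Run the inbound attributes through the configured attribute filter.
     *
     * <p>Fail-closed: without a filter service, without a usable filter component, or on a
     * filtering error, the inbound attributes are cleared rather than passed through.</p>
     *
     * <p>The pinned service component is released in a {@code finally} block so that a filtering
     * error or an unexpected runtime exception cannot leave it pinned (which would block reloads).</p>
     */
    private void filterAttributes() {
        attributeContext = extContext.getSubcontext(AttributeContext.class);
        if (attributeContext == null) {
            log.debug("{} No attribute context, no attributes to filter", getLogPrefix());
            return;
        }
        if (attributeContext.getIdPAttributes().isEmpty()) {
            log.debug("{} No attributes to filter", getLogPrefix());
            return;
        }
        if (attributeFilterService == null) {
            log.warn("{} No AttributeFilter service provided, clearing inbound attributes", getLogPrefix());
            attributeContext.setIdPAttributes(null);
            return;
        }

        final AttributeFilterContext filterContext = extContext.getSubcontext(AttributeFilterContext.class, true);
        populateFilterContext(filterContext);

        ServiceableComponent<AttributeFilter> component = null;
        try {
            component = attributeFilterService.getServiceableComponent();
            if (component == null) {
                log.error("{} Error while filtering inbound attributes: Invalid Attribute Filter configuration", getLogPrefix());
                attributeContext.setIdPAttributes(null);
            } else {
                component.getComponent().filterAttributes(filterContext);
                // The filter context is transient; drop it before publishing the filtered values.
                filterContext.getParent().removeSubcontext(filterContext);
                attributeContext.setIdPAttributes(filterContext.getFilteredIdPAttributes().values());
            }
        } catch (final AttributeFilterException e) {
            log.error("{} Error while filtering inbound attributes", getLogPrefix(), e);
            attributeContext.setIdPAttributes(null);
        } finally {
            if (component != null) {
                component.unpinComponent();
            }
        }
    }

    /**
     * Configure the filter context for inbound filtering.
     *
     * <p>The issuer ID is taken from the first authenticating authority, when any are present;
     * the requester/proxied-requester lookup strategies are explicitly cleared.</p>
     *
     * @param filterContext context to populate
     */
    private void populateFilterContext(@Nonnull final AttributeFilterContext filterContext) {
        filterContext.setDirection(AttributeFilterContext.Direction.INBOUND)
                .setPrefilteredIdPAttributes(attributeContext.getIdPAttributes().values())
                .setMetadataResolver(metadataResolver)
                .setRequesterMetadataContextLookupStrategy(null)
                .setProxiedRequesterContextLookupStrategy(null);

        if (!extContext.getAuthenticatingAuthorities().isEmpty()) {
            filterContext.setAttributeIssuerID(extContext.getAuthenticatingAuthorities().iterator().next());
        }
    }
}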
