package net.shibboleth.idp.authn.duo.impl;

import com.duosecurity.duoweb.DuoWebException;
import java.security.Principal;
import java.util.Iterator;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import net.shibboleth.idp.authn.AbstractValidationAction;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.SubjectCanonicalizationContext;
import net.shibboleth.idp.authn.duo.DuoAuthAPI;
import net.shibboleth.idp.authn.duo.DuoIntegration;
import net.shibboleth.idp.authn.duo.DuoPrincipal;
import net.shibboleth.idp.authn.duo.context.DuoAuthenticationContext;
import net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.1.6.jar:net/shibboleth/idp/authn/duo/impl/ValidateDuoAuthAPI.class */
/**
 * Validation action that performs a Duo AuthAPI second-factor check for the principal the IdP
 * already knows.
 *
 * <p>Security-relevant behavior of this action, as implemented below:</p>
 * <ul>
 *   <li>The username sent to Duo comes from the configured username lookup strategy (by default a
 *       {@link CanonicalUsernameLookupStrategy}), and {@link #doPreExecute} writes it into the
 *       {@link DuoAuthenticationContext} regardless of any value already present there, so the Duo
 *       result is always cross-checked against the IdP-side principal name.</li>
 *   <li>A device ID carried in the {@link DuoAuthenticationContext} (other than {@code auto}) is
 *       honored only if it matches a device ID or device name in the device list returned by Duo's
 *       preauth call; device names are remapped to the corresponding device ID.</li>
 *   <li>A preauth result of {@code allow} is treated as a Duo policy bypass: the action records
 *       success without calling the auth endpoint.</li>
 *   <li>Any auth result other than {@code allow} or {@code deny}, and any missing response, ends in
 *       {@link AuthnEventIds#AUTHN_EXCEPTION}; it is never treated as success.</li>
 * </ul>
 */
public class ValidateDuoAuthAPI extends AbstractValidationAction {

    /** Default metric name recorded for this action. */
    @NotEmpty
    @Nonnull
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn.duo";

    /** Class logger. */
    @NotEmpty
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateDuoAuthAPI.class);

    /** Strategy used to locate the {@link DuoIntegration} to use; defaults to returning null. */
    @Nonnull
    private Function<ProfileRequestContext, DuoIntegration> duoIntegrationLookupStrategy =
            FunctionSupport.constant(null);

    /** Strategy used to obtain the principal name that the Duo result is cross-checked against. */
    @Nonnull
    private Function<ProfileRequestContext, String> usernameLookupStrategy =
            new CanonicalUsernameLookupStrategy();

    /** Client for the Duo auth endpoint. */
    @Nonnull
    private DuoAuthAuthenticator authAuthenticator;

    /** Client for the Duo preauth endpoint. */
    @Nonnull
    private DuoPreauthAuthenticator preauthAuthenticator;

    /** Duo context located during pre-execution. */
    @NotEmpty
    @Nonnull
    private DuoAuthenticationContext duoContext;

    /** Integration resolved during pre-execution. */
    @Nullable
    private DuoIntegration duoIntegration;

    /** Principal name resolved during pre-execution. */
    @NotEmpty
    @Nullable
    private String username;

    /** Constructor. */
    public ValidateDuoAuthAPI() {
        setMetricName(DEFAULT_METRIC_NAME);
    }

    /**
     * Set the strategy used to locate the {@link DuoIntegration} to use.
     *
     * @param function lookup strategy, may not be null
     */
    public void setDuoIntegrationLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, DuoIntegration> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        duoIntegrationLookupStrategy =
                Constraint.isNotNull(function, "DuoIntegration lookup strategy cannot be null");
    }

    /**
     * Set a fixed {@link DuoIntegration} to use, replacing any lookup strategy.
     *
     * @param duoIntegration the integration, may not be null
     */
    public void setDuoIntegration(@Nonnull final DuoIntegration duoIntegration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        Constraint.isNotNull(duoIntegration, "DuoIntegration cannot be null");
        duoIntegrationLookupStrategy = FunctionSupport.constant(duoIntegration);
    }

    /**
     * Set the strategy used to obtain the principal name the Duo result is cross-checked against.
     *
     * @param function lookup strategy, may not be null
     */
    public void setUsernameLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        usernameLookupStrategy = Constraint.isNotNull(function, "Username lookup strategy cannot be null");
    }

    /**
     * Set the client used for the Duo auth endpoint.
     *
     * @param duoAuthAuthenticator the client, may not be null
     */
    public void setAuthAuthenticator(@Nonnull final DuoAuthAuthenticator duoAuthAuthenticator) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        authAuthenticator = Constraint.isNotNull(duoAuthAuthenticator, "DuoAuthAuthenticator cannot be null");
    }

    /**
     * Set the client used for the Duo preauth endpoint.
     *
     * @param duoPreauthAuthenticator the client, may not be null
     */
    public void setPreauthAuthenticator(@Nonnull final DuoPreauthAuthenticator duoPreauthAuthenticator) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        preauthAuthenticator =
                Constraint.isNotNull(duoPreauthAuthenticator, "DuoPreauthAuthenticator cannot be null");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * {@inheritDoc}
     *
     * @throws ComponentInitializationException if either Duo client has not been injected
     */
    @Override // net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (authAuthenticator == null) {
            throw new ComponentInitializationException("DuoAuthAuthenticator cannot be null");
        } else if (preauthAuthenticator == null) {
            throw new ComponentInitializationException("DuoPreauthAuthenticator cannot be null");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * {@inheritDoc}
     *
     * <p>Resolves the integration, the principal name and the {@link DuoAuthenticationContext}; the
     * resolved principal name is written into the Duo context so the Duo calls are made for the
     * IdP-side user rather than for any name the context carried before.</p>
     */
    @Override // net.shibboleth.idp.authn.AbstractValidationAction, net.shibboleth.idp.authn.AbstractAuthenticationAction
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }

        duoIntegration = duoIntegrationLookupStrategy.apply(profileRequestContext);
        if (duoIntegration == null) {
            log.warn("{} No DuoIntegration returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }

        username = usernameLookupStrategy.apply(profileRequestContext);
        if (username == null) {
            // Without an IdP-side principal name there is nothing to cross-check the Duo result against.
            log.warn("{} No principal name available to cross-check Duo result", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, AuthnEventIds.NO_CREDENTIALS);
            return false;
        }

        duoContext = authenticationContext.getSubcontext(DuoAuthenticationContext.class);
        if (duoContext == null) {
            log.info("{} No DuoAuthenticationContext available", getLogPrefix());
            handleError(profileRequestContext, authenticationContext,
                    "No DuoAuthenticationContext context available", AuthnEventIds.INVALID_AUTHN_CTX);
            recordFailure(profileRequestContext);
            return false;
        }

        if (duoContext.getFactor() == null) {
            log.info("{} No factor set in DuoAuthenticationContext", getLogPrefix());
            handleError(profileRequestContext, authenticationContext,
                    "No Duo factor set in DuoAuthenticationContext", AuthnEventIds.REQUEST_UNSUPPORTED);
            recordFailure(profileRequestContext);
            return false;
        }

        // Bind the Duo request to the IdP-resolved principal, not to whatever the context held.
        duoContext.setUsername(username);
        return true;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Runs preauth, validates any explicit device selection against Duo's device list, then runs
     * auth. Every failure path calls {@code handleError} and {@code recordFailure}; a thrown
     * {@link DuoWebException} (including the ones raised here for missing or unexpected responses)
     * is mapped to {@link AuthnEventIds#AUTHN_EXCEPTION}.</p>
     */
    @Override // net.shibboleth.idp.authn.AbstractAuthenticationAction
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        log.trace("{} Attempting Duo AuthAPI authentication", getLogPrefix());
        try {
            final DuoPreauthResponse preauthResponse =
                    preauthAuthenticator.authenticate(duoContext, duoIntegration);
            if (preauthResponse == null) {
                log.info("{} No Duo AuthAPI preauthentication response", getLogPrefix());
                throw new DuoWebException("No preauthentication response");
            }

            final String preauthResult = preauthResponse.getResult();
            if ("allow".equals(preauthResult)) {
                // Duo policy bypass for this user: success is recorded without an auth call.
                log.info("{} Duo pre-authentication (bypass) succeeded for '{}'", getLogPrefix(), username);
                recordSuccess(profileRequestContext);
                buildAuthenticationResult(profileRequestContext, authenticationContext);
                return;
            } else if (!DuoAuthAPI.DUO_PREAUTH_RESULT_AUTH.equals(preauthResult)) {
                // Anything other than allow/auth (e.g. a deny or enroll result) is an account-level failure.
                log.info("{} Duo pre-authentication failed for '{}': {}", getLogPrefix(), username,
                        preauthResponse.getStatusMessage());
                handleError(profileRequestContext, authenticationContext,
                        String.format("%s:%s:%s", preauthResult, username, preauthResponse.getStatusMessage()),
                        AuthnEventIds.ACCOUNT_ERROR);
                recordFailure(profileRequestContext);
                return;
            }

            if (!resolveDeviceID(preauthResponse)) {
                log.info("{} Duo authentication failed for '{}': non-existent device ID ({})", getLogPrefix(),
                        username, duoContext.getDeviceID());
                handleError(profileRequestContext, authenticationContext, AuthnEventIds.INVALID_CREDENTIALS,
                        AuthnEventIds.INVALID_CREDENTIALS);
                recordFailure(profileRequestContext);
                return;
            }

            final DuoAuthResponse authResponse = authAuthenticator.authenticate(duoContext, duoIntegration);
            if (authResponse == null) {
                log.info("{} No Duo AuthAPI authentication response", getLogPrefix());
                throw new DuoWebException("No authentication response");
            }

            final String authResult = authResponse.getResult();
            if ("allow".equals(authResult)) {
                log.info("{} Duo authentication succeeded for '{}' (Factor: {}, Device: {})", getLogPrefix(),
                        username, duoContext.getFactor(), duoContext.getDeviceID());
                recordSuccess(profileRequestContext);
                buildAuthenticationResult(profileRequestContext, authenticationContext);
            } else if ("deny".equals(authResult)) {
                log.info("{} Duo authentication failed for '{}'", getLogPrefix(), username);
                handleError(profileRequestContext, authenticationContext, authResponse.getStatus(),
                        AuthnEventIds.INVALID_CREDENTIALS);
                recordFailure(profileRequestContext);
            } else {
                // Only an explicit allow is success; an unknown result is an error, not a pass.
                throw new DuoWebException("Unexpected authentication response");
            }
        } catch (final DuoWebException e) {
            log.error("{} Duo AuthAPI access failed for '{}'", getLogPrefix(), username, e);
            handleError(profileRequestContext, authenticationContext, e, AuthnEventIds.AUTHN_EXCEPTION);
            recordFailure(profileRequestContext);
        }
    }

    /**
     * Check an explicitly selected device ID against the devices Duo reported in preauth.
     *
     * <p>No selection, or {@code auto}, is accepted as-is. Otherwise the selection must match either
     * a device ID or a device name from the preauth response; on a name match the context's device
     * ID is rewritten to the real device ID.</p>
     *
     * @param preauthResponse the preauth response carrying the device list
     * @return true if the device selection is usable for the auth call
     */
    private boolean resolveDeviceID(@Nonnull final DuoPreauthResponse preauthResponse) {
        final String requested = duoContext.getDeviceID();
        if (requested == null || "auto".equals(requested)) {
            return true;
        }

        for (final DuoDevice device : preauthResponse.getDevices()) {
            if (requested.equals(device.getDevice())) {
                return true;
            } else if (requested.equals(device.getName())) {
                log.debug("{} Remapped device ID based on device name ({}) for '{}'", getLogPrefix(),
                        device.getName(), username);
                duoContext.setDeviceID(device.getDevice());
                return true;
            }
        }
        return false;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Adds a {@link DuoPrincipal} for the cross-checked username plus the principals the
     * resolved integration reports as supported.</p>
     */
    @Override // net.shibboleth.idp.authn.AbstractValidationAction
    protected Subject populateSubject(@Nonnull final Subject subject) {
        subject.getPrincipals().add(new DuoPrincipal(username));
        subject.getPrincipals().addAll(duoIntegration.getSupportedPrincipals(Principal.class));
        return subject;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * {@inheritDoc}
     *
     * <p>Also records the cross-checked username as the principal name in a (possibly newly
     * created) {@link SubjectCanonicalizationContext}.</p>
     */
    @Override // net.shibboleth.idp.authn.AbstractValidationAction
    public void buildAuthenticationResult(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        super.buildAuthenticationResult(profileRequestContext, authenticationContext);
        final SubjectCanonicalizationContext c14nContext =
                profileRequestContext.getSubcontext(SubjectCanonicalizationContext.class, true);
        c14nContext.setPrincipalName(username);
    }
}
