package net.shibboleth.idp.saml.saml2.profile.delegation.impl;

import java.util.List;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.saml.saml2.profile.config.BrowserSSOProfileConfiguration;
import net.shibboleth.idp.saml.xmlobject.DelegationPolicy;
import net.shibboleth.utilities.java.support.annotation.Prototype;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.util.XMLObjectSupport;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.saml2.core.Advice;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

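/**
 * Profile action that attaches a {@link DelegationPolicy} element, carrying the maximum token
 * delegation chain length, to the {@link Advice} of an outbound SAML 2 {@link Assertion}.
 *
 * <p>The chain length is resolved in {@link #resolveMaxChainLength(ProfileRequestContext)}: from the
 * inbound (attested) assertion token when one is present, otherwise from the relying party's
 * {@link BrowserSSOProfileConfiguration}, otherwise {@link #DEFAULT_POLICY_MAX_CHAIN_LENGTH}.</p>
 *
 * <p>The action keeps per-request state ({@code assertion}, {@code attestedAssertion},
 * {@code maxChainLength}) in instance fields written by {@code doPreExecute} and read by
 * {@code doExecute}, so a single instance must not serve concurrent requests.</p>
 */
@Prototype
/* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.1.6.jar:net/shibboleth/idp/saml/saml2/profile/delegation/impl/AddDelegationPolicyToAssertion.class */
public class AddDelegationPolicyToAssertion extends AbstractProfileAction {

    /** Chain length used when neither the inbound token nor the RP profile config supplies one. */
    @Nonnull
    public static final Long DEFAULT_POLICY_MAX_CHAIN_LENGTH = 1L;

    /** Outbound assertion to decorate; set in {@code doPreExecute}. */
    @Nullable
    private Assertion assertion;

    /** Inbound assertion token presented for delegation, if any; set in {@code doPreExecute}. */
    @Nullable
    private Assertion attestedAssertion;

    /** Chain length resolved for the current request; set in {@code doPreExecute}. */
    @Nullable
    private Long maxChainLength;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AddDelegationPolicyToAssertion.class);

    /** Locates the {@link RelyingPartyContext}; defaults to a direct child of the profile request context. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy =
            new ChildContextLookup<>(RelyingPartyContext.class);

    /** Locates the outbound assertion that receives the policy. */
    @Nonnull
    private Function<ProfileRequestContext, Assertion> assertionLookupStrategy = new AssertionStrategy();

    /** Locates the inbound assertion token whose policy is carried forward. */
    @Nonnull
    private Function<ProfileRequestContext, Assertion> assertionTokenStrategy = new DelegatedAssertionLookupStrategy();

    /**
     * Default outbound-assertion lookup: accepts either a bare {@link Assertion} or a {@link Response}
     * as the outbound message.
     */
    /* loaded from: input_file:WEB-INF/lib/idp-saml-impl-4.1.6.jar:net/shibboleth/idp/saml/saml2/profile/delegation/impl/AddDelegationPolicyToAssertion$AssertionStrategy.class */
    private class AssertionStrategy implements Function<ProfileRequestContext, Assertion> {
        private AssertionStrategy() {
        }

        /**
         * Picks the assertion to decorate from the outbound message.
         *
         * @param profileRequestContext current profile request context, may be null
         * @return the message itself when it is an assertion; for a response, the first assertion
         *         carrying an AuthnStatement, else the response's first assertion; null when there
         *         is no outbound message context, the message is of another type, or the response
         *         holds no assertions
         */
        @Override // java.util.function.Function
        @Nullable
        public Assertion apply(@Nullable ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null || profileRequestContext.getOutboundMessageContext() == null) {
                return null;
            }
            final Object message = profileRequestContext.getOutboundMessageContext().getMessage();
            if (message instanceof Assertion) {
                return (Assertion) message;
            }
            if (!(message instanceof Response)) {
                return null;
            }
            final List<Assertion> candidates = ((Response) message).getAssertions();
            if (candidates.isEmpty()) {
                return null;
            }
            for (final Assertion candidate : candidates) {
                if (!candidate.getAuthnStatements().isEmpty()) {
                    log.debug("Found Assertion with AuthnStatement to decorate in outbound Response");
                    return candidate;
                }
            }
            log.debug("Found no Assertion with AuthnStatement in outbound Response, returning first");
            return candidates.get(0);
        }
    }

    /**
     * Sets the strategy used to locate the inbound assertion token.
     * The change is rejected once the component has been initialized.
     *
     * @param function lookup strategy, must not be null
     */
    public void setAssertionTokenStrategy(@Nonnull Function<ProfileRequestContext, Assertion> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.assertionTokenStrategy = Constraint.isNotNull(function, "Assertion token strategy may not be null");
    }

    /**
     * Sets the strategy used to locate the {@link RelyingPartyContext}.
     * The change is rejected once the component has been initialized.
     *
     * @param function lookup strategy, must not be null
     */
    public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext, RelyingPartyContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy may not be null");
    }

    /**
     * Sets the strategy used to locate the outbound assertion to decorate.
     * The change is rejected once the component has been initialized.
     *
     * @param function lookup strategy, must not be null
     */
    public void setAssertionLookupStrategy(@Nonnull Function<ProfileRequestContext, Assertion> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.assertionLookupStrategy = Constraint.isNotNull(function, "Assertion lookup strategy cannot be null");
    }

    /**
     * Resolves the outbound assertion, the inbound token and the chain length for this request.
     *
     * @param profileRequestContext current profile request context
     * @return false when the superclass declines or no outbound assertion is found, so that
     *         {@code doExecute} never runs without an assertion; true otherwise
     */
    /* JADX INFO: Access modifiers changed from: protected */
    // The decompiler widened this method to public; it is left public so the visible signature is unchanged.
    @Override // org.opensaml.profile.action.AbstractConditionalProfileAction, org.opensaml.profile.action.AbstractProfileAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.assertion = this.assertionLookupStrategy.apply(profileRequestContext);
        if (this.assertion == null) {
            this.log.debug("No assertion found, nothing to do");
            return false;
        }
        // The token must be looked up before the chain length: resolveMaxChainLength reads attestedAssertion.
        this.attestedAssertion = this.assertionTokenStrategy.apply(profileRequestContext);
        this.maxChainLength = resolveMaxChainLength(profileRequestContext);
        this.log.debug("Resolved token max delegation chain length: {}", this.maxChainLength);
        return true;
    }

    /**
     * Builds a {@link DelegationPolicy} with the resolved chain length and appends it to the
     * assertion's {@link Advice}, creating the Advice element when the assertion has none.
     *
     * @param profileRequestContext current profile request context
     */
    @Override // org.opensaml.profile.action.AbstractProfileAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        final DelegationPolicy delegationPolicy =
                (DelegationPolicy) XMLObjectSupport.buildXMLObject(DelegationPolicy.DEFAULT_ELEMENT_NAME);
        delegationPolicy.setMaximumTokenDelegationChainLength(this.maxChainLength);
        if (this.assertion.getAdvice() == null) {
            this.assertion.setAdvice((Advice) XMLObjectSupport.buildXMLObject(Advice.DEFAULT_ELEMENT_NAME));
        }
        this.assertion.getAdvice().getChildren().add(delegationPolicy);
    }

    /**
     * Resolves the maximum delegation chain length to place in the outbound policy.
     *
     * <p>When an inbound token is present, only that token is consulted: the value of its first
     * {@link DelegationPolicy} is carried forward unchanged and the relying party configuration is
     * not read. Without an inbound token, the value comes from the relying party's
     * {@link BrowserSSOProfileConfiguration}. In every other case the result is
     * {@link #DEFAULT_POLICY_MAX_CHAIN_LENGTH}.</p>
     *
     * @param profileRequestContext current profile request context
     * @return the resolved chain length, never null
     */
    @Nonnull
    protected Long resolveMaxChainLength(@Nonnull ProfileRequestContext profileRequestContext) {
        if (this.attestedAssertion != null) {
            this.log.debug("Saw inbound assertion token, attempting to extract max delegation chain length from token's DelegationPolicy");
            // NOTE(review): the value below is copied from the presented token without a range check.
            // This action presumably relies on the token having been validated earlier in the flow - confirm.
            final Advice tokenAdvice = this.attestedAssertion.getAdvice();
            if (tokenAdvice != null) {
                final List<XMLObject> policies = tokenAdvice.getChildren(DelegationPolicy.DEFAULT_ELEMENT_NAME);
                if (policies != null && !policies.isEmpty()) {
                    final Long inherited = ((DelegationPolicy) policies.get(0)).getMaximumTokenDelegationChainLength();
                    // A policy without the length would otherwise make this @Nonnull method return null
                    // and the outbound policy would be written with no limit value; use the default instead.
                    if (inherited != null) {
                        return inherited;
                    }
                    this.log.debug("Inbound token's DelegationPolicy carried no max delegation chain length");
                }
            }
        } else {
            this.log.debug("Attempting to resolve max delegation chain length from RP profile config");
            final RelyingPartyContext rpContext = this.relyingPartyContextLookupStrategy.apply(profileRequestContext);
            if (rpContext != null) {
                if (rpContext.getProfileConfig() instanceof BrowserSSOProfileConfiguration) {
                    return Long.valueOf(((BrowserSSOProfileConfiguration) rpContext.getProfileConfig())
                            .getMaximumTokenDelegationChainLength(profileRequestContext));
                }
                this.log.debug("Profile config was not BrowserSSOProfileConfiguration, can't evaluate: {}",
                        rpContext.getProfileConfig() != null ? rpContext.getProfileConfig().getClass().getName() : "null");
            }
        }
        this.log.debug("Unable to resolve max delegation chain length from inbound token or profile config, returning default: {}", DEFAULT_POLICY_MAX_CHAIN_LENGTH);
        return DEFAULT_POLICY_MAX_CHAIN_LENGTH;
    }
}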
