package org.opensaml.saml.saml2.profile.impl;

import com.google.common.base.Function;
import com.google.common.base.Functions;
import com.google.common.base.Predicate;
import com.google.common.base.Strings;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy;
import net.shibboleth.utilities.java.support.security.SecureRandomIdentifierGenerationStrategy;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.messaging.context.navigate.MessageLookup;
import org.opensaml.profile.action.AbstractProfileAction;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.action.EventIds;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.opensaml.saml.common.SAMLException;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.SAMLObjectBuilder;
import org.opensaml.saml.common.profile.SAMLEventIds;
import org.opensaml.saml.common.profile.logic.DefaultNameIDPolicyPredicate;
import org.opensaml.saml.common.profile.logic.MetadataNameIdentifierFormatStrategy;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameID;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.core.NameIDType;
import org.opensaml.saml.saml2.core.RequestAbstractType;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.Subject;
import org.opensaml.saml.saml2.profile.SAML2ActionSupport;
import org.opensaml.saml.saml2.profile.SAML2NameIDGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-3.3.0.jar:org/opensaml/saml/saml2/profile/impl/AddNameIDToSubjects.class */
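/**
 * Profile action that generates a SAML 2.0 {@link NameID} and attaches it to the {@link Subject}
 * of every outgoing {@link Assertion}.
 *
 * <p>{@link #doPreExecute} resolves the per-request inputs (identifier generator, issuer, target
 * assertions, NameIDPolicy acceptability, candidate formats) and stores them in instance fields.
 * {@link #doExecute} then asks the configured {@link SAML2NameIDGenerator} for a NameID and writes
 * it into the subjects.
 *
 * <p>Review notes:
 * <ul>
 *   <li>Per-request state ({@code request}, {@code assertions}, {@code formats},
 *       {@code requiredFormat}, {@code idGenerator}, {@code issuerId}) lives in unsynchronized
 *       instance fields. Sharing one instance between concurrent requests would mix their state;
 *       presumably each request gets its own instance. Confirm this against the wiring.</li>
 *   <li>The NameIDPolicy and the Issuer are read from the inbound request. Nothing in this class
 *       checks that the request was authenticated, so the requested format and the requester id
 *       are caller-supplied values here. Presumably earlier steps in the flow validate the
 *       message; verify.</li>
 *   <li>This listing is decompiler output. {@code mo11865buildObject} looks like a
 *       decompiler-assigned alias, presumably for the builder's {@code buildObject()}. Confirm
 *       before compiling against the real library.</li>
 * </ul>
 */
public class AddNameIDToSubjects extends AbstractProfileAction {

    /** Optional strategy yielding the issuer name used when this action has to create an assertion. */
    @Nullable
    private Function<ProfileRequestContext, String> issuerLookupStrategy;

    /** Strategy yielding the candidate NameID formats when the request does not require one. */
    @Nonnull
    private Function<ProfileRequestContext, List<String>> formatLookupStrategy;

    /** Generator that produces the NameID; {@link #doInitialize} fails if it was never set. */
    @NonnullAfterInit
    private SAML2NameIDGenerator generator;

    /** Formats to try, in order, for the current request. */
    @NonnullElements
    @Nonnull
    private List<String> formats;

    /** Format demanded by the request's NameIDPolicy, or {@code null} if none is binding. */
    @Nullable
    private String requiredFormat;

    /** Inbound AuthnRequest for the current request, if any. */
    @Nullable
    private AuthnRequest request;

    /** Assertions whose subjects will be updated for the current request. */
    @Nullable
    private List<Assertion> assertions;

    /** Identifier generator handed to the assertion builder when an assertion has to be created. */
    @Nullable
    private IdentifierGenerationStrategy idGenerator;

    /** Issuer name resolved for the current request, if an issuer strategy is configured. */
    @Nullable
    private String issuerId;

    @Nonnull
    private final Logger log = LoggerFactory.getLogger((Class<?>) AddNameIDToSubjects.class);

    /** Builder for Subject elements that are missing on an assertion. */
    @Nonnull
    private SAMLObjectBuilder<Subject> subjectBuilder = (SAMLObjectBuilder) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilderOrThrow(Subject.DEFAULT_ELEMENT_NAME);

    /** Builder used to copy the generated NameID for additional assertions. */
    @Nonnull
    private SAMLObjectBuilder<NameID> nameIdBuilder = (SAMLObjectBuilder) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilderOrThrow(NameID.DEFAULT_ELEMENT_NAME);

    /** Whether a NameID already present on a subject is replaced. Defaults to {@code true}. */
    private boolean overwriteExisting = true;

    /** Default: the AuthnRequest found in the inbound message context. */
    @Nonnull
    private Function<ProfileRequestContext, AuthnRequest> requestLookupStrategy = Functions.compose(new MessageLookup(AuthnRequest.class), new InboundMessageContextLookup());

    /** Default: see {@link AssertionStrategy}. */
    @Nonnull
    private Function<ProfileRequestContext, List<Assertion>> assertionsLookupStrategy = new AssertionStrategy();

    /** Default: a fresh {@link SecureRandomIdentifierGenerationStrategy} on every lookup. */
    @Nonnull
    private Function<ProfileRequestContext, IdentifierGenerationStrategy> idGeneratorLookupStrategy = new Function<ProfileRequestContext, IdentifierGenerationStrategy>() { // from class: org.opensaml.saml.saml2.profile.impl.AddNameIDToSubjects.1
        @Override // com.google.common.base.Function, java.util.function.Function
        public IdentifierGenerationStrategy apply(ProfileRequestContext profileRequestContext) {
            return new SecureRandomIdentifierGenerationStrategy();
        }
    };

    /** Gate evaluated in {@link #doPreExecute}; a {@code false} result aborts with INVALID_NAMEID_POLICY. */
    @Nonnull
    private Predicate<ProfileRequestContext> nameIDPolicyPredicate = new DefaultNameIDPolicyPredicate();

    /* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-3.3.0.jar:org/opensaml/saml/saml2/profile/impl/AddNameIDToSubjects$AssertionStrategy.class */
    /**
     * Default assertion lookup: resolves the assertions from the outbound message.
     *
     * <p>An {@link Assertion} message is returned as a singleton list and a {@link Response}
     * yields its assertion list. When the outbound message is absent, a new assertion is built
     * and installed as the outbound message. Any other message type yields {@code null}.
     */
    private class AssertionStrategy implements Function<ProfileRequestContext, List<Assertion>> {
        private AssertionStrategy() {
        }

        @Override // com.google.common.base.Function, java.util.function.Function
        @Nullable
        public List<Assertion> apply(@Nullable ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null || profileRequestContext.getOutboundMessageContext() == null) {
                return null;
            }
            Object message = profileRequestContext.getOutboundMessageContext().getMessage();
            if (message == null) {
                // Side effect: the lookup itself creates the assertion and makes it the outbound message.
                Assertion buildAssertion = SAML2ActionSupport.buildAssertion(AddNameIDToSubjects.this, AddNameIDToSubjects.this.idGenerator, AddNameIDToSubjects.this.issuerId);
                profileRequestContext.getOutboundMessageContext().setMessage(buildAssertion);
                return Collections.singletonList(buildAssertion);
            }
            if (message instanceof Assertion) {
                return Collections.singletonList((Assertion) message);
            }
            if (message instanceof Response) {
                return ((Response) message).getAssertions();
            }
            return null;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-3.3.0.jar:org/opensaml/saml/saml2/profile/impl/AddNameIDToSubjects$NameIDPolicyLookupFunction.class */
    /** Returns the NameIDPolicy of the looked-up AuthnRequest, or {@code null} when there is no request. */
    public static class NameIDPolicyLookupFunction implements Function<ProfileRequestContext, SAMLObject> {

        @Nonnull
        private Function<ProfileRequestContext, AuthnRequest> requestLookupStrategy = Functions.compose(new MessageLookup(AuthnRequest.class), new InboundMessageContextLookup());

        /**
         * Replaces the strategy used to find the AuthnRequest.
         *
         * @param function lookup strategy; passed through {@code Constraint.isNotNull}
         */
        public void setRequestLookupStrategy(@Nonnull Function<ProfileRequestContext, AuthnRequest> function) {
            this.requestLookupStrategy = (Function) Constraint.isNotNull(function, "AuthnRequest lookup strategy cannot be null");
        }

        @Override // com.google.common.base.Function, java.util.function.Function
        @Nullable
        public SAMLObject apply(@Nullable ProfileRequestContext profileRequestContext) {
            AuthnRequest apply = this.requestLookupStrategy.apply(profileRequestContext);
            if (apply != null) {
                return apply.getNameIDPolicy();
            }
            return null;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/opensaml-saml-impl-3.3.0.jar:org/opensaml/saml/saml2/profile/impl/AddNameIDToSubjects$RequesterIdFromIssuerFunction.class */
    /**
     * Derives the requester id from the Issuer element of the inbound request.
     *
     * <p>The value is returned only when the Issuer has no Format or the entity format; any other
     * Format yields {@code null}. The value is taken from the request as-is; this class does not
     * tie it to an authenticated peer.
     */
    public static class RequesterIdFromIssuerFunction implements Function<ProfileRequestContext, String> {

        @Nonnull
        private Function<ProfileRequestContext, RequestAbstractType> requestLookupStrategy = Functions.compose(new MessageLookup(RequestAbstractType.class), new InboundMessageContextLookup());

        /**
         * Replaces the strategy used to find the request.
         *
         * @param function lookup strategy; passed through {@code Constraint.isNotNull}
         */
        public void setRequestLookupStrategy(@Nonnull Function<ProfileRequestContext, RequestAbstractType> function) {
            this.requestLookupStrategy = (Function) Constraint.isNotNull(function, "Request lookup strategy cannot be null");
        }

        @Override // com.google.common.base.Function, java.util.function.Function
        @Nullable
        public String apply(@Nullable ProfileRequestContext profileRequestContext) {
            RequestAbstractType apply = this.requestLookupStrategy.apply(profileRequestContext);
            if (apply == null || apply.getIssuer() == null) {
                return null;
            }
            Issuer issuer = apply.getIssuer();
            if (issuer.getFormat() == null || "urn:oasis:names:tc:SAML:2.0:nameid-format:entity".equals(issuer.getFormat())) {
                return issuer.getValue();
            }
            return null;
        }
    }

    /**
     * Wires the default NameIDPolicy predicate to the request's Issuer and NameIDPolicy,
     * initializes it, and installs the metadata-based format strategy.
     *
     * @throws ComponentInitializationException declared by the predicate's {@code initialize()}
     */
    public AddNameIDToSubjects() throws ComponentInitializationException {
        ((DefaultNameIDPolicyPredicate) this.nameIDPolicyPredicate).setRequesterIdLookupStrategy(new RequesterIdFromIssuerFunction());
        ((DefaultNameIDPolicyPredicate) this.nameIDPolicyPredicate).setObjectLookupStrategy(new NameIDPolicyLookupFunction());
        ((DefaultNameIDPolicyPredicate) this.nameIDPolicyPredicate).initialize();
        this.formatLookupStrategy = new MetadataNameIdentifierFormatStrategy();
        this.formats = Collections.emptyList();
    }

    /**
     * Sets whether a NameID already present on a subject is replaced.
     *
     * @param z {@code true} to replace an existing NameID, {@code false} to keep it
     */
    public void setOverwriteExisting(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.overwriteExisting = z;
    }

    /**
     * Sets the strategy used to locate the inbound AuthnRequest.
     *
     * @param function lookup strategy; passed through {@code Constraint.isNotNull}
     */
    public void setRequestLookupStrategy(@Nonnull Function<ProfileRequestContext, AuthnRequest> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.requestLookupStrategy = (Function) Constraint.isNotNull(function, "AuthnRequest lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to locate the assertions to modify.
     *
     * @param function lookup strategy; passed through {@code Constraint.isNotNull}
     */
    public void setAssertionsLookupStrategy(@Nonnull Function<ProfileRequestContext, List<Assertion>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.assertionsLookupStrategy = (Function) Constraint.isNotNull(function, "Assertions lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to obtain the identifier generator.
     *
     * @param function lookup strategy; passed through {@code Constraint.isNotNull}
     */
    public void setIdentifierGeneratorLookupStrategy(@Nonnull Function<ProfileRequestContext, IdentifierGenerationStrategy> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.idGeneratorLookupStrategy = (Function) Constraint.isNotNull(function, "IdentifierGenerationStrategy lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to obtain the issuer name.
     *
     * @param function lookup strategy, or {@code null} to leave the issuer unset
     */
    public void setIssuerLookupStrategy(@Nullable Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.issuerLookupStrategy = function;
    }

    /**
     * Sets the predicate that decides whether the request's NameIDPolicy is acceptable.
     *
     * @param predicate policy gate; passed through {@code Constraint.isNotNull}
     */
    public void setNameIDPolicyPredicate(@Nonnull Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.nameIDPolicyPredicate = (Predicate) Constraint.isNotNull(predicate, "NameIDPolicy predicate cannot be null");
    }

    /**
     * Sets the strategy that supplies candidate NameID formats.
     *
     * @param function lookup strategy; passed through {@code Constraint.isNotNull}
     */
    public void setFormatLookupStrategy(@Nonnull Function<ProfileRequestContext, List<String>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.formatLookupStrategy = (Function) Constraint.isNotNull(function, "Format lookup strategy cannot be null");
    }

    /**
     * Sets the NameID generator.
     *
     * @param sAML2NameIDGenerator generator to use; annotated {@code @Nullable} in this listing but
     *     still passed through {@code Constraint.isNotNull}
     */
    public void setNameIDGenerator(@Nullable SAML2NameIDGenerator sAML2NameIDGenerator) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.generator = (SAML2NameIDGenerator) Constraint.isNotNull(sAML2NameIDGenerator, "SAML2NameIDGenerator cannot be null");
    }

    /**
     * Fails initialization when no NameID generator has been configured.
     *
     * @throws ComponentInitializationException if the generator is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.utilities.java.support.component.AbstractInitializableComponent
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.generator == null) {
            throw new ComponentInitializationException("SAML2NameIDGenerator cannot be null");
        }
    }

    /**
     * Resolves the per-request inputs and decides whether {@link #doExecute} should run.
     *
     * <p>Signals INVALID_PROFILE_CTX when no identifier generator is available and
     * INVALID_NAMEID_POLICY when the policy predicate rejects the request. Returns {@code false}
     * without an event when there are no assertions or no candidate formats.
     *
     * @param profileRequestContext current profile request context
     * @return {@code true} if a NameID should be generated
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.opensaml.profile.action.AbstractProfileAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.log.debug("{} Attempting to add NameID to outgoing Assertion Subjects", getLogPrefix());
        this.idGenerator = this.idGeneratorLookupStrategy.apply(profileRequestContext);
        if (this.idGenerator == null) {
            this.log.debug("{} No identifier generation strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EventIds.INVALID_PROFILE_CTX);
            return false;
        }
        if (this.issuerLookupStrategy != null) {
            this.issuerId = this.issuerLookupStrategy.apply(profileRequestContext);
        }
        // Must run after idGenerator/issuerId are set: the default strategy reads both when it builds an assertion.
        this.assertions = this.assertionsLookupStrategy.apply(profileRequestContext);
        if (this.assertions == null || this.assertions.isEmpty()) {
            this.log.debug("{} No assertions returned, nothing to do", getLogPrefix());
            return false;
        }
        // The policy gate runs before the requested format is honoured below.
        if (!this.nameIDPolicyPredicate.apply(profileRequestContext)) {
            this.log.debug("{} NameIDPolicy was unacceptable", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, SAMLEventIds.INVALID_NAMEID_POLICY);
            return false;
        }
        this.request = this.requestLookupStrategy.apply(profileRequestContext);
        this.requiredFormat = getRequiredFormat(profileRequestContext);
        if (this.requiredFormat != null) {
            // A format required by the request replaces the configured candidates entirely.
            this.formats = Collections.singletonList(this.requiredFormat);
            // NOTE(review): the format string comes from the request and is logged verbatim;
            // confirm the log encoder neutralises control characters.
            this.log.debug("{} Request specified NameID format: {}", getLogPrefix(), this.requiredFormat);
            return true;
        }
        this.formats = this.formatLookupStrategy.apply(profileRequestContext);
        if (this.formats == null || this.formats.isEmpty()) {
            this.log.debug("{} No candidate NameID formats, nothing to do", getLogPrefix());
            return false;
        }
        this.log.debug("{} Candidate NameID formats: {}", getLogPrefix(), this.formats);
        return true;
    }

    /**
     * Generates the NameID and sets it on the subject of each resolved assertion.
     *
     * <p>If no NameID can be generated and the request required a specific format, signals
     * INVALID_NAMEID_POLICY; without a required format the subjects are left untouched. A subject
     * that already carries a NameID is modified only when {@code overwriteExisting} is set.
     *
     * @param profileRequestContext current profile request context
     */
    @Override // org.opensaml.profile.action.AbstractProfileAction
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        NameID generated = generateNameID(profileRequestContext);
        if (generated == null) {
            if (this.requiredFormat == null) {
                this.log.debug("{} Unable to generate a NameID, leaving empty", getLogPrefix());
                return;
            } else {
                this.log.warn("{} Request specified use of an unsupportable identifier format: {}", getLogPrefix(), this.requiredFormat);
                ActionSupport.buildEvent(profileRequestContext, SAMLEventIds.INVALID_NAMEID_POLICY);
                return;
            }
        }
        // Count only subjects that were actually written so the debug line below reports
        // what changed rather than how many assertions were visited.
        int updated = 0;
        for (Assertion assertion : this.assertions) {
            Subject subject = getAssertionSubject(assertion);
            if (subject.getNameID() == null || this.overwriteExisting) {
                // The first subject receives the generated object and later ones a copy;
                // presumably one NameID object cannot be attached to two subjects.
                subject.setNameID(updated > 0 ? cloneNameID(generated) : generated);
                updated++;
            }
        }
        if (updated > 0) {
            this.log.debug("{} Added NameID to {} assertion subject(s)", getLogPrefix(), Integer.valueOf(updated));
        }
    }

    /**
     * Extracts the format the request's NameIDPolicy makes binding.
     *
     * @param profileRequestContext current profile request context (not read here)
     * @return the requested format, or {@code null} when there is no request or policy, or when
     *     the format is empty, "unspecified" or {@code NameIDType.ENCRYPTED}
     */
    @Nullable
    private String getRequiredFormat(@Nonnull ProfileRequestContext profileRequestContext) {
        NameIDPolicy nameIDPolicy;
        if (this.request == null || (nameIDPolicy = this.request.getNameIDPolicy()) == null) {
            return null;
        }
        String format = nameIDPolicy.getFormat();
        if (Strings.isNullOrEmpty(format) || "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".equals(format) || NameIDType.ENCRYPTED.equals(format)) {
            return null;
        }
        return format;
    }

    /**
     * Tries each candidate format in order and returns the first NameID produced.
     *
     * <p>A {@link SAMLException} from the generator is logged and the next format is tried. The
     * result is scoped to the {@code try} block so a failed attempt can never be read as a
     * result. The flattened form in the original listing read a possibly unassigned local after
     * the catch.
     *
     * @param profileRequestContext current profile request context
     * @return the generated NameID, or {@code null} if no format produced one
     */
    @Nullable
    private NameID generateNameID(@Nonnull ProfileRequestContext profileRequestContext) {
        for (String format : this.formats) {
            this.log.debug("{} Trying to generate NameID with Format {}", getLogPrefix(), format);
            try {
                NameID generated = this.generator.generate(profileRequestContext, format);
                if (generated != null) {
                    this.log.debug("{} Successfully generated NameID with Format {}", getLogPrefix(), format);
                    return generated;
                }
            } catch (SAMLException e) {
                this.log.error("{} Error while generating NameID", getLogPrefix(), e);
            }
        }
        return null;
    }

    /**
     * Returns the assertion's Subject, creating and attaching an empty one if it is missing.
     *
     * @param assertion assertion to inspect
     * @return the existing or newly attached Subject
     */
    @Nonnull
    private Subject getAssertionSubject(@Nonnull Assertion assertion) {
        if (assertion.getSubject() != null) {
            return assertion.getSubject();
        }
        Subject mo11865buildObject = this.subjectBuilder.mo11865buildObject();
        assertion.setSubject(mo11865buildObject);
        return mo11865buildObject;
    }

    /**
     * Builds a new NameID carrying the same Format, NameQualifier, SPNameQualifier, SPProvidedID
     * and value as the given one.
     *
     * @param nameID NameID to copy
     * @return the copy
     */
    @Nonnull
    private NameID cloneNameID(@Nonnull NameID nameID) {
        NameID mo11865buildObject = this.nameIdBuilder.mo11865buildObject();
        mo11865buildObject.setFormat(nameID.getFormat());
        mo11865buildObject.setNameQualifier(nameID.getNameQualifier());
        mo11865buildObject.setSPNameQualifier(nameID.getSPNameQualifier());
        mo11865buildObject.setSPProvidedID(nameID.getSPProvidedID());
        mo11865buildObject.setValue(nameID.getValue());
        return mo11865buildObject;
    }
}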
