package pl.edu.icm.unity.engine.authn;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.attribute.Attribute;
import pl.edu.icm.unity.base.attribute.AttributeExt;
import pl.edu.icm.unity.base.attribute.IllegalAttributeValueException;
import pl.edu.icm.unity.base.authn.AuthenticationOptionKey;
import pl.edu.icm.unity.base.authn.CredentialPublicInformation;
import pl.edu.icm.unity.base.authn.LocalCredentialState;
import pl.edu.icm.unity.base.entity.Entity;
import pl.edu.icm.unity.base.entity.EntityParam;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.identity.Identity;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.AttributeValueConverter;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.authn.AuthenticationFlow;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.AuthenticatorInstance;
import pl.edu.icm.unity.engine.api.authn.DynamicPolicyConfigurationMVELContextKey;
import pl.edu.icm.unity.engine.api.authn.RemoteAuthnMetadata;
import pl.edu.icm.unity.engine.api.authn.SigInInProgressContext;
import pl.edu.icm.unity.engine.attribute.AttributesHelper;
import pl.edu.icm.unity.store.api.tx.TransactionalRunner;

@Component
/* loaded from: input_file:pl/edu/icm/unity/engine/authn/AuthenticationFlowPolicyConfigMVELContextBuilder.class */
class AuthenticationFlowPolicyConfigMVELContextBuilder {
    // Logger in the "unity.server.authn" category. This class writes the policy input dump at debug
    // level and the assembled MVEL context at trace level; both contain identities and attribute values.
    private static final Logger log = Log.getLogger("unity.server.authn", AuthenticationFlowPolicyConfigMVELContextBuilder.class);
    // Loads the entity's attributes and drops the security-sensitive ones before they reach the context.
    private final AttributesHelper attributesHelper;
    // Injected with @Qualifier("insecure") by the constructor.
    // NOTE(review): presumably the variant that performs no caller authorization checks - confirm, and
    // keep its results inside this class.
    private final EntityManagement identitiesMan;
    // Converts stored attribute values to their external string and object forms.
    private final AttributeValueConverter attrConverter;
    // Runs the attribute lookup inside a store transaction.
    private final TransactionalRunner tx;

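    /**
     * Immutable snapshot of the data a dynamic authentication-flow policy is evaluated against.
     *
     * <p>Declared as a real {@code record}: the decompiled form extended {@code java.lang.Record}
     * directly and invoked {@code ObjectMethods.bootstrap} by hand, which javac rejects. The
     * compiler-generated {@code toString}/{@code hashCode}/{@code equals} and accessors are the
     * same members. The record is private, as the decompiler reported for the original.
     *
     * @param entity the authenticated entity, including its identities and credential info
     * @param context metadata of the remote authentication, or {@code null} for a local one
     * @param attributes attributes of the entity; the enclosing builder passes the collection
     *        returned by {@code AttributesHelper.filterSecuritySensitive}
     * @param groups names of the groups the entity belongs to
     * @param userOptIn value stored under the {@code userOptIn} context key
     * @param authenticationFlow flow whose second-factor authenticators are inspected
     * @param firstFactorOptionId option used for the first authentication factor
     * @param sigInInProgressContext sign-in context carrying the requested ACRs; may be {@code null}
     */
    private record AuthenticationFlowPolicyContextInput(
            Entity entity,
            RemoteAuthnMetadata context,
            Collection<AttributeExt> attributes,
            List<String> groups,
            boolean userOptIn,
            AuthenticationFlow authenticationFlow,
            AuthenticationOptionKey firstFactorOptionId,
            SigInInProgressContext sigInInProgressContext) {

        /**
         * Renders the policy input as multi-line text for diagnostic logging.
         *
         * <p>The output lists the entity's identities, attribute values and group names, so any
         * log that receives it holds personal data and should be protected and retained accordingly.
         *
         * @return the human-readable dump, one item per line
         */
        String getTextDump() {
            StringBuilder dump = new StringBuilder();
            dump.append("Entity ").append(entity.getId()).append(":\n");
            for (Identity identity : entity.getIdentities()) {
                dump.append(" - ").append(identity.toString()).append("\n");
            }
            if (!attributes.isEmpty()) {
                dump.append("Attributes:\n");
                for (AttributeExt attribute : attributes) {
                    dump.append(" - ").append(attribute).append("\n");
                }
            }
            if (!groups.isEmpty()) {
                dump.append("Groups: ").append(groups).append("\n");
            }
            dump.append("UserOptIn:").append(userOptIn).append("\n");
            // Requested ACRs are printed only when the sign-in context carries at least one.
            if (sigInInProgressContext != null && !sigInInProgressContext.acr().getAll().isEmpty()) {
                dump.append("Requested voluntary ACRs: ").append(sigInInProgressContext.acr().voluntaryACRs()).append("\n");
                dump.append("Requested essential ACRs: ").append(sigInInProgressContext.acr().essentialACRs()).append("\n");
            }
            // The upstream section is present only for remote authentications.
            if (context != null) {
                dump.append("Upstream protocol: ").append(context.protocol().name()).append("\n");
                dump.append("Upstream ACRs: ").append(context.classReferences()).append("\n");
                dump.append("Upstream IDP: ").append(context.remoteIdPId()).append("\n");
            }
            return dump.toString();
        }
    }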

    /**
     * Wires the collaborators used to assemble the policy evaluation context.
     *
     * @param attributesHelper loads and filters the entity's attributes
     * @param entityManagement entity facade selected with the {@code "insecure"} qualifier.
     *        NOTE(review): presumably this variant skips caller authorization checks - confirm;
     *        the data it returns is used here only to build the policy context.
     * @param attributeValueConverter converts stored attribute values for the context
     * @param transactionalRunner runs the attribute lookup inside a transaction
     */
    AuthenticationFlowPolicyConfigMVELContextBuilder(AttributesHelper attributesHelper, @Qualifier("insecure") EntityManagement entityManagement, AttributeValueConverter attributeValueConverter, TransactionalRunner transactionalRunner) {
        this.tx = transactionalRunner;
        this.attrConverter = attributeValueConverter;
        this.identitiesMan = entityManagement;
        this.attributesHelper = attributesHelper;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
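    /**
     * Builds the variable map against which a dynamic authentication-flow policy is evaluated.
     *
     * <p>The entity, its groups and its attributes are loaded for the entity named by the
     * successful authentication result. Attributes pass through
     * {@code AttributesHelper.filterSecuritySensitive} before they are placed in the context.
     * Upstream metadata (ACRs, IdP id, protocol) is taken from the remote authentication input;
     * NOTE(review): these values presumably originate outside this server, so policy expressions
     * should treat them as data to compare, not as trusted configuration.
     *
     * @param authenticationOptionKey option used for the first factor
     * @param authenticationResult first-factor result; its success result is dereferenced
     *        unconditionally, so the caller must pass a successful result
     * @param z the user opt-in flag, exposed under the {@code userOptIn} key
     * @param authenticationFlow flow whose second-factor authenticators are checked
     * @param sigInInProgressContext sign-in context with the requested ACRs; may be {@code null}
     * @return the MVEL variables keyed by {@code DynamicPolicyConfigurationMVELContextKey} names
     * @throws EngineException if loading the entity, groups or attributes fails
     */
    public Map<String, Object> createMvelContext(AuthenticationOptionKey authenticationOptionKey, AuthenticationResult authenticationResult, boolean z, AuthenticationFlow authenticationFlow, SigInInProgressContext sigInInProgressContext) throws EngineException {
        EntityParam entityParam = new EntityParam(authenticationResult.getSuccessResult().authenticatedEntity.getEntityId());
        Entity entity = this.identitiesMan.getEntity(entityParam);
        List<String> groupNames = this.identitiesMan.getGroupsForPresentation(entityParam).stream()
                .map(group -> group.getName())
                .collect(Collectors.toList());
        // Only the attributes that survive the security-sensitive filter are exposed to the policy.
        Collection<AttributeExt> visibleAttributes = this.attributesHelper.filterSecuritySensitive((Collection) this.tx.runInTransactionRetThrowing(() -> {
            return this.attributesHelper.getAttributesInternal(entityParam.getEntityId().longValue(), true, "/", (String) null, false);
        }));
        RemoteAuthnMetadata remoteAuthnMetadata = null;
        if (authenticationResult.isRemote()) {
            remoteAuthnMetadata = authenticationResult.asRemote().getSuccessResult().getRemotelyAuthenticatedPrincipal().getAuthnInput().getRemoteAuthnMetadata();
        }
        AuthenticationFlowPolicyContextInput input = new AuthenticationFlowPolicyContextInput(entity, remoteAuthnMetadata, visibleAttributes, groupNames, z, authenticationFlow, authenticationOptionKey, sigInInProgressContext);
        // The dump contains identities and attribute values; build it only when debug output is
        // enabled, so that this text is neither computed nor held in memory on every authentication.
        if (log.isDebugEnabled()) {
            log.debug("Authentication flow policy context input:\n" + input.getTextDump());
        }
        return setupContext(input);
    }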

    /**
     * Translates the collected policy input into the MVEL variable map.
     *
     * <p>Every key is the {@code name()} of a {@code DynamicPolicyConfigurationMVELContextKey}
     * constant. The finished map, including attribute and identity values, is written to the
     * trace log.
     *
     * @param authenticationFlowPolicyContextInput the collected policy input
     * @return the populated variable map
     * @throws EngineException if attribute conversion or the credential check fails
     */
    private Map<String, Object> setupContext(AuthenticationFlowPolicyContextInput authenticationFlowPolicyContextInput) throws EngineException {
        Map<String, Object> variables = new HashMap<>();
        Entity subject = authenticationFlowPolicyContextInput.entity();
        SigInInProgressContext signIn = authenticationFlowPolicyContextInput.sigInInProgressContext();

        addAttributesToContext(
                DynamicPolicyConfigurationMVELContextKey.attr.name(),
                DynamicPolicyConfigurationMVELContextKey.attrObj.name(),
                variables,
                authenticationFlowPolicyContextInput.attributes(),
                this.attrConverter);
        variables.put(DynamicPolicyConfigurationMVELContextKey.idsByType.name(), getIdentitiesByType(subject));
        variables.put(DynamicPolicyConfigurationMVELContextKey.groups.name(), authenticationFlowPolicyContextInput.groups());
        variables.putAll(getAuthnContextMvelVariables(authenticationFlowPolicyContextInput.context()));
        variables.put(DynamicPolicyConfigurationMVELContextKey.userOptIn.name(), Boolean.valueOf(authenticationFlowPolicyContextInput.userOptIn()));
        variables.put(DynamicPolicyConfigurationMVELContextKey.authentication1F.name(), authenticationFlowPolicyContextInput.firstFactorOptionId().getAuthenticatorKey());

        boolean secondFactorAvailable = hasValid2FCredential(subject, authenticationFlowPolicyContextInput.authenticationFlow());
        variables.put(DynamicPolicyConfigurationMVELContextKey.hasValid2FCredential.name(), Boolean.valueOf(secondFactorAvailable));

        // Without a sign-in context both requested-ACR variables are empty lists.
        Object requestedAcrs = List.of();
        if (signIn != null) {
            requestedAcrs = signIn.acr().getAll();
        }
        variables.put(DynamicPolicyConfigurationMVELContextKey.requestedACRs.name(), requestedAcrs);

        Object requestedEssentialAcrs = List.of();
        if (signIn != null) {
            requestedEssentialAcrs = signIn.acr().essentialACRs();
        }
        variables.put(DynamicPolicyConfigurationMVELContextKey.requestedEssentialACRs.name(), requestedEssentialAcrs);

        log.trace("Created MVEL context for entity {}: {}", subject.getId(), variables);
        return variables;
    }

    /**
     * Groups the entity's identity values by identity type.
     *
     * @param entity the entity whose identities are read
     * @return map from identity type id to the values of that type, in iteration order
     */
    private Map<String, List<String>> getIdentitiesByType(Entity entity) {
        Map<String, List<String>> valuesByType = new HashMap<>();
        for (Identity identity : entity.getIdentities()) {
            valuesByType.computeIfAbsent(identity.getTypeId(), typeId -> new ArrayList<>())
                    .add(identity.getValue());
        }
        return valuesByType;
    }

    /**
     * Produces the upstream-authentication variables of the context.
     *
     * <p>For a local authentication ({@code null} metadata) the ACR list is empty, the protocol
     * is the literal {@code "local"} and the IdP is {@code null}. Otherwise the three values are
     * copied from the metadata as received.
     *
     * @param remoteAuthnMetadata metadata of the remote authentication, or {@code null}
     * @return map holding the {@code upstreamACRs}, {@code upstreamProtocol} and {@code upstreamIdP} entries
     */
    private Map<String, Object> getAuthnContextMvelVariables(RemoteAuthnMetadata remoteAuthnMetadata) {
        Map<String, Object> variables = new HashMap<>();
        List<Object> upstreamAcrs = new ArrayList<>();
        if (remoteAuthnMetadata == null) {
            variables.put(DynamicPolicyConfigurationMVELContextKey.upstreamACRs.name(), upstreamAcrs);
            variables.put(DynamicPolicyConfigurationMVELContextKey.upstreamProtocol.name(), "local");
            variables.put(DynamicPolicyConfigurationMVELContextKey.upstreamIdP.name(), null);
            return variables;
        }
        upstreamAcrs.addAll(remoteAuthnMetadata.classReferences());
        String upstreamIdp = remoteAuthnMetadata.remoteIdPId();
        String upstreamProtocol = remoteAuthnMetadata.protocol().name();
        variables.put(DynamicPolicyConfigurationMVELContextKey.upstreamACRs.name(), upstreamAcrs);
        variables.put(DynamicPolicyConfigurationMVELContextKey.upstreamProtocol.name(), upstreamProtocol);
        variables.put(DynamicPolicyConfigurationMVELContextKey.upstreamIdP.name(), upstreamIdp);
        return variables;
    }

    /**
     * Adds two attribute maps to the context: one with the first external string value of each
     * attribute, one with the attribute's values converted to objects.
     *
     * <p>An attribute without values is stored as the empty string in both maps.
     *
     * @param str context key for the map of first string values
     * @param str2 context key for the map of object values
     * @param map the context being populated
     * @param collection attributes to expose
     * @param attributeValueConverter converter from internal to external and object values
     * @throws IllegalAttributeValueException if a value cannot be converted
     */
    private void addAttributesToContext(String str, String str2, Map<String, Object> map, Collection<AttributeExt> collection, AttributeValueConverter attributeValueConverter) throws IllegalAttributeValueException {
        Map<String, Object> firstValueByName = new HashMap<>();
        Map<String, Object> objectValuesByName = new HashMap<>();
        for (Attribute attribute : collection) {
            String attributeName = attribute.getName();
            List<String> external = attributeValueConverter.internalValuesToExternal(attributeName, attribute.getValues());
            if (external.isEmpty()) {
                firstValueByName.put(attributeName, "");
                objectValuesByName.put(attributeName, "");
            } else {
                firstValueByName.put(attributeName, external.get(0));
                objectValuesByName.put(attributeName, attributeValueConverter.internalValuesToObjectValues(attributeName, attribute.getValues()));
            }
        }
        map.put(str, firstValueByName);
        map.put(str2, objectValuesByName);
    }

    /**
     * Tells whether the entity holds a valid local credential for at least one of the flow's
     * second-factor authenticators.
     *
     * <p>Authenticators without a local credential name are skipped.
     *
     * @param entity the entity whose credential states are inspected
     * @param authenticationFlow the flow providing the second-factor authenticators
     * @return {@code true} as soon as one matching credential is in the correct state
     * @throws EngineException declared for the credential check
     */
    private boolean hasValid2FCredential(Entity entity, AuthenticationFlow authenticationFlow) throws EngineException {
        Map<String, CredentialPublicInformation> credentialStates = entity.getCredentialInfo().getCredentialsState();
        for (AuthenticatorInstance secondFactor : authenticationFlow.getSecondFactorAuthenticators()) {
            String credentialName = secondFactor.getMetadata().getLocalCredentialName();
            if (credentialName == null) {
                continue;
            }
            if (userHasValidCredential(credentialStates, credentialName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks whether the named credential exists and is in the {@code correct} state.
     *
     * @param map credential states keyed by credential name
     * @param str name of the credential to look up
     * @return {@code false} when the credential is absent or in any other state
     * @throws EngineException declared by the signature; the visible body does not throw it
     */
    private boolean userHasValidCredential(Map<String, CredentialPublicInformation> map, String str) throws EngineException {
        CredentialPublicInformation info = map.get(str);
        if (info == null) {
            return false;
        }
        return info.getState().equals(LocalCredentialState.correct);
    }
}
