package org.gluu.idp.externalauth;

import java.util.List;
import java.util.stream.Collectors;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.AuthenticationResult;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import org.gluu.util.StringHelper;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.RequestedAuthnContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/gluu/idp/externalauth/FilterFlowsByAcrChangedAuthn.class */
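/**
 * Authentication action that discards the active authentication results when the ACR
 * recorded for the existing {@code authn/oxAuth} result does not match any
 * {@code AuthnContextClassRef} asked for in the inbound SAML {@code AuthnRequest}.
 *
 * <p>{@link #doPreExecute} decides whether a new authentication is needed; {@link #doExecute}
 * then clears the active results so the session cannot be reused.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When {@code disabledAcrCheck} is {@code true} the action never runs, so an existing
 *       session is reused regardless of the ACRs the relying party requests.</li>
 *   <li>Matching is a plain string comparison of each requested class ref against two stored
 *       values. NOTE(review): the {@code Comparison} attribute of the
 *       {@code RequestedAuthnContext} is not consulted here; confirm it is enforced
 *       elsewhere if relying parties depend on it.</li>
 * </ul>
 */
public class FilterFlowsByAcrChangedAuthn extends AbstractAuthenticationAction {
    /** Key of the oxAuth flow in the map of active authentication results. */
    private static final String OX_AUTH_FLOW_ID = "authn/oxAuth";

    private static final Logger LOG = LoggerFactory.getLogger(FilterFlowsByAcrChangedAuthn.class);

    /** When {@code true}, the ACR comparison is skipped and no re-authentication is forced. */
    private boolean disabledAcrCheck = false;

    /**
     * Decides whether the active results must be dropped to force a new authentication.
     *
     * @param profileRequestContext current profile request context, source of the inbound message
     * @param authenticationContext authentication context holding the active results
     * @return {@code true} only when an {@code authn/oxAuth} result exists, the request carries
     *         at least one ACR, and none of them equals the stored used or requested ACR;
     *         {@code false} otherwise (including when the check is disabled)
     */
    @Override
    protected boolean doPreExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext) || this.disabledAcrCheck) {
            return false;
        }

        // Single lookup instead of containsKey + get; a missing or null entry means there is
        // no oxAuth session to re-evaluate.
        AuthenticationResult oxAuthResult = authenticationContext.getActiveResults().get(OX_AUTH_FLOW_ID);
        if (oxAuthResult == null) {
            LOG.debug("{} Session does not have authn/oxAuth results, nothing to do", getLogPrefix());
            return false;
        }

        String usedAcr = oxAuthResult.getAdditionalData().get(ShibOxAuthAuthServlet.OXAUTH_ACR_USED);
        String sessionRequestedAcr = oxAuthResult.getAdditionalData().get(ShibOxAuthAuthServlet.OXAUTH_ACR_REQUESTED);
        List<String> requestedAcrs = determineAcrs(profileRequestContext);
        LOG.debug("{} Used ACR: {}:{}, requested ACRs: {}", getLogPrefix(), usedAcr, sessionRequestedAcr, requestedAcrs);

        if (requestedAcrs == null || requestedAcrs.isEmpty()) {
            LOG.debug("{} There is no requested ACRs , nothing to do", getLogPrefix());
            return false;
        }

        // NOTE(review): the session is also accepted when the ACR that was *requested* for it
        // matches, not only the ACR that was actually *used*. If oxAuth can complete a login
        // with a different ACR than the one requested, an existing session would satisfy a
        // class ref it never achieved. Confirm the two stored values cannot diverge that way.
        // NOTE(review): how StringHelper.equals treats two null arguments is not visible here;
        // verify that a missing stored ACR cannot match a class ref with no value.
        for (String requestedAcr : requestedAcrs) {
            if (StringHelper.equals(usedAcr, requestedAcr) || StringHelper.equals(sessionRequestedAcr, requestedAcr)) {
                // Log the class ref that matched; it may equal the requested rather than the used ACR.
                LOG.debug("{} Used and requested ACR are the same: {}, nothing to do", getLogPrefix(), requestedAcr);
                return false;
            }
        }

        // The original message ended with "nothing to do" although this branch is the one that
        // triggers re-authentication; the misleading suffix is removed.
        LOG.debug("{} Force to create new AuthZ request with new ACRs: {}", getLogPrefix(), requestedAcrs);
        return true;
    }

    /**
     * Extracts the authentication context class refs from the inbound SAML {@code AuthnRequest}.
     *
     * @param profileRequestContext current profile request context
     * @return the class ref values in request order, or {@code null} when there is no inbound
     *         message context, the inbound message is not an {@code AuthnRequest}, or the
     *         request has no {@code RequestedAuthnContext}
     */
    protected List<String> determineAcrs(ProfileRequestContext profileRequestContext) {
        if (profileRequestContext.getInboundMessageContext() == null) {
            return null;
        }
        Object inboundMessage = profileRequestContext.getInboundMessageContext().getMessage();
        // instanceof also covers null; a message of another type carries no requested ACRs
        // and previously failed with a ClassCastException.
        if (!(inboundMessage instanceof AuthnRequest)) {
            return null;
        }
        RequestedAuthnContext requestedAuthnContext = ((AuthnRequest) inboundMessage).getRequestedAuthnContext();
        if (requestedAuthnContext == null) {
            return null;
        }
        return requestedAuthnContext.getAuthnContextClassRefs().stream()
                .map(classRef -> classRef.getAuthnContextClassRef())
                .collect(Collectors.toList());
    }

    /**
     * Removes every active authentication result (not only the oxAuth one) so that the
     * subsequent flow has to authenticate again.
     *
     * @param profileRequestContext current profile request context (unused)
     * @param authenticationContext authentication context whose active results are cleared
     */
    @Override
    protected void doExecute(ProfileRequestContext profileRequestContext, AuthenticationContext authenticationContext) {
        // doPreExecute already returns false when the check is disabled; this guard keeps the
        // session intact even if doExecute is invoked directly.
        if (this.disabledAcrCheck) {
            return;
        }
        authenticationContext.getActiveResults().clear();
        LOG.info("{} Removed all active results to force authentication", getLogPrefix());
    }

    /**
     * @return {@code true} when the ACR comparison is switched off
     */
    public boolean isDisabledAcrCheck() {
        return this.disabledAcrCheck;
    }

    /**
     * Enables or disables the ACR comparison. Disabling it means an existing session is never
     * invalidated by this action, whatever ACR the inbound request asks for.
     *
     * @param z {@code true} to disable the check
     */
    public void setDisabledAcrCheck(boolean z) {
        this.disabledAcrCheck = z;
    }
}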
