package net.shibboleth.idp.plugin.authn.duo.impl;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.function.BiFunction;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.Immutable;
import javax.annotation.concurrent.ThreadSafe;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.idp.plugin.authn.duo.DuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.URISupport;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ThreadSafe
@Immutable
/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/DefaultRedirectURICreationStrategy.class */
public final class DefaultRedirectURICreationStrategy implements BiFunction<HttpServletRequest, DuoOIDCIntegration, String> {

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(DefaultRedirectURICreationStrategy.class);

    @NotEmpty
    @Nonnull
    private final String callbackServletPath;

    public DefaultRedirectURICreationStrategy(@NotEmpty @Nonnull String str) {
        this.callbackServletPath = (String) Constraint.isNotNull(str, "Duo Call back path can not be null");
    }

    @Override // java.util.function.BiFunction
    @Nullable
    public String apply(@Nonnull HttpServletRequest httpServletRequest, @Nonnull DuoOIDCIntegration duoOIDCIntegration) {
        String registeredRedirectURI = duoOIDCIntegration.getRegisteredRedirectURI();
        if (registeredRedirectURI != null) {
            this.log.trace("Using redirect_uri '{}' from the Duo integration settings", registeredRedirectURI);
            return registeredRedirectURI;
        }
        try {
            URI buildURIIgnoreDefaultPorts = URISupport.buildURIIgnoreDefaultPorts(httpServletRequest.getScheme(), httpServletRequest.getServerName(), httpServletRequest.getServerPort(), httpServletRequest.getContextPath() + httpServletRequest.getServletPath() + this.callbackServletPath);
            String buildOrigin = URISupport.buildOrigin(buildURIIgnoreDefaultPorts);
            if (duoOIDCIntegration.getAllowedOrigins().contains(buildOrigin)) {
                return buildURIIgnoreDefaultPorts.toString();
            }
            this.log.warn("The 'origin' of the computed redirect_uri ('{}') is not allowed", buildOrigin);
            return null;
        } catch (URISyntaxException e) {
            this.log.warn("Unable to generate redirectURI", e);
            return null;
        }
    }
}
