package net.shibboleth.idp.plugin.authn.duo.impl;

import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.util.function.Consumer;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.plugin.authn.duo.AbstractDuoAuthenticationAction;
import net.shibboleth.idp.plugin.authn.duo.DuoException;
import net.shibboleth.idp.plugin.authn.duo.context.DuoOIDCAuthenticationContext;
import net.shibboleth.oidc.jwt.claims.JWTClaimsValidation;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/ValidateTokenClaims.class */
/**
 * Authentication action that validates the claims of the Duo 2FA token stored in the
 * {@link DuoOIDCAuthenticationContext} and then runs an optional cleanup hook.
 *
 * <p>{@link #doPreExecute} extracts the token's {@link JWTClaimsSet} into an instance field that
 * {@link #doExecute} reads. Because of that per-request field the action is only safe when each
 * request is served by its own instance (prototype-scoped bean) — NOTE(review): confirm the bean
 * scope in the flow configuration.</p>
 *
 * <p>Events signaled: {@code InvalidAuthenticationContext} when the token or its claims set is
 * not available, {@code NoCredentials} when the configured {@link JWTClaimsValidation} rejects the
 * claims. Nothing is signaled on success.</p>
 */
public class ValidateTokenClaims extends AbstractDuoAuthenticationAction {

    /** Event signaled when the token, or its claims set, cannot be obtained. */
    @Nonnull
    private static final String EVENT_INVALID_CONTEXT = "InvalidAuthenticationContext";

    /** Event signaled when the claims validator rejects the token. */
    @Nonnull
    private static final String EVENT_NO_CREDENTIALS = "NoCredentials";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateTokenClaims.class);

    /** Claims of the current token; populated by {@link #doPreExecute}, consumed by {@link #doExecute}. */
    @Nullable
    private JWTClaimsSet claimsSet;

    /** Optional hook run after validation returns or throws {@link JWTValidationException}. */
    @Nullable
    private Consumer<ProfileRequestContext> cleanupHook;

    /**
     * Validator applied to the claims set. This is where the actual checks live — presumably
     * issuer/audience/expiry/nonce binding; verify against the configured JWTClaimsValidation.
     */
    @NonnullAfterInit
    private JWTClaimsValidation claimsValidator;

    /**
     * Cleanup hook that clears the nonce held in the {@link DuoOIDCAuthenticationContext},
     * presumably so the same nonce cannot be accepted a second time.
     */
    public static class DuoOIDAuthenticationContextCleanupHook implements Consumer<ProfileRequestContext> {

        /**
         * Clears the nonce on the Duo context reachable from the request context. A missing request
         * context, {@link AuthenticationContext} or Duo context makes this a no-op.
         *
         * @param profileRequestContext the current request context, may be null
         */
        @Override
        public void accept(@Nullable final ProfileRequestContext profileRequestContext) {
            if (profileRequestContext == null) {
                return;
            }
            final AuthenticationContext authnCtx = profileRequestContext.getSubcontext(AuthenticationContext.class);
            if (authnCtx == null) {
                return;
            }
            final DuoOIDCAuthenticationContext duoCtx = authnCtx.getSubcontext(DuoOIDCAuthenticationContext.class);
            if (duoCtx != null) {
                duoCtx.setNonce((String) null);
            }
        }
    }

    /**
     * Fails initialization when no claims validator has been injected.
     *
     * @throws ComponentInitializationException if the validator is unset or the superclass fails
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (claimsValidator == null) {
            throw new ComponentInitializationException("Duo ClaimSet Validator cannot be null");
        }
    }

    /**
     * Gets the hook run once claims validation has returned or thrown {@link JWTValidationException}.
     *
     * @return the hook, or null if none is configured
     */
    @Nullable
    public Consumer<ProfileRequestContext> getCleanupHook() {
        return cleanupHook;
    }

    /**
     * Sets the hook run once claims validation has returned or thrown {@link JWTValidationException}.
     *
     * @param consumer the hook, or null to run none
     */
    public void setCleanupHook(@Nullable final Consumer<ProfileRequestContext> consumer) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        cleanupHook = consumer;
    }

    /**
     * Sets the validator applied to the token's claims.
     *
     * @param jWTClaimsValidation the validator, never null
     */
    public synchronized void setClaimsValidator(@Nonnull final JWTClaimsValidation jWTClaimsValidation) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        claimsValidator = Constraint.isNotNull(jWTClaimsValidation, "Claims validator cannot be null");
    }

    /**
     * Makes sure a Duo 2FA token and its claims set are available before execution.
     *
     * <p>On success the claims set is kept in {@link #claimsSet}. If the token is missing, its claims
     * cannot be parsed, or the parsed set is null, {@code InvalidAuthenticationContext} is signaled
     * and execution is skipped.</p>
     *
     * @param profileRequestContext the current request context
     * @param authenticationContext the authentication context (not used here)
     * @param duoOIDCAuthenticationContext the Duo context carrying the token
     * @return true iff a non-null claims set was obtained
     */
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final DuoOIDCAuthenticationContext duoOIDCAuthenticationContext) {
        final JWT token = duoOIDCAuthenticationContext.getAuthToken();
        if (token == null) {
            rejectContext(profileRequestContext, "{} Duo 2FA token is not available");
            return false;
        }
        try {
            claimsSet = token.getJWTClaimsSet();
        } catch (final ParseException e) {
            rejectContext(profileRequestContext, "{} Claimset of Duo 2FA token is not available");
            return false;
        }
        if (claimsSet == null) {
            rejectContext(profileRequestContext, "{} Claimset of Duo 2FA token is not available");
            return false;
        }
        return true;
    }

    /**
     * Runs the configured validator over the claims set obtained in {@link #doPreExecute}.
     *
     * <p>On success the cleanup hook (if any) runs and no event is signaled. If the validator throws
     * {@link JWTValidationException}, the failure is logged with the exception, {@code NoCredentials}
     * is signaled, and the cleanup hook still runs. Any other exception from the validator propagates
     * and the hook is not run.</p>
     *
     * @param profileRequestContext the current request context
     * @param authenticationContext the authentication context (not used here)
     * @param duoOIDCAuthenticationContext the Duo context (not used here)
     */
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final DuoOIDCAuthenticationContext duoOIDCAuthenticationContext) {
        // NOTE(review): the subject is logged before the claims are validated; presumably the
        // token signature was checked by an earlier action — confirm.
        final String subject = claimsSet.getSubject();
        log.debug("{} Validating token claims for subject '{}'", getLogPrefix(), subject);
        try {
            claimsValidator.validate(claimsSet, profileRequestContext);
        } catch (final JWTValidationException e) {
            log.error("{} Token verification failed for subject '{}'", getLogPrefix(), subject, e);
            ActionSupport.buildEvent(profileRequestContext, EVENT_NO_CREDENTIALS);
            runCleanupHook(profileRequestContext);
            return;
        }
        runCleanupHook(profileRequestContext);
        log.debug("{} Token claims are valid for subject '{}'", getLogPrefix(), subject);
    }

    /**
     * Logs {@code format} at error level with the log prefix and signals {@code InvalidAuthenticationContext}.
     *
     * @param profileRequestContext the current request context
     * @param format SLF4J format string whose single placeholder receives the log prefix
     */
    private void rejectContext(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final String format) {
        log.error(format, getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_CONTEXT);
    }

    /**
     * Invokes the cleanup hook, if one is configured.
     *
     * @param profileRequestContext the current request context handed to the hook
     */
    private void runCleanupHook(@Nonnull final ProfileRequestContext profileRequestContext) {
        final Consumer<ProfileRequestContext> hook = cleanupHook;
        if (hook != null) {
            hook.accept(profileRequestContext);
        }
    }
}
