package net.shibboleth.idp.plugin.authn.duo.impl;

import jakarta.servlet.http.HttpServletRequest;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.function.BiFunction;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.concurrent.Immutable;
import javax.annotation.concurrent.ThreadSafe;
import net.shibboleth.idp.plugin.authn.duo.DynamicDuoOIDCIntegration;
import net.shibboleth.idp.plugin.authn.duo.URISupport;
import net.shibboleth.shared.annotation.ParameterName;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.slf4j.Logger;

@ThreadSafe
@Immutable
/* loaded from: input_file:net/shibboleth/idp/plugin/authn/duo/impl/DefaultRedirectURICreationStrategy.class */
public final class DefaultRedirectURICreationStrategy implements BiFunction<HttpServletRequest, DynamicDuoOIDCIntegration, String> {

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(DefaultRedirectURICreationStrategy.class);

    @Nonnull
    @NotEmpty
    private final String callbackServletPath;

    public DefaultRedirectURICreationStrategy(@ParameterName(name = "callbackPath") @Nonnull @NotEmpty String str) {
        this.callbackServletPath = (String) Constraint.isNotNull(str, "Duo Call back path can not be null");
    }

    @Override // java.util.function.BiFunction
    @Nullable
    public String apply(@Nullable HttpServletRequest httpServletRequest, @Nullable DynamicDuoOIDCIntegration dynamicDuoOIDCIntegration) {
        if (dynamicDuoOIDCIntegration == null || httpServletRequest == null) {
            this.log.warn("Duo Integration or http request was null");
            return null;
        }
        String registeredRedirectURI = dynamicDuoOIDCIntegration.getRegisteredRedirectURI();
        if (registeredRedirectURI != null) {
            this.log.trace("Using redirect_uri '{}' from the Duo integration settings", registeredRedirectURI);
            return registeredRedirectURI;
        }
        try {
            URI buildURIIgnoreDefaultPorts = URISupport.buildURIIgnoreDefaultPorts(httpServletRequest.getScheme(), httpServletRequest.getServerName(), httpServletRequest.getServerPort(), httpServletRequest.getContextPath() + httpServletRequest.getServletPath() + this.callbackServletPath);
            String buildOrigin = URISupport.buildOrigin(buildURIIgnoreDefaultPorts);
            if (dynamicDuoOIDCIntegration.getAllowedOrigins().contains(buildOrigin)) {
                return buildURIIgnoreDefaultPorts.toString();
            }
            this.log.warn("The 'origin' of the computed redirect_uri ('{}') is not allowed. If permissible, add it to the allowed origins property.", buildOrigin);
            return null;
        } catch (URISyntaxException e) {
            this.log.warn("Unable to generate redirect_uri, {}", e.getMessage());
            return null;
        }
    }
}
