package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.nio.charset.StandardCharsets;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.crypto.SecretKey;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.OIDCPeerEntityContext;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.oidc.authn.context.OAuth2ClientAuthenticationContext;
import net.shibboleth.oidc.profile.config.OIDCAuthorizationConfiguration;
import net.shibboleth.oidc.security.credential.ClientSecretCredential;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.OutboundMessageContextLookup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/InitializeOAuth2ClientAuthenticationContext.class */
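/**
 * Profile action that builds the client authentication the IdP (acting as an OIDC relying party)
 * will present to the upstream OP's token endpoint and stores it in an
 * {@link OAuth2ClientAuthenticationContext}.
 *
 * <p>Inputs are read from the {@link OIDCAuthorizationConfiguration} attached to the
 * {@link RelyingPartyContext}: the token endpoint authentication method, the {@code client_id}
 * and the {@link ClientSecretCredential}. Only the shared-secret methods
 * {@code client_secret_basic} and {@code client_secret_post} are supported here; any other
 * method is rejected rather than silently downgraded.</p>
 *
 * <p>Events: {@code InvalidProfileContext} when the OAuth2 client authentication context cannot
 * be located or created; {@code InvalidProfileConfiguration} when no
 * {@link OIDCAuthorizationConfiguration} is available; {@code InvalidRelyingPartyConfiguration}
 * when the configuration is present but incomplete or unusable (missing method, client_id or
 * secret, unsupported method, or no authentication object could be built).</p>
 *
 * <p>The client secret itself is never written to the log; only the client_id and the
 * authentication method are.</p>
 */
public class InitializeOAuth2ClientAuthenticationContext extends AbstractProfileAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(InitializeOAuth2ClientAuthenticationContext.class);

    /** Strategy used to locate (or create) the {@link OAuth2ClientAuthenticationContext} to populate. */
    @Nonnull
    private Function<ProfileRequestContext, OAuth2ClientAuthenticationContext> oauth2ClientAuthenticationContextLookupStrategy =
            new ChildContextLookup<>(OAuth2ClientAuthenticationContext.class, true).compose(
                    new ChildContextLookup<>(OIDCPeerEntityContext.class).compose(
                            new OutboundMessageContextLookup()));

    /** Strategy used to locate the {@link RelyingPartyContext} carrying the profile configuration. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy =
            new ChildContextLookup<>(RelyingPartyContext.class);

    /** Per-request: the context to populate. Resolved in {@link #doPreExecute}. */
    @Nullable
    private OAuth2ClientAuthenticationContext oauth2ClientAuthenticationContext;

    /** Per-request: the profile configuration supplying client_id, method and secret. */
    @Nullable
    private OIDCAuthorizationConfiguration profileConfiguration;

    /** {@inheritDoc} */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
    }

    /**
     * Sets the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param function the lookup strategy; must not be null
     */
    public void setRelyingPartyContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, RelyingPartyContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to locate or create the {@link OAuth2ClientAuthenticationContext}.
     *
     * @param function the lookup strategy; must not be null
     */
    public void setOAuth2ClientAuthenticationContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, OAuth2ClientAuthenticationContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        oauth2ClientAuthenticationContextLookupStrategy =
                Constraint.isNotNull(function, "OAuth2 client authentication context lookup strategy cannot be null");
    }

    /**
     * Resolves the per-request state: the context to populate and the profile configuration.
     *
     * @param profileRequestContext the current profile request context
     * @return true if both were found and execution should continue
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }

        // Re-derive all per-request state from this request. Without the reset, a lookup
        // that fails on this request would leave a value from an earlier execution of the
        // same bean instance in place and the null checks below would pass against it.
        oauth2ClientAuthenticationContext = null;
        profileConfiguration = null;

        oauth2ClientAuthenticationContext =
                oauth2ClientAuthenticationContextLookupStrategy.apply(profileRequestContext);
        if (oauth2ClientAuthenticationContext == null) {
            log.error("{} No OAuth2 client authentication context found or created", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        final RelyingPartyContext rpCtx = relyingPartyContextLookupStrategy.apply(profileRequestContext);
        if (rpCtx != null && rpCtx.getConfiguration() != null
                && rpCtx.getProfileConfig() instanceof OIDCAuthorizationConfiguration) {
            profileConfiguration = (OIDCAuthorizationConfiguration) rpCtx.getProfileConfig();
        }
        if (profileConfiguration == null) {
            log.error("{} Profile configuration not found", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }

        return true;
    }

    /**
     * Reads method, client_id and secret from the profile configuration, builds the
     * {@link ClientAuthentication} and stores it in the OAuth2 client authentication context.
     * Any missing or unusable input signals {@code InvalidRelyingPartyConfiguration}.
     *
     * @param profileRequestContext the current profile request context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        super.doExecute(profileRequestContext);

        final String authMethod = profileConfiguration.getTokenEndpointAuthMethod(profileRequestContext);
        // Treat an absent method the same as an empty one; the original unconditional
        // isEmpty() call would have thrown on null instead of signalling an event.
        if (authMethod == null || authMethod.isEmpty()) {
            log.error("{} No client authentication method found from profile configuration", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRelyingPartyConfiguration");
            return;
        }

        final String clientId = profileConfiguration.getClientId(profileRequestContext);
        if (clientId == null) {
            log.error("{} No client_id found from profile configuration", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRelyingPartyConfiguration");
            return;
        }

        final ClientSecretCredential credential = profileConfiguration.getClientCredential(profileRequestContext);
        if (credential == null) {
            log.error("{} No client secret credential found from profile configuration", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRelyingPartyConfiguration");
            return;
        }

        final ClientAuthentication clientAuth = constructClientAuthentication(clientId, authMethod, credential);
        if (clientAuth == null) {
            log.error("{} No client authentication could be constructed", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRelyingPartyConfiguration");
            return;
        }

        oauth2ClientAuthenticationContext.setClientAuthentication(clientAuth);
        // Only the method and client_id are logged; the secret is deliberately never logged.
        log.debug("{} Initialized OAuth2 Client Authentication Context: Found client authentication mode '{}' for client '{}'",
                new Object[] {getLogPrefix(), clientAuth.getMethod(), clientAuth.getClientID()});
    }

    /**
     * Builds a Nimbus {@link ClientAuthentication} for the given client and method.
     *
     * <p>Supported methods are {@code client_secret_basic} (secret in the HTTP Authorization
     * header) and {@code client_secret_post} (secret in the form body). Anything else,
     * including {@code none}, {@code client_secret_jwt} and {@code private_key_jwt}, yields
     * {@code null} so the caller fails closed instead of falling back to a weaker method.</p>
     *
     * @param str the client_id
     * @param str2 the token endpoint authentication method name
     * @param clientSecretCredential the credential holding the shared secret
     * @return the client authentication, or null if it cannot be built
     */
    @Nullable
    protected ClientAuthentication constructClientAuthentication(@Nonnull final String str,
            @Nonnull final String str2, @Nonnull final ClientSecretCredential clientSecretCredential) {

        // Nimbus Identifier types reject blank values with an exception; fail cleanly instead.
        if (str2 == null || str2.isEmpty()) {
            log.warn("{} No client authentication method given for client '{}'", getLogPrefix(), str);
            return null;
        }

        // A missing or empty secret must never be wrapped and sent to the token endpoint.
        final String rawSecret = clientSecretCredential.getSecret();
        if (rawSecret == null || rawSecret.isEmpty()) {
            log.warn("{} Client secret for client '{}' is missing or empty", getLogPrefix(), str);
            return null;
        }

        final Secret secret = new Secret(rawSecret);
        // NOTE(review): the single-argument Secret constructor carries no expiration date, so
        // expired() is not expected to fire here; any secret-expiry policy has to be enforced
        // by the ClientSecretCredential / configuration layer. Kept as a defensive check.
        if (secret.expired()) {
            log.warn("{} Client secret has expired for client '{}'", getLogPrefix(), str);
            return null;
        }

        final ClientAuthenticationMethod method = new ClientAuthenticationMethod(str2);
        final ClientID clientID = new ClientID(str);
        if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(method)) {
            return new ClientSecretBasic(clientID, secret);
        }
        if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(method)) {
            return new ClientSecretPost(clientID, secret);
        }

        log.warn("{}: Client authentication method '{}' not supported for client '{}'",
                new Object[] {getLogPrefix(), str2, str});
        return null;
    }

    /**
     * Decodes the raw bytes of a {@link SecretKey} as a UTF-8 string.
     *
     * <p>Currently unused in this class. Arbitrary key material is not guaranteed to be valid
     * UTF-8; malformed sequences are replaced during decoding, so the conversion can be lossy
     * and must not be relied on to round-trip binary keys.</p>
     *
     * @param secretKey the key, possibly null
     * @return the decoded string, or null if the key or its encoding is absent
     */
    @Nullable
    private String convertSecretKeyToString(@Nullable final SecretKey secretKey) {
        if (secretKey == null) {
            return null;
        }
        final byte[] encoded = secretKey.getEncoded();
        if (encoded == null) {
            return null;
        }
        return new String(encoded, StandardCharsets.UTF_8);
    }
}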
