package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import java.util.List;
import java.util.function.Function;
import javax.annotation.Nonnull;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.oidc.profile.config.OIDCAuthorizationConfiguration;
import net.shibboleth.oidc.security.JWTDecryptionConfiguration;
import net.shibboleth.oidc.security.JWTDecryptionParameters;
import net.shibboleth.oidc.security.JWTDecryptionParametersResolver;
import net.shibboleth.oidc.security.context.JWTSecurityParametersContext;
import net.shibboleth.oidc.security.criterion.JWTDecryptionConfigurationCriterion;
import net.shibboleth.oidc.security.criterion.StaticCredentialCriterion;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/PopulateJWTDecryptionParameters.class */
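/**
 * Profile action that resolves {@link JWTDecryptionParameters} for the current request and stores
 * them on a {@link JWTSecurityParametersContext}.
 *
 * <p>The candidate {@link JWTDecryptionConfiguration}s come from a configurable lookup strategy.
 * When the relying party's profile configuration is an {@link OIDCAuthorizationConfiguration},
 * its client credential is added to the resolution criteria as well.</p>
 *
 * <p>Events signalled on failure: {@code InvalidSecurityConfiguration} (no configurations found,
 * or the resolver threw) and {@code InvalidProfileContext} (no security parameters context).</p>
 */
public class PopulateJWTDecryptionParameters extends AbstractProfileAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(PopulateJWTDecryptionParameters.class);

    /** Strategy that supplies the decryption configurations to resolve against. Required. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, List<JWTDecryptionConfiguration>> configurationLookupStrategy;

    /** Resolver that turns the criteria into decryption parameters. Required. */
    @NonnullAfterInit
    private JWTDecryptionParametersResolver resolver;

    /**
     * Strategy that locates the context receiving the resolved parameters. By default this is a
     * child of the inbound message context, created if it does not exist yet.
     */
    @Nonnull
    private Function<ProfileRequestContext, JWTSecurityParametersContext> securityParametersContextLookupStrategy =
            new ChildContextLookup<>(JWTSecurityParametersContext.class, true)
                    .compose(new InboundMessageContextLookup());

    /** Strategy that locates the {@link RelyingPartyContext}; defaults to a direct child lookup. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy =
            new ChildContextLookup<>(RelyingPartyContext.class);

    /**
     * Sets the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param function lookup strategy; a null value is rejected by {@code Constraint.isNotNull}
     */
    public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext, RelyingPartyContext> function) {
        // Configuration is frozen once the component has been initialized.
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    /**
     * Sets the resolver used to produce the decryption parameters.
     *
     * @param jWTDecryptionParametersResolver resolver; a null value is rejected by
     *        {@code Constraint.isNotNull}
     */
    public void setDecryptionParametersResolver(@Nonnull JWTDecryptionParametersResolver jWTDecryptionParametersResolver) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.resolver =
                Constraint.isNotNull(jWTDecryptionParametersResolver, "DecryptionParametersResolver cannot be null");
    }

    /**
     * Sets the strategy that supplies the list of decryption configurations.
     *
     * @param function lookup strategy; a null value is rejected by {@code Constraint.isNotNull}
     */
    public void setConfigurationLookupStrategy(@Nonnull Function<ProfileRequestContext, List<JWTDecryptionConfiguration>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.configurationLookupStrategy =
                Constraint.isNotNull(function, "DecryptionConfiguration lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to locate the {@link JWTSecurityParametersContext} to populate.
     *
     * @param function lookup strategy; a null value is rejected by {@code Constraint.isNotNull}
     */
    public void setSecurityParametersContextLookupStrategy(@Nonnull Function<ProfileRequestContext, JWTSecurityParametersContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.securityParametersContextLookupStrategy =
                Constraint.isNotNull(function, "SecurityParametersContext lookup strategy cannot be null");
    }

    /**
     * Verifies that the two mandatory collaborators have been injected.
     *
     * @throws ComponentInitializationException if the resolver or the configuration lookup
     *         strategy has not been set
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        // Fail at start-up rather than with a NullPointerException on the first request.
        if (this.resolver == null) {
            throw new ComponentInitializationException("DecryptionParametersResolver cannot be null");
        }
        if (this.configurationLookupStrategy == null) {
            throw new ComponentInitializationException("DecryptionConfiguration lookup strategy cannot be null");
        }
    }

    /**
     * Resolves the decryption parameters and stores them on the security parameters context.
     *
     * @param profileRequestContext the current profile request context
     */
    @Override
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        this.log.debug("{} Resolving JWT DecryptionParameters for request", getLogPrefix());

        final List<JWTDecryptionConfiguration> configurations =
                this.configurationLookupStrategy.apply(profileRequestContext);
        if (configurations == null || configurations.isEmpty()) {
            this.log.error("{} No DecryptionConfigurations returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidSecurityConfiguration");
            return;
        }

        final JWTSecurityParametersContext securityContext =
                this.securityParametersContextLookupStrategy.apply(profileRequestContext);
        if (securityContext == null) {
            this.log.debug("{} No SecurityParametersContext returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return;
        }

        try {
            final JWTDecryptionParameters parameters = (JWTDecryptionParameters) this.resolver.resolveSingle(
                    buildCriteriaSet(profileRequestContext, configurations));
            // A null result is stored as-is and no error event is built here, so anything that
            // later consumes the context must cope with absent decryption parameters.
            // NOTE(review): presumably the decryption step rejects encrypted tokens in that case - confirm.
            securityContext.setDecryptionParameters(parameters);
            // Only the outcome is logged, never the parameters object itself.
            this.log.debug("{} {} DecryptionParameters", getLogPrefix(),
                    parameters != null ? "Resolved" : "Failed to resolve");
        } catch (final ResolverException e) {
            this.log.error("{} Error resolving DecryptionParameters", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "InvalidSecurityConfiguration");
        }
    }

    /**
     * Builds the criteria handed to the resolver: always the decryption configurations, plus the
     * relying party's client credential when an OIDC authorization profile configuration exists.
     *
     * @param profileRequestContext the current profile request context
     * @param list the decryption configurations to resolve against
     * @return the populated criteria set, never null
     */
    @Nonnull
    private CriteriaSet buildCriteriaSet(@Nonnull ProfileRequestContext profileRequestContext, List<JWTDecryptionConfiguration> list) {
        final CriteriaSet criteria = new CriteriaSet();
        criteria.add(new JWTDecryptionConfigurationCriterion(list));

        final RelyingPartyContext rpContext = this.relyingPartyContextLookupStrategy.apply(profileRequestContext);
        if (rpContext != null && rpContext.getConfiguration() != null
                && rpContext.getProfileConfig() instanceof OIDCAuthorizationConfiguration) {
            // The instanceof test already excludes null, so no second null check is needed.
            final OIDCAuthorizationConfiguration oidcConfig =
                    (OIDCAuthorizationConfiguration) rpContext.getProfileConfig();
            // NOTE(review): getClientCredential may return null; confirm StaticCredentialCriterion accepts that.
            criteria.add(new StaticCredentialCriterion(oidcConfig.getClientCredential(profileRequestContext)));
        } else {
            // Previously this warning sat behind a null check that could never fail, so a missing
            // client credential was silent. Without it the resolver only sees the configurations.
            this.log.warn("{} Profile configuration not available, client credential missing", getLogPrefix());
        }
        return criteria;
    }
}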
