package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.OAuth2ClientContext;
import net.shibboleth.oidc.profile.messaging.context.OIDCPeerEntityContext;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.utilities.java.support.component.AbstractIdentifiableInitializableComponent;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.apache.http.client.utils.URIBuilder;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.OutboundMessageContextLookup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

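/**
 * Computes the OIDC {@code redirect_uri} for an authentication request from the current servlet
 * request, unless the {@link OAuth2ClientContext} carries an explicit override.
 *
 * <p>The scheme, server name and port come from the {@link HttpServletRequest}. A servlet container
 * normally derives the server name from the client-supplied {@code Host} header, so the computed
 * value is not trustworthy on its own. The URI is therefore returned only when its origin
 * ({@code scheme://host[:port]}, with default ports omitted) is an exact, case-sensitive member of
 * the configured allowed origins. An empty allow-list fails closed: no URI is computed.</p>
 */
@ThreadSafeAfterInit
/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/DefaultRedirectUriCreationFunction.class */
public class DefaultRedirectUriCreationFunction extends AbstractIdentifiableInitializableComponent implements BiFunction<HttpServletRequest, ProfileRequestContext, URI> {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(DefaultRedirectUriCreationFunction.class);

    /**
     * Strategy used to find the {@link OAuth2ClientContext}. By default it is looked up beneath the
     * {@link OIDCPeerEntityContext} of the outbound message context.
     */
    @Nonnull
    private Function<ProfileRequestContext, OAuth2ClientContext> oauth2ClientContextLookupStrategy = new ChildContextLookup(OAuth2ClientContext.class).compose(new ChildContextLookup(OIDCPeerEntityContext.class).compose(new OutboundMessageContextLookup()));

    /** Path appended to the request's context path and servlet path to form the callback path. */
    @NonnullAfterInit
    @NotEmpty
    private String callbackServletPath;

    /** Origins a computed redirect_uri is allowed to have; empty means nothing is computed. */
    @NonnullAfterInit
    private Set<String> allowedOrigins;

    /**
     * Checks that a callback servlet path has been configured and defaults the allowed origins to
     * an empty set when none were supplied.
     *
     * @throws ComponentInitializationException if the callback servlet path is null or blank
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (StringSupport.trimOrNull(this.callbackServletPath) == null) {
            throw new ComponentInitializationException("Callback servlet path can not be null");
        }
        if (this.allowedOrigins == null) {
            this.allowedOrigins = Collections.emptySet();
        }
    }

    /**
     * Sets the path appended after the request's context and servlet path.
     *
     * @param str the callback servlet path, never null or empty
     */
    public void setCallbackServletPath(@NotEmpty @Nonnull String str) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.callbackServletPath = Constraint.isNotEmpty(str, "callbackServletPath can not be null");
    }

    /**
     * Sets the origins that a computed redirect_uri may have.
     *
     * <p>Entries are compared as exact strings against {@code scheme://host} or
     * {@code scheme://host:port}; port 80 for http and 443 for https are omitted from the computed
     * origin, so configured entries must omit them too.</p>
     *
     * @param set the allowed origins, or {@code null} for none
     */
    public void setAllowedOrigins(@Nullable Set<String> set) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        if (set == null) {
            // Return here: falling through would pass null to unmodifiableSet and throw a
            // NullPointerException, defeating the documented @Nullable contract.
            this.allowedOrigins = Collections.emptySet();
            return;
        }
        // NOTE(review): this wraps the caller's set rather than copying it, so a caller that keeps
        // a reference can still change the allow-list after configuration. Consider a copy.
        this.allowedOrigins = Collections.unmodifiableSet(set);
    }

    /**
     * Sets the strategy used to locate the {@link OAuth2ClientContext}.
     *
     * @param function the lookup strategy, never null
     */
    public void setOAuth2ClientContextLookupStrategy(@Nonnull Function<ProfileRequestContext, OAuth2ClientContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ComponentSupport.ifDestroyedThrowDestroyedComponentException(this);
        this.oauth2ClientContextLookupStrategy = Constraint.isNotNull(function, "OAuth2 client context lookup strategy cannot be null");
    }

    /**
     * Produces the redirect_uri for the current request.
     *
     * <p>An override on the client context is returned as-is and is not checked against the allowed
     * origins. Otherwise the URI is assembled from the request and returned only if its origin is
     * allowed.</p>
     *
     * @param httpServletRequest the current request, source of scheme, host, port and paths
     * @param profileRequestContext the profile request context used to find the client context
     * @return the redirect_uri, or {@code null} if the client context is missing, no origins are
     *         allowed, the computed origin is not allowed, or the URI is syntactically invalid
     */
    @Override // java.util.function.BiFunction
    @Nullable
    public URI apply(@Nonnull HttpServletRequest httpServletRequest, @Nonnull ProfileRequestContext profileRequestContext) {
        final OAuth2ClientContext clientContext = this.oauth2ClientContextLookupStrategy.apply(profileRequestContext);
        if (clientContext == null) {
            this.log.warn("Could not locate the OAuth2 Client Context, can not compute redirect_uri");
            return null;
        }
        final URI override = clientContext.getRedirectUriOverride();
        if (override != null) {
            return override;
        }
        if (this.allowedOrigins.isEmpty()) {
            // Fail closed: without an allow-list, a request-derived host must never be used.
            this.log.warn("Can not compute redirect_uri if allowed origins is empty");
            return null;
        }
        try {
            final String callbackPath = httpServletRequest.getContextPath() + httpServletRequest.getServletPath() + this.callbackServletPath;
            final URI redirectUri = buildURIIgnoreDefaultPorts(httpServletRequest.getScheme(), httpServletRequest.getServerName(), httpServletRequest.getServerPort(), callbackPath);
            final String origin = buildOrigin(redirectUri);
            // The allow-list check is what prevents a spoofed Host header from steering the
            // redirect_uri to an attacker-chosen origin.
            if (this.allowedOrigins.contains(origin)) {
                return redirectUri;
            }
            this.log.warn("The 'origin' of the computed redirect_uri ('{}') is not allowed. If permissible, add it to the allowed origins property.", origin);
            return null;
        } catch (URISyntaxException e) {
            this.log.warn("Unable to create redirect_uri for OIDC authentication request", e);
            return null;
        }
    }

    /**
     * Builds the origin string of a URI: {@code scheme://host}, plus {@code :port} when the URI has
     * an explicit port.
     *
     * @param uri the URI to take the origin from
     * @return the origin in string form
     * @throws URISyntaxException if the scheme, host and port do not form a valid URI
     */
    @Nonnull
    private String buildOrigin(@Nonnull URI uri) throws URISyntaxException {
        final String origin;
        if (uri.getPort() == -1) {
            origin = String.format("%s://%s", uri.getScheme(), uri.getHost());
        } else {
            origin = String.format("%s://%s:%s", uri.getScheme(), uri.getHost(), uri.getPort());
        }
        // Round-trip through URI so a malformed scheme/host is rejected rather than compared.
        return new URI(origin).toString();
    }

    /**
     * Builds a URI from its parts, leaving the port out when it is the default for the scheme
     * (80 for http, 443 for https).
     *
     * @param scheme the URI scheme
     * @param host the host name
     * @param port the port number
     * @param path the path
     * @return the assembled URI
     * @throws URISyntaxException if the parts do not form a valid URI
     */
    @Nonnull
    private final URI buildURIIgnoreDefaultPorts(@Nonnull String scheme, @Nonnull String host, int port, @Nonnull String path) throws URISyntaxException {
        final boolean defaultHttp = "http".equalsIgnoreCase(scheme) && port == 80;
        final boolean defaultHttps = "https".equalsIgnoreCase(scheme) && port == 443;
        // -1 tells URIBuilder to emit no port component.
        final int effectivePort = (defaultHttp || defaultHttps) ? -1 : port;
        return new URIBuilder().setScheme(scheme).setHost(host).setPort(effectivePort).setPath(path).build();
    }
}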
