package net.shibboleth.idp.plugin.authn.oidc.rp.security.impl;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.idp.relyingparty.RelyingPartyConfigurationResolver;
import net.shibboleth.oidc.profile.config.JSONSecurityConfiguration;
import net.shibboleth.oidc.profile.config.OIDCAuthenticationRelyingPartyProfileConfiguration;
import net.shibboleth.oidc.security.jose.SignatureSigningConfiguration;
import net.shibboleth.oidc.security.jose.impl.BasicSignatureSigningConfiguration;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotLive;
import net.shibboleth.utilities.java.support.annotation.constraint.Unmodifiable;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.context.navigate.ContextDataLookupFunction;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.ParentProfileRequestContextLookup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/security/impl/ClientAuthenticationConfigurationLookupFunction.class */
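/**
 * Looks up the JWT signature signing configurations that may be used for client authentication at
 * the token endpoint, restricted to the algorithm family matching the configured method.
 *
 * <p>Candidates are collected from the relying party's profile configuration first and from the
 * resolver's default security configuration second. Each candidate is copied, and the copy's
 * signature algorithm list is narrowed: {@code client_secret_jwt} keeps only
 * {@link JWSAlgorithm.Family#HMAC_SHA} names and {@code private_key_jwt} keeps only
 * {@link JWSAlgorithm.Family#SIGNATURE} names. Any other method yields an empty list, so the
 * algorithm type offered always matches the credential type of the chosen method.</p>
 */
public class ClientAuthenticationConfigurationLookupFunction implements ContextDataLookupFunction<MessageContext, List<SignatureSigningConfiguration>> {

    /** Finds the profile request context that is a parent of a message context. */
    @Nonnull
    private static final ParentProfileRequestContextLookup<MessageContext> PRC_LOOKUP = new ParentProfileRequestContextLookup<>();

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ClientAuthenticationConfigurationLookupFunction.class);

    /** Strategy used to locate the {@link RelyingPartyContext} under the profile request context. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy = new ChildContextLookup<>(RelyingPartyContext.class);

    /** Optional resolver that supplies the default security configuration for a profile id. */
    @Nullable
    private RelyingPartyConfigurationResolver rpResolver;

    /**
     * Sets the resolver consulted for the default security configuration.
     *
     * @param relyingPartyConfigurationResolver the resolver, or {@code null} to skip the default lookup
     */
    public void setRelyingPartyConfigurationResolver(@Nullable RelyingPartyConfigurationResolver relyingPartyConfigurationResolver) {
        this.rpResolver = relyingPartyConfigurationResolver;
    }

    /**
     * Sets the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param function the lookup strategy; rejected by {@link Constraint#isNotNull} when {@code null}
     */
    public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext, RelyingPartyContext> function) {
        this.relyingPartyContextLookupStrategy = Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    /**
     * Resolves the signing configurations usable for the configured token endpoint client
     * authentication method.
     *
     * @param messageContext the message context whose parent profile request context is inspected
     * @return an unmodifiable list of filtered copies; empty when no authentication method is
     *         configured or when the method is neither {@code client_secret_jwt} nor
     *         {@code private_key_jwt}
     */
    @Override
    @NonnullElements
    @Nonnull
    @NotLive
    @Unmodifiable
    public List<SignatureSigningConfiguration> apply(@Nullable MessageContext messageContext) {
        // Resolve the profile request context once so that every lookup below sees the same
        // object. It may be null when the message context has no such parent.
        final ProfileRequestContext prc = PRC_LOOKUP.apply(messageContext);

        final List<SignatureSigningConfiguration> candidates = new ArrayList<>();
        String authMethodName = null;

        final RelyingPartyContext rpContext = this.relyingPartyContextLookupStrategy.apply(prc);
        if (rpContext != null) {
            // var: the listing does not show getProfileConfig()'s declared return type; the
            // instanceof test below implies it is wider than the OIDC profile configuration.
            final var profileConfig = rpContext.getProfileConfig();
            if (profileConfig != null) {
                // Read the security configuration once; the type test and the use then cannot
                // observe two different objects.
                final Object securityConfig = profileConfig.getSecurityConfiguration(prc);
                if (securityConfig instanceof JSONSecurityConfiguration) {
                    final SignatureSigningConfiguration profileSigning =
                            ((JSONSecurityConfiguration) securityConfig).getJwtSignatureSigningConfiguration();
                    if (profileSigning != null) {
                        candidates.add(profileSigning);
                    }
                }
            }
            if (profileConfig instanceof OIDCAuthenticationRelyingPartyProfileConfiguration) {
                authMethodName = ((OIDCAuthenticationRelyingPartyProfileConfiguration) profileConfig).getTokenEndpointAuthMethod(prc);
            }
        }

        // The default configuration is keyed by profile id, so it needs a profile request
        // context. Without this guard a message context with no such parent would raise a
        // NullPointerException instead of simply contributing no default.
        if (messageContext != null && prc != null && this.rpResolver != null) {
            final Object defaultConfig = this.rpResolver.getDefaultSecurityConfiguration(prc.getProfileId());
            if (defaultConfig instanceof JSONSecurityConfiguration) {
                final SignatureSigningConfiguration defaultSigning =
                        ((JSONSecurityConfiguration) defaultConfig).getJwtSignatureSigningConfiguration();
                if (defaultSigning != null) {
                    candidates.add(defaultSigning);
                }
            }
        }

        if (authMethodName == null) {
            this.log.trace("Token endpoint client authentication method can not be found");
            return Collections.emptyList();
        }

        final ClientAuthenticationMethod authMethod = new ClientAuthenticationMethod(authMethodName);
        final JWSAlgorithm.Family requiredFamily;
        if (authMethod.equals(ClientAuthenticationMethod.CLIENT_SECRET_JWT)) {
            // Shared-secret method: only MAC algorithms are appropriate.
            requiredFamily = JWSAlgorithm.Family.HMAC_SHA;
        } else if (authMethod.equals(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
            // Key-pair method: only digital signature algorithms are appropriate.
            requiredFamily = JWSAlgorithm.Family.SIGNATURE;
        } else {
            // Methods that are not JWT-based get no signing configuration at all.
            return Collections.emptyList();
        }

        // NOTE(review): a candidate whose algorithm list filters down to empty is still returned
        // as a configuration with no signature algorithms. Confirm that the consumer treats this
        // as "nothing usable" rather than falling back to some other algorithm.
        final List<SignatureSigningConfiguration> filtered = new ArrayList<>(candidates.size());
        for (final SignatureSigningConfiguration candidate : candidates) {
            final List<String> allowedAlgorithms =
                    filterAlgorithmsAgainstFamily(requiredFamily, candidate.getSignatureAlgorithms());
            filtered.add(createSignatureSigningConfiguration(candidate, allowedAlgorithms));
        }
        return Collections.unmodifiableList(filtered);
    }

    /**
     * Keeps only the algorithm names that belong to the given JWS algorithm family.
     *
     * <p>Null and empty entries are skipped. {@link JWSAlgorithm#parse} does not reject names it
     * does not recognise, so the family membership test is what removes them; {@code none} is in
     * neither family used by this class and is removed the same way.</p>
     *
     * @param family the family an algorithm must belong to; must not be {@code null}
     * @param list the configured algorithm names, possibly {@code null}
     * @return an unmodifiable list of the surviving names, in their original order
     */
    @NonnullElements
    @Nonnull
    @NotLive
    @Unmodifiable
    private List<String> filterAlgorithmsAgainstFamily(@Nonnull JWSAlgorithm.Family family, @Nullable List<String> list) {
        if (list == null) {
            return Collections.emptyList();
        }
        // family::contains evaluates its receiver eagerly, so a null family fails here with a
        // NullPointerException, as it did before.
        final List<String> names = list.stream()
                .filter(Objects::nonNull)
                .filter(Predicate.not(String::isEmpty))
                .map(JWSAlgorithm::parse)
                .filter(family::contains)
                .map(JWSAlgorithm::getName)
                .collect(Collectors.toList());
        return Collections.unmodifiableList(names);
    }

    /**
     * Copies a signing configuration, replacing only its signature algorithm list.
     *
     * <p>Included and excluded algorithms, their precedence and merge flags, and the signing
     * credentials are taken over unchanged from the source configuration.</p>
     *
     * @param signatureSigningConfiguration the configuration to copy from
     * @param list the signature algorithm names to set on the copy
     * @return the new configuration
     */
    @Nonnull
    private BasicSignatureSigningConfiguration createSignatureSigningConfiguration(@Nonnull SignatureSigningConfiguration signatureSigningConfiguration, @Nonnull List<String> list) {
        final BasicSignatureSigningConfiguration copy = new BasicSignatureSigningConfiguration();
        copy.setExcludedAlgorithms(signatureSigningConfiguration.getExcludedAlgorithms());
        copy.setIncludedAlgorithms(signatureSigningConfiguration.getIncludedAlgorithms());
        copy.setIncludeExcludePrecedence(signatureSigningConfiguration.getIncludeExcludePrecedence());
        copy.setSigningCredentials(signatureSigningConfiguration.getSigningCredentials());
        copy.setIncludeMerge(signatureSigningConfiguration.isIncludeMerge());
        copy.setExcludeMerge(signatureSigningConfiguration.isExcludeMerge());
        // Set last so the family-restricted list is what the copy ends up with.
        copy.setSignatureAlgorithms(list);
        return copy;
    }
}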
