package net.shibboleth.idp.plugin.authn.oidc.rp.encoding.impl;

import com.nimbusds.jose.util.StandardCharset;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import java.net.URI;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.authn.oidc.rp.config.navigate.UserInfoHttpRequestMethodLookupStrategy;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.AccessTokenResponseContext;
import net.shibboleth.idp.plugin.authn.oidc.rp.exception.OIDCRPException;
import net.shibboleth.oidc.profile.oauth2.config.OAuth2AuthorizationProfileConfiguration;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.apache.hc.core5.http.ClassicHttpRequest;
import org.apache.hc.core5.http.ContentType;
import org.apache.hc.core5.http.io.support.ClassicRequestBuilder;
import org.apache.hc.core5.net.URIBuilder;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/encoding/impl/DefaultUserInfoRequestEncoder.class */
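/**
 * Builds the HTTP request used to fetch claims from an OpenID Provider's UserInfo endpoint.
 *
 * <p>The request URI is rebuilt from the host, port and path of the endpoint advertised in the
 * provider metadata, and its scheme is always set to {@code https}. The bearer access token is
 * therefore never attached to a request URI carrying the {@code http} scheme, whatever the
 * metadata advertises. Any query string or fragment on the advertised endpoint is not copied.</p>
 *
 * <p>For GET the token travels in the {@code Authorization} header; for POST it is added as the
 * {@code access_token} form parameter (the two bearer-token transports of RFC 6750, sections 2.1
 * and 2.2). Every failure path returns {@code null} rather than throwing.</p>
 */
public class DefaultUserInfoRequestEncoder extends AbstractRequestEncoderFunction {

    /** Scheme forced onto every UserInfo request URI. */
    @Nonnull
    @NotEmpty
    private static final String HTTPS = "https";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(DefaultUserInfoRequestEncoder.class);

    /** Locates the context holding the token response; by default a child of the inbound message context. */
    @Nonnull
    private Function<ProfileRequestContext, AccessTokenResponseContext> tokenResponseContextLookupStrategy = new ChildContextLookup(AccessTokenResponseContext.class, true).compose(new InboundMessageContextLookup());

    /** Decides whether the UserInfo request is sent as GET or POST. */
    @Nonnull
    private Function<ProfileRequestContext, OAuth2AuthorizationProfileConfiguration.HttpRequestMethod> httpMethodLookupStrategy = new UserInfoHttpRequestMethodLookupStrategy();

    /**
     * Sets the strategy used to find the {@link AccessTokenResponseContext}.
     *
     * <p>Runs the inherited {@code checkSetterPreconditions()} before assigning.</p>
     *
     * @param function the lookup strategy, must not be {@code null}
     */
    public void setTokenResponseContextLookupStrategy(Function<ProfileRequestContext, AccessTokenResponseContext> function) {
        checkSetterPreconditions();
        this.tokenResponseContextLookupStrategy = Constraint.isNotNull(function, "tokenResponseContextLookupStrategy can not be null");
    }

    /**
     * Sets the strategy used to choose the HTTP method of the UserInfo request.
     *
     * <p>Runs the inherited {@code checkSetterPreconditions()} before assigning.</p>
     *
     * @param function the lookup strategy, must not be {@code null}
     */
    public void setHttpMethodLookupStrategy(Function<ProfileRequestContext, OAuth2AuthorizationProfileConfiguration.HttpRequestMethod> function) {
        checkSetterPreconditions();
        this.httpMethodLookupStrategy = Constraint.isNotNull(function, "httpMethodLookupStrategy can not be null");
    }

    /**
     * Encodes the UserInfo request for the current profile request.
     *
     * @param profileRequestContext the profile request context the lookup strategies are applied to
     * @param oIDCProviderMetadata metadata of the provider whose UserInfo endpoint is called
     * @return the request carrying the bearer token, or {@code null} if no token response context
     *         is found, the metadata has no UserInfo endpoint, the configured method is neither
     *         GET nor POST, or encoding fails for any other reason
     */
    @Override
    @Nullable
    public ClassicHttpRequest doApply(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull OIDCProviderMetadata oIDCProviderMetadata) {
        try {
            final OAuth2AuthorizationProfileConfiguration.HttpRequestMethod method = this.httpMethodLookupStrategy.apply(profileRequestContext);
            final AccessTokenResponseContext tokenContext = this.tokenResponseContextLookupStrategy.apply(profileRequestContext);
            if (tokenContext == null) {
                this.log.debug("No TokenResponseContext returned by lookup strategy");
                return null;
            }

            // The endpoint is optional in provider metadata; report its absence explicitly
            // instead of letting a NullPointerException fall into the generic handler below.
            final URI advertised = oIDCProviderMetadata.getUserInfoEndpointURI();
            if (advertised == null) {
                this.log.warn("Unable to construct UserInfo request, provider metadata has no UserInfo endpoint");
                return null;
            }

            // Only host, port and path are taken from the metadata. The scheme is pinned to
            // https so that the access token is not attached to a plain-http request URI.
            final URI target = new URIBuilder()
                    .setScheme(HTTPS)
                    .setPort(advertised.getPort())
                    .setHost(advertised.getHost())
                    .setPath(advertised.getPath())
                    .build();

            final ClassicRequestBuilder builder;
            if (method == OAuth2AuthorizationProfileConfiguration.HttpRequestMethod.GET) {
                builder = formEncoded(ClassicRequestBuilder.get(), target);
                assert builder != null;
                addBearerTokenToGet(builder, tokenContext);
            } else if (method == OAuth2AuthorizationProfileConfiguration.HttpRequestMethod.POST) {
                builder = formEncoded(ClassicRequestBuilder.post(), target);
                assert builder != null;
                addBearerTokenToPost(builder, tokenContext);
            } else {
                this.log.error("Unable to construct UserInfo request, unknown request method: {}", method);
                return null;
            }

            final ClassicHttpRequest request = builder.build();
            // NOTE(review): this renders the request through its toString(); confirm that the
            // rendering never includes the Authorization header or the form body.
            this.log.debug("UserInfo request URL '{}'", request);
            return request;
        } catch (Exception e) {
            // Callers receive null on any failure; the cause is kept in the log entry.
            this.log.warn("Unable to encode UserInfo request", e);
            return null;
        }
    }

    /** Applies the target URI, form content type and UTF-8 charset shared by both request methods. */
    private static ClassicRequestBuilder formEncoded(@Nonnull ClassicRequestBuilder base, @Nonnull URI target) {
        return base.setUri(target)
                .setHeader("Content-Type", ContentType.APPLICATION_FORM_URLENCODED.getMimeType())
                .setCharset(StandardCharset.UTF_8);
    }

    /**
     * Extracts the bearer access token from the token response held by the context.
     *
     * @throws OIDCRPException if the context has no token response or the token is not a bearer token
     */
    @Nonnull
    private static BearerAccessToken requireBearerToken(@Nonnull AccessTokenResponseContext accessTokenResponseContext) throws OIDCRPException {
        final OIDCTokenResponse tokenResponse = accessTokenResponseContext.getTokenResponse();
        if (tokenResponse == null) {
            throw new OIDCRPException("No access token response found");
        }
        final BearerAccessToken bearerAccessToken = tokenResponse.getTokens().getBearerAccessToken();
        if (bearerAccessToken == null) {
            throw new OIDCRPException("Access token was not Bearer type");
        }
        return bearerAccessToken;
    }

    /**
     * Adds the bearer token to a POST request as the {@code access_token} form parameter.
     *
     * @throws OIDCRPException if no bearer token is available
     */
    private void addBearerTokenToPost(@Nonnull ClassicRequestBuilder classicRequestBuilder, @Nonnull AccessTokenResponseContext accessTokenResponseContext) throws OIDCRPException {
        classicRequestBuilder.addParameter("access_token", requireBearerToken(accessTokenResponseContext).getValue());
    }

    /**
     * Adds the bearer token to a GET request as the {@code Authorization} header.
     *
     * @throws OIDCRPException if no bearer token is available
     */
    private void addBearerTokenToGet(@Nonnull ClassicRequestBuilder classicRequestBuilder, @Nonnull AccessTokenResponseContext accessTokenResponseContext) throws OIDCRPException {
        classicRequestBuilder.addHeader("Authorization", requireBearerToken(accessTokenResponseContext).toAuthorizationHeader());
    }
}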
