package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.function.Function;
import javax.annotation.Nonnull;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.AccessTokenResponseContext;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/ValidateOAuthAccessTokenResponse.class */
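/**
 * Authentication action that validates the OIDC token endpoint response held in the
 * {@link AccessTokenResponseContext} located by the configured lookup strategy.
 *
 * <p>The action signals {@code InvalidProfileContext} when no
 * {@link AccessTokenResponseContext} can be found, and {@code InvalidAcessToken} (spelling is the
 * event ID other flow components match on, so it is kept as-is) when the response is absent, is an
 * error response, lacks an {@code id_token} or {@code access_token}, is not a bearer token, or has
 * already expired according to {@code expires_in} and the recorded creation time. Otherwise no
 * event is built and the flow proceeds.</p>
 *
 * <p>Expiry is evaluated strictly against the configured {@link Clock} with no skew allowance;
 * a lifetime of {@code 0} or a missing creation timestamp disables the expiry check.</p>
 */
public class ValidateOAuthAccessTokenResponse extends AbstractAuthenticationAction {

    /** Event ID built for every defect found in the token response itself. */
    @Nonnull
    @NotEmpty
    private static final String EVENT_INVALID_ACCESS_TOKEN = "InvalidAcessToken";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateOAuthAccessTokenResponse.class);

    /**
     * Strategy used to locate the {@link AccessTokenResponseContext}; by default a child of the
     * inbound message context, created if absent.
     */
    @Nonnull
    private Function<ProfileRequestContext, AccessTokenResponseContext> tokenResponseContextLookupStrategy = new ChildContextLookup(AccessTokenResponseContext.class, true).compose(new InboundMessageContextLookup());

    /** Clock used for the expiry comparison; injectable so the check is testable. */
    @Nonnull
    private Clock clock = Clock.systemUTC();

    /**
     * Sets the strategy used to locate the {@link AccessTokenResponseContext}.
     *
     * @param function lookup strategy, must not be null
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if the strategy is null
     */
    public void setTokenResponseContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, AccessTokenResponseContext> function) {
        checkSetterPreconditions();
        tokenResponseContextLookupStrategy =
                Constraint.isNotNull(function, "TokenResponseContext lookup strategy cannot be null");
    }

    /**
     * Sets the clock used when deciding whether the access token has expired.
     *
     * <p>Defaults to {@link Clock#systemUTC()}, which yields the same instant as
     * {@link Instant#now()}.</p>
     *
     * @param theClock clock to use, must not be null
     */
    public void setClock(@Nonnull final Clock theClock) {
        checkSetterPreconditions();
        clock = Constraint.isNotNull(theClock, "Clock cannot be null");
    }

    /** {@inheritDoc} */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {

        final AccessTokenResponseContext tokenResponseContext =
                tokenResponseContextLookupStrategy.apply(profileRequestContext);
        if (tokenResponseContext == null) {
            log.debug("{} No TokenResponseContext returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return;
        }

        final OIDCTokenResponse tokenResponse = tokenResponseContext.getTokenResponse();
        if (tokenResponse == null) {
            log.warn("{} No Access Token response found, response invalid", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_ACCESS_TOKEN);
            return;
        }

        // An OAuth error response is never usable as an access token response.
        if (!tokenResponse.indicatesSuccess()) {
            log.warn("{} Error response found instead of access token response", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_ACCESS_TOKEN);
            return;
        }

        if (tokenResponse.getOIDCTokens().getIDToken() == null) {
            log.warn("{} Access token response is invalid, no id_token found", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_ACCESS_TOKEN);
            return;
        }

        if (tokenResponse.getTokens().getAccessToken() == null) {
            log.warn("{} Access token response is invalid, no access_token found", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_ACCESS_TOKEN);
            return;
        }

        // Only bearer tokens are supported; getBearerAccessToken() is null for any other token_type.
        if (tokenResponse.getTokens().getBearerAccessToken() == null) {
            log.warn("{} Access token response is invalid, bearer token_type required", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_ACCESS_TOKEN);
            return;
        }

        // Expiry check. A lifetime of 0 (presumably no expires_in in the response — confirm against
        // the Nimbus SDK) or a missing creation timestamp leaves nothing to compare, so the
        // response is accepted without an expiry check.
        final long lifetimeSeconds = tokenResponse.getTokens().getAccessToken().getLifetime();
        final Instant createdAt = tokenResponseContext.getTokenResponseCreatedAt();
        if (lifetimeSeconds == 0 || createdAt == null) {
            return;
        }

        final Instant expiresAt = createdAt.plus(Duration.ofSeconds(lifetimeSeconds));
        if (expiresAt.isBefore(Instant.now(clock))) {
            log.warn("{} Access token response is invalid, token has expired", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_ACCESS_TOKEN);
        }
    }
}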
