package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import com.nimbusds.common.contenttype.ContentType;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import java.text.ParseException;
import java.util.function.BinaryOperator;
import java.util.function.Function;
import java.util.function.UnaryOperator;
import javax.annotation.Nonnull;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.AccessTokenResponseContext;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.EndUserClaimsContext;
import net.shibboleth.idp.plugin.authn.oidc.rp.context.UserInfoResponseContext;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/ProcessEndUserClaims.class */
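/**
 * Authentication action that combines the claims carried by the ID Token with the claims
 * of an optional UserInfo response into a single end-user claims set, which is stored in an
 * {@link EndUserClaimsContext} together with the unprocessed ID Token claims.
 *
 * <p>Both sources are first passed through the configured sanitization strategy and are
 * then combined by the configured merging strategy. The default strategies are
 * {@link DefaultClaimSanitizationStrategy} and {@link DefaultClaimMergingStrategy}.</p>
 *
 * <p>Pre-execution requires an {@link AccessTokenResponseContext} whose token response
 * carries an ID Token with readable claims; a missing {@link UserInfoResponseContext}
 * is tolerated and treated as an empty UserInfo claims set. Any other failure signals
 * the {@code InvalidProfileContext} event.</p>
 *
 * <p>Note that the original code returned {@code false} from pre-execution without
 * signaling any event when the UserInfo entity had an unknown content type or its JWT
 * claims could not be parsed, which silently skipped execution; those paths now signal
 * the same event as the other failure paths.</p>
 */
public class ProcessEndUserClaims extends AbstractAuthenticationAction {

    /** Event signaled when the required token response or claims are unavailable. */
    @Nonnull private static final String EVENT_INVALID_PROFILE_CTX = "InvalidProfileContext";

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(ProcessEndUserClaims.class);

    /** Lookup strategy for the context holding the UserInfo response; the response is optional. */
    @Nonnull private Function<ProfileRequestContext, UserInfoResponseContext> userInfoResponseContextLookupStrategy =
            new ChildContextLookup<>(UserInfoResponseContext.class).compose(new InboundMessageContextLookup());

    /** Lookup strategy for the context holding the token response that carries the ID Token. */
    @Nonnull private Function<ProfileRequestContext, AccessTokenResponseContext> accessTokenResponseContextLookupStrategy =
            new ChildContextLookup<>(AccessTokenResponseContext.class).compose(new InboundMessageContextLookup());

    /** Lookup strategy for the context that receives the result; the default auto-creates it. */
    @Nonnull private Function<ProfileRequestContext, EndUserClaimsContext> endUserClaimsContextLookupStrategy =
            new ChildContextLookup<>(EndUserClaimsContext.class, true).compose(new InboundMessageContextLookup());

    /** Strategy combining the (sanitized) UserInfo claims with the (sanitized) ID Token claims. */
    @Nonnull private BinaryOperator<ClaimsSet> claimMergingStrategy = new DefaultClaimMergingStrategy();

    /** Strategy applied to each claims set before merging. */
    @Nonnull private UnaryOperator<ClaimsSet> claimSanitizationStrategy = new DefaultClaimSanitizationStrategy();

    /** UserInfo claims located during pre-execution; empty when no UserInfo response exists. */
    @NonnullBeforeExec private ClaimsSet userInfoClaims;

    /** ID Token claims located during pre-execution. */
    @NonnullBeforeExec private JWTClaimsSet idTokenClaims;

    /**
     * Sets the strategy used to merge UserInfo claims and ID Token claims.
     *
     * @param strategy the merging strategy
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if the strategy is null
     */
    public void setClaimMergingStrategy(@Nonnull final BinaryOperator<ClaimsSet> strategy) {
        checkSetterPreconditions();
        claimMergingStrategy = Constraint.isNotNull(strategy, "ClaimMergingStrategy cannot be null");
    }

    /**
     * Sets the strategy applied to each claims set before merging.
     *
     * @param strategy the sanitization strategy
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if the strategy is null
     */
    public void setClaimSanitizationStrategy(@Nonnull final UnaryOperator<ClaimsSet> strategy) {
        checkSetterPreconditions();
        claimSanitizationStrategy = Constraint.isNotNull(strategy, "ClaimSanatizationStrategy cannot be null");
    }

    /**
     * Disables claim sanitization by installing a pass-through strategy that returns a copy
     * of its input.
     *
     * <p>Passing {@code true} leaves whatever strategy is currently configured in place; it
     * does not restore the default strategy.</p>
     *
     * @param enabled whether sanitization should remain enabled
     */
    public void setEnableClaimSanitizationStrategy(final boolean enabled) {
        checkSetterPreconditions();
        if (!enabled) {
            // The original lambda re-declared its parameter as the local copy, so the copy
            // was filled from itself (and did not compile as written); copy from the input.
            claimSanitizationStrategy = input -> {
                final ClaimsSet copy = new ClaimsSet();
                copy.putAll(input);
                return copy;
            };
        }
    }

    /**
     * Sets the lookup strategy for the {@link EndUserClaimsContext} that receives the result.
     *
     * @param strategy the lookup strategy
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if the strategy is null
     */
    public void setEndUserClaimsContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, EndUserClaimsContext> strategy) {
        checkSetterPreconditions();
        endUserClaimsContextLookupStrategy =
                Constraint.isNotNull(strategy, "EndUserClaimsContextLookupStrategy cannot be null");
    }

    /**
     * Sets the lookup strategy for the {@link AccessTokenResponseContext} carrying the ID Token.
     *
     * @param strategy the lookup strategy
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if the strategy is null
     */
    public void setAccessTokenResponseContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, AccessTokenResponseContext> strategy) {
        checkSetterPreconditions();
        accessTokenResponseContextLookupStrategy =
                Constraint.isNotNull(strategy, "TokenResponseContext lookup strategy cannot be null");
    }

    /**
     * Sets the lookup strategy for the {@link UserInfoResponseContext}.
     *
     * @param strategy the lookup strategy
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if the strategy is null
     */
    public void setUserInfoResponseContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, UserInfoResponseContext> strategy) {
        checkSetterPreconditions();
        userInfoResponseContextLookupStrategy =
                Constraint.isNotNull(strategy, "UserInfoResponseContext lookup strategy cannot be null");
    }

    /** {@inheritDoc} */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        // UserInfo is resolved first so that its (optional) absence is logged before the
        // mandatory token response is checked, matching the original ordering.
        return extractUserInfoClaims(profileRequestContext) && extractIdTokenClaims(profileRequestContext);
    }

    /**
     * Populates {@link #userInfoClaims} from the UserInfo response, if one is available.
     *
     * <p>A missing context or response yields an empty claims set. A response entity that is
     * neither JSON nor JWT, or a JWT whose claims cannot be parsed, signals
     * {@code InvalidProfileContext}.</p>
     *
     * @param profileRequestContext current profile request context
     * @return true iff the UserInfo claims were populated
     */
    private boolean extractUserInfoClaims(@Nonnull final ProfileRequestContext profileRequestContext) {
        final UserInfoResponseContext userInfoCtx = userInfoResponseContextLookupStrategy.apply(profileRequestContext);
        final UserInfoSuccessResponse response = userInfoCtx != null ? userInfoCtx.getUserInfo() : null;
        if (response == null) {
            log.trace("{} No UserInfo response context returned by lookup strategy, creating empty UserInfo claims",
                    getLogPrefix());
            userInfoClaims = new ClaimsSet();
            return true;
        }

        final ContentType contentType = response.getEntityContentType();
        if (contentType == ContentType.APPLICATION_JSON) {
            userInfoClaims = response.getUserInfo();
            return true;
        }
        if (contentType != ContentType.APPLICATION_JWT) {
            log.warn("Unable to extract UserInfo claims, unknown entity content type");
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CTX);
            return false;
        }

        try {
            // NOTE(review): the claims are read straight out of the UserInfo JWT here; this
            // call neither verifies a signature nor decrypts, so confirm that the response
            // was validated by an earlier action before these claims are treated as trusted.
            final ClaimsSet claims = new ClaimsSet();
            claims.putAll(response.getUserInfoJWT().getJWTClaimsSet().getClaims());
            userInfoClaims = claims;
            return true;
        } catch (final ParseException e) {
            log.warn("Unable to extract UserInfo claims from JWT claimsset", e);
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CTX);
            return false;
        }
    }

    /**
     * Populates {@link #idTokenClaims} from the ID Token in the token response.
     *
     * <p>Signals {@code InvalidProfileContext} when the token response, its ID Token, or the
     * ID Token's claims are unavailable (for example because the token is still encrypted)
     * or cannot be parsed.</p>
     *
     * @param profileRequestContext current profile request context
     * @return true iff the ID Token claims were populated
     */
    private boolean extractIdTokenClaims(@Nonnull final ProfileRequestContext profileRequestContext) {
        final AccessTokenResponseContext tokenCtx = accessTokenResponseContextLookupStrategy.apply(profileRequestContext);
        final OIDCTokenResponse tokenResponse = tokenCtx != null ? tokenCtx.getTokenResponse() : null;
        if (tokenResponse == null) {
            log.debug("{} No AccessTokenResponseContext or Access Token returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CTX);
            return false;
        }
        if (tokenResponse.getOIDCTokens() == null || tokenResponse.getOIDCTokens().getIDToken() == null) {
            log.debug("{} AccessTokenResponseContext did not contain an id_token", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CTX);
            return false;
        }

        try {
            idTokenClaims = tokenResponse.getOIDCTokens().getIDToken().getJWTClaimsSet();
        } catch (final ParseException e) {
            // The original dropped the exception; keep it in the debug log for diagnosis.
            log.debug("{} Unable to parse claims from id_token", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CTX);
            return false;
        }
        if (idTokenClaims == null) {
            log.debug("{} AccessTokenResponseContext did not contain an id_token with accessible claims, possibly still encrypted",
                    getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CTX);
            return false;
        }
        return true;
    }

    /** {@inheritDoc} */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (log.isTraceEnabled()) {
            log.trace("{} Processing {} claims", getLogPrefix(),
                    userInfoClaims.toJSONObject().size() > 0 ? "UserInfo and ID Token" : "ID Token");
        }

        // Wrap the ID Token claims as a plain ClaimsSet so both inputs share the
        // sanitization and merging strategies' type.
        final ClaimsSet idTokenClaimsSet = new ClaimsSet();
        idTokenClaimsSet.putAll(idTokenClaims.toJSONObject());

        // The merging strategy is allowed to return null; that is mapped to an empty set below.
        final ClaimsSet merged = claimMergingStrategy.apply(
                claimSanitizationStrategy.apply(userInfoClaims),
                claimSanitizationStrategy.apply(idTokenClaimsSet));

        final JWTClaimsSet unprocessed = idTokenClaims;
        assert unprocessed != null;

        // A custom lookup strategy may not auto-create the context the way the default does.
        final EndUserClaimsContext claimsCtx = endUserClaimsContextLookupStrategy.apply(profileRequestContext);
        if (claimsCtx == null) {
            log.error("{} No EndUserClaimsContext returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CTX);
            return;
        }
        claimsCtx.setEndUserClaims(merged != null ? merged : new ClaimsSet())
                .setUnprocessedIdTokenClaims(unprocessed);

        if (log.isTraceEnabled() && merged != null) {
            log.trace("{} Merged and sanitized claims to produce the claims set '{}'", getLogPrefix(),
                    merged.toJSONString());
        }
    }
}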
