package net.shibboleth.idp.plugin.authn.oidc.rp.impl;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretJWT;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.authn.context.OAuth2ClientAuthenticationContext;
import net.shibboleth.oidc.metadata.context.OIDCProviderMetadataContext;
import net.shibboleth.oidc.profile.config.OIDCAuthenticationRelyingPartyProfileConfiguration;
import net.shibboleth.oidc.profile.messaging.context.OIDCPeerEntityContext;
import net.shibboleth.oidc.security.credential.ClientSecretCredential;
import net.shibboleth.oidc.security.impl.JWSTokenSigner;
import net.shibboleth.oidc.security.jose.SignatureException;
import net.shibboleth.oidc.security.jose.SignatureSigningParameters;
import net.shibboleth.oidc.security.jose.context.SecurityParametersContext;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.handler.AbstractMessageHandler;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.ParentProfileRequestContextLookup;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/idp/plugin/authn/oidc/rp/impl/InitializeOAuth2ClientAuthenticationMethodHandler.class */
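/**
 * Message handler that builds the client authentication the relying party will present at the
 * provider's token endpoint and stores it in the {@link OAuth2ClientAuthenticationContext}.
 *
 * <p>The method name comes from the {@link OIDCAuthenticationRelyingPartyProfileConfiguration}
 * ({@code client_secret_basic}, {@code client_secret_post}, {@code client_secret_jwt} or
 * {@code private_key_jwt}). The secret-based methods need a {@link ClientSecretCredential}; the
 * JWT-based methods need signing parameters from a {@link SecurityParametersContext} and sign a
 * short-lived assertion whose audience is the provider's token endpoint.</p>
 */
public class InitializeOAuth2ClientAuthenticationMethodHandler extends AbstractMessageHandler {

    /** Navigates from the message context up to the owning profile request context. */
    @Nonnull
    private static final ParentProfileRequestContextLookup<MessageContext> PRC_LOOKUP =
            new ParentProfileRequestContextLookup<>();

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(InitializeOAuth2ClientAuthenticationMethodHandler.class);

    /** Context the built client authentication is stored in; resolved in {@link #doPreInvoke}. */
    @NonnullBeforeExec
    private OAuth2ClientAuthenticationContext oauth2ClientAuthenticationContext;

    /** OIDC RP profile configuration the auth method, client_id and credential are read from. */
    @NonnullBeforeExec
    private OIDCAuthenticationRelyingPartyProfileConfiguration profileConfiguration;

    /** Signing parameters for the JWT-based methods; may be absent for the secret-based ones. */
    @Nullable
    private SecurityParametersContext jwtBearerClientAuthSecurityParameters;

    /** Provider metadata; its token endpoint becomes the assertion audience. */
    @NonnullBeforeExec
    private OIDCProviderMetadata providerMetadata;

    /** Client secret credential, if the profile configuration supplies one. */
    @Nullable
    private ClientSecretCredential clientCredential;

    /** Configured token endpoint authentication method name. */
    @Nullable
    private String clientAuthMethod;

    /** Configured client_id. */
    @Nullable
    private String clientId;

    /** Finds (creating if absent) the client authentication context below the peer entity context. */
    @Nonnull
    private Function<MessageContext, OAuth2ClientAuthenticationContext> oauth2ClientAuthenticationContextLookupStrategy =
            new ChildContextLookup<OIDCPeerEntityContext, OAuth2ClientAuthenticationContext>(
                    OAuth2ClientAuthenticationContext.class, true)
                    .compose(new ChildContextLookup<MessageContext, OIDCPeerEntityContext>(OIDCPeerEntityContext.class));

    /** Finds the relying party context below the profile request context. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy =
            new ChildContextLookup<>(RelyingPartyContext.class);

    /** Finds the security parameters context for signing the client assertion. */
    @Nonnull
    private Function<MessageContext, SecurityParametersContext> securityParametersContextLookupStrategy =
            new ChildContextLookup<>(SecurityParametersContext.class);

    /** Finds the provider metadata context below the peer entity context. */
    @Nonnull
    private Function<MessageContext, OIDCProviderMetadataContext> providerMetadataLookupStrategy =
            new ChildContextLookup<OIDCPeerEntityContext, OIDCProviderMetadataContext>(OIDCProviderMetadataContext.class)
                    .compose(new ChildContextLookup<MessageContext, OIDCPeerEntityContext>(OIDCPeerEntityContext.class));

    /** Lifetime of a signed client assertion, measured from its issue time. */
    @Nonnull
    private Duration jwtBearerExpiryOffset = Duration.ofSeconds(30);

    /**
     * Sets how long a signed client assertion stays valid after it is issued.
     *
     * @param duration the lifetime, not null
     */
    public void setJwtBearerExpiryOffset(@Nonnull final Duration duration) {
        checkSetterPreconditions();
        jwtBearerExpiryOffset = Constraint.isNotNull(duration, "jwtBearerExpiryOffset can not be null");
    }

    /**
     * Sets the strategy used to locate the {@link OIDCProviderMetadataContext}.
     *
     * @param function the lookup strategy, not null
     */
    public void setProviderMetadataLookupStrategy(
            @Nonnull final Function<MessageContext, OIDCProviderMetadataContext> function) {
        checkSetterPreconditions();
        providerMetadataLookupStrategy =
                Constraint.isNotNull(function, "Provider metadata lookup strategy can not be null");
    }

    /**
     * Sets the strategy used to locate the {@link SecurityParametersContext} for JWT signing.
     *
     * @param function the lookup strategy, not null
     */
    public void setSecurityParametersContextLookupStrategy(
            @Nonnull final Function<MessageContext, SecurityParametersContext> function) {
        checkSetterPreconditions();
        securityParametersContextLookupStrategy =
                Constraint.isNotNull(function, "JWTSecurityParametersContext lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param function the lookup strategy, not null
     */
    public void setRelyingPartyContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, RelyingPartyContext> function) {
        checkSetterPreconditions();
        relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to locate or create the {@link OAuth2ClientAuthenticationContext}.
     *
     * @param function the lookup strategy, not null
     */
    public void setOAuth2ClientAuthenticationContextLookupStrategy(
            @Nonnull final Function<MessageContext, OAuth2ClientAuthenticationContext> function) {
        checkSetterPreconditions();
        oauth2ClientAuthenticationContextLookupStrategy =
                Constraint.isNotNull(function, "OAuth2 client authentication context lookup strategy cannot be null");
    }

    /**
     * Resolves everything the handler needs: the client authentication context, the OIDC RP
     * profile configuration, the (optional) signing parameters, the provider metadata, and the
     * configured authentication method, client_id and client credential.
     *
     * @param messageContext the message context to operate on
     * @return true iff invocation should proceed
     * @throws MessageHandlerException if a required context or configuration value is missing
     */
    @Override
    protected boolean doPreInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        if (!super.doPreInvoke(messageContext)) {
            return false;
        }

        oauth2ClientAuthenticationContext = oauth2ClientAuthenticationContextLookupStrategy.apply(messageContext);
        if (oauth2ClientAuthenticationContext == null) {
            log.error("{} No OAuth2 client authentication context found or created", getLogPrefix());
            throw new MessageHandlerException("No OAuth2 client authentication context found or created");
        }

        final RelyingPartyContext rpContext =
                relyingPartyContextLookupStrategy.compose(PRC_LOOKUP).apply(messageContext);
        if (rpContext != null && rpContext.getConfiguration() != null) {
            // Only the OIDC RP profile configuration carries the token endpoint auth settings we need.
            final Object profileConfig = rpContext.getProfileConfig();
            if (profileConfig instanceof OIDCAuthenticationRelyingPartyProfileConfiguration) {
                profileConfiguration = (OIDCAuthenticationRelyingPartyProfileConfiguration) profileConfig;
            }
        }
        if (profileConfiguration == null) {
            log.error("{} Profile configuration not found", getLogPrefix());
            // The exception names the actual condition; it previously reused the client-auth-context text.
            throw new MessageHandlerException("No OIDC relying party profile configuration found");
        }

        // May be null for the secret-based methods; the JWT paths check it before signing.
        jwtBearerClientAuthSecurityParameters = securityParametersContextLookupStrategy.apply(messageContext);

        final OIDCProviderMetadataContext metadataContext = providerMetadataLookupStrategy.apply(messageContext);
        if (metadataContext == null || metadataContext.getProviderInformation() == null) {
            log.error("{} Provider metadata not found", getLogPrefix());
            throw new MessageHandlerException("Provider metadata not found");
        }
        providerMetadata = metadataContext.getProviderInformation();

        final ProfileRequestContext prc = PRC_LOOKUP.apply(messageContext);
        clientAuthMethod = profileConfiguration.getTokenEndpointAuthMethod(prc);
        if (clientAuthMethod == null || clientAuthMethod.isEmpty()) {
            throw new MessageHandlerException("No client authentication method found from profile configuration");
        }
        clientId = profileConfiguration.getClientId(prc);
        if (clientId == null) {
            throw new MessageHandlerException("No client_id found from profile configuration");
        }
        clientCredential = profileConfiguration.getClientCredential(prc);
        return true;
    }

    /**
     * Builds the client authentication for the configured method and stores it in the client
     * authentication context.
     *
     * @param messageContext the message context to operate on
     * @throws MessageHandlerException if the method is unsupported or its prerequisites are missing
     */
    @Override
    protected void doInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        final ClientAuthenticationMethod method = new ClientAuthenticationMethod(clientAuthMethod);
        // Common supertype of the four concrete authentications built below.
        final ClientAuthentication clientAuth;

        if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(method)
                || ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(method)) {
            clientAuth = buildSecretAuthentication(method);
        } else if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(method)) {
            verifySuitableClientSecretJWTSecurityContext();
            clientAuth = new ClientSecretJWT(buildClientAuthenticationJwt());
        } else if (ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(method)) {
            verifySuitablePrivateKeyJWTSecurityContext();
            clientAuth = new PrivateKeyJWT(buildClientAuthenticationJwt());
        } else {
            log.warn("{}: Client authentication method '{}' not supported for client '{}'",
                    getLogPrefix(), method, clientId);
            throw new MessageHandlerException("Client authentication could not be constructed");
        }

        oauth2ClientAuthenticationContext.setClientAuthentication(clientAuth);
        log.debug("{} Initialized OAuth2 Client Authentication Context: Found client authentication mode '{}' for client '{}'",
                getLogPrefix(), clientAuth.getMethod(), clientAuth.getClientID());
    }

    /**
     * Builds a {@code client_secret_basic} or {@code client_secret_post} authentication from the
     * configured client secret.
     *
     * @param method the secret-based authentication method
     * @return the client authentication
     * @throws MessageHandlerException if no client secret credential is configured or it has expired
     */
    @Nonnull
    private ClientAuthentication buildSecretAuthentication(@Nonnull final ClientAuthenticationMethod method)
            throws MessageHandlerException {
        if (clientCredential == null) {
            throw new MessageHandlerException(
                    "No client secret credential found from profile configuration, can not construct client authenticaton");
        }
        final Secret secret = new Secret(clientCredential.getSecret());
        if (secret.expired()) {
            log.warn("{} Client secret has expired for client '{}'", getLogPrefix(), clientId);
            throw new MessageHandlerException("Client secret has expired");
        }
        final ClientID id = new ClientID(clientId);
        if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(method)) {
            return new ClientSecretBasic(id, secret);
        }
        return new ClientSecretPost(id, secret);
    }

    /**
     * Returns the signing parameters required by the JWT-based methods.
     *
     * @param methodName method name used in the error message
     * @return the signing parameters
     * @throws MessageHandlerException if the security parameters context or its signing parameters are absent
     */
    @Nonnull
    private SignatureSigningParameters requireSigningParameters(@Nonnull final String methodName)
            throws MessageHandlerException {
        final SecurityParametersContext spc = jwtBearerClientAuthSecurityParameters;
        final SignatureSigningParameters params = spc == null ? null : spc.getSignatureSigningParameters();
        if (params == null) {
            throw new MessageHandlerException("Missing security parameters needed to sign " + methodName);
        }
        return params;
    }

    /**
     * Checks that the signing parameters can produce a {@code client_secret_jwt} assertion.
     *
     * @throws MessageHandlerException if parameters, algorithm or credential are missing, or the
     *      algorithm is not an HMAC
     */
    private void verifySuitableClientSecretJWTSecurityContext() throws MessageHandlerException {
        final SignatureSigningParameters params = requireSigningParameters("client_secret_jwt");
        if (params.getSignatureAlgorithm() == null || params.getSigningCredential() == null) {
            throw new MessageHandlerException("Missing credential needed to sign client_secret_jwt");
        }
        // client_secret_jwt is an HMAC keyed with the client secret; anything outside the
        // HMAC_SHA family means the wrong key material is configured for this method.
        final JWSAlgorithm alg = new JWSAlgorithm(params.getSignatureAlgorithm());
        if (!JWSAlgorithm.Family.HMAC_SHA.contains(alg)) {
            throw new MessageHandlerException("Trying to construct client_secret_jwt using the wrong algorithm: " + alg);
        }
    }

    /**
     * Checks that the signing parameters can produce a {@code private_key_jwt} assertion.
     *
     * @throws MessageHandlerException if parameters, algorithm or credential are missing, or the
     *      algorithm is not an asymmetric signature
     */
    private void verifySuitablePrivateKeyJWTSecurityContext() throws MessageHandlerException {
        final SignatureSigningParameters params = requireSigningParameters("private_key_jwt");
        // A missing algorithm is rejected here, as on the client_secret_jwt path, instead of
        // letting the JWSAlgorithm constructor fail on a null name further down.
        if (params.getSignatureAlgorithm() == null || params.getSigningCredential() == null) {
            throw new MessageHandlerException("Missing credential needed to sign private_key_jwt");
        }
        // The SIGNATURE family holds the asymmetric algorithms only, so an HMAC (i.e. a shared
        // secret) can't be used where a private key is required.
        final JWSAlgorithm alg = new JWSAlgorithm(params.getSignatureAlgorithm());
        if (!JWSAlgorithm.Family.SIGNATURE.contains(alg)) {
            throw new MessageHandlerException("Trying to construct private_key_jwt using the wrong algorithm: " + alg);
        }
    }

    /**
     * Builds the claims of the client assertion: {@code iss} and {@code sub} are the client_id,
     * {@code aud} is the provider's token endpoint, {@code jti} is a fresh nonce, and
     * {@code exp} is {@code iat} plus {@link #jwtBearerExpiryOffset}.
     *
     * @return the claims
     */
    @Nonnull
    private JWTClaimsSet buildClientAuthenticationJwtClaims() {
        // One timestamp so iat and exp are exactly jwtBearerExpiryOffset apart.
        final Instant issuedAt = Instant.now();
        return new JWTClaimsSet.Builder()
                .subject(clientId)
                .issuer(clientId)
                // Audience is the endpoint the assertion is presented to, which keeps it from
                // being accepted by a different provider.
                .audience(providerMetadata.getTokenEndpointURI().toString())
                .jwtID(OIDCProxySupport.generateNonce(32))
                .issueTime(Date.from(issuedAt))
                .expirationTime(Date.from(issuedAt.plus(jwtBearerExpiryOffset)))
                .build();
    }

    /**
     * Signs the client assertion with the configured signing parameters.
     *
     * @return the signed assertion
     * @throws MessageHandlerException if signing parameters are absent or signing fails
     */
    @Nonnull
    private SignedJWT buildClientAuthenticationJwt() throws MessageHandlerException {
        // The verify* methods have already run; these checks are a last line of defence and use a
        // method-neutral message because both JWT methods come through here.
        final SecurityParametersContext spc = jwtBearerClientAuthSecurityParameters;
        if (spc == null) {
            throw new MessageHandlerException(
                    "Requested JWT client authentication, but signing parameters context could not be found");
        }
        final SignatureSigningParameters params = spc.getSignatureSigningParameters();
        if (params == null) {
            throw new MessageHandlerException(
                    "Requested JWT client authentication, but signing parameters could not be found");
        }
        try {
            final SignedJWT signed =
                    new JWSTokenSigner(params).sign(buildClientAuthenticationJwtClaims(), JOSEObjectType.JWT.getType());
            if (log.isTraceEnabled()) {
                // The serialized assertion is a usable client credential until exp, so it is
                // only ever written at trace level.
                log.trace("{} Signed JWT Bearer Token for client authentication: {}", getLogPrefix(), signed.serialize());
            } else if (log.isDebugEnabled()) {
                log.debug("{} Signed JWT Bearer Token for client authentication'", getLogPrefix());
            }
            return signed;
        } catch (final SignatureException e) {
            throw new MessageHandlerException(e);
        }
    }
}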
