package net.shibboleth.oidc.security.jwt.claims.impl;

import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.openid.connect.sdk.claims.AccessTokenHash;
import com.nimbusds.openid.connect.sdk.validators.AccessTokenValidator;
import com.nimbusds.openid.connect.sdk.validators.InvalidHashException;
import java.text.ParseException;
import java.util.function.Function;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.jwt.claims.AbstractClaimsValidator;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.StringSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/security/jwt/claims/impl/AccessTokenHashValidator.class */
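/**
 * Claims validator that checks the {@code at_hash} claim of an id_token against the access token
 * it was issued with.
 *
 * <p>The claim value is compared, via {@link AccessTokenValidator}, with a hash computed from the
 * access token returned by the access-token lookup strategy. The JWS algorithm used for that
 * computation is taken from the JWS header returned by the header lookup strategy. A matching
 * {@code at_hash} is what ties the access token to the id_token, so a response whose access token
 * was swapped for another one fails here.</p>
 *
 * <p>Security note: when {@code allowMissing} is {@code true}, an id_token with no {@code at_hash}
 * claim passes without any check, so the access token is not bound to the id_token at all.
 * OpenID Connect Core makes {@code at_hash} REQUIRED when the id_token is returned from the
 * authorization endpoint together with an access token (for example {@code response_type=id_token
 * token}); enable {@code allowMissing} only for flows where the claim is optional.</p>
 */
public class AccessTokenHashValidator extends AbstractClaimsValidator {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AccessTokenHashValidator.class);

    /** Strategy used to locate the access token to hash. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, AccessToken> accessTokenLookupStrategy;

    /** Strategy used to locate the JWS header of the id_token, which supplies the algorithm. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, JWSHeader> joseHeaderLookupStrategy;

    /** Whether an id_token without an at_hash claim is accepted. Defaults to false (claim required). */
    private boolean allowMissing;

    /**
     * Sets whether an id_token without an {@code at_hash} claim is accepted.
     *
     * <p>NOTE(review): unlike the other setters, this one does not check whether the component is
     * already initialized or destroyed, so the flag can still be flipped at runtime. Confirm that
     * is intended before relying on it as a fixed policy.</p>
     *
     * @param z {@code true} to skip validation when the claim is absent, {@code false} to reject
     */
    public void setAllowMissing(boolean z) {
        this.allowMissing = z;
    }

    /**
     * Sets the strategy used to locate the access token.
     *
     * @param function lookup strategy, never {@code null}
     */
    public void setAccessTokenLookupStrategy(@Nonnull Function<ProfileRequestContext, AccessToken> function) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        // Constraint.isNotNull is generic, so no raw cast is needed to keep the type parameters.
        this.accessTokenLookupStrategy = Constraint.isNotNull(function, "Access Token Lookup Strategy can not be null");
    }

    /**
     * Sets the strategy used to locate the JWS header of the id_token.
     *
     * @param function lookup strategy, never {@code null}
     */
    public void setJoseHeaderLookupStrategy(@Nonnull Function<ProfileRequestContext, JWSHeader> function) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        this.joseHeaderLookupStrategy = Constraint.isNotNull(function, "Jose Header Lookup Strategy can not be null");
    }

    /**
     * Verifies that both lookup strategies were configured.
     *
     * @throws ComponentInitializationException if either strategy is missing
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.accessTokenLookupStrategy == null) {
            throw new ComponentInitializationException("Token lookup strategy can not be null");
        }
        if (this.joseHeaderLookupStrategy == null) {
            throw new ComponentInitializationException("JOSE Header lookup strategy can not be null");
        }
    }

    /**
     * Validates the {@code at_hash} claim of the supplied claims set.
     *
     * @param jWTClaimsSet claims of the id_token
     * @param profileRequestContext context handed to both lookup strategies
     * @throws JWTValidationException if the claim is absent and not allowed to be, if the access
     *     token or JWS header cannot be found, if the claim is not a string, or if the hash does
     *     not match
     */
    protected void doValidate(@Nonnull JWTClaimsSet jWTClaimsSet, @Nonnull ProfileRequestContext profileRequestContext) throws JWTValidationException {
        try {
            String atHashClaim = jWTClaimsSet.getStringClaim("at_hash");
            // A null, empty or whitespace-only value counts as "claim not present".
            if (StringSupport.trimOrNull(atHashClaim) == null) {
                if (!this.allowMissing) {
                    throw new JWTValidationException("Required at_hash claim not present in id_token");
                }
                // Permissive mode: the access token is accepted without being bound to the id_token.
                this.log.debug("No at_hash claim present in id_token, no checks performed");
                return;
            }
            // From here on the claim is present, so every failure to validate it is fatal.
            AccessToken accessToken = this.accessTokenLookupStrategy.apply(profileRequestContext);
            if (accessToken == null) {
                throw new JWTValidationException("Access Token was not found, cannot validate 'at_hash' claim");
            }
            JWSHeader jwsHeader = this.joseHeaderLookupStrategy.apply(profileRequestContext);
            if (jwsHeader == null) {
                throw new JWTValidationException("JWS Header from id_token not found, cannot validate 'at_hash' claim");
            }
            // The claim is passed through untrimmed, so surrounding whitespace is not normalised
            // away before the comparison.
            // NOTE(review): the algorithm comes from the id_token header; this presumably runs
            // after signature verification has constrained the acceptable algorithms. Confirm.
            AccessTokenValidator.validate(accessToken, jwsHeader.getAlgorithm(), new AccessTokenHash(atHashClaim));
        } catch (InvalidHashException | ParseException e) {
            // ParseException: at_hash is present but not a string. Both cases fail validation.
            throw new JWTValidationException(e);
        }
    }
}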
