package net.shibboleth.oidc.security.credential.impl;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.jwk.RemoteJwkSetCache;
import net.shibboleth.oidc.security.credential.DefaultClientSecretCredential;
import net.shibboleth.oidc.security.jose.criterion.ClientInformationCriterion;
import net.shibboleth.shared.annotation.ParameterName;
import net.shibboleth.shared.annotation.constraint.Positive;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.component.InitializableComponent;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.StringSupport;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/security/credential/impl/ClientInformationCredentialResolver.class */
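/**
 * Resolves credentials for an OIDC client from its registered {@link OIDCClientInformation}.
 *
 * <p>Two sources are consulted: the client secret, when one is registered, and the client's JSON Web
 * Key set, taken from the {@code jwks_uri} through the {@link RemoteJwkSetCache} when the metadata
 * carries one, otherwise from the JWK set embedded in the metadata.</p>
 */
public class ClientInformationCredentialResolver extends BasicJOSEObjectCredentialResolver implements InitializableComponent {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ClientInformationCredentialResolver.class);

    /** Whether {@link #initialize()} has been called. */
    private boolean isInitialized;

    /** Cache through which remote JWK sets are fetched. */
    @Nonnull
    private final RemoteJwkSetCache remoteJwkSetCache;

    /** Interval added to the current time and handed to the cache on every remote fetch. */
    @Positive
    private final Duration keyFetchInterval;

    /**
     * Creates a resolver with a key fetch interval of 30 minutes.
     *
     * @param remoteJwkSetCache cache used to fetch remote JWK sets, never {@code null}
     */
    public ClientInformationCredentialResolver(@ParameterName(name = "remoteJwkSetCache") @Nonnull RemoteJwkSetCache remoteJwkSetCache) {
        this(remoteJwkSetCache, Duration.ofMinutes(30L));
    }

    /**
     * Creates a resolver with an explicit key fetch interval.
     *
     * @param remoteJwkSetCache cache used to fetch remote JWK sets, never {@code null}
     * @param duration key fetch interval; must be strictly positive
     */
    public ClientInformationCredentialResolver(@ParameterName(name = "remoteJwkSetCache") @Nonnull RemoteJwkSetCache remoteJwkSetCache, @ParameterName(name = "keyFetchInterval") @Positive @Nonnull Duration duration) {
        this.remoteJwkSetCache = Constraint.isNotNull(remoteJwkSetCache, "The remote JWK set cache cannot be null");
        // The parameter is declared @Positive and the message demands "greater than 0", so a zero
        // interval is rejected together with null and negative values. A zero interval would hand the
        // cache a time that is already "now" on every lookup.
        Constraint.isFalse(duration == null || duration.isNegative() || duration.isZero(), "Remote key refresh must be greater than 0");
        this.keyFetchInterval = duration;
    }

    /**
     * Reports whether {@link #initialize()} has been called.
     *
     * @return {@code true} once the component has been initialized
     */
    public boolean isInitialized() {
        return this.isInitialized;
    }

    /**
     * Marks the component as initialized; no other work is performed here.
     *
     * @throws ComponentInitializationException declared by the signature, not thrown by this implementation
     */
    public void initialize() throws ComponentInitializationException {
        this.isInitialized = true;
    }

    /**
     * Resolves credentials from the {@link ClientInformationCriterion} in the criteria set.
     *
     * @param criteriaSet criteria driving the resolution, never {@code null}
     * @return the resolved credentials, or an empty set when no {@link ClientInformationCriterion} is present
     * @throws ResolverException declared by the overridden method
     */
    @Override // net.shibboleth.oidc.security.credential.impl.BasicJOSEObjectCredentialResolver
    protected Iterable<Credential> resolveFromSource(@Nonnull CriteriaSet criteriaSet) throws ResolverException {
        Constraint.isNotNull(criteriaSet, "CriteriaSet was null");
        if (!criteriaSet.contains(ClientInformationCriterion.class)) {
            this.log.debug("Criteria did not contain a ClientInformationCriterion could not perform resolution");
            return Collections.emptySet();
        }
        final ClientInformationCriterion criterion = criteriaSet.get(ClientInformationCriterion.class);
        return resolveFromMetadata(criteriaSet, criterion.getOidcClientInformation());
    }

    /**
     * Builds the credential collection for one client.
     *
     * <p>A credential derived from the client secret is added first, when a secret is registered. Keys
     * then come from exactly one JWK source: the {@code jwks_uri} if present, else the embedded JWK set.
     * When that source yields nothing, whatever was collected so far is returned.</p>
     *
     * @param criteriaSet criteria driving the resolution
     * @param oIDCClientInformation registered information of the client
     * @return the resolved credentials in insertion order, possibly empty, never {@code null}
     */
    @Nonnull
    protected Collection<Credential> resolveFromMetadata(@Nonnull CriteriaSet criteriaSet, @Nonnull OIDCClientInformation oIDCClientInformation) {
        final LinkedHashSet<Credential> credentials = new LinkedHashSet<>(1);
        final OIDCClientMetadata metadata = oIDCClientInformation.getOIDCMetadata();

        if (oIDCClientInformation.getSecret() != null) {
            try {
                final Credential secretCredential = deriveClientSecretCredential(
                        new DefaultClientSecretCredential(oIDCClientInformation.getSecret().getValue()), criteriaSet);
                if (secretCredential != null) {
                    credentials.add(secretCredential);
                }
            } catch (ResolverException e) {
                // Only the exception is logged; the secret value itself is never written to the log.
                this.log.warn("Unable to derive a client_secret based credential", e);
            }
        }

        final JWKSet keySet;
        if (metadata.getJWKSetURI() != null) {
            // The URI comes from the client's registered metadata and the fetch is delegated entirely to
            // the cache. NOTE(review): nothing here restricts the scheme or host of that URI; presumably
            // that is enforced at registration or inside RemoteJwkSetCache - confirm.
            final String keyId = extractKeyIdFromCriteria(criteriaSet);
            // NOTE(review): the instant passed to fetch() looks like the time until which the fetched
            // set is considered fresh - confirm against RemoteJwkSetCache.
            final Instant fetchLimit = Instant.now().plus(this.keyFetchInterval);
            if (StringSupport.trimOrNull(keyId) != null) {
                keySet = this.remoteJwkSetCache.fetch(metadata.getJWKSetURI(), keyId, fetchLimit);
            } else {
                keySet = this.remoteJwkSetCache.fetch(metadata.getJWKSetURI(), fetchLimit);
            }
            if (keySet == null) {
                this.log.debug("Remote keys could not be fetched, unable to resolve credentials");
                return credentials;
            }
        } else {
            if (metadata.getJWKSet() == null) {
                return credentials;
            }
            keySet = metadata.getJWKSet();
        }

        populateCredentialsFromKeySet(keySet, credentials);
        return credentials;
    }
}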
