package net.shibboleth.oidc.profile.impl;

import com.google.common.base.Predicates;
import java.util.List;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.oidc.metadata.context.OIDCMetadataContext;
import net.shibboleth.oidc.metadata.context.OIDCProviderMetadataContext;
import net.shibboleth.oidc.profile.config.logic.EncryptionOptionalPredicate;
import net.shibboleth.oidc.profile.oauth2.config.OAuth2ClientAuthenticableClientProfileConfiguration;
import net.shibboleth.oidc.security.credential.ClientSecretCredential;
import net.shibboleth.oidc.security.jose.EncryptionConfiguration;
import net.shibboleth.oidc.security.jose.EncryptionParameters;
import net.shibboleth.oidc.security.jose.EncryptionParametersResolver;
import net.shibboleth.oidc.security.jose.context.SecurityParametersContext;
import net.shibboleth.oidc.security.jose.criterion.ClientInformationCriterion;
import net.shibboleth.oidc.security.jose.criterion.ClientSecretCredentialCriterion;
import net.shibboleth.oidc.security.jose.criterion.EncryptionConfigurationCriterion;
import net.shibboleth.oidc.security.jose.criterion.ProviderMetadataCriterion;
import net.shibboleth.profile.context.RelyingPartyContext;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NonnullElements;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.Criterion;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.OutboundMessageContextLookup;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.xmlsec.criterion.EncryptionOptionalCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/profile/impl/PopulateJWTEncryptionParameters.class */
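/**
 * Action that resolves {@link EncryptionParameters} for JWT encryption and stores them in the
 * {@link SecurityParametersContext} located by the configured lookup strategy (by default a child of the
 * outbound message context, created if absent).
 *
 * <p>Resolution is driven by a {@link CriteriaSet} built from the {@link EncryptionConfiguration} list returned
 * by the configuration lookup strategy plus, when available, the OIDC client information, the OIDC provider
 * metadata and a {@link ClientSecretCredential} obtained from an
 * {@link OAuth2ClientAuthenticableClientProfileConfiguration}.</p>
 *
 * <p>Whether a failure to resolve parameters is fatal is decided per request by the "encryption optional"
 * predicate. When encryption is optional the action only logs and completes normally, leaving the context
 * without parameters; otherwise the {@code InvalidSecurityConfiguration} event is signaled. If no
 * {@link SecurityParametersContext} can be located the {@code InvalidProfileContext} event is signaled.</p>
 *
 * <p>Per-request state is kept in instance fields between {@link #doPreExecute} and {@link #doExecute}; the
 * action is therefore assumed to be instantiated per flow execution (prototype scope) rather than shared
 * across concurrent requests -- NOTE(review): confirm against the bean definitions.</p>
 */
public class PopulateJWTEncryptionParameters extends AbstractProfileAction {

    /** Strategy returning the {@link EncryptionConfiguration}s to resolve against; required after init. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, List<EncryptionConfiguration>> configurationLookupStrategy;

    /** Resolver producing the {@link EncryptionParameters}; required after init. */
    @NonnullAfterInit
    private EncryptionParametersResolver encParamsresolver;

    /** Per-request: configurations returned by {@link #configurationLookupStrategy}. */
    @Nullable
    @NonnullElements
    private List<EncryptionConfiguration> encryptionConfigurations;

    /** Per-request: result of {@link #encryptionOptionalPredicate}, set in {@link #doPreExecute}. */
    private boolean encryptionOptional;

    /** Per-request: the context receiving the resolved parameters, set in {@link #doPreExecute}. */
    private SecurityParametersContext encryptionContext;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(PopulateJWTEncryptionParameters.class);

    /** Human-readable name of what is being encrypted, used only in log messages. */
    @Nonnull
    private String forFriendlyName = "not-specified";

    /** Decides per request whether a failure to resolve parameters is tolerated. */
    @Nonnull
    private Predicate<ProfileRequestContext> encryptionOptionalPredicate = new EncryptionOptionalPredicate();

    /** Locates (and by default creates) the {@link SecurityParametersContext} under the outbound message context. */
    @Nonnull
    private Function<ProfileRequestContext, SecurityParametersContext> securityParametersContextLookupStrategy =
            new ChildContextLookup<>(SecurityParametersContext.class, true).compose(new OutboundMessageContextLookup());

    /** Locates the OIDC client metadata context; may be null to skip client-information criteria. */
    @Nullable
    private Function<ProfileRequestContext, OIDCMetadataContext> oidcClientMetadataContextLookupStrategy =
            new ChildContextLookup<>(OIDCMetadataContext.class);

    /** Locates the OIDC provider metadata context; may be null to skip provider-metadata criteria. */
    @Nullable
    private Function<ProfileRequestContext, OIDCProviderMetadataContext> oidcProviderMetadataContextLookupStrategy =
            new ChildContextLookup<>(OIDCProviderMetadataContext.class);

    /** Locates the {@link RelyingPartyContext} used to reach the profile configuration. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy =
            new ChildContextLookup<>(RelyingPartyContext.class);

    /**
     * Set the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if {@code function} is null
     */
    public void setRelyingPartyContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, RelyingPartyContext> function) {
        ifInitializedThrowUnmodifiabledComponentException();
        relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to locate the {@link SecurityParametersContext} that receives the parameters.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if {@code function} is null
     */
    public void setSecurityParametersContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, SecurityParametersContext> function) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        securityParametersContextLookupStrategy =
                Constraint.isNotNull(function, "securityParametersContextLookupStrategy can not be null");
    }

    /**
     * Set the strategy used to locate the {@link OIDCMetadataContext}; null disables client-information criteria.
     *
     * @param function the lookup strategy, or null
     */
    public void setClientMetadataContextLookupStrategy(
            @Nullable final Function<ProfileRequestContext, OIDCMetadataContext> function) {
        ifInitializedThrowUnmodifiabledComponentException();
        oidcClientMetadataContextLookupStrategy = function;
    }

    /**
     * Set the strategy used to locate the {@link OIDCProviderMetadataContext}; null disables provider criteria.
     *
     * @param function the lookup strategy, or null
     */
    public void setProviderMetadataContextLookupStrategy(
            @Nullable final Function<ProfileRequestContext, OIDCProviderMetadataContext> function) {
        ifInitializedThrowUnmodifiabledComponentException();
        oidcProviderMetadataContextLookupStrategy = function;
    }

    /**
     * Set the friendly name of the thing being encrypted, for log messages.
     *
     * @param str non-empty name
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if {@code str} is null or empty
     */
    public void setForFriendlyName(@Nonnull @NotEmpty final String str) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        forFriendlyName = Constraint.isNotEmpty(str, "ForFriendlyName can not be null or empty");
    }

    /**
     * Set the strategy returning the {@link EncryptionConfiguration}s to resolve against.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if {@code function} is null
     */
    public void setConfigurationLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, List<EncryptionConfiguration>> function) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        configurationLookupStrategy =
                Constraint.isNotNull(function, "EncryptionConfiguration lookup strategy cannot be null");
    }

    /**
     * Set the resolver used to produce {@link EncryptionParameters}.
     *
     * @param encryptionParametersResolver the resolver
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if the resolver is null
     */
    public void setEncryptionParametersResolver(
            @Nonnull final EncryptionParametersResolver encryptionParametersResolver) {
        ifInitializedThrowUnmodifiabledComponentException();
        encParamsresolver =
                Constraint.isNotNull(encryptionParametersResolver, "EncryptionParametersResolver cannot be null");
    }

    /**
     * Set the predicate deciding per request whether failure to resolve parameters is tolerated.
     *
     * @param predicate the predicate
     * @throws net.shibboleth.shared.logic.ConstraintViolationException if {@code predicate} is null
     */
    public void setEncryptionOptionalPredicate(@Nonnull final Predicate<ProfileRequestContext> predicate) {
        ifInitializedThrowUnmodifiabledComponentException();
        encryptionOptionalPredicate = Constraint.isNotNull(predicate, "Condition cannot be null");
    }

    /**
     * Convenience setter replacing the optional-encryption predicate with a constant.
     *
     * <p>Note that {@code true} means a request continues without encryption parameters whenever resolution
     * fails, so this overrides any per-profile decision the default predicate would make.</p>
     *
     * @param z whether encryption is optional for every request
     */
    public void setEncryptionOptional(final boolean z) {
        ifInitializedThrowUnmodifiabledComponentException();
        encryptionOptionalPredicate = z ? Predicates.alwaysTrue() : Predicates.alwaysFalse();
    }

    /**
     * {@inheritDoc}
     *
     * @throws ComponentInitializationException if the resolver or the configuration lookup strategy is unset
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (encParamsresolver == null) {
            throw new ComponentInitializationException("EncryptionParametersResolver cannot be null");
        }
        // Both @NonnullAfterInit fields are dereferenced unguarded in doExecute; fail at init rather than
        // with an NPE on the first request.
        if (configurationLookupStrategy == null) {
            throw new ComponentInitializationException("EncryptionConfiguration lookup strategy cannot be null");
        }
    }

    /**
     * Locate the target {@link SecurityParametersContext} and evaluate the optional-encryption predicate.
     *
     * @param profileRequestContext current profile request context
     * @return false (after signaling {@code InvalidProfileContext}) if the context cannot be located,
     *         false if the superclass declines to run, true otherwise
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            log.debug("{} Encryption disabled for '{}'", getLogPrefix(), forFriendlyName);
            return false;
        }
        encryptionContext = securityParametersContextLookupStrategy.apply(profileRequestContext);
        if (encryptionContext == null) {
            log.debug("{} No EncryptionContext returned by lookup strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        // Evaluated once here so doExecute and buildCriteriaSet see the same decision for this request.
        encryptionOptional = encryptionOptionalPredicate.test(profileRequestContext);
        return true;
    }

    /**
     * Resolve the {@link EncryptionParameters} and store them in the context located by {@link #doPreExecute}.
     *
     * <p>A missing configuration list, a null resolver result or a {@link ResolverException} all end the same
     * way: silently (debug log) when encryption is optional, otherwise with the
     * {@code InvalidSecurityConfiguration} event.</p>
     *
     * @param profileRequestContext current profile request context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        log.debug("{} Resolving EncryptionParameters for '{}' encryption", getLogPrefix(), forFriendlyName);
        try {
            encryptionConfigurations = configurationLookupStrategy.apply(profileRequestContext);
            if (encryptionConfigurations == null || encryptionConfigurations.isEmpty()) {
                throw new ResolverException("No EncryptionConfigurations returned by lookup strategy");
            }
            final EncryptionParameters encryptionParameters =
                    encParamsresolver.resolveSingle(buildCriteriaSet(profileRequestContext));
            if (encryptionParameters != null) {
                log.debug("{} Resolved EncryptionParameters for {}", getLogPrefix(), forFriendlyName);
                encryptionContext.setEncryptionParameters(encryptionParameters);
            } else if (encryptionOptional) {
                log.debug("{} Resolver returned no EncryptionParameters", getLogPrefix());
                log.debug("{} Encryption is optional, ignoring inability to encrypt", getLogPrefix());
            } else {
                log.warn("{} Resolver returned no EncryptionParameters", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "InvalidSecurityConfiguration");
            }
        } catch (final ResolverException e) {
            if (encryptionOptional) {
                // Keep the cause in the debug log so a misconfiguration is still diagnosable when tolerated.
                log.debug("{} Encryption is optional, ignoring inability to encrypt", getLogPrefix(), e);
            } else {
                log.error("{} Error resolving EncryptionParameters", getLogPrefix(), e);
                ActionSupport.buildEvent(profileRequestContext, "InvalidSecurityConfiguration");
            }
        }
    }

    /**
     * Build the criteria driving parameter resolution.
     *
     * <p>Always contains the configurations, {@link UsageType#ENCRYPTION} and the optional-encryption flag.
     * Client information, provider metadata and a client_secret credential are added only when the
     * corresponding lookup strategy is set and yields data.</p>
     *
     * @param profileRequestContext current profile request context
     * @return the populated criteria set
     */
    @Nonnull
    private CriteriaSet buildCriteriaSet(@Nonnull final ProfileRequestContext profileRequestContext) {
        final CriteriaSet criteriaSet =
                new CriteriaSet(new Criterion[] {new EncryptionConfigurationCriterion(encryptionConfigurations)});
        criteriaSet.add(new UsageCriterion(UsageType.ENCRYPTION));
        criteriaSet.add(new EncryptionOptionalCriterion(encryptionOptional));

        // Both metadata strategies are @Nullable and their setters accept null, so guard before applying.
        final OIDCMetadataContext clientMetadataCtx = oidcClientMetadataContextLookupStrategy != null
                ? oidcClientMetadataContextLookupStrategy.apply(profileRequestContext) : null;
        if (clientMetadataCtx == null || clientMetadataCtx.getClientInformation() == null) {
            log.debug("{} No OIDC client information available", getLogPrefix());
        } else {
            log.debug("{} Adding OIDC client information to resolution criteria for encryption algorithms",
                    getLogPrefix());
            criteriaSet.add(new ClientInformationCriterion(clientMetadataCtx.getClientInformation()));
        }

        final OIDCProviderMetadataContext providerMetadataCtx = oidcProviderMetadataContextLookupStrategy != null
                ? oidcProviderMetadataContextLookupStrategy.apply(profileRequestContext) : null;
        if (providerMetadataCtx == null || providerMetadataCtx.getProviderInformation() == null) {
            log.debug("{} OIDCProviderMetadataContext is absent", getLogPrefix());
        } else {
            log.debug("{} Adding OIDC provider information to resolution criteria", getLogPrefix());
            criteriaSet.add(new ProviderMetadataCriterion(providerMetadataCtx.getProviderInformation()));
        }

        final RelyingPartyContext rpCtx = relyingPartyContextLookupStrategy.apply(profileRequestContext);
        if (rpCtx != null && rpCtx.getConfiguration() != null
                && rpCtx.getProfileConfig() instanceof OAuth2ClientAuthenticableClientProfileConfiguration) {
            // instanceof already guarantees non-null, so no separate null branch is needed.
            final OAuth2ClientAuthenticableClientProfileConfiguration profileConfig =
                    (OAuth2ClientAuthenticableClientProfileConfiguration) rpCtx.getProfileConfig();
            final ClientSecretCredential clientCredential = profileConfig.getClientCredential(profileRequestContext);
            if (clientCredential != null) {
                criteriaSet.add(new ClientSecretCredentialCriterion(clientCredential));
                log.debug("{} Adding client_secret credential to resolution criteria", getLogPrefix());
            } else {
                log.trace("{} No client_secret credential found from the profile configuration", getLogPrefix());
            }
        }
        return criteriaSet;
    }
}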
