package net.shibboleth.oidc.profile.encoding.impl;

import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.ResponseMode;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.id.State;
import com.nimbusds.openid.connect.sdk.Display;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCClaimsRequest;
import com.nimbusds.openid.connect.sdk.Prompt;
import java.net.URI;
import java.time.Duration;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.profile.core.OAuthAuthorizationRequest;
import net.shibboleth.oidc.profile.core.OIDCAuthenticationRequest;
import net.shibboleth.oidc.profile.encoding.AuthenticationContextClassReferenceSupport;
import net.shibboleth.oidc.profile.encoding.OIDCMessageEncoder;
import net.shibboleth.shared.collection.Pair;
import net.shibboleth.shared.logic.PredicateSupport;
import net.shibboleth.shared.net.URLBuilder;
import net.shibboleth.shared.primitive.LoggerFactory;
import org.opensaml.messaging.encoder.MessageEncodingException;
import org.opensaml.messaging.encoder.servlet.AbstractHttpServletResponseMessageEncoder;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/oidc/profile/encoding/impl/AbstractOIDCMessageEncoder.class */
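/**
 * Base encoder that turns an {@link OIDCAuthenticationRequest} into the list of
 * authorization request parameters (name/value pairs) and validates that list before
 * it is placed on a URL or rendered as a query string.
 *
 * <p>Two parameter layouts are produced: when the request carries a request object (JWT),
 * only the standard OAuth parameters plus {@code request} are emitted; otherwise the
 * individual OIDC parameters ({@code redirect_uri}, {@code state}, {@code nonce}, ...) are
 * emitted one by one.</p>
 */
public abstract class AbstractOIDCMessageEncoder extends AbstractHttpServletResponseMessageEncoder implements OIDCMessageEncoder {

    /** Separator between scope values in the {@code scope} parameter. */
    private static final String SCOPE_DELIMITER = " ";

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AbstractOIDCMessageEncoder.class);

    /** Deployer-supplied extra check on the assembled parameters; accepts everything by default. */
    @Nonnull
    private Predicate<List<Pair<String, String>>> authorizationParamsAreValidPredicate = PredicateSupport.alwaysTrue();

    /**
     * Constructor. Sets the protocol message logger sub-category to {@code OAUTH2}.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractOIDCMessageEncoder() {
        setProtocolMessageLoggerSubCategory("OAUTH2");
    }

    /**
     * Installs an additional validity check that is run before the built-in checks in
     * {@link #validateParams(List)}.
     *
     * @param predicate the check to apply; a {@code null} value is ignored and the
     *                  current predicate is kept
     */
    public void setAuthorizationParamsAreValidPredicate(@Nullable Predicate<List<Pair<String, String>>> predicate) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        if (predicate != null) {
            this.authorizationParamsAreValidPredicate = predicate;
        }
    }

    /**
     * Appends the authorization parameters of the request to the query parameters of the
     * given URL builder.
     *
     * @param oIDCAuthenticationRequest the request to encode
     * @param uRLBuilder the builder whose query parameters are extended
     * @throws MessageEncodingException if the parameters cannot be built or fail validation
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void serializeAuthorizationParamsToUrl(@Nonnull OIDCAuthenticationRequest oIDCAuthenticationRequest, @Nonnull URLBuilder uRLBuilder) throws MessageEncodingException {
        for (Pair<String, String> param : createParametersFromRequest(oIDCAuthenticationRequest)) {
            uRLBuilder.getQueryParams().add(param);
        }
    }

    /**
     * Renders the authorization parameters of the request as a query string.
     *
     * @param oIDCAuthenticationRequest the request to encode
     * @return the query string produced by a fresh {@link URLBuilder}
     * @throws MessageEncodingException if the parameters cannot be built or fail validation
     */
    protected String serializeAuthorizationParamsToQueryString(@Nonnull OIDCAuthenticationRequest oIDCAuthenticationRequest) throws MessageEncodingException {
        URLBuilder uRLBuilder = new URLBuilder();
        for (Pair<String, String> param : createParametersFromRequest(oIDCAuthenticationRequest)) {
            uRLBuilder.getQueryParams().add(param);
        }
        return uRLBuilder.buildQueryString();
    }

    /**
     * Builds and validates the authorization parameter list for the request.
     *
     * @param oIDCAuthenticationRequest the request to encode
     * @return a new mutable list of name/value pairs, never {@code null}
     * @throws MessageEncodingException if the request object cannot be serialized or the
     *                                  resulting parameters fail {@link #validateParams(List)}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Nonnull
    public List<Pair<String, String>> createParametersFromRequest(@Nonnull OIDCAuthenticationRequest oIDCAuthenticationRequest) throws MessageEncodingException {
        List<Pair<String, String>> params = new ArrayList<>();
        if (oIDCAuthenticationRequest.getRequestObject() != null) {
            createParametersFromRequestWithRequestObject(params, oIDCAuthenticationRequest);
        } else {
            createParametersFromRequestWithoutRequestObject(params, oIDCAuthenticationRequest);
        }
        return params;
    }

    /**
     * Adds the parameters common to both layouts: {@code client_id}, {@code response_type},
     * {@code scope}, a non-default {@code response_mode}, and the PKCE pair.
     *
     * @param params the list to append to
     * @param request the request to read from
     */
    private void createStandardOAuthParameters(@Nonnull List<Pair<String, String>> params, @Nonnull OIDCAuthenticationRequest request) {
        params.add(new Pair<>("client_id", request.getClientID().getValue()));
        ResponseType responseType = request.getResponseType();
        if (responseType != null) {
            params.add(new Pair<>("response_type", responseType.toString()));
        }
        params.add(new Pair<>("scope", request.getScope().toString()));
        ResponseMode responseMode = request.getResponseMode();
        // The default response mode is implied by the response type, so it is not sent.
        if (responseMode != null && !responseMode.equals(request.getDefaultResponseMode())) {
            params.add(new Pair<>("response_mode", responseMode.getValue()));
        }
        OAuthAuthorizationRequest.CodeChallengeMethod codeChallengeMethod = request.getCodeChallengeMethod();
        String codeChallenge = request.getCodeChallenge();
        // PKCE parameters are only emitted as a pair; a challenge without a method (or the
        // reverse) results in neither being sent.
        if (codeChallenge != null && codeChallengeMethod != null) {
            params.add(new Pair<>("code_challenge", codeChallenge));
            params.add(new Pair<>("code_challenge_method", codeChallengeMethod.getValue()));
        }
    }

    /**
     * Builds the parameter list for a request that carries a request object: the standard
     * OAuth parameters plus the serialized JWT as {@code request}.
     *
     * @param params the list to append to
     * @param request the request to read from
     * @throws MessageEncodingException if the JWT cannot be serialized or validation fails
     */
    private void createParametersFromRequestWithRequestObject(@Nonnull List<Pair<String, String>> params, @Nonnull OIDCAuthenticationRequest request) throws MessageEncodingException {
        createStandardOAuthParameters(params, request);
        JWT requestObject = request.getRequestObject();
        if (requestObject != null) {
            try {
                params.add(new Pair<>("request", requestObject.serialize()));
            } catch (IllegalStateException e) {
                throw new MessageEncodingException("Couldn't serialize request object to JWT: " + e.getMessage(), e);
            }
        }
        if (!validateParams(params)) {
            throw new MessageEncodingException("Authorization parameters are not valid");
        }
    }

    /**
     * Builds the parameter list for a request without a request object, emitting each
     * optional OIDC parameter only when the request supplies a value for it.
     *
     * @param params the list to append to
     * @param request the request to read from
     * @throws MessageEncodingException if validation of the assembled parameters fails
     */
    private void createParametersFromRequestWithoutRequestObject(@Nonnull List<Pair<String, String>> params, @Nonnull OIDCAuthenticationRequest request) throws MessageEncodingException {
        createStandardOAuthParameters(params, request);
        URI redirectURI = request.getRedirectURI();
        if (redirectURI != null) {
            params.add(new Pair<>("redirect_uri", redirectURI.toString()));
        }
        State state = request.getState();
        if (state != null) {
            params.add(new Pair<>("state", state.getValue()));
        }
        Prompt prompt = request.getPrompt();
        if (prompt != null) {
            params.add(new Pair<>("prompt", prompt.toString()));
        }
        Nonce nonce = request.getNonce();
        if (nonce != null) {
            params.add(new Pair<>("nonce", nonce.getValue()));
        }
        Duration maxAge = request.getMaxAge();
        if (maxAge != null) {
            params.add(new Pair<>("max_age", Long.toString(maxAge.toSeconds())));
        }
        Display display = request.getDisplay();
        if (display != null) {
            params.add(new Pair<>("display", display.toString()));
        }
        String loginHint = request.getLoginHint();
        if (loginHint != null) {
            params.add(new Pair<>("login_hint", loginHint));
        }
        if (request.providerSupportsClaimsParameter()) {
            // NOTE(review): buildACRClaimsRequest is called for its effect on the request,
            // presumably folding the ACRs into the requested claims - confirm against the helper.
            AuthenticationContextClassReferenceSupport.buildACRClaimsRequest(request);
            OIDCClaimsRequest requestedClaims = request.getRequestedClaims();
            if (requestedClaims != null) {
                params.add(new Pair<>("claims", requestedClaims.toJSONString()));
            }
        }
        // Providers without support for the claims parameter get the ACRs as acr_values.
        if (!request.providerSupportsClaimsParameter() && request.getAcrs() != null && !request.getAcrs().isEmpty()) {
            params.add(new Pair<>("acr_values", String.join(" ", request.getAcrs().stream().map(acr -> acr.getValue()).toList())));
        }
        if (!validateParams(params)) {
            throw new MessageEncodingException("Authorization parameters are not valid");
        }
    }

    /**
     * Checks the assembled parameters: the configured predicate must accept them, and
     * {@code response_type}, {@code client_id} and {@code scope} must be present, with
     * {@code openid} among the scope values.
     *
     * <p>A rejection by the configured predicate is not logged here; the built-in checks
     * log at error level.</p>
     *
     * @param list the parameters to check
     * @return {@code true} if every check passes
     */
    protected boolean validateParams(@Nonnull List<Pair<String, String>> list) {
        if (!this.authorizationParamsAreValidPredicate.test(list)) {
            return false;
        }
        if (!pairFirstEquals("response_type", list)) {
            this.log.error("Authorization request parameters are invalid, no response_type");
            return false;
        }
        if (!pairFirstEquals("client_id", list)) {
            this.log.error("Authorization request parameters are invalid, no client_id");
            return false;
        }
        if (!pairFirstEquals("scope", list)) {
            this.log.error("Authorization request parameters are invalid, no scope");
            return false;
        }
        if (pairSecondContains("scope", "openid", list)) {
            return true;
        }
        this.log.error("Authorization request parameters are invalid, scope does not contain 'openid'");
        return false;
    }

    /**
     * Tells whether any pair in the list has the given name.
     *
     * @param name the parameter name to look for
     * @param list the parameters to search
     * @return {@code true} if at least one pair's first element equals {@code name}
     */
    private boolean pairFirstEquals(@Nonnull String name, @Nonnull List<Pair<String, String>> list) {
        // Compare from the known non-null side so a pair with a null name cannot throw.
        return list.stream().anyMatch(pair -> name.equals(pair.getFirst()));
    }

    /**
     * Tells whether the first pair with the given name holds {@code token} as one of its
     * space-delimited values.
     *
     * <p>The match is on whole tokens. A substring match would accept a scope such as
     * {@code openid_custom} as if it contained {@code openid}.</p>
     *
     * @param name the parameter name to look for
     * @param token the value that must appear as a complete token
     * @param list the parameters to search
     * @return {@code true} if the parameter exists, is non-null and lists {@code token}
     */
    private boolean pairSecondContains(@Nonnull String name, @Nonnull String token, List<Pair<String, String>> list) {
        Optional<Pair<String, String>> match = list.stream()
                .filter(pair -> name.equals(pair.getFirst()))
                .findFirst();
        if (match.isEmpty()) {
            return false;
        }
        String value = match.get().getSecond();
        if (value == null) {
            return false;
        }
        return List.of(value.split(SCOPE_DELIMITER)).contains(token);
    }

    /**
     * Renders an {@link OIDCAuthenticationRequest} as {@code name=value} pairs for the
     * protocol message log.
     *
     * <p>The output holds every authorization parameter verbatim, including
     * {@code state}, {@code nonce}, {@code login_hint} and, when present, the serialized
     * request object. Treat the log category that receives this text as sensitive.</p>
     *
     * <p>Building the text runs the same parameter construction and validation as
     * encoding does, so validation errors may be logged a second time.</p>
     *
     * @param obj the message to render
     * @return the rendered message, or {@code null} if {@code obj} is not an
     *         {@link OIDCAuthenticationRequest} or its parameters cannot be built
     */
    @Nullable
    protected String serializeMessageForLogging(@Nullable Object obj) {
        if (!(obj instanceof OIDCAuthenticationRequest)) {
            return null;
        }
        try {
            String rendered = createParametersFromRequest((OIDCAuthenticationRequest) obj).stream()
                    .map(pair -> pair.getFirst() + "=" + pair.getSecond())
                    .collect(Collectors.joining(", "));
            return "OIDCAuthenticationRequest{" + rendered + "}";
        } catch (MessageEncodingException e) {
            this.log.trace("Unable to generate serialized message for logging '{}'", e.getMessage());
            return null;
        }
    }
}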
