package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.OIDCResponseTypeValue;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.minidev.json.JSONObject;
import net.shibboleth.idp.attribute.AttributeEncodingException;
import net.shibboleth.idp.attribute.IdPAttribute;
import net.shibboleth.idp.attribute.context.AttributeContext;
import net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry;
import net.shibboleth.idp.attribute.transcoding.TranscoderSupport;
import net.shibboleth.idp.attribute.transcoding.TranscodingRule;
import net.shibboleth.idp.plugin.oidc.op.config.navigate.AlwaysIncludedAttributesLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.config.navigate.DeniedUserInfoAttributesLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCAuthenticationResponseConsentContext;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.DefaultResponseClaimsSetLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.OIDCAuthenticationResponseContextLookupFunction;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.utilities.java.support.annotation.constraint.Live;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.service.ReloadableService;
import net.shibboleth.utilities.java.support.service.ServiceableComponent;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/AddAttributesToClaimsSet.class */
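/**
 * Profile action that transcodes the {@link IdPAttribute}s found in an {@link AttributeContext} into JSON
 * claims and sets them on the response {@link ClaimsSet}.
 *
 * <p>Three filters decide whether an attribute is released as a claim:</p>
 * <ul>
 * <li>consent: when a consent context is present, only attributes listed in it are encoded;</li>
 * <li>token targeting: for the ID token an attribute must be "always included" unless the request's response
 * type is exactly {@code id_token}; for the other target the attribute must not be in the denied set;</li>
 * <li>reserved names: an encoded claim whose name is in the reserved list is never written.</li>
 * </ul>
 *
 * <p>Security note: this class logs claim names, claim values and the complete claims set at debug level, so
 * debug output from this logger should be handled as containing personal data.</p>
 */
public class AddAttributesToClaimsSet extends AbstractOIDCResponseAction {

    /** Service used to obtain the transcoder registry; must be set before initialization. */
    @NonnullAfterInit
    private ReloadableService<AttributeTranscoderRegistry> transcoderRegistry;

    /** Attribute context resolved in {@link #doPreExecute(ProfileRequestContext)}. */
    @Nullable
    private AttributeContext attributeCtx;

    /** Claims set resolved in {@link #doPreExecute(ProfileRequestContext)} and filled in {@code doExecute}. */
    @Nullable
    private ClaimsSet claimsSet;

    /** Whether the claims are being produced for the ID token (true) or for the other response (false). */
    private boolean targetIDToken;

    /** Set when the request's response type is exactly {@code id_token}; disables the "always included" filter. */
    private boolean addToIDTokenByDefault;

    /** Claim names that must never be overwritten from attributes; {@code null} means no reserved names. */
    @NonnullElements
    @Nullable
    private List<String> reservedClaimNames;

    /** Attribute ids that are placed in the ID token even when it is not the only response type. */
    @NonnullElements
    @Nullable
    private Set<String> alwaysIncludedAttributes;

    /** Attribute ids that are withheld when the target is not the ID token. */
    @NonnullElements
    @Nullable
    private Set<String> deniedUserInfoAttributes;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AddAttributesToClaimsSet.class);

    /** Locates the attribute context; by default a child of the relying party context. */
    @Nonnull
    private Function<ProfileRequestContext, AttributeContext> attributeContextLookupStrategy =
            new ChildContextLookup(AttributeContext.class).compose(new ChildContextLookup(RelyingPartyContext.class));

    /** Locates the claims set to fill. */
    @Nonnull
    private Function<ProfileRequestContext, ClaimsSet> responseClaimsSetLookupStrategy =
            new DefaultResponseClaimsSetLookupFunction();

    /** Locates the consent context; a {@code null} result means no consent filtering is applied. */
    @Nonnull
    private Function<ProfileRequestContext, OIDCAuthenticationResponseConsentContext> consentContextLookupStrategy =
            new ChildContextLookup(OIDCAuthenticationResponseConsentContext.class)
                    .compose(new OIDCAuthenticationResponseContextLookupFunction());

    /** Supplies the ids of attributes that are always included in the ID token. */
    @Nonnull
    private Function<ProfileRequestContext, Set<String>> alwaysIncludedAttributesLookupStrategy =
            new AlwaysIncludedAttributesLookupFunction();

    /** Supplies the ids of attributes that are denied when the target is not the ID token. */
    @Nonnull
    private Function<ProfileRequestContext, Set<String>> deniedUserInfoAttributesLookupStrategy =
            new DeniedUserInfoAttributesLookupFunction();

    /** When true (the default), an attribute that fails to encode is logged and skipped instead of failing the action. */
    private boolean ignoringUnencodableAttributes = true;

    AddAttributesToClaimsSet() {
    }

    /**
     * Sets the service that provides the transcoder registry.
     *
     * @param reloadableService the registry service, never {@code null}
     */
    public void setTranscoderRegistry(@Nonnull ReloadableService<AttributeTranscoderRegistry> reloadableService) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        transcoderRegistry = Constraint.isNotNull(reloadableService, "AttributeTranscoderRegistry cannot be null");
    }

    /**
     * Sets whether an attribute that cannot be encoded is skipped (true) or aborts the action (false).
     *
     * @param z the flag value
     */
    public void setIgnoringUnencodableAttributes(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        ignoringUnencodableAttributes = z;
    }

    /**
     * Sets the claim names that attributes are not allowed to populate.
     *
     * @param list reserved claim names, or {@code null} for none; the list is stored by reference, not copied
     */
    public void setReservedClaimNames(List<String> list) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        reservedClaimNames = list;
    }

    /**
     * Sets whether the claims are being produced for the ID token.
     *
     * @param z true to apply the ID token filter, false to apply the denied-attributes filter
     */
    public void setTargetIDToken(boolean z) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        targetIDToken = z;
    }

    /**
     * Sets the strategy that locates the claims set to fill.
     *
     * @param function lookup strategy, never {@code null}
     */
    public void setResponseClaimsSetLookupStrategy(@Nonnull Function<ProfileRequestContext, ClaimsSet> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        responseClaimsSetLookupStrategy =
                Constraint.isNotNull(function, "Response Claims Set lookup strategy cannot be null");
    }

    /**
     * Sets the strategy that locates the attribute context.
     *
     * @param function lookup strategy, never {@code null}
     */
    public void setAttributeContextLookupStrategy(
            @Nonnull Function<ProfileRequestContext, AttributeContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        attributeContextLookupStrategy =
                Constraint.isNotNull(function, "AttributeContext lookup strategy cannot be null");
    }

    /**
     * Sets the strategy that locates the consent context.
     *
     * @param function lookup strategy, never {@code null}
     */
    public void setOIDCAuthenticationResponseConsentContextLookupStrategy(
            @Nonnull Function<ProfileRequestContext, OIDCAuthenticationResponseConsentContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        consentContextLookupStrategy = Constraint.isNotNull(function,
                "OIDCAuthenticationResponseConsentContext lookup strategy cannot be null");
    }

    /**
     * Sets the strategy that supplies the always-included attribute ids.
     *
     * @param function lookup strategy, never {@code null}
     */
    public void setAlwaysIncludedAttributesLookupStrategy(
            @Nonnull Function<ProfileRequestContext, Set<String>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        alwaysIncludedAttributesLookupStrategy =
                Constraint.isNotNull(function, "Always included attributes lookup strategy cannot be null");
    }

    /**
     * Sets the strategy that supplies the denied attribute ids.
     *
     * @param function lookup strategy, never {@code null}
     */
    public void setDeniedUserInfoAttributesLookupStrategy(
            @Nonnull Function<ProfileRequestContext, Set<String>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        deniedUserInfoAttributesLookupStrategy =
                Constraint.isNotNull(function, "Denied UserInfo attributes lookup strategy cannot be null");
    }

    /**
     * Verifies that the transcoder registry has been configured.
     *
     * @throws ComponentInitializationException if no transcoder registry was set
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (transcoderRegistry == null) {
            throw new ComponentInitializationException("AttributeTranscoderRegistry cannot be null");
        }
    }

    /**
     * Resolves the attribute context, the claims set and the filter sets that apply to the current target.
     *
     * @param profileRequestContext the current profile request context
     * @return true if {@code doExecute} should run, false if there is nothing to do or a precondition failed
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCResponseAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        attributeCtx = attributeContextLookupStrategy.apply(profileRequestContext);
        if (attributeCtx == null) {
            log.debug("{} No AttributeSubcontext available, nothing to do", getLogPrefix());
            return false;
        }
        claimsSet = responseClaimsSetLookupStrategy.apply(profileRequestContext);
        if (claimsSet == null) {
            log.error("{} No claims set to fill", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }
        if (!targetIDToken) {
            // Not the ID token: only the deny list applies. Both sets are left non-null so that
            // encodeAttribute can call contains() without a null check.
            deniedUserInfoAttributes = deniedUserInfoAttributesLookupStrategy.apply(profileRequestContext);
            if (deniedUserInfoAttributes == null) {
                deniedUserInfoAttributes = Collections.emptySet();
            }
            alwaysIncludedAttributes = Collections.emptySet();
            return true;
        }
        Object message = profileRequestContext.getInboundMessageContext().getMessage();
        if (message instanceof AuthenticationRequest) {
            ResponseType responseType = ((AuthenticationRequest) message).getResponseType();
            // Only a response type of exactly "id_token" puts every attribute into the ID token.
            addToIDTokenByDefault = responseType.contains(OIDCResponseTypeValue.ID_TOKEN) && responseType.size() == 1;
        }
        // NOTE(review): for any other message type the flag keeps whatever value it already had;
        // presumably a fresh action instance is used per request - confirm.
        alwaysIncludedAttributes = alwaysIncludedAttributesLookupStrategy.apply(profileRequestContext);
        if (alwaysIncludedAttributes == null) {
            alwaysIncludedAttributes = Collections.emptySet();
        }
        deniedUserInfoAttributes = Collections.emptySet();
        return true;
    }

    /**
     * Encodes every non-empty, consented attribute and copies the resulting claims into the claims set,
     * skipping reserved claim names. If encoding fails, the event {@code UnableToEncodeAttribute} is built
     * and no claim is written.
     *
     * @param profileRequestContext the current profile request context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        final List<JSONObject> encodedClaims = new ArrayList<>();
        final OIDCAuthenticationResponseConsentContext consentCtx =
                consentContextLookupStrategy.apply(profileRequestContext);
        ServiceableComponent<AttributeTranscoderRegistry> component = null;
        try {
            component = transcoderRegistry.getServiceableComponent();
            if (component == null) {
                log.error("Attribute transoding service unavailable");
                throw new AttributeEncodingException("Attribute transoding service unavailable");
            }
            for (IdPAttribute attribute : attributeCtx.getIdPAttributes().values()) {
                if (attribute == null || attribute.getValues().isEmpty()) {
                    continue;
                }
                // A missing consent context means consent is not in play; otherwise the attribute must be listed.
                if (consentCtx == null || consentCtx.getConsentedAttributes().contains(attribute.getId())) {
                    encodeAttribute(component.getComponent(), profileRequestContext, attribute, encodedClaims);
                } else {
                    log.debug("{} Consentable attribute {} has no consent. Not added to claims set",
                            getLogPrefix(), attribute.getId());
                }
            }
        } catch (AttributeEncodingException e) {
            ActionSupport.buildEvent(profileRequestContext, "UnableToEncodeAttribute");
            return;
        } finally {
            // Release the pin on every path, including encoding failures and runtime exceptions;
            // a component that stays pinned is never released back to the reloadable service.
            if (component != null) {
                component.unpinComponent();
            }
        }
        for (JSONObject encoded : encodedClaims) {
            for (String claimName : encoded.keySet()) {
                if (reservedClaimNames != null && reservedClaimNames.contains(claimName)) {
                    log.debug("{} claim has a reserved name {}. Not added to claims set", getLogPrefix(), claimName);
                    continue;
                }
                // Debug output below carries the claim value (user data).
                log.debug("{} Adding claim {} with value {}", getLogPrefix(), claimName, encoded.get(claimName));
                claimsSet.setClaim(claimName, encoded.get(claimName));
            }
        }
        log.debug("{} claims set after mapping attributes to claims {}", getLogPrefix(),
                claimsSet.toJSONObject().toJSONString());
    }

    /**
     * Encodes one attribute with each of its transcoding rules and appends the non-null results.
     *
     * <p>The attribute is filtered before any transcoder runs: for the ID token it must be always-included
     * unless every attribute goes into the ID token by default, and for the other target it must not be in
     * the denied set. A filtered attribute is skipped, so it never reaches the output collection.</p>
     *
     * @param attributeTranscoderRegistry registry that supplies the transcoding rules
     * @param profileRequestContext the current profile request context
     * @param idPAttribute the attribute to encode
     * @param collection live collection that receives the encoded claims
     * @throws AttributeEncodingException if encoding fails and unencodable attributes are not ignored
     */
    private void encodeAttribute(@Nonnull AttributeTranscoderRegistry attributeTranscoderRegistry,
            @Nonnull ProfileRequestContext profileRequestContext, @Nonnull IdPAttribute idPAttribute,
            @NonnullElements @Live @Nonnull Collection<JSONObject> collection) throws AttributeEncodingException {
        Collection<TranscodingRule> transcodingRules =
                attributeTranscoderRegistry.getTranscodingRules(idPAttribute, JSONObject.class);
        if (transcodingRules.isEmpty()) {
            log.debug("{} Attribute {} does not have any transcoding rules, nothing to do", getLogPrefix(),
                    idPAttribute.getId());
            return;
        }
        for (TranscodingRule transcodingRule : transcodingRules) {
            if (targetIDToken) {
                if (!addToIDTokenByDefault && !alwaysIncludedAttributes.contains(idPAttribute.getId())) {
                    log.debug("{} Attribute {} not targeted for ID Token", getLogPrefix(), idPAttribute.getId());
                    // Skip rather than only log: falling through would release an attribute the
                    // release policy excludes from this token.
                    continue;
                }
            } else if (deniedUserInfoAttributes.contains(idPAttribute.getId())) {
                log.debug("{} Attribute {} not targeted for Userinfo Token", getLogPrefix(), idPAttribute.getId());
                continue;
            }
            try {
                JSONObject jSONObject = (JSONObject) TranscoderSupport.getTranscoder(transcodingRule).encode(profileRequestContext, idPAttribute, JSONObject.class, transcodingRule);
                if (jSONObject != null) {
                    collection.add(jSONObject);
                }
            } catch (AttributeEncodingException e) {
                log.warn("{} Unable to encode attribute {}", getLogPrefix(), idPAttribute.getId(), e);
                if (!ignoringUnencodableAttributes) {
                    throw e;
                }
            }
        }
    }
}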
