package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.oauth2.sdk.AbstractOptionallyAuthenticatedRequest;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.JWTAuthentication;
import com.nimbusds.oauth2.sdk.auth.PlainClientSecret;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.util.List;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.config.navigate.TokenEndpointAuthMethodLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCMetadataContext;
import net.shibboleth.oidc.security.impl.JWTSignatureValidationUtil;
import net.shibboleth.oidc.security.impl.OIDCSignatureValidationParameters;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.opensaml.storage.ReplayCache;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/ValidateEndpointAuthentication.class */
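/**
 * Action that validates the client authentication carried by an optionally-authenticated OAuth2/OIDC
 * endpoint request (typically the token endpoint) against the method registered in the client's
 * metadata and the set of methods enabled for the profile.
 *
 * <p>Outcome: on success the action returns without building an event; on any failure it builds
 * {@code AccessDenied} (or the event returned by the JWT signature validator). A missing
 * {@link OIDCMetadataContext} builds {@code InvalidProfileContext} so the flow never proceeds
 * past this action without an explicit decision.</p>
 *
 * <p>This class was reconstructed from decompiler output; the request's client authentication is
 * handled as the general {@link ClientAuthentication} type rather than the decompiler's narrowed type.</p>
 */
public class ValidateEndpointAuthentication extends AbstractOIDCRequestAction<AbstractOptionallyAuthenticatedRequest> {

    /** Event built when the presented client authentication is rejected. */
    @Nonnull private static final String EVENT_ACCESS_DENIED = "AccessDenied";

    /** Event built when a context this action depends on is missing (same id as EventIds.INVALID_PROFILE_CTX). */
    @Nonnull private static final String EVENT_INVALID_PROFILE_CTX = "InvalidProfileContext";

    /**
     * Replay cache, mandatory at initialization.
     * NOTE(review): it is not consulted anywhere in this class, so replay protection for JWT
     * client assertions (jti) is presumably performed by another action — confirm before relying on it.
     */
    @NonnullAfterInit
    private ReplayCache replayCache;

    /** Metadata context resolved in {@link #doPreExecute(ProfileRequestContext)}. */
    @Nullable
    private OIDCMetadataContext oidcMetadataContext;

    /** Signature validation parameters; not read by this class. */
    @Nullable
    private OIDCSignatureValidationParameters signatureValidationParameters;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateEndpointAuthentication.class);

    /** Strategy to locate the {@link OIDCMetadataContext} under the inbound message context. */
    @Nonnull
    private Function<ProfileRequestContext, OIDCMetadataContext> oidcMetadataContextLookupStrategy =
            new ChildContextLookup(OIDCMetadataContext.class).compose(new InboundMessageContextLookup());

    /** Strategy to obtain the token endpoint authentication methods enabled for this profile. */
    @Nonnull
    private Function<ProfileRequestContext, List<ClientAuthenticationMethod>> tokenEndpointAuthMethodsLookupStrategy =
            new TokenEndpointAuthMethodLookupFunction();

    /** Strategy to locate the {@link SecurityParametersContext} used for JWT signature validation. */
    @Nonnull
    private Function<ProfileRequestContext, SecurityParametersContext> securityParametersLookupStrategy =
            new ChildContextLookup(SecurityParametersContext.class);

    /**
     * Set the strategy used to locate the {@link OIDCMetadataContext}.
     *
     * @param function lookup strategy, must not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setOidcMetadataContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, OIDCMetadataContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        oidcMetadataContextLookupStrategy =
                Constraint.isNotNull(function, "OIDCMetadataContext lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to obtain the enabled token endpoint authentication methods.
     *
     * @param function lookup strategy, must not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setTokenEndpointAuthMethodsLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, List<ClientAuthenticationMethod>> function) {
        // Guard added for consistency with the other setters: the enabled-method list is a security
        // policy input and must not change once the component is live.
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        tokenEndpointAuthMethodsLookupStrategy = Constraint.isNotNull(function,
                "Strategy to obtain enabled token endpoint authentication methods cannot be null");
    }

    /**
     * Set the replay cache.
     *
     * @param replayCache replay cache, must not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setReplayCache(@Nonnull final ReplayCache replayCache) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.replayCache = Constraint.isNotNull(replayCache, "ReplayCache cannot be null");
    }

    /**
     * Set the strategy used to locate the {@link SecurityParametersContext}.
     *
     * @param function lookup strategy, must not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setSecurityParametersLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, SecurityParametersContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        securityParametersLookupStrategy =
                Constraint.isNotNull(function, "SecurityParameterContext lookup strategy cannot be null");
    }

    /** {@inheritDoc} */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (replayCache == null) {
            throw new ComponentInitializationException("ReplayCache cannot be null");
        }
    }

    /**
     * Resolve the {@link OIDCMetadataContext}; without it the client's registered method is unknown.
     *
     * @param profileRequestContext current profile request context
     * @return true iff the action should execute
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        oidcMetadataContext = oidcMetadataContextLookupStrategy.apply(profileRequestContext);
        if (oidcMetadataContext == null) {
            log.error("{} OICDMetadataContext is null", getLogPrefix());
            // Fail closed: returning false alone would skip doExecute without any event, and the flow
            // would continue as though the client had been authenticated.
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CTX);
            return false;
        }
        return true;
    }

    /**
     * Validate the request's client authentication against the method registered for the client,
     * provided that method is enabled for the profile.
     *
     * @param profileRequestContext current profile request context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        final AbstractOptionallyAuthenticatedRequest request = getRequest();
        final OIDCClientInformation clientInformation = oidcMetadataContext.getClientInformation();
        if (clientInformation == null) {
            // Nothing to compare the presented credentials against.
            log.warn("{} Client information is not available, cannot validate client authentication",
                    getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_ACCESS_DENIED);
            return;
        }
        final ClientAuthenticationMethod registeredMethod =
                registeredMethodOrDefault(clientInformation.getOIDCMetadata());
        final ClientAuthentication clientAuthentication = request.getClientAuthentication();
        final List<ClientAuthenticationMethod> enabledMethods =
                tokenEndpointAuthMethodsLookupStrategy.apply(profileRequestContext);

        if (enabledAndEquals(enabledMethods, registeredMethod, ClientAuthenticationMethod.NONE)) {
            // Public client: accepted without inspecting whatever credentials the request may carry.
            log.debug("{} None authentication is requested and enabled, nothing to do", getLogPrefix());
            return;
        }

        if (enabledAndEquals(enabledMethods, registeredMethod, ClientAuthenticationMethod.CLIENT_SECRET_BASIC)) {
            if (clientAuthentication instanceof ClientSecretBasic) {
                if (validateSecret((ClientSecretBasic) clientAuthentication, clientInformation)) {
                    return;
                }
            } else {
                log.warn("{} Unrecognized client authentication {} for client_secret_basic", getLogPrefix(),
                        clientAuthentication);
            }
        } else if (enabledAndEquals(enabledMethods, registeredMethod, ClientAuthenticationMethod.CLIENT_SECRET_POST)) {
            if (clientAuthentication instanceof ClientSecretPost) {
                if (validateSecret((ClientSecretPost) clientAuthentication, clientInformation)) {
                    return;
                }
            } else {
                log.warn("{} Unrecognized client authentication {} for client_secret_post", getLogPrefix(),
                        clientAuthentication);
            }
        } else if (enabledAndEquals(enabledMethods, registeredMethod, ClientAuthenticationMethod.CLIENT_SECRET_JWT)
                || enabledAndEquals(enabledMethods, registeredMethod, ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
            // NOTE(review): both ClientSecretJWT and PrivateKeyJWT are JWTAuthentication; whether the
            // assertion's algorithm is restricted to the registered method is presumably decided by the
            // SecurityParametersContext handed to the validator — confirm.
            if (clientAuthentication instanceof JWTAuthentication) {
                final String failureEvent = JWTSignatureValidationUtil.validateSignature(
                        securityParametersLookupStrategy.apply(profileRequestContext),
                        ((JWTAuthentication) clientAuthentication).getClientAssertion(), EVENT_ACCESS_DENIED);
                if (failureEvent != null) {
                    ActionSupport.buildEvent(profileRequestContext, failureEvent);
                }
                return;
            }
            log.warn("{} Unrecognized client authentication {} for {}", getLogPrefix(), clientAuthentication,
                    registeredMethod);
        } else {
            // Null-safe: an unauthenticated request has no ClientAuthentication object to read a method from.
            log.warn("{} Unsupported client authentication method {}", getLogPrefix(),
                    clientAuthentication != null ? clientAuthentication.getMethod() : null);
        }
        ActionSupport.buildEvent(profileRequestContext, EVENT_ACCESS_DENIED);
    }

    /**
     * Get the token endpoint authentication method registered for the client, defaulting to
     * {@code client_secret_basic} when the metadata does not declare one.
     *
     * @param metadata client metadata, may be null
     * @return the registered method or the default
     */
    @Nonnull
    private static ClientAuthenticationMethod registeredMethodOrDefault(@Nullable final OIDCClientMetadata metadata) {
        final ClientAuthenticationMethod declared = metadata != null ? metadata.getTokenEndpointAuthMethod() : null;
        return declared != null ? declared : ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
    }

    /**
     * Check whether the client's registered method equals the candidate and that candidate is enabled.
     *
     * @param list enabled methods, may be null or empty (in which case every method is disabled)
     * @param clientAuthenticationMethod the method registered for the client
     * @param clientAuthenticationMethod2 the candidate method being tested
     * @return true iff the registered method is the candidate and it is enabled
     */
    protected boolean enabledAndEquals(final List<ClientAuthenticationMethod> list,
            final ClientAuthenticationMethod clientAuthenticationMethod,
            final ClientAuthenticationMethod clientAuthenticationMethod2) {
        if (!clientAuthenticationMethod.equals(clientAuthenticationMethod2)) {
            return false;
        }
        if (list == null || list.isEmpty()) {
            log.warn("{} List of enabled methods is empty, all methods are disabled", getLogPrefix());
            return false;
        }
        if (!list.contains(clientAuthenticationMethod)) {
            log.warn("{} The requested method {} is not enabled", getLogPrefix(), clientAuthenticationMethod);
            return false;
        }
        return true;
    }

    /**
     * Compare the presented plain client secret with the secret registered for the client.
     *
     * @param plainClientSecret presented credentials
     * @param oIDCClientInformation registered client information
     * @return true iff a secret was presented and matches the registered one
     */
    protected boolean validateSecret(final PlainClientSecret plainClientSecret,
            final OIDCClientInformation oIDCClientInformation) {
        final Secret presented = plainClientSecret.getClientSecret();
        if (presented == null) {
            log.warn("{} The client secret was null and cannot be validated", getLogPrefix());
            return false;
        }
        // A client with no registered secret compares unequal and is denied.
        // NOTE(review): the comparison relies on Secret.equals(); recent SDK releases implement it in
        // constant time, confirm for the bundled version before treating this as timing-safe.
        if (presented.equals(oIDCClientInformation.getSecret())) {
            log.debug("{} The client secret successfully verified", getLogPrefix());
            return true;
        }
        log.warn("{} The client secret validation failed", getLogPrefix());
        return false;
    }
}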
