package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.text.ParseException;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCAuthenticationResponseContext;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCMetadataContext;
import net.shibboleth.oidc.jwt.claims.JWTClaimsValidation;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.oidc.security.impl.JWTSignatureValidationUtil;
import net.shibboleth.oidc.security.impl.OIDCSignatureValidationParameters;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.apache.commons.cli.HelpFormatter;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.xmlsec.context.SecurityParametersContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/ValidateRequestObject.class */
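/**
 * Profile action that validates the request object (a {@link JWT}) carried by the
 * current OIDC authentication request, if one is present.
 *
 * <p>The checks, in order:</p>
 * <ol>
 *   <li>An unsigned ({@link PlainJWT}) request object is rejected when the client's
 *       registered request object signing algorithm is set and is not {@code none}.</li>
 *   <li>A {@link SignedJWT} request object has its signature checked through
 *       {@link JWTSignatureValidationUtil#validateSignature}; any other JWT type is rejected.</li>
 *   <li>If the object carries a {@code client_id} or {@code response_type} claim, the claim
 *       must equal the corresponding parameter of the outer authentication request.</li>
 *   <li>The claims set is handed to the {@link JWTClaimsValidation} configured for signed or
 *       plain objects respectively.</li>
 * </ol>
 *
 * <p>Every failure is signalled with the {@code InvalidRequestObject} event (or the event
 * returned by the signature validation helper).</p>
 */
public class ValidateRequestObject extends AbstractOIDCAuthenticationResponseAction {

    /** Event raised when the request object fails any of the checks. */
    @Nonnull private static final String EVENT_INVALID_REQUEST_OBJECT = "InvalidRequestObject";

    /** Algorithm name meaning "unsigned" in the client's registered metadata. */
    @Nonnull private static final String ALG_NONE = "none";

    /** Separator between the values of a space-delimited {@code response_type} claim. */
    @Nonnull private static final String RESPONSE_TYPE_SEPARATOR = " ";

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger(ValidateRequestObject.class);

    /** Signature validation parameters; currently not read by this action. */
    @Nullable private OIDCSignatureValidationParameters signatureValidationParameters;

    /** Request object taken from the response context in {@link #doPreExecute}. */
    @Nullable private JWT requestObject;

    /** Claims validation applied to signed request objects. */
    @NonnullAfterInit private JWTClaimsValidation signedClaimsValidation;

    /** Claims validation applied to plain (unsigned) request objects. */
    @NonnullAfterInit private JWTClaimsValidation plainClaimsValidation;

    /** Strategy used to locate the {@link SecurityParametersContext} for signature validation. */
    @Nonnull private Function<ProfileRequestContext, SecurityParametersContext> securityParametersLookupStrategy =
            new ChildContextLookup<>(SecurityParametersContext.class);

    /**
     * Set the strategy used to locate the {@link SecurityParametersContext}.
     *
     * @param strategy lookup strategy, must not be null
     */
    public void setSecurityParametersLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, SecurityParametersContext> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.securityParametersLookupStrategy =
                Constraint.isNotNull(strategy, "SecurityParameterContext lookup strategy cannot be null");
    }

    /**
     * Set the claims validation used for signed request objects.
     *
     * @param validation claims validator, must not be null
     */
    public void setSignedClaimsValidation(@Nonnull final JWTClaimsValidation validation) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.signedClaimsValidation = Constraint.isNotNull(validation, "Signed claims validator cannot be null");
    }

    /**
     * Set the claims validation used for plain (unsigned) request objects.
     *
     * @param validation claims validator, must not be null
     */
    public void setPlainClaimsValidation(@Nonnull final JWTClaimsValidation validation) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.plainClaimsValidation = Constraint.isNotNull(validation, "Plain claims validator cannot be null");
    }

    /**
     * {@inheritDoc}
     *
     * @throws ComponentInitializationException if either claims validator has not been set
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.signedClaimsValidation == null) {
            throw new ComponentInitializationException("ClaimsValidation for signed requests cannot be null");
        }
        if (this.plainClaimsValidation == null) {
            throw new ComponentInitializationException("ClaimsValidation for plain requests cannot be null");
        }
    }

    /**
     * Fetches the request object from the response context; the action is skipped when there is none.
     *
     * <p>Left {@code public} as in the decompiled form, which reports the original modifier as
     * {@code protected}; widening is override-compatible.</p>
     *
     * @param profileRequestContext current profile request context
     * @return true iff a request object is present and {@link #doExecute} should run
     */
    @Override
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.requestObject = getOidcResponseContext().getRequestObject();
        if (this.requestObject == null) {
            this.log.debug("{} No request object, nothing to do", getLogPrefix());
            return false;
        }
        return true;
    }

    /**
     * Runs the signature, claim-consistency and claims-set checks described on the class.
     *
     * @param profileRequestContext current profile request context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!checkSignature(profileRequestContext)) {
            return;
        }
        try {
            // Parse the claims once; the original re-parsed for the response_type check.
            final JWTClaimsSet claims = this.requestObject.getJWTClaimsSet();
            if (!claimsMatchRequest(claims)) {
                ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_REQUEST_OBJECT);
                return;
            }
            validateClaims(claims, profileRequestContext);
        } catch (final ParseException e) {
            this.log.error("{} Unable to parse request object {}", getLogPrefix(), e.getMessage());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_REQUEST_OBJECT);
        }
    }

    /**
     * Enforces the signing requirements on the request object.
     *
     * <p>A plain JWT is only accepted when the client has no registered request object
     * signing algorithm, or has registered {@code none}. A signed JWT must verify against the
     * located {@link SecurityParametersContext}. Anything else (e.g. a still-encrypted JWT)
     * is rejected instead of being cast blindly to {@link SignedJWT}.</p>
     *
     * @param profileRequestContext current profile request context
     * @return true iff processing may continue; false when a failure event has been built
     */
    private boolean checkSignature(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (this.requestObject instanceof PlainJWT) {
            final String registeredAlg = getRegisteredRequestObjectAlg();
            if (registeredAlg != null && !ALG_NONE.equals(registeredAlg)) {
                this.log.error("{} Request object is not signed even though registered alg is {}",
                        getLogPrefix(), registeredAlg);
                ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_REQUEST_OBJECT);
                return false;
            }
            return true;
        }
        if (!(this.requestObject instanceof SignedJWT)) {
            this.log.error("{} Request object is neither a plain nor a signed JWT", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_REQUEST_OBJECT);
            return false;
        }
        final String failureEvent = JWTSignatureValidationUtil.validateSignature(
                this.securityParametersLookupStrategy.apply(profileRequestContext),
                (SignedJWT) this.requestObject, EVENT_INVALID_REQUEST_OBJECT);
        if (failureEvent != null) {
            ActionSupport.buildEvent(profileRequestContext, failureEvent);
            return false;
        }
        return true;
    }

    /**
     * Name of the client's registered request object signing algorithm.
     *
     * @return the algorithm name, or null if none is registered
     */
    @Nullable
    private String getRegisteredRequestObjectAlg() {
        if (getMetadataContext().getClientInformation().getOIDCMetadata().getRequestObjectJWSAlg() == null) {
            return null;
        }
        return getMetadataContext().getClientInformation().getOIDCMetadata().getRequestObjectJWSAlg().getName();
    }

    /**
     * Checks that the {@code client_id} and {@code response_type} claims, when present, agree
     * with the parameters of the outer authentication request.
     *
     * <p>A present claim that is missing a value, empty, or not a string is treated as a
     * mismatch rather than allowed to surface as an unchecked exception.</p>
     *
     * @param claims parsed claims of the request object
     * @return true iff no mismatch was found
     * @throws ParseException if a claim is present but is not a string
     */
    private boolean claimsMatchRequest(@Nonnull final JWTClaimsSet claims) throws ParseException {
        if (claims.getClaims().containsKey("client_id")) {
            final String clientId = claims.getStringClaim("client_id");
            if (clientId == null || clientId.isEmpty()
                    || !getAuthenticationRequest().getClientID().equals(new ClientID(clientId))) {
                this.log.error("{} client_id in request object not matching client_id request parameter",
                        getLogPrefix());
                return false;
            }
        }
        if (claims.getClaims().containsKey("response_type")) {
            final String responseType = claims.getStringClaim("response_type");
            if (responseType == null || responseType.isEmpty()
                    || !getAuthenticationRequest().getResponseType()
                            .equals(new ResponseType(responseType.split(RESPONSE_TYPE_SEPARATOR)))) {
                this.log.error("{} response_type in request object not matching response_type request parameter",
                        getLogPrefix());
                return false;
            }
        }
        return true;
    }

    /**
     * Applies the signed or plain claims validator to the claims set, raising the failure
     * event if validation throws.
     *
     * @param claims parsed claims of the request object
     * @param profileRequestContext current profile request context
     * @throws ParseException propagated from the validator, if it parses claims itself
     */
    private void validateClaims(@Nonnull final JWTClaimsSet claims,
            @Nonnull final ProfileRequestContext profileRequestContext) throws ParseException {
        try {
            if (this.requestObject instanceof SignedJWT) {
                this.signedClaimsValidation.validate(claims, profileRequestContext);
            } else {
                this.plainClaimsValidation.validate(claims, profileRequestContext);
            }
        } catch (final JWTValidationException e) {
            this.log.warn("{} JWT validation failed: {}", getLogPrefix(), e.getMessage());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_REQUEST_OBJECT);
        }
    }

    /** Bridge method emitted by the compiler; delegates to the superclass. */
    @Override
    public OIDCMetadataContext getMetadataContext() {
        return super.getMetadataContext();
    }

    /** Bridge method emitted by the compiler; delegates to the superclass. */
    @Override
    @Nonnull
    public OIDCAuthenticationResponseContext getOidcResponseContext() {
        return super.getOidcResponseContext();
    }
}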
