package net.shibboleth.idp.plugin.oidc.op.authn.impl;

import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.util.Collections;
import java.util.Set;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.AbstractAuthenticationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.oidc.authn.context.OAuth2ClientAuthenticationContext;
import net.shibboleth.oidc.metadata.context.OIDCMetadataContext;
import net.shibboleth.oidc.profile.config.navigate.TokenEndpointAuthMethodLookupFunction;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.InboundMessageContextLookup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/authn/impl/ValidateClientAuthenticationType.class */
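/**
 * Authentication action that checks the client authentication method actually used on the
 * request against (a) the {@code token_endpoint_auth_method} the client registered and (b) the
 * set of methods enabled for this profile.
 *
 * <p>Two independent checks are made, and either one failing ends the flow with an
 * {@code AccessDenied} event:</p>
 * <ul>
 *   <li>If client information is available, the method used must equal the registered method.
 *   A known client that registered no method is treated as {@code client_secret_basic}, the
 *   OIDC Dynamic Client Registration default.</li>
 *   <li>The method used must be among the methods enabled in profile configuration. An absent
 *   configuration enables nothing, so every method is rejected.</li>
 * </ul>
 *
 * <p>A request that carries no {@link ClientAuthentication} is treated as using
 * {@link ClientAuthenticationMethod#NONE}; it is therefore rejected for any client whose
 * registered method is something else, and rejected unless {@code none} is enabled.</p>
 */
public class ValidateClientAuthenticationType extends AbstractAuthenticationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateClientAuthenticationType.class);

    /** Strategy used to locate the {@link OIDCMetadataContext}; defaults to a child of the inbound message context. */
    @Nonnull
    private Function<ProfileRequestContext, OIDCMetadataContext> oidcMetadataContextLookupStrategy = new ChildContextLookup(OIDCMetadataContext.class).compose(new InboundMessageContextLookup());

    /** Strategy used to obtain the token endpoint authentication methods enabled for the profile. */
    @Nonnull
    private Function<ProfileRequestContext, Set<ClientAuthenticationMethod>> tokenEndpointAuthMethodsLookupStrategy = new TokenEndpointAuthMethodLookupFunction();

    /** Client metadata context located in {@link #doPreExecute}, or null if none was found. */
    @Nullable
    private OIDCMetadataContext oidcMetadataContext;

    /** Client authentication presented on the request, or null if none was presented. */
    @Nullable
    private ClientAuthentication clientAuthentication;

    /** Methods enabled in profile configuration; never null once {@link #doPreExecute} has run. */
    @NonnullElements
    @Nullable
    private Set<ClientAuthenticationMethod> enabledMethods;

    /**
     * Sets the strategy used to locate the {@link OIDCMetadataContext}.
     *
     * @param function lookup strategy, must not be null
     */
    public void setOIDCMetadataContextLookupStrategy(@Nonnull Function<ProfileRequestContext, OIDCMetadataContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        oidcMetadataContextLookupStrategy = Constraint.isNotNull(function, "OIDCMetadataContext lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to obtain the token endpoint authentication methods enabled for the profile.
     *
     * @param function lookup strategy, must not be null
     */
    public void setTokenEndpointAuthMethodsLookupStrategy(@Nonnull Function<ProfileRequestContext, Set<ClientAuthenticationMethod>> function) {
        // Same guard as the other setter: configuration is frozen once the action is initialized.
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        tokenEndpointAuthMethodsLookupStrategy = Constraint.isNotNull(function, "Strategy to obtain enabled token endpoint authentication methods cannot be null");
    }

    /**
     * Collects the presented client authentication, the client metadata context and the enabled
     * method set for {@link #doExecute}.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @return false if the superclass declines to run the action, true otherwise
     */
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        final OAuth2ClientAuthenticationContext clientAuthnCtx = authenticationContext.getSubcontext(OAuth2ClientAuthenticationContext.class);
        if (clientAuthnCtx != null) {
            clientAuthentication = clientAuthnCtx.getClientAuthentication();
        }
        oidcMetadataContext = oidcMetadataContextLookupStrategy.apply(profileRequestContext);
        final Set<ClientAuthenticationMethod> configured = tokenEndpointAuthMethodsLookupStrategy.apply(profileRequestContext);
        // A missing configuration must fail closed: nothing enabled means every method is rejected.
        enabledMethods = configured != null ? configured : Collections.<ClientAuthenticationMethod>emptySet();
        return true;
    }

    /**
     * Rejects the request with {@code AccessDenied} if the method used differs from the client's
     * registered method, or is not enabled in profile configuration. Signals nothing on success.
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext) {
        // Method the client actually used; absent credentials count as "none".
        final ClientAuthenticationMethod attempted = clientAuthentication != null ? clientAuthentication.getMethod() : ClientAuthenticationMethod.NONE;

        final ClientAuthenticationMethod registered = getRegisteredMethod();
        if (registered != null && !registered.equals(attempted)) {
            // The client ID is taken from the metadata rather than from clientAuthentication: the latter is
            // null when the request carried no credentials at all, which is exactly the case that lands here
            // for any client registered with a method other than "none".
            log.warn("{} Client '{}' registered {} but attempted {}", getLogPrefix(), oidcMetadataContext.getClientInformation().getID(), registered, attempted);
            ActionSupport.buildEvent(profileRequestContext, "AccessDenied");
            return;
        }
        if (!enabledMethods.contains(attempted)) {
            log.warn("{} Requested method {} not enabled in profile configuration", getLogPrefix(), attempted);
            ActionSupport.buildEvent(profileRequestContext, "AccessDenied");
        }
    }

    /**
     * Returns the token endpoint authentication method the client registered, or null when no
     * client information is available (in which case only the enabled-methods check applies).
     *
     * <p>A known client that registered no method is given
     * {@link ClientAuthenticationMethod#CLIENT_SECRET_BASIC}, the OIDC registration default.</p>
     *
     * @return registered method, or null if the client is unknown
     */
    @Nullable
    private ClientAuthenticationMethod getRegisteredMethod() {
        if (oidcMetadataContext == null || oidcMetadataContext.getClientInformation() == null) {
            return null;
        }
        final OIDCClientMetadata metadata = oidcMetadataContext.getClientInformation().getOIDCMetadata();
        final ClientAuthenticationMethod registered = metadata.getTokenEndpointAuthMethod();
        return registered != null ? registered : ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
    }
}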
