package net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl;

import java.text.ParseException;
import javax.annotation.Nonnull;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCAuthenticationResponseContext;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.security.DataSealer;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.RevocationCache;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/userinfo/profile/impl/ValidateAccessToken.class */
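/**
 * Profile action that validates the access token presented in a UserInfo request.
 *
 * <p>The token value is unwrapped with the configured {@link DataSealer} and then checked, in order, for
 * time validity, an empty audience, and revocation. When every check passes, the claims set is stored on
 * the OIDC response context via {@code setAuthorizationGrantClaimsSet}. Any failed check, and any
 * unwrapping or parsing error, builds the {@code InvalidGrant} event instead, so the action fails closed.</p>
 */
public class ValidateAccessToken extends AbstractOIDCUserInfoValidationResponseAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateAccessToken.class);

    /** Sealer used to unwrap the opaque access token value into its claims set. */
    @NonnullAfterInit
    private DataSealer dataSealer;

    /** Cache consulted to find out whether the token's ID has been revoked. */
    @NonnullAfterInit
    private RevocationCache revocationCache;

    /**
     * Sets the data sealer used to unwrap access tokens.
     *
     * @param dataSealer the sealer to use, must not be null
     */
    public void setDataSealer(@Nonnull DataSealer dataSealer) {
        // Configuration is frozen once the component has been initialized.
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.dataSealer = Constraint.isNotNull(dataSealer, "DataSealer cannot be null");
    }

    /**
     * Sets the revocation cache consulted during validation.
     *
     * @param revocationCache the cache to use, must not be null
     */
    public void setRevocationCache(@Nonnull RevocationCache revocationCache) {
        // Configuration is frozen once the component has been initialized.
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.revocationCache = Constraint.isNotNull(revocationCache, "RevocationCache cannot be null");
    }

    /**
     * Verifies that both collaborators were injected before the action can be used.
     *
     * @throws ComponentInitializationException if the revocation cache or the data sealer is missing
     */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.revocationCache == null || this.dataSealer == null) {
            throw new ComponentInitializationException("RevocationCache and DataSealer cannot be null");
        }
    }

    /**
     * Unwraps and validates the access token carried by the UserInfo request.
     *
     * <p>Every rejection path builds the same {@code InvalidGrant} event, so the event alone does not show
     * which check failed. The reason is only visible in the log.</p>
     *
     * @param profileRequestContext the current profile request context, which receives the event on failure
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        try {
            final AccessTokenClaimsSet claims =
                    AccessTokenClaimsSet.parse(getUserInfoRequest().getAccessToken().getValue(), this.dataSealer);
            // NOTE(review): this writes the full unwrapped claims set to the debug log. Treat debug output
            // for this class as sensitive and keep it out of shared log sinks.
            this.log.debug("{} Access token unwrapped: {}", getLogPrefix(), claims.serialize());
            if (!claims.isTimeValid()) {
                this.log.warn("{} Access token is expired or future dated", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
            } else if (!claims.getAudience().isEmpty()) {
                // Only tokens with no audience are accepted here. Any audience value is treated as
                // meaning the token was issued for some other party.
                // Fixed: the log prefix argument was missing, so "{}" was printed literally.
                this.log.warn("{} Access token was not issued for use by this OP", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
            } else if (this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, claims.getID())) {
                // The token's ID is looked up in the authorization-code revocation context.
                // NOTE(review): what isRevoked returns when the backing store fails depends on the
                // RevocationCache implementation. Confirm that it fails closed.
                this.log.warn("{} Authorization code {} and all derived tokens have been revoked", getLogPrefix(),
                        claims.getID());
                ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
            } else {
                this.log.debug("{} Access token {} validated", getLogPrefix(), claims.getID());
                getOidcResponseContext().setAuthorizationGrantClaimsSet(claims);
            }
        } catch (DataSealerException | ParseException e) {
            // A token that cannot be unwrapped or parsed is rejected the same way as one that fails a check.
            this.log.warn("{} Parsing access token failed: {}", getLogPrefix(), e.getMessage());
            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
        }
    }

    /**
     * Returns the OIDC response context by delegating to the superclass.
     *
     * <p>The original listing marks this method as bridge/synthetic. It adds no behaviour of its own.</p>
     *
     * @return the OIDC authentication response context held by the superclass
     */
    @Override // net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl.AbstractOIDCUserInfoValidationResponseAction
    @Nonnull
    public /* bridge */ /* synthetic */ OIDCAuthenticationResponseContext getOidcResponseContext() {
        return super.getOidcResponseContext();
    }
}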
