package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientRegistrationRequest;
import java.util.Map;
import java.util.function.BiFunction;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.minidev.json.JSONObject;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCClientRegistrationMetadataPolicyContext;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.oidc.metadata.policy.MetadataPolicy;
import net.shibboleth.oidc.metadata.policy.impl.DefaultMetadataPolicyEnforcer;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/ValidateRegistrationRequestMetadata.class */
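/**
 * Profile action that validates the client metadata of an inbound OIDC client registration
 * request against the metadata policy carried in an
 * {@link OIDCClientRegistrationMetadataPolicyContext}.
 *
 * <p>Each claim named in the policy is passed, together with the value the client requested (or
 * {@code null} when the client did not send it), to the configured policy enforcer. The enforcer
 * returns the value to use and a compliance flag. When every claim is compliant, the resulting
 * metadata is stored in the context as the policy-enforced metadata. When no policy is present,
 * the requested metadata is stored unchanged.</p>
 *
 * <p>Events built by this action: {@code InvalidProfileContext}, {@code InvalidMessageContext}
 * and {@code InvalidMessage}.</p>
 */
public class ValidateRegistrationRequestMetadata extends AbstractProfileAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateRegistrationRequestMetadata.class);

    /** Strategy used to locate the metadata policy context; defaults to a child of the inbound message context. */
    @Nonnull
    private Function<MessageContext, OIDCClientRegistrationMetadataPolicyContext> registrationMetadataPolicyContextLookupStrategy = new ChildContextLookup<>(OIDCClientRegistrationMetadataPolicyContext.class);

    /** Function that applies one claim's policy to the requested value, returning (value to use, compliant?). */
    @Nonnull
    private BiFunction<Object, MetadataPolicy, Pair<Object, Boolean>> metadataPolicyEnforcer = new DefaultMetadataPolicyEnforcer();

    /** The registration request being validated; populated by {@link #doPreExecute}. */
    @Nullable
    private OIDCClientRegistrationRequest request;

    /** The context holding the policy and receiving the enforced metadata; populated by {@link #doPreExecute}. */
    @Nullable
    private OIDCClientRegistrationMetadataPolicyContext registrationMetadataPolicyContext;

    /** The metadata policy, keyed by claim name; may be null or empty when no policy applies. */
    @Nullable
    private Map<String, MetadataPolicy> metadataPolicy;

    /**
     * Sets the strategy used to locate the metadata policy context.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setRegistrationMetadataPolicyContextLookupStrategy(@Nonnull Function<MessageContext, OIDCClientRegistrationMetadataPolicyContext> function) {
        // Configuration is frozen once the component has been initialized.
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.registrationMetadataPolicyContextLookupStrategy = Constraint.isNotNull(function, "Registration metadata policy context lookup strategy cannot be null");
    }

    /**
     * Sets the function that enforces a single claim's metadata policy.
     *
     * @param biFunction the policy enforcer, must not be null
     */
    public void setMetadataPolicyEnforcer(@Nonnull BiFunction<Object, MetadataPolicy, Pair<Object, Boolean>> biFunction) {
        // Configuration is frozen once the component has been initialized.
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.metadataPolicyEnforcer = Constraint.isNotNull(biFunction, "The metadata policy enforcer cannot be null");
    }

    /**
     * Resolves the registration request, the metadata policy context and the policy itself.
     *
     * @param profileRequestContext the current profile request context
     * @return {@code true} when the action may proceed; {@code false} (with an event built where
     *         this action detected the problem) otherwise
     */
    @Override
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }

        final MessageContext inboundMessageContext = profileRequestContext.getInboundMessageContext();
        if (inboundMessageContext == null) {
            this.log.debug("{} No inbound message context associated with this profile request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        // instanceof is false for null, so this rejects both a missing and a wrongly typed message.
        final Object message = inboundMessageContext.getMessage();
        if (!(message instanceof OIDCClientRegistrationRequest)) {
            this.log.debug("{} No inbound message associated with this profile request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }
        this.request = (OIDCClientRegistrationRequest) message;

        this.registrationMetadataPolicyContext = this.registrationMetadataPolicyContextLookupStrategy.apply(inboundMessageContext);
        if (this.registrationMetadataPolicyContext == null) {
            this.log.debug("{} No metadata policy context associated with this request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
            return false;
        }

        this.metadataPolicy = this.registrationMetadataPolicyContext.getMetadataPolicy();
        return true;
    }

    /**
     * Applies the metadata policy to the requested client metadata and, when compliant, stores
     * the enforced metadata in the policy context.
     *
     * @param profileRequestContext the current profile request context
     */
    @Override
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (this.metadataPolicy == null || this.metadataPolicy.isEmpty()) {
            // No policy to apply: the requested metadata is accepted as-is.
            this.log.debug("{} No metadata policy found, setting the request as policy enforced", getLogPrefix());
            this.registrationMetadataPolicyContext.setPolicyEnforcedMetadata(this.request.getOIDCClientMetadata());
            return;
        }

        this.log.debug("{} Metadata policy used for request validation: {}", getLogPrefix(), this.metadataPolicy);
        boolean compliant = true;
        final JSONObject metadataJson = this.request.getOIDCClientMetadata().toJSONObject();

        for (final Map.Entry<String, MetadataPolicy> policyEntry : this.metadataPolicy.entrySet()) {
            final String claimName = policyEntry.getKey();
            final Object requestedValue = metadataJson.get(claimName);
            // Logs true when the claim IS present in the request, matching the message text.
            this.log.debug("{} Claim {} set in policy included in the request: {}", getLogPrefix(), claimName, requestedValue != null);

            final Pair<Object, Boolean> result = this.metadataPolicyEnforcer.apply(requestedValue, policyEntry.getValue());
            // A null flag from a custom enforcer is treated as non-compliant rather than
            // failing with a NullPointerException on unboxing.
            if (Boolean.TRUE.equals(result.getSecond())) {
                this.log.trace("{} Validation result is OK for claim {}", getLogPrefix(), claimName);
                // The enforcer may have replaced or defaulted the value; use what it returned.
                metadataJson.put(claimName, result.getFirst());
            } else {
                this.log.warn("{} Metadata claim {} is not compliant with the policy", getLogPrefix(), claimName);
                compliant = false;
            }
        }

        if (!compliant) {
            this.log.warn("{} The requested metadata is not compliant with the policy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            // Fail closed: metadata that did not pass the policy must not be recorded in the
            // context as policy-enforced, and a later parse failure must not replace the
            // InvalidMessage event built above.
            return;
        }

        try {
            this.registrationMetadataPolicyContext.setPolicyEnforcedMetadata(OIDCClientMetadata.parse(metadataJson));
            this.log.debug("{} The enforced metadata stored in context", getLogPrefix());
        } catch (ParseException e) {
            this.log.error("{} Could not parse the enforced metadata", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessageContext");
        }
    }
}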
