package net.shibboleth.idp.plugin.oidc.op.admin.impl;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.time.temporal.TemporalAmount;
import java.util.Map;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.SubjectContext;
import net.shibboleth.idp.plugin.oidc.op.cli.IssueRegistrationAccessTokenArguments;
import net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractBuildErrorResponseFromEvent;
import net.shibboleth.idp.plugin.oidc.op.token.support.RegistrationClaimsSet;
import net.shibboleth.idp.profile.context.navigate.ResponderIdLookupFunction;
import net.shibboleth.idp.profile.function.SpringFlowScopeLookupFunction;
import net.shibboleth.oidc.metadata.policy.MetadataPolicy;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.security.AccessControlService;
import net.shibboleth.utilities.java.support.security.DataSealer;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy;
import net.shibboleth.utilities.java.support.security.impl.SecureRandomIdentifierGenerationStrategy;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/admin/impl/IssueRegistrationAccessToken.class */
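/**
 * Admin API action that mints a registration access token for the OIDC dynamic client
 * registration endpoint.
 *
 * <p>{@link #doPreExecute} resolves and validates the token parameters (identifier generator,
 * issuer, metadata policy and/or policy ID, optional client ID, lifetime). {@link #doExecute}
 * first runs the per-parameter access control checks against the configured
 * {@link AccessControlService} policies, then builds a {@link RegistrationClaimsSet}, seals it
 * with the {@link DataSealer} and hands it back as a bearer {@link AccessTokenResponse}.</p>
 *
 * <p>Security notes:</p>
 * <ul>
 *   <li>The sealed token is a bearer credential and is never written to the log.</li>
 *   <li>A requested lifetime is capped at the configured default; an unparsable or non-positive
 *       lifetime is rejected with an "Invalid Request" error instead of being silently accepted
 *       (previously a parse failure left the lifetime unset and the action later failed with a
 *       NullPointerException).</li>
 *   <li>Each of policyId, policyLocation and clientId is only honoured when a matching access
 *       control policy name is configured and that policy grants access.</li>
 * </ul>
 */
public class IssueRegistrationAccessToken extends AbstractAdminApiProfileAction {

    /** Sealer used to encrypt/integrity-protect the claims set. */
    @NonnullAfterInit
    private DataSealer dataSealer;

    /** Service that resolves the named access control policies below. */
    @NonnullAfterInit
    private AccessControlService accessControlService;

    /** Name of the access control policy governing use of the policyLocation parameter. */
    @NotEmpty
    @Nullable
    private String policyLocationPolicyName;

    /** Name of the access control policy governing use of the policyId parameter. */
    @NotEmpty
    @Nullable
    private String policyIdPolicyName;

    /** Name of the access control policy governing use of the clientId parameter. */
    @NotEmpty
    @Nullable
    private String clientIdPolicyName;

    /** Strategy that resolves the metadata policy to embed in the token. */
    @NonnullAfterInit
    private Function<ProfileRequestContext, Map<String, MetadataPolicy>> metadataPolicyLookupStrategy;

    /** Per-request state resolved in {@link #doPreExecute}. */
    @Nullable
    private IdentifierGenerationStrategy idGenerator;

    @Nullable
    private Map<String, MetadataPolicy> metadataPolicy;

    @Nonnull
    private String issuer;

    @Nullable
    private String policyLocation;

    @Nullable
    private String policyId;

    @Nullable
    private String clientId;

    /** Effective lifetime of the issued token; always set when doPreExecute returns true. */
    @Nullable
    private Duration tokenLifetime;

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(IssueRegistrationAccessToken.class);

    /** Defaults to a secure-random identifier generator for the token's identifier. */
    @Nonnull
    private Function<ProfileRequestContext, IdentifierGenerationStrategy> idGeneratorLookupStrategy = FunctionSupport.constant(new SecureRandomIdentifierGenerationStrategy());

    @NonnullAfterInit
    private Function<ProfileRequestContext, String> issuerLookupStrategy = new ResponderIdLookupFunction();

    @Nonnull
    private Function<ProfileRequestContext, String> tokenLifetimeLookupStrategy = new SpringFlowScopeLookupFunction(IssueRegistrationAccessTokenArguments.URL_PARAM_LIFETIME);

    @Nonnull
    private Function<ProfileRequestContext, String> policyLocationLookupStrategy = new SpringFlowScopeLookupFunction(IssueRegistrationAccessTokenArguments.URL_PARAM_POLICY_LOCATION);

    @Nonnull
    private Function<ProfileRequestContext, String> policyIdLookupStrategy = new SpringFlowScopeLookupFunction(IssueRegistrationAccessTokenArguments.URL_PARAM_POLICY_ID);

    @Nonnull
    private Function<ProfileRequestContext, String> clientIdLookupStrategy = new SpringFlowScopeLookupFunction("clientId");

    @Nonnull
    private Function<ProfileRequestContext, String> replacementLookupStrategy = new SpringFlowScopeLookupFunction(IssueRegistrationAccessTokenArguments.URL_PARAM_REPLACEMENT);

    /** Upper bound and fallback for the token lifetime. */
    @Nullable
    private Duration defaultTokenLifetime = Duration.ofDays(1);

    /**
     * Sets the sealer used to protect the claims set.
     *
     * @param sealer the data sealer, must not be null
     */
    public void setSealer(@Nonnull final DataSealer sealer) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        dataSealer = Constraint.isNotNull(sealer, "Data sealer cannot be null");
    }

    /**
     * Sets the access control service used to resolve the policy names.
     *
     * @param service the access control service, must not be null
     */
    public void setAccessControlService(@Nonnull final AccessControlService service) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        accessControlService = Constraint.isNotNull(service, "AccessControlService cannot be null");
    }

    /**
     * Sets the strategy used to locate the identifier generator for the token ID.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setIdentifierGeneratorLookupStrategy(@Nonnull final Function<ProfileRequestContext, IdentifierGenerationStrategy> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        idGeneratorLookupStrategy = Constraint.isNotNull(function, "IdentifierGenerationStrategy lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to resolve the token issuer.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setIssuerLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        issuerLookupStrategy = Constraint.isNotNull(function, "Issuer lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to resolve the metadata policy embedded in the token.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setMetadataPolicyLookupStrategy(@Nonnull final Function<ProfileRequestContext, Map<String, MetadataPolicy>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        metadataPolicyLookupStrategy = Constraint.isNotNull(function, "Metadata policy lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to read the requested token lifetime (an ISO-8601 duration string).
     *
     * @param function the lookup strategy, must not be null
     */
    public void setTokenLifetimeLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        tokenLifetimeLookupStrategy = Constraint.isNotNull(function, "Token lifetime lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to read the requested policy location.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setPolicyLocationLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        policyLocationLookupStrategy = Constraint.isNotNull(function, "Policy location lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to read the requested policy ID.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setPolicyIdLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        policyIdLookupStrategy = Constraint.isNotNull(function, "Policy ID lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to read the requested client ID.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setClientIdLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        clientIdLookupStrategy = Constraint.isNotNull(function, "Client ID lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to read the "replacement" flag that accompanies a client ID.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setReplacementLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        replacementLookupStrategy = Constraint.isNotNull(function, "Replacement lookup strategy cannot be null");
    }

    /**
     * Sets the access control policy name that governs use of the policyLocation parameter.
     *
     * @param name policy name; blank is treated as unset, which disallows the parameter
     */
    public void setPolicyLocationPolicyName(@NotEmpty @Nullable final String name) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        policyLocationPolicyName = StringSupport.trimOrNull(name);
    }

    /**
     * Sets the access control policy name that governs use of the policyId parameter.
     *
     * @param name policy name; blank is treated as unset, which disallows the parameter
     */
    public void setPolicyIdPolicyName(@NotEmpty @Nullable final String name) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        policyIdPolicyName = StringSupport.trimOrNull(name);
    }

    /**
     * Sets the access control policy name that governs use of the clientId parameter.
     *
     * @param name policy name; blank is treated as unset, which disallows the parameter
     */
    public void setClientIdPolicyName(@NotEmpty @Nullable final String name) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        clientIdPolicyName = StringSupport.trimOrNull(name);
    }

    /**
     * Sets the default token lifetime, which is also the maximum a caller may request.
     *
     * @param duration the lifetime, must not be null
     */
    public void setDefaultTokenLifetime(@Nonnull final Duration duration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        defaultTokenLifetime = Constraint.isNotNull(duration, "Default token lifetime cannot be null");
    }

    /** {@inheritDoc} */
    @Override
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (dataSealer == null) {
            throw new ComponentInitializationException("DataSealer cannot be null");
        }
        if (accessControlService == null) {
            throw new ComponentInitializationException("AccessControlService cannot be null");
        }
        if (metadataPolicyLookupStrategy == null) {
            throw new ComponentInitializationException("Metadata policy lookup strategy cannot be null");
        }
    }

    /**
     * Resolves and validates the request parameters, writing an error response and returning
     * false when they are unusable.
     *
     * @param profileRequestContext the current profile request context
     * @return true iff all parameters were resolved and {@link #doExecute} should run
     */
    @Override
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        idGenerator = idGeneratorLookupStrategy.apply(profileRequestContext);
        try {
            if (idGenerator == null) {
                log.error("{} No identifier generation strategy", getLogPrefix());
                sendError(500, "Internal Server Error", "System misconfiguration.");
                return false;
            }
            issuer = issuerLookupStrategy.apply(profileRequestContext);
            if (issuer == null) {
                log.error("{} No issuer could be resolved", getLogPrefix());
                sendError(500, "Internal Server Error", "System misconfiguration.");
                return false;
            }
            policyLocation = policyLocationLookupStrategy.apply(profileRequestContext);
            policyId = policyIdLookupStrategy.apply(profileRequestContext);
            metadataPolicy = metadataPolicyLookupStrategy.apply(profileRequestContext);
            // A location that resolves to nothing is a caller error, not a fallback case.
            if (policyLocation != null && metadataPolicy == null) {
                log.warn("{} No metadata policy could be resolved from the given location: {}", getLogPrefix(), policyLocation);
                sendError(AbstractBuildErrorResponseFromEvent.DEFAULT_HTTP_STATUS_CODE, "Invalid Request", "No metadata policy or policy ID could be resolved.");
                return false;
            }
            // The token must carry either a concrete metadata policy or a reference to one.
            if (metadataPolicy == null && policyId == null) {
                log.warn("{} No metadata policy or policy ID could be resolved", getLogPrefix());
                sendError(AbstractBuildErrorResponseFromEvent.DEFAULT_HTTP_STATUS_CODE, "Invalid Request", "No metadata policy or policy ID could be resolved.");
                return false;
            }
            clientId = clientIdLookupStrategy.apply(profileRequestContext);
            return resolveTokenLifetime(profileRequestContext);
        } catch (final IOException e) {
            log.error("{} I/O error issuing API response", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "InputOutputError");
            return false;
        }
    }

    /**
     * Resolves the effective token lifetime from the request, falling back to the default when
     * none is requested and capping anything longer than the default.
     *
     * <p>An unparsable or non-positive lifetime is rejected: previously a parse failure left
     * {@link #tokenLifetime} unset and {@link #doExecute} then dereferenced null.</p>
     *
     * @param profileRequestContext the current profile request context
     * @return true iff a usable lifetime was set
     * @throws IOException if the error response could not be written
     */
    private boolean resolveTokenLifetime(@Nonnull final ProfileRequestContext profileRequestContext) throws IOException {
        final String requested = tokenLifetimeLookupStrategy.apply(profileRequestContext);
        if (requested == null) {
            log.debug("{} No token lifetime specified, using default", getLogPrefix());
            tokenLifetime = defaultTokenLifetime;
            return true;
        }
        final Duration parsed;
        try {
            parsed = Duration.parse(requested);
        } catch (final DateTimeParseException e) {
            log.warn("{} Token lifetime was not in a supported format", getLogPrefix(), e);
            sendError(AbstractBuildErrorResponseFromEvent.DEFAULT_HTTP_STATUS_CODE, "Invalid Request", "Token lifetime was not in a supported format.");
            return false;
        }
        if (parsed.isZero() || parsed.isNegative()) {
            log.warn("{} Requested token lifetime {} is not positive", getLogPrefix(), parsed);
            sendError(AbstractBuildErrorResponseFromEvent.DEFAULT_HTTP_STATUS_CODE, "Invalid Request", "Token lifetime must be a positive duration.");
            return false;
        }
        if (parsed.compareTo(defaultTokenLifetime) > 0) {
            log.warn("{} Requested token lifetime {} greater than default {}, lowering to default", getLogPrefix(), parsed, defaultTokenLifetime);
            tokenLifetime = defaultTokenLifetime;
        } else {
            tokenLifetime = parsed;
        }
        return true;
    }

    /**
     * Enforces the access control policies, then builds, seals and returns the token.
     *
     * @param profileRequestContext the current profile request context
     */
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!checkAccess(profileRequestContext)) {
            return;
        }
        final Instant now = Instant.now();
        final RegistrationClaimsSet.Builder builder = new RegistrationClaimsSet.Builder(idGenerator.generateIdentifier())
                .withIssuer(issuer)
                .withIssuedAt(now)
                .withExpiration(now.plus(tokenLifetime))
                .withMetadata(metadataPolicy)
                .withRelyingPartyId(policyId);
        if (clientId != null) {
            // Boolean.valueOf(null) is false, so an absent replacement flag means "no replacement".
            builder.withClientId(clientId)
                    .withReplacement(Boolean.valueOf(replacementLookupStrategy.apply(profileRequestContext)));
        }
        addAuthenticationClaims(profileRequestContext, builder);
        final RegistrationClaimsSet claims = builder.build();
        try {
            final String json = getObjectMapper().writeValueAsString(claims);
            log.debug("{} Built the following JSON to be sealed {}", getLogPrefix(), json);
            // The sealer's own expiration is aligned with the token's so it cannot be unwrapped afterwards.
            final String sealed = dataSealer.wrap(json, claims.getExpiration());
            // The sealed value is the bearer credential itself; log its size, never its content.
            log.debug("{} Sealed the claims set into a {}-character token", getLogPrefix(), sealed.length());
            final AccessTokenResponse response = new AccessTokenResponse(
                    new Tokens(new BearerAccessToken(sealed, tokenLifetime.getSeconds(), (Scope) null), (RefreshToken) null));
            final MessageContext outbound = new MessageContext();
            outbound.setMessage(response);
            profileRequestContext.setOutboundMessageContext(outbound);
        } catch (final JsonProcessingException e) {
            log.error("{} Could not build JSON", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "InputOutputError");
        } catch (final DataSealerException e) {
            log.error("{} Could not encrypt the claims set", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "InputOutputError");
        }
    }

    /**
     * Checks each supplied parameter against its configured access control policy.
     *
     * <p>A parameter that is present but has no configured policy name is denied (fail closed).
     * policyId and policyLocation are checked with the "read" operation, clientId with "write".</p>
     *
     * <p>NOTE(review): when none of policyId, policyLocation or clientId is present (a metadata
     * policy resolved without a location), no policy is consulted here and access rests on
     * whatever gating the enclosing admin flow applies — confirm that is intended.</p>
     *
     * @param profileRequestContext the current profile request context
     * @return true iff every supplied parameter is permitted
     */
    private boolean checkAccess(@Nonnull final ProfileRequestContext profileRequestContext) {
        try {
            if (policyId != null) {
                if (policyIdPolicyName == null) {
                    log.warn("{} No policy name governing policyId usage, disallowing access", getLogPrefix());
                    sendError(403, "Access Denied", "No policy name governing policyId usage, disallowing access.");
                    return false;
                }
                if (!accessControlService.getInstance(policyIdPolicyName).checkAccess(getHttpServletRequest(), "read", policyId)) {
                    sendError(403, "Access Denied", "Operation is not allowed with the current policy.");
                    return false;
                }
            }
            if (policyLocation != null) {
                if (policyLocationPolicyName == null) {
                    log.warn("{} No policy name governing policyLocation usage, disallowing access", getLogPrefix());
                    sendError(403, "Access Denied", "No policy name governing policyLocation usage, disallowing access.");
                    return false;
                }
                if (!accessControlService.getInstance(policyLocationPolicyName).checkAccess(getHttpServletRequest(), "read", policyLocation)) {
                    sendError(403, "Access Denied", "Operation is not allowed with the current policy.");
                    return false;
                }
            }
            if (clientId != null) {
                if (clientIdPolicyName == null) {
                    log.warn("{} No policy name governing clientId usage, disallowing access", getLogPrefix());
                    sendError(403, "Access Denied", "No policy name governing clientId usage, disallowing access.");
                    return false;
                }
                if (!accessControlService.getInstance(clientIdPolicyName).checkAccess(getHttpServletRequest(), "write", clientId)) {
                    sendError(403, "Access Denied", "Operation is not allowed with the current policy.");
                    return false;
                }
            }
            return true;
        } catch (final IOException e) {
            log.error("{} I/O error issuing API response", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "InputOutputError");
            return false;
        }
    }

    /**
     * Copies the authenticating admin's authentication instant and principal name, when
     * available, into the claims set so the token records who issued it.
     *
     * @param profileRequestContext the current profile request context
     * @param builder the claims set builder to populate
     */
    private void addAuthenticationClaims(@Nonnull final ProfileRequestContext profileRequestContext, @Nonnull final RegistrationClaimsSet.Builder builder) {
        final AuthenticationContext authnCtx = profileRequestContext.getSubcontext(AuthenticationContext.class);
        if (authnCtx != null && authnCtx.getAuthenticationResult() != null) {
            builder.withAuthTime(authnCtx.getAuthenticationResult().getAuthenticationInstant());
        }
        final SubjectContext subjectCtx = profileRequestContext.getSubcontext(SubjectContext.class);
        if (subjectCtx != null && subjectCtx.getPrincipalName() != null) {
            builder.withPrincipal(subjectCtx.getPrincipalName());
        }
    }
}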
