package net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCAuthenticationResponseTokenClaimsContext;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.ClientInfoAudienceLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.DefaultOIDCMetadataContextLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.TokenRequestAudienceLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCAuthenticationResponseAction;
import net.shibboleth.idp.plugin.oidc.op.profile.logic.IssueIDTokenCondition;
import net.shibboleth.idp.profile.context.navigate.RelyingPartyIdLookupFunction;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.ProxiedRequesterContext;
import org.opensaml.profile.context.navigate.OutboundMessageContextLookup;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/oauth2/profile/impl/ValidateAudience.class */
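/**
 * Action that computes the audience of the tokens about to be issued.
 *
 * <p>The audience is built from the audiences requested by the client, restricted to the audiences the
 * client is allowed to use (by default read from the client's registered metadata) and, when an
 * authorization grant with an audience is being redeemed, further restricted to the audiences that grant
 * already carried. Requested values failing either check are dropped with a warning rather than honored,
 * so a token request cannot widen the audience beyond what was registered and previously granted.</p>
 *
 * <p>When no audience survives, the outcome depends on {@link #setSelfAudienceCondition(Predicate)}: if the
 * condition holds the OP itself will be the sole audience and the action completes normally, otherwise the
 * {@code InvalidTarget} event is signaled.</p>
 *
 * <p>On success the computed audience is added both to the OIDC response context and to a
 * {@link ProxiedRequesterContext} obtained through
 * {@link #setProxiedRequesterContextCreationStrategy(Function)}; failure to obtain that context signals
 * {@code InvalidProfileContext}.</p>
 */
public class ValidateAudience extends AbstractOIDCAuthenticationResponseAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateAudience.class);

    // NOTE(review): this field is never read in this class and has no setter; confirm it is unused
    // elsewhere (e.g. via reflection) before removing it.
    @Nonnull
    private Function<ProfileRequestContext, OIDCAuthenticationResponseTokenClaimsContext> tokenClaimsContextLookupStrategy;

    /** Strategy yielding the audiences requested by the client; may be null to disable explicit requests. */
    @Nullable
    private Function<ProfileRequestContext, List<String>> requestedAudienceLookupStrategy =
            new TokenRequestAudienceLookupFunction();

    /** Strategy yielding the relying party ID, used only for logging here. */
    @Nonnull
    private Function<ProfileRequestContext, String> relyingPartyIdLookupStrategy = new RelyingPartyIdLookupFunction();

    /** Strategy yielding the audiences the client is allowed to request. */
    @Nonnull
    private Function<ProfileRequestContext, List<String>> allowedAudienceLookupStrategy =
            new ClientInfoAudienceLookupFunction().compose(new DefaultOIDCMetadataContextLookupFunction());

    /** Strategy locating (or creating) the {@link ProxiedRequesterContext} that receives the computed audience. */
    @Nonnull
    private Function<ProfileRequestContext, ProxiedRequesterContext> proxiedRequesterContextCreationStrategy =
            new ChildContextLookup<>(ProxiedRequesterContext.class, true).compose(new OutboundMessageContextLookup());

    /** Condition deciding whether the OP may be the sole audience when nothing else can be granted. */
    @Nonnull
    private Predicate<ProfileRequestContext> selfAudienceCondition = new IssueIDTokenCondition();

    /**
     * Set the strategy used to look up the relying party ID.
     *
     * @param function the lookup strategy, never null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the argument is null
     */
    public void setRelyingPartyIdLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        relyingPartyIdLookupStrategy = Constraint.isNotNull(function, "Relying party ID lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to look up the audiences requested by the client.
     *
     * <p>When null, no explicit request is consulted and the audience of the authorization grant being
     * redeemed (if any) is treated as the request instead.</p>
     *
     * @param function the lookup strategy, may be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setRequestedAudienceLookupStrategy(
            @Nullable final Function<ProfileRequestContext, List<String>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        requestedAudienceLookupStrategy = function;
    }

    /**
     * Set the strategy used to look up the audiences the client is allowed to request.
     *
     * @param function the lookup strategy, never null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the argument is null
     */
    public void setAllowedAudienceLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, List<String>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        allowedAudienceLookupStrategy = Constraint.isNotNull(function, "Allowed audience lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to locate or create the {@link ProxiedRequesterContext} to populate.
     *
     * @param function the lookup/creation strategy, never null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the argument is null
     */
    public void setProxiedRequesterContextCreationStrategy(
            @Nonnull final Function<ProfileRequestContext, ProxiedRequesterContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        proxiedRequesterContextCreationStrategy =
                Constraint.isNotNull(function, "ProxiedRequesterContext lookup strategy cannot be null");
    }

    /**
     * Set the condition deciding whether the OP may be the sole audience when no other audience is granted.
     *
     * @param predicate the condition, never null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the argument is null
     */
    public void setSelfAudienceCondition(@Nonnull final Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        selfAudienceCondition = Constraint.isNotNull(predicate, "Self audience condition cannot be null");
    }

    /**
     * Compute the audience and store it in the response context and the proxied requester context.
     *
     * @param profileRequestContext the current profile request context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        final String relyingPartyId = relyingPartyIdLookupStrategy.apply(profileRequestContext);
        final boolean selfAudienceAllowed = selfAudienceCondition.test(profileRequestContext);
        final List<String> allowedAudiences = allowedAudienceLookupStrategy.apply(profileRequestContext);

        // Audience carried by the grant being redeemed (code, refresh token, ...), if there is one.
        List<String> grantedAudiences = getOidcResponseContext().getAuthorizationGrantClaimsSet() != null
                ? getOidcResponseContext().getAuthorizationGrantClaimsSet().getAudience() : null;
        List<String> requestedAudiences = requestedAudienceLookupStrategy != null
                ? requestedAudienceLookupStrategy.apply(profileRequestContext) : null;

        if (isNullOrEmpty(allowedAudiences)) {
            if (!selfAudienceAllowed) {
                log.warn("{} No allowed audience for client {}", getLogPrefix(), relyingPartyId);
                ActionSupport.buildEvent(profileRequestContext, "InvalidTarget");
            } else if (isNullOrEmpty(grantedAudiences) && isNullOrEmpty(requestedAudiences)) {
                log.debug("{} No allowed audiences for client {}, OP will be sole audience", getLogPrefix(),
                        relyingPartyId);
            } else {
                // Something was requested or previously granted but the client is registered for nothing:
                // it is silently reduced to the OP, so make that visible at warn level.
                log.warn("{} No allowed audiences for client {}, OP will be sole audience", getLogPrefix(),
                        relyingPartyId);
            }
            return;
        }

        if (requestedAudiences == null) {
            // No explicit request is available: the grant's own audience is what is being renewed, so it
            // becomes the request and the "previously granted" check below no longer applies.
            requestedAudiences = grantedAudiences;
            grantedAudiences = null;
        }

        if (isNullOrEmpty(requestedAudiences)) {
            if (selfAudienceAllowed) {
                log.debug("{} No audience in request for client {}, OP will be sole audience", getLogPrefix(),
                        relyingPartyId);
                return;
            }
            log.debug("{} No audience in request for client {}, using first allowed", getLogPrefix(),
                    relyingPartyId);
            requestedAudiences = Collections.singletonList(allowedAudiences.get(0));
        }

        final List<String> audience =
                filterRequestedAudiences(requestedAudiences, allowedAudiences, grantedAudiences, relyingPartyId);

        if (audience.isEmpty()) {
            if (selfAudienceAllowed) {
                log.debug("{} No allowed audience for client {}, OP will be sole audience", getLogPrefix(),
                        relyingPartyId);
            } else {
                log.warn("{} No allowed audience for client {}", getLogPrefix(), relyingPartyId);
                ActionSupport.buildEvent(profileRequestContext, "InvalidTarget");
            }
            return;
        }

        log.debug("{} Computed audience for client {}: {}", getLogPrefix(), relyingPartyId, audience);
        getOidcResponseContext().getAudience().addAll(audience);

        final ProxiedRequesterContext proxiedRequesterContext =
                proxiedRequesterContextCreationStrategy.apply(profileRequestContext);
        if (proxiedRequesterContext == null) {
            log.error("{} Unable to locate/create ProxiedRequesterContext", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return;
        }
        proxiedRequesterContext.getRequesters().addAll(audience);
    }

    /**
     * Keep only the requested audiences that are registered for the client and, when a previously granted
     * audience is known, that were part of that earlier grant. Rejected values are logged at warn level.
     *
     * @param requestedAudiences audiences asked for by the client (non-empty)
     * @param allowedAudiences audiences the client is registered for (non-empty)
     * @param grantedAudiences audiences of the grant being redeemed, or null to skip that check
     * @param relyingPartyId relying party ID, for logging only
     *
     * @return the surviving audiences, in request order; possibly empty, never null
     */
    @Nonnull
    private List<String> filterRequestedAudiences(@Nonnull final List<String> requestedAudiences,
            @Nonnull final List<String> allowedAudiences, @Nullable final List<String> grantedAudiences,
            @Nullable final String relyingPartyId) {
        final List<String> result = new ArrayList<>(requestedAudiences.size());
        for (final String candidate : requestedAudiences) {
            if (!allowedAudiences.contains(candidate)) {
                log.warn("{} Omitting requested but unregistered audience {} for RP {}", getLogPrefix(), candidate,
                        relyingPartyId);
            } else if (grantedAudiences != null && !grantedAudiences.contains(candidate)) {
                log.warn("{} Omitting requested but previously ungranted audience {} for RP {}", getLogPrefix(),
                        candidate, relyingPartyId);
            } else {
                result.add(candidate);
            }
        }
        return result;
    }

    /**
     * Null-safe emptiness check.
     *
     * @param list the list to check
     *
     * @return true iff the list is null or empty
     */
    private static boolean isNullOrEmpty(@Nullable final List<String> list) {
        return list == null || list.isEmpty();
    }
}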
