package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.jose.util.Base64URL;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.DefaultRequestCodeVerifierLookupFunction;
import net.shibboleth.oidc.profile.config.logic.AllowPKCEPlainPredicate;
import net.shibboleth.oidc.profile.config.logic.ForcePKCEPredicate;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/ValidatePKCE.class */
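/**
 * Action that validates the PKCE {@code code_verifier} presented to the token endpoint against the
 * {@code code_challenge} recorded in the authorization-code ("ac") grant claims set.
 *
 * <p>The recorded challenge value carries the challenge method as a prefix ({@code "plain"} or
 * {@code "S256"}) followed by the challenge itself; this action parses it that way, so the producer of the
 * claims set must agree with that layout (NOTE(review): confirm against the claims-set producer).</p>
 *
 * <p>Events emitted: {@code InvalidProfileContext} when no validated grant claims set is available,
 * {@code InvalidMessage} when a challenge or verifier is missing, the method is unknown, or the plain
 * method is disallowed, and {@code MessageAuthenticationError} when the verifier does not match the
 * challenge (or SHA-256 is unavailable). No event is emitted on success.</p>
 *
 * <p>The verifier is a client secret for the duration of the exchange and is therefore never written
 * to the log; challenge/verifier comparisons are done in constant time.</p>
 */
public class ValidatePKCE extends AbstractOIDCResponseAction {

    /** Method prefix recorded in front of a plain code challenge. */
    private static final String METHOD_PLAIN = "plain";

    /** Method prefix recorded in front of an S256 code challenge. */
    private static final String METHOD_S256 = "S256";

    /** Grant claims-set type that denotes an authorization code. */
    private static final String GRANT_TYPE_AUTHZ_CODE = "ac";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidatePKCE.class);

    /** Strategy used to locate the code verifier in the token request. */
    @Nonnull
    private Function<ProfileRequestContext, String> codeVerifierLookupStrategy = new DefaultRequestCodeVerifierLookupFunction();

    /** Condition deciding whether PKCE is mandatory for this request. */
    @Nonnull
    private Predicate<ProfileRequestContext> forcePKCECondition = new ForcePKCEPredicate();

    /** Condition deciding whether the plain challenge method is acceptable for this request. */
    @Nonnull
    private Predicate<ProfileRequestContext> allowPKCEPlainCondition = new AllowPKCEPlainPredicate();

    /** Result of {@link #forcePKCECondition} for the current request. */
    private boolean forcePKCE;

    /** Result of {@link #allowPKCEPlainCondition} for the current request. */
    private boolean plainPKCE;

    /** Method-prefixed code challenge taken from the grant claims set, or null/empty if none. */
    @Nullable
    private String codeChallenge;

    /** Code verifier taken from the token request, or null/empty if none. */
    @Nullable
    private String codeVerifier;

    /**
     * Sets the condition deciding whether PKCE is mandatory.
     *
     * @param predicate condition to apply, must not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setForcePKCECondition(@Nonnull final Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        forcePKCECondition = Constraint.isNotNull(predicate, "Condition cannot be null");
    }

    /**
     * Sets the condition deciding whether the plain challenge method is acceptable.
     *
     * @param predicate condition to apply, must not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setAllowPKCEPlainCondition(@Nonnull final Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        allowPKCEPlainCondition = Constraint.isNotNull(predicate, "Condition cannot be null");
    }

    /**
     * Sets the strategy used to locate the code verifier in the token request.
     *
     * @param function lookup strategy, must not be null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setCodeVerifierLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        codeVerifierLookupStrategy = Constraint.isNotNull(function, "CodeVerifier lookup strategy cannot be null");
    }

    /**
     * Collects the challenge, verifier and policy decisions needed by {@link #doExecute}.
     *
     * @param profileRequestContext current profile request context
     * @return true only when an authorization-code grant is present and PKCE must be checked, i.e. a
     *         challenge was recorded or PKCE is forced
     */
    // Decompiler note: declared protected upstream; kept public here to preserve the decompiled signature.
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCResponseAction
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        final var grantClaims = getOidcResponseContext().getAuthorizationGrantClaimsSet();
        if (grantClaims == null) {
            log.warn("{} No validated authorization grant claims set available", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        if (!GRANT_TYPE_AUTHZ_CODE.equals(grantClaims.getType())) {
            // PKCE only binds authorization codes; other grant types carry no challenge.
            log.debug("{} No authorization code presented, PKCE not applied, nothing to do", getLogPrefix());
            return false;
        }
        forcePKCE = forcePKCECondition.test(profileRequestContext);
        plainPKCE = allowPKCEPlainCondition.test(profileRequestContext);
        codeChallenge = grantClaims.getCodeChallenge();
        if ((codeChallenge == null || codeChallenge.isEmpty()) && !forcePKCE) {
            log.debug("{} No PKCE code challenge in request, nothing to do", getLogPrefix());
            return false;
        }
        codeVerifier = codeVerifierLookupStrategy.apply(profileRequestContext);
        return true;
    }

    /**
     * Verifies the code verifier against the recorded challenge, emitting an event on any failure.
     *
     * @param profileRequestContext current profile request context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (codeChallenge == null || codeChallenge.isEmpty()) {
            // Only reachable when PKCE was forced in doPreExecute but the client sent no challenge.
            log.warn("{} No PKCE code challenge presented in authentication request even though required to access token endpoint", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        }
        if (codeVerifier == null || codeVerifier.isEmpty()) {
            log.warn("{} No PKCE code verifier for code challenge presented in token request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        }
        if (codeChallenge.startsWith(METHOD_PLAIN)) {
            if (!plainPKCE) {
                log.warn("{} Plain PKCE code challenge method not allowed", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
                return;
            }
            final String expected = codeChallenge.substring(METHOD_PLAIN.length());
            // With the plain method the challenge IS the verifier, so neither value is logged.
            if (!constantTimeEquals(expected, codeVerifier)) {
                log.warn("{} PKCE plain code challenge not matching code verifier", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "MessageAuthenticationError");
            }
            return;
        }
        if (!codeChallenge.startsWith(METHOD_S256)) {
            log.warn("{} Unknown code challenge method", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        }
        final String expected = codeChallenge.substring(METHOD_S256.length());
        final String actual;
        try {
            actual = computeS256Challenge(codeVerifier);
        } catch (final NoSuchAlgorithmException e) {
            log.warn("{} PKCE S256 code challenge verification requires SHA-256", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "MessageAuthenticationError");
            return;
        }
        // The challenge and the recomputed digest are one-way derivations; the verifier itself stays out of the log.
        if (!constantTimeEquals(expected, actual)) {
            log.warn("{} PKCE code challenge {} not matching digest {} of code verifier", getLogPrefix(), expected, actual);
            ActionSupport.buildEvent(profileRequestContext, "MessageAuthenticationError");
        }
    }

    /**
     * Computes the S256 challenge for a verifier: unpadded base64url of SHA-256 over the UTF-8 bytes.
     *
     * @param verifier code verifier
     * @return the derived challenge
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable in the runtime
     */
    @Nonnull
    private static String computeS256Challenge(@Nonnull final String verifier) throws NoSuchAlgorithmException {
        final byte[] digest = MessageDigest.getInstance("SHA-256").digest(verifier.getBytes(StandardCharsets.UTF_8));
        return Base64URL.encode(digest).toString();
    }

    /**
     * Compares two strings without leaking their content through comparison timing.
     *
     * @param expected recorded value
     * @param actual presented or derived value
     * @return true if both encode to identical UTF-8 byte sequences
     */
    private static boolean constantTimeEquals(@Nonnull final String expected, @Nonnull final String actual) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }
}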
