package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformationResponse;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.time.Instant;
import java.util.Date;
import java.util.function.Function;
import javax.annotation.Nonnull;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCClientRegistrationResponseContext;
import net.shibboleth.idp.profile.AbstractProfileAction;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/BuildClientInformation.class */
/**
 * Profile action that assembles the OIDC dynamic client registration response.
 *
 * <p>It reads the client ID, client metadata and (when applicable) the client secret from the
 * {@link OIDCClientRegistrationResponseContext} found under the outbound message context, wraps
 * them in an {@link OIDCClientInformationResponse} and installs that as the outbound message.</p>
 *
 * <p>Security notes for reviewers:</p>
 * <ul>
 * <li>The response built here carries the client secret in clear text. None of the log statements
 * in this class receives the secret value; keep it that way when adding diagnostics.</li>
 * <li>A secret expiration time present in the context is logged and then dropped: the
 * {@link Secret} is created without an expiration date, so this response cannot convey one.
 * NOTE(review): confirm whether expiry is enforced elsewhere and whether clients should be told.</li>
 * <li>Per-execution state is kept in instance fields. NOTE(review): this presumably relies on one
 * action instance per request; confirm against the bean scope used to wire it.</li>
 * </ul>
 */
public class BuildClientInformation extends AbstractProfileAction {

    /** Event signalled when the profile request context has no outbound message context. */
    private static final String EVENT_INVALID_PROFILE_CTX = "InvalidProfileContext";

    /** Event signalled when the response context or one of its required values is missing. */
    private static final String EVENT_INVALID_MSG_CTX = "InvalidMessageContext";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(BuildClientInformation.class);

    /** Strategy that locates the registration response context under the outbound message context. */
    @Nonnull
    private Function<MessageContext, OIDCClientRegistrationResponseContext> oidcResponseContextLookupStrategy =
            new ChildContextLookup<>(OIDCClientRegistrationResponseContext.class);

    /** Outbound message context resolved in {@link #doPreExecute(ProfileRequestContext)}. */
    private MessageContext messageContext;

    /** Registration response context resolved in {@link #doPreExecute(ProfileRequestContext)}. */
    private OIDCClientRegistrationResponseContext oidcResponseContext;

    /**
     * Replaces the strategy used to find the {@link OIDCClientRegistrationResponseContext}.
     *
     * @param function lookup strategy, must not be null; rejected once the component is initialized
     */
    public void setOidcResponseContextLookupStrategy(@Nonnull Function<MessageContext, OIDCClientRegistrationResponseContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.oidcResponseContextLookupStrategy =
                Constraint.isNotNull(function, "OIDCClientRegistrationResponseContext lookup strategy cannot be null");
    }

    /**
     * Resolves the outbound message context and the registration response context below it.
     *
     * @param profileRequestContext current profile request context
     * @return {@code true} only when the superclass check passes and both contexts were found;
     *         otherwise an error is logged, an event is built and {@code false} is returned
     */
    protected boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }

        final MessageContext outbound = profileRequestContext.getOutboundMessageContext();
        this.messageContext = outbound;
        if (outbound == null) {
            this.log.error("{} No message context found", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_PROFILE_CTX);
            return false;
        }

        final OIDCClientRegistrationResponseContext responseCtx = this.oidcResponseContextLookupStrategy.apply(outbound);
        this.oidcResponseContext = responseCtx;
        if (responseCtx == null) {
            this.log.error("{} No OIDC response context found", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_MSG_CTX);
            return false;
        }
        return true;
    }

    /**
     * Builds the client information response and sets it as the outbound message.
     *
     * <p>Fails with an {@code InvalidMessageContext} event when the client ID or the metadata is
     * missing, or when the token endpoint authentication method needs a secret and none is present.</p>
     *
     * @param profileRequestContext current profile request context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        final String rawClientId = this.oidcResponseContext.getClientId();
        if (StringSupport.trimOrNull(rawClientId) == null) {
            this.log.error("{} No client ID in the OIDC response context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_MSG_CTX);
            return;
        }
        final ClientID clientID = new ClientID(rawClientId);

        final OIDCClientMetadata metadata = this.oidcResponseContext.getClientMetadata();
        if (metadata == null) {
            this.log.error("{} No client metadata in the OIDC response context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_MSG_CTX);
            return;
        }

        // Methods that do not rely on a shared secret get no secret in the response.
        Secret secret = null;
        if (requiresClientSecret(metadata.getTokenEndpointAuthMethod())) {
            if (StringSupport.trimOrNull(this.oidcResponseContext.getClientSecret()) == null) {
                this.log.error("{} No required client secret in the OIDC response context", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, EVENT_INVALID_MSG_CTX);
                return;
            }
            // Only the expiration time is logged here, never the secret value.
            final Instant expiry = this.oidcResponseContext.getClientSecretExpiresAt();
            if (expiry != null) {
                this.log.warn("{} client secret expiration time {} is ignored", getLogPrefix(), expiry);
            }
            secret = new Secret(this.oidcResponseContext.getClientSecret());
        }

        // Issue date is "now"; the trailing 'true' is passed through unchanged to the response constructor.
        final OIDCClientInformation clientInformation = new OIDCClientInformation(clientID, new Date(), metadata, secret);
        this.messageContext.setMessage(new OIDCClientInformationResponse(clientInformation, true));
        this.log.info("{} Client information successfully added to the outbound context", getLogPrefix());
    }

    /**
     * Tells whether the token endpoint authentication method relies on a client secret.
     *
     * @param method method taken from the client metadata, may be null
     * @return {@code true} for a null method and for {@code client_secret_basic},
     *         {@code client_secret_jwt} and {@code client_secret_post}; {@code false} otherwise
     */
    private static boolean requiresClientSecret(final ClientAuthenticationMethod method) {
        if (method == null) {
            // An unset method is handled like the secret-based ones.
            return true;
        }
        return method.equals(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                || method.equals(ClientAuthenticationMethod.CLIENT_SECRET_JWT)
                || method.equals(ClientAuthenticationMethod.CLIENT_SECRET_POST);
    }
}
