package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.RefreshTokenGrant;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.profile.logic.DefaultChainRevocationLifetimeLookupStrategy;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.idp.plugin.oidc.op.token.support.AuthorizeCodeClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.RefreshTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.TokenClaimsSet;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.oidc.profile.config.logic.RefreshTokensEnabledPredicate;
import net.shibboleth.oidc.profile.config.navigate.RefreshTokenChainLifetimeLookupFunction;
import net.shibboleth.utilities.java.support.annotation.ParameterName;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.security.DataSealer;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.ReplayCache;
import org.opensaml.storage.RevocationCache;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/ValidateGrant.class */
public class ValidateGrant extends AbstractOIDCTokenResponseAction {

    @Nonnull
    private final DataSealer dataSealer;

    @NonnullAfterInit
    private ReplayCache replayCache;

    @NonnullAfterInit
    private RevocationCache revocationCache;

    @Nonnull
    private Function<ProfileRequestContext, Duration> refreshTokenChainLifetimeLookupStrategy;

    @Nullable
    private RelyingPartyContext rpCtx;

    @Nullable
    private Duration refreshTokenChainLifetime;

    @Nonnull
    private Logger log = LoggerFactory.getLogger(ValidateGrant.class);

    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy = new ChildContextLookup(RelyingPartyContext.class);

    @Nonnull
    private Predicate<ProfileRequestContext> refreshTokensEnabledPredicate = new RefreshTokensEnabledPredicate();

    @Nonnull
    private Function<ProfileRequestContext, Duration> chainRevocationLifetimeLookupStrategy = new DefaultChainRevocationLifetimeLookupStrategy();

    public ValidateGrant(@Nonnull @ParameterName(name = "sealer") DataSealer dataSealer) {
        this.dataSealer = (DataSealer) Constraint.isNotNull(dataSealer, "DataSealer cannot be null");
        this.chainRevocationLifetimeLookupStrategy.setUseActiveProfileOnly(false);
        this.refreshTokenChainLifetimeLookupStrategy = new RefreshTokenChainLifetimeLookupFunction();
    }

    public void setRelyingPartyContextLookupStrategy(@Nonnull Function<ProfileRequestContext, RelyingPartyContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.relyingPartyContextLookupStrategy = (Function) Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    public void setRefreshTokensEnabledPredicate(@Nonnull Predicate<ProfileRequestContext> predicate) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.refreshTokensEnabledPredicate = (Predicate) Constraint.isNotNull(predicate, "Refresh tokens enabled predicate cannot be null");
    }

    public void setReplayCache(@Nonnull ReplayCache replayCache) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.replayCache = (ReplayCache) Constraint.isNotNull(replayCache, "ReplayCache cannot be null");
    }

    public void setRevocationCache(@Nonnull RevocationCache revocationCache) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.revocationCache = (RevocationCache) Constraint.isNotNull(revocationCache, "RevocationCache cannot be null");
    }

    public void setChainRevocationLifetimeLookupStrategy(@Nullable Function<ProfileRequestContext, Duration> function) {
        this.chainRevocationLifetimeLookupStrategy = (Function) Constraint.isNotNull(function, "Lookup strategy cannot be null");
    }

    public void setRefreshTokenChainLifetimeLookupStrategy(@Nonnull Function<ProfileRequestContext, Duration> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.refreshTokenChainLifetimeLookupStrategy = (Function) Constraint.isNotNull(function, "Refresh token chain lifetime lookup strategy cannot be null");
    }

    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.replayCache == null || this.revocationCache == null) {
            throw new ComponentInitializationException("ReplayCache and RevocationCache cannot be null");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCTokenResponseAction, net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCRequestAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.rpCtx = this.relyingPartyContextLookupStrategy.apply(profileRequestContext);
        if (this.rpCtx == null) {
            this.log.error("{} No relying party context associated with this profile request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidRelyingPartyContext");
            return false;
        }
        this.refreshTokenChainLifetime = this.refreshTokenChainLifetimeLookupStrategy.apply(profileRequestContext);
        if (this.refreshTokenChainLifetime != null) {
            return true;
        }
        this.log.warn("{} No lifetime supplied for refresh token", getLogPrefix());
        ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
        return false;
    }

    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        String str;
        AuthorizationCodeGrant authorizationGrant = getTokenRequest().getAuthorizationGrant();
        this.log.debug("{} Validating grant type: {}", getLogPrefix(), authorizationGrant.getType());
        TokenClaimsSet tokenClaimsSet = null;
        if (GrantType.AUTHORIZATION_CODE.equals(authorizationGrant.getType())) {
            AuthorizationCodeGrant authorizationCodeGrant = authorizationGrant;
            if (authorizationCodeGrant.getAuthorizationCode() != null && authorizationCodeGrant.getAuthorizationCode().getValue() != null) {
                try {
                    TokenClaimsSet parse = AuthorizeCodeClaimsSet.parse(authorizationCodeGrant.getAuthorizationCode().getValue(), this.dataSealer);
                    this.log.debug("{} Authz code unwrapped {}", getLogPrefix(), parse.serialize());
                    if (!this.replayCache.check(getClass().getName(), parse.getID(), parse.getExp())) {
                        this.log.error("{} Replay detected of authz code {}", getLogPrefix(), parse.getID());
                        if (!revokeChain(parse.getID(), this.chainRevocationLifetimeLookupStrategy.apply(profileRequestContext))) {
                            this.log.warn("{} Fatal error, unable to save replayed code to revocation cache", getLogPrefix());
                        }
                        ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
                        return;
                    }
                    tokenClaimsSet = parse;
                } catch (DataSealerException | ParseException e) {
                    this.log.warn("{} Unwrapping authz code failed: {}", getLogPrefix(), e.getMessage());
                    ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
                    return;
                }
            }
        } else if (GrantType.REFRESH_TOKEN.equals(authorizationGrant.getType())) {
            if (!this.refreshTokensEnabledPredicate.test(profileRequestContext)) {
                this.log.warn("{} Refresh token grant detected, but not enabled", getLogPrefix());
                ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
                return;
            }
            RefreshTokenGrant refreshTokenGrant = (RefreshTokenGrant) authorizationGrant;
            if (refreshTokenGrant.getRefreshToken() != null && refreshTokenGrant.getRefreshToken().getValue() != null) {
                try {
                    TokenClaimsSet parse2 = RefreshTokenClaimsSet.parse(refreshTokenGrant.getRefreshToken().getValue(), this.dataSealer);
                    String rootTokenIdentifier = parse2.getRootTokenIdentifier();
                    if (StringSupport.trimOrNull(rootTokenIdentifier) == null) {
                        this.log.warn("{} No root token identifier returned, using JWT id for checking revocation status", getLogPrefix());
                        str = parse2.getID();
                    } else {
                        str = rootTokenIdentifier;
                    }
                    if (this.revocationCache.isRevoked(RevocationCacheContexts.AUTHORIZATION_CODE, str)) {
                        this.log.error("{} Authz code {} and all derived tokens have been revoked", getLogPrefix(), str);
                        ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
                        return;
                    }
                    if (this.revocationCache.isRevoked(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, parse2.getID())) {
                        this.log.error("{} The refresh token {} has been revoked. Revoking the full chain now.", getLogPrefix(), parse2.getID());
                        if (revokeChain(str, this.chainRevocationLifetimeLookupStrategy.apply(profileRequestContext))) {
                            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
                            return;
                        } else {
                            this.log.error("{} Fatal error, unable to store revocation into the revocation cache", getLogPrefix());
                            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
                            return;
                        }
                    }
                    if (parse2.getChainExp() != null && parse2.getChainExp().isBefore(Instant.now())) {
                        this.log.warn("{} Refresh token chain has expired on {}", getLogPrefix(), parse2.getChainExp());
                        ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
                        return;
                    } else {
                        tokenClaimsSet = parse2;
                        if (Instant.now().isAfter(tokenClaimsSet.getAuthenticationTime().plus((TemporalAmount) this.refreshTokenChainLifetime))) {
                            this.log.warn("{} Refresh token chain is expired, the authentication instant was {}", getLogPrefix(), tokenClaimsSet.getAuthenticationTime());
                            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
                            return;
                        }
                    }
                } catch (ParseException | DataSealerException e2) {
                    this.log.warn("{} Unwrapping refresh token failed {}", getLogPrefix(), e2.getMessage());
                    ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
                    return;
                }
            }
        } else if (GrantType.CLIENT_CREDENTIALS.equals(authorizationGrant.getType())) {
            return;
        }
        if (tokenClaimsSet == null) {
            this.log.warn("{} Grant type not supported", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
        } else if (!tokenClaimsSet.isTimeValid()) {
            this.log.warn("{} Token is expired or not net valid", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
        } else if (tokenClaimsSet.getClientID().getValue().equals(this.rpCtx.getRelyingPartyId())) {
            getOidcResponseContext().setAuthorizationGrantClaimsSet(tokenClaimsSet);
        } else {
            this.log.warn("{} Token issued to client {}, invalid for {}", new Object[]{getLogPrefix(), tokenClaimsSet.getClientID().getValue(), this.rpCtx.getRelyingPartyId()});
            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
        }
    }

    protected boolean revokeChain(@Nonnull String str, @Nullable Duration duration) {
        if (duration != null) {
            return this.revocationCache.revoke(RevocationCacheContexts.AUTHORIZATION_CODE, str, duration);
        }
        this.log.warn("{} No profile-specific revocation lifetime could be resolved, using default value", getLogPrefix());
        return this.revocationCache.revoke(RevocationCacheContexts.AUTHORIZATION_CODE, str);
    }
}
