package net.shibboleth.idp.plugin.oidc.op.oauth2.profile.impl;

import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import java.util.Iterator;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCAuthenticationResponseTokenClaimsContext;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.ClientInfoScopeLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.DefaultOIDCMetadataContextLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.DefaultRequestResponseTypeLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.DefaultRequestedScopeLookupFunction;
import net.shibboleth.idp.plugin.oidc.op.profile.context.navigate.OIDCAuthenticationResponseContextLookupFunction;
import net.shibboleth.idp.profile.context.navigate.RelyingPartyIdLookupFunction;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/oauth2/profile/impl/ValidateScope.class */
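/**
 * Action that validates and reduces the scope of an OAuth 2.0 / OIDC authorization response.
 *
 * <p>The requested scope (or, when none is requested, the scope carried by the authorization
 * grant claims set) is checked against the scope registered for the client and against an
 * optional set of mandatory scopes. Violations produce the {@code InvalidScope} event. Otherwise
 * the requested scope is reduced to the allowed (and previously granted) values, the
 * {@code offline_access} value is dropped unless the response type includes {@code code}, and
 * the surviving scope is stored on the OIDC response context. If the reduction dropped values
 * that had previously been granted, the grant-encoded token claims context is removed as well.</p>
 *
 * <p>NOTE(review): the reduction mutates the {@link Scope} instance returned by the requested-scope
 * lookup (or the grant claims set's own scope object) in place; callers that hold a reference to
 * that object observe the reduction — verify that is intended for every lookup strategy in use.</p>
 */
public class ValidateScope extends AbstractOAuthAuthorizationResponseAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateScope.class);

    /** Strategy used to locate the scope requested by the client; may be null (no requested scope). */
    @Nullable
    private Function<ProfileRequestContext, Scope> requestedScopeLookupStrategy =
            new DefaultRequestedScopeLookupFunction();

    /** Strategy used to locate the relying party identifier (used in log output only). */
    @Nonnull
    private Function<ProfileRequestContext, String> relyingPartyIdLookupStrategy =
            new RelyingPartyIdLookupFunction();

    /** Strategy used to locate the scope registered for the client in its OIDC metadata. */
    @Nonnull
    private Function<ProfileRequestContext, Scope> allowedScopeLookupStrategy =
            new ClientInfoScopeLookupFunction().compose(new DefaultOIDCMetadataContextLookupFunction());

    /** Strategy used to locate scope values that every request must contain; by default none. */
    @Nonnull
    private Function<ProfileRequestContext, Scope> mandatoryScopeLookupStrategy = prc -> null;

    /** Strategy used to locate the token claims context holding grant-encoded attributes. */
    @Nonnull
    private Function<ProfileRequestContext, OIDCAuthenticationResponseTokenClaimsContext> tokenClaimsContextLookupStrategy =
            new ChildContextLookup<>(OIDCAuthenticationResponseTokenClaimsContext.class)
                    .compose(new OIDCAuthenticationResponseContextLookupFunction());

    /**
     * Set the strategy used to locate the relying party identifier.
     *
     * @param function the lookup strategy, never null
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if already initialized
     */
    public void setRelyingPartyIdLookupStrategy(@Nonnull final Function<ProfileRequestContext, String> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        relyingPartyIdLookupStrategy = Constraint.isNotNull(function, "Relying party ID lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to locate the requested scope.
     *
     * @param function the lookup strategy, or null to rely solely on the grant claims set's scope
     */
    public void setRequestedScopeLookupStrategy(@Nullable final Function<ProfileRequestContext, Scope> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        requestedScopeLookupStrategy = function;
    }

    /**
     * Set the strategy used to locate the scope registered for the client.
     *
     * @param function the lookup strategy, never null
     */
    public void setAllowedScopeLookupStrategy(@Nonnull final Function<ProfileRequestContext, Scope> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        allowedScopeLookupStrategy = Constraint.isNotNull(function, "Allowed scope lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to locate the mandatory scope values.
     *
     * @param function the lookup strategy, never null (it may itself return null or an empty scope)
     */
    public void setMandatoryScopeLookupStrategy(@Nonnull final Function<ProfileRequestContext, Scope> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        mandatoryScopeLookupStrategy = Constraint.isNotNull(function, "Mandatory scope lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to locate the {@link OIDCAuthenticationResponseTokenClaimsContext}.
     *
     * @param function the lookup strategy, never null
     */
    public void setOIDCAuthenticationResponseTokenClaimsContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, OIDCAuthenticationResponseTokenClaimsContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        tokenClaimsContextLookupStrategy =
                Constraint.isNotNull(function, "OIDCAuthenticationResponseTokenClaimsContext lookup strategy cannot be null");
    }

    /**
     * Validate the requested scope and reduce it to what the client is allowed to receive.
     *
     * <p>Signals {@code InvalidScope} when {@code openid} is requested but not registered for the client,
     * when mandatory scopes are configured but nothing is requested, or when a mandatory scope is missing
     * from the request. Returns without touching the response context when the client has no registered
     * scope or when there is nothing requested to reduce.</p>
     *
     * @param profileRequestContext the current profile request context
     */
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        final String rpId = relyingPartyIdLookupStrategy.apply(profileRequestContext);

        // Scope previously granted and encoded in the authorization grant, if any.
        Scope grantedScope = null;
        if (getOidcResponseContext().getAuthorizationGrantClaimsSet() != null) {
            grantedScope = getOidcResponseContext().getAuthorizationGrantClaimsSet().getScope();
        }

        Scope requestedScope = requestedScopeLookupStrategy != null
                ? requestedScopeLookupStrategy.apply(profileRequestContext) : null;
        if (requestedScope == null) {
            // Nothing explicitly requested: the grant's scope becomes the request, and there is
            // no separate "previously granted" set to compare against.
            requestedScope = grantedScope;
            grantedScope = null;
        }

        final Scope allowedScope = allowedScopeLookupStrategy.apply(profileRequestContext);

        // An OIDC request (openid present) must be matched by an openid registration for the client.
        final String openid = OIDCScopeValue.OPENID.getValue();
        if (requestedScope != null && requestedScope.contains(openid)
                && (allowedScope == null || !allowedScope.contains(openid))) {
            log.warn("{} OIDC sequence was requested but no openid scope granted for RP {}", getLogPrefix(), rpId);
            ActionSupport.buildEvent(profileRequestContext, "InvalidScope");
            return;
        }

        // Every configured mandatory scope value must be present in the request.
        final Scope mandatoryScope = mandatoryScopeLookupStrategy.apply(profileRequestContext);
        if (mandatoryScope != null && !mandatoryScope.isEmpty()) {
            if (requestedScope == null || requestedScope.isEmpty()) {
                log.warn("{} Mandatory scope set to {} but none requested", getLogPrefix(), mandatoryScope.toString());
                ActionSupport.buildEvent(profileRequestContext, "InvalidScope");
                return;
            }
            for (final Scope.Value mandatory : mandatoryScope) {
                if (!requestedScope.contains(mandatory.getValue())) {
                    log.warn("{} Mandatory scope {} is not requested", getLogPrefix(), mandatory.getValue());
                    ActionSupport.buildEvent(profileRequestContext, "InvalidScope");
                    return;
                }
            }
        }

        if (allowedScope == null || allowedScope.isEmpty()) {
            log.debug("{} No allowed scope for client {}, nothing to do", getLogPrefix(), rpId);
            return;
        }

        // Guard added: with no requested scope and no mandatory scope there is nothing to reduce;
        // the original iterated a null scope here.
        if (requestedScope == null) {
            log.debug("{} No requested scope for client {}, nothing to do", getLogPrefix(), rpId);
            return;
        }

        // Reduce the requested scope in place to values registered for the client and, when a
        // grant is present, to values that grant had already carried.
        boolean scopesReduced = false;
        final Iterator<Scope.Value> it = requestedScope.iterator();
        while (it.hasNext()) {
            final Scope.Value value = it.next();
            if (!allowedScope.contains(value)) {
                log.warn("{} Removing requested but unregistered scope {} for RP {}", getLogPrefix(), value.getValue(), rpId);
                it.remove();
            } else if (grantedScope != null && !grantedScope.contains(value)) {
                log.warn("{} Removing requested but previously ungranted scope {} for RP {}", getLogPrefix(), value.getValue(), rpId);
                it.remove();
                scopesReduced = true;
            }
        }

        // offline_access is only meaningful when a code can be issued; drop it for other response types.
        if (requestedScope.contains(OIDCScopeValue.OFFLINE_ACCESS)) {
            final ResponseType responseType = new DefaultRequestResponseTypeLookupFunction().apply(profileRequestContext);
            if (responseType != null && !responseType.contains(ResponseType.Value.CODE)) {
                requestedScope.remove(OIDCScopeValue.OFFLINE_ACCESS);
            }
        }

        if (!requestedScope.isEmpty()) {
            getOidcResponseContext().setScope(requestedScope);
        }

        // Grant-encoded attributes were issued for the wider scope; discard them once it has shrunk.
        if (scopesReduced) {
            final OIDCAuthenticationResponseTokenClaimsContext claimsCtx =
                    tokenClaimsContextLookupStrategy.apply(profileRequestContext);
            if (claimsCtx != null) {
                log.debug("{} Removing grant-encoded attributes due to reduction of requested scopes", getLogPrefix());
                claimsCtx.getParent().removeSubcontext(claimsCtx);
            }
        }
    }
}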
