package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.oauth2.sdk.ResponseType;
import java.util.List;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.profile.config.navigate.JWEDataEncryptionAlgorithmsLookupFunction;
import net.shibboleth.oidc.profile.config.navigate.JWEKeyTransportEncryptionAlgorithmsLookupFunction;
import net.shibboleth.oidc.profile.config.navigate.JWSSignatureAlgorithmsLookupFunction;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/AddSecurityConfigurationToClientMetadata.class */
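/**
 * Populates the JOSE algorithm settings of the output client metadata from the input
 * (requested) client metadata.
 *
 * <p>The requested {@code id_token_signed_response_alg}, {@code userinfo_signed_response_alg},
 * {@code id_token_encrypted_response_alg/_enc} and {@code userinfo_encrypted_response_alg/_enc}
 * values are each compared with the algorithm lists resolved by the configured lookup
 * strategies. A value that is not in the corresponding list makes the action build an
 * {@code InvalidMessage} event and stop, so a client cannot register an algorithm the
 * deployment has not enabled.</p>
 *
 * <p>NOTE(review): the resolved algorithm lists are kept in instance fields between
 * {@link #doPreExecute} and {@link #doExecute}; confirm this action is not shared between
 * concurrently executing requests.</p>
 */
public class AddSecurityConfigurationToClientMetadata extends AbstractOIDCClientMetadataPopulationAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AddSecurityConfigurationToClientMetadata.class);

    /** Resolves the supported signature algorithms; never null (the setter rejects null). */
    @Nonnull
    private Function<ProfileRequestContext, List<String>> signatureAlgorithmsLookupStrategy = new JWSSignatureAlgorithmsLookupFunction();

    /** Resolves the supported content ("enc") encryption algorithms; never null. */
    @Nonnull
    private Function<ProfileRequestContext, List<String>> dataEncryptionAlgorithmsLookupStrategy = new JWEDataEncryptionAlgorithmsLookupFunction();

    /** Resolves the supported key transport ("alg") encryption algorithms; never null. */
    @Nonnull
    private Function<ProfileRequestContext, List<String>> keyTransportEncryptionAlgorithmsLookupStrategy = new JWEKeyTransportEncryptionAlgorithmsLookupFunction();

    /** Signature algorithm names resolved in {@link #doPreExecute}; null until then. */
    @Nullable
    private List<String> supportedSigningAlgs;

    /** Content encryption algorithm names resolved in {@link #doPreExecute}; null until then. */
    @Nullable
    private List<String> supportedEncryptionEncs;

    /** Key transport algorithm names resolved in {@link #doPreExecute}; null until then. */
    @Nullable
    private List<String> supportedEncryptionAlgs;

    /**
     * Sets the strategy used to resolve the supported signature algorithms.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setSignatureAlgorithmsLookupStrategy(@Nonnull Function<ProfileRequestContext, List<String>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.signatureAlgorithmsLookupStrategy = Constraint.isNotNull(function, "Signature algorithms lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to resolve the supported data (content) encryption algorithms.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setDataEncryptionAlgorithmsLookupStrategy(@Nonnull Function<ProfileRequestContext, List<String>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.dataEncryptionAlgorithmsLookupStrategy = Constraint.isNotNull(function, "Data encryption algorithms lookup strategy cannot be null");
    }

    /**
     * Sets the strategy used to resolve the supported key transport encryption algorithms.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setKeyTransportAlgorithmsLookupStrategy(@Nonnull Function<ProfileRequestContext, List<String>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.keyTransportEncryptionAlgorithmsLookupStrategy = Constraint.isNotNull(function, "Key transport encryption algorithms lookup strategy cannot be null");
    }

    /**
     * Treats a null lookup result as "nothing supported".
     *
     * <p>An injected strategy may return null; mapping that to an empty list makes the later
     * {@code contains} checks reject every requested algorithm instead of failing with a
     * {@link NullPointerException}.</p>
     *
     * @param algorithms the list returned by a lookup strategy, possibly null
     * @return {@code algorithms}, or an empty list when it is null
     */
    @Nonnull
    private static List<String> nullToEmpty(@Nullable List<String> algorithms) {
        return algorithms != null ? algorithms : java.util.Collections.<String>emptyList();
    }

    /**
     * Resolves the three supported-algorithm lists for this request and logs a warning for
     * each list that is empty.
     *
     * @param profileRequestContext the current profile request context
     * @return false when the parent pre-execute step returns false, true otherwise (an empty
     *         list is only logged here; the requested values are rejected in {@link #doExecute})
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // net.shibboleth.idp.plugin.oidc.op.profile.impl.AbstractOIDCClientMetadataPopulationAction
    public boolean doPreExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }
        this.supportedSigningAlgs = nullToEmpty(this.signatureAlgorithmsLookupStrategy.apply(profileRequestContext));
        if (this.supportedSigningAlgs.isEmpty()) {
            this.log.warn("{} No supported signature signing algorithms resolved", getLogPrefix());
        }
        this.supportedEncryptionAlgs = nullToEmpty(this.keyTransportEncryptionAlgorithmsLookupStrategy.apply(profileRequestContext));
        if (this.supportedEncryptionAlgs.isEmpty()) {
            this.log.warn("{} No supported key transport encryption algorithms resolved", getLogPrefix());
        }
        this.supportedEncryptionEncs = nullToEmpty(this.dataEncryptionAlgorithmsLookupStrategy.apply(profileRequestContext));
        if (this.supportedEncryptionEncs.isEmpty()) {
            this.log.warn("{} No supported data encryption algorithms resolved", getLogPrefix());
        }
        return true;
    }

    /**
     * Copies the requested signing and encryption algorithms to the output metadata, applying
     * defaults and rejecting anything outside the resolved supported lists.
     *
     * <p>On the first unsupported or inconsistent value an {@code InvalidMessage} event is built
     * and the method returns. Values already written to the output metadata before that point
     * are left in place.</p>
     *
     * @param profileRequestContext the current profile request context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        // --- id_token_signed_response_alg: default to RS256 when the client did not ask for one.
        JWSAlgorithm requestedIdTokenSigAlg = getInputMetadata().getIDTokenJWSAlg();
        getOutputMetadata().setIDTokenJWSAlg(
                requestedIdTokenSigAlg != null ? requestedIdTokenSigAlg : new JWSAlgorithm("RS256"));
        if (!this.supportedSigningAlgs.contains(getOutputMetadata().getIDTokenJWSAlg().getName())) {
            this.log.warn("{} The requested id_token_signed_response_alg {} is not supported", getLogPrefix(), getOutputMetadata().getIDTokenJWSAlg().getName());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        }

        // An unsigned ('none') ID token is refused when any registered response type implies
        // the implicit or hybrid flow.
        boolean usesImplicitOrHybridFlow = false;
        if (getOutputMetadata().getResponseTypes() != null) {
            for (ResponseType responseType : getOutputMetadata().getResponseTypes()) {
                if (responseType.impliesHybridFlow() || responseType.impliesImplicitFlow()) {
                    usesImplicitOrHybridFlow = true;
                    break;
                }
            }
        }
        if (getOutputMetadata().getIDTokenJWSAlg().equals(Algorithm.NONE) && usesImplicitOrHybridFlow) {
            this.log.warn("{} The requested id_token_signed_response_alg 'none' is not supported when implicit or hybrid flow in response type", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        }

        // --- userinfo_signed_response_alg: optional, no default is applied.
        JWSAlgorithm userInfoJWSAlg = getInputMetadata().getUserInfoJWSAlg();
        if (userInfoJWSAlg != null) {
            if (!this.supportedSigningAlgs.contains(userInfoJWSAlg.getName())) {
                this.log.warn("{} The requested userinfo_signed_response_alg {} is not supported", getLogPrefix(), userInfoJWSAlg.getName());
                ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
                return;
            }
            getOutputMetadata().setUserInfoJWSAlg(userInfoJWSAlg);
        }

        // --- id_token_encrypted_response_alg / _enc.
        JWEAlgorithm iDTokenJWEAlg = getInputMetadata().getIDTokenJWEAlg();
        EncryptionMethod iDTokenJWEEnc = getInputMetadata().getIDTokenJWEEnc();
        if ((iDTokenJWEAlg == null) == (iDTokenJWEEnc == null)) {
            // Both given or both absent: copy as requested.
            getOutputMetadata().setIDTokenJWEAlg(iDTokenJWEAlg);
            getOutputMetadata().setIDTokenJWEEnc(iDTokenJWEEnc);
        } else if (iDTokenJWEAlg == null) {
            // _enc without _alg is inconsistent and is rejected.
            this.log.warn("{} The requested id_token_encrypted_response_alg was not defined even though _enc was", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        } else {
            // _alg without _enc: the content encryption method is the one being defaulted, so
            // the message names _enc (it previously named _alg).
            this.log.debug("{} Using default algorithm for id_token_encrypted_response_enc", getLogPrefix());
            getOutputMetadata().setIDTokenJWEEnc(EncryptionMethod.A128CBC_HS256);
            getOutputMetadata().setIDTokenJWEAlg(iDTokenJWEAlg);
        }
        JWEAlgorithm resolvedIdTokenJWEAlg = getOutputMetadata().getIDTokenJWEAlg();
        if (resolvedIdTokenJWEAlg != null && !this.supportedEncryptionAlgs.contains(resolvedIdTokenJWEAlg.getName())) {
            this.log.warn("{} The requested id_token_encrypted_response_alg {} is not supported", getLogPrefix(), resolvedIdTokenJWEAlg);
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        }
        EncryptionMethod resolvedIdTokenJWEEnc = getOutputMetadata().getIDTokenJWEEnc();
        if (resolvedIdTokenJWEEnc != null && !this.supportedEncryptionEncs.contains(resolvedIdTokenJWEEnc.getName())) {
            this.log.warn("{} The requested id_token_encrypted_response_enc {} is not supported", getLogPrefix(), resolvedIdTokenJWEEnc);
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        }

        // --- userinfo_encrypted_response_alg / _enc: same rules as for the ID token.
        JWEAlgorithm userInfoJWEAlg = getInputMetadata().getUserInfoJWEAlg();
        EncryptionMethod userInfoJWEEnc = getInputMetadata().getUserInfoJWEEnc();
        if ((userInfoJWEAlg == null) == (userInfoJWEEnc == null)) {
            getOutputMetadata().setUserInfoJWEAlg(userInfoJWEAlg);
            getOutputMetadata().setUserInfoJWEEnc(userInfoJWEEnc);
        } else if (userInfoJWEAlg == null) {
            this.log.warn("{} The requested userinfo_encrypted_response_alg was not defined even though _enc was", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        } else {
            // As above, the defaulted value is the content encryption method (_enc).
            this.log.debug("{} Using default algorithm for userinfo_encrypted_response_enc", getLogPrefix());
            getOutputMetadata().setUserInfoJWEEnc(EncryptionMethod.A128CBC_HS256);
            getOutputMetadata().setUserInfoJWEAlg(userInfoJWEAlg);
        }
        JWEAlgorithm resolvedUserInfoJWEAlg = getOutputMetadata().getUserInfoJWEAlg();
        if (resolvedUserInfoJWEAlg != null && !this.supportedEncryptionAlgs.contains(resolvedUserInfoJWEAlg.getName())) {
            this.log.warn("{} The requested userinfo_encrypted_response_alg {} is not supported", getLogPrefix(), resolvedUserInfoJWEAlg);
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
            return;
        }
        EncryptionMethod resolvedUserInfoJWEEnc = getOutputMetadata().getUserInfoJWEEnc();
        if (resolvedUserInfoJWEEnc != null && !this.supportedEncryptionEncs.contains(resolvedUserInfoJWEEnc.getName())) {
            this.log.warn("{} The requested userinfo_encrypted_response_enc {} is not supported", getLogPrefix(), resolvedUserInfoJWEEnc);
            ActionSupport.buildEvent(profileRequestContext, "InvalidMessage");
        }
    }
}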
