package net.shibboleth.idp.plugin.oidc.op.profile.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Map;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.profile.logic.DefaultTokenRevocationLifetimeLookupStrategy;
import net.shibboleth.idp.plugin.oidc.op.storage.RevocationCacheContexts;
import net.shibboleth.idp.plugin.oidc.op.token.support.AuthorizeCodeClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.RefreshTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.TokenClaimsSet;
import net.shibboleth.oidc.profile.config.logic.EnforceRefreshTokenRotationPredicate;
import net.shibboleth.oidc.profile.config.navigate.RefreshTokenChainLifetimeLookupFunction;
import net.shibboleth.oidc.profile.config.navigate.RefreshTokenClaimsSetManipulationStrategyLookupFunction;
import net.shibboleth.oidc.profile.config.navigate.RefreshTokenTimeoutLookupFunction;
import net.shibboleth.utilities.java.support.annotation.ParameterName;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.security.DataSealer;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy;
import net.shibboleth.utilities.java.support.security.impl.SecureRandomIdentifierGenerationStrategy;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.storage.RevocationCache;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/impl/SetRefreshTokenToResponseContext.class */
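/**
 * Action that builds a new refresh token from the current authorization grant (an authorization
 * code or an existing refresh token), seals it with the configured {@link DataSealer} and stores
 * the sealed value in the OIDC response context.
 *
 * <p>When refresh token rotation is enforced and the grant was itself a refresh token, the grant
 * token's identifier is written to the {@link RevocationCache} so the old token cannot be
 * presented again.</p>
 *
 * <p>Security notes:</p>
 * <ul>
 *   <li>The chain expiration ({@code c_exp}) carried by the grant is never extended: the new
 *       token's chain expiration is the earlier of the existing value and
 *       {@code auth_time + refresh token chain lifetime} (see {@link #calculateChainExp()}).</li>
 *   <li>The optional claims-set manipulation strategy runs before sealing and replaces the claims
 *       set wholesale, so it can override any claim, including lifetimes; it must only ever come
 *       from trusted configuration.</li>
 *   <li>The sealed refresh token is a bearer credential and is therefore not written to the log;
 *       only the unsealed claims are logged at debug level.</li>
 *   <li>A failure to seal the token or to record the revocation raises an error event and stops
 *       this action; the later revocation step no longer runs (and cannot mask the earlier event)
 *       once sealing has failed.</li>
 * </ul>
 */
public class SetRefreshTokenToResponseContext extends AbstractOIDCResponseAction {

    /** Sealer used to encrypt/sign the serialized refresh token claims. */
    @Nonnull
    private final DataSealer dataSealer;

    /** Cache receiving the identifiers of rotated-out refresh tokens; required at init. */
    @NonnullAfterInit
    private RevocationCache revocationCache;

    /** Per-request strategy that may rewrite the claims map before sealing; may be absent. */
    @Nullable
    private BiFunction<ProfileRequestContext, Map<String, Object>, Map<String, Object>> manipulationStrategy;

    /** The grant (authorization code or refresh token) the new refresh token is derived from. */
    @Nullable
    private TokenClaimsSet tokenClaimsSet;

    /** Maximum lifetime of the whole refresh token chain, measured from the authentication time. */
    @Nullable
    private Duration refreshTokenChainLifetime;

    /** Lifetime of the single refresh token being issued, measured from now. */
    @Nullable
    private Duration refreshTokenTimeout;

    /** Generator for the new token's JWT ID. */
    @Nullable
    private IdentifierGenerationStrategy idGenerator;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(SetRefreshTokenToResponseContext.class);

    /** Strategy resolving the refresh token chain lifetime from the profile configuration. */
    @Nonnull
    private Function<ProfileRequestContext, Duration> refreshTokenChainLifetimeLookupStrategy = new RefreshTokenChainLifetimeLookupFunction();

    /** Strategy resolving the refresh token timeout from the profile configuration. */
    @Nonnull
    private Function<ProfileRequestContext, Duration> refreshTokenTimeoutLookupStrategy = new RefreshTokenTimeoutLookupFunction();

    /** Strategy resolving the (optional) claims-set manipulation strategy. */
    @Nonnull
    private Function<ProfileRequestContext, BiFunction<ProfileRequestContext, Map<String, Object>, Map<String, Object>>> tokenClaimsSetManipulationStrategyLookupStrategy = new RefreshTokenClaimsSetManipulationStrategyLookupFunction();

    /** Strategy resolving the JWT ID generator; defaults to a secure-random generator. */
    @Nonnull
    private Function<ProfileRequestContext, IdentifierGenerationStrategy> idGeneratorLookupStrategy = FunctionSupport.constant(new SecureRandomIdentifierGenerationStrategy());

    /** Condition deciding whether the grant refresh token must be revoked after use. */
    @Nonnull
    private Predicate<ProfileRequestContext> enforceRefreshTokenRotationCondition = new EnforceRefreshTokenRotationPredicate();

    /** Strategy resolving how long the revocation record for the grant token must be kept. */
    @Nonnull
    private Function<JWTClaimsSet, Duration> tokenRevocationLifetimeLookupStrategy = new DefaultTokenRevocationLifetimeLookupStrategy();

    /**
     * Constructor.
     *
     * @param dataSealer sealer used to protect the issued refresh token
     */
    public SetRefreshTokenToResponseContext(@Nonnull @ParameterName(name = "sealer") final DataSealer dataSealer) {
        this.dataSealer = Constraint.isNotNull(dataSealer, "DataSealer cannot be null");
    }

    /**
     * Set the revocation cache used to revoke rotated-out refresh tokens.
     *
     * @param cache the revocation cache
     */
    public void setRevocationCache(@Nonnull final RevocationCache cache) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        revocationCache = Constraint.isNotNull(cache, "RevocationCache cannot be null");
    }

    /**
     * Set the strategy resolving the refresh token chain lifetime.
     *
     * @param strategy the lookup strategy
     */
    public void setRefreshTokenChainLifetimeLookupStrategy(@Nonnull final Function<ProfileRequestContext, Duration> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        refreshTokenChainLifetimeLookupStrategy = Constraint.isNotNull(strategy, "Refresh token chain lifetime lookup strategy cannot be null");
    }

    /**
     * Set the strategy resolving the refresh token timeout.
     *
     * @param strategy the lookup strategy
     */
    public void setRefreshTokenTimeoutLookupStrategy(@Nonnull final Function<ProfileRequestContext, Duration> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        refreshTokenTimeoutLookupStrategy = Constraint.isNotNull(strategy, "Refresh token timeout lookup strategy cannot be null");
    }

    /**
     * Set the strategy resolving the claims-set manipulation strategy.
     *
     * @param strategy the lookup strategy
     */
    public void setTokenClaimsSetManipulationStrategyLookupStrategy(@Nonnull final Function<ProfileRequestContext, BiFunction<ProfileRequestContext, Map<String, Object>, Map<String, Object>>> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        tokenClaimsSetManipulationStrategyLookupStrategy = Constraint.isNotNull(strategy, "Manipulation strategy lookup strategy cannot be null");
    }

    /**
     * Set the strategy resolving the JWT ID generator.
     *
     * @param strategy the lookup strategy
     */
    public void setIdentifierGeneratorLookupStrategy(@Nonnull final Function<ProfileRequestContext, IdentifierGenerationStrategy> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        idGeneratorLookupStrategy = Constraint.isNotNull(strategy, "Identifier generation strategy cannot be null");
    }

    /**
     * Set the condition deciding whether refresh token rotation is enforced.
     *
     * @param condition the condition
     */
    public void setEnforceRefreshTokenRotationCondition(@Nonnull final Predicate<ProfileRequestContext> condition) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        enforceRefreshTokenRotationCondition = Constraint.isNotNull(condition, "Condition cannot be null");
    }

    /**
     * Set the strategy resolving the lifetime of the revocation record for the grant token.
     *
     * <p>The parameter was annotated {@code @Nullable} although null is rejected, and the setter
     * was missing the initialized-component guard every other setter has; both are corrected.</p>
     *
     * @param strategy the lookup strategy
     */
    public void setTokenRevocationLifetimeLookupStrategy(@Nonnull final Function<JWTClaimsSet, Duration> strategy) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        tokenRevocationLifetimeLookupStrategy = Constraint.isNotNull(strategy, "Lookup strategy cannot be null");
    }

    /** {@inheritDoc} */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        // Rotation cannot be enforced without somewhere to record the revoked token.
        if (revocationCache == null) {
            throw new ComponentInitializationException("RevocationCache cannot be null");
        }
    }

    /**
     * Resolve the lifetimes, the grant claims set, the manipulation strategy and the ID generator
     * for this request.
     *
     * @param profileRequestContext the current profile request context
     * @return false (with an event signaled) if any required input is missing, true otherwise
     */
    @Override
    public boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        if (!super.doPreExecute(profileRequestContext)) {
            return false;
        }

        refreshTokenChainLifetime = refreshTokenChainLifetimeLookupStrategy.apply(profileRequestContext);
        if (refreshTokenChainLifetime == null) {
            log.warn("{} No lifetime supplied for refresh token", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }

        refreshTokenTimeout = refreshTokenTimeoutLookupStrategy.apply(profileRequestContext);
        if (refreshTokenTimeout == null) {
            log.warn("{} No timeout supplied for refresh token", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }

        // Only an authorization code or a refresh token may be exchanged for a refresh token.
        tokenClaimsSet = getOidcResponseContext().getAuthorizationGrantClaimsSet();
        final boolean usableGrant = tokenClaimsSet instanceof RefreshTokenClaimsSet
                || tokenClaimsSet instanceof AuthorizeCodeClaimsSet;
        if (!usableGrant) {
            log.error("{} No token to base refresh on", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        // The manipulation strategy is optional; the ID generator is not.
        manipulationStrategy = tokenClaimsSetManipulationStrategyLookupStrategy.apply(profileRequestContext);
        idGenerator = idGeneratorLookupStrategy.apply(profileRequestContext);
        if (idGenerator == null) {
            log.error("{} No identifier generation strategy", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }
        return true;
    }

    /**
     * Build, optionally manipulate, seal and store the new refresh token, then revoke the grant
     * refresh token if rotation is enforced.
     *
     * @param profileRequestContext the current profile request context
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        // Take a single timestamp so iat and the timeout-based exp agree.
        final Instant now = Instant.now();
        final Instant chainExp = calculateChainExp();
        final Instant timeoutExp = now.plus((TemporalAmount) refreshTokenTimeout);
        // The token expires at the earlier of its own timeout and the chain expiration.
        final Instant exp = chainExp.isBefore(timeoutExp) ? chainExp : timeoutExp;

        // The root token identifier links every token of a rotation chain to the first one;
        // a grant without one (an authorization code, or a first-generation token) becomes the root.
        final String rootId = StringSupport.trimOrNull(tokenClaimsSet.getRootTokenIdentifier()) == null
                ? tokenClaimsSet.getID()
                : tokenClaimsSet.getRootTokenIdentifier();

        final RefreshTokenClaimsSet claimsSet = new RefreshTokenClaimsSet.Builder(tokenClaimsSet, now, exp, chainExp)
                .setJWTID(idGenerator)
                .setRootTokenIdentifier(rootId)
                .build();

        if (!applyManipulationStrategy(profileRequestContext, claimsSet)) {
            return;
        }

        try {
            getOidcResponseContext().setRefreshToken(claimsSet.serialize(dataSealer));
            // Log only the claims; the sealed token is a bearer credential and must stay out of logs.
            log.debug("{} Set refresh token with claims {} to response context", getLogPrefix(), claimsSet.serialize());
        } catch (final DataSealerException e) {
            log.error("{} Refresh Token generation failed {}", getLogPrefix(), e.getMessage());
            ActionSupport.buildEvent(profileRequestContext, "UnableToEncrypt");
            // Stop here: no token was issued, and a later revocation failure must not replace this event.
            return;
        }

        // Rotation: the refresh token that was just used may not be used again.
        if (enforceRefreshTokenRotationCondition.test(profileRequestContext)
                && tokenClaimsSet instanceof RefreshTokenClaimsSet) {
            revokeGrantRefreshToken(profileRequestContext);
        }
    }

    /**
     * Apply the configured manipulation strategy, if any, to the claims set in place.
     *
     * <p>The strategy receives the full claims map and its result replaces the claims set entirely,
     * so it is trusted to preserve the security-relevant claims.</p>
     *
     * @param profileRequestContext the current profile request context
     * @param claimsSet the claims set to manipulate
     * @return false (with an event signaled) if the manipulated map is not a valid claims set
     */
    private boolean applyManipulationStrategy(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final RefreshTokenClaimsSet claimsSet) {
        if (manipulationStrategy == null) {
            log.debug("{} No manipulation strategy configured", getLogPrefix());
            return true;
        }
        log.debug("{} Manipulation strategy has been set, applying it to the claims set {}", getLogPrefix(), claimsSet.serialize());
        final Map<String, Object> manipulated = manipulationStrategy.apply(profileRequestContext, claimsSet.getClaimsSet().toJSONObject());
        if (manipulated == null) {
            log.debug("{} Manipulation strategy returned null, leaving token claims set untouched.", getLogPrefix());
            return true;
        }
        log.debug("{} Applying the manipulated claims into the token claims set", getLogPrefix());
        try {
            claimsSet.setClaimsSet(JWTClaimsSet.parse(manipulated));
            return true;
        } catch (final ParseException e) {
            log.error("{} The resulted claims set could not be transformed into a JWT claims set", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return false;
        }
    }

    /**
     * Record the grant refresh token as revoked for the configured revocation lifetime.
     *
     * <p>An error event is signaled if the lifetime is unusable or the cache rejects the record;
     * that event is expected to abort the flow, since the new token has already been placed in the
     * response context at this point.</p>
     *
     * @param profileRequestContext the current profile request context
     */
    private void revokeGrantRefreshToken(@Nonnull final ProfileRequestContext profileRequestContext) {
        final String grantTokenId = tokenClaimsSet.getID();
        final Duration revocationLifetime = tokenRevocationLifetimeLookupStrategy.apply(tokenClaimsSet.getClaimsSet());
        // A zero (or negative) lifetime would produce a revocation that is immediately ineffective.
        if (revocationLifetime == null || revocationLifetime.isZero() || revocationLifetime.isNegative()) {
            log.error("{} Unable to fetch lifetime for the single token revocation", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
            return;
        }
        log.debug("{} Revoking the refresh token {} used for issuing the new one", getLogPrefix(), grantTokenId);
        if (!revocationCache.revoke(RevocationCacheContexts.SINGLE_ACCESS_OR_REFRESH_TOKENS, grantTokenId, revocationLifetime)) {
            log.error("{} Unable to store revocation into the revocation cache", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileConfiguration");
        }
    }

    /**
     * Read the chain expiration ({@code c_exp}) claim from the given claims set.
     *
     * <p>Previously this method tested the parameter but read the value from the instance field;
     * it now consistently uses the parameter, and tolerates a present-but-null claim.</p>
     *
     * @param claims the claims set to inspect
     * @return the chain expiration, or null if the claim is absent, null or unparseable
     */
    @Nullable
    protected Instant getExistingChainExp(@Nonnull final JWTClaimsSet claims) {
        if (!claims.getClaims().containsKey("c_exp")) {
            return null;
        }
        try {
            final java.util.Date chainExp = claims.getDateClaim("c_exp");
            if (chainExp == null) {
                log.warn("{} Chain expiration claim is present but has no value", getLogPrefix());
                return null;
            }
            return chainExp.toInstant();
        } catch (final ParseException e) {
            log.warn("{} Could not parse the chain expiration time from the claims set", getLogPrefix(), e);
            return null;
        }
    }

    /**
     * Calculate the chain expiration for the new token.
     *
     * <p>The result is the earlier of {@code auth_time + chain lifetime} and the chain expiration
     * already carried by the grant, so re-issuing a token can never push the chain's end out.</p>
     *
     * @return the chain expiration instant
     */
    @Nonnull
    protected Instant calculateChainExp() {
        final Instant configuredChainExp = tokenClaimsSet.getAuthenticationTime().plus((TemporalAmount) refreshTokenChainLifetime);
        final Instant existingChainExp = getExistingChainExp(tokenClaimsSet.getClaimsSet());
        if (existingChainExp != null && !configuredChainExp.isBefore(existingChainExp)) {
            return existingChainExp;
        }
        return configuredChainExp;
    }
}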
