package net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.plugin.oidc.op.messaging.context.OIDCAuthenticationResponseContext;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.oidc.security.impl.JWTSignatureValidationUtil;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.Criterion;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import net.shibboleth.utilities.java.support.security.DataSealer;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.credential.CredentialResolver;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/userinfo/profile/impl/ParseAccessToken.class */
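/**
 * Action that parses the access token presented to the UserInfo endpoint and, on success,
 * stores the resulting claims set on the OIDC response context.
 *
 * <p>Two token forms are accepted: a signed JWT (whose header type must be {@code at+jwt} and
 * whose signature is verified against the credentials from the configured
 * {@link CredentialResolver}), or an opaque token that is unwrapped with the {@link DataSealer}.
 * Any failure results in the {@code InvalidGrant} event (or the event returned by the
 * signature validation utility).</p>
 */
public class ParseAccessToken extends AbstractOIDCUserInfoValidationResponseAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ParseAccessToken.class);

    /** Sealer used to unwrap the token; required, checked in {@link #doInitialize()}. */
    @NonnullAfterInit
    private DataSealer dataSealer;

    /** Resolver for the signing credentials used to verify a JWT token; optional. */
    @Nullable
    private CredentialResolver credentialResolver;

    /**
     * JWT form of the token currently being processed, or null when the token did not parse as a JWT.
     *
     * NOTE(review): this is per-request state kept in an instance field. If this action instance is
     * shared between concurrent requests (as Spring-managed actions usually are) this is a race between
     * requests — confirm the instantiation model and consider thread-confining it.
     */
    @Nullable
    private SignedJWT signedJWT;

    /**
     * Sets the sealer used to unwrap the access token.
     *
     * @param dataSealer the sealer, never null
     */
    public void setDataSealer(@Nonnull final DataSealer dataSealer) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.dataSealer = Constraint.isNotNull(dataSealer, "DataSealer cannot be null");
    }

    /**
     * Sets the resolver for the credentials used to verify JWT signatures.
     *
     * @param credentialResolver the resolver, may be null (JWT tokens are then rejected)
     */
    public void setCredentialResolver(@Nullable final CredentialResolver credentialResolver) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.credentialResolver = credentialResolver;
    }

    /** {@inheritDoc} */
    @Override
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (dataSealer == null) {
            throw new ComponentInitializationException("DataSealer cannot be null");
        }
    }

    /** {@inheritDoc} */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext) {
        final AccessToken accessToken = getUserInfoRequest().getAccessToken();
        if (accessToken == null) {
            log.error("{} Token missing from request", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
            return;
        }

        final AccessTokenClaimsSet claims = parseAccessToken(accessToken);
        if (claims == null) {
            log.warn("{} Unable to parse/decode token for validation", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
            return;
        }
        log.debug("{} Access token unwrapped: {}", getLogPrefix(), claims.serialize());

        // Only a token that parsed as a JWT gets the type and signature checks; an opaque token
        // is accepted as unwrapped by the sealer.
        if (signedJWT != null && !verifySignedToken(profileRequestContext, claims)) {
            return;
        }

        log.debug("{} Access token {} parsed", getLogPrefix(), claims.getID());
        getOidcResponseContext().setAuthorizationGrantClaimsSet(claims);
    }

    /**
     * Checks the header type of {@link #signedJWT} and verifies its signature against the
     * resolved signing credentials, building the failure event on the context when a check fails.
     *
     * @param profileRequestContext the current profile request context
     * @param claims the parsed claims, used for logging the token ID
     * @return true if every check passed, false if a failure event was built
     */
    private boolean verifySignedToken(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AccessTokenClaimsSet claims) {
        // The "at+jwt" type distinguishes a JWT access token from other JWTs (e.g. an ID token)
        // that would otherwise carry a valid signature from the same issuer.
        final JOSEObjectType type = signedJWT.getHeader().getType();
        if (type == null || !"at+jwt".equals(type.getType())) {
            log.warn("{} Missing or invalid token type: {}", getLogPrefix(),
                    type != null ? type.getType() : "null");
            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
            return false;
        }

        if (credentialResolver == null) {
            log.error("{} No CredentialResolver available, can't verify JWT signature", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
            return false;
        }

        log.debug("{} Checking JWT signature", getLogPrefix());
        final List<Credential> signingCredentials = new ArrayList<>();
        try {
            final Iterable<Credential> resolved =
                    credentialResolver.resolve(new CriteriaSet(new UsageCriterion(UsageType.SIGNING)));
            if (resolved != null) {
                resolved.forEach(signingCredentials::add);
            }
            // A non-null result is the event ID to signal; "InvalidGrant" is the default failure event.
            final String failureEvent =
                    JWTSignatureValidationUtil.validateSignatureEx(signingCredentials, signedJWT, "InvalidGrant");
            if (failureEvent != null) {
                log.warn("{} Signature on token ID '{}' invalid", getLogPrefix(), claims.getID());
                ActionSupport.buildEvent(profileRequestContext, failureEvent);
                return false;
            }
        } catch (final ResolverException e) {
            log.error("{} Failure resolving signing credentials, can't verify JWT signature", getLogPrefix(), e);
            ActionSupport.buildEvent(profileRequestContext, "InvalidGrant");
            return false;
        }
        return true;
    }

    /**
     * Parses the token, first as a signed JWT and then as an opaque sealed token.
     *
     * <p>Side effect: {@link #signedJWT} is set to the parsed JWT when the token parses as one,
     * and reset to null beforehand so a non-JWT token never inherits a stale value from an
     * earlier invocation.</p>
     *
     * @param accessToken the token to parse
     * @return the claims set, or null if the token could not be parsed in either form
     */
    @Nullable
    protected AccessTokenClaimsSet parseAccessToken(@NotEmpty @Nonnull final AccessToken accessToken) {
        signedJWT = null;
        try {
            signedJWT = SignedJWT.parse(accessToken.getValue());
            return AccessTokenClaimsSet.parse(signedJWT, dataSealer);
        } catch (final DataSealerException | ParseException e) {
            log.trace("{} Token did not parse as a JWT access token, trying opaque form", getLogPrefix(), e);
            try {
                return AccessTokenClaimsSet.parse(accessToken.getValue(), dataSealer);
            } catch (final DataSealerException | ParseException e2) {
                log.debug("{} Token did not decode as an opaque sealed token", getLogPrefix(), e2);
                return null;
            }
        }
    }

    /** {@inheritDoc} */
    @Override // net.shibboleth.idp.plugin.oidc.op.userinfo.profile.impl.AbstractOIDCUserInfoValidationResponseAction
    @Nonnull
    public /* bridge */ /* synthetic */ OIDCAuthenticationResponseContext getOidcResponseContext() {
        return super.getOidcResponseContext();
    }
}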
