package net.shibboleth.oidc.security.impl;

import com.google.common.base.Strings;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.idp.profile.context.RelyingPartyContext;
import net.shibboleth.oidc.metadata.criterion.IssuerIDCriterion;
import net.shibboleth.oidc.profile.messaging.context.OIDCPeerEntityContext;
import net.shibboleth.oidc.profile.oauth2.config.OAuth2ClientAuthenticableClientProfileConfiguration;
import net.shibboleth.oidc.profile.oauth2.config.OAuth2ClientAuthenticableProfileConfiguration;
import net.shibboleth.oidc.security.credential.ClientSecretCredential;
import net.shibboleth.oidc.security.jose.context.SecurityParametersContext;
import net.shibboleth.oidc.security.jose.criterion.ClientInformationCriterion;
import net.shibboleth.oidc.security.jose.criterion.ClientSecretCredentialCriterion;
import net.shibboleth.oidc.security.jose.criterion.ProviderMetadataCriterion;
import net.shibboleth.oidc.security.jose.criterion.SignatureValidationParametersCriterion;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.FunctionSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.opensaml.profile.context.ProfileRequestContext;
import org.opensaml.profile.context.navigate.ParentProfileRequestContextLookup;
import org.opensaml.security.credential.UsageType;
import org.opensaml.security.criteria.UsageCriterion;
import org.opensaml.security.messaging.impl.BaseTrustEngineSecurityHandler;
import org.opensaml.security.trust.TrustEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/BaseJWTSignatureSecurityHandler.class */
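/**
 * Base handler for validating the signature of a {@link SignedJWT} carried in a message context via a
 * {@link TrustEngine}.
 *
 * <p>The trust engine is resolved from the {@link SecurityParametersContext} located by the configured
 * lookup strategy, and the criteria handed to that engine are assembled in
 * {@link #buildCriteriaSet(String, MessageContext)} from the JWT issuer, the OP metadata, the RP client
 * information, the RP's {@code client_secret} credential (when the active profile configuration is
 * client-authenticable), the {@link UsageType#SIGNING} usage and the signature validation parameters.</p>
 *
 * <p>Per-request state (provider metadata, client information, peer context, profile configuration) is
 * captured in instance fields by {@link #doPreInvoke(MessageContext)}.
 * NOTE(review): this assumes a handler instance is not invoked concurrently for different messages —
 * confirm the handler's scoping in the flow configuration.</p>
 */
public abstract class BaseJWTSignatureSecurityHandler extends BaseTrustEngineSecurityHandler<SignedJWT> {

    /** Navigates from a {@link MessageContext} to its owning {@link ProfileRequestContext}. */
    @Nonnull
    private static final ParentProfileRequestContextLookup<MessageContext> PRC_LOOKUP =
            new ParentProfileRequestContextLookup<>();

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(BaseJWTSignatureSecurityHandler.class);

    /** Strategy used to locate the {@link OIDCProviderMetadata}; defaults to returning {@code null}. */
    @Nonnull
    private Function<MessageContext, OIDCProviderMetadata> providerMetadataLookupStrategy =
            FunctionSupport.constant(null);

    /** Strategy used to locate the {@link OIDCClientInformation}; defaults to returning {@code null}. */
    @Nonnull
    private Function<MessageContext, OIDCClientInformation> clientInformationLookupStrategy =
            FunctionSupport.constant(null);

    /** Strategy used to locate the {@link RelyingPartyContext} from the {@link ProfileRequestContext}. */
    @Nonnull
    private Function<ProfileRequestContext, RelyingPartyContext> relyingPartyContextLookupStrategy =
            new ChildContextLookup<>(RelyingPartyContext.class);

    /**
     * Strategy used to locate the {@link SecurityParametersContext}; the default creates the child context
     * if it is absent.
     */
    @Nonnull
    private Function<MessageContext, SecurityParametersContext> securityParametersContextLookupStrategy =
            new ChildContextLookup<>(SecurityParametersContext.class, true);

    /** Active profile configuration, if it supports client authentication; set in {@link #doPreInvoke}. */
    @Nullable
    private OAuth2ClientAuthenticableClientProfileConfiguration profileConfiguration;

    /** Peer entity context of the message being processed, if any; set in {@link #doPreInvoke}. */
    @Nullable
    private OIDCPeerEntityContext peerContext;

    /** Provider metadata located for the current message, if any; set in {@link #doPreInvoke}. */
    @Nullable
    private OIDCProviderMetadata providerMetadata;

    /** Client information located for the current message, if any; set in {@link #doPreInvoke}. */
    @Nullable
    private OIDCClientInformation clientInformation;

    /**
     * Set the strategy used to locate the {@link SecurityParametersContext}.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if the handler
     *         has already been initialized
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the strategy is
     *         {@code null}
     */
    public void setSecurityParametersContextLookupStrategy(
            @Nonnull final Function<MessageContext, SecurityParametersContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        securityParametersContextLookupStrategy =
                Constraint.isNotNull(function, "SecurityParametersContext lookup strategy cannot be null");
    }

    /**
     * Set the strategy used to locate the {@link OIDCProviderMetadata}.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if the handler
     *         has already been initialized
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the strategy is
     *         {@code null}
     */
    public void setProviderMetadataLookupStrategy(
            @Nonnull final Function<MessageContext, OIDCProviderMetadata> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        providerMetadataLookupStrategy =
                Constraint.isNotNull(function, "Provider metadata lookup strategy can not be null");
    }

    /**
     * Set the strategy used to locate the {@link OIDCClientInformation}.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if the handler
     *         has already been initialized
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the strategy is
     *         {@code null}
     */
    public void setClientInformationLookupStrategy(
            @Nonnull final Function<MessageContext, OIDCClientInformation> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        clientInformationLookupStrategy =
                Constraint.isNotNull(function, "Client information lookup strategy can not be null");
    }

    /**
     * Set the strategy used to locate the {@link RelyingPartyContext}.
     *
     * @param function the lookup strategy
     * @throws net.shibboleth.utilities.java.support.component.UnmodifiableComponentException if the handler
     *         has already been initialized
     * @throws net.shibboleth.utilities.java.support.logic.ConstraintViolationException if the strategy is
     *         {@code null}
     */
    public void setRelyingPartyContextLookupStrategy(
            @Nonnull final Function<ProfileRequestContext, RelyingPartyContext> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        relyingPartyContextLookupStrategy =
                Constraint.isNotNull(function, "RelyingPartyContext lookup strategy cannot be null");
    }

    /**
     * Get the peer entity context captured by {@link #doPreInvoke(MessageContext)}.
     *
     * @return the peer entity context, or {@code null} if the message has none or pre-invoke has not run
     */
    @Nullable
    public OIDCPeerEntityContext getOIDCPeerEntityContext() {
        return peerContext;
    }

    /**
     * Resolve the signature trust engine from the {@link SecurityParametersContext}.
     *
     * <p>The context is located through the configured
     * {@link #setSecurityParametersContextLookupStrategy(Function) lookup strategy}, the same one
     * {@link #buildCriteriaSet(String, MessageContext)} uses, so the engine and the validation parameters
     * passed to it always come from the same context.</p>
     *
     * @param messageContext the message context
     * @return the trust engine, or {@code null} if no context or no signature validation parameters are
     *         available
     */
    @Override
    @Nullable
    protected TrustEngine<SignedJWT> resolveTrustEngine(@Nonnull final MessageContext messageContext) {
        final SecurityParametersContext secParamsCtx = securityParametersContextLookupStrategy.apply(messageContext);
        if (secParamsCtx == null || secParamsCtx.getSignatureValidationParameters() == null) {
            log.debug("{} No signature validation parameters available, trust engine cannot be resolved",
                    getLogPrefix());
            return null;
        }
        return secParamsCtx.getSignatureValidationParameters().getSignatureTrustEngine();
    }

    /**
     * Capture the per-request inputs (provider metadata, client information, peer context and the
     * client-authenticable profile configuration, when present) before the signature is evaluated.
     *
     * @param messageContext the message context
     * @return {@code false} if the superclass declines to proceed, {@code true} otherwise
     * @throws MessageHandlerException if the superclass pre-invoke fails
     */
    @Override
    public boolean doPreInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
        if (!super.doPreInvoke(messageContext)) {
            return false;
        }

        providerMetadata = providerMetadataLookupStrategy.apply(messageContext);
        clientInformation = clientInformationLookupStrategy.apply(messageContext);
        peerContext = messageContext.getSubcontext(OIDCPeerEntityContext.class);

        // The RP lookup strategy starts from the ProfileRequestContext, so bridge from the MessageContext.
        final RelyingPartyContext rpCtx = adapt(relyingPartyContextLookupStrategy).apply(messageContext);
        // NOTE(review): the decompiled source tests against OAuth2ClientAuthenticableProfileConfiguration
        // but stores the narrower OAuth2ClientAuthenticableClientProfileConfiguration; testing the stored
        // type here avoids a ClassCastException — confirm against the original source.
        if (rpCtx != null && rpCtx.getConfiguration() != null
                && rpCtx.getProfileConfig() instanceof OAuth2ClientAuthenticableClientProfileConfiguration) {
            profileConfiguration = (OAuth2ClientAuthenticableClientProfileConfiguration) rpCtx.getProfileConfig();
        }
        return true;
    }

    /**
     * Build the criteria used by the trust engine to resolve trusted credentials for the JWT.
     *
     * <p>Included, when available: an {@link IssuerIDCriterion} for the JWT issuer, the provider metadata,
     * the client information, the RP's {@code client_secret} credential (for HMAC-signed tokens), the
     * {@link UsageType#SIGNING} usage and the signature validation parameters.</p>
     *
     * @param str the JWT issuer identifier, may be {@code null} or empty
     * @param messageContext the message context
     * @return the populated criteria set
     * @throws MessageHandlerException if no {@link SecurityParametersContext} can be located or it carries no
     *         signature validation parameters
     */
    @Override
    protected CriteriaSet buildCriteriaSet(@Nullable final String str, @Nonnull final MessageContext messageContext)
            throws MessageHandlerException {
        final CriteriaSet criteriaSet = new CriteriaSet();

        if (!Strings.isNullOrEmpty(str)) {
            criteriaSet.add(new IssuerIDCriterion(new Issuer(str)));
        }
        if (providerMetadata != null) {
            criteriaSet.add(new ProviderMetadataCriterion(providerMetadata));
        }
        if (clientInformation != null) {
            criteriaSet.add(new ClientInformationCriterion(clientInformation));
        }
        if (profileConfiguration != null) {
            // The credential is resolved against the owning ProfileRequestContext, not the message context.
            final ClientSecretCredential clientCredential =
                    profileConfiguration.getClientCredential(PRC_LOOKUP.apply(messageContext));
            if (clientCredential != null) {
                criteriaSet.add(new ClientSecretCredentialCriterion(clientCredential));
            } else {
                log.trace("{} No client_secret credential found from the profile configuration", getLogPrefix());
            }
        }
        criteriaSet.add(new UsageCriterion(UsageType.SIGNING));

        final SecurityParametersContext secParamsCtx = securityParametersContextLookupStrategy.apply(messageContext);
        if (secParamsCtx == null) {
            throw new MessageHandlerException("Security parameters context could not be found, must be set");
        }
        // Fail with a handler exception rather than letting the criterion constructor reject a null
        // (it is presumed to require non-null parameters).
        if (secParamsCtx.getSignatureValidationParameters() == null) {
            throw new MessageHandlerException("Signature validation parameters not set in security parameters context");
        }
        criteriaSet.add(new SignatureValidationParametersCriterion(secParamsCtx.getSignatureValidationParameters()));
        return criteriaSet;
    }

    /**
     * Adapt a function over the {@link ProfileRequestContext} into one over the {@link MessageContext} by
     * first navigating to the owning profile request context.
     *
     * @param function the function to adapt, may be {@code null}
     * @param <T> the function's result type
     * @return the adapted function, or {@code null} if the input was {@code null}
     */
    @Nullable
    protected <T> Function<MessageContext, T> adapt(@Nullable final Function<ProfileRequestContext, T> function) {
        if (function == null) {
            return null;
        }
        return function.compose(PRC_LOOKUP);
    }
}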
