package net.shibboleth.oidc.security.jwt.claims.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.openid.connect.sdk.OIDCClaimsRequest;
import com.nimbusds.openid.connect.sdk.claims.ClaimRequirement;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSetRequest;
import java.util.function.BiPredicate;
import java.util.function.Function;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.profile.core.OIDCAuthenticationRequest;
import net.shibboleth.utilities.java.support.annotation.ParameterName;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/security/jwt/claims/impl/AuthTimeRequestedActivationCondition.class */
public final class AuthTimeRequestedActivationCondition implements BiPredicate<ProfileRequestContext, JWTClaimsSet> {

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(AuthTimeRequestedActivationCondition.class);

    @Nonnull
    private final Function<ProfileRequestContext, OIDCAuthenticationRequest> authenticationRequestLookupStrategy;

    public AuthTimeRequestedActivationCondition(@Nonnull @ParameterName(name = "authenticationRequestLookupStrategy") Function<ProfileRequestContext, OIDCAuthenticationRequest> function) {
        this.authenticationRequestLookupStrategy = (Function) Constraint.isNotNull(function, "authenticationRequestLookupStrategy can not be null");
    }

    @Override // java.util.function.BiPredicate
    public boolean test(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull JWTClaimsSet jWTClaimsSet) {
        ClaimsSetRequest iDTokenClaimsRequest;
        ClaimsSetRequest.Entry entry;
        OIDCAuthenticationRequest apply = this.authenticationRequestLookupStrategy.apply(profileRequestContext);
        if (apply == null) {
            this.log.warn("Authentication request not found in profile context, is the authenticationRequestLookupStrategy configured correctly? The 'auth_time' is now active");
            return true;
        }
        if (apply.getMaxAge() != null) {
            return true;
        }
        OIDCClaimsRequest requestedClaims = apply.getRequestedClaims();
        if (requestedClaims == null || (iDTokenClaimsRequest = requestedClaims.getIDTokenClaimsRequest()) == null || (entry = iDTokenClaimsRequest.get("auth_time")) == null) {
            return false;
        }
        if (entry.getClaimRequirement() == ClaimRequirement.ESSENTIAL) {
            return true;
        }
        return entry.getClaimRequirement() == ClaimRequirement.VOLUNTARY && jWTClaimsSet.getClaim("auth_time") != null;
    }
}
