package net.shibboleth.oidc.security.credential.impl;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.net.URI;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.LinkedHashSet;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.jwk.RemoteJwkSetCache;
import net.shibboleth.oidc.security.jose.criterion.ClientInformationCriterion;
import net.shibboleth.shared.annotation.ParameterName;
import net.shibboleth.shared.annotation.constraint.Positive;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.security.credential.Credential;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/oidc/security/credential/impl/ClientInformationCredentialResolver.class */
public class ClientInformationCredentialResolver extends AbstractClientInformationCredentialResolver {

    @Nonnull
    private final Logger log;

    @Nonnull
    private final RemoteJwkSetCache remoteJwkSetCache;

    @Positive
    @Nonnull
    private final Duration keyFetchInterval;
    static final /* synthetic */ boolean $assertionsDisabled;

    public ClientInformationCredentialResolver(@ParameterName(name = "remoteJwkSetCache") @Nonnull RemoteJwkSetCache remoteJwkSetCache) {
        this(remoteJwkSetCache, Duration.ofMinutes(30L));
    }

    public ClientInformationCredentialResolver(@ParameterName(name = "remoteJwkSetCache") @Nonnull RemoteJwkSetCache remoteJwkSetCache, @ParameterName(name = "keyFetchInterval") @Positive @Nonnull Duration duration) {
        this.log = LoggerFactory.getLogger(ClientInformationCredentialResolver.class);
        this.remoteJwkSetCache = (RemoteJwkSetCache) Constraint.isNotNull(remoteJwkSetCache, "The remote JWK set cache cannot be null");
        Constraint.isFalse(duration == null || duration.isNegative(), "Remote key refresh must be greater than 0");
        this.keyFetchInterval = duration;
    }

    @Override // net.shibboleth.oidc.security.credential.impl.BasicJOSEObjectCredentialResolver
    @Nonnull
    protected Iterable<Credential> resolveFromSource(@Nullable CriteriaSet criteriaSet) throws ResolverException {
        ClientInformationCriterion clientInformationCriterion;
        Constraint.isNotNull(criteriaSet, "CriteriaSet was null");
        if (criteriaSet != null && (clientInformationCriterion = (ClientInformationCriterion) criteriaSet.get(ClientInformationCriterion.class)) != null) {
            return resolveFromMetadata(criteriaSet, clientInformationCriterion.getOidcClientInformation());
        }
        this.log.debug("Criteria did not contain a ClientInformationCriterion could not perform resolution");
        return CollectionSupport.emptySet();
    }

    @Nonnull
    protected Collection<Credential> resolveFromMetadata(@Nonnull CriteriaSet criteriaSet, @Nonnull OIDCClientInformation oIDCClientInformation) {
        JWKSet jWKSet;
        LinkedHashSet linkedHashSet = new LinkedHashSet(1);
        OIDCClientMetadata oIDCMetadata = oIDCClientInformation.getOIDCMetadata();
        linkedHashSet.addAll(resolveSecretCredentials(criteriaSet));
        URI jWKSetURI = oIDCMetadata.getJWKSetURI();
        if (jWKSetURI != null) {
            String extractKeyIdFromCriteria = extractKeyIdFromCriteria(criteriaSet);
            Instant now = Instant.now();
            if (!$assertionsDisabled && now == null) {
                throw new AssertionError();
            }
            Instant plus = now.plus((TemporalAmount) this.keyFetchInterval);
            if (!$assertionsDisabled && plus == null) {
                throw new AssertionError();
            }
            if (StringSupport.trimOrNull(extractKeyIdFromCriteria) == null) {
                jWKSet = this.remoteJwkSetCache.fetch(jWKSetURI, plus);
            } else {
                if (!$assertionsDisabled && extractKeyIdFromCriteria == null) {
                    throw new AssertionError();
                }
                jWKSet = this.remoteJwkSetCache.fetch(jWKSetURI, extractKeyIdFromCriteria, plus);
            }
            if (jWKSet == null) {
                this.log.debug("Remote keys could not be fetched, unable to resolve credentials");
                return linkedHashSet;
            }
        } else {
            if (oIDCMetadata.getJWKSet() == null) {
                return linkedHashSet;
            }
            jWKSet = oIDCMetadata.getJWKSet();
        }
        if (!$assertionsDisabled && jWKSet == null) {
            throw new AssertionError();
        }
        populateCredentialsFromKeySet(jWKSet, linkedHashSet);
        return linkedHashSet;
    }

    static {
        $assertionsDisabled = !ClientInformationCredentialResolver.class.desiredAssertionStatus();
    }
}
