package net.shibboleth.oidc.security.jose.impl;

import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.security.credential.ClientSecretCredential;
import net.shibboleth.oidc.security.jose.SignatureSigningParameters;
import net.shibboleth.oidc.security.jose.criterion.ClientSecretCredentialCriterion;
import net.shibboleth.oidc.security.jose.criterion.ProviderMetadataCriterion;
import net.shibboleth.shared.annotation.constraint.NotLive;
import net.shibboleth.shared.annotation.constraint.Unmodifiable;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.FunctionSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.NonnullSupplier;
import net.shibboleth.shared.resolver.CriteriaSet;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/oidc/security/jose/impl/RelyingPartySigningParametersResolver.class */
public class RelyingPartySigningParametersResolver extends BasicSignatureSigningParametersResolver {

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(RelyingPartySigningParametersResolver.class);

    @Nonnull
    private Function<OIDCProviderMetadata, List<String>> providerMetadataAlgorithmLookupStrategy = FunctionSupport.constant((Object) null);

    public void setProviderMetadataAlgorithmLookupStrategy(@Nonnull Function<OIDCProviderMetadata, List<String>> function) {
        this.providerMetadataAlgorithmLookupStrategy = (Function) Constraint.isNotNull(function, "ProviderMetadataAlgorithmLookupStrategy can not be null");
    }

    @Override // net.shibboleth.oidc.security.jose.impl.BasicSignatureSigningParametersResolver
    protected void resolveAndPopulateCredentialAndSignatureAlgorithm(@Nonnull SignatureSigningParameters signatureSigningParameters, @Nonnull CriteriaSet criteriaSet, @Nonnull Predicate<String> predicate) {
        ArrayList arrayList = new ArrayList();
        ClientSecretCredentialCriterion clientSecretCredentialCriterion = (ClientSecretCredentialCriterion) criteriaSet.get(ClientSecretCredentialCriterion.class);
        if (clientSecretCredentialCriterion != null) {
            ClientSecretCredential credential = clientSecretCredentialCriterion.getCredential();
            this.log.trace("Client secret signing credential found in criterion");
            arrayList.add(credential.toSigningCredential());
        }
        arrayList.addAll(getEffectiveSigningCredentials(criteriaSet));
        List<String> effectiveSignatureAlgorithms = getEffectiveSignatureAlgorithms(criteriaSet, predicate);
        this.log.debug("Resolved effective signature algorithms from config: '{}'", effectiveSignatureAlgorithms);
        List<String> filterForProviderSupportedAlgorithms = filterForProviderSupportedAlgorithms(criteriaSet, effectiveSignatureAlgorithms);
        this.log.trace("Resolved effective signature algorithms: {}", filterForProviderSupportedAlgorithms);
        findCompatibleAlgorithmAndCredential(filterForProviderSupportedAlgorithms, arrayList, signatureSigningParameters);
    }

    @Unmodifiable
    @Nonnull
    @NotLive
    private List<String> filterForProviderSupportedAlgorithms(@Nonnull CriteriaSet criteriaSet, @Nonnull List<String> list) {
        ProviderMetadataCriterion providerMetadataCriterion = (ProviderMetadataCriterion) criteriaSet.get(ProviderMetadataCriterion.class);
        if (providerMetadataCriterion == null) {
            this.log.debug("No provider metadata criterion, unable to filter for provider supported algorithms");
            return CollectionSupport.copyToList(list);
        }
        List<String> apply = this.providerMetadataAlgorithmLookupStrategy.apply(providerMetadataCriterion.getMetadata());
        this.log.trace("Provider metadata supports the following signature algorithms '{}'", apply);
        if (apply == null) {
            this.log.trace("Lookup strategy could not determine provider supported algorithms from metadata, no further filtering performed");
            return CollectionSupport.copyToList(list);
        }
        Stream<String> stream = list.stream();
        Objects.requireNonNull(apply);
        return (List) ((NonnullSupplier) stream.filter((v1) -> {
            return r1.contains(v1);
        }).collect(CollectionSupport.nonnullCollector(Collectors.toList()))).get();
    }
}
