package net.shibboleth.oidc.security.jose.impl;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.credential.JOSEObjectCredentialResolver;
import net.shibboleth.oidc.security.jose.DecryptionConfiguration;
import net.shibboleth.oidc.security.jose.DecryptionParameters;
import net.shibboleth.oidc.security.jose.DecryptionParametersResolver;
import net.shibboleth.oidc.security.jose.criterion.DecryptionConfigurationCriterion;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.resolver.CriteriaSet;
import net.shibboleth.shared.resolver.ResolverException;
import org.opensaml.xmlsec.impl.AbstractSecurityParametersResolver;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/oidc/security/jose/impl/DefaultDecryptionParametersResolver.class */
public class DefaultDecryptionParametersResolver extends AbstractSecurityParametersResolver<DecryptionParameters> implements DecryptionParametersResolver {

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(DefaultDecryptionParametersResolver.class);
    static final /* synthetic */ boolean $assertionsDisabled;

    @Nonnull
    public Iterable<DecryptionParameters> resolve(@Nullable CriteriaSet criteriaSet) throws ResolverException {
        DecryptionParameters resolveSingle = resolveSingle(criteriaSet);
        return resolveSingle != null ? CollectionSupport.singletonList(resolveSingle) : CollectionSupport.emptyList();
    }

    @Nullable
    public DecryptionParameters resolveSingle(@Nullable CriteriaSet criteriaSet) throws ResolverException {
        DecryptionConfigurationCriterion decryptionConfigurationCriterion = criteriaSet != null ? (DecryptionConfigurationCriterion) criteriaSet.get(DecryptionConfigurationCriterion.class) : null;
        if (decryptionConfigurationCriterion == null) {
            throw new ResolverException("Resolver requires an instance of DecryptionConfigurationCriterion");
        }
        if (!$assertionsDisabled && criteriaSet == null) {
            throw new AssertionError();
        }
        DecryptionParameters decryptionParameters = new DecryptionParameters();
        resolveAndPopulateIncludesExcludes(decryptionParameters, criteriaSet, decryptionConfigurationCriterion.getConfigurations());
        decryptionParameters.setContentEncryptionKeyCredentialResolver(resolveContentEncryptionKeyCredentialResolver(criteriaSet));
        decryptionParameters.setKEKCredentialResolver(resolveKEKCredentialResolver(criteriaSet));
        criteriaSet.forEach(criterion -> {
            decryptionParameters.getAdditionalCriteria().add(criterion);
        });
        logResult(decryptionParameters);
        return decryptionParameters;
    }

    @Nullable
    protected JOSEObjectCredentialResolver resolveKEKCredentialResolver(@Nonnull CriteriaSet criteriaSet) {
        DecryptionConfigurationCriterion decryptionConfigurationCriterion = (DecryptionConfigurationCriterion) criteriaSet.get(DecryptionConfigurationCriterion.class);
        if (!$assertionsDisabled && decryptionConfigurationCriterion == null) {
            throw new AssertionError();
        }
        for (DecryptionConfiguration decryptionConfiguration : decryptionConfigurationCriterion.getConfigurations()) {
            if (decryptionConfiguration.getKEKCredentialResolver() != null) {
                return decryptionConfiguration.getKEKCredentialResolver();
            }
        }
        return null;
    }

    @Nullable
    protected JOSEObjectCredentialResolver resolveContentEncryptionKeyCredentialResolver(@Nonnull CriteriaSet criteriaSet) {
        DecryptionConfigurationCriterion decryptionConfigurationCriterion = (DecryptionConfigurationCriterion) criteriaSet.get(DecryptionConfigurationCriterion.class);
        if (!$assertionsDisabled && decryptionConfigurationCriterion == null) {
            throw new AssertionError();
        }
        for (DecryptionConfiguration decryptionConfiguration : decryptionConfigurationCriterion.getConfigurations()) {
            if (decryptionConfiguration.getContentEncryptionKeyCredentialResolver() != null) {
                return decryptionConfiguration.getContentEncryptionKeyCredentialResolver();
            }
        }
        return null;
    }

    protected void logResult(@Nonnull DecryptionParameters decryptionParameters) {
        if (this.log.isDebugEnabled()) {
            this.log.debug("Resolved DecryptionParameters:");
            this.log.debug("\tAlgorithm includes: {}", decryptionParameters.getIncludedAlgorithms());
            this.log.debug("\tAlgorithm excludes: {}", decryptionParameters.getExcludedAlgorithms());
            this.log.debug("\tContent Encryption Key CredentialResolver: {}", decryptionParameters.getContentEncryptionKeyCredentialResolver() != null ? "present" : "null");
            this.log.debug("\tKEK CredentialResolver: {}", decryptionParameters.getKEKCredentialResolver() != null ? "present" : "null");
        }
    }

    static {
        $assertionsDisabled = !DefaultDecryptionParametersResolver.class.desiredAssertionStatus();
    }
}
