package net.shibboleth.oidc.security.impl;

import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.function.BiConsumer;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.security.jose.SignatureException;
import net.shibboleth.oidc.security.jose.SignatureSigningParameters;
import net.shibboleth.oidc.security.jose.context.SecurityParametersContext;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NonnullBeforeExec;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.logic.FunctionSupport;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.messaging.context.navigate.ChildContextLookup;
import org.opensaml.messaging.handler.AbstractMessageHandler;
import org.opensaml.messaging.handler.MessageHandlerException;
import org.slf4j.Logger;

/* loaded from: input_file:net/shibboleth/oidc/security/impl/SignJWTHandler.class */
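/**
 * Message handler that signs a {@link JWTClaimsSet} taken from the message context and hands
 * the resulting {@link JWT} to a configured consumer.
 *
 * <p>{@link #doPreInvoke(MessageContext)} resolves the signing parameters and the claims to sign;
 * {@link #doInvoke(MessageContext)} performs the signing and calls the update consumer.</p>
 *
 * <p>Points a reviewer should keep in mind:</p>
 * <ul>
 * <li><b>Signing can be skipped silently.</b> When no {@link SecurityParametersContext}, no
 * {@link SignatureSigningParameters} or no claims set is found, {@code doPreInvoke} returns
 * {@code false} and only a DEBUG line is written. The update consumer is then never called.
 * NOTE(review): if a signed token is mandatory for the flow, confirm that a later step rejects
 * the missing signature rather than emitting an unsigned token.</li>
 * <li><b>Per-invocation state lives in instance fields</b> ({@code jwtClaimSetToSign},
 * {@code signer}). NOTE(review): if one handler instance can serve concurrent requests, the
 * values written by one request could be read by another; confirm the instance scope used by
 * the deployment.</li>
 * <li><b>TRACE logging prints token content.</b> See {@link #logJWT(SignedJWT)}.</li>
 * </ul>
 */
public class SignJWTHandler extends AbstractMessageHandler {

    /** Receives the signed JWT together with the message context. Required at initialization. */
    @NonnullAfterInit
    private BiConsumer<JWT, MessageContext> jwtUpdateConsumer;

    /** Locates the claims set to sign in the message context. Required at initialization. */
    @NonnullAfterInit
    private Function<MessageContext, JWTClaimsSet> claimsToSignLookupStrategy;

    /** Claims set resolved by doPreInvoke for the current invocation. */
    @NonnullBeforeExec
    private JWTClaimsSet jwtClaimSetToSign;

    /** Signer built by doPreInvoke from the resolved signing parameters. */
    @NonnullBeforeExec
    private JWSTokenSigner signer;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(SignJWTHandler.class);

    /** Friendly name of the signed object, used in log messages only. */
    @Nonnull
    @NotEmpty
    private String logName = "not-specified";

    /** Locates the security parameters context; defaults to a child-context lookup. */
    @Nonnull
    private Function<MessageContext, SecurityParametersContext> securityParametersLookupStrategy = new ChildContextLookup(SecurityParametersContext.class);

    /** Supplies the value passed to the signer as type header; defaults to a constant null. */
    @Nonnull
    private Function<MessageContext, String> typeHeaderLookupStrategy = FunctionSupport.constant((Object) null);

    /**
     * Sets the name used for the signed object in log messages.
     *
     * @param str the log name, must not be null or empty
     */
    public void setLogName(@Nonnull @NotEmpty String str) {
        checkSetterPreconditions();
        // The constraint message previously named an unrelated property ("ForFriendlyName").
        this.logName = Constraint.isNotEmpty(str, "Log name can not be null or empty");
    }

    /**
     * Verifies that the two mandatory collaborators were configured.
     *
     * @throws ComponentInitializationException if the claims lookup strategy or the update
     *         consumer is missing
     */
    protected void doInitialize() throws ComponentInitializationException {
        if (this.claimsToSignLookupStrategy == null) {
            throw new ComponentInitializationException("Claims To Sign Lookup Strategy can not be null");
        }
        if (this.jwtUpdateConsumer == null) {
            throw new ComponentInitializationException("JWT Update Consumer can not be null");
        }
        super.doInitialize();
    }

    /**
     * Sets the strategy that locates the claims set to sign.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setClaimsToSignLookupStrategy(@Nonnull Function<MessageContext, JWTClaimsSet> function) {
        checkSetterPreconditions();
        this.claimsToSignLookupStrategy = (Function) Constraint.isNotNull(function, "Claims To Sign Lookup Strategy can not be null");
    }

    /**
     * Sets the consumer that receives the signed JWT.
     *
     * @param biConsumer the consumer, must not be null
     */
    public void setJwtUpdateConsumer(@Nonnull BiConsumer<JWT, MessageContext> biConsumer) {
        checkSetterPreconditions();
        this.jwtUpdateConsumer = (BiConsumer) Constraint.isNotNull(biConsumer, "JWT Update Consumer can not be null");
    }

    /**
     * Sets a fixed type header value; the value is trimmed and an empty value becomes null.
     *
     * @param str the type header value, may be null
     */
    public void setTypeHeader(@NotEmpty @Nullable String str) {
        checkSetterPreconditions();
        this.typeHeaderLookupStrategy = FunctionSupport.constant(StringSupport.trimOrNull(str));
    }

    /**
     * Sets the strategy that locates the security parameters context.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setSecurityParametersLookupStrategy(@Nonnull Function<MessageContext, SecurityParametersContext> function) {
        checkSetterPreconditions();
        this.securityParametersLookupStrategy = (Function) Constraint.isNotNull(function, "SecurityParameterContext lookup strategy cannot be null");
    }

    /**
     * Sets the strategy that supplies the type header value per message context.
     *
     * @param function the lookup strategy, must not be null
     */
    public void setTypeHeaderLookupStrategy(@Nonnull Function<MessageContext, String> function) {
        checkSetterPreconditions();
        this.typeHeaderLookupStrategy = (Function) Constraint.isNotNull(function, "Type header lookup strategy cannot be null");
    }

    /**
     * Resolves the signing parameters and the claims set, and builds the signer.
     *
     * <p>Every missing input ends the invocation with {@code false} and a DEBUG message; no
     * exception is raised, so the caller cannot tell a skipped signature from a disabled
     * handler by the return path alone.</p>
     *
     * @param messageContext the current message context
     * @return true if signing should proceed, false if it is skipped
     * @throws MessageHandlerException if the superclass pre-invoke fails
     */
    protected boolean doPreInvoke(@Nonnull MessageContext messageContext) throws MessageHandlerException {
        if (!super.doPreInvoke(messageContext)) {
            return false;
        }
        SecurityParametersContext apply = this.securityParametersLookupStrategy.apply(messageContext);
        if (apply == null) {
            this.log.debug("{} Message context did not contain a signing parameters context, signing skipped", getLogPrefix());
            return false;
        }
        SignatureSigningParameters signatureSigningParameters = apply.getSignatureSigningParameters();
        if (signatureSigningParameters == null) {
            this.log.debug("{} No signature signing parameters available, signing skipped", getLogPrefix());
            return false;
        }
        this.jwtClaimSetToSign = this.claimsToSignLookupStrategy.apply(messageContext);
        if (this.jwtClaimSetToSign == null) {
            this.log.debug("{} No JWT claims, nothing to sign", getLogPrefix());
            return false;
        }
        // NOTE(review): the signer and the claims stay referenced by this instance after the
        // invocation ends; nothing in this class clears them.
        this.signer = new JWSTokenSigner(signatureSigningParameters);
        return true;
    }

    /**
     * Signs the claims set resolved by doPreInvoke and passes the result to the update consumer.
     *
     * @param messageContext the current message context
     * @throws MessageHandlerException if the signer reports a {@link SignatureException}
     */
    protected void doInvoke(@Nonnull MessageContext messageContext) throws MessageHandlerException {
        String typeHeader = this.typeHeaderLookupStrategy.apply(messageContext);
        try {
            assert this.jwtClaimSetToSign != null;
            JWT signed = this.signer.sign(this.jwtClaimSetToSign, typeHeader);
            this.log.debug("{} '{}' signed successfully", getLogPrefix(), this.logName);
            // logJWT takes a SignedJWT; check the runtime type instead of assuming it.
            if (this.log.isTraceEnabled() && signed instanceof SignedJWT) {
                logJWT((SignedJWT) signed);
            }
            this.jwtUpdateConsumer.accept(signed, messageContext);
        } catch (SignatureException e) {
            this.log.error("{} Error signing '{}' : {}", getLogPrefix(), this.logName, e.getMessage());
            throw new MessageHandlerException("Error signing token", e);
        }
    }

    /**
     * Writes the claims set and the signature of a signed JWT to the TRACE log.
     *
     * <p>The claims may hold subject identifiers or other personal data, and the signature is
     * logged next to them. Treat any log sink that receives TRACE output from this class as
     * holding token material: restrict access to it and keep TRACE off in production.</p>
     *
     * @param signedJWT the signed JWT to print
     */
    private void logJWT(@Nonnull SignedJWT signedJWT) {
        try {
            this.log.trace("{} Signed JWT: {}, signature '{}'", getLogPrefix(), signedJWT.getJWTClaimsSet(), signedJWT.getSignature());
        } catch (IllegalStateException | ParseException e) {
            this.log.trace("{} Unable to print signed JWT: {}", getLogPrefix(), e.getMessage());
        }
    }
}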
