package net.shibboleth.oidc.security.jwt.claims.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.jwt.claims.AbstractClaimsValidator;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.shared.collection.CollectionSupport;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import org.opensaml.profile.context.ProfileRequestContext;

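/**
 * Claims validator that checks the JWT {@code aud} claim against the audience this deployment
 * accepts.
 *
 * <p>Validation, as implemented in {@link #doValidate}:</p>
 * <ol>
 *   <li>The accepted audience set is resolved via the audience lookup strategy.</li>
 *   <li>If the token carries no audience, it is rejected unless {@code allowMissing} is set.</li>
 *   <li>At least one non-null audience value in the token must be in the accepted set.</li>
 *   <li>Only when {@code extraAudienceValidation} is enabled and the token has more than one
 *       audience: every audience that is not in the accepted set must be in the set returned by
 *       the additional audiences lookup strategy.</li>
 * </ol>
 *
 * <p>Security notes: with {@code extraAudienceValidation} left at its default ({@code false}), a
 * token naming the accepted audience alongside arbitrary other audiences passes. With
 * {@code allowMissing} enabled, a token with no {@code aud} claim passes without any audience
 * binding. Both settings relax the check and should be chosen deliberately.</p>
 *
 * <p>This source is decompiler output; identifiers such as {@code jWTClaimsSet} are the
 * decompiler's, kept so the signatures stay unchanged.</p>
 */
@ThreadSafeAfterInit
/* loaded from: input_file:net/shibboleth/oidc/security/jwt/claims/impl/AudienceClaimsValidator.class */
public class AudienceClaimsValidator extends AbstractClaimsValidator {

    /** Strategy that returns the single audience value this validator accepts. Required. */
    @NonnullAfterInit
    private BiFunction<ProfileRequestContext, JWTClaimsSet, String> audienceLookupStrategy;

    /** Whether a token with a missing or empty audience is accepted. Defaults to {@code false}. */
    private boolean allowMissing;

    /** Strategy that returns further audiences tolerated next to the accepted one. Defaults to none. */
    @Nonnull
    private BiFunction<ProfileRequestContext, JWTClaimsSet, Set<String>> additionalAudiencesLookupStrategy =
            (profileRequestContext, jWTClaimsSet) -> CollectionSupport.emptySet();

    /** Whether audiences other than the accepted one must be explicitly trusted. Defaults to {@code false}. */
    private boolean extraAudienceValidation = false;

    /**
     * Fails initialization when no audience lookup strategy has been configured, so the validator
     * cannot run without a source for the accepted audience.
     *
     * @throws ComponentInitializationException if the audience lookup strategy is {@code null}
     */
    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.audienceLookupStrategy == null) {
            throw new ComponentInitializationException("Audience lookup strategy can not be null");
        }
    }

    /**
     * Sets the strategy used to look up the accepted audience. Rejected once the component is
     * initialized.
     *
     * @param biFunction the lookup strategy, must not be {@code null}
     */
    public void setAudienceLookupStrategy(@Nonnull BiFunction<ProfileRequestContext, JWTClaimsSet, String> biFunction) {
        ifInitializedThrowUnmodifiabledComponentException();
        // Constraint.isNotNull is generic, so the raw (BiFunction) cast the decompiler emitted is not needed.
        this.audienceLookupStrategy = Constraint.isNotNull(biFunction, "Audience lookup strategy can not be null");
    }

    /**
     * Sets the strategy used to look up additional trusted audiences. Rejected once the component
     * is initialized or destroyed.
     *
     * @param biFunction the lookup strategy, must not be {@code null}
     */
    public void setAdditionalAudiencesLookupStrategy(@Nonnull BiFunction<ProfileRequestContext, JWTClaimsSet, Set<String>> biFunction) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        this.additionalAudiencesLookupStrategy =
                Constraint.isNotNull(biFunction, "Additional audiences lookup strategy can not be null");
    }

    /**
     * Sets whether a token with a missing or empty audience is accepted.
     *
     * @param z {@code true} to accept tokens without an audience
     */
    public void setAllowMissing(boolean z) {
        // NOTE(review): unlike the other setters, this one has no initialized/destroyed guard, so
        // this security-relevant flag can be flipped on a live component and is written without
        // synchronization. Confirm whether that is intended; callers should set it only during
        // configuration.
        this.allowMissing = z;
    }

    /**
     * Sets whether audiences beyond the accepted one must be present in the additional audiences
     * set. Rejected once the component is initialized or destroyed.
     *
     * @param z {@code true} to require every extra audience to be trusted
     */
    public void setExtraAudienceValidation(boolean z) {
        ifInitializedThrowUnmodifiabledComponentException();
        ifDestroyedThrowDestroyedComponentException();
        this.extraAudienceValidation = z;
    }

    /**
     * Resolves the set of audiences this validator accepts, which here is the single value
     * returned by the audience lookup strategy.
     *
     * @param jWTClaimsSet the claims being validated
     * @param profileRequestContext the current profile request context
     * @return a set holding the accepted audience
     * @throws JWTValidationException if the lookup strategy returns {@code null}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Nonnull
    @NotEmpty
    public Set<String> resolveAcceptedAudiences(@Nonnull JWTClaimsSet jWTClaimsSet, @Nonnull ProfileRequestContext profileRequestContext) throws JWTValidationException {
        final String acceptedAudience = this.audienceLookupStrategy.apply(profileRequestContext, jWTClaimsSet);
        if (acceptedAudience == null) {
            // Fail closed: without a known accepted audience nothing can be matched.
            throw new JWTValidationException("Audience value not returned by lookup function");
        }
        return CollectionSupport.setOf(acceptedAudience);
    }

    /**
     * Validates the audience of the given claims set; see the class description for the steps.
     *
     * @param jWTClaimsSet the claims being validated
     * @param profileRequestContext the current profile request context
     * @throws JWTValidationException if the audience is missing and not allowed to be, if no
     *         accepted audience is present, or if extra validation is on and an additional
     *         audience is not trusted
     */
    protected void doValidate(@Nonnull JWTClaimsSet jWTClaimsSet, @Nonnull ProfileRequestContext profileRequestContext) throws JWTValidationException {
        final Set<String> acceptedAudiences = resolveAcceptedAudiences(jWTClaimsSet, profileRequestContext);

        final Set<String> lookedUpAdditional = this.additionalAudiencesLookupStrategy.apply(profileRequestContext, jWTClaimsSet);
        final Set<String> additionalAudiences;
        if (lookedUpAdditional == null) {
            // A strategy returning null is treated as "no additional audiences trusted".
            additionalAudiences = CollectionSupport.emptySet();
        } else {
            additionalAudiences = lookedUpAdditional;
        }

        final List<String> audience = jWTClaimsSet.getAudience();
        if (audience == null || audience.isEmpty()) {
            if (!this.allowMissing) {
                throw new JWTValidationException("JWT missing required audience");
            }
            return;
        }

        // Null entries are dropped before matching; a list of only nulls therefore matches nothing
        // and is rejected below.
        final List<String> presentAudiences = audience.stream().filter(Objects::nonNull).toList();

        // The decompiler emitted an undefined 'r1' here; the receiver is the accepted-audience set.
        if (!presentAudiences.stream().anyMatch(acceptedAudiences::contains)) {
            // The listed values come from the token and are untrusted input to whatever logs this.
            throw new JWTValidationException("JWT audience rejected, no accepted audiences found in: " + presentAudiences);
        }

        if (presentAudiences.size() <= 1 || !this.extraAudienceValidation) {
            return;
        }

        // Every audience that is not the accepted one must be explicitly trusted.
        final List<String> otherAudiences = presentAudiences.stream()
                .filter(aud -> !acceptedAudiences.contains(aud))
                .toList();
        if (!otherAudiences.stream().allMatch(additionalAudiences::contains)) {
            throw new JWTValidationException("JWT audience rejected, additional audiences not trusted: " + otherAudiences);
        }
    }
}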
