package net.shibboleth.oidc.metadata.impl;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.SoftwareID;
import com.nimbusds.oauth2.sdk.id.SoftwareVersion;
import com.nimbusds.openid.connect.sdk.SubjectType;
import com.nimbusds.openid.connect.sdk.claims.ACR;
import com.nimbusds.openid.connect.sdk.rp.ApplicationType;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientInformation;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.shibboleth.oidc.saml.xmlobject.DefaultAcrValue;
import net.shibboleth.oidc.saml.xmlobject.MetadataValueSAMLObject;
import net.shibboleth.oidc.saml.xmlobject.OAuthRPExtensions;
import net.shibboleth.oidc.security.credential.JWKReferenceCredential;
import net.shibboleth.oidc.security.credential.NimbusSecretCredential;
import net.shibboleth.oidc.security.impl.CredentialConversionUtil;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import net.shibboleth.utilities.java.support.resolver.CriteriaSet;
import net.shibboleth.utilities.java.support.resolver.ResolverException;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.criterion.RoleDescriptorCriterion;
import org.opensaml.saml.metadata.resolver.RoleDescriptorResolver;
import org.opensaml.saml.metadata.resolver.filter.FilterException;
import org.opensaml.saml.metadata.resolver.filter.MetadataNodeProcessor;
import org.opensaml.saml.saml2.metadata.AssertionConsumerService;
import org.opensaml.saml.saml2.metadata.EntityDescriptor;
import org.opensaml.saml.saml2.metadata.Extensions;
import org.opensaml.saml.saml2.metadata.NameIDFormat;
import org.opensaml.saml.saml2.metadata.RoleDescriptor;
import org.opensaml.saml.saml2.metadata.SPSSODescriptor;
import org.opensaml.saml.security.impl.MetadataCredentialResolver;
import org.opensaml.security.credential.Credential;
import org.opensaml.xmlsec.keyinfo.KeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.BasicProviderKeyInfoCredentialResolver;
import org.opensaml.xmlsec.keyinfo.impl.KeyInfoProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/oidc/metadata/impl/ClientInformationNodeProcessor.class */
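/**
 * Metadata node processor that derives OIDC client registration data from a SAML
 * {@link SPSSODescriptor} and stores it in the node's object metadata as an
 * {@link OIDCClientInformation}.
 *
 * <p>Only descriptors that declare support for the OpenID Connect Core protocol URI are processed.
 * The client identifier is taken from the parent entity's entityID, redirect URIs from the
 * AssertionConsumerService elements, the remaining client metadata from the
 * {@link OAuthRPExtensions} element, and the secret / keys from the descriptor's credentials.</p>
 *
 * <p>Everything registered here is taken verbatim from the metadata document. This class performs no
 * signature or trust evaluation of its own. NOTE(review): presumably that is done by other filters
 * in the metadata pipeline before this processor runs; confirm against the deployment.</p>
 */
public class ClientInformationNodeProcessor implements MetadataNodeProcessor {
    /** Binding value that marks an AssertionConsumerService as an OAuth2/OIDC redirect URI. */
    public static final String BINDING_ID_REDIRECT_URI = "https://tools.ietf.org/html/rfc6749#section-3.1.2";

    /** Class logger. */
    private final Logger log = LoggerFactory.getLogger(ClientInformationNodeProcessor.class);

    /** Resolver handed to the metadata credential resolver for processing KeyInfo elements. */
    @Nonnull
    private final KeyInfoCredentialResolver keyInfoCredentialResolver;

    /**
     * Minimal role descriptor resolver whose {@link #resolve(CriteriaSet)} wraps the single result of
     * {@code resolveSingle}. Subclasses supply {@code resolveSingle}; the valid-metadata flag is
     * always reported as {@code false} and attempts to set it are ignored.
     */
    protected abstract class SkeletonEchoingRoleDescriptorResolver implements RoleDescriptorResolver {
        protected SkeletonEchoingRoleDescriptorResolver() {
        }

        /**
         * Returns a one-element list holding whatever {@code resolveSingle} returns.
         *
         * @param criteriaSet criteria passed through to {@code resolveSingle}
         * @return list with exactly one element (which is null if {@code resolveSingle} returns null)
         * @throws ResolverException if {@code resolveSingle} throws it
         */
        public Iterable<RoleDescriptor> resolve(CriteriaSet criteriaSet) throws ResolverException {
            final RoleDescriptor single = resolveSingle(criteriaSet);
            return Arrays.asList(single);
        }

        /** @return the fixed identifier of this embedded resolver */
        public String getId() {
            return "EmbeddedLocalRoleDescriptorResolver";
        }

        /** @return always {@code false} */
        public boolean isRequireValidMetadata() {
            return false;
        }

        /**
         * Ignored; this resolver has no valid-metadata setting.
         *
         * @param z ignored
         */
        public void setRequireValidMetadata(boolean z) {
        }
    }

    /**
     * Constructor.
     *
     * @param list KeyInfo providers used to build the {@link BasicProviderKeyInfoCredentialResolver}
     */
    public ClientInformationNodeProcessor(@Nonnull List<KeyInfoProvider> list) {
        this.keyInfoCredentialResolver = new BasicProviderKeyInfoCredentialResolver(list);
    }

    /**
     * Attaches an {@link OIDCClientInformation} to the given node when it is an
     * {@link SPSSODescriptor} supporting the OpenID Connect Core protocol URI.
     *
     * <p>Nodes of any other type, descriptors without that protocol, and descriptors for which no
     * client_id can be derived are left untouched.</p>
     *
     * @param xMLObject metadata node being filtered, may be null
     * @throws FilterException declared by the interface; not thrown by the code in this method
     */
    @Override
    public void process(@Nullable XMLObject xMLObject) throws FilterException {
        if (!(xMLObject instanceof SPSSODescriptor)) {
            return;
        }
        final SPSSODescriptor descriptor = (SPSSODescriptor) xMLObject;
        if (!descriptor.isSupportedProtocol("http://openid.net/specs/openid-connect-core-1_0.html")) {
            return;
        }

        final ClientID clientId = parseClientID(descriptor);
        if (clientId == null || StringSupport.trimOrNull(clientId.getValue()) == null) {
            this.log.error("Could not find a value for client_id, nothing to do");
            return;
        }

        // Credentials are resolved once and shared: populateMetadata reads the JWKS URI / JWK set
        // from them, parseClientSecret the shared secret.
        final Iterable<Credential> credentials = resolveCredentials(descriptor);
        final OIDCClientMetadata metadata = populateMetadata(descriptor, credentials, clientId.getValue());
        final Secret secret = parseClientSecret(credentials);
        // No issue date is recorded for the registration.
        xMLObject.getObjectMetadata().put(new OIDCClientInformation(clientId, (Date) null, metadata, secret));
    }

    /**
     * Derives the client identifier from the entityID of the descriptor's parent.
     *
     * @param sPSSODescriptor role descriptor being processed
     * @return the client ID, or null if the parent is not an {@link EntityDescriptor} or its
     *         entityID is null or blank
     */
    @Nullable
    protected ClientID parseClientID(@Nonnull SPSSODescriptor sPSSODescriptor) {
        if (!sPSSODescriptor.hasParent() || !(sPSSODescriptor.getParent() instanceof EntityDescriptor)) {
            this.log.warn("Unexpected structure, EntityDescriptor not as a parent for OAuthRPRoleDescriptor");
            return null;
        }
        final String entityId = ((EntityDescriptor) sPSSODescriptor.getParent()).getEntityID();
        // Guard here so that a missing entityID is reported through the null return (and the error
        // log in process()) instead of depending on how the ClientID constructor treats such a value.
        if (StringSupport.trimOrNull(entityId) == null) {
            return null;
        }
        return new ClientID(entityId);
    }

    /**
     * Returns the secret of the first credential whose credential type is assignable to
     * {@link NimbusSecretCredential}.
     *
     * <p>Only the fact that a secret was found is logged, never its value.</p>
     *
     * @param iterable credentials resolved for the client
     * @return the client secret, or null if no secret credential is present
     */
    @Nullable
    protected Secret parseClientSecret(@Nonnull Iterable<Credential> iterable) {
        for (final Credential credential : iterable) {
            this.log.trace("Processing credential type {}", credential.getCredentialType());
            // The instanceof test backs up the declared credential type so the cast below cannot fail.
            if (NimbusSecretCredential.class.isAssignableFrom(credential.getCredentialType())
                    && credential instanceof NimbusSecretCredential) {
                this.log.debug("Found client secret from the credentials");
                return ((NimbusSecretCredential) credential).getSecret();
            }
        }
        this.log.trace("No client secret found from the credentials");
        return null;
    }

    /**
     * Builds the client metadata from the descriptor's {@link OAuthRPExtensions} element.
     *
     * <p>When the descriptor carries no such element the returned metadata is empty: not even the
     * redirect URIs are set. {@link #process(XMLObject)} still registers the client in that case.</p>
     *
     * @param sPSSODescriptor role descriptor being processed
     * @param iterable credentials resolved for the client
     * @param str client identifier, used for logging only
     * @return the populated (possibly empty) client metadata
     */
    @Nonnull
    protected OIDCClientMetadata populateMetadata(@Nonnull SPSSODescriptor sPSSODescriptor, @Nonnull Iterable<Credential> iterable, @Nonnull String str) {
        final OIDCClientMetadata metadata = new OIDCClientMetadata();
        final OAuthRPExtensions ext = getOAuthRPExtensions(sPSSODescriptor);
        if (ext == null) {
            this.log.debug("No {} found to be processed", "OAuthRPExtensions");
            return metadata;
        }

        metadata.setApplicationType(parseApplicationType(ext));
        metadata.setURI(getSingleURIValue(ext.getClientUri()));
        metadata.setDefaultACRs(parseDefaultAcrValues(ext));
        metadata.setGrantTypes(parseGrantTypes(ext));
        metadata.setIDTokenJWEAlg(parseJweAlgorithm(ext.getIdTokenEncryptedResponseAlg()));
        metadata.setIDTokenJWEEnc(parseEncryptionMethod(ext.getIdTokenEncryptedResponseEnc()));
        metadata.setIDTokenJWSAlg(parseJwsAlgorithm(ext.getIdTokenSignedResponseAlg()));
        metadata.setInitiateLoginURI(getSingleURIValue(ext.getInitiateLoginUri()));
        metadata.setPostLogoutRedirectionURIs(parseUris(ext.getPostLogoutRedirectUris()));
        metadata.setRedirectionURIs(parseRedirectUris(sPSSODescriptor));
        metadata.setRequestObjectJWEAlg(parseJweAlgorithm(ext.getRequestObjectEncryptionAlg()));
        metadata.setRequestObjectJWEEnc(parseEncryptionMethod(ext.getRequestObjectEncryptionEnc()));
        metadata.setRequestObjectJWSAlg(parseJwsAlgorithm(ext.getRequestObjectSigningAlg()));
        metadata.setRequestObjectURIs(parseUris(ext.getRequestUris()));
        metadata.setResponseTypes(parseResponseTypes(ext));
        metadata.setScope(parseScopes(ext));
        metadata.setSectorIDURI(getSingleURIValue(ext.getSectorIdentifierUri()));

        final String softwareId = ext.getSoftwareId();
        if (softwareId != null) {
            metadata.setSoftwareID(new SoftwareID(softwareId));
        }
        final String softwareVersion = ext.getSoftwareVersion();
        if (softwareVersion != null) {
            metadata.setSoftwareVersion(new SoftwareVersion(softwareVersion));
        }
        // Non-positive values are treated as "not configured" and leave the metadata default in place.
        if (ext.getDefaultMaxAge() > 0) {
            metadata.setDefaultMaxAge(ext.getDefaultMaxAge());
        }
        metadata.requiresAuthTime(ext.isRequireAuthTime());
        metadata.setSubjectType(parseSubjectType(sPSSODescriptor));
        metadata.setTokenEndpointAuthMethod(parseClientAuthenticationMethod(ext));
        metadata.setTokenEndpointAuthJWSAlg(parseJwsAlgorithm(ext.getTokenEndpointAuthSigningAlg()));
        metadata.setUserInfoJWEAlg(parseJweAlgorithm(ext.getUserInfoEncryptedResponseAlg()));
        metadata.setUserInfoJWEEnc(parseEncryptionMethod(ext.getUserInfoEncryptedResponseEnc()));
        metadata.setUserInfoJWSAlg(parseJwsAlgorithm(ext.getUserInfoSignedResponseAlg()));

        // A JWKS URI reference takes precedence; inline keys are only used when no URI is present.
        metadata.setJWKSetURI(parseJwkUri(iterable, str));
        if (metadata.getJWKSetURI() == null) {
            metadata.setJWKSet(parseJwkSet(iterable, str));
        }
        return metadata;
    }

    /**
     * Locates the {@link OAuthRPExtensions} element among the descriptor's extensions.
     *
     * <p>If several elements are present only the first is considered and a warning is logged.</p>
     *
     * @param sPSSODescriptor role descriptor being processed
     * @return the extensions element, or null if there are no extensions, no matching child, or the
     *         first matching child is not an {@link OAuthRPExtensions} instance
     */
    @Nullable
    protected OAuthRPExtensions getOAuthRPExtensions(SPSSODescriptor sPSSODescriptor) {
        final Extensions extensions = sPSSODescriptor.getExtensions();
        if (extensions == null) {
            this.log.debug("No extensions found from the given SPSSODescriptor");
            return null;
        }
        final List<XMLObject> candidates = extensions.getUnknownXMLObjects(OAuthRPExtensions.TYPE_NAME);
        if (candidates == null || candidates.isEmpty()) {
            this.log.debug("SPSSODescriptor Extensions element had no {} child elements", "OAuthRPExtensions");
            return null;
        }
        if (candidates.size() > 1) {
            this.log.warn("More than one {} defined, using only one of them", "OAuthRPExtensions");
        }
        final XMLObject first = candidates.get(0);
        if (first instanceof OAuthRPExtensions) {
            this.log.debug("Successfully parsed {}", "OAuthRPExtensions");
            return (OAuthRPExtensions) first;
        }
        this.log.warn("Could not parse {} from the element", "OAuthRPExtensions");
        return null;
    }

    /**
     * Resolves the credentials described by the descriptor's key descriptors.
     *
     * <p>A fresh {@link MetadataCredentialResolver} is wired to a role descriptor resolver that
     * simply echoes the given descriptor. Both an initialization failure and a resolution failure
     * are logged and reported as an empty result, in which case the caller registers the client
     * without a secret or keys.</p>
     *
     * @param sPSSODescriptor role descriptor being processed
     * @return the resolved credentials, or an empty set on failure
     */
    @Nonnull
    protected Iterable<Credential> resolveCredentials(final SPSSODescriptor sPSSODescriptor) {
        final MetadataCredentialResolver resolver = new MetadataCredentialResolver();
        resolver.setKeyInfoCredentialResolver(this.keyInfoCredentialResolver);
        resolver.setRoleDescriptorResolver(new SkeletonEchoingRoleDescriptorResolver() {
            public RoleDescriptor resolveSingle(CriteriaSet criteriaSet) throws ResolverException {
                return sPSSODescriptor;
            }
        });

        try {
            resolver.initialize();
        } catch (ComponentInitializationException e) {
            this.log.error("Could not initialize the SAML metadata credential resolver, cannot resolve JWKSet", e);
            // Do not go on to use a resolver that failed to initialize; treat it like a failed
            // resolution so the outcome is explicit rather than left to the uninitialized component.
            return Collections.emptySet();
        }

        final CriteriaSet criteria = new CriteriaSet();
        criteria.add(new RoleDescriptorCriterion(sPSSODescriptor));
        try {
            return resolver.resolve(criteria);
        } catch (ResolverException e) {
            this.log.warn("Could not resolve credentials", e);
            return Collections.emptySet();
        }
    }

    /**
     * Converts every credential that can be expressed as a JWK into a {@link JWKSet}.
     *
     * @param iterable credentials resolved for the client
     * @param str client identifier, used for logging only
     * @return the key set, or null if no credential could be converted
     */
    @Nullable
    protected JWKSet parseJwkSet(@Nonnull Iterable<Credential> iterable, @Nonnull String str) {
        final List<JWK> keys = new ArrayList<>();
        for (final Credential credential : iterable) {
            final JWK key = CredentialConversionUtil.credentialToKey(credential);
            if (key == null) {
                this.log.debug("Could not parse credential of {} to a JWK", str);
                continue;
            }
            // Log only the key id and type. JWK.toJSONString() serialises every parameter the key
            // holds, private and symmetric ones included; whether such parameters can be present
            // depends on CredentialConversionUtil, which is not visible here, so the full JSON is
            // kept out of the log.
            this.log.trace("Successfully parsed a JWK to client {}: kid={}, kty={}", str, key.getKeyID(),
                    key.getKeyType());
            keys.add(key);
        }
        return keys.isEmpty() ? null : new JWKSet(keys);
    }

    /**
     * Returns the reference URI of the first {@link JWKReferenceCredential} among the credentials.
     *
     * <p>The URI originates from the metadata and is returned without validation.
     * NOTE(review): whatever later dereferences it is presumably responsible for restricting the
     * scheme and destination; confirm.</p>
     *
     * @param iterable credentials resolved for the client
     * @param str client identifier, used for logging only
     * @return the JWKS URI, or null if no reference credential is present
     */
    @Nullable
    protected URI parseJwkUri(@Nonnull Iterable<Credential> iterable, @Nonnull String str) {
        for (final Credential credential : iterable) {
            if (credential instanceof JWKReferenceCredential) {
                final URI reference = ((JWKReferenceCredential) credential).getReferenceURI();
                this.log.trace("Successfully located a JWKS URI for client {}: {}", str, reference);
                return reference;
            }
        }
        return null;
    }

    /**
     * Parses the token endpoint authentication method.
     *
     * @param oAuthRPExtensions extensions element
     * @return the parsed method, or null if the value is null or blank
     */
    @Nullable
    protected ClientAuthenticationMethod parseClientAuthenticationMethod(@Nonnull OAuthRPExtensions oAuthRPExtensions) {
        final String method = StringSupport.trimOrNull(oAuthRPExtensions.getTokenEndpointAuthMethod());
        return method == null ? null : ClientAuthenticationMethod.parse(method);
    }

    /**
     * Parses the application type.
     *
     * @param oAuthRPExtensions extensions element
     * @return {@link ApplicationType#NATIVE} when the trimmed value equals it ignoring case,
     *         {@link ApplicationType#WEB} for every other value including a missing one
     */
    @Nonnull
    protected ApplicationType parseApplicationType(@Nonnull OAuthRPExtensions oAuthRPExtensions) {
        final String declared = StringSupport.trimOrNull(oAuthRPExtensions.getApplicationType());
        if (ApplicationType.NATIVE.toString().equalsIgnoreCase(declared)) {
            return ApplicationType.NATIVE;
        }
        return ApplicationType.WEB;
    }

    /**
     * Maps the descriptor's NameIDFormat elements to a subject type.
     *
     * <p>The first format carrying one of the two known OIDC values wins. With no formats, or none
     * with a known value, the result is {@link SubjectType#PUBLIC}.</p>
     *
     * @param sPSSODescriptor role descriptor being processed
     * @return the subject type
     */
    @Nonnull
    protected SubjectType parseSubjectType(@Nonnull SPSSODescriptor sPSSODescriptor) {
        final List<NameIDFormat> formats = sPSSODescriptor.getNameIDFormats();
        if (formats == null || formats.isEmpty()) {
            this.log.warn("No NameIDFormat defined, using 'public'");
            return SubjectType.PUBLIC;
        }
        if (formats.size() > 1) {
            this.log.warn("Multiple NameIDFormats defined, using first one with a known value");
        }
        for (final NameIDFormat format : formats) {
            if (format == null) {
                continue;
            }
            if ("urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:public".equals(format.getURI())) {
                return SubjectType.PUBLIC;
            }
            if ("urn:mace:shibboleth:metadata:oidc:1.0:nameid-format:pairwise".equals(format.getURI())) {
                return SubjectType.PAIRWISE;
            }
        }
        this.log.warn("No known NameIDFormats defined, using 'public'");
        return SubjectType.PUBLIC;
    }

    /**
     * Collects the non-blank default ACR values.
     *
     * @param oAuthRPExtensions extensions element
     * @return the ACR values in document order, possibly empty
     */
    @Nonnull
    protected List<ACR> parseDefaultAcrValues(@Nonnull OAuthRPExtensions oAuthRPExtensions) {
        final List<ACR> acrs = new ArrayList<>();
        // The declared element type of getDefaultAcrValues() is not visible here, hence the
        // explicit cast on each element.
        for (final Object entry : oAuthRPExtensions.getDefaultAcrValues()) {
            final String value = StringSupport.trimOrNull(((DefaultAcrValue) entry).getValue());
            if (value != null) {
                acrs.add(new ACR(value));
            }
        }
        return acrs;
    }

    /**
     * Parses the whitespace-separated grant types.
     *
     * @param oAuthRPExtensions extensions element
     * @return the grant types, possibly empty
     */
    @Nonnull
    protected Set<GrantType> parseGrantTypes(@Nonnull OAuthRPExtensions oAuthRPExtensions) {
        final Set<GrantType> grantTypes = new HashSet<>();
        for (final String value : getListValues(oAuthRPExtensions.getGrantTypes())) {
            grantTypes.add(new GrantType(value));
        }
        return grantTypes;
    }

    /**
     * Parses the whitespace-separated response types.
     *
     * <p>NOTE(review): every whitespace-separated token becomes its own single-valued
     * {@link ResponseType}, so a composite value such as "code id_token" cannot be expressed through
     * this path. Confirm that this matches the metadata profile in use.</p>
     *
     * @param oAuthRPExtensions extensions element
     * @return the response types, possibly empty
     */
    @Nonnull
    protected Set<ResponseType> parseResponseTypes(@Nonnull OAuthRPExtensions oAuthRPExtensions) {
        final Set<ResponseType> responseTypes = new HashSet<>();
        for (final String value : getListValues(oAuthRPExtensions.getResponseTypes())) {
            responseTypes.add(new ResponseType(new String[]{value}));
        }
        return responseTypes;
    }

    /**
     * Parses the whitespace-separated scope values.
     *
     * @param oAuthRPExtensions extensions element
     * @return the scope, possibly empty
     */
    @Nonnull
    protected Scope parseScopes(@Nonnull OAuthRPExtensions oAuthRPExtensions) {
        final Scope scope = new Scope();
        for (final String value : getListValues(oAuthRPExtensions.getScopes())) {
            scope.add(value);
        }
        return scope;
    }

    /**
     * Wraps an algorithm name in a {@link JWEAlgorithm}. The name is not checked against any list
     * of supported algorithms here.
     *
     * @param str algorithm name, may be null
     * @return the algorithm, or null for a null name
     */
    @Nullable
    protected JWEAlgorithm parseJweAlgorithm(@Nullable String str) {
        return str == null ? null : new JWEAlgorithm(str);
    }

    /**
     * Wraps an algorithm name in a {@link JWSAlgorithm}. The name is not checked against any list
     * of supported algorithms here.
     *
     * @param str algorithm name, may be null
     * @return the algorithm, or null for a null name
     */
    @Nullable
    protected JWSAlgorithm parseJwsAlgorithm(@Nullable String str) {
        return str == null ? null : new JWSAlgorithm(str);
    }

    /**
     * Wraps an encryption method name in an {@link EncryptionMethod}. The name is not checked
     * against any list of supported methods here.
     *
     * @param str method name, may be null
     * @return the encryption method, or null for a null name
     */
    @Nullable
    protected EncryptionMethod parseEncryptionMethod(@Nullable String str) {
        return str == null ? null : new EncryptionMethod(str);
    }

    /**
     * Collects the redirect URIs from the AssertionConsumerService elements whose binding equals
     * {@link #BINDING_ID_REDIRECT_URI}.
     *
     * <p>A location is accepted as soon as it parses as a URI; no scheme, absoluteness or fragment
     * checks are applied in this class.</p>
     *
     * @param sPSSODescriptor role descriptor being processed
     * @return the redirect URIs, possibly empty
     */
    @Nonnull
    protected Set<URI> parseRedirectUris(@Nonnull SPSSODescriptor sPSSODescriptor) {
        final Set<URI> redirectUris = new HashSet<>();
        for (final AssertionConsumerService acs : sPSSODescriptor.getAssertionConsumerServices()) {
            if (!BINDING_ID_REDIRECT_URI.equals(acs.getBinding())) {
                continue;
            }
            final URI location = getSingleURIValue(acs.getLocation());
            if (location != null) {
                redirectUris.add(location);
            }
        }
        return redirectUris;
    }

    /**
     * Converts the values of the given metadata elements to URIs, dropping those that do not parse.
     *
     * @param list metadata value elements
     * @return the parsed URIs, possibly empty
     */
    @Nonnull
    protected Set<URI> parseUris(@Nonnull List<? extends MetadataValueSAMLObject> list) {
        final Set<URI> uris = new HashSet<>();
        for (final MetadataValueSAMLObject element : list) {
            final URI uri = getSingleURIValue(element);
            if (uri != null) {
                uris.add(uri);
            }
        }
        return uris;
    }

    /**
     * Splits a whitespace-separated list (space, tab, newline, carriage return).
     *
     * @param str raw value, may be null
     * @return the tokens, or an empty list for a null value
     */
    @NonnullElements
    @Nonnull
    protected Collection<String> getListValues(@Nullable String str) {
        if (str == null) {
            return Collections.emptyList();
        }
        return StringSupport.stringToList(str, " \t\n\r");
    }

    /**
     * Parses the value of a metadata element as a URI.
     *
     * @param metadataValueSAMLObject metadata value element; null is tolerated because the
     *            elements this is used for are read straight from the extensions and their
     *            presence is not checked by the callers in this class
     * @return the URI, or null if the element or its value is null or the value does not parse
     */
    @Nullable
    protected URI getSingleURIValue(@Nullable MetadataValueSAMLObject metadataValueSAMLObject) {
        if (metadataValueSAMLObject == null) {
            return null;
        }
        return getSingleURIValue(metadataValueSAMLObject.getValue());
    }

    /**
     * Parses a string as a URI. Only syntax is checked; any scheme is accepted.
     *
     * @param str raw value, may be null
     * @return the URI, or null if the value is null or not a syntactically valid URI
     */
    @Nullable
    protected URI getSingleURIValue(@Nullable String str) {
        if (str == null) {
            return null;
        }
        try {
            return new URI(str);
        } catch (URISyntaxException e) {
            this.log.warn("Could not parse {} into an URI", str, e);
            return null;
        }
    }
}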
