package org.geant.idpextension.oidc.profile.impl;

import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import java.util.Iterator;
import java.util.function.Function;
import javax.annotation.Nonnull;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.geant.idpextension.oidc.messaging.context.OIDCAuthenticationResponseContext;
import org.geant.idpextension.oidc.messaging.context.OIDCMetadataContext;
import org.geant.idpextension.oidc.profile.context.navigate.DefaultRequestResponseTypeLookupFunction;
import org.geant.idpextension.oidc.profile.context.navigate.DefaultRequestedScopeLookupFunction;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/geant/idpextension/oidc/profile/impl/ValidateScope.class */
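/**
 * Profile action that narrows the scopes of an OIDC authentication request to the scopes registered
 * for the requesting client, and stores the result on the OIDC response context.
 *
 * <p>Processing, as implemented in {@link #doExecute(ProfileRequestContext)}:</p>
 * <ol>
 * <li>Read the registered scopes from the client metadata. If there are none, return without touching
 * the response context.</li>
 * <li>Remove every requested scope value that is not registered for the client.</li>
 * <li>Remove {@code offline_access} when a response type is available and does not contain
 * {@code code}.</li>
 * <li>Store the remaining scopes with {@code getOidcResponseContext().setScope(...)}.</li>
 * </ol>
 */
public class ValidateScope extends AbstractOIDCAuthenticationResponseAction {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateScope.class);

    /** Strategy used to obtain the requested scopes from the profile request context. */
    @Nonnull
    private Function<ProfileRequestContext, Scope> scopeLookupStrategy = new DefaultRequestedScopeLookupFunction();

    /**
     * Replaces the strategy used to look up the requested scopes.
     *
     * <p>The component-state check runs first, so the strategy cannot be replaced once the component
     * has been initialized.</p>
     *
     * @param function lookup strategy, must not be null
     */
    public void setScopeLookupStrategy(@Nonnull Function<ProfileRequestContext, Scope> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.scopeLookupStrategy = Constraint.isNotNull(function, "ScopeLookupStrategy lookup strategy cannot be null");
    }

    /**
     * Filters the requested scopes against the client's registered scopes and records the result.
     *
     * @param profileRequestContext the current profile request context
     */
    protected void doExecute(@Nonnull ProfileRequestContext profileRequestContext) {
        final Scope registeredScopes = getMetadataContext().getClientInformation().getMetadata().getScope();
        if (registeredScopes == null || registeredScopes.isEmpty()) {
            // NOTE(review): on this path no filtering happens and setScope() is never called, so the
            // response context keeps whatever scope it already had. Confirm that downstream actions do
            // not treat this state as "every requested scope is granted" for clients without
            // registered scopes.
            this.log.debug("{} No registered scopes for client {}, nothing to do", getLogPrefix(), getMetadataContext().getClientInformation().getID());
            return;
        }

        // NOTE(review): the lookup strategy's null contract is not visible here; a null result would
        // raise a NullPointerException at iterator() below. The returned Scope is also modified in
        // place - if the strategy hands back the request's own Scope instance, the request object
        // changes as well. Confirm both against the strategy implementation.
        final Scope requestedScopes = this.scopeLookupStrategy.apply(profileRequestContext);
        final Iterator<Scope.Value> it = requestedScopes.iterator();
        while (it.hasNext()) {
            final Scope.Value value = it.next();
            if (!registeredScopes.contains(value)) {
                // The scope value originates from the request; the log encoder is presumably
                // responsible for neutralising control characters - verify the logging configuration.
                this.log.warn("{} removing requested scope {} for rp {} as it is not a registered one", new Object[]{getLogPrefix(), value.getValue(), getMetadataContext().getClientInformation().getID()});
                // Iterator.remove() is required here; removing through the Scope itself during
                // iteration would invalidate the iterator.
                it.remove();
            }
        }

        if (requestedScopes.contains(OIDCScopeValue.OFFLINE_ACCESS)) {
            final ResponseType responseType = (ResponseType) new DefaultRequestResponseTypeLookupFunction().apply(profileRequestContext);
            // offline_access is only dropped when a response type is available and lacks "code";
            // a null response type leaves offline_access in place.
            if (responseType != null && !responseType.contains(ResponseType.Value.CODE)) {
                requestedScopes.remove(OIDCScopeValue.OFFLINE_ACCESS);
                // Logged like the other removals so that a dropped offline_access request is
                // visible in the audit trail instead of disappearing silently.
                this.log.warn("{} removing requested scope offline_access for rp {} as the response type does not contain code", getLogPrefix(), getMetadataContext().getClientInformation().getID());
            }
        }

        getOidcResponseContext().setScope(requestedScopes);
    }

    /**
     * Delegates to the superclass accessor for the OIDC metadata context.
     *
     * @return the value returned by {@code super.getMetadataContext()}
     */
    @Override // org.geant.idpextension.oidc.profile.impl.AbstractOIDCAuthenticationResponseAction
    public /* bridge */ /* synthetic */ OIDCMetadataContext getMetadataContext() {
        return super.getMetadataContext();
    }

    /**
     * Delegates to the superclass accessor for the OIDC authentication response context.
     *
     * @return the value returned by {@code super.getOidcResponseContext()}
     */
    @Override // org.geant.idpextension.oidc.profile.impl.AbstractOIDCAuthenticationResponseAction
    @Nonnull
    public /* bridge */ /* synthetic */ OIDCAuthenticationResponseContext getOidcResponseContext() {
        return super.getOidcResponseContext();
    }
}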
