package org.apereo.cas.oidc.jwks.rotation;

import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.io.IOUtils;
import org.apereo.cas.configuration.model.support.oidc.OidcProperties;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeyUsage;
import org.apereo.cas.oidc.jwks.generator.OidcJsonWebKeystoreGeneratorService;
import org.apereo.cas.oidc.jwks.rotation.OidcJsonWebKeystoreRotationService;
import org.jooq.lambda.Unchecked;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.Resource;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/jwks/rotation/OidcDefaultJsonWebKeystoreRotationService.class */
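/**
 * Default implementation of OIDC JSON web keystore rotation.
 * <p>
 * Keys in the keystore carry a lifecycle state (FUTURE, CURRENT, PREVIOUS) that is
 * read and written through {@link OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates}.
 * {@link #rotate()} advances every key one step (CURRENT becomes PREVIOUS, FUTURE becomes
 * CURRENT) and then tops the keystore up with freshly generated keys; {@link #revoke()}
 * drops every key in the PREVIOUS state. Both operations read the keystore resource located
 * by the generator service, modify it in memory and hand the result back to the generator
 * service to persist.
 * <p>
 * NOTE(review): nothing here serialises concurrent callers. The read-modify-store sequence in
 * {@link #rotate()} and {@link #revoke()} is not atomic, so overlapping invocations could
 * overwrite each other's result in the backing store -- presumably the scheduler/caller
 * guarantees single-flight invocation; confirm before relying on it.
 * <p>
 * Only key ids are ever logged; key material is never written to the log.
 */
public class OidcDefaultJsonWebKeystoreRotationService implements OidcJsonWebKeystoreRotationService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcDefaultJsonWebKeystoreRotationService.class);

    /** Key-generation settings passed through to the generator service. */
    private final OidcProperties oidcProperties;

    /** Locates the keystore resource, generates individual keys and persists the keystore. */
    private final OidcJsonWebKeystoreGeneratorService generatorService;

    /**
     * Rotates the keystore: CURRENT keys become PREVIOUS, FUTURE keys become CURRENT, a new
     * pair of FUTURE keys (signing and encryption) is generated, and a CURRENT pair is
     * generated if no CURRENT key remains. The updated keystore is then persisted.
     *
     * @return the persisted keystore, or {@code null} when no keystore resource exists
     * @throws Exception if the keystore cannot be read, parsed or stored
     */
    @Override // org.apereo.cas.oidc.jwks.rotation.OidcJsonWebKeystoreRotationService
    public JsonWebKeySet rotate() throws Exception {
        // Method reference rather than an inline lambda so the result type is inferred
        // without a cast; Unchecked.function re-throws the helper's checked exceptions.
        return whenKeystoreResourceExists()
            .map(Unchecked.function(this::rotateKeystore))
            .orElse(null);
    }

    /**
     * Performs the rotation described in {@link #rotate()} for one keystore resource.
     *
     * @param resource the keystore resource to rotate
     * @return the persisted keystore
     * @throws Exception if the keystore cannot be read, parsed or stored
     */
    private JsonWebKeySet rotateKeystore(Resource resource) throws Exception {
        LOGGER.trace("Rotating keys found in [{}]", resource);
        JsonWebKeySet jsonWebKeySet = readKeystore(resource);
        jsonWebKeySet.getJsonWebKeys().forEach(jsonWebKey -> {
            LOGGER.debug("Processing key [{}] to determine rotation eligibility", jsonWebKey.getKeyId());
            // Branch on the state as it was before this pass so each key moves exactly one step.
            OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates jsonWebKeyState =
                OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.getJsonWebKeyState(jsonWebKey);
            if (jsonWebKeyState == OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.CURRENT) {
                OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.setJsonWebKeyState(jsonWebKey,
                    OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.PREVIOUS);
                LOGGER.trace("Rotating state for current key [{}] to previous", jsonWebKey.getKeyId());
            }
            if (jsonWebKeyState == OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.FUTURE) {
                OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.setJsonWebKeyState(jsonWebKey,
                    OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.CURRENT);
                LOGGER.trace("Rotating state for future key [{}] to current", jsonWebKey.getKeyId());
            }
        });
        // After the pass above no FUTURE key remains (they all became CURRENT), so a new
        // FUTURE pair is always generated; a CURRENT pair only when none survived.
        generateFutureKeys(jsonWebKeySet);
        generateCurrentKeys(jsonWebKeySet);
        return this.generatorService.store(jsonWebKeySet);
    }

    /**
     * Adds a CURRENT signing key and a CURRENT encryption key unless the keystore already
     * holds at least one CURRENT key.
     * <p>
     * NOTE(review): the guard checks for <em>any</em> CURRENT key, not one per usage. A
     * keystore that holds only a CURRENT signing key will not receive a CURRENT encryption
     * key here -- confirm this is intended before changing the guard.
     *
     * @param jsonWebKeySet the keystore to extend in place
     */
    private void generateCurrentKeys(JsonWebKeySet jsonWebKeySet) {
        boolean hasCurrentKey = jsonWebKeySet.getJsonWebKeys().stream()
            .anyMatch(jsonWebKey -> OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates
                .getJsonWebKeyState(jsonWebKey).isCurrent());
        if (hasCurrentKey) {
            return;
        }
        addGeneratedKey(jsonWebKeySet, OidcJsonWebKeyUsage.SIGNING,
            OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.CURRENT, "current signing");
        addGeneratedKey(jsonWebKeySet, OidcJsonWebKeyUsage.ENCRYPTION,
            OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.CURRENT, "current encryption");
    }

    /**
     * Unconditionally adds a FUTURE signing key and a FUTURE encryption key.
     *
     * @param jsonWebKeySet the keystore to extend in place
     */
    private void generateFutureKeys(JsonWebKeySet jsonWebKeySet) {
        addGeneratedKey(jsonWebKeySet, OidcJsonWebKeyUsage.SIGNING,
            OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.FUTURE, "future signing");
        addGeneratedKey(jsonWebKeySet, OidcJsonWebKeyUsage.ENCRYPTION,
            OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.FUTURE, "future encryption");
    }

    /**
     * Generates one key for the given usage, tags it with the given lifecycle state and
     * appends it to the keystore.
     *
     * @param jsonWebKeySet the keystore to extend in place
     * @param usage         the key usage to generate for (signing or encryption)
     * @param state         the lifecycle state to assign to the new key
     * @param description   human-readable label used only in the trace log line
     */
    private void addGeneratedKey(JsonWebKeySet jsonWebKeySet,
                                 OidcJsonWebKeyUsage usage,
                                 OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates state,
                                 String description) {
        JsonWebKey generated = OidcJsonWebKeystoreGeneratorService.generateJsonWebKey(this.oidcProperties, usage);
        OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.setJsonWebKeyState(generated, state);
        LOGGER.trace("Generated {} key with id [{}]", description, generated.getKeyId());
        jsonWebKeySet.addJsonWebKey(generated);
    }

    /**
     * Revokes the keystore: every key in the PREVIOUS state is removed and the result is
     * persisted.
     *
     * @return the persisted keystore, or {@code null} when no keystore resource exists
     * @throws Exception if the keystore cannot be read, parsed or stored
     */
    @Override // org.apereo.cas.oidc.jwks.rotation.OidcJsonWebKeystoreRotationService
    public JsonWebKeySet revoke() throws Exception {
        return whenKeystoreResourceExists()
            .map(Unchecked.function(this::revokeKeystore))
            .orElse(null);
    }

    /**
     * Performs the revocation described in {@link #revoke()} for one keystore resource.
     *
     * @param resource the keystore resource to revoke from
     * @return the persisted keystore
     * @throws Exception if the keystore cannot be read, parsed or stored
     */
    private JsonWebKeySet revokeKeystore(Resource resource) throws Exception {
        LOGGER.trace("Revoking previous keys found in [{}]", resource);
        JsonWebKeySet jsonWebKeySet = readKeystore(resource);
        jsonWebKeySet.getJsonWebKeys().removeIf(jsonWebKey -> {
            LOGGER.debug("Processing key [{}] to determine revocation eligibility", jsonWebKey.getKeyId());
            return OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.getJsonWebKeyState(jsonWebKey)
                == OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.PREVIOUS;
        });
        return this.generatorService.store(jsonWebKeySet);
    }

    /**
     * Reads and parses the keystore resource as UTF-8 JSON.
     * <p>
     * The input stream is closed after reading; {@code IOUtils.toString} does not close it
     * on its own, so the previous inline form leaked one stream per rotation/revocation.
     *
     * @param resource the keystore resource
     * @return the parsed key set
     * @throws Exception if the resource cannot be opened, read or parsed
     */
    private static JsonWebKeySet readKeystore(Resource resource) throws Exception {
        try (InputStream in = resource.getInputStream()) {
            return new JsonWebKeySet(IOUtils.toString(in, StandardCharsets.UTF_8));
        }
    }

    /**
     * Locates the keystore resource through the generator service.
     *
     * @return the keystore resource, or empty when none exists
     * @throws Exception if the lookup fails
     */
    private Optional<Resource> whenKeystoreResourceExists() throws Exception {
        return this.generatorService.find();
    }

    /**
     * Creates the rotation service.
     *
     * @param oidcProperties                      key-generation settings
     * @param oidcJsonWebKeystoreGeneratorService locates, generates and stores the keystore
     */
    @Generated
    public OidcDefaultJsonWebKeystoreRotationService(OidcProperties oidcProperties, OidcJsonWebKeystoreGeneratorService oidcJsonWebKeystoreGeneratorService) {
        this.oidcProperties = oidcProperties;
        this.generatorService = oidcJsonWebKeystoreGeneratorService;
    }
}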
