package org.apereo.cas.oidc.token;

import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.model.support.mfa.MultifactorAuthenticationProperties;
import org.apereo.cas.configuration.model.support.oidc.OidcProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.oidc.OidcConfigurationContext;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.web.response.accesstoken.OAuth20AccessTokenAtHashGenerator;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20JwtAccessTokenEncoder;
import org.apereo.cas.ticket.AuthenticatedServicesAwareTicketGrantingTicket;
import org.apereo.cas.ticket.BaseIdTokenGeneratorService;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.pac4j.core.profile.UserProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/token/OidcIdTokenGeneratorService.class */
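/**
 * Produces the OpenID Connect ID token for an issued access token.
 *
 * <p>The token's claim set is assembled in {@link #buildJwtClaims}: identity claims
 * ({@code jti}, {@code sid}, {@code iss}, {@code aud}, {@code sub}), timing claims
 * ({@code exp}, {@code iat}, {@code nbf}), authentication-context claims ({@code acr},
 * {@code amr}, {@code auth_time}), request-bound claims ({@code state}, {@code nonce}),
 * the {@code at_hash} binding to the access token and, depending on the flow, the
 * scope-derived profile claims. Signing and encryption happen in
 * {@code encodeAndFinalizeToken}, which is inherited and not shown here.
 */
public class OidcIdTokenGeneratorService extends BaseIdTokenGeneratorService<OidcConfigurationContext> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcIdTokenGeneratorService.class);

    /** Authentication attribute whose values become the {@code amr} claim. */
    private static final String SUCCESSFUL_HANDLERS_ATTRIBUTE = "successfulAuthenticationHandlers";

    /** Relative pattern of the OAuth callback service whose ticket id is preferred as {@code jti}. */
    private static final String CALLBACK_AUTHORIZE_PATTERN = "/oauth2.0/callbackAuthorize.*";

    /**
     * Creates the generator.
     *
     * @param objectProvider lazy provider of the OIDC configuration context
     */
    public OidcIdTokenGeneratorService(final ObjectProvider<OidcConfigurationContext> objectProvider) {
        super(objectProvider);
    }

    /**
     * Sets a claim only when the value is present and non-blank, so optional request
     * parameters that were never supplied do not show up as empty claims.
     *
     * @param jwtClaims claim set to update
     * @param name      claim name
     * @param value     candidate value; skipped when {@code null} or blank
     */
    private static void setClaim(final JwtClaims jwtClaims, final String name, final Object value) {
        if (value != null && StringUtils.isNotBlank(value.toString())) {
            jwtClaims.setClaim(name, value);
        }
    }

    /**
     * Sets the claim {@code name} from the first value of the authentication attribute of the
     * same name, when such a value exists.
     *
     * @param jwtClaims  claim set to update
     * @param name       attribute and claim name
     * @param attributes authentication attributes
     */
    private static void setClaimFromFirstAttributeValue(final JwtClaims jwtClaims, final String name,
                                                        final Map<String, List<Object>> attributes) {
        final var values = attributes.get(name);
        // A key mapped to a null or empty list carries no usable value; skip rather than fail.
        if (values != null && !values.isEmpty()) {
            setClaim(jwtClaims, name, values.get(0));
        }
    }

    /**
     * Builds, signs/encrypts and encodes the ID token.
     *
     * @param oAuth20AccessToken      access token the ID token accompanies
     * @param userProfile             authenticated user profile (unused here; kept for the interface)
     * @param oAuth20ResponseTypes    response type of the originating request
     * @param oAuth20GrantTypes       grant type of the originating request
     * @param oAuthRegisteredService  registered service; must be an {@link OidcRegisteredService}
     * @return the encoded ID token
     * @throws IllegalArgumentException when the registered service is not an OIDC service
     * @throws Exception                propagated from token finalization
     */
    @Override // org.apereo.cas.ticket.IdTokenGeneratorService
    public String generate(final OAuth20AccessToken oAuth20AccessToken, final UserProfile userProfile,
                           final OAuth20ResponseTypes oAuth20ResponseTypes, final OAuth20GrantTypes oAuth20GrantTypes,
                           final OAuthRegisteredService oAuthRegisteredService) throws Exception {
        final long timeToLive = getConfigurationContext().getIdTokenExpirationPolicy()
            .buildTicketExpirationPolicy()
            .getTimeToLive();
        // Reject non-OIDC services before any claim is built; the cast below relies on this.
        Assert.isAssignable(OidcRegisteredService.class, oAuthRegisteredService.getClass(),
            "Registered service instance is not an OIDC service");
        final var oidcRegisteredService = (OidcRegisteredService) oAuthRegisteredService;
        LOGGER.trace("Attempting to produce claims for the id token [{}]", oAuth20AccessToken);
        final var claims = buildJwtClaims(oAuth20AccessToken, timeToLive, oidcRegisteredService,
            oAuth20ResponseTypes, oAuth20GrantTypes);
        return encodeAndFinalizeToken(claims, oidcRegisteredService, oAuth20AccessToken);
    }

    /**
     * Assembles the complete claim set of the ID token.
     *
     * @param oAuth20AccessToken    access token the ID token accompanies
     * @param timeToLive            lifetime of the ID token in seconds
     * @param oidcRegisteredService registered OIDC service (client)
     * @param oAuth20ResponseTypes  response type of the originating request
     * @param oAuth20GrantTypes     grant type of the originating request
     * @return the populated claims, not yet signed
     */
    protected JwtClaims buildJwtClaims(final OAuth20AccessToken oAuth20AccessToken, final long timeToLive,
                                       final OidcRegisteredService oidcRegisteredService,
                                       final OAuth20ResponseTypes oAuth20ResponseTypes,
                                       final OAuth20GrantTypes oAuth20GrantTypes) {
        final var authentication = oAuth20AccessToken.getAuthentication();
        // Only attributes released by the scope filter for this service are visible from here on.
        final var principal = getConfigurationContext().getProfileScopeToAttributesFilter()
            .filter(oAuth20AccessToken.getService(), authentication.getPrincipal(), oidcRegisteredService, oAuth20AccessToken);
        LOGGER.debug("Principal to use to build the ID token is [{}]", principal);

        final var casProperties = getConfigurationContext().getCasProperties();
        final var oidc = casProperties.getAuthn().getOidc();
        final var ticketGrantingTicket = oAuth20AccessToken.getTicketGrantingTicket();

        final var jwtClaims = new JwtClaims();
        setIdentityClaims(jwtClaims, oAuth20AccessToken, ticketGrantingTicket, oidcRegisteredService);
        setTimingClaims(jwtClaims, timeToLive, oidc);

        LOGGER.debug("Calculated ID token subject claim to be [{}]",
            oidcRegisteredService.getUsernameAttributeProvider().resolveUsername(principal, oAuth20AccessToken.getService(), oidcRegisteredService));
        // NOTE(review): the value logged above comes from the username attribute provider, while
        // the subject set here is the principal id; the two may differ. Confirm which is intended.
        jwtClaims.setSubject(principal.getId());

        final var attributes = authentication.getAttributes();
        setAuthenticationContextClaims(jwtClaims, attributes, oidc, casProperties.getAuthn().getMfa());
        jwtClaims.setStringClaim("client_id", oidcRegisteredService.getClientId());
        jwtClaims.setClaim("auth_time", ticketGrantingTicket.getAuthentication().getAuthenticationDate().toEpochSecond());
        setClaimFromFirstAttributeValue(jwtClaims, "state", attributes);
        setClaimFromFirstAttributeValue(jwtClaims, "nonce", attributes);
        generateAccessTokenHash(oAuth20AccessToken, oidcRegisteredService, jwtClaims);
        includeScopeClaimsIfAllowed(jwtClaims, principal, oidcRegisteredService, oidc, oAuth20ResponseTypes, oAuth20GrantTypes);
        return jwtClaims;
    }

    /**
     * Sets {@code jti}, {@code sid}, {@code iss} and {@code aud}.
     *
     * @param jwtClaims             claim set to update
     * @param oAuth20AccessToken    access token; its client id becomes the audience
     * @param ticketGrantingTicket  SSO session the token was issued under
     * @param oidcRegisteredService registered OIDC service used to determine the issuer
     */
    private void setIdentityClaims(final JwtClaims jwtClaims, final OAuth20AccessToken oAuth20AccessToken,
                                   final TicketGrantingTicket ticketGrantingTicket,
                                   final OidcRegisteredService oidcRegisteredService) {
        final var jwtId = getJwtId(ticketGrantingTicket);
        LOGGER.debug("Calculated ID token jti claim to be [{}]", jwtId);
        jwtClaims.setJwtId(jwtId);
        // The session id is a digest of the jti, so the claim does not repeat the raw ticket id.
        jwtClaims.setClaim("sid", DigestUtils.sha(jwtId));
        jwtClaims.setIssuer(getConfigurationContext().getIssuerService().determineIssuer(Optional.ofNullable(oidcRegisteredService)));
        jwtClaims.setAudience(oAuth20AccessToken.getClientId());
    }

    /**
     * Sets {@code exp}, {@code iat} and {@code nbf}.
     *
     * @param jwtClaims  claim set to update
     * @param timeToLive lifetime in seconds, added to the current time for {@code exp}
     * @param oidc       OIDC properties; the configured skew widens {@code nbf} into the past
     */
    private static void setTimingClaims(final JwtClaims jwtClaims, final long timeToLive, final OidcProperties oidc) {
        final var expiration = NumericDate.now();
        expiration.addSeconds(timeToLive);
        jwtClaims.setExpirationTime(expiration);
        LOGGER.debug("Calculated ID token expiration claim to be [{}]", expiration);
        jwtClaims.setIssuedAtToNow();
        // Clock skew tolerance between CAS and the relying party, expressed in minutes.
        jwtClaims.setNotBeforeMinutesInThePast((float) Beans.newDuration(oidc.getCore().getSkew()).toMinutes());
    }

    /**
     * Sets {@code acr} from the multifactor authentication context attribute and {@code amr}
     * from the successful authentication handlers, when those attributes are present.
     *
     * @param jwtClaims  claim set to update
     * @param attributes authentication attributes
     * @param oidc       OIDC properties holding the acr mappings
     * @param mfa        MFA properties naming the authentication context attribute
     */
    private static void setAuthenticationContextClaims(final JwtClaims jwtClaims, final Map<String, List<Object>> attributes,
                                                       final OidcProperties oidc, final MultifactorAuthenticationProperties mfa) {
        final var contextAttribute = mfa.getCore().getAuthenticationContextAttribute();
        if (attributes.containsKey(contextAttribute)) {
            final var contexts = CollectionUtils.toCollection(attributes.get(contextAttribute));
            final Map<String, String> acrMappings =
                CollectionUtils.convertDirectedListToMap(oidc.getCore().getAuthenticationContextReferenceMappings());
            final var acr = contexts.stream()
                .map(context -> mapAuthenticationContextReference(context, acrMappings))
                .collect(Collectors.joining(" "));
            LOGGER.debug("ID token acr claim calculated as [{}]", acr);
            jwtClaims.setStringClaim("acr", acr);
        }
        if (attributes.containsKey(SUCCESSFUL_HANDLERS_ATTRIBUTE)) {
            final var handlers = CollectionUtils.toCollection(attributes.get(SUCCESSFUL_HANDLERS_ATTRIBUTE));
            LOGGER.debug("ID token amr claim calculated as [{}]", handlers);
            jwtClaims.setStringListClaim("amr", handlers.toArray(ArrayUtils.EMPTY_STRING_ARRAY));
        }
    }

    /**
     * Translates one authentication context value into its configured acr name.
     *
     * <p>The mappings are directed {@code key->value} pairs; the entry whose value matches the
     * context (case-insensitively) contributes its key. Unmapped contexts are passed through verbatim.
     *
     * @param context  authentication context value; must not be {@code null}
     * @param mappings acr name to authentication context mappings
     * @return the mapped acr name, or the context's string form when no mapping matches
     */
    private static String mapAuthenticationContextReference(final Object context, final Map<String, String> mappings) {
        final var contextValue = context.toString();
        return mappings.entrySet().stream()
            .filter(entry -> entry.getValue().equalsIgnoreCase(contextValue))
            .map(Map.Entry::getKey)
            .findFirst()
            .orElse(contextValue);
    }

    /**
     * Adds scope-derived profile claims unless the request is an authorization-code exchange.
     *
     * <p>For {@code response_type=code} or {@code grant_type=authorization_code} the specification
     * expects profile claims to be fetched from the userinfo endpoint; they are put into the ID token
     * only when the deployment explicitly forces it via {@code includeIdTokenClaims}.
     *
     * @param jwtClaims             claim set to update
     * @param principal             filtered principal providing the attributes
     * @param oidcRegisteredService registered OIDC service
     * @param oidc                  OIDC properties
     * @param oAuth20ResponseTypes  response type of the originating request
     * @param oAuth20GrantTypes     grant type of the originating request
     */
    private void includeScopeClaimsIfAllowed(final JwtClaims jwtClaims, final Principal principal,
                                             final OidcRegisteredService oidcRegisteredService, final OidcProperties oidc,
                                             final OAuth20ResponseTypes oAuth20ResponseTypes,
                                             final OAuth20GrantTypes oAuth20GrantTypes) {
        final var authorizationCodeFlow = oAuth20ResponseTypes == OAuth20ResponseTypes.CODE
            || oAuth20GrantTypes == OAuth20GrantTypes.AUTHORIZATION_CODE;
        final var forceClaims = oidc.getIdToken().isIncludeIdTokenClaims();
        if (!authorizationCodeFlow || forceClaims) {
            if (forceClaims) {
                LOGGER.warn("Individual claims requested by OpenID scopes are forced to be included in the ID token. This is a violation of the OpenID Connect specification and a workaround via dedicated CAS configuration. Claims should be requested from the userinfo/profile endpoints in exchange for an access token.");
            }
            collectIdTokenClaims(principal, oidcRegisteredService, jwtClaims);
        } else {
            LOGGER.debug("Per OpenID Connect specification, individual claims requested by OpenID scopes such as profile, email, address, etc. are only put into the OpenID Connect ID token when the response type is set to id_token.");
        }
    }

    /**
     * Copies principal attributes that are advertised as supported claims into the token,
     * and ensures {@code preferred_username} is present.
     *
     * @param principal         filtered principal providing the attributes
     * @param registeredService registered service whose claim mappings apply
     * @param jwtClaims         claim set to update
     */
    protected void collectIdTokenClaims(final Principal principal, final RegisteredService registeredService, final JwtClaims jwtClaims) {
        final var oidc = getConfigurationContext().getCasProperties().getAuthn().getOidc();
        final var supportedClaims = oidc.getDiscovery().getClaims();
        LOGGER.trace("Comparing principal attributes [{}] with supported claims [{}]", principal.getAttributes(), supportedClaims);
        // Attributes not listed in the discovery document are never released into the ID token.
        principal.getAttributes().entrySet().stream()
            .filter(entry -> {
                if (supportedClaims.contains(entry.getKey())) {
                    LOGGER.trace("Found supported claim [{}]", entry.getKey());
                    return true;
                }
                LOGGER.debug("Claim [{}] is not defined as a supported claim among [{}]. Skipping...", entry.getKey(), supportedClaims);
                return false;
            })
            .forEach(entry -> handleMappedClaimOrDefault(entry.getKey(), registeredService, principal, jwtClaims, entry.getValue()));
        if (!jwtClaims.hasClaim("preferred_username")) {
            handleMappedClaimOrDefault("preferred_username", registeredService, principal, jwtClaims, principal.getId());
        }
    }

    /**
     * Maps a claim name through the service's attribute-to-claim mapper and hands the result to the claim collector.
     *
     * @param claimName         claim name to map
     * @param registeredService registered service whose mappings apply
     * @param principal         principal the value belongs to
     * @param jwtClaims         claim set to update
     * @param value             raw attribute value
     */
    protected void handleMappedClaimOrDefault(final String claimName, final RegisteredService registeredService,
                                              final Principal principal, final JwtClaims jwtClaims, final Object value) {
        final var mappedValue = getConfigurationContext().getAttributeToScopeClaimMapper()
            .mapClaim(claimName, registeredService, principal, value);
        getConfigurationContext().getIdTokenClaimCollector().collect(jwtClaims, claimName, mappedValue);
    }

    /**
     * Determines the {@code jti} for the token.
     *
     * <p>Preference is given to the id of the ticket issued to this server's OAuth callback
     * service (looked up among the SSO session's authenticated services and proxy-granting tickets);
     * when none is found the ticket-granting ticket id itself is used.
     *
     * @param ticketGrantingTicket SSO session the token was issued under
     * @return the ticket id to use as {@code jti}
     */
    protected String getJwtId(final TicketGrantingTicket ticketGrantingTicket) {
        final var callbackServiceId = getConfigurationContext().getCasProperties().getServer().getPrefix() + CALLBACK_AUTHORIZE_PATTERN;
        final Map<String, Service> issuedTickets = new LinkedHashMap<>();
        if (ticketGrantingTicket instanceof AuthenticatedServicesAwareTicketGrantingTicket) {
            issuedTickets.putAll(((AuthenticatedServicesAwareTicketGrantingTicket) ticketGrantingTicket).getServices());
        }
        issuedTickets.putAll(ticketGrantingTicket.getProxyGrantingTickets());
        return issuedTickets.entrySet().stream()
            .filter(entry -> {
                final var registeredService = getConfigurationContext().getServicesManager().findServiceBy(entry.getValue());
                return registeredService != null && registeredService.getServiceId().equals(callbackServiceId);
            })
            .map(Map.Entry::getKey)
            .findFirst()
            .orElseGet(() -> {
                LOGGER.trace("Cannot find ticket issued to [{}] as part of the authentication context", callbackServiceId);
                // NOTE(review): this fallback places the ticket-granting ticket id itself into a token
                // that is handed to the relying party; confirm that exposure is intended.
                return ticketGrantingTicket.getId();
            });
    }

    /**
     * Sets {@code at_hash}, the digest of the encoded access token computed with the service's
     * signing algorithm, so the relying party can check the access token belongs to this ID token.
     *
     * @param oAuth20AccessToken    access token to hash
     * @param oidcRegisteredService registered OIDC service supplying the signing algorithm
     * @param jwtClaims             claim set to update
     */
    protected void generateAccessTokenHash(final OAuth20AccessToken oAuth20AccessToken,
                                           final OidcRegisteredService oidcRegisteredService, final JwtClaims jwtClaims) {
        // The hash must cover the access token exactly as the client receives it, hence the re-encoding.
        final var encodedAccessToken = OAuth20JwtAccessTokenEncoder.builder()
            .accessToken(oAuth20AccessToken)
            .registeredService(oidcRegisteredService)
            .service(oAuth20AccessToken.getService())
            .accessTokenJwtBuilder(getConfigurationContext().getAccessTokenJwtBuilder())
            .casProperties(getConfigurationContext().getCasProperties())
            .issuer(getConfigurationContext().getIssuerService().determineIssuer(Optional.of(oidcRegisteredService)))
            .build()
            .encode(oAuth20AccessToken.getId());
        final var accessTokenHash = OAuth20AccessTokenAtHashGenerator.builder()
            .encodedAccessToken(encodedAccessToken)
            .algorithm(getConfigurationContext().getIdTokenSigningAndEncryptionService().getJsonWebKeySigningAlgorithm(oidcRegisteredService))
            .registeredService(oidcRegisteredService)
            .build()
            .generate();
        jwtClaims.setClaim("at_hash", accessTokenHash);
    }
}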
