package org.apereo.cas.ticket;

import com.nimbusds.jwt.JWTClaimsSet;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.token.JwtBuilder;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.jwt.JsonWebTokenSigner;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jwt.JwtClaims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-core-api-6.6.15.jar:org/apereo/cas/ticket/BaseTokenSigningAndEncryptionService.class */
/**
 * Shared signing/verification plumbing for OAuth/OIDC tokens.
 *
 * <p>Concrete subclasses supply the JSON web key used for a given registered
 * service ({@link #getJsonWebKeySigningKey}) and the set of signing algorithms
 * that service is allowed to use ({@link #getAllowedSigningAlgorithms}).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #decode} only checks the JWS signature, the {@code iss} claim and
 *       the presence of {@code client_id}. It does not look at {@code exp},
 *       {@code nbf} or {@code aud}; lifetime/audience enforcement must happen in
 *       the caller (TODO confirm against callers).</li>
 *   <li>Which JWS algorithms are accepted during verification is decided inside
 *       {@code EncodingUtils.verifyJwsSignature}, not here; the allowed-algorithm
 *       set from {@link #getAllowedSigningAlgorithms} is applied on the signing
 *       path only ({@link #signToken}).</li>
 * </ul>
 */
public abstract class BaseTokenSigningAndEncryptionService implements OAuth20TokenSigningAndEncryptionService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) BaseTokenSigningAndEncryptionService.class);

    /**
     * Verifies the signature of a compact JWS and returns its claims.
     *
     * <p>Order of checks: the service's JWK must carry a public key; the signature
     * must verify against that public key; the payload must contain a non-blank
     * {@code iss} matching {@link #resolveIssuer}; and a non-blank
     * {@code client_id} claim must be present. Any failure is surfaced as an
     * unchecked exception via {@code FunctionUtils.doUnchecked}.
     *
     * @param str      the compact-serialised JWS to verify
     * @param optional the registered service the token belongs to, if known
     * @return the verified claims
     * @throws IllegalArgumentException if the key has no public part, the issuer
     *                                  is missing/mismatched or {@code client_id}
     *                                  is absent
     * @throws NullPointerException     if signature verification fails
     */
    @Override // org.apereo.cas.ticket.OAuth20TokenSigningAndEncryptionService
    public JwtClaims decode(String str, Optional<OAuthRegisteredService> optional) {
        return (JwtClaims) FunctionUtils.doUnchecked(() -> {
            PublicJsonWebKey signingKey = getJsonWebKeySigningKey(optional);
            FunctionUtils.throwIf(signingKey.getPublicKey() == null,
                () -> new IllegalArgumentException("JSON web key to validate the id token signature has no public key"));

            // verifySignature returns the raw payload, or null when the JWS does not verify.
            byte[] payload = verifySignature(str, signingKey);
            Objects.requireNonNull(payload, "Unable to verify signature of the token using the JSON web key public key");

            JWTClaimsSet claimsSet = JwtBuilder.parse(new String(payload, StandardCharsets.UTF_8));
            FunctionUtils.throwIf(StringUtils.isBlank(claimsSet.getIssuer()),
                () -> new IllegalArgumentException("Claims do not contain an issuer"));
            validateIssuerClaim(claimsSet, optional);

            // NOTE(review): only presence of client_id is checked here; nothing binds it
            // to the supplied registered service. Confirm callers do that comparison.
            FunctionUtils.throwIf(StringUtils.isBlank(claimsSet.getStringClaim("client_id")),
                () -> new IllegalArgumentException("Claims do not contain a client id claim"));

            return JwtClaims.parse(claimsSet.toString());
        });
    }

    /**
     * Signing algorithms the given service is permitted to use when tokens are
     * signed on its behalf.
     *
     * @param oAuthRegisteredService the registered service
     * @return the allowed algorithm names
     */
    public abstract Set<String> getAllowedSigningAlgorithms(OAuthRegisteredService oAuthRegisteredService);

    /**
     * Checks that the {@code iss} claim equals the issuer resolved for the service.
     *
     * <p>The comparison is case-insensitive. RFC 7519 defines {@code iss} as a
     * case-sensitive StringOrURI, so this is slightly more permissive than the
     * spec; it is presumably deliberate to tolerate host-name casing differences.
     * The claim is expected to be non-null here ({@link #decode} rejects a blank
     * issuer beforehand); a null issuer would raise a {@link NullPointerException}.
     *
     * @param jWTClaimsSet the parsed claims
     * @param optional     the registered service, if known
     * @throws IllegalArgumentException if the issuer does not match
     * @throws NullPointerException     if no issuer can be resolved
     */
    protected void validateIssuerClaim(JWTClaimsSet jWTClaimsSet, Optional<OAuthRegisteredService> optional) {
        LOGGER.debug("Validating claims as [{}] with issuer [{}]", jWTClaimsSet, jWTClaimsSet.getIssuer());
        String expectedIssuer = resolveIssuer(optional);
        Objects.requireNonNull(expectedIssuer, "Issuer cannot be null or undefined");
        String actualIssuer = jWTClaimsSet.getIssuer();
        boolean issuerMatches = actualIssuer.equalsIgnoreCase(expectedIssuer);
        FunctionUtils.throwIf(!issuerMatches,
            () -> new IllegalArgumentException("Issuer assigned to claims " + actualIssuer + " does not match " + expectedIssuer));
    }

    /**
     * Signs the given claims for a service.
     *
     * <p>The private key and {@code kid} are taken from {@code publicJsonWebKey}
     * when present. If no JWK is supplied the signer is built with a null key;
     * if the JWK has no key id a random UUID is used as {@code kid}. What the
     * signer does with a null key, or with an {@code algorithm} outside
     * {@code allowedAlgorithms}, is decided by {@code JsonWebTokenSigner} and is
     * not visible here.
     *
     * @param oAuthRegisteredService the service the token is issued for
     * @param jwtClaims              the claims to sign
     * @param publicJsonWebKey       the JWK holding the private signing key, may be null
     * @return the compact-serialised signed token
     */
    public String signToken(OAuthRegisteredService oAuthRegisteredService, JwtClaims jwtClaims, PublicJsonWebKey publicJsonWebKey) {
        LOGGER.debug("Service [{}] is set to sign id tokens", oAuthRegisteredService.getServiceId());

        Key privateKey = publicJsonWebKey == null ? null : publicJsonWebKey.getPrivateKey();
        String configuredKeyId = publicJsonWebKey == null ? null : publicJsonWebKey.getKeyId();
        // A random kid only identifies this signing operation; it cannot be resolved by verifiers.
        String keyId = configuredKeyId != null ? configuredKeyId : UUID.randomUUID().toString();

        JsonWebTokenSigner signer = JsonWebTokenSigner.builder()
            .key(privateKey)
            .keyId(keyId)
            .algorithm(getJsonWebKeySigningAlgorithm(oAuthRegisteredService))
            .allowedAlgorithms(new LinkedHashSet<>(getAllowedSigningAlgorithms(oAuthRegisteredService)))
            .build();
        return signer.sign(jwtClaims);
    }

    /**
     * Verifies the JWS signature with the public part of the given JWK.
     *
     * @param str              the compact-serialised JWS
     * @param publicJsonWebKey the key whose public part verifies the signature
     * @return the payload bytes, or null if verification fails (as returned by
     *         {@code EncodingUtils.verifyJwsSignature})
     */
    protected byte[] verifySignature(String str, PublicJsonWebKey publicJsonWebKey) {
        return EncodingUtils.verifyJwsSignature(publicJsonWebKey.getPublicKey(), str);
    }

    /**
     * Resolves the JWK used to sign/verify tokens for the given service.
     *
     * @param optional the registered service, if known
     * @return the JWK; its public part must be present for verification
     */
    protected abstract PublicJsonWebKey getJsonWebKeySigningKey(Optional<OAuthRegisteredService> optional);

    @Generated
    public BaseTokenSigningAndEncryptionService() {
    }
}
