package org.apereo.cas.oidc.token;

import com.github.benmanes.caffeine.cache.LoadingCache;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTParser;
import java.util.Comparator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.oidc.issuer.OidcIssuerService;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeyCacheKey;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeyUsage;
import org.apereo.cas.oidc.jwks.rotation.OidcJsonWebKeystoreRotationService;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.ticket.BaseTokenSigningAndEncryptionService;
import org.apereo.cas.token.JwtBuilder;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.jooq.lambda.Unchecked;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jwt.JwtClaims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/token/BaseOidcJsonWebKeyTokenSigningAndEncryptionService.class */
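public abstract class BaseOidcJsonWebKeyTokenSigningAndEncryptionService extends BaseTokenSigningAndEncryptionService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(BaseOidcJsonWebKeyTokenSigningAndEncryptionService.class);

    /** Keystore cache looked up by issuer; this is where signing keys come from. */
    protected final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> defaultJsonWebKeystoreCache;

    /** Keystore cache looked up by registered service; this is where per-service encryption keys come from. */
    protected final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> serviceJsonWebKeystoreCache;

    /** Determines the issuer identifier for an (optional) OIDC registered service. */
    protected final OidcIssuerService issuerService;

    /**
     * Encodes the claims into a token for the given service: the claims are signed when the
     * service requires signing, and the result is then encrypted when the service requires encryption.
     *
     * @param oAuthRegisteredService the registered service the token is issued for
     * @param jwtClaims              the claims to encode
     * @return the encoded token (plain, signed, or signed-then-encrypted)
     */
    @Override
    public String encode(final OAuthRegisteredService oAuthRegisteredService, final JwtClaims jwtClaims) {
        return FunctionUtils.doUnchecked(() -> {
            LOGGER.trace("Attempting to produce token generated for service [{}] with claims [{}]", oAuthRegisteredService, jwtClaims.toJson());
            String token = signTokenIfNecessary(jwtClaims, oAuthRegisteredService);
            if (shouldEncryptToken(oAuthRegisteredService)) {
                // Encryption always wraps the (possibly signed) token, never the other way round.
                token = encryptToken(oAuthRegisteredService, token);
            }
            return token;
        });
    }

    /**
     * Decodes a token back into its claims. When a registered service is supplied and the token
     * parses as a JWE, it is first decrypted with the private half of that service's encryption
     * key; signature handling is delegated to the superclass in either case.
     *
     * @param str      the encoded token
     * @param optional the registered service the token was issued for, if known
     * @return the decoded claims
     * @throws IllegalArgumentException wrapping any parse, decryption or verification failure
     */
    @Override
    public JwtClaims decode(final String str, final Optional<OAuthRegisteredService> optional) {
        return Unchecked.supplier(() -> {
            // NOTE(review): whether to decrypt is decided by the token's own format, not by
            // shouldEncryptToken(service). A service without an encryption key fails inside
            // getJsonWebKeyForEncryption, which surfaces here as IllegalArgumentException.
            if (optional.isPresent() && JWTParser.parse(str) instanceof EncryptedJWT) {
                PublicJsonWebKey encryptionKey = getJsonWebKeyForEncryption(optional.get());
                String decrypted = EncodingUtils.decryptJwtValue(encryptionKey.getPrivateKey(), str);
                return super.decode(decrypted, optional);
            }
            return super.decode(str, optional);
        }, th -> {
            throw new IllegalArgumentException(th);
        }).get();
    }

    /**
     * Resolves the issuer for the given service. Only OIDC registered services influence the
     * result; any other service type is treated as absent.
     *
     * @param optional the registered service, if known
     * @return the issuer identifier
     */
    @Override
    public String resolveIssuer(final Optional<OAuthRegisteredService> optional) {
        return this.issuerService.determineIssuer(asOidcService(optional));
    }

    /**
     * Encrypts an already signed (or plain) token for the given service.
     *
     * @param oAuthRegisteredService the registered service the token is issued for
     * @param str                    the token to encrypt
     * @return the encrypted token
     */
    protected abstract String encryptToken(OAuthRegisteredService oAuthRegisteredService, String str);

    /**
     * Locates the signing key for the issuer of the given service in the default keystore.
     * If the service names a specific key id, that key is preferred (matched case-insensitively);
     * otherwise, or if the named key is not in the keystore, the first key of the set is used.
     *
     * @param optional the registered service, if known
     * @return the signing key
     * @throws IllegalArgumentException if the issuer has no keystore or the keystore holds no keys
     */
    @Override
    protected PublicJsonWebKey getJsonWebKeySigningKey(final Optional<OAuthRegisteredService> optional) {
        Optional<OidcRegisteredService> oidcService = asOidcService(optional);
        String issuer = this.issuerService.determineIssuer(oidcService);
        LOGGER.trace("Using issuer [{}] to locate JWK signing key", issuer);

        Optional<JsonWebKeySet> keySet = Objects.requireNonNull(
            this.defaultJsonWebKeystoreCache.get(new OidcJsonWebKeyCacheKey(issuer, OidcJsonWebKeyUsage.SIGNING)),
            "JSON web keystore cache returned null for issuer " + issuer);
        if (keySet.isEmpty()) {
            throw new IllegalArgumentException("No signing key could be found for issuer " + issuer);
        }
        List<JsonWebKey> keys = keySet.get().getJsonWebKeys();
        if (keys.isEmpty()) {
            // Previously an IndexOutOfBoundsException from get(0); make the failure self-explanatory.
            throw new IllegalArgumentException("Keystore for issuer " + issuer + " contains no signing keys");
        }

        Optional<String> requestedKeyId = oidcService
            .map(OidcRegisteredService::getJwksKeyId)
            .filter(StringUtils::isNotBlank);
        PublicJsonWebKey signingKey = requestedKeyId
            .flatMap(keyId -> findKeyById(keys, keyId))
            .orElseGet(() -> {
                // Falling back to a key the service did not ask for is worth surfacing in the logs,
                // since the relying party may be pinned to the configured key id.
                requestedKeyId.ifPresent(keyId -> LOGGER.warn(
                    "Service [{}] is configured with JWK id [{}] which is not present in the keystore for issuer [{}]; falling back to the first key",
                    optional, keyId, issuer));
                return (PublicJsonWebKey) keys.get(0);
            });
        LOGGER.debug("Located signing key [{}] for issuer [{}] and service [{}]", signingKey, issuer, optional);
        return signingKey;
    }

    /**
     * Locates the encryption key for the given service in the per-service keystore. Among the
     * keys whose lifecycle state is current, the one with the lowest key id is chosen.
     *
     * @param oAuthRegisteredService the registered service configured to encrypt tokens
     * @return the encryption key, guaranteed to carry a public key
     * @throws IllegalArgumentException if the service has no keystore or no current key
     * @throws NullPointerException     if the chosen key carries no public key
     */
    public PublicJsonWebKey getJsonWebKeyForEncryption(final OAuthRegisteredService oAuthRegisteredService) {
        LOGGER.debug("Service [{}] is set to encrypt tokens", oAuthRegisteredService);
        Optional<JsonWebKeySet> keySet = Objects.requireNonNull(
            this.serviceJsonWebKeystoreCache.get(new OidcJsonWebKeyCacheKey(oAuthRegisteredService, OidcJsonWebKeyUsage.ENCRYPTION)),
            "JSON web keystore cache returned null for service " + oAuthRegisteredService.getServiceId());
        if (keySet.isEmpty()) {
            throw new IllegalArgumentException("Service " + oAuthRegisteredService.getServiceId() + " with client id " + oAuthRegisteredService.getClientId() + " is configured to encrypt tokens, yet no JSON web key is available to handle encryption");
        }
        JsonWebKey encryptionKey = keySet.get().getJsonWebKeys().stream()
            .filter(key -> OidcJsonWebKeystoreRotationService.JsonWebKeyLifecycleStates.getJsonWebKeyState(key).isCurrent())
            .min(Comparator.comparing(JsonWebKey::getKeyId))
            .orElseThrow(() -> new IllegalArgumentException("Cannot locate current JSON web key for encryption"));
        LOGGER.debug("Found JSON web key to encrypt the token: [{}]", encryptionKey);
        Objects.requireNonNull(encryptionKey.getKey(), "JSON web key used to encrypt the token has no associated public key");
        return (PublicJsonWebKey) encryptionKey;
    }

    /**
     * Signs the claims with the issuer's signing key when the service requires signing;
     * otherwise builds an unsigned (plain) token from the claims.
     *
     * @param jwtClaims              the claims to encode
     * @param oAuthRegisteredService the registered service the token is issued for
     * @return the plain or signed token
     * @throws NullPointerException if the signing key carries no private key
     */
    private String signTokenIfNecessary(final JwtClaims jwtClaims, final OAuthRegisteredService oAuthRegisteredService) {
        if (!shouldSignToken(oAuthRegisteredService)) {
            return JwtBuilder.buildPlain(JwtBuilder.parse(jwtClaims.toJson()), Optional.of(oAuthRegisteredService));
        }
        LOGGER.debug("Fetching JSON web key to sign the token for : [{}]", oAuthRegisteredService.getClientId());
        PublicJsonWebKey signingKey = getJsonWebKeySigningKey(Optional.of(oAuthRegisteredService));
        LOGGER.debug("Found JSON web key to sign the token: [{}]", signingKey);
        Objects.requireNonNull(signingKey.getPrivateKey(), "JSON web key used to sign the token has no associated private key");
        return signToken(oAuthRegisteredService, jwtClaims, signingKey);
    }

    /** Narrows the service to an OIDC registered service, yielding empty for any other type. */
    private static Optional<OidcRegisteredService> asOidcService(final Optional<OAuthRegisteredService> service) {
        return service
            .filter(OidcRegisteredService.class::isInstance)
            .map(OidcRegisteredService.class::cast);
    }

    /** Finds the public JSON web key whose key id equals {@code keyId}, ignoring case. */
    private static Optional<PublicJsonWebKey> findKeyById(final List<JsonWebKey> keys, final String keyId) {
        return keys.stream()
            .filter(key -> StringUtils.equalsIgnoreCase(key.getKeyId(), keyId))
            .map(PublicJsonWebKey.class::cast)
            .findFirst();
    }

    /**
     * Creates the service.
     *
     * @param loadingCache      keystore cache consulted for signing keys, by issuer
     * @param loadingCache2     keystore cache consulted for encryption keys, by service
     * @param oidcIssuerService resolves the issuer for a service
     */
    @Generated
    public BaseOidcJsonWebKeyTokenSigningAndEncryptionService(final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache,
                                                              final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache2,
                                                              final OidcIssuerService oidcIssuerService) {
        this.defaultJsonWebKeystoreCache = loadingCache;
        this.serviceJsonWebKeystoreCache = loadingCache2;
        this.issuerService = oidcIssuerService;
    }
}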
