package org.apereo.cas.token;

import com.nimbusds.jose.Header;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.PlainHeader;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.io.Serializable;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import org.apereo.cas.CentralAuthenticationService;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.RegisteredServiceCipherExecutor;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.function.FunctionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationContext;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-token-core-api-7.3.0-RC2.jar:org/apereo/cas/token/JwtBuilder.class */
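/**
 * Builds and unpacks the JWTs that CAS issues on behalf of a registered service.
 *
 * <p>Key selection when building, as implemented by {@link #build(RegisteredService, JWTClaimsSet)}:
 * the service-specific cipher if it supports the service, otherwise the default (global) cipher if
 * it is enabled, otherwise an <em>unsecured</em> plain JWT.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>{@link #parse(String)} and {@link #parseHeader(String)} only parse; they never verify a
 *       signature or decrypt anything.</li>
 *   <li>{@link #unpack(Optional, String)} returns the claims of a token that is neither signed nor
 *       encrypted without any cryptographic check. Its result proves authenticity only when the
 *       token went through one of the cipher executors.</li>
 *   <li>Several log statements at DEBUG/TRACE carry full claim sets or serialized tokens.</li>
 * </ul>
 */
public class JwtBuilder {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtBuilder.class);
    public static final String TICKET_JWT_BUILDER_BEAN_NAME = "tokenTicketJwtBuilder";
    public static final String ACCESS_TOKEN_JWT_BUILDER_BEAN_NAME = "accessTokenJwtBuilder";
    private final CipherExecutor<Serializable, String> defaultTokenCipherExecutor;
    private final ApplicationContext applicationContext;
    private final ServicesManager servicesManager;
    private final PrincipalResolver principalResolver;
    private final RegisteredServiceCipherExecutor registeredServiceCipherExecutor;
    private final ServiceFactory webApplicationServiceFactory;
    private final CasConfigurationProperties casProperties;

    /**
     * Describes one token to build: identifier, audience, issuer, subject, validity window and the
     * attributes that become claims.
     *
     * <p>The {@code Date}, {@code Set} and {@code Map} values are stored and returned by reference;
     * nothing here copies them, so later mutation by the caller is visible to this request.
     */
    /* loaded from: input_file:WEB-INF/lib/cas-server-support-token-core-api-7.3.0-RC2.jar:org/apereo/cas/token/JwtBuilder$JwtRequest.class */
    public static class JwtRequest {
        private final String jwtId;
        private final Set<String> serviceAudience;
        private final Date issueDate;
        private final String subject;
        private final Date validUntilDate;
        private final String issuer;
        private boolean resolveSubject;
        private final Map<String, List<Object>> attributes;
        private Optional<RegisteredService> registeredService;
        private Optional<Service> service;

        /**
         * Generated fluent builder. Fields with a {@code $set} companion flag have a default that
         * {@link JwtRequest#JwtRequest(JwtRequestBuilder)} applies when the setter was never called.
         */
        /* loaded from: input_file:WEB-INF/lib/cas-server-support-token-core-api-7.3.0-RC2.jar:org/apereo/cas/token/JwtBuilder$JwtRequest$JwtRequestBuilder.class */
        @Generated
        public static abstract class JwtRequestBuilder<C extends JwtRequest, B extends JwtRequestBuilder<C, B>> {

            @Generated
            private String jwtId;

            @Generated
            private Set<String> serviceAudience;

            @Generated
            private boolean issueDate$set;

            @Generated
            private Date issueDate$value;

            @Generated
            private String subject;

            @Generated
            private Date validUntilDate;

            @Generated
            private String issuer;

            @Generated
            private boolean resolveSubject;

            @Generated
            private boolean attributes$set;

            @Generated
            private Map<String, List<Object>> attributes$value;

            @Generated
            private boolean registeredService$set;

            @Generated
            private Optional<RegisteredService> registeredService$value;

            @Generated
            private boolean service$set;

            @Generated
            private Optional<Service> service$value;

            @Generated
            public B jwtId(String str) {
                this.jwtId = str;
                return self();
            }

            @Generated
            public B serviceAudience(Set<String> set) {
                this.serviceAudience = set;
                return self();
            }

            @Generated
            public B issueDate(Date date) {
                this.issueDate$value = date;
                this.issueDate$set = true;
                return self();
            }

            @Generated
            public B subject(String str) {
                this.subject = str;
                return self();
            }

            @Generated
            public B validUntilDate(Date date) {
                this.validUntilDate = date;
                return self();
            }

            @Generated
            public B issuer(String str) {
                this.issuer = str;
                return self();
            }

            @Generated
            public B resolveSubject(boolean z) {
                this.resolveSubject = z;
                return self();
            }

            @Generated
            public B attributes(Map<String, List<Object>> map) {
                this.attributes$value = map;
                this.attributes$set = true;
                return self();
            }

            @Generated
            public B registeredService(Optional<RegisteredService> optional) {
                this.registeredService$value = optional;
                this.registeredService$set = true;
                return self();
            }

            @Generated
            public B service(Optional<Service> optional) {
                this.service$value = optional;
                this.service$set = true;
                return self();
            }

            @Generated
            protected abstract B self();

            @Generated
            public abstract C build();

            /** Renders every builder field, including subject and attribute values. */
            @Override
            @Generated
            public String toString() {
                return "JwtBuilder.JwtRequest.JwtRequestBuilder(jwtId=" + this.jwtId
                    + ", serviceAudience=" + this.serviceAudience
                    + ", issueDate$value=" + this.issueDate$value
                    + ", subject=" + this.subject
                    + ", validUntilDate=" + this.validUntilDate
                    + ", issuer=" + this.issuer
                    + ", resolveSubject=" + this.resolveSubject
                    + ", attributes$value=" + this.attributes$value
                    + ", registeredService$value=" + this.registeredService$value
                    + ", service$value=" + this.service$value
                    + ")";
            }
        }

        /** Concrete builder returned by {@link JwtRequest#builder()}. */
        /* loaded from: input_file:WEB-INF/lib/cas-server-support-token-core-api-7.3.0-RC2.jar:org/apereo/cas/token/JwtBuilder$JwtRequest$JwtRequestBuilderImpl.class */
        @Generated
        private static final class JwtRequestBuilderImpl extends JwtRequestBuilder<JwtRequest, JwtRequestBuilderImpl> {
            @Generated
            private JwtRequestBuilderImpl() {
            }

            // The decompiler reports it widened this method from protected to public.
            @Override // org.apereo.cas.token.JwtBuilder.JwtRequest.JwtRequestBuilder
            @Generated
            public JwtRequestBuilderImpl self() {
                return this;
            }

            @Override // org.apereo.cas.token.JwtBuilder.JwtRequest.JwtRequestBuilder
            @Generated
            public JwtRequest build() {
                return new JwtRequest(this);
            }
        }

        /** Default issue date: the moment the request object is constructed. */
        @Generated
        private static Date $default$issueDate() {
            return new Date();
        }

        /** Default attributes: a new, empty, insertion-ordered map. */
        @Generated
        private static Map<String, List<Object>> $default$attributes() {
            return new LinkedHashMap<>();
        }

        @Generated
        private static Optional<RegisteredService> $default$registeredService() {
            return Optional.empty();
        }

        @Generated
        private static Optional<Service> $default$service() {
            return Optional.empty();
        }

        /**
         * Copies the builder state, substituting the defaults for issue date, attributes,
         * registered service and service when their setters were not called.
         *
         * @param jwtRequestBuilder the populated builder
         */
        @Generated
        protected JwtRequest(JwtRequestBuilder<?, ?> jwtRequestBuilder) {
            this.jwtId = jwtRequestBuilder.jwtId;
            this.serviceAudience = jwtRequestBuilder.serviceAudience;
            this.issueDate = jwtRequestBuilder.issueDate$set
                ? jwtRequestBuilder.issueDate$value
                : $default$issueDate();
            this.subject = jwtRequestBuilder.subject;
            this.validUntilDate = jwtRequestBuilder.validUntilDate;
            this.issuer = jwtRequestBuilder.issuer;
            this.resolveSubject = jwtRequestBuilder.resolveSubject;
            this.attributes = jwtRequestBuilder.attributes$set
                ? jwtRequestBuilder.attributes$value
                : $default$attributes();
            this.registeredService = jwtRequestBuilder.registeredService$set
                ? jwtRequestBuilder.registeredService$value
                : $default$registeredService();
            this.service = jwtRequestBuilder.service$set
                ? jwtRequestBuilder.service$value
                : $default$service();
        }

        @Generated
        public static JwtRequestBuilder<?, ?> builder() {
            return new JwtRequestBuilderImpl();
        }

        @Generated
        public String getJwtId() {
            return this.jwtId;
        }

        @Generated
        public Set<String> getServiceAudience() {
            return this.serviceAudience;
        }

        @Generated
        public Date getIssueDate() {
            return this.issueDate;
        }

        @Generated
        public String getSubject() {
            return this.subject;
        }

        @Generated
        public Date getValidUntilDate() {
            return this.validUntilDate;
        }

        @Generated
        public String getIssuer() {
            return this.issuer;
        }

        @Generated
        public boolean isResolveSubject() {
            return this.resolveSubject;
        }

        @Generated
        public Map<String, List<Object>> getAttributes() {
            return this.attributes;
        }

        @Generated
        public Optional<RegisteredService> getRegisteredService() {
            return this.registeredService;
        }

        @Generated
        public Optional<Service> getService() {
            return this.service;
        }

        /**
         * Renders every field, including the subject and all attribute values; treat the result
         * as sensitive when it ends up in a log line.
         */
        @Override
        @Generated
        public String toString() {
            return "JwtBuilder.JwtRequest(jwtId=" + this.jwtId
                + ", serviceAudience=" + this.serviceAudience
                + ", issueDate=" + this.issueDate
                + ", subject=" + this.subject
                + ", validUntilDate=" + this.validUntilDate
                + ", issuer=" + this.issuer
                + ", resolveSubject=" + this.resolveSubject
                + ", attributes=" + this.attributes
                + ", registeredService=" + this.registeredService
                + ", service=" + this.service
                + ")";
        }

        /** All-fields constructor; values are stored as given, with no defaults and no copies. */
        @Generated
        public JwtRequest(String str, Set<String> set, Date date, String str2, Date date2, String str3, boolean z, Map<String, List<Object>> map, Optional<RegisteredService> optional, Optional<Service> optional2) {
            this.jwtId = str;
            this.serviceAudience = set;
            this.issueDate = date;
            this.subject = str2;
            this.validUntilDate = date2;
            this.issuer = str3;
            this.resolveSubject = z;
            this.attributes = map;
            this.registeredService = optional;
            this.service = optional2;
        }

        // The with* methods below return a copy with one field replaced. The `==` test is the
        // generated same-reference short-circuit, not a value comparison: an equal but distinct
        // argument still produces a new instance.

        @Generated
        public JwtRequest withJwtId(String str) {
            if (this.jwtId == str) {
                return this;
            }
            return new JwtRequest(str, this.serviceAudience, this.issueDate, this.subject, this.validUntilDate,
                this.issuer, this.resolveSubject, this.attributes, this.registeredService, this.service);
        }

        @Generated
        public JwtRequest withServiceAudience(Set<String> set) {
            if (this.serviceAudience == set) {
                return this;
            }
            return new JwtRequest(this.jwtId, set, this.issueDate, this.subject, this.validUntilDate,
                this.issuer, this.resolveSubject, this.attributes, this.registeredService, this.service);
        }

        @Generated
        public JwtRequest withIssueDate(Date date) {
            if (this.issueDate == date) {
                return this;
            }
            return new JwtRequest(this.jwtId, this.serviceAudience, date, this.subject, this.validUntilDate,
                this.issuer, this.resolveSubject, this.attributes, this.registeredService, this.service);
        }

        @Generated
        public JwtRequest withSubject(String str) {
            if (this.subject == str) {
                return this;
            }
            return new JwtRequest(this.jwtId, this.serviceAudience, this.issueDate, str, this.validUntilDate,
                this.issuer, this.resolveSubject, this.attributes, this.registeredService, this.service);
        }

        @Generated
        public JwtRequest withValidUntilDate(Date date) {
            if (this.validUntilDate == date) {
                return this;
            }
            return new JwtRequest(this.jwtId, this.serviceAudience, this.issueDate, this.subject, date,
                this.issuer, this.resolveSubject, this.attributes, this.registeredService, this.service);
        }

        @Generated
        public JwtRequest withIssuer(String str) {
            if (this.issuer == str) {
                return this;
            }
            return new JwtRequest(this.jwtId, this.serviceAudience, this.issueDate, this.subject, this.validUntilDate,
                str, this.resolveSubject, this.attributes, this.registeredService, this.service);
        }

        @Generated
        public JwtRequest withResolveSubject(boolean z) {
            if (this.resolveSubject == z) {
                return this;
            }
            return new JwtRequest(this.jwtId, this.serviceAudience, this.issueDate, this.subject, this.validUntilDate,
                this.issuer, z, this.attributes, this.registeredService, this.service);
        }

        @Generated
        public JwtRequest withAttributes(Map<String, List<Object>> map) {
            if (this.attributes == map) {
                return this;
            }
            return new JwtRequest(this.jwtId, this.serviceAudience, this.issueDate, this.subject, this.validUntilDate,
                this.issuer, this.resolveSubject, map, this.registeredService, this.service);
        }

        @Generated
        public JwtRequest withRegisteredService(Optional<RegisteredService> optional) {
            if (this.registeredService == optional) {
                return this;
            }
            return new JwtRequest(this.jwtId, this.serviceAudience, this.issueDate, this.subject, this.validUntilDate,
                this.issuer, this.resolveSubject, this.attributes, optional, this.service);
        }

        @Generated
        public JwtRequest withService(Optional<Service> optional) {
            if (this.service == optional) {
                return this;
            }
            return new JwtRequest(this.jwtId, this.serviceAudience, this.issueDate, this.subject, this.validUntilDate,
                this.issuer, this.resolveSubject, this.attributes, this.registeredService, optional);
        }
    }

    /**
     * Creates a builder whose service-specific cipher is {@link RegisteredServiceCipherExecutor#noOp()},
     * so only the default cipher (or the plain-JWT fallback) can apply.
     */
    public JwtBuilder(CipherExecutor<Serializable, String> cipherExecutor, ApplicationContext applicationContext, ServicesManager servicesManager, PrincipalResolver principalResolver, CasConfigurationProperties casConfigurationProperties, ServiceFactory serviceFactory) {
        this(cipherExecutor, applicationContext, servicesManager, principalResolver, RegisteredServiceCipherExecutor.noOp(), serviceFactory, casConfigurationProperties);
    }

    /**
     * Extracts a claim set from {@code str}, first treating it as a serialized JWT and, if that
     * fails, as a bare JSON claim set.
     *
     * <p>This is parsing only: no signature is verified and nothing is decrypted, so the returned
     * claims carry no authenticity guarantee of their own.
     *
     * @param str a serialized JWT or a JSON claim set
     * @return the parsed claims
     * @throws IllegalArgumentException if neither form can be parsed; the claim-set failure is the
     *     cause and the JWT failure is attached as a suppressed exception
     */
    public static JWTClaimsSet parse(String str) {
        try {
            return JWTParser.parse(str).getJWTClaimsSet();
        } catch (Exception notSerializedJwt) {
            // The raw input is written to the TRACE log here; depending on the caller it is a
            // whole token or an already-decoded claim set, so TRACE output needs protecting.
            LOGGER.trace("Unable to parse [{}] JWT; trying JWT claim set...", str);
            try {
                return JWTClaimsSet.parse(str);
            } catch (Exception notClaimSet) {
                LoggingUtils.error(LOGGER, notClaimSet);
                // Keep both failures on the thrown exception so the reason survives for diagnosis.
                IllegalArgumentException failure = new IllegalArgumentException("Unable to parse JWT", notClaimSet);
                failure.addSuppressed(notSerializedJwt);
                throw failure;
            }
        }
    }

    /**
     * Reads the JOSE header of {@code str}, trying the signed form first and the encrypted form
     * second. The header is returned unverified, exactly as the token presents it.
     *
     * @param str a serialized signed or encrypted JWT
     * @return the token header
     * @throws Exception the failure of the encrypted-form parse, with the signed-form failure
     *     attached as a suppressed exception
     */
    public static Header parseHeader(String str) throws Exception {
        try {
            return SignedJWT.parse(str).getHeader();
        } catch (Exception notSigned) {
            try {
                return EncryptedJWT.parse(str).getHeader();
            } catch (Exception notEncrypted) {
                // Previously the first failure was dropped; keep it for whoever reads the trace.
                notEncrypted.addSuppressed(notSigned);
                throw notEncrypted;
            }
        }
    }

    /**
     * Serializes {@code jWTClaimsSet} as an unsecured (plain) JWT, adding the registered service
     * id as a custom header parameter when a service is given.
     *
     * <p>The result has no signature and is not encrypted: anyone holding it can read and alter
     * the claims, and the service-id header is equally unprotected.
     *
     * @param jWTClaimsSet the claims to serialize
     * @param optional the registered service whose id is recorded in the header, if any
     * @return the serialized plain JWT
     */
    public static String buildPlain(JWTClaimsSet jWTClaimsSet, Optional<RegisteredService> optional) {
        PlainHeader.Builder header = new PlainHeader.Builder().type(JOSEObjectType.JWT);
        optional.ifPresent(service ->
            header.customParam(RegisteredServiceCipherExecutor.CUSTOM_HEADER_REGISTERED_SERVICE_ID, Long.valueOf(service.getId())));
        return new PlainJWT(header.build(), jWTClaimsSet).serialize();
    }

    /** Unpacks {@code str} with no registered service, see {@link #unpack(Optional, String)}. */
    public JWTClaimsSet unpack(String str) {
        return unpack(Optional.empty(), str);
    }

    /**
     * Recovers the claims from a serialized token.
     *
     * <p>Order of evaluation: the service access strategy is enforced when a service is given;
     * a token that is neither signed nor encrypted is parsed and returned as-is; otherwise the
     * service-specific cipher decodes it if it supports the service, else the default cipher if
     * enabled, else the call fails.
     *
     * <p>NOTE(review): the plain-token branch runs before either cipher is consulted, so an
     * unsigned token is accepted even when signing keys are configured. Callers that need
     * authenticated claims have to reject unsecured tokens themselves or ensure this path is
     * unreachable for their token type; whether upstream callers depend on the current behavior
     * cannot be told from this file, so the logic is left unchanged.
     *
     * @param optional the registered service the token belongs to, if known
     * @param str the serialized token
     * @return the token claims
     * @throws IllegalArgumentException if the token is signed or encrypted and no cipher applies
     *     (how {@code FunctionUtils.doUnchecked} surfaces it is not visible here)
     */
    public JWTClaimsSet unpack(Optional<RegisteredService> optional, String str) {
        return (JWTClaimsSet) FunctionUtils.doUnchecked(() -> {
            optional.ifPresent(located -> {
                LOGGER.trace("Located service [{}] in service registry", located);
                RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(located);
            });
            JWT token = JWTParser.parse(str);
            boolean cryptographicallyProtected = token instanceof SignedJWT || token instanceof EncryptedJWT;
            if (!cryptographicallyProtected) {
                // Unsecured token: claims are returned without any signature or decryption step.
                return parse(str);
            }
            if (optional.isPresent()) {
                RegisteredService service = optional.get();
                LOGGER.trace("Locating service signing and encryption keys for [{}]", service.getServiceId());
                if (this.registeredServiceCipherExecutor.supports(service)) {
                    LOGGER.trace("Decoding JWT based on keys provided by service [{}]", service.getServiceId());
                    return parse(this.registeredServiceCipherExecutor.decode(str, Optional.of(service)));
                }
            }
            return (JWTClaimsSet) FunctionUtils.doIf(this.defaultTokenCipherExecutor.isEnabled(), () -> {
                LOGGER.trace("Decoding JWT based on default global keys");
                return parse(this.defaultTokenCipherExecutor.decode(str));
            }, () -> {
                throw new IllegalArgumentException("Unable to validate JWT signature");
            }).get();
        });
    }

    /**
     * Assembles the claim set for {@code jwtRequest} and encodes it for the matching service.
     *
     * <p>Attributes from {@link #collectClaims(JwtRequest)} become claims, except those whose name
     * starts with {@code CentralAuthenticationService.NAMESPACE} and those with no values. A
     * single-valued attribute is emitted as a scalar and a multi-valued one as a list, so token
     * consumers must accept both shapes. {@link ZonedDateTime} values are written as strings.
     *
     * <p>NOTE(review): only issuer and audience are null-checked. {@code validUntilDate} and
     * {@code jwtId} are handed to the claims builder as given; presumably a null yields a token
     * without {@code exp} / {@code jti}. Confirm every caller sets an expiry.
     *
     * @param jwtRequest the token description
     * @return the encoded token
     * @throws NullPointerException if the issuer or the audience is missing
     * @throws Throwable whatever {@link #collectClaims(JwtRequest)} or
     *     {@link #finalizeClaims(JWTClaimsSet, JwtRequest)} raise, or the unauthorized-service
     *     failure when no audience entry matches a registered service
     */
    public String build(JwtRequest jwtRequest) throws Throwable {
        Set<String> serviceAudience = jwtRequest.getServiceAudience();
        Objects.requireNonNull(jwtRequest.getIssuer(), "Issuer cannot be undefined");
        Objects.requireNonNull(serviceAudience, "Audience cannot be undefined");
        JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder()
            .audience(new ArrayList<>(serviceAudience))
            .issuer(jwtRequest.getIssuer())
            .jwtID(jwtRequest.getJwtId())
            .issueTime(jwtRequest.getIssueDate())
            .subject(jwtRequest.getSubject());
        collectClaims(jwtRequest).entrySet().stream()
            .filter(attribute -> !attribute.getKey().startsWith(CentralAuthenticationService.NAMESPACE))
            .filter(attribute -> !attribute.getValue().isEmpty())
            .forEach(attribute -> {
                List<Object> values = attribute.getValue();
                Object claimValue = values.size() == 1 ? CollectionUtils.firstElement(values).orElseThrow() : values;
                if (claimValue instanceof ZonedDateTime) {
                    claimValue = claimValue.toString();
                }
                claims.claim(attribute.getKey(), claimValue);
            });
        claims.expirationTime(jwtRequest.getValidUntilDate());
        JWTClaimsSet finalClaims = finalizeClaims(claims.build(), jwtRequest);
        LOGGER.trace("Locating service [{}] in service registry", serviceAudience);
        // An explicitly supplied registered service wins; otherwise the first audience entry
        // that resolves to a registry record decides which keys are used.
        RegisteredService targetService = jwtRequest.getRegisteredService().orElseGet(() ->
            serviceAudience.stream()
                .map(this::locateRegisteredService)
                .filter(Objects::nonNull)
                .findFirst()
                .orElseThrow(() -> UnauthorizedServiceException.denied("There is no application record registered with the CAS service registry that would match %s. Review the applications registered with the CAS service registry and make sure a matching record exists for %s.".formatted(serviceAudience, serviceAudience))));
        return build(targetService, finalClaims);
    }

    /**
     * Encodes {@code jWTClaimsSet} for {@code registeredService} after enforcing its access
     * strategy: service-specific keys first, then the default keys, and an unsecured plain JWT
     * when neither is available.
     *
     * <p>The plain fallback is now reported at WARN, because a token issued that way can be read
     * and modified by any holder. The full claim set is logged at DEBUG and the serialized plain
     * token at TRACE; both levels expose token content to anyone who can read the logs.
     *
     * @param registeredService the service the token is issued for
     * @param jWTClaimsSet the final claims
     * @return the encoded (or, as a last resort, plain) token
     */
    public String build(RegisteredService registeredService, JWTClaimsSet jWTClaimsSet) {
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);
        String claimsJson = jWTClaimsSet.toString();
        LOGGER.debug("Generated JWT [{}]", claimsJson);
        LOGGER.trace("Locating service specific signing and encryption keys for service [{}]", registeredService.getName());
        if (this.registeredServiceCipherExecutor.supports(registeredService)) {
            LOGGER.trace("Encoding JWT based on keys provided by service [{}]", registeredService.getServiceId());
            return this.registeredServiceCipherExecutor.encode(claimsJson, Optional.of(registeredService));
        }
        if (this.defaultTokenCipherExecutor.isEnabled()) {
            LOGGER.trace("Encoding JWT based on default global keys for service [{}]", registeredService.getName());
            return this.defaultTokenCipherExecutor.encode(claimsJson);
        }
        // No keys at either level: make the downgrade to an unsecured token visible to operators.
        LOGGER.warn("No signing or encryption keys are available for service [{}]; issuing an unsecured plain JWT",
            registeredService.getName());
        String plainToken = buildPlain(jWTClaimsSet, Optional.of(registeredService));
        LOGGER.trace("Generating plain JWT as the ticket: [{}]", plainToken);
        return plainToken;
    }

    /**
     * Resolves an audience value to a registry record by turning it into a service and asking the
     * services manager.
     *
     * @param str the audience value
     * @return the matching registered service; {@link #build(JwtRequest)} treats {@code null} as
     *     "no match"
     */
    protected RegisteredService locateRegisteredService(String str) {
        return this.servicesManager.findServiceBy(this.webApplicationServiceFactory.createService(str));
    }

    /** Extension hook run on the assembled claims before encoding; returns them unchanged here. */
    protected JWTClaimsSet finalizeClaims(JWTClaimsSet jWTClaimsSet, JwtRequest jwtRequest) throws Exception {
        return jWTClaimsSet;
    }

    /** Extension hook supplying the attributes that become claims; the request's own map here. */
    protected Map<String, List<Object>> collectClaims(JwtRequest jwtRequest) throws Throwable {
        return jwtRequest.getAttributes();
    }

    /** All-dependencies constructor; every argument is stored as given. */
    @Generated
    public JwtBuilder(CipherExecutor<Serializable, String> cipherExecutor, ApplicationContext applicationContext, ServicesManager servicesManager, PrincipalResolver principalResolver, RegisteredServiceCipherExecutor registeredServiceCipherExecutor, ServiceFactory serviceFactory, CasConfigurationProperties casConfigurationProperties) {
        this.defaultTokenCipherExecutor = cipherExecutor;
        this.applicationContext = applicationContext;
        this.servicesManager = servicesManager;
        this.principalResolver = principalResolver;
        this.registeredServiceCipherExecutor = registeredServiceCipherExecutor;
        this.webApplicationServiceFactory = serviceFactory;
        this.casProperties = casConfigurationProperties;
    }

    @Generated
    public CipherExecutor<Serializable, String> getDefaultTokenCipherExecutor() {
        return this.defaultTokenCipherExecutor;
    }

    @Generated
    public ApplicationContext getApplicationContext() {
        return this.applicationContext;
    }

    @Generated
    public ServicesManager getServicesManager() {
        return this.servicesManager;
    }

    @Generated
    public PrincipalResolver getPrincipalResolver() {
        return this.principalResolver;
    }

    @Generated
    public RegisteredServiceCipherExecutor getRegisteredServiceCipherExecutor() {
        return this.registeredServiceCipherExecutor;
    }

    @Generated
    public ServiceFactory getWebApplicationServiceFactory() {
        return this.webApplicationServiceFactory;
    }

    @Generated
    public CasConfigurationProperties getCasProperties() {
        return this.casProperties;
    }
}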
