package org.cloudfoundry.identity.uaa.oauth.openid;

import com.google.common.collect.Lists;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.oauth.TokenEndpointBuilder;
import org.cloudfoundry.identity.uaa.oauth.TokenValidityResolver;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.util.TimeService;
import org.cloudfoundry.identity.uaa.util.UaaTokenUtils;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.provider.ClientDetails;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.25.0.jar:org/cloudfoundry/identity/uaa/oauth/openid/IdTokenCreator.class */
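/**
 * Assembles the claim set of an OpenID Connect ID token for a (client, user) pair.
 *
 * <p>Which claims appear is decided in two layers:
 * <ul>
 *   <li>Scope gating, applied first: {@code given_name}, {@code family_name} and
 *       {@code phone_number} are only emitted when the {@code profile} scope was granted;
 *       {@code roles} and {@code user_attributes} only when their like-named scopes were.
 *       Every other claim -- including {@code email}, {@code email_verified}, {@code user_name},
 *       {@code user_id} and {@code origin} -- is emitted regardless of scope.</li>
 *   <li>The configured exclusion list, applied last: any claim whose name is in
 *       {@code excludedClaims} is nulled out. For the non-scope-gated identity claims above this
 *       list is the <em>only</em> way to keep them out of the token.</li>
 * </ul>
 *
 * <p>The zone is taken from {@link IdentityZoneHolder#get()}, not derived from the user or the
 * client, so callers must invoke {@link #create} within the zone context they intend.
 */
public class IdTokenCreator {
    private final Log logger = LogFactory.getLog(getClass());
    private TokenEndpointBuilder tokenEndpointBuilder;
    private TimeService timeService;
    private TokenValidityResolver tokenValidityResolver;
    private UaaUserDatabase uaaUserDatabase;
    private ClientServicesExtension clientServicesExtension;
    /** Claim names suppressed unconditionally; never null (see constructor). */
    private Set<String> excludedClaims;

    /**
     * @param tokenEndpointBuilder   supplies the token endpoint URL used as the {@code iss} claim
     * @param timeService            clock for the {@code iat} claim; may also be swapped later via
     *                               {@link #setTimeService}, so it is not validated here
     * @param tokenValidityResolver  resolves the per-client expiry used for {@code exp}
     * @param uaaUserDatabase        source of the user record the identity claims are read from
     * @param clientServicesExtension source of the client record (token salt, secret) used for the
     *                               revocation signature
     * @param excludedClaims         claim names to drop from every token; {@code null} is treated
     *                               as "exclude nothing"
     */
    public IdTokenCreator(TokenEndpointBuilder tokenEndpointBuilder, TimeService timeService, TokenValidityResolver tokenValidityResolver, UaaUserDatabase uaaUserDatabase, ClientServicesExtension clientServicesExtension, Set<String> excludedClaims) {
        this.timeService = timeService;
        this.tokenValidityResolver = tokenValidityResolver;
        this.uaaUserDatabase = uaaUserDatabase;
        this.clientServicesExtension = clientServicesExtension;
        // An absent exclusion list must mean "exclude nothing", not an NPE on the first create().
        this.excludedClaims = excludedClaims == null ? Collections.<String>emptySet() : excludedClaims;
        this.tokenEndpointBuilder = tokenEndpointBuilder;
    }

    /**
     * Builds the ID token claims for {@code clientId} and {@code userId}.
     *
     * <p>{@code exp} is resolved from the client's configured validity and {@code iat} from the
     * injected clock before the user is looked up. {@code aud} contains only the requesting client.
     * The {@code rev_sig} claim is derived from the user, the client's token salt (if any), the
     * client id and the client secret, so it is expected to change when either the salt or the
     * secret is rotated.
     *
     * @param clientId               the OAuth client the token is issued to ({@code aud}, {@code azp}, {@code cid})
     * @param userId                 id of the authenticated user ({@code user_id})
     * @param userAuthenticationData per-authentication data: granted scopes, auth time, AMR/ACR,
     *                               nonce, grant type, jti and any stored roles/attributes
     * @return the populated token; claims that are scope-gated, excluded, or absent are {@code null}
     * @throws IdTokenCreationException if {@code userId} does not resolve to a user. The original
     *                                  {@link UsernameNotFoundException} is logged but not attached as
     *                                  a cause. Any failure from the client lookup propagates as-is.
     */
    public IdToken create(String clientId, String userId, UserAuthenticationData userAuthenticationData) throws IdTokenCreationException {
        Date expiresAt = this.tokenValidityResolver.resolve(clientId);
        Date issuedAt = this.timeService.getCurrentDate();
        try {
            UaaUser user = this.uaaUserDatabase.retrieveUserById(userId);
            Set<String> scopes = userAuthenticationData.scopes;

            // Only these three identity claims are gated on the 'profile' scope; email,
            // email_verified and user_name below are emitted regardless of scope.
            String givenName = getIfScopeContainsProfile(user.getGivenName(), scopes);
            String familyName = getIfScopeContainsProfile(user.getFamilyName(), scopes);
            String phoneNumber = getIfScopeContainsProfile(user.getPhoneNumber(), scopes);

            String issuer = this.tokenEndpointBuilder.getTokenEndpoint();
            String zoneId = IdentityZoneHolder.get().getId();
            Map<String, List<String>> userAttributes = buildUserAttributes(userAuthenticationData, user);
            Set<String> roles = buildRoles(userAuthenticationData, user);

            ClientDetails client = this.clientServicesExtension.loadClientByClientId(clientId, zoneId);
            // A client without a token salt simply gets no salt; guard against an implementation
            // that returns null for the whole additional-information map as well.
            Map<String, Object> additionalInformation = client.getAdditionalInformation();
            String tokenSalt = additionalInformation == null
                    ? null
                    : (String) additionalInformation.get(ClientConstants.TOKEN_SALT);
            String revocationSignature = UaaTokenUtils.getRevocableTokenSignature(user, tokenSalt, clientId, client.getClientSecret());

            return new IdToken(
                    getIfNotExcluded(userId, "user_id"),
                    getIfNotExcluded(Lists.newArrayList(clientId), "aud"),
                    getIfNotExcluded(issuer, ClaimConstants.ISS),
                    getIfNotExcluded(expiresAt, "exp"),
                    getIfNotExcluded(issuedAt, ClaimConstants.IAT),
                    getIfNotExcluded(userAuthenticationData.authTime, ClaimConstants.AUTH_TIME),
                    getIfNotExcluded(userAuthenticationData.authenticationMethods, ClaimConstants.AMR),
                    getIfNotExcluded(userAuthenticationData.contextClassRef, "acr"),
                    getIfNotExcluded(clientId, ClaimConstants.AZP),
                    getIfNotExcluded(givenName, "given_name"),
                    getIfNotExcluded(familyName, "family_name"),
                    getIfNotExcluded(user.getPreviousLogonTime(), ClaimConstants.PREVIOUS_LOGON_TIME),
                    getIfNotExcluded(phoneNumber, "phone_number"),
                    getIfNotExcluded(roles, ClaimConstants.ROLES),
                    getIfNotExcluded(userAttributes, ClaimConstants.USER_ATTRIBUTES),
                    getIfNotExcluded(Boolean.valueOf(user.isVerified()), "email_verified"),
                    getIfNotExcluded(userAuthenticationData.nonce, ClaimConstants.NONCE),
                    getIfNotExcluded(user.getEmail(), "email"),
                    getIfNotExcluded(clientId, ClaimConstants.CID),
                    getIfNotExcluded(userAuthenticationData.grantType, "grant_type"),
                    getIfNotExcluded(user.getUsername(), "user_name"),
                    getIfNotExcluded(zoneId, ClaimConstants.ZONE_ID),
                    getIfNotExcluded(user.getOrigin(), "origin"),
                    getIfNotExcluded(userAuthenticationData.jti, "jti"),
                    getIfNotExcluded(revocationSignature, ClaimConstants.REVOCATION_SIGNATURE));
        } catch (UsernameNotFoundException e) {
            // Logged with the cause; IdTokenCreationException is constructed without one.
            this.logger.error("Could not create ID token for unknown user " + userId, e);
            throw new IdTokenCreationException();
        }
    }

    /** True when {@code scopes} is non-null and contains {@code scope}; a missing scope set grants nothing. */
    private static boolean hasScope(Set<String> scopes, String scope) {
        return scopes != null && scopes.contains(scope);
    }

    /** Returns {@code value} only when the {@code profile} scope was granted, otherwise {@code null}. */
    private String getIfScopeContainsProfile(String value, Set<String> scopes) {
        return hasScope(scopes, "profile") ? value : null;
    }

    /** Returns {@code value} unless {@code claimName} is on the exclusion list, in which case {@code null}. */
    private <T> T getIfNotExcluded(T value, String claimName) {
        return this.excludedClaims.contains(claimName) ? null : value;
    }

    /**
     * Stored user attributes for the {@code user_attributes} claim, or {@code null} when the scope
     * was not granted or nothing was stored for the user (the latter is logged at debug level).
     */
    private Map<String, List<String>> buildUserAttributes(UserAuthenticationData userAuthenticationData, UaaUser user) {
        boolean requested = hasScope(userAuthenticationData.scopes, ClaimConstants.USER_ATTRIBUTES);
        Map<String, List<String>> attributes = requested ? userAuthenticationData.userAttributes : null;
        if (requested && attributes == null) {
            this.logger.debug(String.format("Requested id_token containing %s, but no saved attributes available for user with id:%s. Ensure storeCustomAttributes is enabled for origin:%s in zone:%s.", ClaimConstants.USER_ATTRIBUTES, user.getId(), user.getOrigin(), IdentityZoneHolder.get().getId()));
        }
        return attributes;
    }

    /**
     * Stored roles for the {@code roles} claim, or {@code null} when the scope was not granted or
     * the stored role set is null/empty (the latter is logged at debug level).
     */
    private Set<String> buildRoles(UserAuthenticationData userAuthenticationData, UaaUser user) {
        boolean requested = hasScope(userAuthenticationData.scopes, ClaimConstants.ROLES);
        Set<String> roles = null;
        if (requested && userAuthenticationData.roles != null && !userAuthenticationData.roles.isEmpty()) {
            roles = userAuthenticationData.roles;
        }
        if (requested && roles == null) {
            this.logger.debug(String.format("Requested id_token containing user roles, but no saved roles available for user with id:%s. Ensure storeCustomAttributes is enabled for origin:%s in zone:%s.", user.getId(), user.getOrigin(), IdentityZoneHolder.get().getId()));
        }
        return roles;
    }

    /** Replaces the clock used for the {@code iat} claim. */
    public void setTimeService(TimeService timeService) {
        this.timeService = timeService;
    }
}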
