package org.apereo.cas.acct;

import java.io.Serializable;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.acct.provision.AccountRegistrationProvisioner;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.account.AccountManagementRegistrationCoreProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.inspektr.audit.annotation.Audit;
import org.apereo.inspektr.common.web.ClientInfo;
import org.apereo.inspektr.common.web.ClientInfoHolder;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/acct/DefaultAccountRegistrationService.class */
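/**
 * Default {@link AccountRegistrationService} that carries a pending account registration as a set
 * of JWT claims passed through the configured {@link CipherExecutor}.
 *
 * <p>{@link #createToken(AccountRegistrationRequest)} builds the claims and encodes them;
 * {@link #validateToken(String)} decodes a token and checks issuer, audience, subject, the
 * optional server/client IP binding and the expiration time before handing the claims back.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>All integrity/confidentiality of the token comes from the injected cipher executor; this
 *       class performs no signature or encryption work itself.</li>
 *   <li>The token is a bearer credential for completing a registration. Nothing in this class
 *       logs the encoded token; keep it that way.</li>
 *   <li>NOTE(review): a {@code jti} is generated on creation but is not checked on validation
 *       here, so this class alone does not make a token single-use. Confirm whether replay
 *       within the validity window is handled elsewhere.</li>
 * </ul>
 */
public class DefaultAccountRegistrationService implements AccountRegistrationService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultAccountRegistrationService.class);
    private final AccountRegistrationPropertyLoader accountRegistrationPropertyLoader;
    private final CasConfigurationProperties casProperties;
    private final CipherExecutor<Serializable, String> cipherExecutor;
    private final AccountRegistrationUsernameBuilder accountRegistrationUsernameBuilder;
    private final AccountRegistrationProvisioner accountRegistrationProvisioner;

    /**
     * Decodes a registration token and validates its claims.
     *
     * <p>Every failed check is logged and rejected by returning {@code null}. A token that lacks
     * a claim required by an enabled check (issuer, {@code origin}, {@code client}, expiration),
     * or a request for which no {@link ClientInfo} is available while IP binding is enabled, is
     * treated as a mismatch and rejected rather than surfacing as a
     * {@link NullPointerException}.
     *
     * @param str the encoded token as produced by {@link #createToken(AccountRegistrationRequest)}
     * @return a request built from the token's claims map, or {@code null} if any check fails
     * @throws Exception if the token cannot be decoded or parsed, or a claim has an unexpected type
     */
    @Audit(action = "ACCOUNT_REGISTRATION", actionResolverName = "ACCOUNT_REGISTRATION_TOKEN_VALIDATION_ACTION_RESOLVER", resourceResolverName = "ACCOUNT_REGISTRATION_TOKEN_VALIDATION_RESOURCE_RESOLVER")
    public AccountRegistrationRequest validateToken(String str) throws Exception {
        JwtClaims parse = JwtClaims.parse((String) this.cipherExecutor.decode(str));
        String prefix = this.casProperties.getServer().getPrefix();

        String issuer = parse.getIssuer();
        if (issuer == null || !issuer.equals(prefix)) {
            LOGGER.error("Token issuer [{}] does not match CAS' [{}]", issuer, prefix);
            return null;
        }
        // Only the first audience entry is compared, mirroring the single audience set on creation.
        if (parse.getAudience().isEmpty() || !parse.getAudience().get(0).equals(prefix)) {
            LOGGER.error("Token audience does not match CAS");
            return null;
        }
        if (StringUtils.isBlank(parse.getSubject())) {
            LOGGER.error("Token has no subject identifier");
            return null;
        }

        AccountManagementRegistrationCoreProperties core = this.casProperties.getAccountRegistration().getCore();
        // createToken tolerates a missing ClientInfo; validation must too, but it fails closed.
        // NOTE(review): the binding is only as reliable as the addresses ClientInfoHolder reports;
        // confirm they reflect the real peer when CAS sits behind a proxy or load balancer.
        ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
        if (core.isIncludeServerIpAddress()
                && !addressMatches(parse.getStringClaimValue("origin"), clientInfo == null ? null : clientInfo.getServerIpAddress())) {
            LOGGER.error("Token origin server IP address does not match CAS");
            return null;
        }
        if (core.isIncludeClientIpAddress()
                && !addressMatches(parse.getStringClaimValue("client"), clientInfo == null ? null : clientInfo.getClientIpAddress())) {
            LOGGER.error("Token client IP address does not match CAS");
            return null;
        }

        NumericDate expirationTime = parse.getExpirationTime();
        if (expirationTime == null) {
            // A token without an expiry must never be accepted as valid indefinitely.
            LOGGER.error("Token has no expiration time");
            return null;
        }
        if (expirationTime.isBefore(NumericDate.now())) {
            LOGGER.error("Token has expired with expiration time of [{}].", expirationTime);
            return null;
        }
        return new AccountRegistrationRequest(parse.getClaimsMap());
    }

    /**
     * Builds and encodes a registration token for the given request.
     *
     * <p>The claims carry a random {@code jti}, the CAS server prefix as issuer and audience, an
     * expiration derived from the configured registration expiration, the issued-at time, the
     * optional {@code origin}/{@code client} IP addresses, the generated username as subject and
     * finally every property of the request.
     *
     * @param accountRegistrationRequest the registration request whose properties are embedded
     * @return the claims JSON after encoding by the cipher executor
     */
    @Audit(action = "ACCOUNT_REGISTRATION", actionResolverName = "ACCOUNT_REGISTRATION_TOKEN_CREATION_ACTION_RESOLVER", resourceResolverName = "ACCOUNT_REGISTRATION_TOKEN_CREATION_RESOURCE_RESOLVER")
    public String createToken(AccountRegistrationRequest accountRegistrationRequest) {
        String uuid = UUID.randomUUID().toString();
        JwtClaims jwtClaims = new JwtClaims();
        jwtClaims.setJwtId(uuid);
        jwtClaims.setIssuer(this.casProperties.getServer().getPrefix());
        jwtClaims.setAudience(this.casProperties.getServer().getPrefix());
        AccountManagementRegistrationCoreProperties core = this.casProperties.getAccountRegistration().getCore();
        jwtClaims.setExpirationTimeMinutesInTheFuture((float) Beans.newDuration(core.getExpiration()).toMinutes());
        jwtClaims.setIssuedAtToNow();

        // IP binding claims are only written when client information is available; with binding
        // enabled, a token created without them is rejected by validateToken.
        ClientInfo clientInfo = ClientInfoHolder.getClientInfo();
        if (clientInfo != null) {
            if (core.isIncludeServerIpAddress()) {
                jwtClaims.setStringClaim("origin", clientInfo.getServerIpAddress());
            }
            if (core.isIncludeClientIpAddress()) {
                jwtClaims.setStringClaim("client", clientInfo.getClientIpAddress());
            }
        }

        String build = this.accountRegistrationUsernameBuilder.build(accountRegistrationRequest);
        jwtClaims.setSubject(build);
        // NOTE(review): request properties are copied in last, so a property named like a
        // server-set claim (iss, aud, exp, iat, jti, sub, origin, client) would replace it.
        // Confirm the caller restricts property names before the request reaches this method.
        accountRegistrationRequest.getProperties().forEach(jwtClaims::setClaim);

        LOGGER.debug("Creating account registration token for [{}]", build);
        String json = jwtClaims.toJson();
        LOGGER.debug("Encoding the generated JSON token...");
        return (String) this.cipherExecutor.encode(json);
    }

    /**
     * Compares an address bound into the token with the address seen on the current request.
     * A missing value on either side counts as a mismatch so the check fails closed.
     */
    private static boolean addressMatches(String boundAddress, String currentAddress) {
        return boundAddress != null && boundAddress.equals(currentAddress);
    }

    /**
     * Creates the service with its collaborators; the arguments are stored as given.
     *
     * @param accountRegistrationPropertyLoader loader exposed via its getter
     * @param casConfigurationProperties CAS settings supplying the server prefix and registration options
     * @param cipherExecutor encodes and decodes the token payload
     * @param accountRegistrationUsernameBuilder derives the token subject from a request
     * @param accountRegistrationProvisioner provisioner exposed via its getter
     */
    @Generated
    public DefaultAccountRegistrationService(AccountRegistrationPropertyLoader accountRegistrationPropertyLoader, CasConfigurationProperties casConfigurationProperties, CipherExecutor<Serializable, String> cipherExecutor, AccountRegistrationUsernameBuilder accountRegistrationUsernameBuilder, AccountRegistrationProvisioner accountRegistrationProvisioner) {
        this.accountRegistrationPropertyLoader = accountRegistrationPropertyLoader;
        this.casProperties = casConfigurationProperties;
        this.cipherExecutor = cipherExecutor;
        this.accountRegistrationUsernameBuilder = accountRegistrationUsernameBuilder;
        this.accountRegistrationProvisioner = accountRegistrationProvisioner;
    }

    /** Returns the property loader supplied at construction. */
    @Generated
    public AccountRegistrationPropertyLoader getAccountRegistrationPropertyLoader() {
        return this.accountRegistrationPropertyLoader;
    }

    /** Returns the CAS configuration properties supplied at construction. */
    @Generated
    public CasConfigurationProperties getCasProperties() {
        return this.casProperties;
    }

    /** Returns the cipher executor used to encode and decode registration tokens. */
    @Generated
    public CipherExecutor<Serializable, String> getCipherExecutor() {
        return this.cipherExecutor;
    }

    /** Returns the username builder used to derive the token subject. */
    @Generated
    public AccountRegistrationUsernameBuilder getAccountRegistrationUsernameBuilder() {
        return this.accountRegistrationUsernameBuilder;
    }

    /** Returns the provisioner supplied at construction. */
    @Generated
    public AccountRegistrationProvisioner getAccountRegistrationProvisioner() {
        return this.accountRegistrationProvisioner;
    }
}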
