package org.apereo.cas.support.oauth.web.response.accesstoken.response;

import com.nimbusds.jose.Header;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.auth.X509CertificateConfirmation;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import java.text.ParseException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalFactoryUtils;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceCipherExecutor;
import org.apereo.cas.support.oauth.profile.OAuth20ProfileScopeToAttributesFilter;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.token.JwtBuilder;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.DateTimeUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.validation.AuthenticationAttributeReleasePolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/response/accesstoken/response/OAuth20JwtAccessTokenEncoder.class */
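/**
 * Cipher executor that renders an OAuth 2.0 access token as a JWT, or hands back the
 * token's opaque id when JWT encoding is not enabled, and reverses that mapping on input.
 *
 * <p>{@link #encode(String, Object[])} consults the registered service, the CAS settings and
 * the authentication's DPoP attribute to decide whether a JWT is produced.
 * {@link #decode(String, Object[])} unpacks a JWT and returns its {@code jti} claim, which is
 * the original access token id; input that is not a JWT (or whose service-id header cannot be
 * read) is returned unchanged so that opaque tokens keep working.
 *
 * <p>Instances are immutable and are created through {@link #builder()}.
 */
public class OAuth20JwtAccessTokenEncoder implements CipherExecutor<String, String> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20JwtAccessTokenEncoder.class);

    /** Principal attribute carrying a DPoP JWK thumbprint; mapped to a confirmation claim. */
    private static final String DPOP_CONFIRMATION_ATTRIBUTE = "DPoPConfirmation";

    /** Principal attribute carrying a client certificate digest; mapped to a confirmation claim. */
    private static final String X509_DIGEST_ATTRIBUTE = "x509_digest";

    /** Builds and unpacks JWTs; also gives access to the services manager used on decode. */
    private final JwtBuilder accessTokenJwtBuilder;

    /** Token being encoded; not consulted on decode. */
    private final OAuth20AccessToken accessToken;

    /** Service the token belongs to; may be null, in which case decode reads it from the JWT header. */
    private final RegisteredService registeredService;

    /** Kept for callers via {@link #getService()}; not consulted by encode/decode here. */
    private final Service service;

    private final CasConfigurationProperties casProperties;

    /** JWT issuer override; when blank the server prefix from the CAS settings is used. */
    private final String issuer;

    /** Reduces the principal's attributes to those allowed by the token's scopes. */
    private final OAuth20ProfileScopeToAttributesFilter profileScopeToAttributesFilter;

    /** Supplies the authentication attributes that may be released to the service. */
    private final AuthenticationAttributeReleasePolicy authenticationAttributeReleasePolicy;

    /**
     * Fluent builder for {@link OAuth20JwtAccessTokenEncoder}.
     *
     * @param <C> the concrete encoder type produced by {@link #build()}
     * @param <B> the concrete builder type returned by each setter
     */
    @Generated
    public static abstract class OAuth20JwtAccessTokenEncoderBuilder<C extends OAuth20JwtAccessTokenEncoder, B extends OAuth20JwtAccessTokenEncoderBuilder<C, B>> {

        @Generated
        private JwtBuilder accessTokenJwtBuilder;

        @Generated
        private OAuth20AccessToken accessToken;

        @Generated
        private RegisteredService registeredService;

        @Generated
        private Service service;

        @Generated
        private CasConfigurationProperties casProperties;

        @Generated
        private String issuer;

        @Generated
        private OAuth20ProfileScopeToAttributesFilter profileScopeToAttributesFilter;

        @Generated
        private AuthenticationAttributeReleasePolicy authenticationAttributeReleasePolicy;

        /**
         * Sets the JWT builder used to produce and unpack tokens.
         *
         * @param jwtBuilder the JWT builder
         * @return this builder
         */
        @Generated
        public B accessTokenJwtBuilder(JwtBuilder jwtBuilder) {
            this.accessTokenJwtBuilder = jwtBuilder;
            return self();
        }

        /**
         * Sets the access token to encode.
         *
         * @param oAuth20AccessToken the access token
         * @return this builder
         */
        @Generated
        public B accessToken(OAuth20AccessToken oAuth20AccessToken) {
            this.accessToken = oAuth20AccessToken;
            return self();
        }

        /**
         * Sets the registered service the token belongs to; may be left null for decoding.
         *
         * @param registeredService the registered service
         * @return this builder
         */
        @Generated
        public B registeredService(RegisteredService registeredService) {
            this.registeredService = registeredService;
            return self();
        }

        /**
         * Sets the requesting service.
         *
         * @param service the service
         * @return this builder
         */
        @Generated
        public B service(Service service) {
            this.service = service;
            return self();
        }

        /**
         * Sets the CAS configuration used for the JWT switch and the default issuer.
         *
         * @param casConfigurationProperties the CAS configuration
         * @return this builder
         */
        @Generated
        public B casProperties(CasConfigurationProperties casConfigurationProperties) {
            this.casProperties = casConfigurationProperties;
            return self();
        }

        /**
         * Sets the JWT issuer; a blank value falls back to the server prefix.
         *
         * @param str the issuer
         * @return this builder
         */
        @Generated
        public B issuer(String str) {
            this.issuer = str;
            return self();
        }

        /**
         * Sets the scope-to-attribute filter.
         *
         * @param oAuth20ProfileScopeToAttributesFilter the filter
         * @return this builder
         */
        @Generated
        public B profileScopeToAttributesFilter(OAuth20ProfileScopeToAttributesFilter oAuth20ProfileScopeToAttributesFilter) {
            this.profileScopeToAttributesFilter = oAuth20ProfileScopeToAttributesFilter;
            return self();
        }

        /**
         * Sets the authentication attribute release policy.
         *
         * @param authenticationAttributeReleasePolicy the release policy
         * @return this builder
         */
        @Generated
        public B authenticationAttributeReleasePolicy(AuthenticationAttributeReleasePolicy authenticationAttributeReleasePolicy) {
            this.authenticationAttributeReleasePolicy = authenticationAttributeReleasePolicy;
            return self();
        }

        /**
         * Returns {@code this} typed as the concrete builder so setters can chain.
         *
         * @return this builder
         */
        @Generated
        protected abstract B self();

        /**
         * Creates the encoder from the values set so far.
         *
         * @return the encoder
         */
        @Generated
        public abstract C build();

        @Generated
        @Override
        public String toString() {
            return "OAuth20JwtAccessTokenEncoder.OAuth20JwtAccessTokenEncoderBuilder(accessTokenJwtBuilder=" + String.valueOf(this.accessTokenJwtBuilder) + ", accessToken=" + String.valueOf(this.accessToken) + ", registeredService=" + String.valueOf(this.registeredService) + ", service=" + String.valueOf(this.service) + ", casProperties=" + String.valueOf(this.casProperties) + ", issuer=" + this.issuer + ", profileScopeToAttributesFilter=" + String.valueOf(this.profileScopeToAttributesFilter) + ", authenticationAttributeReleasePolicy=" + String.valueOf(this.authenticationAttributeReleasePolicy) + ")";
        }
    }

    /** Concrete builder handed out by {@link OAuth20JwtAccessTokenEncoder#builder()}. */
    @Generated
    private static final class OAuth20JwtAccessTokenEncoderBuilderImpl extends OAuth20JwtAccessTokenEncoderBuilder<OAuth20JwtAccessTokenEncoder, OAuth20JwtAccessTokenEncoderBuilderImpl> {
        @Generated
        private OAuth20JwtAccessTokenEncoderBuilderImpl() {
        }

        @Override
        @Generated
        public OAuth20JwtAccessTokenEncoderBuilderImpl self() {
            return this;
        }

        @Override
        @Generated
        public OAuth20JwtAccessTokenEncoder build() {
            return new OAuth20JwtAccessTokenEncoder(this);
        }
    }

    /**
     * Decodes a JWT access token back to the access token id carried in its {@code jti} claim.
     *
     * <p>Blank input, input that is not a JWT, and input whose registered-service header cannot
     * be parsed as a numeric id are all returned unchanged; the caller is expected to treat such
     * a value as an opaque token id.
     *
     * @param str    the JWT (or opaque token id) to decode; may be blank
     * @param objArr unused
     * @return the access token id, or {@code str} itself when it could not be unpacked
     */
    public String decode(String str, Object[] objArr) {
        if (StringUtils.isBlank(str)) {
            LOGGER.debug("No access token is provided to decode");
            return str;
        }
        try {
            // The header is read from the still-unverified token; it only selects which
            // registered service the builder unpacks against.
            // NOTE(review): assumes accessTokenJwtBuilder.unpack verifies the token against
            // that service's keys and rejects it otherwise — confirm against JwtBuilder.
            var header = JWTParser.parse(str).getHeader();
            var resolvedService = Optional.ofNullable(resolveRegisteredService(header));
            return this.accessTokenJwtBuilder.unpack(resolvedService, str).getJWTID();
        } catch (ParseException e) {
            // NOTE(review): the raw token is written to the log at TRACE; keep TRACE off in
            // production or redact before enabling.
            LOGGER.trace("Token is not valid JWT, returning it as-is: [{}]", str);
            return str;
        } catch (NumberFormatException e) {
            // A non-numeric service id in the (unverified) header must not escape as an
            // unchecked exception; treat the value as an opaque token instead.
            LOGGER.debug("Registered service id in the token header is not numeric, returning token as-is");
            return str;
        }
    }

    /**
     * Encodes the configured access token, producing a JWT when the service or the CAS
     * settings call for one and the plain token id otherwise.
     *
     * @param str    ignored; the token comes from the {@code accessToken} field
     * @param objArr unused
     * @return the JWT string, or the access token id
     */
    public String encode(String str, Object[] objArr) {
        if (this.registeredService instanceof OAuthRegisteredService oAuthRegisteredService
            && shouldEncodeAsJwt(oAuthRegisteredService, this.accessToken)) {
            // Block-bodied lambda so the checked-supplier overload is selected unambiguously.
            String jwt = FunctionUtils.doUnchecked(() -> {
                return this.accessTokenJwtBuilder.build(getJwtRequestBuilder(oAuthRegisteredService, this.accessToken));
            });
            return jwt;
        }
        return this.accessToken.getId();
    }

    /**
     * Assembles the JWT claims request for the given token.
     *
     * <p>The claims are the scope-filtered principal attributes, optionally extended with a
     * proof-of-possession confirmation claim derived from the {@code DPoPConfirmation} or
     * {@code x509_digest} attribute. The audience defaults to the client id when the service
     * declares none; validity runs from the authentication date for the expiration policy's TTL.
     *
     * @param oAuthRegisteredService the service the token was issued to
     * @param oAuth20AccessToken     the token being encoded
     * @return the populated request for {@link JwtBuilder#build}
     * @throws Throwable if the attribute filter or the release policy fails
     */
    protected JwtBuilder.JwtRequest getJwtRequestBuilder(OAuthRegisteredService oAuthRegisteredService, OAuth20AccessToken oAuth20AccessToken) throws Throwable {
        var filteredPrincipal = this.profileScopeToAttributesFilter.filter(
            oAuth20AccessToken.getService(),
            buildPrincipalForAttributeFilter(oAuth20AccessToken, oAuthRegisteredService),
            oAuthRegisteredService,
            oAuth20AccessToken);
        Map<String, List<Object>> attributes = filteredPrincipal.getAttributes();

        // NOTE(review): both confirmation types are stored under the claim key the SDK returns,
        // so if both attributes are present the later put replaces the earlier one — confirm
        // whether that is intended.
        if (attributes.containsKey(DPOP_CONFIRMATION_ATTRIBUTE)) {
            CollectionUtils.firstElement(attributes.get(DPOP_CONFIRMATION_ATTRIBUTE)).ifPresent(thumbprint ->
                putConfirmationClaim(attributes, new JWKThumbprintConfirmation(new Base64URL(thumbprint.toString())).toJWTClaim()));
        }
        if (attributes.containsKey(X509_DIGEST_ATTRIBUTE)) {
            CollectionUtils.firstElement(attributes.get(X509_DIGEST_ATTRIBUTE)).ifPresent(digest ->
                putConfirmationClaim(attributes, new X509CertificateConfirmation(new Base64URL(digest.toString())).toJWTClaim()));
        }

        var authentication = oAuth20AccessToken.getAuthentication();
        var authenticationDate = authentication.getAuthenticationDate();
        long timeToLiveSeconds = oAuth20AccessToken.getExpirationPolicy().getTimeToLive().longValue();
        return JwtBuilder.JwtRequest.builder()
            .serviceAudience(oAuthRegisteredService.getAudience().isEmpty()
                ? Set.of(oAuth20AccessToken.getClientId())
                : oAuthRegisteredService.getAudience())
            .issueDate(DateTimeUtils.dateOf(authenticationDate))
            .jwtId(oAuth20AccessToken.getId())
            .subject(authentication.getPrincipal().getId())
            .validUntilDate(DateTimeUtils.dateOf(authenticationDate.plusSeconds(timeToLiveSeconds)))
            .attributes(attributes)
            .registeredService(Optional.of(oAuthRegisteredService))
            .issuer(resolveIssuer())
            .build();
    }

    /**
     * Stores a confirmation claim entry in the attribute map as a single-valued attribute.
     *
     * @param attributes the claim attributes being assembled
     * @param claim      the claim name/value pair produced by the confirmation type
     */
    private static void putConfirmationClaim(Map<String, List<Object>> attributes, Map.Entry<String, ?> claim) {
        List<Object> value = List.of(claim.getValue());
        attributes.put(claim.getKey(), value);
    }

    /**
     * Resolves the JWT issuer: the configured override when non-blank, else the server prefix.
     *
     * @return the issuer value
     */
    private String resolveIssuer() {
        return StringUtils.defaultIfBlank(this.issuer, this.casProperties.getServer().getPrefix());
    }

    /**
     * Decides whether the token is rendered as a JWT.
     *
     * <p>Any one of the following is sufficient: the global {@code createAsJwt} setting, the
     * service's own JWT flag, or a {@code DPoP} attribute on the authentication (a DPoP-bound
     * token must carry its confirmation claim and so is always a JWT).
     *
     * @param oAuthRegisteredService the service; may be null
     * @param oAuth20AccessToken     the token
     * @return true to encode as JWT
     */
    protected boolean shouldEncodeAsJwt(OAuthRegisteredService oAuthRegisteredService, OAuth20AccessToken oAuth20AccessToken) {
        if (this.casProperties.getAuthn().getOauth().getAccessToken().isCreateAsJwt()) {
            return true;
        }
        if (oAuthRegisteredService != null && oAuthRegisteredService.isJwtAccessToken()) {
            return true;
        }
        return oAuth20AccessToken.getAuthentication().containsAttribute("DPoP");
    }

    /**
     * Finds the registered service a JWT belongs to.
     *
     * <p>Prefers the service this encoder was built with. Otherwise the numeric service id is
     * taken from the JWT header's {@code CUSTOM_HEADER_REGISTERED_SERVICE_ID} parameter and
     * looked up through the services manager. The header has not been verified at this point,
     * so the id is treated purely as a lookup hint; it never grants anything by itself.
     *
     * @param header the parsed (unverified) JWT header
     * @return the registered service, or null if none is configured and the header carries no id
     * @throws NumberFormatException if the header parameter is present but not a valid long
     */
    protected RegisteredService resolveRegisteredService(Header header) {
        if (this.registeredService != null) {
            return this.registeredService;
        }
        Object serviceId = header.getCustomParam(RegisteredServiceCipherExecutor.CUSTOM_HEADER_REGISTERED_SERVICE_ID);
        if (serviceId == null) {
            return null;
        }
        return this.accessTokenJwtBuilder.getServicesManager()
            .findServiceBy(Long.parseLong(serviceId.toString()), OAuthRegisteredService.class);
    }

    /**
     * Builds the principal handed to the scope filter: the authenticated principal's attributes
     * merged with the releasable authentication attributes (the latter win on a name clash).
     *
     * @param oAuth20AccessToken the token whose authentication is used
     * @param registeredService  the service the attributes are released to
     * @return a new principal with the merged attributes
     * @throws Throwable if the release policy or the principal factory fails
     */
    private Principal buildPrincipalForAttributeFilter(OAuth20AccessToken oAuth20AccessToken, RegisteredService registeredService) throws Throwable {
        var authentication = oAuth20AccessToken.getAuthentication();
        var principal = authentication.getPrincipal();
        Map<String, List<Object>> merged = new HashMap<>(principal.getAttributes());
        merged.putAll(this.authenticationAttributeReleasePolicy.getAuthenticationAttributesForRelease(authentication, registeredService));
        return PrincipalFactoryUtils.newPrincipalFactory().createPrincipal(principal.getId(), merged);
    }

    /**
     * Copies the builder's values into the new encoder.
     *
     * @param oAuth20JwtAccessTokenEncoderBuilder the populated builder
     */
    @Generated
    protected OAuth20JwtAccessTokenEncoder(OAuth20JwtAccessTokenEncoderBuilder<?, ?> oAuth20JwtAccessTokenEncoderBuilder) {
        this.accessTokenJwtBuilder = oAuth20JwtAccessTokenEncoderBuilder.accessTokenJwtBuilder;
        this.accessToken = oAuth20JwtAccessTokenEncoderBuilder.accessToken;
        this.registeredService = oAuth20JwtAccessTokenEncoderBuilder.registeredService;
        this.service = oAuth20JwtAccessTokenEncoderBuilder.service;
        this.casProperties = oAuth20JwtAccessTokenEncoderBuilder.casProperties;
        this.issuer = oAuth20JwtAccessTokenEncoderBuilder.issuer;
        this.profileScopeToAttributesFilter = oAuth20JwtAccessTokenEncoderBuilder.profileScopeToAttributesFilter;
        this.authenticationAttributeReleasePolicy = oAuth20JwtAccessTokenEncoderBuilder.authenticationAttributeReleasePolicy;
    }

    /**
     * Creates a new builder.
     *
     * @return an empty builder
     */
    @Generated
    public static OAuth20JwtAccessTokenEncoderBuilder<?, ?> builder() {
        return new OAuth20JwtAccessTokenEncoderBuilderImpl();
    }

    /** @return the JWT builder */
    @Generated
    public JwtBuilder getAccessTokenJwtBuilder() {
        return this.accessTokenJwtBuilder;
    }

    /** @return the access token being encoded */
    @Generated
    public OAuth20AccessToken getAccessToken() {
        return this.accessToken;
    }

    /** @return the registered service, possibly null */
    @Generated
    public RegisteredService getRegisteredService() {
        return this.registeredService;
    }

    /** @return the requesting service */
    @Generated
    public Service getService() {
        return this.service;
    }

    /** @return the CAS configuration */
    @Generated
    public CasConfigurationProperties getCasProperties() {
        return this.casProperties;
    }

    /** @return the configured issuer override, possibly null or blank */
    @Generated
    public String getIssuer() {
        return this.issuer;
    }

    /** @return the scope-to-attribute filter */
    @Generated
    public OAuth20ProfileScopeToAttributesFilter getProfileScopeToAttributesFilter() {
        return this.profileScopeToAttributesFilter;
    }

    /** @return the authentication attribute release policy */
    @Generated
    public AuthenticationAttributeReleasePolicy getAuthenticationAttributeReleasePolicy() {
        return this.authenticationAttributeReleasePolicy;
    }
}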
