package org.apereo.cas.token.authentication;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.util.Base64;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.handler.PrincipalNameTransformer;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.integration.pac4j.authentication.handler.support.AbstractTokenWrapperAuthenticationHandler;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration;
import org.pac4j.jwt.config.signature.SecretSignatureConfiguration;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/token/authentication/TokenAuthenticationHandler.class */
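/**
 * Authentication handler that validates a JWT {@link TokenCredential} against the
 * shared secret(s) configured on the registered service the token was issued for.
 * <p>
 * Secrets and algorithm names are read from {@link RegisteredServiceProperty.RegisteredServiceProperties}
 * entries of the service. A signing secret is mandatory: without it
 * {@link #getAuthenticator(Credential)} yields no authenticator. An encryption secret is optional
 * and, when present, adds a JWE decryption step to the authenticator. The accepted signature
 * and encryption algorithms are taken from service configuration (with fixed defaults), not
 * from the incoming token.
 */
public class TokenAuthenticationHandler extends AbstractTokenWrapperAuthenticationHandler {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(TokenAuthenticationHandler.class);

    /**
     * Creates the handler. The {@code order} argument of the superclass is passed as {@code null}.
     *
     * @param str                      handler name
     * @param servicesManager          registry used to resolve the service a token belongs to
     * @param principalFactory         factory for the authenticated principal
     * @param principalNameTransformer transformer applied to the principal id
     * @param sessionStore             pac4j session store handed to the superclass
     */
    public TokenAuthenticationHandler(final String str, final ServicesManager servicesManager,
                                      final PrincipalFactory principalFactory,
                                      final PrincipalNameTransformer principalNameTransformer,
                                      final SessionStore sessionStore) {
        super(str, servicesManager, principalFactory, (Integer) null, principalNameTransformer, sessionStore);
    }

    /**
     * Looks up an algorithm by (case-insensitive) name inside a fixed candidate set and checks that it
     * is of the expected concrete type.
     * <p>
     * Because the caller supplies the candidate set and the name comes from service configuration,
     * this acts as an allow-list on what an operator may configure, not as validation of a token header.
     *
     * @param set candidate algorithms
     * @param str algorithm name to resolve
     * @param cls expected runtime type of the match
     * @param <T> expected algorithm type
     * @return the matching algorithm, cast to {@code cls}
     * @throws IllegalArgumentException if no candidate carries that name
     * @throws ClassCastException       if the match is not an instance of {@code cls}
     */
    private static <T extends Algorithm> T findAlgorithmFamily(final Set<Algorithm> set, final String str, final Class<T> cls) {
        final Algorithm match = set.stream()
            .filter(algorithm -> algorithm.getName().equalsIgnoreCase(str))
            .findFirst()
            .orElseThrow(() -> new IllegalArgumentException("Unable to find algorithm " + str));
        // Check the runtime type before casting so a mismatch is reported explicitly rather than
        // surfacing as an unchecked-cast failure at the call site.
        if (!cls.isInstance(match)) {
            throw new ClassCastException("Result [" + match + "] is of type " + match.getClass() + " when we were expecting " + cls);
        }
        return cls.cast(match);
    }

    /**
     * Converts a configured secret into key bytes.
     *
     * @param str the secret as stored in the service property
     * @param z   {@code true} if the property value is base64 encoded and must be decoded first
     * @return key material; UTF-8 bytes of the raw string when not base64 encoded
     */
    private static byte[] getSecretBytes(final String str, final boolean z) {
        if (z) {
            // NOTE(review): nimbus Base64#decode is presumably lenient about malformed input — confirm;
            // a mistyped secret would then yield unexpected key bytes rather than an error.
            return new Base64(str).decode();
        }
        return str.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Copies the resolved principal id back onto the token credential before delegating to the superclass.
     *
     * @param credential                           the token credential; must be a {@link TokenCredential}
     * @param authenticationHandlerExecutionResult the result produced by the pac4j authenticator
     * @return the superclass result
     * @throws ClassCastException if {@code credential} is not a {@link TokenCredential}
     */
    @Override
    public AuthenticationHandlerExecutionResult postAuthenticate(final Credential credential,
                                                                 final AuthenticationHandlerExecutionResult authenticationHandlerExecutionResult) {
        ((TokenCredential) credential).setId(authenticationHandlerExecutionResult.getPrincipal().getId());
        return super.postAuthenticate(credential, authenticationHandlerExecutionResult);
    }

    /**
     * Builds the pac4j authenticator for the service referenced by the token credential.
     * <p>
     * The service is resolved from the credential, so the key used to verify the token is the one
     * belonging to the service the token claims to target.
     *
     * @param credential the token credential; must be a {@link TokenCredential}
     * @return a configured {@link JwtAuthenticator}, or {@code null} when the service defines no
     * signing secret (the superclass presumably treats a null authenticator as "cannot authenticate" — confirm)
     * @throws UnauthorizedServiceException if the service is unknown or its access strategy denies access
     */
    @Override
    protected Authenticator getAuthenticator(final Credential credential) {
        final TokenCredential tokenCredential = (TokenCredential) credential;
        LOGGER.debug("Locating token secret for service [{}]", tokenCredential.getService());
        final RegisteredService registeredService = getServicesManager().findServiceBy(tokenCredential.getService());
        // getRegisteredServiceJwtSigningSecret() throws for a null/denied service, so the service is
        // non-null from here on.
        if (StringUtils.isNotBlank(getRegisteredServiceJwtSigningSecret(registeredService))) {
            return buildJwtAuthenticatorFor(registeredService);
        }
        LOGGER.warn("No token signing secret is defined for service [{}]. Ensure [{}] property is defined for service",
            registeredService.getServiceId(), RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_SIGNING.getPropertyName());
        return null;
    }

    /**
     * Creates a {@link JwtAuthenticator} with the service's signature configuration and, when an
     * encryption secret is configured, its encryption configuration.
     *
     * @param registeredService the service whose secrets are used
     * @return the configured authenticator
     */
    protected JwtAuthenticator buildJwtAuthenticatorFor(final RegisteredService registeredService) {
        final JwtAuthenticator jwtAuthenticator = new JwtAuthenticator();
        jwtAuthenticator.setSignatureConfiguration(getSecretSignatureConfiguration(registeredService));
        if (StringUtils.isNotBlank(getRegisteredServiceJwtEncryptionSecret(registeredService))) {
            jwtAuthenticator.setEncryptionConfiguration(getSecretEncryptionConfiguration(registeredService));
        } else {
            LOGGER.info("No token encryption secret is defined for service [{}]. You may want to use the [{}] property",
                registeredService.getServiceId(), RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_ENCRYPTION.getPropertyName());
        }
        return jwtAuthenticator;
    }

    /**
     * Reads a single JWT-related property from the service.
     *
     * @param registeredService           the service; may be {@code null}
     * @param registeredServiceProperties the property to read
     * @return the property value, or {@code null} if the service does not define it
     * @throws UnauthorizedServiceException if the service is {@code null} or its access strategy denies access
     */
    protected String getRegisteredServiceJwtProperty(final RegisteredService registeredService,
                                                     final RegisteredServiceProperty.RegisteredServiceProperties registeredServiceProperties) {
        if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
            LOGGER.debug("Service is not defined/found or its access is disabled in the registry");
            throw new UnauthorizedServiceException("screen.service.error.message");
        }
        if (registeredServiceProperties.isAssignedTo(registeredService)) {
            return registeredServiceProperties.getPropertyValue(registeredService).value();
        }
        LOGGER.trace("Service [{}] does not define a property [{}] in the registry", registeredService.getServiceId(), registeredServiceProperties);
        return null;
    }

    /**
     * Builds the shared-secret signature configuration for the service.
     * <p>
     * The algorithm name comes from {@code TOKEN_SECRET_SIGNING_ALG} and defaults to {@code HS256};
     * an unknown name fails with {@link IllegalArgumentException} rather than falling back.
     * The candidate set also lists RSA/EC names, which a shared-secret configuration cannot
     * actually use; pac4j presumably rejects such a selection when the configuration is applied — confirm.
     *
     * @param registeredService the service whose signing secret is used
     * @return the signature configuration
     * @throws IllegalArgumentException if the configured algorithm name is not a known JWS algorithm
     */
    protected SecretSignatureConfiguration getSecretSignatureConfiguration(final RegisteredService registeredService) {
        final String signingSecret = getRegisteredServiceJwtSigningSecret(registeredService);
        final String configuredAlgorithm = getRegisteredServiceJwtProperty(registeredService,
            RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_SIGNING_ALG);

        final Set<Algorithm> signingCandidates = new HashSet<>();
        signingCandidates.addAll(JWSAlgorithm.Family.EC);
        signingCandidates.addAll(JWSAlgorithm.Family.HMAC_SHA);
        signingCandidates.addAll(JWSAlgorithm.Family.RSA);
        signingCandidates.addAll(JWSAlgorithm.Family.SIGNATURE);

        final byte[] secretBytes = getSecretBytes(signingSecret, areSecretsBase64Encoded(registeredService));
        // defaultString only substitutes the default for null; an empty configured value is
        // deliberately left to fail the lookup below instead of silently selecting HS256.
        final JWSAlgorithm signingAlgorithm = findAlgorithmFamily(signingCandidates,
            StringUtils.defaultString(configuredAlgorithm, JWSAlgorithm.HS256.getName()), JWSAlgorithm.class);
        return new SecretSignatureConfiguration(secretBytes, signingAlgorithm);
    }

    /**
     * Builds the shared-secret encryption configuration for the service.
     * <p>
     * Key-management algorithm comes from {@code TOKEN_SECRET_ENCRYPTION_ALG} (default {@code dir}) and
     * content-encryption method from {@code TOKEN_SECRET_ENCRYPTION_METHOD} (default {@code A192CBC-HS384}).
     *
     * @param registeredService the service whose encryption secret is used
     * @return the encryption configuration
     * @throws IllegalArgumentException if a configured name is not a known JWE algorithm / encryption method
     */
    protected SecretEncryptionConfiguration getSecretEncryptionConfiguration(final RegisteredService registeredService) {
        final String encryptionSecret = getRegisteredServiceJwtEncryptionSecret(registeredService);

        final Set<Algorithm> algorithmCandidates = new HashSet<>();
        algorithmCandidates.addAll(JWEAlgorithm.Family.AES_GCM_KW);
        algorithmCandidates.addAll(JWEAlgorithm.Family.AES_KW);
        algorithmCandidates.addAll(JWEAlgorithm.Family.ASYMMETRIC);
        algorithmCandidates.addAll(JWEAlgorithm.Family.ECDH_ES);
        algorithmCandidates.addAll(JWEAlgorithm.Family.PBES2);
        algorithmCandidates.addAll(JWEAlgorithm.Family.RSA);
        algorithmCandidates.addAll(JWEAlgorithm.Family.SYMMETRIC);
        final String configuredAlgorithm = getRegisteredServiceJwtProperty(registeredService,
            RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_ENCRYPTION_ALG);
        final JWEAlgorithm encryptionAlgorithm = findAlgorithmFamily(algorithmCandidates,
            StringUtils.defaultString(configuredAlgorithm, JWEAlgorithm.DIR.getName()), JWEAlgorithm.class);

        final Set<Algorithm> methodCandidates = new HashSet<>();
        methodCandidates.addAll(EncryptionMethod.Family.AES_CBC_HMAC_SHA);
        methodCandidates.addAll(EncryptionMethod.Family.AES_GCM);

        final byte[] secretBytes = getSecretBytes(encryptionSecret, areSecretsBase64Encoded(registeredService));
        final String configuredMethod = getRegisteredServiceJwtProperty(registeredService,
            RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_ENCRYPTION_METHOD);
        final EncryptionMethod encryptionMethod = findAlgorithmFamily(methodCandidates,
            StringUtils.defaultString(configuredMethod, EncryptionMethod.A192CBC_HS384.getName()), EncryptionMethod.class);
        return new SecretEncryptionConfiguration(secretBytes, encryptionAlgorithm, encryptionMethod);
    }

    /**
     * @param registeredService the service
     * @return the {@code TOKEN_SECRET_ENCRYPTION} property value, or {@code null} if not defined
     */
    private String getRegisteredServiceJwtEncryptionSecret(final RegisteredService registeredService) {
        return getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_ENCRYPTION);
    }

    /**
     * @param registeredService the service
     * @return the {@code TOKEN_SECRET_SIGNING} property value, or {@code null} if not defined
     */
    private String getRegisteredServiceJwtSigningSecret(final RegisteredService registeredService) {
        return getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_SIGNING);
    }

    /**
     * @param registeredService the service
     * @return whether {@code TOKEN_SECRETS_ARE_BASE64_ENCODED} is set to a truthy value; {@code false} when absent
     */
    private boolean areSecretsBase64Encoded(final RegisteredService registeredService) {
        return BooleanUtils.toBoolean(getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRETS_ARE_BASE64_ENCODED));
    }
}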
