package de.gematik.idp.authentication;

import de.gematik.idp.IdpConstants;
import de.gematik.idp.crypto.CryptoLoader;
import de.gematik.idp.crypto.Nonce;
import de.gematik.idp.crypto.X509ClaimExtraction;
import de.gematik.idp.exceptions.IdpJoseException;
import de.gematik.idp.field.ClaimName;
import de.gematik.idp.token.IdpJwe;
import de.gematik.idp.token.JsonWebToken;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.time.ZonedDateTime;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import lombok.Generated;

/* loaded from: input_file:de/gematik/idp/authentication/AuthenticationTokenBuilder.class */
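/**
 * Builds the encrypted authentication token (token type {@code "code"}) that the IdP hands out
 * after a successful authentication.
 *
 * <p>Three entry points exist, one per authentication path visible in this class: certificate
 * based, SSO-token based and sektoral-ID-token based. Each one assembles a claim set, has it
 * signed via {@link IdpJwtProcessor#buildJwt} and encrypts the result with {@code encryptionKey}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>None of the methods here verifies signatures, certificate validity or claim contents;
 *       presumably the callers have verified every token/certificate before passing it in
 *       (TODO confirm against the call sites).</li>
 *   <li>{@code authenticationChallengeVerifier} is stored and exposed through a getter but is not
 *       used by any method of this class.</li>
 *   <li>{@code toString()} deliberately does not render the encryption key, because
 *       {@link Key#toString()} is implementation specific and the result of {@code toString()}
 *       tends to end up in logs.</li>
 * </ul>
 */
public class AuthenticationTokenBuilder {
    /** Value written to the token_type claim of every token built here. */
    private static final String TOKEN_TYPE_CODE = "code";
    /** Value written to the "typ" header claim of every token built here. */
    private static final String HEADER_TYPE_JWT = "JWT";

    private final IdpJwtProcessor jwtProcessor;
    private final Key encryptionKey;
    private final AuthenticationChallengeVerifier authenticationChallengeVerifier;
    private final String issuerUrl;

    /** Fluent builder for {@link AuthenticationTokenBuilder}; no field is validated on build. */
    @Generated
    /* loaded from: input_file:de/gematik/idp/authentication/AuthenticationTokenBuilder$AuthenticationTokenBuilderBuilder.class */
    public static class AuthenticationTokenBuilderBuilder {

        @Generated
        private IdpJwtProcessor jwtProcessor;

        @Generated
        private Key encryptionKey;

        @Generated
        private AuthenticationChallengeVerifier authenticationChallengeVerifier;

        @Generated
        private String issuerUrl;

        @Generated
        AuthenticationTokenBuilderBuilder() {
        }

        @Generated
        public AuthenticationTokenBuilderBuilder jwtProcessor(IdpJwtProcessor idpJwtProcessor) {
            this.jwtProcessor = idpJwtProcessor;
            return this;
        }

        @Generated
        public AuthenticationTokenBuilderBuilder encryptionKey(Key key) {
            this.encryptionKey = key;
            return this;
        }

        @Generated
        public AuthenticationTokenBuilderBuilder authenticationChallengeVerifier(AuthenticationChallengeVerifier authenticationChallengeVerifier) {
            this.authenticationChallengeVerifier = authenticationChallengeVerifier;
            return this;
        }

        @Generated
        public AuthenticationTokenBuilderBuilder issuerUrl(String str) {
            this.issuerUrl = str;
            return this;
        }

        @Generated
        public AuthenticationTokenBuilder build() {
            return new AuthenticationTokenBuilder(this.jwtProcessor, this.encryptionKey, this.authenticationChallengeVerifier, this.issuerUrl);
        }

        /** Renders the builder state; the key itself is never printed (see {@link #describeKey}). */
        @Generated
        @Override
        public String toString() {
            return "AuthenticationTokenBuilder.AuthenticationTokenBuilderBuilder(jwtProcessor=" + this.jwtProcessor + ", encryptionKey=" + describeKey(this.encryptionKey) + ", authenticationChallengeVerifier=" + this.authenticationChallengeVerifier + ", issuerUrl=" + this.issuerUrl + ")";
        }
    }

    /**
     * Builds the authentication token for the certificate-based path.
     *
     * <p>The body starts with the claims extracted from {@code x509Certificate}; the request
     * claims copied from {@code map} are written afterwards and therefore win on a name clash.
     * A claim that is absent from {@code map} is stored with a {@code null} value rather than
     * rejected. The token expires one minute after {@code zonedDateTime}.
     *
     * @param x509Certificate certificate the identity claims are taken from
     * @param map request/challenge claims keyed by JOSE claim name; copied without validation
     * @param zonedDateTime issue time, used for iat, auth_time and as base of the expiry
     * @return the signed and encrypted token
     * @throws IdpJoseException with message {@code "2020"} if claim extraction from the
     *     certificate fails with a {@link RuntimeException}
     */
    public IdpJwe buildAuthenticationToken(X509Certificate x509Certificate, Map<String, Object> map, ZonedDateTime zonedDateTime) {
        Map<String, Object> bodyClaims = extractClaimsFromCertificate(x509Certificate);
        copyClaims(map, bodyClaims,
                ClaimName.CLIENT_ID,
                ClaimName.REDIRECT_URI,
                ClaimName.NONCE,
                ClaimName.CODE_CHALLENGE,
                ClaimName.CODE_CHALLENGE_METHOD,
                ClaimName.ISSUER,
                ClaimName.RESPONSE_TYPE,
                ClaimName.STATE,
                ClaimName.SCOPE);

        long issuedAtEpochSecond = zonedDateTime.toEpochSecond();
        bodyClaims.put(ClaimName.ISSUED_AT.getJoseName(), issuedAtEpochSecond);
        bodyClaims.put(ClaimName.TOKEN_TYPE.getJoseName(), TOKEN_TYPE_CODE);
        bodyClaims.put(ClaimName.AUTH_TIME.getJoseName(), issuedAtEpochSecond);
        // Fresh random values per token (server nonce and token id).
        bodyClaims.put(ClaimName.SERVER_NONCE.getJoseName(), Nonce.getNonceAsBase64UrlEncodedString(24));
        bodyClaims.put(ClaimName.JWT_ID.getJoseName(), Nonce.getNonceAsHex(16));
        // NOTE(review): amr is taken from the caller-supplied map when present, so the stated
        // authentication methods are only as trustworthy as that map - confirm its origin.
        String amrName = ClaimName.AUTHENTICATION_METHODS_REFERENCE.getJoseName();
        bodyClaims.put(amrName, map.getOrDefault(amrName, List.of(IdpConstants.AMR_FAST_TRACK, "sc", "pin")));

        Map<String, Object> headerClaims = new HashMap<>();
        headerClaims.put(ClaimName.TYPE.getJoseName(), HEADER_TYPE_JWT);

        JwtBuilder jwtBuilder = new JwtBuilder()
                .addAllBodyClaims(bodyClaims)
                .addAllHeaderClaims(headerClaims)
                .expiresAt(zonedDateTime.plusMinutes(1L));
        return this.jwtProcessor.buildJwt(jwtBuilder).encrypt(this.encryptionKey);
    }

    /**
     * Extracts the claims of a certificate, translating any {@link RuntimeException} into an
     * {@link IdpJoseException} with message {@code "2020"} (the cause is preserved).
     */
    private Map<String, Object> extractClaimsFromCertificate(X509Certificate x509Certificate) {
        try {
            return X509ClaimExtraction.extractClaimsFromCertificate(x509Certificate);
        } catch (RuntimeException e) {
            throw new IdpJoseException("2020", e);
        }
    }

    /**
     * Builds the authentication token for the SSO path.
     *
     * <p>Identity claims come from {@code jsonWebToken}: from the certificate in its cnf claim
     * when that claim exists, otherwise from its own name/id/organization/profession claims.
     * The request claims (code challenge, nonce, client id, ...) come from {@code jsonWebToken2}.
     * Every claim read from either token is mandatory.
     *
     * @param jsonWebToken token carrying the identity (the SSO token, judging by the method name)
     * @param jsonWebToken2 token carrying the request claims (the challenge token, judging by the
     *     claims read from it)
     * @param zonedDateTime issue time, used for the iat claim only
     * @return the signed and encrypted token
     * @throws IdpJoseException if a mandatory claim is missing or the cnf structure is unusable
     */
    public IdpJwe buildAuthenticationTokenFromSsoToken(JsonWebToken jsonWebToken, JsonWebToken jsonWebToken2, ZonedDateTime zonedDateTime) {
        Map<String, Object> bodyClaims = new HashMap<>();
        if (jsonWebToken.getBodyClaims().containsKey(ClaimName.CONFIRMATION.getJoseName())) {
            // No validity check of the confirmation certificate is visible here; presumably the
            // token was verified before it reached this method (TODO confirm).
            bodyClaims.putAll(extractClaimsFromCertificate(extractConfirmationCertificate(jsonWebToken)));
        } else {
            copyRequiredClaims(jsonWebToken, bodyClaims,
                    ClaimName.GIVEN_NAME,
                    ClaimName.FAMILY_NAME,
                    ClaimName.ID_NUMBER,
                    ClaimName.ORGANIZATION_NAME,
                    ClaimName.PROFESSION_OID);
        }
        copyRequiredClaims(jsonWebToken2, bodyClaims,
                ClaimName.CODE_CHALLENGE,
                ClaimName.CODE_CHALLENGE_METHOD,
                ClaimName.NONCE,
                ClaimName.CLIENT_ID,
                ClaimName.REDIRECT_URI,
                ClaimName.SCOPE);
        bodyClaims.put(ClaimName.ISSUED_AT.getJoseName(), zonedDateTime.toEpochSecond());
        copyRequiredClaims(jsonWebToken2, bodyClaims,
                ClaimName.STATE,
                ClaimName.RESPONSE_TYPE,
                ClaimName.ISSUER);
        bodyClaims.put(ClaimName.TOKEN_TYPE.getJoseName(), TOKEN_TYPE_CODE);
        // NOTE(review): auth_time and the expiry use the wall clock while iat uses the
        // zonedDateTime argument, and the lifetime is one hour here versus one minute in
        // buildAuthenticationToken - confirm both are intended.
        bodyClaims.put(ClaimName.AUTH_TIME.getJoseName(), ZonedDateTime.now().toEpochSecond());
        bodyClaims.put(ClaimName.SERVER_NONCE.getJoseName(), Nonce.getNonceAsBase64UrlEncodedString(24));
        bodyClaims.put(ClaimName.JWT_ID.getJoseName(), Nonce.getNonceAsHex(16));

        // NOTE(review): every header claim of the incoming token is carried over into the new
        // token; only "typ" is overwritten. Confirm that no header of the incoming token should
        // be dropped before it is re-signed.
        Map<String, Object> headerClaims = new HashMap<>(jsonWebToken.getHeaderClaims());
        headerClaims.put(ClaimName.TYPE.getJoseName(), HEADER_TYPE_JWT);

        JwtBuilder jwtBuilder = new JwtBuilder()
                .replaceAllHeaderClaims(headerClaims)
                .replaceAllBodyClaims(bodyClaims)
                .expiresAt(ZonedDateTime.now().plusHours(1L));
        return this.jwtProcessor.buildJwt(jwtBuilder).encrypt(this.encryptionKey);
    }

    /**
     * Builds the authentication token for the sektoral-ID-token path.
     *
     * <p>Identity claims are mandatory and read from {@code jsonWebToken}; the request claims are
     * copied from {@code map} (absent entries become {@code null}, except nonce, which is only
     * written when present). Scope is fixed to {@code "openid e-rezept"}, the issuer is this
     * builder's {@code issuerUrl} and amr is fixed to {@link IdpConstants#AMR_FAST_TRACK}.
     *
     * @param jsonWebToken ID token the identity claims are taken from
     * @param zonedDateTime issue time, used for the iat claim only
     * @param map request claims keyed by JOSE claim name; copied without validation
     * @return the signed and encrypted token
     * @throws IdpJoseException if a mandatory identity claim is missing
     */
    public IdpJwe buildAuthenticationTokenFromSektoralIdToken(JsonWebToken jsonWebToken, ZonedDateTime zonedDateTime, Map<String, String> map) {
        Map<String, Object> bodyClaims = new HashMap<>();
        copyRequiredClaims(jsonWebToken, bodyClaims,
                ClaimName.GIVEN_NAME,
                ClaimName.FAMILY_NAME,
                ClaimName.ID_NUMBER,
                ClaimName.PROFESSION_OID);
        copyClaims(map, bodyClaims,
                ClaimName.CODE_CHALLENGE,
                ClaimName.CODE_CHALLENGE_METHOD,
                ClaimName.CLIENT_ID,
                ClaimName.REDIRECT_URI,
                ClaimName.STATE,
                ClaimName.RESPONSE_TYPE);
        String nonce = map.get(ClaimName.NONCE.getJoseName());
        if (nonce != null) {
            bodyClaims.put(ClaimName.NONCE.getJoseName(), nonce);
        }
        bodyClaims.put(ClaimName.SCOPE.getJoseName(), "openid e-rezept");
        bodyClaims.put(ClaimName.ISSUED_AT.getJoseName(), zonedDateTime.toEpochSecond());
        bodyClaims.put(ClaimName.TOKEN_TYPE.getJoseName(), TOKEN_TYPE_CODE);
        // NOTE(review): as in the SSO path, auth_time and the one-hour expiry are taken from the
        // wall clock, not from the zonedDateTime argument - confirm this is intended.
        bodyClaims.put(ClaimName.AUTH_TIME.getJoseName(), ZonedDateTime.now().toEpochSecond());
        bodyClaims.put(ClaimName.SERVER_NONCE.getJoseName(), Nonce.getNonceAsBase64UrlEncodedString(24));
        bodyClaims.put(ClaimName.ISSUER.getJoseName(), this.issuerUrl);
        bodyClaims.put(ClaimName.JWT_ID.getJoseName(), Nonce.getNonceAsHex(16));
        bodyClaims.put(ClaimName.AUTHENTICATION_METHODS_REFERENCE.getJoseName(), List.of(IdpConstants.AMR_FAST_TRACK));

        Map<String, Object> headerClaims = new HashMap<>();
        headerClaims.put(ClaimName.TYPE.getJoseName(), HEADER_TYPE_JWT);

        JwtBuilder jwtBuilder = new JwtBuilder()
                .addAllHeaderClaims(headerClaims)
                .addAllBodyClaims(bodyClaims)
                .expiresAt(ZonedDateTime.now().plusHours(1L));
        return this.jwtProcessor.buildJwt(jwtBuilder).encrypt(this.encryptionKey);
    }

    /** Copies the named entries from {@code source} to {@code target}; absent entries become null. */
    private static void copyClaims(Map<String, ?> source, Map<String, Object> target, ClaimName... names) {
        for (ClaimName name : names) {
            target.put(name.getJoseName(), source.get(name.getJoseName()));
        }
    }

    /** Copies the named body claims of {@code source} to {@code target}; each one is mandatory. */
    private void copyRequiredClaims(JsonWebToken source, Map<String, Object> target, ClaimName... names) {
        for (ClaimName name : names) {
            target.put(name.getJoseName(), extractClaimFromChallengeToken(source, name));
        }
    }

    /**
     * Reads one body claim of a token.
     *
     * @throws IdpJoseException if the claim is absent
     */
    private Object extractClaimFromChallengeToken(JsonWebToken jsonWebToken, ClaimName claimName) {
        return jsonWebToken.getBodyClaim(claimName)
                .orElseThrow(() -> new IdpJoseException("Unexpected structure in Challenge-Token"));
    }

    /**
     * Reads the first entry of the certificate chain inside the token's cnf claim and parses it.
     *
     * <p>The cnf claim must be a map whose certificate-chain entry is a non-empty list; the first
     * element's string form is Base64-decoded and handed to {@link CryptoLoader}. The chained
     * form below replaces the decompiler's raw {@code Optional} locals, which lose the element
     * type the lambdas depend on.
     *
     * @throws IdpJoseException if the cnf claim does not have that structure
     * @throws IllegalArgumentException if the entry is not valid Base64 (not translated here)
     */
    private X509Certificate extractConfirmationCertificate(JsonWebToken jsonWebToken) {
        String encodedCertificate = jsonWebToken.getBodyClaim(ClaimName.CONFIRMATION)
                .filter(Map.class::isInstance)
                .map(Map.class::cast)
                .map(confirmation -> confirmation.get(ClaimName.X509_CERTIFICATE_CHAIN.getJoseName()))
                .filter(List.class::isInstance)
                .map(List.class::cast)
                .filter(chain -> !chain.isEmpty())
                .map(chain -> chain.get(0))
                .map(Object::toString)
                .orElseThrow(() -> new IdpJoseException("Unsupported cnf-Structure found: Could not extract confirmed Certificate!"));
        return CryptoLoader.getCertificateFromPem(Base64.getDecoder().decode(encodedCertificate));
    }

    /**
     * Placeholder used by {@code toString()} instead of the key's own string form, which is
     * implementation specific and must not reach logs.
     */
    private static String describeKey(Key key) {
        return key == null ? "null" : "<redacted>";
    }

    /** Hash contribution of one field: 43 for {@code null}, else the value's own hash code. */
    private static int fieldHash(Object value) {
        return value == null ? 43 : value.hashCode();
    }

    @Generated
    public static AuthenticationTokenBuilderBuilder builder() {
        return new AuthenticationTokenBuilderBuilder();
    }

    @Generated
    public IdpJwtProcessor getJwtProcessor() {
        return this.jwtProcessor;
    }

    /** Returns the key used to encrypt the built tokens; handle the result as secret material. */
    @Generated
    public Key getEncryptionKey() {
        return this.encryptionKey;
    }

    @Generated
    public AuthenticationChallengeVerifier getAuthenticationChallengeVerifier() {
        return this.authenticationChallengeVerifier;
    }

    @Generated
    public String getIssuerUrl() {
        return this.issuerUrl;
    }

    /** Field-wise equality over all four fields, guarded by {@link #canEqual}. */
    @Generated
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof AuthenticationTokenBuilder)) {
            return false;
        }
        AuthenticationTokenBuilder other = (AuthenticationTokenBuilder) obj;
        if (!other.canEqual(this)) {
            return false;
        }
        return Objects.equals(getJwtProcessor(), other.getJwtProcessor())
                && Objects.equals(getEncryptionKey(), other.getEncryptionKey())
                && Objects.equals(getAuthenticationChallengeVerifier(), other.getAuthenticationChallengeVerifier())
                && Objects.equals(getIssuerUrl(), other.getIssuerUrl());
    }

    @Generated
    protected boolean canEqual(Object obj) {
        return obj instanceof AuthenticationTokenBuilder;
    }

    /** Hash over all four fields: start at 1, multiply by 59 and add each field's hash in turn. */
    @Generated
    @Override
    public int hashCode() {
        int result = 1;
        result = (result * 59) + fieldHash(getJwtProcessor());
        result = (result * 59) + fieldHash(getEncryptionKey());
        result = (result * 59) + fieldHash(getAuthenticationChallengeVerifier());
        result = (result * 59) + fieldHash(getIssuerUrl());
        return result;
    }

    /** Renders the configuration; the key itself is never printed (see {@link #describeKey}). */
    @Generated
    @Override
    public String toString() {
        return "AuthenticationTokenBuilder(jwtProcessor=" + getJwtProcessor() + ", encryptionKey=" + describeKey(getEncryptionKey()) + ", authenticationChallengeVerifier=" + getAuthenticationChallengeVerifier() + ", issuerUrl=" + getIssuerUrl() + ")";
    }

    @Generated
    public AuthenticationTokenBuilder(IdpJwtProcessor idpJwtProcessor, Key key, AuthenticationChallengeVerifier authenticationChallengeVerifier, String str) {
        this.jwtProcessor = idpJwtProcessor;
        this.encryptionKey = key;
        this.authenticationChallengeVerifier = authenticationChallengeVerifier;
        this.issuerUrl = str;
    }
}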
