package de.gematik.idp.token;

import de.gematik.idp.IdpConstants;
import de.gematik.idp.authentication.IdpJwtProcessor;
import de.gematik.idp.authentication.JwtBuilder;
import de.gematik.idp.crypto.Nonce;
import de.gematik.idp.exceptions.IdpRuntimeException;
import de.gematik.idp.exceptions.RequiredClaimException;
import de.gematik.idp.field.ClaimName;
import java.time.ZonedDateTime;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import lombok.Generated;
import org.apache.commons.lang3.tuple.Pair;
import org.jose4j.jwt.NumericDate;

/* loaded from: input_file:de/gematik/idp/token/AccessTokenBuilder.class */
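/**
 * Builds signed access tokens from the claims of a previously issued token.
 *
 * <p>The class holds the server-side salt used to derive the {@code sub} claim. That value is
 * kept out of {@link #toString()} so it cannot end up in logs or error reports.
 */
public class AccessTokenBuilder {
    /** Claims copied from the incoming token into the access token body. */
    private static final List<ClaimName> CLAIMS_TO_TAKE_FROM_AUTHENTICATION_TOKEN = List.of(ClaimName.PROFESSION_OID, ClaimName.GIVEN_NAME, ClaimName.FAMILY_NAME, ClaimName.ORGANIZATION_NAME, ClaimName.ID_NUMBER, ClaimName.CLIENT_ID, ClaimName.SCOPE, ClaimName.AUTH_TIME);
    private final IdpJwtProcessor jwtProcessor;
    private final String issuerUrl;
    // Secret input to the subject derivation; never print or log it.
    private final String serverSubjectSalt;
    // NOTE(review): stored by reference, so a caller that mutates the map later changes audience resolution.
    private final Map<String, String> scopeToAudienceUrl;
    /** Identity claims that are stripped again when the token carries the pairing scope. */
    private final ClaimName[] nonPairingClaims = {ClaimName.PROFESSION_OID, ClaimName.GIVEN_NAME, ClaimName.FAMILY_NAME, ClaimName.ORGANIZATION_NAME};

    /**
     * Creates the access token for the given source token.
     *
     * <p>The body is assembled from the copied claims plus freshly generated {@code iat},
     * {@code iss}, {@code acr}, {@code aud}, {@code sub}, {@code azp}, {@code jti}, {@code amr}
     * and {@code exp}; the header carries type {@code at+JWT}. The token expires five minutes
     * after issuance.
     *
     * @param jsonWebToken token whose claims are carried over
     * @return the JWT produced by the configured {@link IdpJwtProcessor}
     * @throws RequiredClaimException if the client id or the id number claim is missing
     * @throws IdpRuntimeException if the scopes do not resolve to exactly one audience
     */
    public JsonWebToken buildAccessToken(JsonWebToken jsonWebToken) {
        ZonedDateTime now = ZonedDateTime.now();
        Map<String, Object> bodyClaims = new HashMap<>();
        String clientId = jsonWebToken.getBodyClaim(ClaimName.CLIENT_ID)
            .orElseThrow(() -> new RequiredClaimException("Unable to obtain " + ClaimName.CLIENT_ID.getJoseName() + "!"))
            .toString();

        // Absent claims are stored as null, exactly as before; how JwtBuilder treats null values
        // is not visible here - TODO confirm they are dropped rather than serialized.
        for (ClaimName claimName : CLAIMS_TO_TAKE_FROM_AUTHENTICATION_TOKEN) {
            bodyClaims.put(claimName.getJoseName(), jsonWebToken.getBodyClaim(claimName).orElse(null));
        }

        Set<String> scopes = jsonWebToken.getScopesBodyClaim();
        if (scopes.contains(IdpConstants.PAIRING)) {
            // Data minimization: pairing tokens must not carry the personal identity claims.
            for (ClaimName claimName : this.nonPairingClaims) {
                bodyClaims.remove(claimName.getJoseName());
            }
        }

        bodyClaims.put(ClaimName.ISSUED_AT.getJoseName(), Long.valueOf(now.toEpochSecond()));
        bodyClaims.put(ClaimName.ISSUER.getJoseName(), this.issuerUrl);
        bodyClaims.put(ClaimName.AUTHENTICATION_CLASS_REFERENCE.getJoseName(), IdpConstants.EIDAS_LOA_HIGH);
        // Binding the token to a single audience keeps it from being accepted by other services.
        bodyClaims.put(ClaimName.AUDIENCE.getJoseName(), determineAudienceBasedOnScope(scopes));

        String idNumber = jsonWebToken.getStringBodyClaim(ClaimName.ID_NUMBER)
            .orElseThrow(() -> new RequiredClaimException("Missing '" + ClaimName.ID_NUMBER.getJoseName() + "' claim!"));
        bodyClaims.put(ClaimName.SUBJECT.getJoseName(), TokenBuilderUtil.buildSubjectClaim(clientId, idNumber, this.serverSubjectSalt));
        bodyClaims.put(ClaimName.AUTHORIZED_PARTY.getJoseName(), clientId);
        // Fresh random token id per issuance.
        bodyClaims.put(ClaimName.JWT_ID.getJoseName(), Nonce.getNonceAsHex(16));
        bodyClaims.put(ClaimName.AUTHENTICATION_METHODS_REFERENCE.getJoseName(), jsonWebToken.getBodyClaim(ClaimName.AUTHENTICATION_METHODS_REFERENCE).orElse(getAmrString()));
        // Short lifetime (5 minutes) limits the window in which a leaked token is usable.
        bodyClaims.put(ClaimName.EXPIRES_AT.getJoseName(), Long.valueOf(NumericDate.fromSeconds(now.plusMinutes(5L).toEpochSecond()).getValue()));

        Map<String, Object> headerClaims = new HashMap<>();
        headerClaims.put(ClaimName.TYPE.getJoseName(), "at+JWT");
        return this.jwtProcessor.buildJwt(new JwtBuilder().replaceAllBodyClaims(bodyClaims).replaceAllHeaderClaims(headerClaims));
    }

    /**
     * Resolves the audience URL for the requested scopes.
     *
     * <p>The {@code openid} scope is ignored. Exactly one of the remaining scopes must have a
     * configured audience; zero or several matches are rejected so that a token is never issued
     * with an ambiguous or missing audience.
     *
     * @param set scopes of the source token
     * @return the configured audience URL
     * @throws IdpRuntimeException if the number of matching audiences is not exactly one
     */
    private String determineAudienceBasedOnScope(Set<String> set) {
        // The decompiled listing referenced an undefined 'r1' here; the receiver of both bound
        // method references is the scope-to-audience map (null-checked, as in the original).
        List<String> audiences = set.stream()
            .filter(scope -> !scope.equals(IdpConstants.OPENID))
            .filter(this.scopeToAudienceUrl::containsKey)
            .map(this.scopeToAudienceUrl::get)
            .toList();
        if (audiences.size() == 1) {
            return audiences.get(0);
        }
        throw new IdpRuntimeException("Could not determine Audience for scopes '" + set + "'");
    }

    /** Returns the default {@code amr} values used when the source token carries none. */
    private String[] getAmrString() {
        return new String[]{IdpConstants.AMR_FAST_TRACK, "sc", "pin"};
    }

    /**
     * @param jwtProcessor processor that builds the JWT from the assembled claims
     * @param issuerUrl value of the {@code iss} claim
     * @param serverSubjectSalt secret salt passed to the subject derivation
     * @param scopeToAudienceUrl audience URL per scope; stored without copying
     */
    @Generated
    public AccessTokenBuilder(IdpJwtProcessor jwtProcessor, String issuerUrl, String serverSubjectSalt, Map<String, String> scopeToAudienceUrl) {
        this.jwtProcessor = jwtProcessor;
        this.issuerUrl = issuerUrl;
        this.serverSubjectSalt = serverSubjectSalt;
        this.scopeToAudienceUrl = scopeToAudienceUrl;
    }

    @Generated
    public IdpJwtProcessor getJwtProcessor() {
        return this.jwtProcessor;
    }

    @Generated
    public String getIssuerUrl() {
        return this.issuerUrl;
    }

    /** Returns the secret subject salt; callers must not log or expose the value. */
    @Generated
    public String getServerSubjectSalt() {
        return this.serverSubjectSalt;
    }

    @Generated
    public Map<String, String> getScopeToAudienceUrl() {
        return this.scopeToAudienceUrl;
    }

    /**
     * Returns a copy of the claims removed for pairing tokens. A copy is handed out so that
     * callers cannot alter which identity claims get stripped.
     */
    @Generated
    public ClaimName[] getNonPairingClaims() {
        return this.nonPairingClaims.clone();
    }

    @Generated
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof AccessTokenBuilder)) {
            return false;
        }
        AccessTokenBuilder other = (AccessTokenBuilder) obj;
        if (!other.canEqual(this)) {
            return false;
        }
        return Objects.equals(getJwtProcessor(), other.getJwtProcessor())
            && Objects.equals(getIssuerUrl(), other.getIssuerUrl())
            && Objects.equals(getServerSubjectSalt(), other.getServerSubjectSalt())
            && Objects.equals(getScopeToAudienceUrl(), other.getScopeToAudienceUrl())
            && Arrays.deepEquals(getNonPairingClaims(), other.getNonPairingClaims());
    }

    @Generated
    protected boolean canEqual(Object obj) {
        return obj instanceof AccessTokenBuilder;
    }

    @Generated
    @Override
    public int hashCode() {
        // Same 59/43 scheme as the generated original, so hash values are unchanged.
        IdpJwtProcessor processor = getJwtProcessor();
        int result = (1 * 59) + (processor == null ? 43 : processor.hashCode());
        String issuer = getIssuerUrl();
        result = (result * 59) + (issuer == null ? 43 : issuer.hashCode());
        String salt = getServerSubjectSalt();
        result = (result * 59) + (salt == null ? 43 : salt.hashCode());
        Map<String, String> audiences = getScopeToAudienceUrl();
        result = (result * 59) + (audiences == null ? 43 : audiences.hashCode());
        return (result * 59) + Arrays.deepHashCode(getNonPairingClaims());
    }

    /** Returns a description of this builder with the subject salt redacted. */
    @Generated
    @Override
    public String toString() {
        // The salt is a secret: printing it would let anyone with log access recompute subjects.
        return "AccessTokenBuilder(jwtProcessor=" + getJwtProcessor() + ", issuerUrl=" + getIssuerUrl() + ", serverSubjectSalt=<redacted>, scopeToAudienceUrl=" + getScopeToAudienceUrl() + ", nonPairingClaims=" + Arrays.deepToString(getNonPairingClaims()) + ")";
    }
}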
