package org.apereo.cas.token;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.PlainHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import java.io.Serializable;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import lombok.Generated;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.RegisteredServiceCipherExecutor;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.hjson.JsonValue;
import org.hjson.Stringify;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-token-core-api-6.2.2.jar:org/apereo/cas/token/JwtBuilder.class */
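/**
 * Builds and unpacks JWTs on behalf of registered services.
 *
 * <p>Key selection is the same in both directions: service-specific keys are used when
 * {@code registeredServiceCipherExecutor} supports the service, otherwise the default cipher
 * executor is used if it is enabled. If neither applies, {@link #build(JwtRequest)} emits an
 * unsecured {@link PlainJWT} and {@link #unpack(Optional, String)} parses the input without any
 * cryptographic processing. Claims obtained on that last path are unauthenticated and must not be
 * trusted for authorization decisions.
 */
public class JwtBuilder {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtBuilder.class);
    // Initial capacity of the default attribute map created for a JwtRequest.
    private static final int MAP_SIZE = 8;
    // Used as the "iss" claim of every token produced by build(). The spelling ("Sever") is part
    // of the public accessor name and is kept for compatibility.
    private final String casSeverPrefix;
    private final CipherExecutor<Serializable, String> defaultTokenCipherExecutor;
    private final ServicesManager servicesManager;
    private final RegisteredServiceCipherExecutor registeredServiceCipherExecutor;

    /* loaded from: input_file:WEB-INF/lib/cas-server-support-token-core-api-6.2.2.jar:org/apereo/cas/token/JwtBuilder$JwtRequest.class */
    /**
     * Input for {@link JwtBuilder#build(JwtRequest)}: the registered claims plus any extra
     * attributes to embed in the token. Instances are created through {@link #builder()}.
     */
    public static class JwtRequest {
        private final String jwtId;
        private final String serviceAudience;
        private final Date issueDate;
        private final String subject;
        private final Date validUntilDate;
        private final Map<String, List<Object>> attributes;
        private Optional<RegisteredService> registeredService;

        @Generated
        /* loaded from: input_file:WEB-INF/lib/cas-server-support-token-core-api-6.2.2.jar:org/apereo/cas/token/JwtBuilder$JwtRequest$JwtRequestBuilder.class */
        /**
         * Fluent builder for {@link JwtRequest}. {@code attributes} and {@code registeredService}
         * fall back to defaults when their setter was never called; the other fields stay
         * {@code null} unless set.
         */
        public static class JwtRequestBuilder {

            @Generated
            private String jwtId;

            @Generated
            private String serviceAudience;

            @Generated
            private Date issueDate;

            @Generated
            private String subject;

            @Generated
            private Date validUntilDate;

            // The "$set" flags record whether the caller supplied a value, so that an explicit
            // null is distinguishable from "not provided".
            @Generated
            private boolean attributes$set;

            @Generated
            private Map<String, List<Object>> attributes$value;

            @Generated
            private boolean registeredService$set;

            @Generated
            private Optional<RegisteredService> registeredService$value;

            @Generated
            JwtRequestBuilder() {
            }

            /** Sets the value later written to the "jti" claim. */
            @Generated
            public JwtRequestBuilder jwtId(String str) {
                this.jwtId = str;
                return this;
            }

            /** Sets the value later written to the "aud" claim and used to look up the service. */
            @Generated
            public JwtRequestBuilder serviceAudience(String str) {
                this.serviceAudience = str;
                return this;
            }

            /** Sets the value later written to the "iat" claim. */
            @Generated
            public JwtRequestBuilder issueDate(Date date) {
                this.issueDate = date;
                return this;
            }

            /** Sets the value later written to the "sub" claim. */
            @Generated
            public JwtRequestBuilder subject(String str) {
                this.subject = str;
                return this;
            }

            /** Sets the value later written to the "exp" claim. */
            @Generated
            public JwtRequestBuilder validUntilDate(Date date) {
                this.validUntilDate = date;
                return this;
            }

            /** Sets the extra claims; the map is stored by reference, not copied. */
            @Generated
            public JwtRequestBuilder attributes(Map<String, List<Object>> map) {
                this.attributes$value = map;
                this.attributes$set = true;
                return this;
            }

            /** Sets the service whose keys should be used, bypassing the lookup by audience. */
            @Generated
            public JwtRequestBuilder registeredService(Optional<RegisteredService> optional) {
                this.registeredService$value = optional;
                this.registeredService$set = true;
                return this;
            }

            /**
             * Creates the request, substituting the defaults for {@code attributes} and
             * {@code registeredService} when they were not set.
             */
            @Generated
            public JwtRequest build() {
                Map<String, List<Object>> attrs =
                    this.attributes$set ? this.attributes$value : JwtRequest.$default$attributes();
                Optional<RegisteredService> service =
                    this.registeredService$set ? this.registeredService$value : JwtRequest.$default$registeredService();
                return new JwtRequest(this.jwtId, this.serviceAudience, this.issueDate, this.subject, this.validUntilDate, attrs, service);
            }

            // NOTE(review): this prints the subject and all attribute values; avoid logging
            // builder instances where those values are sensitive.
            @Generated
            @Override
            public String toString() {
                return "JwtBuilder.JwtRequest.JwtRequestBuilder(jwtId=" + this.jwtId + ", serviceAudience=" + this.serviceAudience + ", issueDate=" + this.issueDate + ", subject=" + this.subject + ", validUntilDate=" + this.validUntilDate + ", attributes$value=" + this.attributes$value + ", registeredService$value=" + this.registeredService$value + ")";
            }
        }

        /** Default for {@code attributes}: a fresh, empty, insertion-ordered map. */
        @Generated
        private static Map<String, List<Object>> $default$attributes() {
            return new LinkedHashMap<>(MAP_SIZE);
        }

        /** Default for {@code registeredService}: empty, so the service is located by audience. */
        @Generated
        private static Optional<RegisteredService> $default$registeredService() {
            return Optional.empty();
        }

        @Generated
        JwtRequest(String str, String str2, Date date, String str3, Date date2, Map<String, List<Object>> map, Optional<RegisteredService> optional) {
            this.jwtId = str;
            this.serviceAudience = str2;
            this.issueDate = date;
            this.subject = str3;
            this.validUntilDate = date2;
            this.attributes = map;
            this.registeredService = optional;
        }

        /** Returns a new, empty builder. */
        @Generated
        public static JwtRequestBuilder builder() {
            return new JwtRequestBuilder();
        }

        @Generated
        public String getJwtId() {
            return this.jwtId;
        }

        @Generated
        public String getServiceAudience() {
            return this.serviceAudience;
        }

        @Generated
        public Date getIssueDate() {
            return this.issueDate;
        }

        @Generated
        public String getSubject() {
            return this.subject;
        }

        @Generated
        public Date getValidUntilDate() {
            return this.validUntilDate;
        }

        /** Returns the attribute map held by this request (the same instance, not a copy). */
        @Generated
        public Map<String, List<Object>> getAttributes() {
            return this.attributes;
        }

        @Generated
        public Optional<RegisteredService> getRegisteredService() {
            return this.registeredService;
        }
    }

    /**
     * Extracts the claims from {@code str}, which may be a serialized JWT or a bare JSON claim set.
     *
     * <p>This method only decodes. It performs no signature or MAC verification and no expiry or
     * audience validation, so the returned claims are only as trustworthy as the processing the
     * caller applied to {@code str} beforehand.
     *
     * @param str a serialized JWT, or the JSON text of a claim set
     * @return the parsed claims
     * @throws IllegalArgumentException if {@code str} is neither; the underlying parser failure is
     *     attached as the cause
     */
    public static JWTClaimsSet parse(String str) {
        try {
            return JWTParser.parse(str).getJWTClaimsSet();
        } catch (Exception e) {
            // The input may be a live bearer token, so its value is deliberately kept out of the log.
            LOGGER.trace("Unable to parse input as a JWT; trying JWT claim set...");
            try {
                return JWTClaimsSet.parse(str);
            } catch (Exception e2) {
                // Keep the first failure reachable from the one that is reported and rethrown.
                e2.addSuppressed(e);
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.error(e2.getMessage(), e2);
                } else {
                    LOGGER.error(e2.getMessage());
                }
                throw new IllegalArgumentException("Unable to parse JWT", e2);
            }
        }
    }

    /**
     * Serializes the claims as an unsecured {@link PlainJWT}: the result carries no signature and
     * is not encrypted, so any holder can read and alter it.
     *
     * @param jWTClaimsSet the claims to serialize
     * @param optional when present, the service id is added as a custom header parameter
     * @return the serialized plain JWT
     */
    public static String buildPlain(JWTClaimsSet jWTClaimsSet, Optional<RegisteredService> optional) {
        PlainHeader.Builder header = new PlainHeader.Builder().type(JOSEObjectType.JWT);
        optional.ifPresent(registeredService ->
            header.customParam(RegisteredServiceCipherExecutor.CUSTOM_HEADER_REGISTERED_SERVICE_ID, Long.valueOf(registeredService.getId())));
        return new PlainJWT(header.build(), jWTClaimsSet).serialize();
    }

    /**
     * Decodes a token and returns its claims.
     *
     * <p>Order of precedence: service-specific keys when a service is given and supported, then
     * the default cipher executor when enabled, and finally a direct {@link #parse(String)} of the
     * input. On that last path nothing is verified or decrypted: an unsigned token, or a bare JSON
     * claim set, is accepted as presented. Deployments that rely on the claims should make sure
     * one of the two cipher executors is always active.
     *
     * @param optional the service the token belongs to, if known; access to it is checked first
     * @param str the token to decode
     * @return the claims carried by the token
     * @throws IllegalArgumentException if the decoded content cannot be parsed
     */
    public JWTClaimsSet unpack(Optional<RegisteredService> optional, String str) {
        optional.ifPresent(registeredService -> {
            LOGGER.trace("Located service [{}] in service registry", registeredService);
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);
        });
        if (optional.isPresent()) {
            RegisteredService service = optional.get();
            LOGGER.trace("Locating service specific signing and encryption keys for [{}] in service registry", service);
            if (this.registeredServiceCipherExecutor.supports(service)) {
                LOGGER.trace("Decoding JWT based on keys provided by service [{}]", service.getServiceId());
                // NOTE(review): presumably decode() verifies and/or decrypts with the service keys;
                // confirm against the RegisteredServiceCipherExecutor implementation in use.
                return parse(this.registeredServiceCipherExecutor.decode(str, Optional.of(service)));
            }
        }
        if (!this.defaultTokenCipherExecutor.isEnabled()) {
            // No keys apply: the claims below come straight from the caller-supplied string.
            return parse(str);
        }
        LOGGER.trace("Decoding JWT based on default global keys");
        return parse(this.defaultTokenCipherExecutor.decode(str));
    }

    /**
     * Builds a token for the given request.
     *
     * <p>The claim set uses the service audience as "aud", the CAS server prefix as "iss", and the
     * request's id, issue date, subject and expiry; every attribute becomes a claim (a one-element
     * list is unwrapped to its single value). The JSON is then encoded with the service-specific
     * keys if supported, else with the default cipher executor if enabled, else returned as an
     * unsecured plain JWT.
     *
     * @param jwtRequest the claims and target service
     * @return the encoded token
     */
    public String build(JwtRequest jwtRequest) {
        String serviceAudience = jwtRequest.getServiceAudience();
        JWTClaimsSet.Builder claimsBuilder = new JWTClaimsSet.Builder()
            .audience(serviceAudience)
            .issuer(this.casSeverPrefix)
            .jwtID(jwtRequest.getJwtId())
            .issueTime(jwtRequest.getIssueDate())
            .subject(jwtRequest.getSubject());
        jwtRequest.getAttributes().forEach((name, values) -> {
            if (values.size() == 1) {
                claimsBuilder.claim(name, CollectionUtils.firstElement(values).get());
            } else {
                claimsBuilder.claim(name, values);
            }
        });
        claimsBuilder.expirationTime(jwtRequest.getValidUntilDate());
        JWTClaimsSet claims = claimsBuilder.build();
        String claimsJson = claims.toJSONObject().toJSONString();
        if (LOGGER.isDebugEnabled()) {
            // NOTE(review): writes the subject and every attribute value to the debug log.
            LOGGER.debug("Generated JWT [{}]", JsonValue.readJSON(claimsJson).toString(Stringify.FORMATTED));
        }
        LOGGER.trace("Locating service [{}] in service registry", serviceAudience);
        RegisteredService service = jwtRequest.getRegisteredService()
            .orElseGet(() -> locateRegisteredService(serviceAudience));
        // NOTE(review): the lookup may yield null for an unknown audience; this call is presumably
        // what rejects that case -- confirm before relying on it.
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(service);
        LOGGER.trace("Locating service specific signing and encryption keys for [{}] in service registry", serviceAudience);
        if (this.registeredServiceCipherExecutor.supports(service)) {
            LOGGER.trace("Encoding JWT based on keys provided by service [{}]", service.getServiceId());
            return this.registeredServiceCipherExecutor.encode(claimsJson, Optional.of(service));
        }
        if (this.defaultTokenCipherExecutor.isEnabled()) {
            LOGGER.trace("Encoding JWT based on default global keys for [{}]", serviceAudience);
            return this.defaultTokenCipherExecutor.encode(claimsJson);
        }
        // Neither key source applies: the token is issued without signature or encryption.
        String plainJwt = buildPlain(claims, Optional.of(service));
        // The token itself is a usable credential, so only the audience is logged.
        LOGGER.trace("Generated plain JWT as the ticket for [{}]", serviceAudience);
        return plainJwt;
    }

    /**
     * Looks up the registered service for the given audience in the services manager.
     *
     * @param str the service audience
     * @return whatever the services manager returns for that audience
     */
    protected RegisteredService locateRegisteredService(String str) {
        return this.servicesManager.findServiceBy(str);
    }

    /**
     * @param str the CAS server prefix, used as the issuer of built tokens
     * @param cipherExecutor the default (global) cipher executor
     * @param servicesManager used to locate a service by audience
     * @param registeredServiceCipherExecutor cipher executor driven by per-service keys
     */
    @Generated
    public JwtBuilder(String str, CipherExecutor<Serializable, String> cipherExecutor, ServicesManager servicesManager, RegisteredServiceCipherExecutor registeredServiceCipherExecutor) {
        this.casSeverPrefix = str;
        this.defaultTokenCipherExecutor = cipherExecutor;
        this.servicesManager = servicesManager;
        this.registeredServiceCipherExecutor = registeredServiceCipherExecutor;
    }

    @Generated
    public String getCasSeverPrefix() {
        return this.casSeverPrefix;
    }

    @Generated
    public CipherExecutor<Serializable, String> getDefaultTokenCipherExecutor() {
        return this.defaultTokenCipherExecutor;
    }

    @Generated
    public ServicesManager getServicesManager() {
        return this.servicesManager;
    }

    @Generated
    public RegisteredServiceCipherExecutor getRegisteredServiceCipherExecutor() {
        return this.registeredServiceCipherExecutor;
    }
}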
