package org.apereo.cas.oidc.authn;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWTParser;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.oidc.issuer.OidcIssuerService;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeyStoreUtils;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeyUsage;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.ticket.code.OAuth20Code;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.LoggingUtils;
import org.apereo.cas.util.function.FunctionUtils;
import org.jooq.lambda.Unchecked;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationContext;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/authn/OidcJwtAuthenticator.class */
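/**
 * Authenticates an OAuth/OIDC client that presents a JWT client assertion
 * ({@code client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer},
 * i.e. the {@code private_key_jwt} / {@code client_secret_jwt} methods).
 * <p>
 * The pac4j credentials are expected to carry the assertion type as the "username" and the
 * assertion JWT itself as the "password". Verification happens in two steps:
 * <ol>
 *   <li>{@link #verifyCredentials} cheaply rejects requests that are not JWT-bearer client
 *       authentication, rejects assertions whose JOSE {@code alg} is outside the HS/RS-PS/ES
 *       families (so {@code alg=none} never reaches signature verification), resolves the
 *       registered OIDC service from the {@code code} ticket or the {@code client_id} request
 *       parameter, and enforces that service's access strategy.</li>
 *   <li>{@link #validate} verifies the assertion against every signing key in that service's
 *       JWKS and, on success, attaches a {@link CommonProfile} to the credentials.</li>
 * </ol>
 * Security notes for maintainers (all visible in this class):
 * <ul>
 *   <li>The key set used for verification is chosen by the untrusted {@code code}/{@code client_id}
 *       in the request. The assertion is then pinned back to that client by requiring
 *       {@code aud} == the resolved service's client id, and {@code iss} == the value produced by
 *       the configured {@link OidcIssuerService}. RFC 7523 §3 and OIDC Core §9 describe client
 *       assertions the other way round ({@code iss} and {@code sub} = client id, {@code aud} =
 *       issuer / token endpoint) — confirm which convention deployed clients follow before
 *       changing either expectation.</li>
 *   <li>{@code jti}, {@code exp} and {@code sub} are required to be present, but {@code jti} is not
 *       recorded anywhere here, so an assertion can be replayed until {@code exp} passes
 *       (replay detection is optional in RFC 7523 §3).</li>
 *   <li>The assertion's {@code sub} is not compared to the registered client id; it becomes the
 *       resulting profile id verbatim.</li>
 * </ul>
 */
public class OidcJwtAuthenticator implements Authenticator {

    private static final Logger LOGGER = LoggerFactory.getLogger(OidcJwtAuthenticator.class);

    /** Assertion type that selects this authenticator (RFC 7523 §2.2). */
    private static final String JWT_BEARER_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /** Supplies the expected {@code iss} value for assertions of a given registered service. */
    protected final OidcIssuerService issuerService;
    protected final ServicesManager servicesManager;
    /** Access-strategy check run against the resolved service before any signature verification. */
    protected final AuditableExecution registeredServiceAccessStrategyEnforcer;
    /** Used to resolve the {@code code} request parameter to its issuing client. */
    protected final TicketRegistry ticketRegistry;
    /** Not used by this class; kept for subclasses. */
    protected final ServiceFactory<WebApplicationService> webApplicationServiceServiceFactory;
    /** Not used by this class; kept for subclasses. */
    protected final CasConfigurationProperties casProperties;
    protected final ApplicationContext applicationContext;

    /**
     * Pre-checks the credentials and resolves the OIDC client the assertion claims to belong to.
     * No signature is verified here; that happens in {@link #validate}.
     *
     * @param usernamePasswordCredentials pac4j credentials: username = assertion type, password = assertion JWT
     * @param webContext                  request context supplying the {@code code} / {@code client_id} parameters
     * @return the registered service whose signing JWKS should verify the assertion, or {@code null}
     *         when the request is not JWT-bearer client authentication, the assertion is blank or
     *         uses an unsupported {@code alg}, no client id can be determined, the resolved service
     *         is not an {@link OidcRegisteredService} (the cast fails), or its access strategy denies
     *         access. Any exception raised on the way is logged and mapped to {@code null}.
     */
    protected OidcRegisteredService verifyCredentials(final UsernamePasswordCredentials usernamePasswordCredentials,
                                                      final WebContext webContext) {
        if (!StringUtils.equalsIgnoreCase(JWT_BEARER_ASSERTION_TYPE, usernamePasswordCredentials.getUsername())) {
            LOGGER.debug("client assertion type is not set to [{}]", JWT_BEARER_ASSERTION_TYPE);
            return null;
        }
        final String assertion = usernamePasswordCredentials.getPassword();
        if (StringUtils.isBlank(assertion)) {
            LOGGER.debug("No assertion is available in the provided credentials");
            return null;
        }
        try {
            // Only the (unauthenticated) JOSE header is inspected at this point, to fail fast on
            // algorithms we will never accept; the real check is the signature verification later.
            final Algorithm algorithm = JWTParser.parse(assertion).getHeader().getAlgorithm();
            if (!validateJwtAlgorithm(algorithm)) {
                LOGGER.debug("Client assertion uses unsupported JWS algorithm [{}]", algorithm);
                return null;
            }
            final String clientId = resolveClientId(webContext);
            if (clientId == null) {
                LOGGER.debug("Unable to determine client id: no valid authorization code and no client_id parameter");
                return null;
            }
            final OidcRegisteredService registeredService = (OidcRegisteredService)
                OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, clientId);
            final AuditableContext auditContext = AuditableContext.builder()
                .registeredService(registeredService)
                .build();
            if (this.registeredServiceAccessStrategyEnforcer.execute(auditContext).isExecutionFailure()) {
                LOGGER.debug("Access strategy denied the registered service resolved for client id [{}]", clientId);
                return null;
            }
            return registeredService;
        } catch (final Exception e) {
            LoggingUtils.error(LOGGER, e);
            return null;
        }
    }

    /**
     * Determines which client the assertion should be verified for: the client that was issued
     * the authorization code named by the {@code code} request parameter when that ticket exists
     * and has not expired, otherwise the literal {@code client_id} request parameter.
     * Both inputs are attacker-controlled; they only select the key set, the assertion must
     * still verify against it.
     *
     * @param webContext the request context
     * @return the client id, or {@code null} when neither source yields one
     */
    private String resolveClientId(final WebContext webContext) {
        final String codeId = webContext.getRequestParameter("code").map(String::valueOf).orElse("");
        // doAndHandle logs and swallows registry failures, yielding null (treated as "no code").
        final OAuth20Code code = (OAuth20Code) FunctionUtils.doAndHandle(() -> {
            final OAuth20Code ticket = (OAuth20Code) this.ticketRegistry.getTicket(codeId, OAuth20Code.class);
            return ticket == null || ticket.isExpired() ? null : ticket;
        });
        if (code != null) {
            return code.getClientId();
        }
        return webContext.getRequestParameter("client_id").map(String::valueOf).orElse(null);
    }

    /**
     * pac4j entry point. Resolves the client via {@link #verifyCredentials}, then tries each
     * signing key of its JWKS with a consumer that requires {@code jti}, {@code exp} and {@code sub},
     * and pins {@code iss} to the configured issuer and {@code aud} to the client id. Every key is
     * tried; a key that does not verify leaves the credentials untouched (see
     * {@link #determineUserProfile}). When the client cannot be resolved, or no key verifies the
     * assertion, no profile is set on the credentials and no exception is thrown from here.
     *
     * @param credentials  must be {@link UsernamePasswordCredentials} (pac4j contract; otherwise a ClassCastException)
     * @param webContext   the request context
     * @param sessionStore unused
     */
    @Override
    public void validate(final Credentials credentials, final WebContext webContext, final SessionStore sessionStore) {
        final UsernamePasswordCredentials usernamePasswordCredentials = (UsernamePasswordCredentials) credentials;
        final OidcRegisteredService registeredService = verifyCredentials(usernamePasswordCredentials, webContext);
        if (registeredService == null) {
            LOGGER.warn("Unable to verify credentials");
            return;
        }
        OidcJsonWebKeyStoreUtils.getJsonWebKeySet(registeredService, this.applicationContext, Optional.of(OidcJsonWebKeyUsage.SIGNING))
            .ifPresent(Unchecked.consumer(jsonWebKeySet -> jsonWebKeySet.getJsonWebKeys().forEach(Unchecked.consumer(jsonWebKey -> {
                // Expected iss/aud come from server-side state only, never from the assertion.
                // Key/alg compatibility (e.g. an HS* assertion against an asymmetric JWK) is left to
                // jose4j and the JCA provider to reject — NOTE(review): confirm for the jose4j version in use.
                final JwtConsumer jwtConsumer = new JwtConsumerBuilder()
                    .setVerificationKey(jsonWebKey.getKey())
                    .setRequireJwtId()
                    .setRequireExpirationTime()
                    .setRequireSubject()
                    .setExpectedIssuer(true, this.issuerService.determineIssuer(Optional.of(registeredService)))
                    .setExpectedAudience(true, registeredService.getClientId())
                    .build();
                determineUserProfile(usernamePasswordCredentials, jwtConsumer);
            }))));
    }

    /**
     * Verifies the assertion with the given consumer and, on success, attaches a profile whose id
     * is the assertion's {@code sub} and whose attributes are all of its claims.
     * <p>
     * Verification failures (bad signature, expired, wrong {@code iss}/{@code aud}, missing required
     * claims) are presumably logged and swallowed by {@link FunctionUtils#doAndHandle}, so a
     * non-matching key leaves the profile untouched and the caller moves on to the next key.
     * NOTE(review): this relies on the single-argument {@code doAndHandle} overload executing the
     * lambda immediately; if it only wraps it into a Consumer that is never invoked, the profile
     * is never set — confirm against {@code FunctionUtils}.
     *
     * @param usernamePasswordCredentials credentials whose password is the assertion JWT; receives the profile
     * @param jwtConsumer                 fully configured consumer (key, issuer, audience, required claims)
     * @throws Exception declared for subclasses; not thrown by this implementation
     */
    protected void determineUserProfile(final UsernamePasswordCredentials usernamePasswordCredentials,
                                        final JwtConsumer jwtConsumer) throws Exception {
        FunctionUtils.doAndHandle(ignored -> {
            final JwtClaims claims = jwtConsumer.processToClaims(usernamePasswordCredentials.getPassword());
            final CommonProfile profile = new CommonProfile(true);
            // sub is used verbatim; it is not cross-checked against the registered client id here.
            profile.setId(claims.getSubject());
            profile.addAttributes(claims.getClaimsMap());
            usernamePasswordCredentials.setUserProfile(profile);
        });
    }

    /**
     * Allow-list for the assertion's JWS algorithm, expressed via Nimbus' {@link JWSAlgorithm.Family}:
     * HS256/384/512, the RSA family (RS* and PS*) and the EC family. Everything else — notably
     * {@code none}, which no family contains, and EdDSA, which is not listed — is rejected before
     * any signature check. A {@code null} algorithm is rejected too.
     *
     * @param algorithm the {@code alg} from the assertion's JOSE header, may be {@code null}
     * @return {@code true} if the algorithm is one this authenticator will attempt to verify
     */
    protected boolean validateJwtAlgorithm(final Algorithm algorithm) {
        return JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)
            || JWSAlgorithm.Family.RSA.contains(algorithm)
            || JWSAlgorithm.Family.EC.contains(algorithm);
    }

    public OidcJwtAuthenticator(final OidcIssuerService oidcIssuerService,
                                final ServicesManager servicesManager,
                                final AuditableExecution auditableExecution,
                                final TicketRegistry ticketRegistry,
                                final ServiceFactory<WebApplicationService> serviceFactory,
                                final CasConfigurationProperties casConfigurationProperties,
                                final ApplicationContext applicationContext) {
        this.issuerService = oidcIssuerService;
        this.servicesManager = servicesManager;
        this.registeredServiceAccessStrategyEnforcer = auditableExecution;
        this.ticketRegistry = ticketRegistry;
        this.webApplicationServiceServiceFactory = serviceFactory;
        this.casProperties = casConfigurationProperties;
        this.applicationContext = applicationContext;
    }
}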
