package org.apereo.cas.oidc.token;

import com.github.benmanes.caffeine.cache.LoadingCache;
import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.oidc.discovery.OidcServerDiscoverySettings;
import org.apereo.cas.oidc.issuer.OidcIssuerService;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeyCacheKey;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.util.jwt.JsonWebTokenEncryptor;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.PublicJsonWebKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/token/OidcIdTokenSigningAndEncryptionService.class */
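/**
 * Signs and encrypts OIDC ID tokens according to the per-service settings of an
 * {@link OidcRegisteredService}, bounded by the algorithms the server advertises in its
 * {@link OidcServerDiscoverySettings}.
 *
 * <p>Security-relevant policy visible in this class:
 * <ul>
 *   <li>A service that configures the {@code none} signing or encryption algorithm is
 *   refused unless the server explicitly advertises {@code none} as supported; a mismatch
 *   between the service definition and the server configuration is treated as an error.</li>
 *   <li>Encryption delegates to {@link JsonWebTokenEncryptor} with the discovery settings'
 *   supported algorithm and content-encoding lists as allow-lists, so a service cannot
 *   select an algorithm the server does not advertise.</li>
 * </ul>
 */
public class OidcIdTokenSigningAndEncryptionService extends BaseOidcJsonWebKeyTokenSigningAndEncryptionService {

    private static final String ALGORITHM_NONE = "none";

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) OidcIdTokenSigningAndEncryptionService.class);

    /** Server-side discovery metadata; the source of all "supported algorithm" allow-lists. */
    private final OidcServerDiscoverySettings discoverySettings;

    /**
     * Creates the service.
     *
     * @param loadingCache                 JWKS cache handed to the base class
     * @param loadingCache2                second JWKS cache handed to the base class
     * @param oidcIssuerService            issuer service handed to the base class
     * @param oidcServerDiscoverySettings  discovery settings used as the algorithm allow-list
     */
    public OidcIdTokenSigningAndEncryptionService(LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache, LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> loadingCache2, OidcIssuerService oidcIssuerService, OidcServerDiscoverySettings oidcServerDiscoverySettings) {
        super(loadingCache, loadingCache2, oidcIssuerService);
        this.discoverySettings = oidcServerDiscoverySettings;
    }

    /**
     * Resolves the JWS algorithm used to sign the ID token for the given service.
     *
     * <p>The service-level {@code idTokenSigningAlg} wins when set; otherwise the base
     * class default is used.
     *
     * @param oAuthRegisteredService the service; must be an {@link OidcRegisteredService}
     * @return the signing algorithm name
     * @throws ClassCastException if the service is not an {@link OidcRegisteredService}
     */
    @Override // org.apereo.cas.ticket.OAuth20TokenSigningAndEncryptionService
    public String getJsonWebKeySigningAlgorithm(OAuthRegisteredService oAuthRegisteredService) {
        OidcRegisteredService oidcService = OidcRegisteredService.class.cast(oAuthRegisteredService);
        String serviceAlgorithm = oidcService.getIdTokenSigningAlg();
        if (StringUtils.isBlank(serviceAlgorithm)) {
            return super.getJsonWebKeySigningAlgorithm(oAuthRegisteredService);
        }
        return serviceAlgorithm;
    }

    /**
     * Decides whether the ID token issued to the given service must be signed.
     *
     * <p>Non-OIDC services and services that opt out of signing yield {@code false}.
     * A service that selects the {@code none} algorithm is only honoured (by returning
     * {@code false}, i.e. no signature) when the server advertises {@code none} as a
     * supported signing algorithm; otherwise the configuration conflict is rejected.
     *
     * @param oAuthRegisteredService the service being issued the token
     * @return {@code true} when the token must be signed
     * @throws IllegalArgumentException when the service asks for {@code none} but the
     *                                  server does not advertise it
     */
    @Override // org.apereo.cas.ticket.OAuth20TokenSigningAndEncryptionService
    public boolean shouldSignToken(OAuthRegisteredService oAuthRegisteredService) {
        if (!(oAuthRegisteredService instanceof OidcRegisteredService)) {
            return false;
        }
        OidcRegisteredService oidcService = (OidcRegisteredService) oAuthRegisteredService;
        if (!oidcService.isSignIdToken()) {
            LOGGER.trace("Service [{}] does not require ID token to be signed", oAuthRegisteredService.getServiceId());
            return false;
        }
        // Any real algorithm: sign. Only the explicit 'none' request needs policy checks.
        if (!ALGORITHM_NONE.equalsIgnoreCase(oidcService.getIdTokenSigningAlg())) {
            return true;
        }
        Set<String> supportedSigningAlgorithms = this.discoverySettings.getIdTokenSigningAlgValuesSupported();
        if (supportedSigningAlgorithms.contains(ALGORITHM_NONE)) {
            LOGGER.error("Service [{}] has defined 'none' for ID token signing algorithm", oAuthRegisteredService.getServiceId());
            return false;
        }
        LOGGER.error("Service [{}] has defined 'none' for ID token signing algorithm, yet CAS is configured to support the following signing algorithms: [{}]. This is quite likely due to misconfiguration of the CAS server or the service definition", oAuthRegisteredService.getServiceId(), supportedSigningAlgorithms);
        throw new IllegalArgumentException("Unable to use 'none' as ID token signing algorithm");
    }

    /**
     * Decides whether the ID token issued to the given service must be encrypted.
     *
     * <p>Encryption is performed only for OIDC services that enable it and define both an
     * encryption algorithm and a content-encoding. A service that selects the {@code none}
     * algorithm is only honoured (by returning {@code false}) when the server advertises
     * {@code none} as a supported encryption algorithm; otherwise the conflict is rejected.
     *
     * @param oAuthRegisteredService the service being issued the token
     * @return {@code true} when the token must be encrypted
     * @throws IllegalArgumentException when the service asks for {@code none} but the
     *                                  server does not advertise it
     */
    @Override // org.apereo.cas.ticket.OAuth20TokenSigningAndEncryptionService
    public boolean shouldEncryptToken(OAuthRegisteredService oAuthRegisteredService) {
        if (!(oAuthRegisteredService instanceof OidcRegisteredService)) {
            return false;
        }
        OidcRegisteredService oidcService = (OidcRegisteredService) oAuthRegisteredService;
        if (!oidcService.isEncryptIdToken()) {
            return false;
        }
        String encryptionAlgorithm = oidcService.getIdTokenEncryptionAlg();
        if (!ALGORITHM_NONE.equalsIgnoreCase(encryptionAlgorithm)) {
            return StringUtils.isNotBlank(encryptionAlgorithm) && StringUtils.isNotBlank(oidcService.getIdTokenEncryptionEncoding());
        }
        // The 'none' request is an encryption decision, so it is checked against the
        // encryption allow-list (the same list the error below reports), not the signing list.
        Set<String> supportedEncryptionAlgorithms = this.discoverySettings.getIdTokenEncryptionAlgValuesSupported();
        if (supportedEncryptionAlgorithms.contains(ALGORITHM_NONE)) {
            LOGGER.error("Service [{}] has defined 'none' for ID token encryption algorithm", oAuthRegisteredService.getServiceId());
            return false;
        }
        LOGGER.error("Service [{}] has defined 'none' for ID token encryption algorithm, yet CAS is configured to support the following encryption algorithms: [{}]. This is quite likely due to misconfiguration of the CAS server or the service definition", oAuthRegisteredService.getServiceId(), supportedEncryptionAlgorithms);
        throw new IllegalArgumentException("Unable to use 'none' as ID token encryption algorithm");
    }

    /**
     * Returns the signing algorithms the server advertises for ID tokens.
     *
     * @param oAuthRegisteredService the service; not consulted, the list is server-wide
     * @return the discovery settings' supported ID token signing algorithms
     */
    @Override // org.apereo.cas.ticket.BaseTokenSigningAndEncryptionService
    public Set<String> getAllowedSigningAlgorithms(OAuthRegisteredService oAuthRegisteredService) {
        return this.discoverySettings.getIdTokenSigningAlgValuesSupported();
    }

    /**
     * Encrypts the (already signed) token for the given service.
     *
     * <p>Non-OIDC services receive the token unchanged. Otherwise the service's encryption
     * key is resolved and the token is encrypted with the service-selected algorithm and
     * content-encoding, both constrained by the server's advertised allow-lists.
     *
     * @param oAuthRegisteredService the service being issued the token
     * @param str                    the token to encrypt
     * @return the encrypted token, or {@code str} unchanged for non-OIDC services
     */
    @Override // org.apereo.cas.oidc.token.BaseOidcJsonWebKeyTokenSigningAndEncryptionService
    protected String encryptToken(OAuthRegisteredService oAuthRegisteredService, String str) {
        if (!(oAuthRegisteredService instanceof OidcRegisteredService)) {
            return str;
        }
        OidcRegisteredService oidcService = OidcRegisteredService.class.cast(oAuthRegisteredService);
        PublicJsonWebKey encryptionKey = getJsonWebKeyForEncryption(oidcService);
        JsonWebTokenEncryptor encryptor = JsonWebTokenEncryptor.builder()
            .key(encryptionKey.getPublicKey())
            .keyId(encryptionKey.getKeyId())
            .algorithm(oidcService.getIdTokenEncryptionAlg())
            .encryptionMethod(oidcService.getIdTokenEncryptionEncoding())
            // Allow-lists: the encryptor rejects algorithms/encodings not advertised by the server.
            .allowedAlgorithms(this.discoverySettings.getIdTokenEncryptionAlgValuesSupported())
            .allowedContentEncryptionAlgorithms(this.discoverySettings.getIdTokenEncryptionEncodingValuesSupported())
            .build();
        return encryptor.encrypt(str);
    }
}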
