package org.apereo.cas.oidc.token;

import com.github.benmanes.caffeine.cache.LoadingCache;
import java.io.Serializable;
import java.security.Key;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.oidc.issuer.OidcIssuerService;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeyCacheKey;
import org.apereo.cas.oidc.jwks.OidcJsonWebKeyUsage;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.web.response.accesstoken.response.OAuth20RegisteredServiceJwtAccessTokenCipherExecutor;
import org.apereo.cas.token.cipher.JwtTicketCipherExecutor;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.cipher.BaseStringCipherExecutor;
import org.jooq.lambda.Unchecked;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.PublicJsonWebKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/token/OidcRegisteredServiceJwtAccessTokenCipherExecutor.class */
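/**
 * Cipher executor that signs and/or encrypts JWT access tokens for OIDC registered services
 * using JSON web keys.
 *
 * <p>Key material is resolved in this order: keys configured directly on the registered
 * service (handled by the superclass), then the service-specific JWKS cache, then — for
 * signing only — the default JWKS cache of the issuer. Only keys whose key material could be
 * materialized ({@code getKey() != null}) are ever used, and the same filter is applied on
 * the encryption and decryption paths so both sides pick the same key.
 *
 * <p>This class holds no mutable state of its own; the injected caches are assumed to be
 * thread-safe (NOTE(review): confirm for the Caffeine cache configuration in use).
 */
public class OidcRegisteredServiceJwtAccessTokenCipherExecutor extends OAuth20RegisteredServiceJwtAccessTokenCipherExecutor {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcRegisteredServiceJwtAccessTokenCipherExecutor.class);

    /** JWKS per issuer; consulted for signing when the service has no keystore of its own. */
    protected final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> defaultJsonWebKeystoreCache;

    /** JWKS per registered service, keyed by service and key usage (signing/encryption). */
    protected final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> serviceJsonWebKeystoreCache;

    /** Resolves the issuer for a given service; the issuer is the key into the default keystore cache. */
    protected final OidcIssuerService oidcIssuerService;

    /**
     * JWT cipher executor that, when a JSON web key is configured, advertises the key id and
     * algorithm in the JOSE header and resolves the per-service private key when decoding.
     *
     * <p>Intentionally a non-static inner class: {@link #decode} reaches back into the enclosing
     * executor to look up the decryption key of the registered service.
     *
     * <p>NOTE(review): {@link #sign} writes {@code kid}/{@code alg} into the map returned by
     * {@code getCustomHeaders()} on every call, so an instance should not be shared across
     * services; {@code createCipherExecutorInstance} builds one per call.
     */
    public class InternalJwtAccessTokenCipherExecutor extends JwtTicketCipherExecutor {
        /** JWK the signing key was parsed from, or {@code null} when signing with an opaque secret. */
        private JsonWebKey signingWebKey;

        /** JWK the encryption key was parsed from, or {@code null} when encrypting with an opaque secret. */
        private JsonWebKey encryptionWebKey;

        /**
         * @param encryptionSecret encryption key material (JWK/JWKS JSON or opaque secret); blank disables encryption
         * @param signingSecret    signing key material (JWK/JWKS JSON or opaque secret); blank disables signing
         */
        InternalJwtAccessTokenCipherExecutor(final String encryptionSecret, final String signingSecret) {
            super(encryptionSecret, signingSecret,
                StringUtils.isNotBlank(encryptionSecret), StringUtils.isNotBlank(signingSecret), 0, 0);
        }

        /**
         * Signs the value, advertising the JWK's key id and algorithm in the JOSE header when a
         * signing JWK is configured; otherwise delegates to the superclass unchanged.
         *
         * @param value      bytes to sign
         * @param signingKey key to sign with
         * @return the signed bytes
         */
        @Override
        public byte[] sign(final byte[] value, final Key signingKey) {
            final JsonWebKey webKey = this.signingWebKey;
            if (webKey == null) {
                return super.sign(value, signingKey);
            }
            final String keyId = webKey.getKeyId();
            if (StringUtils.isNotBlank(keyId)) {
                getCustomHeaders().put("kid", keyId);
            }
            // The JWK's own "alg" wins; otherwise derive the algorithm from the key type.
            final String algorithm = StringUtils.defaultIfBlank(webKey.getAlgorithm(), getSigningAlgorithmFor(webKey.getKey()));
            getCustomHeaders().put("alg", algorithm);
            return super.signWith(value, algorithm, signingKey);
        }

        /**
         * Decodes the value, swapping in the private key of the registered service's encryption
         * JWKS when the service is supplied as the first parameter.
         *
         * @param value         encoded token
         * @param parameters    optional parameters; the first, when present, must be the {@link RegisteredService}
         * @param encryptionKey key the caller would decrypt with; used when no service key can be resolved
         * @param signingKey    key to verify the signature with
         * @return the decoded value
         * @throws ClassCastException if the first parameter is not a {@link RegisteredService}
         */
        @Override
        public String decode(final Serializable value, final Object[] parameters, final Key encryptionKey, final Key signingKey) {
            if (parameters == null || parameters.length == 0) {
                return super.decode(value, parameters, encryptionKey, signingKey);
            }
            final RegisteredService registeredService = (RegisteredService) parameters[0];
            final Key serviceKey = OidcRegisteredServiceJwtAccessTokenCipherExecutor.this.getEncryptionKeyForDecryption(registeredService);
            // Fall back to the caller-supplied key rather than decoding with a null key when the service has no usable JWK.
            return super.decode(value, parameters, ObjectUtils.defaultIfNull(serviceKey, encryptionKey), signingKey);
        }

        @Generated
        public void setSigningWebKey(final JsonWebKey jsonWebKey) {
            this.signingWebKey = jsonWebKey;
        }

        @Generated
        public void setEncryptionWebKey(final JsonWebKey jsonWebKey) {
            this.encryptionWebKey = jsonWebKey;
        }

        @Generated
        public JsonWebKey getSigningWebKey() {
            return this.signingWebKey;
        }

        @Generated
        public JsonWebKey getEncryptionWebKey() {
            return this.encryptionWebKey;
        }
    }

    /**
     * Parses a public JSON web key from either a single JWK or the first key of a JWK set.
     *
     * @param json JWK or JWKS JSON
     * @return the parsed public JSON web key
     * @throws Exception                if the JSON cannot be parsed
     * @throws IllegalArgumentException if a key set holds no keys, or the key is not a public JWK
     */
    private static PublicJsonWebKey toJsonWebKey(final String json) throws Exception {
        final JsonWebKey webKey;
        if (EncodingUtils.parseJsonWebKey(json).containsKey(JsonWebKeySet.JWK_SET_MEMBER_NAME)) {
            // Guard the empty-set case explicitly instead of failing with an index error on get(0).
            webKey = new JsonWebKeySet(json).getJsonWebKeys().stream()
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException("JSON web key set contains no keys"));
        } else {
            webKey = EncodingUtils.newJsonWebKey(json);
        }
        if (!(webKey instanceof PublicJsonWebKey)) {
            throw new IllegalArgumentException("JSON web key [" + webKey.getKeyId()
                + "] of type [" + webKey.getKeyType() + "] is not a public key");
        }
        return (PublicJsonWebKey) webKey;
    }

    /**
     * Keys of the set whose key material could be materialized; entries with a null key are skipped.
     *
     * @param keySet JSON web key set
     * @return usable keys, possibly empty
     */
    private static List<JsonWebKey> usableKeys(final JsonWebKeySet keySet) {
        return keySet.getJsonWebKeys().stream()
            .filter(webKey -> webKey.getKey() != null)
            .collect(Collectors.toList());
    }

    /**
     * Resolves the signing key for the service: the key configured on the service itself, else
     * the service JWKS, else the issuer's default JWKS.
     *
     * @param registeredService the registered service; must be an {@link OidcRegisteredService}
     *                          when no key is configured on the service itself
     * @return JWKS JSON including private members, or empty when signing is disabled or no key exists
     * @throws ClassCastException if the service is not an {@link OidcRegisteredService}
     */
    @Override
    public Optional<String> getSigningKey(final RegisteredService registeredService) {
        if (!isSigningEnabledForRegisteredService(registeredService)) {
            return Optional.empty();
        }
        final Optional<String> configuredKey = super.getSigningKey(registeredService);
        if (configuredKey.isPresent()) {
            return configuredKey;
        }
        final OidcRegisteredService oidcService = (OidcRegisteredService) registeredService;
        final String issuer = this.oidcIssuerService.determineIssuer(Optional.of(oidcService));
        LOGGER.trace("Using issuer [{}] to determine JWKS from default keystore cache", issuer);

        final Optional<JsonWebKeySet> serviceKeys = Objects.requireNonNull(
            this.serviceJsonWebKeystoreCache.get(new OidcJsonWebKeyCacheKey(oidcService, OidcJsonWebKeyUsage.SIGNING)));
        if (serviceKeys.isPresent()) {
            // NOTE(review): relies on the JWKS toString() omitting private members — confirm before enabling debug logging in production.
            LOGGER.debug("Found JSON web key to sign the token: [{}]", serviceKeys.get());
            final List<JsonWebKey> keys = usableKeys(serviceKeys.get());
            if (keys.isEmpty()) {
                LOGGER.warn("Service JSON web key set for issuer [{}] contains no usable signing keys", issuer);
            }
            // Private members are required here: this JSON is parsed back into the signing key.
            return Optional.of(new JsonWebKeySet(keys).toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE));
        }

        final Optional<JsonWebKeySet> defaultKeys = Objects.requireNonNull(
            this.defaultJsonWebKeystoreCache.get(new OidcJsonWebKeyCacheKey(issuer, OidcJsonWebKeyUsage.SIGNING)));
        if (defaultKeys.isPresent()) {
            return Optional.of(defaultKeys.get().toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE));
        }
        LOGGER.warn("No signing key could be found for issuer {}", issuer);
        return Optional.empty();
    }

    /**
     * Resolves the encryption key for the service: the key configured on the service itself,
     * else the public part of the service's encryption JWKS.
     *
     * @param registeredService the registered service; must be an {@link OAuthRegisteredService}
     * @return JWKS JSON (public members only), or empty when encryption is disabled or no usable key exists
     * @throws ClassCastException if the service is not an {@link OAuthRegisteredService}
     */
    @Override
    public Optional<String> getEncryptionKey(final RegisteredService registeredService) {
        if (!isEncryptionEnabledForRegisteredService(registeredService)) {
            return Optional.empty();
        }
        final OAuthRegisteredService oauthService = (OAuthRegisteredService) registeredService;
        final Optional<String> configuredKey = super.getEncryptionKey(registeredService);
        if (configuredKey.isPresent() || !(oauthService instanceof OidcRegisteredService)) {
            return configuredKey;
        }
        final Optional<JsonWebKeySet> serviceKeys = Objects.requireNonNull(
            this.serviceJsonWebKeystoreCache.get(new OidcJsonWebKeyCacheKey(oauthService, OidcJsonWebKeyUsage.ENCRYPTION)));
        if (serviceKeys.isEmpty()) {
            LOGGER.warn("Service {} with client id {} is configured to encrypt tokens, yet no JSON web key is available",
                oauthService.getServiceId(), oauthService.getClientId());
            return Optional.empty();
        }
        LOGGER.debug("Found JSON web key to encrypt the token: [{}]", serviceKeys.get());
        final List<JsonWebKey> keys = usableKeys(serviceKeys.get());
        if (keys.isEmpty()) {
            LOGGER.warn("No valid JSON web keys used to encrypt the token can be found");
            return Optional.empty();
        }
        // Public members only: encryption needs the public half, and this JSON may be handed to the service.
        return Optional.of(new JsonWebKeySet(keys).toJson());
    }

    /**
     * Builds the per-service cipher executor. When either secret is JWK JSON, the keys are parsed
     * and the JWK is attached so the JOSE header can carry its id and algorithm.
     *
     * @param encryptionSecret  encryption key material, possibly JWK/JWKS JSON
     * @param signingSecret     signing key material, possibly JWK/JWKS JSON
     * @param registeredService service the executor is built for; its id is placed in the custom headers
     * @param strategyType      cipher operation strategy
     * @return the configured cipher executor
     */
    @Override
    protected JwtTicketCipherExecutor createCipherExecutorInstance(final String encryptionSecret, final String signingSecret,
                                                                   final RegisteredService registeredService,
                                                                   final BaseStringCipherExecutor.CipherOperationsStrategyType strategyType) {
        final InternalJwtAccessTokenCipherExecutor cipher = new InternalJwtAccessTokenCipherExecutor(encryptionSecret, signingSecret);
        final boolean encryptionIsJwk = EncodingUtils.isJsonWebKey(encryptionSecret);
        final boolean signingIsJwk = EncodingUtils.isJsonWebKey(signingSecret);

        // JWK parsing throws checked exceptions; surface them unchecked, as before.
        Unchecked.runnable(() -> {
            if (encryptionIsJwk) {
                final PublicJsonWebKey webKey = toJsonWebKey(encryptionSecret);
                // Encrypt with the public half only; the private half is resolved at decode time.
                cipher.setEncryptionKey(webKey.getPublicKey());
                cipher.setEncryptionWebKey(webKey);
            }
            if (signingIsJwk) {
                final PublicJsonWebKey webKey = toJsonWebKey(signingSecret);
                // Prefer the private key for signing; a JWK without one yields its (public) key object instead.
                cipher.setSigningKey((Key) ObjectUtils.defaultIfNull(webKey.getPrivateKey(), webKey.getKey()));
                cipher.setSigningWebKey(webKey);
            }
        }).run();

        // NOTE(review): the algorithm is forced to RSA-OAEP-256 when either secret is a JWK, including
        // the case where only the signing secret is one — confirm this is intended.
        if (encryptionIsJwk || signingIsJwk) {
            cipher.setEncryptionAlgorithm(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
        }
        cipher.setCustomHeaders(CollectionUtils.wrap(CUSTOM_HEADER_REGISTERED_SERVICE_ID, Long.valueOf(registeredService.getId())));
        cipher.setStrategyType(strategyType);
        return cipher;
    }

    /**
     * Resolves the private key used to decrypt tokens issued to the service, taken from the first
     * usable public JSON web key in the service's encryption JWKS — the same key
     * {@link #getEncryptionKey} selects for encryption.
     *
     * @param registeredService the registered service; must be an {@link OAuthRegisteredService}
     * @return the private key, or {@code null} when the service is not an OIDC service, has no
     *         JWKS, has no usable public key, or its key carries no private half
     * @throws ClassCastException if the service is not an {@link OAuthRegisteredService}
     */
    private Key getEncryptionKeyForDecryption(final RegisteredService registeredService) {
        final OAuthRegisteredService oauthService = (OAuthRegisteredService) registeredService;
        if (!(oauthService instanceof OidcRegisteredService)) {
            return null;
        }
        final Optional<JsonWebKeySet> serviceKeys = Objects.requireNonNull(
            this.serviceJsonWebKeystoreCache.get(new OidcJsonWebKeyCacheKey(oauthService, OidcJsonWebKeyUsage.ENCRYPTION)));
        if (serviceKeys.isEmpty()) {
            LOGGER.warn("Service {} with client id {} is configured to encrypt tokens, yet no JSON web key is available",
                oauthService.getServiceId(), oauthService.getClientId());
            return null;
        }
        // Apply the same usability filter as the encryption path so both sides agree on the key;
        // also avoids an index error on an empty key set.
        final Optional<PublicJsonWebKey> webKey = usableKeys(serviceKeys.get()).stream()
            .filter(PublicJsonWebKey.class::isInstance)
            .map(PublicJsonWebKey.class::cast)
            .findFirst();
        if (webKey.isEmpty()) {
            LOGGER.warn("No valid public JSON web key to decrypt the token can be found for service {} with client id {}",
                oauthService.getServiceId(), oauthService.getClientId());
            return null;
        }
        final PublicJsonWebKey publicJsonWebKey = webKey.get();
        LOGGER.debug("Found JSON web key to decrypt the token: [{}]", publicJsonWebKey);
        if (publicJsonWebKey.getPrivateKey() != null) {
            return publicJsonWebKey.getPrivateKey();
        }
        LOGGER.info("JSON web key used to encrypt the token has no associated private key, when operating on service [{}] with client id [{}]. Operations that deal with JWT encryption/decryption may not be functional, until a private key can be loaded for JSON web key [{}]",
            oauthService.getServiceId(), oauthService.getClientId(), publicJsonWebKey.getKeyId());
        return null;
    }

    /**
     * @param defaultJsonWebKeystoreCache JWKS cache keyed by issuer
     * @param serviceJsonWebKeystoreCache JWKS cache keyed by registered service and usage
     * @param oidcIssuerService           issuer resolver
     */
    @Generated
    public OidcRegisteredServiceJwtAccessTokenCipherExecutor(final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> defaultJsonWebKeystoreCache,
                                                             final LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> serviceJsonWebKeystoreCache,
                                                             final OidcIssuerService oidcIssuerService) {
        this.defaultJsonWebKeystoreCache = defaultJsonWebKeystoreCache;
        this.serviceJsonWebKeystoreCache = serviceJsonWebKeystoreCache;
        this.oidcIssuerService = oidcIssuerService;
    }

    @Generated
    public LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> getDefaultJsonWebKeystoreCache() {
        return this.defaultJsonWebKeystoreCache;
    }

    @Generated
    public LoadingCache<OidcJsonWebKeyCacheKey, Optional<JsonWebKeySet>> getServiceJsonWebKeystoreCache() {
        return this.serviceJsonWebKeystoreCache;
    }

    @Generated
    public OidcIssuerService getOidcIssuerService() {
        return this.oidcIssuerService;
    }
}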
