package org.apereo.cas.token;

import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import java.security.Key;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.RSAPublicKeySpec;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.token.cipher.JwtTicketCipherExecutor;
import org.apereo.cas.token.cipher.RegisteredServiceJwtTicketCipherExecutor;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.web.BaseCasActuatorEndpoint;
import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
import org.springframework.lang.Nullable;

/**
 * Actuator endpoint that publishes the public half of the RSA key used to sign JWT tickets.
 *
 * <p>The endpoint id is {@code jwtTicketSigningPublicKey} and it is declared with
 * {@code enableByDefault = false}, so it is only reachable once a deployer turns it on.
 * Only the modulus and public exponent are read from the signing key; no private key
 * component is placed in the response.
 *
 * <p>NOTE(review): nothing in this class authenticates the caller. Any restriction on who may
 * call the endpoint has to come from actuator endpoint security configuration that is not
 * visible here — confirm before exposing it.
 */
@Endpoint(id = "jwtTicketSigningPublicKey", enableByDefault = false)
/* loaded from: input_file:WEB-INF/lib/cas-server-support-token-core-api-6.6.15.jar:org/apereo/cas/token/JwtTokenCipherSigningPublicKeyEndpoint.class */
public class JwtTokenCipherSigningPublicKeyEndpoint extends BaseCasActuatorEndpoint {
    // Server-wide cipher whose signing key is used unless a service-specific one applies.
    private final CipherExecutor tokenCipherExecutor;
    // Registry used to map a caller-supplied service identifier to its registered definition.
    private final ServicesManager servicesManager;
    // Turns the raw service identifier string into a service object for the registry lookup.
    private final ServiceFactory<WebApplicationService> webApplicationServiceFactory;

    /**
     * Creates the endpoint.
     *
     * @param casConfigurationProperties CAS settings, handed to the base actuator endpoint
     * @param cipherExecutor server-wide token cipher that supplies the default signing key
     * @param servicesManager registry queried for the requested service
     * @param serviceFactory factory that builds the service object used for the registry lookup
     */
    public JwtTokenCipherSigningPublicKeyEndpoint(CasConfigurationProperties casConfigurationProperties, CipherExecutor cipherExecutor, ServicesManager servicesManager, ServiceFactory<WebApplicationService> serviceFactory) {
        super(casConfigurationProperties);
        this.webApplicationServiceFactory = serviceFactory;
        this.servicesManager = servicesManager;
        this.tokenCipherExecutor = cipherExecutor;
    }

    /**
     * Returns the Base64-encoded public key that matches the JWT signing key.
     *
     * <p>Without a service identifier the server-wide signing key is used. With one, the
     * registered service is looked up and access-checked, and its own signing key replaces the
     * server-wide key when the service carries an enabled JWT cipher configuration.
     *
     * <p>NOTE(review): the OpenAPI metadata names the parameter {@code service}, while the Java
     * parameter in this decompiled listing is {@code str}. Actuator operations are normally bound
     * by Java parameter name — confirm against the original source before renaming anything.
     *
     * @param str service identifier chosen by the caller; may be {@code null} or blank
     * @return Base64 text of the encoded RSA public key, or {@code null} when the selected signing
     *     key is not an {@link RSAPrivateCrtKey}
     * @throws Exception if the service lookup, the access check or the key conversion fails
     */
    @ReadOperation(produces = {"text/plain"})
    @Operation(summary = "Get public key for signing operations", parameters = {@Parameter(name = "service")})
    public String fetchPublicKey(@Nullable String str) throws Exception {
        Key selectedKey = resolveSigningKey(str);
        if (selectedKey instanceof RSAPrivateCrtKey) {
            return encodePublicHalf((RSAPrivateCrtKey) selectedKey);
        }
        // Non-RSA signing keys (or no key at all) have no public half to publish.
        return null;
    }

    /**
     * Picks the signing key for the request: the service-specific key when one is enabled for the
     * requested service, otherwise the server-wide key.
     */
    private Key resolveSigningKey(String str) throws Exception {
        // The server-wide key is always fetched first, before any service lookup happens.
        Key serverWideKey = this.tokenCipherExecutor.getSigningKey();
        if (!StringUtils.isNotBlank(str)) {
            return serverWideKey;
        }

        WebApplicationService requestedService = this.webApplicationServiceFactory.createService(str);
        RegisteredService registeredService = this.servicesManager.findServiceBy(requestedService);
        // Access gate for the caller-supplied service; presumably throws when the service is
        // unknown or not allowed — confirm against RegisteredServiceAccessStrategyUtils.
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);

        RegisteredServiceJwtTicketCipherExecutor serviceCipherLookup = new RegisteredServiceJwtTicketCipherExecutor();
        if (!serviceCipherLookup.supports(registeredService)) {
            return serverWideKey;
        }
        JwtTicketCipherExecutor serviceCipher = serviceCipherLookup.getTokenTicketCipherExecutorForService(registeredService);
        return serviceCipher.isEnabled() ? serviceCipher.getSigningKey() : serverWideKey;
    }

    /**
     * Rebuilds the RSA public key from the modulus and public exponent of the private key and
     * returns its encoded bytes as Base64 text.
     */
    private static String encodePublicHalf(RSAPrivateCrtKey privateKey) throws Exception {
        // Only the two public components are copied out of the private key.
        RSAPublicKeySpec publicSpec = new RSAPublicKeySpec(privateKey.getModulus(), privateKey.getPublicExponent());
        byte[] encodedPublicKey = KeyFactory.getInstance("RSA").generatePublic(publicSpec).getEncoded();
        return EncodingUtils.encodeBase64(encodedPublicKey);
    }
}
