package org.apereo.cas.oidc.token;

import com.github.benmanes.caffeine.cache.LoadingCache;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.services.OidcRegisteredService;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/oidc/token/OidcIdTokenSigningAndEncryptionService.class */
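/**
 * Produces OIDC id tokens for a registered service: optionally signs the claims with the
 * issuer's RSA key and optionally encrypts the result to the service's RSA public key.
 * <p>
 * The output shape is driven entirely by the service's registration:
 * <ul>
 *   <li>sign off, encrypt off: an unsigned JWT ({@code alg=none});</li>
 *   <li>sign on: a JWS signed with the issuer's private key ({@link #getJsonWebKeySigningAlgorithm()});</li>
 *   <li>encrypt on, with both encryption header values configured: the token from the step above
 *       wrapped as a nested JWT ({@code cty=JWT}) in a JWE encrypted to the service's public key.</li>
 * </ul>
 * Thread-safety is not addressed here; the only state is the two key caches and the issuer string.
 */
public class OidcIdTokenSigningAndEncryptionService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcIdTokenSigningAndEncryptionService.class);

    /** Keystore looked up by issuer; the returned key supplies the private key used for signing. */
    private final LoadingCache<String, Optional<RsaJsonWebKey>> defaultJsonWebKeystoreCache;

    /** Keystore looked up by registered service; the returned key supplies the public key used for encryption. */
    private final LoadingCache<OidcRegisteredService, Optional<RsaJsonWebKey>> serviceJsonWebKeystoreCache;

    /** Issuer identifier used as the key into {@link #defaultJsonWebKeystoreCache}. */
    private final String issuer;

    /**
     * Produces the compact id token for the given service from the given claims.
     * <p>
     * When the service does not request signing the token is emitted with {@code alg=none} and
     * therefore carries no integrity protection; callers must not treat the result as signed
     * without consulting {@link OidcRegisteredService#isSignIdToken()}.
     * <p>
     * NOTE(review): the private helpers below declare checked exceptions that this method neither
     * catches nor declares. The decompiled class presumably relied on a sneaky-throw construct, so
     * jose4j's checked exceptions can surface to callers unchecked.
     *
     * @param oidcRegisteredService the service the token is issued to; its sign/encrypt settings select the output shape
     * @param jwtClaims             the claims to embed; serialized verbatim as the JWT payload
     * @return the compact serialization of the resulting JWT, JWS or JWE
     * @throws IllegalArgumentException if signing or encryption is required but no usable key is available
     */
    public String encode(final OidcRegisteredService oidcRegisteredService, final JwtClaims jwtClaims) {
        LOGGER.debug("Attempting to produce id token generated for service [{}]", oidcRegisteredService);
        final JsonWebSignature jsonWebSignature = new JsonWebSignature();
        final String json = jwtClaims.toJson();
        jsonWebSignature.setPayload(json);
        // The complete claim set (subject and any released attributes) is written to the log here,
        // so DEBUG output of this class has to be handled as sensitive data.
        LOGGER.debug("Generated claims to put into id token are [{}]", json);
        // Start from an unsigned token. jose4j's default constraints reject alg=none, hence
        // NO_CONSTRAINTS; the signing path replaces both values with RS256 / DISALLOW_NONE.
        jsonWebSignature.setAlgorithmHeaderValue("none");
        jsonWebSignature.setAlgorithmConstraints(AlgorithmConstraints.NO_CONSTRAINTS);

        String idToken = oidcRegisteredService.isSignIdToken()
            ? signIdToken(oidcRegisteredService, jsonWebSignature)
            : jsonWebSignature.getCompactSerialization();

        if (oidcRegisteredService.isEncryptIdToken()) {
            if (hasEncryptionHeaders(oidcRegisteredService)) {
                idToken = encryptIdToken(oidcRegisteredService, jsonWebSignature, idToken);
            } else {
                // Encryption was requested but cannot be applied; the token is returned as-is (signed or
                // unsigned). This used to happen silently; surface the misconfiguration for operators.
                LOGGER.warn("Service [{}] is set to encrypt id tokens but no encryption algorithm/encoding is defined; id token will not be encrypted", oidcRegisteredService);
            }
        }
        return idToken;
    }

    /**
     * Tells whether the service defines both JWE header values needed to encrypt.
     *
     * @param oidcRegisteredService the service whose encryption settings are inspected
     * @return true if both the encryption algorithm and the content encoding are non-blank
     */
    private static boolean hasEncryptionHeaders(final OidcRegisteredService oidcRegisteredService) {
        return StringUtils.isNotBlank(oidcRegisteredService.getIdTokenEncryptionAlg())
            && StringUtils.isNotBlank(oidcRegisteredService.getIdTokenEncryptionEncoding());
    }

    /**
     * Wraps an already-serialized token in a JWE encrypted to the service's RSA public key.
     *
     * @param oidcRegisteredService the service providing the encryption algorithm, encoding and key
     * @param jsonWebSignature      the JWS whose {@code kid} header is copied onto the JWE
     * @param idToken               the compact token (signed or unsigned) to use as the JWE payload
     * @return the compact JWE serialization
     * @throws IllegalArgumentException if the service has no JSON web key or the key has no public key
     * @throws Exception                on jose4j serialization failures
     */
    private String encryptIdToken(final OidcRegisteredService oidcRegisteredService, final JsonWebSignature jsonWebSignature, final String idToken) throws Exception {
        LOGGER.debug("Service [{}] is set to encrypt id tokens", oidcRegisteredService);
        final JsonWebEncryption jsonWebEncryption = new JsonWebEncryption();
        jsonWebEncryption.setAlgorithmHeaderValue(oidcRegisteredService.getIdTokenEncryptionAlg());
        jsonWebEncryption.setEncryptionMethodHeaderParameter(oidcRegisteredService.getIdTokenEncryptionEncoding());

        final RsaJsonWebKey rsaJsonWebKey = this.serviceJsonWebKeystoreCache.get(oidcRegisteredService)
            .orElseThrow(() -> new IllegalArgumentException("Service " + oidcRegisteredService.getServiceId() + " with client id " + oidcRegisteredService.getClientId() + " is configured to encrypt id tokens, yet no JSON web key is available"));
        LOGGER.debug("Found JSON web key to encrypt the id token: [{}]", rsaJsonWebKey);
        if (rsaJsonWebKey.getPublicKey() == null) {
            // Message corrected: this key is the encryption key, not the signing key.
            throw new IllegalArgumentException("JSON web key used to encrypt the id token has no associated public key");
        }
        jsonWebEncryption.setKey(rsaJsonWebKey.getPublicKey());
        // The JWE "kid" is copied from the JWS header, so it names the signing key (or is null when the
        // token was not signed), not the encryption key selected above. Consumers that choose their
        // decryption key by "kid" should be aware of this; kept as-is to preserve the issued format.
        jsonWebEncryption.setKeyIdHeaderValue(jsonWebSignature.getKeyIdHeaderValue());
        // cty=JWT marks a nested JWT (RFC 7519 section 5.2).
        jsonWebEncryption.setContentTypeHeaderValue("JWT");
        jsonWebEncryption.setPayload(idToken);
        return jsonWebEncryption.getCompactSerialization();
    }

    /**
     * Signs the prepared JWS with the issuer's RSA private key.
     *
     * @param oidcRegisteredService the service the token is for; used only for error reporting here
     * @param jsonWebSignature      the JWS already carrying the claims payload
     * @return the compact JWS serialization
     * @throws IllegalArgumentException if the issuer has no JSON web key or the key has no private key
     * @throws Exception                on jose4j serialization failures
     */
    private String signIdToken(final OidcRegisteredService oidcRegisteredService, final JsonWebSignature jsonWebSignature) throws Exception {
        // The signing key is the issuer's, not the service's.
        final RsaJsonWebKey rsaJsonWebKey = this.defaultJsonWebKeystoreCache.get(this.issuer)
            .orElseThrow(() -> new IllegalArgumentException("Service " + oidcRegisteredService.getServiceId() + " with client id " + oidcRegisteredService.getClientId() + " is configured to sign id tokens, yet no JSON web key is available"));
        LOGGER.debug("Found JSON web key to sign the id token: [{}]", rsaJsonWebKey);
        if (rsaJsonWebKey.getPrivateKey() == null) {
            throw new IllegalArgumentException("JSON web key used to sign the id token has no associated private key");
        }
        prepareJsonWebSignatureForIdTokenSigning(oidcRegisteredService, jsonWebSignature, rsaJsonWebKey);
        return jsonWebSignature.getCompactSerialization();
    }

    /**
     * Configures the JWS for signing: key, algorithm constraints, {@code kid} and {@code alg} headers.
     *
     * @param oidcRegisteredService the service the token is for; logged only
     * @param jsonWebSignature      the JWS to configure in place
     * @param rsaJsonWebKey         the issuer key whose private key and key id are applied
     */
    private void prepareJsonWebSignatureForIdTokenSigning(final OidcRegisteredService oidcRegisteredService, final JsonWebSignature jsonWebSignature, final RsaJsonWebKey rsaJsonWebKey) {
        LOGGER.debug("Service [{}] is set to sign id tokens", oidcRegisteredService);
        jsonWebSignature.setKey(rsaJsonWebKey.getPrivateKey());
        // Replace the NO_CONSTRAINTS set on the unsigned baseline so that an alg=none token cannot be
        // produced on the signing path, even if the algorithm name below were overridden.
        jsonWebSignature.setAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE);
        if (StringUtils.isNotBlank(rsaJsonWebKey.getKeyId())) {
            jsonWebSignature.setKeyIdHeaderValue(rsaJsonWebKey.getKeyId());
        }
        LOGGER.debug("Signing id token with key id header value [{}]", jsonWebSignature.getKeyIdHeaderValue());
        jsonWebSignature.setAlgorithmHeaderValue(getJsonWebKeySigningAlgorithm());
        LOGGER.debug("Signing id token with algorithm [{}]", jsonWebSignature.getAlgorithmHeaderValue());
    }

    /**
     * Returns the JWS algorithm written into the {@code alg} header of signed id tokens.
     * Public and overridable; an override must return an algorithm usable with the issuer's RSA key.
     *
     * @return {@code RS256}
     */
    public String getJsonWebKeySigningAlgorithm() {
        return "RS256";
    }

    /**
     * Creates the service.
     *
     * @param loadingCache  keystore keyed by issuer, providing the signing key
     * @param loadingCache2 keystore keyed by registered service, providing the encryption key
     * @param str           the issuer identifier used to look up the signing key
     */
    @Generated
    public OidcIdTokenSigningAndEncryptionService(final LoadingCache<String, Optional<RsaJsonWebKey>> loadingCache, final LoadingCache<OidcRegisteredService, Optional<RsaJsonWebKey>> loadingCache2, final String str) {
        this.defaultJsonWebKeystoreCache = loadingCache;
        this.serviceJsonWebKeystoreCache = loadingCache2;
        this.issuer = str;
    }
}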
