package org.apereo.cas.token.authentication;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.util.Base64;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.NoSuchElementException;
import java.util.Set;
import lombok.Generated;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.handler.PrincipalNameTransformer;
import org.apereo.cas.authentication.principal.PrincipalFactory;
import org.apereo.cas.integration.pac4j.authentication.handler.support.AbstractTokenWrapperAuthenticationHandler;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration;
import org.pac4j.jwt.config.signature.SecretSignatureConfiguration;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/token/authentication/TokenAuthenticationHandler.class */
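/**
 * Authentication handler for service-scoped JWT tokens.
 *
 * <p>The handler holds no key material of its own. For every credential it resolves the
 * {@link RegisteredService} the token was presented for and builds a pac4j
 * {@link JwtAuthenticator} from that service's registry properties: the signing secret and
 * algorithm, an optional encryption secret/algorithm/method, and a flag telling whether the
 * secrets are stored base64-encoded. An unknown service, or one whose access strategy denies
 * access, is rejected with {@link UnauthorizedServiceException} before any key is read.
 *
 * <p>Logging discipline: only service ids and property <em>names</em> are logged, never the
 * secret values.
 */
public class TokenAuthenticationHandler extends AbstractTokenWrapperAuthenticationHandler {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(TokenAuthenticationHandler.class);

    /**
     * Creates the handler.
     *
     * @param str                      the handler name
     * @param servicesManager          registry used to resolve the service a token belongs to
     * @param principalFactory         factory used to build the authenticated principal
     * @param principalNameTransformer transformer applied to the principal id
     */
    public TokenAuthenticationHandler(String str, ServicesManager servicesManager, PrincipalFactory principalFactory, PrincipalNameTransformer principalNameTransformer) {
        // The fourth super-constructor argument is deliberately left unset (null).
        super(str, servicesManager, principalFactory, (Integer) null, principalNameTransformer);
    }

    /**
     * Copies the resolved principal id back onto the token credential before delegating to the
     * parent implementation.
     *
     * @param credential                          the token credential that was just authenticated
     * @param authenticationHandlerExecutionResult the result produced by the wrapped authenticator
     * @return the (possibly post-processed) execution result from the parent class
     */
    public AuthenticationHandlerExecutionResult postAuthenticate(Credential credential, AuthenticationHandlerExecutionResult authenticationHandlerExecutionResult) {
        final TokenCredential tokenCredential = (TokenCredential) credential;
        tokenCredential.setId(authenticationHandlerExecutionResult.getPrincipal().getId());
        return super.postAuthenticate(credential, authenticationHandlerExecutionResult);
    }

    /**
     * Builds a per-service {@link JwtAuthenticator} from the registry properties of the service
     * the token was presented for.
     *
     * <p>The signature configuration is mandatory: without a signing secret no authenticator is
     * produced and {@code null} is returned. The encryption configuration is optional and only
     * applied when an encryption secret is defined.
     *
     * @param credential the token credential carrying the target service
     * @return the configured authenticator, or {@code null} when the service defines no signing
     *         secret (how a {@code null} authenticator is treated is up to the parent class)
     * @throws UnauthorizedServiceException if the service is not registered or its access is disabled
     * @throws NoSuchElementException       if a configured algorithm name is not a known JOSE algorithm
     */
    protected Authenticator<TokenCredentials> getAuthenticator(Credential credential) {
        final TokenCredential tokenCredential = (TokenCredential) credential;
        LOGGER.debug("Locating token secret for service [{}]", tokenCredential.getService());
        final RegisteredService registeredService = this.servicesManager.findServiceBy(tokenCredential.getService());

        // Every property lookup below goes through getRegisteredServiceJwtProperty, which throws
        // UnauthorizedServiceException for an unknown or access-disabled service; that is the
        // authorization gate for this handler and must stay ahead of any key handling.
        final String signingSecret = getRegisteredServiceJwtSigningSecret(registeredService);
        final String encryptionSecret = getRegisteredServiceJwtEncryptionSecret(registeredService);
        final String signingAlgorithmName = StringUtils.defaultString(
            getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_SIGNING_ALG),
            JWSAlgorithm.HS256.getName());
        final String encryptionAlgorithmName = StringUtils.defaultString(
            getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_ENCRYPTION_ALG),
            JWEAlgorithm.DIR.getName());
        final String encryptionMethodName = StringUtils.defaultString(
            getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_ENCRYPTION_METHOD),
            EncryptionMethod.A192CBC_HS384.getName());
        final boolean secretsAreBase64 = BooleanUtils.toBoolean(
            getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRETS_ARE_BASE64_ENCODED));

        if (StringUtils.isBlank(signingSecret)) {
            LOGGER.warn("No token signing secret is defined for service [{}]. Ensure [{}] property is defined for service", registeredService.getServiceId(), RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_SIGNING.getPropertyName());
            return null;
        }

        // Candidate names an administrator may put into TOKEN_SECRET_SIGNING_ALG.
        // NOTE(review): SecretSignatureConfiguration is a shared-secret (HMAC) configuration, yet
        // this table also admits the RSA/EC signature names. Picking one of those here does not
        // configure asymmetric verification; presumably pac4j refuses such tokens at verify time,
        // but confirm that, or narrow this set to HMAC_SHA so the misconfiguration fails fast.
        final Set<Algorithm> signingCandidates = new HashSet<>();
        signingCandidates.addAll(JWSAlgorithm.Family.EC);
        signingCandidates.addAll(JWSAlgorithm.Family.HMAC_SHA);
        signingCandidates.addAll(JWSAlgorithm.Family.RSA);
        signingCandidates.addAll(JWSAlgorithm.Family.SIGNATURE);
        final JWSAlgorithm signingAlgorithm = findAlgorithmFamily(signingCandidates, signingAlgorithmName, JWSAlgorithm.class);

        final JwtAuthenticator jwtAuthenticator = new JwtAuthenticator();
        jwtAuthenticator.setSignatureConfiguration(new SecretSignatureConfiguration(getSecretBytes(signingSecret, secretsAreBase64), signingAlgorithm));

        if (StringUtils.isNotBlank(encryptionSecret)) {
            final Set<Algorithm> encryptionCandidates = new HashSet<>();
            encryptionCandidates.addAll(JWEAlgorithm.Family.AES_GCM_KW);
            encryptionCandidates.addAll(JWEAlgorithm.Family.AES_KW);
            encryptionCandidates.addAll(JWEAlgorithm.Family.ASYMMETRIC);
            encryptionCandidates.addAll(JWEAlgorithm.Family.ECDH_ES);
            encryptionCandidates.addAll(JWEAlgorithm.Family.PBES2);
            encryptionCandidates.addAll(JWEAlgorithm.Family.RSA);
            encryptionCandidates.addAll(JWEAlgorithm.Family.SYMMETRIC);
            final JWEAlgorithm encryptionAlgorithm = findAlgorithmFamily(encryptionCandidates, encryptionAlgorithmName, JWEAlgorithm.class);

            final Set<Algorithm> methodCandidates = new HashSet<>();
            methodCandidates.addAll(EncryptionMethod.Family.AES_CBC_HMAC_SHA);
            methodCandidates.addAll(EncryptionMethod.Family.AES_GCM);
            final EncryptionMethod encryptionMethod = findAlgorithmFamily(methodCandidates, encryptionMethodName, EncryptionMethod.class);

            jwtAuthenticator.setEncryptionConfiguration(new SecretEncryptionConfiguration(getSecretBytes(encryptionSecret, secretsAreBase64), encryptionAlgorithm, encryptionMethod));
        } else {
            // Nothing is configured for encryption in this branch: the signing secret is NOT
            // reused as an encryption key, so the log line says exactly that rather than
            // claiming a shared key (the previous wording was misleading).
            LOGGER.warn("No token encryption secret is defined for service [{}]; no JWT encryption configuration will be applied", registeredService.getServiceId());
        }
        return jwtAuthenticator;
    }

    /**
     * Resolves a JOSE algorithm by its (case-insensitive) name from a set of candidates and
     * checks that it is of the expected concrete type.
     *
     * @param candidates   the algorithms an administrator is allowed to select
     * @param name         the configured algorithm name
     * @param expectedType the concrete algorithm class the caller needs
     * @param <T>          the algorithm type
     * @return the matching algorithm, cast to {@code expectedType}
     * @throws NoSuchElementException if no candidate has the given name (the message names the
     *                                offending value so a typo in the registry is diagnosable)
     * @throws ClassCastException     if the match is not an instance of {@code expectedType}
     */
    private static <T extends Algorithm> T findAlgorithmFamily(final Set<Algorithm> candidates, final String name, final Class<T> expectedType) {
        final Algorithm match = candidates.stream()
            .filter(algorithm -> algorithm.getName().equalsIgnoreCase(name))
            .findFirst()
            .orElseThrow(() -> new NoSuchElementException("Unknown or unsupported algorithm name [" + name + "]; expected one of " + candidates));
        if (!expectedType.isInstance(match)) {
            throw new ClassCastException("Result [" + match + " is of type " + match.getClass() + " when we were expecting " + expectedType);
        }
        return expectedType.cast(match);
    }

    /**
     * @param registeredService the service whose property is read
     * @return the raw value of {@code TOKEN_SECRET_ENCRYPTION}, or {@code null} if unset
     */
    private String getRegisteredServiceJwtEncryptionSecret(RegisteredService registeredService) {
        return getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_ENCRYPTION);
    }

    /**
     * @param registeredService the service whose property is read
     * @return the raw value of {@code TOKEN_SECRET_SIGNING}, or {@code null} if unset
     */
    private String getRegisteredServiceJwtSigningSecret(RegisteredService registeredService) {
        return getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_SIGNING);
    }

    /**
     * Reads a single JWT-related property from the service registry, enforcing that the service
     * exists and is allowed access first.
     *
     * @param registeredService           the service, possibly {@code null} when lookup failed
     * @param registeredServiceProperties the property to read
     * @return the property value, or {@code null} when the service does not define it
     * @throws UnauthorizedServiceException if the service is unknown or its access is disabled
     */
    protected String getRegisteredServiceJwtProperty(RegisteredService registeredService, RegisteredServiceProperty.RegisteredServiceProperties registeredServiceProperties) {
        // Fail closed: no service, or a service whose access strategy says "no", never yields a secret.
        if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed()) {
            LOGGER.debug("Service is not defined/found or its access is disabled in the registry");
            throw new UnauthorizedServiceException("screen.service.error.message");
        }
        if (!registeredServiceProperties.isAssignedTo(registeredService)) {
            // Only the property name is logged, never a value.
            LOGGER.warn("Service [{}] does not define a property [{}] in the registry", registeredService.getServiceId(), registeredServiceProperties);
            return null;
        }
        return registeredServiceProperties.getPropertyValue(registeredService).getValue();
    }

    /**
     * Turns a configured secret into key bytes.
     *
     * <p>NOTE(review): no minimum length is enforced here; the HMAC/AES configurations built from
     * these bytes presumably reject too-short keys downstream — confirm that short secrets fail
     * rather than silently weakening the MAC or cipher.
     *
     * @param secret   the configured secret string
     * @param isBase64 whether the string is base64 and must be decoded rather than used as UTF-8
     * @return the key bytes
     */
    private byte[] getSecretBytes(final String secret, final boolean isBase64) {
        return isBase64 ? new Base64(secret).decode() : secret.getBytes(StandardCharsets.UTF_8);
    }
}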
