package org.apereo.cas.token.authentication;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.util.Base64;
import java.nio.charset.StandardCharsets;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceProperty;
import org.apereo.cas.services.UnauthorizedServiceException;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.ResourceUtils;
import org.apereo.cas.util.crypto.PrivateKeyFactoryBean;
import org.apereo.cas.util.crypto.PublicKeyFactoryBean;
import org.apereo.cas.util.function.FunctionUtils;
import org.apereo.cas.util.spring.SpringExpressionLanguageValueResolver;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.jwt.config.encryption.EncryptionConfiguration;
import org.pac4j.jwt.config.encryption.RSAEncryptionConfiguration;
import org.pac4j.jwt.config.encryption.SecretEncryptionConfiguration;
import org.pac4j.jwt.config.signature.RSASignatureConfiguration;
import org.pac4j.jwt.config.signature.SecretSignatureConfiguration;
import org.pac4j.jwt.config.signature.SignatureConfiguration;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;
import org.pac4j.jwt.profile.JwtGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.AbstractResource;

/* loaded from: input_file:org/apereo/cas/token/authentication/TokenAuthenticationSecurity.class */
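/**
 * Signing and encryption security for JWTs issued to, and validated for, a registered service.
 *
 * <p>All settings are read from registered-service properties (signing secret, encryption
 * secret, signing/encryption algorithm, encryption method, base64 flag) through
 * {@link #getRegisteredServiceJwtProperty}. Property values are passed through the SpEL value
 * resolver, so they may be expressions. For the RSA families a "secret" is a resource location
 * of a key file rather than raw key bytes.
 *
 * <p>RSA key pairs are split across the two secret properties: the signing secret points at the
 * private key and the encryption secret at the public key; both the RSA signature configuration
 * and the RSA encryption configuration read the two properties so that the pair is complete.
 *
 * <p>The resolved settings are exposed as a pac4j {@link JwtGenerator} / {@link JwtAuthenticator}
 * pair. Instances are immutable once built via {@link #forRegisteredService(RegisteredService)}.
 */
public class TokenAuthenticationSecurity {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(TokenAuthenticationSecurity.class);

    /** Registered claims that are forced to a single value even when the attribute is multi-valued. */
    private static final List<String> SINGLE_VALUED_CLAIMS = List.of("jti", "iss", "nbf", "iat", "exp");

    /** Signing algorithm used when the service does not set one. */
    private static final String DEFAULT_SIGNING_ALGORITHM = JWSAlgorithm.HS256.getName();

    /** Key-management (JWE) algorithm used when the service does not set one. */
    private static final String DEFAULT_ENCRYPTION_ALGORITHM = JWEAlgorithm.DIR.getName();

    /** Content-encryption method used when the service does not set one. */
    private static final String DEFAULT_ENCRYPTION_METHOD = EncryptionMethod.A192CBC_HS384.getName();

    private final RegisteredServiceSecurityConfiguration securityConfiguration;

    /**
     * Resolved pac4j signature/encryption configuration for one registered service.
     * Either entry is {@code null} when the service defines no matching secret.
     */
    public static final class RegisteredServiceSecurityConfiguration {
        private SignatureConfiguration signatureConfiguration;
        private EncryptionConfiguration encryptionConfiguration;

        @Generated
        public RegisteredServiceSecurityConfiguration() {
        }

        /** @return the signature configuration, or {@code null} when no signing secret is defined */
        @Generated
        public SignatureConfiguration getSignatureConfiguration() {
            return this.signatureConfiguration;
        }

        /** @return the encryption configuration, or {@code null} when no encryption secret is defined */
        @Generated
        public EncryptionConfiguration getEncryptionConfiguration() {
            return this.encryptionConfiguration;
        }

        @Generated
        public void setSignatureConfiguration(final SignatureConfiguration signatureConfiguration) {
            this.signatureConfiguration = signatureConfiguration;
        }

        @Generated
        public void setEncryptionConfiguration(final EncryptionConfiguration encryptionConfiguration) {
            this.encryptionConfiguration = encryptionConfiguration;
        }

        @Override
        @Generated
        public boolean equals(final Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof RegisteredServiceSecurityConfiguration)) {
                return false;
            }
            final RegisteredServiceSecurityConfiguration other = (RegisteredServiceSecurityConfiguration) obj;
            return Objects.equals(this.signatureConfiguration, other.signatureConfiguration)
                && Objects.equals(this.encryptionConfiguration, other.encryptionConfiguration);
        }

        @Override
        @Generated
        public int hashCode() {
            // Lombok's formula (prime 59, null marker 43) is kept so hashes match the generated original.
            final int prime = 59;
            final int nullMarker = 43;
            final int result = prime + (this.signatureConfiguration == null ? nullMarker : this.signatureConfiguration.hashCode());
            return result * prime + (this.encryptionConfiguration == null ? nullMarker : this.encryptionConfiguration.hashCode());
        }

        @Override
        @Generated
        public String toString() {
            return "TokenAuthenticationSecurity.RegisteredServiceSecurityConfiguration(signatureConfiguration="
                + String.valueOf(this.signatureConfiguration)
                + ", encryptionConfiguration=" + String.valueOf(this.encryptionConfiguration) + ")";
        }
    }

    /**
     * Creates the security wrapper for a registered service by resolving its signature and
     * encryption configuration from the service's properties.
     *
     * @param registeredService the service whose properties hold the secrets and algorithms
     * @return the wrapper; either configuration inside it may be {@code null}
     * @throws UnauthorizedServiceException when the service is {@code null} or access to it is disabled
     */
    public static TokenAuthenticationSecurity forRegisteredService(final RegisteredService registeredService) {
        final RegisteredServiceSecurityConfiguration configuration = new RegisteredServiceSecurityConfiguration();
        // Signature is resolved first, matching the original evaluation order of the access checks.
        final SignatureConfiguration signature = getSignatureConfiguration(registeredService);
        configuration.setEncryptionConfiguration(getEncryptionConfiguration(registeredService));
        configuration.setSignatureConfiguration(signature);
        return new TokenAuthenticationSecurity(configuration);
    }

    /**
     * Builds a JWT whose claims are the authentication attributes, overlaid by the principal's
     * attributes (principal wins on key collision), plus {@code sub} set to the principal id.
     * The registered claims in {@link #SINGLE_VALUED_CLAIMS} are collapsed to single values.
     *
     * @param authentication the authentication to encode
     * @return the serialized token produced by {@link #toGenerator()}
     */
    public String generateTokenFor(final Authentication authentication) {
        final Map<String, Object> claims = new HashMap<>(authentication.getAttributes());
        claims.putAll(authentication.getPrincipal().getAttributes());
        claims.put("sub", authentication.getPrincipal().getId());
        return toGenerator().generate(CollectionUtils.toSingleValuedMap(claims, SINGLE_VALUED_CLAIMS));
    }

    /**
     * Validates a serialized token with {@link #toAuthenticator()}.
     *
     * @param token the serialized JWT
     * @return the profile extracted from the token (pac4j decides what happens on failure)
     */
    public UserProfile validateToken(final String token) {
        return toAuthenticator().validateToken(token);
    }

    /**
     * Builds a pac4j generator carrying whichever of the signature and encryption
     * configurations are set. A {@code null} configuration is simply not applied.
     *
     * <p>NOTE(review): with no signature configuration the generator is presumably left to emit an
     * unsigned token — confirm against pac4j before relying on this path in production.
     *
     * @return a freshly constructed generator
     */
    public JwtGenerator toGenerator() {
        final JwtGenerator generator = new JwtGenerator();
        FunctionUtils.doIfNotNull(this.securityConfiguration.getSignatureConfiguration(), generator::setSignatureConfiguration);
        FunctionUtils.doIfNotNull(this.securityConfiguration.getEncryptionConfiguration(), generator::setEncryptionConfiguration);
        return generator;
    }

    /**
     * Builds a pac4j authenticator carrying whichever of the encryption and signature
     * configurations are set. A {@code null} configuration is simply not applied.
     *
     * @return a freshly constructed authenticator
     */
    public JwtAuthenticator toAuthenticator() {
        final JwtAuthenticator authenticator = new JwtAuthenticator();
        FunctionUtils.doIfNotNull(this.securityConfiguration.getEncryptionConfiguration(), authenticator::setEncryptionConfiguration);
        FunctionUtils.doIfNotNull(this.securityConfiguration.getSignatureConfiguration(), authenticator::setSignatureConfiguration);
        return authenticator;
    }

    /**
     * Reads one registered-service property and resolves it as a SpEL value.
     *
     * @param registeredService the service; must be non-null and accessible
     * @param property          the property to read
     * @return the resolved value, or {@code null} when the service does not define the property
     * @throws UnauthorizedServiceException when the service is {@code null} or access to it is disabled
     */
    private static String getRegisteredServiceJwtProperty(final RegisteredService registeredService,
                                                          final RegisteredServiceProperty.RegisteredServiceProperties property) {
        // Fail closed before touching any secret: every property read re-checks service access.
        if (registeredService == null || !registeredService.getAccessStrategy().isServiceAccessAllowed(registeredService, (Service) null)) {
            LOGGER.debug("Service is not defined/found or its access is disabled in the registry");
            throw UnauthorizedServiceException.denied("Denied");
        }
        if (!property.isAssignedTo(registeredService)) {
            LOGGER.trace("Service [{}] does not define a property [{}] in the registry", registeredService.getServiceId(), property);
            return null;
        }
        return SpringExpressionLanguageValueResolver.getInstance().resolve(property.getPropertyValue(registeredService).value());
    }

    /**
     * Resolves the signature configuration from the signing secret and signing algorithm.
     *
     * <ul>
     *   <li>HMAC family: the secret bytes (optionally base64-decoded) become a {@link SecretSignatureConfiguration}.</li>
     *   <li>RSA family: the signing secret is the private-key resource; the encryption secret, if set, is the public-key resource.</li>
     *   <li>Any other accepted algorithm (e.g. the EC family) yields {@code null}, i.e. no signature configuration.</li>
     * </ul>
     *
     * @param registeredService the service to read properties from
     * @return the configuration, or {@code null} when no signing secret is set or the algorithm is unsupported here
     */
    private static SignatureConfiguration getSignatureConfiguration(final RegisteredService registeredService) {
        final String signingSecret = getRegisteredServiceJwtSigningSecret(registeredService);
        if (StringUtils.isBlank(signingSecret)) {
            return null;
        }
        final JWSAlgorithm algorithm = determineSigningAlgorithm(registeredService);
        if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
            final byte[] secret = getSecretBytes(signingSecret, areSecretsBase64Encoded(registeredService));
            return new SecretSignatureConfiguration(secret, algorithm);
        }
        if (JWSAlgorithm.Family.RSA.contains(algorithm)) {
            final RSAPrivateKey privateKey = getRsaPrivateKey(signingSecret);
            final String encryptionSecret = getRegisteredServiceJwtEncryptionSecret(registeredService);
            final RSAPublicKey publicKey = StringUtils.isBlank(encryptionSecret) ? null : getRsaPublicKey(encryptionSecret);
            final RSASignatureConfiguration configuration = new RSASignatureConfiguration();
            configuration.setAlgorithm(algorithm);
            configuration.setPrivateKey(privateKey);
            configuration.setPublicKey(publicKey);
            return configuration;
        }
        // Make the silent fallback visible: a signing secret was configured but will not be used.
        LOGGER.warn("Signing algorithm [{}] for service [{}] is neither HMAC nor RSA; no signature configuration will be applied",
            algorithm, registeredService.getServiceId());
        return null;
    }

    /**
     * Resolves the encryption configuration from the encryption secret, algorithm and method.
     *
     * <ul>
     *   <li>RSA family: the encryption secret is the public-key resource; the signing secret, if set, is the private-key resource.</li>
     *   <li>Every other accepted algorithm: the secret bytes (optionally base64-decoded) become a {@link SecretEncryptionConfiguration}.
     *       NOTE(review): this branch also receives non-RSA asymmetric algorithms (e.g. ECDH-ES) — confirm that is intended.</li>
     * </ul>
     *
     * @param registeredService the service to read properties from
     * @return the configuration, or {@code null} when no encryption secret is set
     */
    private static EncryptionConfiguration getEncryptionConfiguration(final RegisteredService registeredService) {
        final String encryptionSecret = getRegisteredServiceJwtEncryptionSecret(registeredService);
        if (StringUtils.isBlank(encryptionSecret)) {
            return null;
        }
        final JWEAlgorithm algorithm = determineEncryptionAlgorithm(registeredService);
        final EncryptionMethod method = determineEncryptionMethod(registeredService);
        if (!JWEAlgorithm.Family.RSA.contains(algorithm)) {
            final byte[] secret = getSecretBytes(encryptionSecret, areSecretsBase64Encoded(registeredService));
            return new SecretEncryptionConfiguration(secret, algorithm, method);
        }
        final RSAPublicKey publicKey = getRsaPublicKey(encryptionSecret);
        final String signingSecret = getRegisteredServiceJwtSigningSecret(registeredService);
        final RSAPrivateKey privateKey = StringUtils.isBlank(signingSecret) ? null : getRsaPrivateKey(signingSecret);
        final RSAEncryptionConfiguration configuration = new RSAEncryptionConfiguration();
        configuration.setAlgorithm(algorithm);
        configuration.setMethod(method);
        configuration.setPublicKey(publicKey);
        configuration.setPrivateKey(privateKey);
        return configuration;
    }

    /**
     * Loads an RSA public key from a resource location.
     *
     * @param location the key resource location (file, classpath, ...)
     * @return the public key
     */
    private static RSAPublicKey getRsaPublicKey(final String location) {
        return (RSAPublicKey) FunctionUtils.doUnchecked(() -> {
            final PublicKeyFactoryBean factory = new PublicKeyFactoryBean(ResourceUtils.getResourceFrom(location), "RSA");
            // Non-singleton so each call re-reads the resource rather than caching the first key.
            factory.setSingleton(false);
            return (RSAPublicKey) factory.getObject();
        });
    }

    /**
     * Loads an RSA private key from a resource location.
     *
     * @param location the key resource location (file, classpath, ...)
     * @return the private key
     */
    private static RSAPrivateKey getRsaPrivateKey(final String location) {
        return (RSAPrivateKey) FunctionUtils.doUnchecked(() -> {
            final AbstractResource resource = ResourceUtils.getResourceFrom(location);
            final PrivateKeyFactoryBean factory = new PrivateKeyFactoryBean();
            factory.setAlgorithm("RSA");
            factory.setLocation(resource);
            // Non-singleton so each call re-reads the resource rather than caching the first key.
            factory.setSingleton(false);
            return (RSAPrivateKey) factory.getObject();
        });
    }

    /**
     * Resolves the signing algorithm from the service property, defaulting to HS256.
     * Accepted names are those of the EC, HMAC-SHA, RSA and generic signature families.
     *
     * @param registeredService the service to read the property from
     * @return the matching algorithm
     * @throws IllegalArgumentException when the configured name matches no accepted algorithm
     */
    private static JWSAlgorithm determineSigningAlgorithm(final RegisteredService registeredService) {
        final String name = StringUtils.defaultIfBlank(
            getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_SIGNING_ALG),
            DEFAULT_SIGNING_ALGORITHM);
        final Set<Algorithm> accepted = unionOf(
            JWSAlgorithm.Family.EC,
            JWSAlgorithm.Family.HMAC_SHA,
            JWSAlgorithm.Family.RSA,
            JWSAlgorithm.Family.SIGNATURE);
        return findAlgorithmFamily(accepted, name, JWSAlgorithm.class);
    }

    /**
     * Resolves the content-encryption method from the service property, defaulting to A192CBC-HS384.
     * Accepted names are those of the AES-CBC-HMAC-SHA and AES-GCM families.
     *
     * @param registeredService the service to read the property from
     * @return the matching method
     * @throws IllegalArgumentException when the configured name matches no accepted method
     */
    private static EncryptionMethod determineEncryptionMethod(final RegisteredService registeredService) {
        final Set<Algorithm> accepted = unionOf(
            EncryptionMethod.Family.AES_CBC_HMAC_SHA,
            EncryptionMethod.Family.AES_GCM);
        final String name = StringUtils.defaultIfBlank(
            getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_ENCRYPTION_METHOD),
            DEFAULT_ENCRYPTION_METHOD);
        return findAlgorithmFamily(accepted, name, EncryptionMethod.class);
    }

    /**
     * Resolves the key-management (JWE) algorithm from the service property, defaulting to {@code dir}.
     * Accepted names span the AES-GCM-KW, AES-KW, asymmetric, ECDH-ES, PBES2, RSA and symmetric families.
     *
     * @param registeredService the service to read the property from
     * @return the matching algorithm
     * @throws IllegalArgumentException when the configured name matches no accepted algorithm
     */
    private static JWEAlgorithm determineEncryptionAlgorithm(final RegisteredService registeredService) {
        final Set<Algorithm> accepted = unionOf(
            JWEAlgorithm.Family.AES_GCM_KW,
            JWEAlgorithm.Family.AES_KW,
            JWEAlgorithm.Family.ASYMMETRIC,
            JWEAlgorithm.Family.ECDH_ES,
            JWEAlgorithm.Family.PBES2,
            JWEAlgorithm.Family.RSA,
            JWEAlgorithm.Family.SYMMETRIC);
        final String name = StringUtils.defaultIfBlank(
            getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_ENCRYPTION_ALG),
            DEFAULT_ENCRYPTION_ALGORITHM);
        return findAlgorithmFamily(accepted, name, JWEAlgorithm.class);
    }

    /** @return the resolved {@code TOKEN_SECRET_ENCRYPTION} property, or {@code null} when unset */
    private static String getRegisteredServiceJwtEncryptionSecret(final RegisteredService registeredService) {
        return getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_ENCRYPTION);
    }

    /** @return the resolved {@code TOKEN_SECRET_SIGNING} property, or {@code null} when unset */
    private static String getRegisteredServiceJwtSigningSecret(final RegisteredService registeredService) {
        return getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRET_SIGNING);
    }

    /** @return whether the service declares its secrets as base64-encoded; an unset property means {@code false} */
    private static boolean areSecretsBase64Encoded(final RegisteredService registeredService) {
        return BooleanUtils.toBoolean(
            getRegisteredServiceJwtProperty(registeredService, RegisteredServiceProperty.RegisteredServiceProperties.TOKEN_SECRETS_ARE_BASE64_ENCODED));
    }

    /**
     * Flattens several nimbus algorithm families into one lookup set.
     *
     * @param families the families to merge
     * @return a mutable set containing every member of every family
     */
    @SafeVarargs
    private static Set<Algorithm> unionOf(final Set<? extends Algorithm>... families) {
        final Set<Algorithm> all = new HashSet<>();
        for (final Set<? extends Algorithm> family : families) {
            all.addAll(family);
        }
        return all;
    }

    /**
     * Finds the algorithm whose name matches {@code name} (case-insensitively) among the candidates
     * and checks it is of the expected type.
     *
     * @param candidates   the accepted algorithms
     * @param name         the configured algorithm name
     * @param expectedType the concrete algorithm type the caller needs
     * @param <T>          the algorithm type
     * @return the matching algorithm, cast to {@code expectedType}
     * @throws IllegalArgumentException when no candidate has that name
     * @throws ClassCastException       when the match is not of {@code expectedType}
     */
    private static <T extends Algorithm> T findAlgorithmFamily(final Set<Algorithm> candidates, final String name, final Class<T> expectedType) {
        final Algorithm match = candidates.stream()
            .filter(algorithm -> algorithm.getName().equalsIgnoreCase(name))
            .findFirst()
            .orElseThrow(() -> new IllegalArgumentException("Unable to find algorithm " + name));
        if (!expectedType.isInstance(match)) {
            throw new ClassCastException("Result [%s] is of type %s when we were expecting %s".formatted(match, match.getClass(), expectedType));
        }
        return expectedType.cast(match);
    }

    /**
     * Turns a configured secret into key bytes.
     *
     * @param secret        the configured secret string
     * @param base64Encoded whether the string is base64 and must be decoded
     * @return the decoded bytes, or the UTF-8 bytes of the string when not base64
     */
    private static byte[] getSecretBytes(final String secret, final boolean base64Encoded) {
        return base64Encoded ? new Base64(secret).decode() : secret.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Wraps an already-resolved configuration; use {@link #forRegisteredService(RegisteredService)}
     * to build one from a service.
     *
     * @param securityConfiguration the resolved signature/encryption pair
     */
    @Generated
    protected TokenAuthenticationSecurity(final RegisteredServiceSecurityConfiguration securityConfiguration) {
        this.securityConfiguration = securityConfiguration;
    }
}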
