package org.apereo.cas.support.oauth.web.response.accesstoken.response;

import com.google.common.collect.Lists;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.oauth2.sdk.auth.X509CertificateConfirmation;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.configuration.model.support.oauth.OAuthProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext;
import org.apereo.cas.ticket.OAuth20Token;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.ticket.refreshtoken.OAuth20RefreshToken;
import org.apereo.cas.token.JwtBuilder;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.DateTimeUtils;
import org.apereo.cas.util.crypto.EncodableCipher;
import org.apereo.cas.util.function.FunctionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.context.request.RequestContextHolder;

/* loaded from: input_file:org/apereo/cas/support/oauth/web/response/accesstoken/response/OAuth20JwtAccessTokenEncodableCipher.class */
/**
 * Produces the string form of an OAuth token that is handed back to the client.
 *
 * <p>When the registered service is an {@link OAuthRegisteredService} and
 * {@link #shouldEncodeAsJwt()} holds, the token is rendered as a JWT built by the
 * access-token JWT builder of the configuration context; otherwise the token's own id is
 * returned unchanged.
 *
 * <p>NOTE(review): this listing is decompiler output (see the "loaded from" header above the
 * class). Several statements assign a {@link RegisteredService} to an
 * {@link OAuthRegisteredService} local or call {@code getRequest()} on the result of
 * {@code RequestContextHolder.currentRequestAttributes()} without a cast, and maps are raw
 * types; the casts and generics of the original source are presumably lost. Treat the code as
 * a description of behaviour, not as compilable source.
 *
 * <p>Security-relevant points a reviewer should keep in mind while reading the methods below:
 * <ul>
 *   <li>{@code buildPrincipalForAttributeFilter} copies the HTTP request parameter
 *       {@code positionId} into the principal's attributes, so a caller-chosen value can end
 *       up as a claim in the issued JWT.</li>
 *   <li>{@code collectClaimsForAccessToken} adds the DPoP / X.509 confirmation claims after
 *       the scope-to-attributes filter has run, and strips exactly one key
 *       ({@code "password"}).</li>
 *   <li>{@code determineServiceAudience} lets the mutable {@code tokenAudience} field override
 *       the audience registered for the service.</li>
 * </ul>
 */
class OAuth20JwtAccessTokenEncodableCipher implements EncodableCipher<String, String> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20JwtAccessTokenEncodableCipher.class);
    // Source of the JWT builder, CAS properties, attribute filter, release policy and principal factory.
    private final OAuth20ConfigurationContext configurationContext;
    // Service definition the token is issued for; JWT encoding only happens for OAuthRegisteredService.
    private final RegisteredService registeredService;
    // The access or refresh token being encoded.
    private final OAuth20Token token;
    // May be null: it is wrapped with Optional.ofNullable when the JWT request is built.
    private final Service service;
    // Explicit issuer; when blank the CAS server prefix is used instead (see determineIssuer()).
    private final String issuer;
    // When true the token is rendered as a JWT regardless of global or per-service settings.
    private final boolean forceEncodeAsJwt;
    // Optional audience override, set through setTokenAudience(); the only mutable field.
    private String tokenAudience;

    /**
     * Returns the client-facing representation of the token.
     *
     * @param str    not read by this implementation
     * @param objArr not read by this implementation
     * @return the JWT produced by the access-token JWT builder when the registered service is an
     *         {@link OAuthRegisteredService} and {@link #shouldEncodeAsJwt()} is true; otherwise
     *         the token's id
     */
    public String encode(String str, Object[] objArr) {
        // The instanceof test runs first, so shouldEncodeAsJwt() is only reached for OAuth services.
        // getJwtRequestBuilder() declares Throwable, hence the FunctionUtils.doUnchecked wrapper.
        return ((this.registeredService instanceof OAuthRegisteredService) && shouldEncodeAsJwt()) ? (String) FunctionUtils.doUnchecked(() -> {
            return this.configurationContext.getAccessTokenJwtBuilder().build(getJwtRequestBuilder());
        }) : this.token.getId();
    }

    /**
     * Assembles the JWT request from the token and its authentication.
     *
     * <p>The JWT id is the token's own id, the subject is the authenticated principal's id, and
     * the issue date is the authentication date (not the time this method runs).
     *
     * @return the populated JWT request
     * @throws Throwable propagated from claim collection
     */
    protected JwtBuilder.JwtRequest getJwtRequestBuilder() throws Throwable {
        Authentication authentication = this.token.getAuthentication();
        JwtBuilder.JwtRequest.JwtRequestBuilder builder = JwtBuilder.JwtRequest.builder();
        // NOTE(review): jwtId exposes the server-side token id to anyone who can read the JWT
        // payload; whether the builder encrypts the JWT is not visible here - confirm.
        return builder.serviceAudience(determineServiceAudience()).issueDate(DateTimeUtils.dateOf(authentication.getAuthenticationDate())).jwtId(this.token.getId()).subject(authentication.getPrincipal().getId()).validUntilDate(determineValidUntilDate()).attributes(collectAttributes()).registeredService(Optional.of(this.registeredService)).issuer(determineIssuer()).service(Optional.ofNullable(this.service)).resolveSubject(this.token.isStateless()).build();
    }

    /**
     * Picks the issuer claim.
     *
     * @return the configured issuer, or the CAS server prefix when the issuer is blank
     */
    protected String determineIssuer() {
        return (String) StringUtils.defaultIfBlank(this.issuer, this.configurationContext.getCasProperties().getServer().getPrefix());
    }

    /**
     * Decides whether the JWT carries attribute claims at all.
     *
     * @return the claims from {@link #collectClaimsForAccessToken()} when the token is an access
     *         token and the access-token setting {@code isIncludeClaimsInJwt()} is on; an empty
     *         map otherwise (refresh tokens therefore never carry these claims)
     * @throws Throwable propagated from claim collection
     */
    protected Map<String, List<Object>> collectAttributes() throws Throwable {
        return ((this.token instanceof OAuth20AccessToken) && this.configurationContext.getCasProperties().getAuthn().getOauth().getAccessToken().isIncludeClaimsInJwt()) ? collectClaimsForAccessToken() : new HashMap();
    }

    /**
     * Builds the attribute claims for an access-token JWT.
     *
     * <p>Order matters: the map starts from the output of the scope-to-attributes filter, then
     * confirmation and grant metadata are written on top of it, then {@code "password"} is
     * removed. Everything added after the first step bypasses the filter.
     *
     * @return mutable map of claim name to values
     * @throws Throwable propagated from the release policy or the attribute filter
     */
    protected Map<String, List<Object>> collectClaimsForAccessToken() throws Throwable {
        Principal buildPrincipalForAttributeFilter = buildPrincipalForAttributeFilter(this.token, this.registeredService);
        // Filtered view: what the scope/attribute filter releases for this service and token.
        HashMap hashMap = new HashMap(this.configurationContext.getProfileScopeToAttributesFilter().filter(this.service, buildPrincipalForAttributeFilter, this.registeredService, this.token).getAttributes());
        // Unfiltered view: principal attributes + released authentication attributes (+ positionId).
        Map attributes = buildPrincipalForAttributeFilter.getAttributes();
        if (attributes.containsKey("DPoPConfirmation")) {
            CollectionUtils.firstElement(attributes.get("DPoPConfirmation")).ifPresent(obj -> {
                // The attribute value is wrapped as a Base64URL string as-is; nothing here decodes
                // it or checks that it has the length of a key thumbprint.
                Map.Entry jWTClaim = new JWKThumbprintConfirmation(new Base64URL(obj.toString())).toJWTClaim();
                hashMap.put((String) jWTClaim.getKey(), List.of(jWTClaim.getValue()));
            });
            // Only "DPoPConfirmation" was tested above, so the "DPoP" value stored here is null
            // when that attribute is absent.
            hashMap.put("DPoP", (List) attributes.get("DPoP"));
            hashMap.put("DPoPConfirmation", (List) attributes.get("DPoPConfirmation"));
        }
        if (attributes.containsKey("x509_digest")) {
            CollectionUtils.firstElement(attributes.get("x509_digest")).ifPresent(obj2 -> {
                // NOTE(review): both confirmation classes are expected to emit their entry under
                // the same claim name ("cnf") - confirm against the Nimbus version in use. If so,
                // a token carrying both attributes keeps only this X.509 binding and silently
                // drops the DPoP key binding written above.
                Map.Entry jWTClaim = new X509CertificateConfirmation(new Base64URL(obj2.toString())).toJWTClaim();
                hashMap.put((String) jWTClaim.getKey(), List.of(jWTClaim.getValue()));
            });
            hashMap.put("x509_digest", (List) attributes.get("x509_digest"));
        }
        // grant_type / response_type are added through FunctionUtils.doIfNotNull (presumably
        // skipped when the token has none) and overwrite any filtered attribute of the same name.
        FunctionUtils.doIfNotNull(this.token.getGrantType(), oAuth20GrantTypes -> {
            hashMap.put("grant_type", List.of(oAuth20GrantTypes.getType()));
        });
        FunctionUtils.doIfNotNull(this.token.getResponseType(), oAuth20ResponseTypes -> {
            hashMap.put("response_type", List.of(oAuth20ResponseTypes.getType()));
        });
        // Deny-list of exactly one, case-sensitive key. Any other credential-like attribute
        // ("Password", "credential", ...) released by the filter stays in the JWT; the release
        // policy, not this line, has to keep secrets out of the token.
        hashMap.remove("password");
        return hashMap;
    }

    /**
     * Computes the expiry of the JWT.
     *
     * @return authentication date plus the time-to-live (in seconds) of the token's expiration
     *         policy
     */
    protected Date determineValidUntilDate() {
        // Anchored at the authentication date, not at the moment of issuance.
        // NOTE(review): whether the authentication date is refreshed when a token is minted later
        // (e.g. from a refresh token) is not visible here - confirm the resulting expiry matches
        // the server-side token lifetime. getTimeToLive() is unboxed via longValue(), so a null
        // TTL would throw here.
        return DateTimeUtils.dateOf(this.token.getAuthentication().getAuthenticationDate().plusSeconds(this.token.getExpirationPolicy().getTimeToLive().longValue()));
    }

    /**
     * Chooses the audience claim.
     *
     * @return the explicit {@code tokenAudience} when it is not blank; otherwise the audience
     *         registered on the service, or the token's client id when that audience is empty
     */
    protected Set<String> determineServiceAudience() {
        // Assumes registeredService is an OAuthRegisteredService; encode() checks this before
        // the JWT path is taken, but this protected method does not re-check.
        OAuthRegisteredService oAuthRegisteredService = this.registeredService;
        // NOTE(review): tokenAudience takes precedence over the registered audience and is not
        // compared with it. Where the value comes from is not visible in this class; if it can be
        // derived from request input, the caller must restrict it to audiences the service is
        // registered for.
        return StringUtils.isNotBlank(this.tokenAudience) ? Set.of(this.tokenAudience) : oAuthRegisteredService.getAudience().isEmpty() ? Set.of(this.token.getClientId()) : oAuthRegisteredService.getAudience();
    }

    /**
     * Decides whether the token is rendered as a JWT.
     *
     * @return true when encoding is forced, when the token is an access token and JWT access
     *         tokens are enabled globally or on the service, when the token is a refresh token
     *         and JWT refresh tokens are enabled globally or on the service, or when the token's
     *         authentication carries a {@code "DPoP"} attribute (for any token type)
     */
    protected boolean shouldEncodeAsJwt() {
        // Same assumption as determineServiceAudience(): the service is an OAuthRegisteredService.
        OAuthRegisteredService oAuthRegisteredService = this.registeredService;
        OAuthProperties oauth = this.configurationContext.getCasProperties().getAuthn().getOauth();
        return this.forceEncodeAsJwt || ((this.token instanceof OAuth20AccessToken) && (oauth.getAccessToken().isCreateAsJwt() || oAuthRegisteredService.isJwtAccessToken())) || ((this.token instanceof OAuth20RefreshToken) && (oauth.getRefreshToken().isCreateAsJwt() || oAuthRegisteredService.isJwtRefreshToken())) || this.token.getAuthentication().containsAttribute("DPoP");
    }

    /**
     * Builds the principal that is passed to the scope-to-attributes filter.
     *
     * <p>Attributes are merged in this order, later entries replacing earlier ones with the same
     * key: principal attributes, authentication attributes released for the service, and finally
     * the {@code positionId} request parameter.
     *
     * @param oAuth20Token      token whose authentication supplies the principal
     * @param registeredService service used to select releasable authentication attributes
     * @return a new principal with the same id and the merged attributes
     * @throws Throwable propagated from the release policy or the principal factory
     */
    private Principal buildPrincipalForAttributeFilter(OAuth20Token oAuth20Token, RegisteredService registeredService) throws Throwable {
        Authentication authentication = oAuth20Token.getAuthentication();
        HashMap hashMap = new HashMap(authentication.getPrincipal().getAttributes());
        hashMap.putAll(this.configurationContext.getAuthenticationAttributeReleasePolicy().getAuthenticationAttributesForRelease(authentication, registeredService));
        // currentRequestAttributes() throws IllegalStateException when no request is bound to the
        // calling thread, so encoding outside a web request fails at this line.
        String parameter = RequestContextHolder.currentRequestAttributes().getRequest().getParameter("positionId");
        // NOTE(review): "positionId" is read straight from the HTTP request that triggers token
        // issuance. It is not validated here and it replaces any "positionId" already resolved
        // for the principal. If the attribute filter releases it, the value becomes a claim in a
        // JWT signed by this server, i.e. the client chooses what the server attests. It should
        // be checked against the positions the authenticated principal actually holds before it
        // is allowed into the attribute map; resource servers must not treat the claim as an
        // authorization decision until that check exists.
        if (StringUtils.isNotBlank(parameter)) {
            hashMap.put("positionId", Lists.newArrayList(new Object[]{parameter}));
        }
        return this.configurationContext.getPrincipalFactory().createPrincipal(authentication.getPrincipal().getId(), hashMap);
    }

    /**
     * Creates a cipher for one token.
     *
     * @param oAuth20ConfigurationContext OAuth configuration context
     * @param registeredService           service the token is issued for
     * @param oAuth20Token                token to encode
     * @param service                     service of the request; may be null
     * @param str                         issuer; blank falls back to the CAS server prefix
     * @param z                           true to force JWT encoding
     */
    @Generated
    public OAuth20JwtAccessTokenEncodableCipher(OAuth20ConfigurationContext oAuth20ConfigurationContext, RegisteredService registeredService, OAuth20Token oAuth20Token, Service service, String str, boolean z) {
        this.configurationContext = oAuth20ConfigurationContext;
        this.registeredService = registeredService;
        this.token = oAuth20Token;
        this.service = service;
        this.issuer = str;
        this.forceEncodeAsJwt = z;
    }

    /**
     * Sets the audience that overrides the service's registered audience in the JWT.
     *
     * @param str audience value; blank means "no override"
     * @return this cipher, for chaining
     */
    @Generated
    public OAuth20JwtAccessTokenEncodableCipher setTokenAudience(String str) {
        this.tokenAudience = str;
        return this;
    }

    /** @return the OAuth configuration context */
    @Generated
    public OAuth20ConfigurationContext getConfigurationContext() {
        return this.configurationContext;
    }

    /** @return the service the token is issued for */
    @Generated
    public RegisteredService getRegisteredService() {
        return this.registeredService;
    }

    /** @return the token being encoded */
    @Generated
    public OAuth20Token getToken() {
        return this.token;
    }

    /** @return the service of the request; may be null */
    @Generated
    public Service getService() {
        return this.service;
    }

    /** @return the explicit issuer; may be blank */
    @Generated
    public String getIssuer() {
        return this.issuer;
    }

    /** @return true when JWT encoding is forced */
    @Generated
    public boolean isForceEncodeAsJwt() {
        return this.forceEncodeAsJwt;
    }

    /** @return the audience override, or null when none was set */
    @Generated
    public String getTokenAudience() {
        return this.tokenAudience;
    }
}
