package com.wso2.jwt.token.builder;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.security.Key;
import java.security.interfaces.RSAPrivateKey;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.Claim;
import org.wso2.carbon.identity.application.common.model.ClaimMapping;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.OauthTokenIssuerImpl;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:com/wso2/jwt/token/builder/JWTAccessTokenBuilder.class */
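/**
 * Token issuer that emits the OAuth2 access token as a JWT instead of the opaque
 * default produced by {@link OauthTokenIssuerImpl}.
 *
 * <p>The signature algorithm is read once from the server configuration
 * ({@code OAuthServerConfiguration#getSignatureAlgorithm()}). Only the RSA family
 * (RS256/RS384/RS512) is actually implemented for signing; HMAC and EC names are
 * accepted by {@link #mapSignatureAlgorithm(String)} but signing with them fails and
 * the issuer falls back to the opaque token. {@code NONE} produces an <em>unsigned</em>
 * {@link PlainJWT}, which a resource server cannot verify &mdash; it is kept only for
 * backward compatibility and is logged loudly at start-up.
 *
 * <p>Signing keys are looked up per tenant and cached for the life of the JVM in
 * {@link #privateKeys}; nothing ever evicts an entry, so a rotated tenant key is not
 * picked up without a restart.
 */
public class JWTAccessTokenBuilder extends OauthTokenIssuerImpl {
    private static final String NONE = "NONE";
    private static final String SHA256_WITH_RSA = "SHA256withRSA";
    private static final String SHA384_WITH_RSA = "SHA384withRSA";
    private static final String SHA512_WITH_RSA = "SHA512withRSA";
    private static final String SHA256_WITH_HMAC = "SHA256withHMAC";
    private static final String SHA384_WITH_HMAC = "SHA384withHMAC";
    private static final String SHA512_WITH_HMAC = "SHA512withHMAC";
    private static final String SHA256_WITH_EC = "SHA256withEC";
    private static final String SHA384_WITH_EC = "SHA384withEC";
    private static final String SHA512_WITH_EC = "SHA512withEC";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final Log log = LogFactory.getLog(JWTAccessTokenBuilder.class);

    /** identity.xml algorithm name -> JOSE algorithm. Unknown names map to null. */
    private static final Map<String, JWSAlgorithm> ALGORITHM_BY_CONFIG_NAME;

    static {
        Map<String, JWSAlgorithm> byName = new HashMap<String, JWSAlgorithm>();
        // Algorithm.NONE is typed as Algorithm in Nimbus, so wrap it to get a JWSAlgorithm.
        byName.put(NONE, new JWSAlgorithm(JWSAlgorithm.NONE.getName()));
        byName.put(SHA256_WITH_RSA, JWSAlgorithm.RS256);
        byName.put(SHA384_WITH_RSA, JWSAlgorithm.RS384);
        byName.put(SHA512_WITH_RSA, JWSAlgorithm.RS512);
        byName.put(SHA256_WITH_HMAC, JWSAlgorithm.HS256);
        byName.put(SHA384_WITH_HMAC, JWSAlgorithm.HS384);
        byName.put(SHA512_WITH_HMAC, JWSAlgorithm.HS512);
        byName.put(SHA256_WITH_EC, JWSAlgorithm.ES256);
        byName.put(SHA384_WITH_EC, JWSAlgorithm.ES384);
        byName.put(SHA512_WITH_EC, JWSAlgorithm.ES512);
        ALGORITHM_BY_CONFIG_NAME = Collections.unmodifiableMap(byName);
    }

    /** Per-tenant signing key cache, keyed by tenant id. Never evicted (see class doc). */
    private static final Map<Integer, Key> privateKeys = new ConcurrentHashMap<Integer, Key>();

    private final OAuthServerConfiguration config;
    private final JWSAlgorithm signatureAlgorithm;

    /**
     * Reads the configured signature algorithm.
     *
     * @throws IdentityOAuth2Exception if the configured algorithm name is not one of the
     *                                 names listed in {@link #mapSignatureAlgorithm(String)}
     */
    public JWTAccessTokenBuilder() throws IdentityOAuth2Exception {
        if (log.isDebugEnabled()) {
            log.debug("JWT Access token builder is initiated");
        }
        this.config = OAuthServerConfiguration.getInstance();
        this.signatureAlgorithm = mapSignatureAlgorithm(this.config.getSignatureAlgorithm());
        if (isUnsignedConfigured()) {
            // An unsigned access token can be forged by anyone who knows the claim layout.
            log.warn("Signature algorithm is NONE: JWT access tokens will be issued UNSIGNED "
                    + "and cannot be verified by resource servers. Configure an RSA algorithm.");
        } else if (!isRsaAlgorithm()) {
            log.warn("Signature algorithm " + this.signatureAlgorithm.getName()
                    + " is not implemented by " + JWTAccessTokenBuilder.class.getSimpleName()
                    + "; JWT issuance will fail and the default opaque token will be issued instead.");
        }
    }

    /**
     * Issues the access token for a token-endpoint request (e.g. authorization_code,
     * password, client_credentials grants).
     *
     * <p>If the JWT cannot be built or signed, the failure is logged and the opaque token
     * from {@link OauthTokenIssuerImpl} is returned instead.
     */
    public String accessToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws OAuthSystemException {
        if (log.isDebugEnabled()) {
            log.debug("Access token request with token request message context. Authorized user "
                    + oAuthTokenReqMessageContext.getAuthorizedUser().toString());
        }
        try {
            return buildIDToken(oAuthTokenReqMessageContext);
        } catch (IdentityOAuth2Exception e) {
            // Logged at WARN, not DEBUG: a silent downgrade to opaque tokens breaks every
            // resource server that expects a JWT, and operators need to see it.
            log.warn("Error occurred while issuing jwt access token. Hence returning default token", e);
            return super.accessToken(oAuthTokenReqMessageContext);
        }
    }

    /**
     * Issues the access token for an authorization-endpoint request (implicit flow).
     *
     * <p>If the JWT cannot be built or signed, the failure is logged and the opaque token
     * from {@link OauthTokenIssuerImpl} is returned instead.
     */
    public String accessToken(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws OAuthSystemException {
        if (log.isDebugEnabled()) {
            log.debug("Access token request with authorization request message context message context. Authorized user "
                    + oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser().toString());
        }
        try {
            return buildIDToken(oAuthAuthzReqMessageContext);
        } catch (IdentityOAuth2Exception e) {
            // See the token-endpoint overload: this downgrade must be visible in the logs.
            log.warn("Error occurred while issuing jwt access token. Hence returning default token", e);
            return super.accessToken(oAuthAuthzReqMessageContext);
        }
    }

    /**
     * Builds and serializes the JWT access token for a token-endpoint request.
     *
     * @return the compact-serialized JWT; unsigned if the algorithm is NONE
     * @throws IdentityOAuth2Exception if the algorithm cannot be used for signing or the
     *                                 tenant key cannot be obtained
     */
    protected String buildIDToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        JWTClaimsSet claims = buildClaimsSet(oAuthTokenReqMessageContext.getAuthorizedUser(), clientId);
        if (isUnsignedConfigured()) {
            return new PlainJWT(claims).serialize();
        }
        return signJWT(claims, oAuthTokenReqMessageContext);
    }

    /**
     * Builds and serializes the JWT access token for an authorization-endpoint request.
     *
     * @return the compact-serialized JWT; unsigned if the algorithm is NONE
     * @throws IdentityOAuth2Exception if the algorithm cannot be used for signing or the
     *                                 signing key cannot be obtained
     */
    protected String buildIDToken(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        String clientId = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getConsumerKey();
        JWTClaimsSet claims = buildClaimsSet(oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getUser(), clientId);
        if (isUnsignedConfigured()) {
            return new PlainJWT(claims).serialize();
        }
        return signJWT(claims, oAuthAuthzReqMessageContext);
    }

    /**
     * Assembles the claim set shared by both flows: iss, sub, aud, azp, jti, iat, exp and
     * the user's customer-id claim.
     *
     * @param user     the authenticated user; {@code sub} is the subject identifier, or the
     *                 user name when the identifier is blank
     * @param clientId the requesting client; used as the single {@code aud} and as {@code azp}
     */
    private JWTClaimsSet buildClaimsSet(AuthenticatedUser user, String clientId) {
        // NOTE(review): the application (client) token validity is used for every token,
        // including user tokens issued in the code/password flows - confirm that is intended.
        long validityMillis = OAuthServerConfiguration.getInstance().getApplicationAccessTokenValidityPeriodInSeconds() * 1000;
        long nowMillis = Calendar.getInstance().getTimeInMillis();

        JWTClaimsSet claims = new JWTClaimsSet();
        claims.setIssuer(OAuth2Util.getIDTokenIssuer());
        claims.setSubject(resolveSubject(user));
        claims.setAudience(Arrays.asList(clientId));
        claims.setClaim(Constants.AUTHORIZATION_PARTY, clientId);
        // jti gives each token a unique identity so it can be individually revoked or
        // de-duplicated; iat alone cannot distinguish tokens issued in the same second.
        claims.setJWTID(UUID.randomUUID().toString());
        claims.setIssueTime(new Date(nowMillis));
        claims.setExpirationTime(new Date(nowMillis + validityMillis));
        addUserClaims(claims, user);
        return claims;
    }

    /** Subject identifier, falling back to the user name when the identifier is blank. */
    private String resolveSubject(AuthenticatedUser user) {
        String subject = user.getAuthenticatedSubjectIdentifier();
        if (StringUtils.isBlank(subject)) {
            subject = user.getUserName();
        }
        return subject;
    }

    /**
     * Signs the claim set with the RSA private key of the authorized user's tenant.
     *
     * @throws IdentityOAuth2Exception if the tenant key is missing, is not an RSA key, or
     *                                 signing fails
     */
    protected String signJWTWithRSA(JWTClaimsSet jWTClaimsSet, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        String tenantDomain = oAuthTokenReqMessageContext.getAuthorizedUser().getTenantDomain();
        return signWithTenantKey(jWTClaimsSet, tenantDomain);
    }

    /**
     * Signs the claim set with the super-tenant's default RSA private key.
     *
     * <p>NOTE(review): unlike the token-endpoint overload this always uses the
     * {@code carbon.super} key, regardless of the user's tenant, so tokens for tenant users
     * issued through the authorization endpoint are signed with a different key than those
     * issued through the token endpoint. Confirm whether verifiers expect that.
     *
     * @throws IdentityOAuth2Exception if the key is missing, is not an RSA key, or signing fails
     */
    protected String signJWTWithRSA(JWTClaimsSet jWTClaimsSet, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        return signWithTenantKey(jWTClaimsSet, SUPER_TENANT_DOMAIN);
    }

    /**
     * Dispatches signing by algorithm family for a token-endpoint request.
     *
     * @throws IdentityOAuth2Exception for every non-RSA algorithm, since only RSA signing is
     *                                 implemented here (previously a null token was returned)
     */
    protected String signJWT(JWTClaimsSet jWTClaimsSet, OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        if (isRsaAlgorithm()) {
            return signJWTWithRSA(jWTClaimsSet, oAuthTokenReqMessageContext);
        }
        throw unsupportedForSigning();
    }

    /**
     * Dispatches signing by algorithm family for an authorization-endpoint request.
     *
     * @throws IdentityOAuth2Exception for every non-RSA algorithm, since only RSA signing is
     *                                 implemented here (previously a null token was returned)
     */
    protected String signJWT(JWTClaimsSet jWTClaimsSet, OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) throws IdentityOAuth2Exception {
        if (isRsaAlgorithm()) {
            return signJWTWithRSA(jWTClaimsSet, oAuthAuthzReqMessageContext);
        }
        throw unsupportedForSigning();
    }

    /**
     * Maps the identity.xml algorithm name to a JOSE {@link JWSAlgorithm}.
     *
     * @throws IdentityOAuth2Exception for a null or unrecognised name
     */
    protected JWSAlgorithm mapSignatureAlgorithm(String str) throws IdentityOAuth2Exception {
        JWSAlgorithm algorithm = ALGORITHM_BY_CONFIG_NAME.get(str);
        if (algorithm == null) {
            throw new IdentityOAuth2Exception("Unsupported Signature Algorithm in identity.xml");
        }
        return algorithm;
    }

    /** True when the configured algorithm is {@code none} (unsigned tokens). */
    private boolean isUnsignedConfigured() {
        return JWSAlgorithm.NONE.getName().equals(this.signatureAlgorithm.getName());
    }

    /** True for RS256/RS384/RS512, the only algorithms this issuer can sign with. */
    private boolean isRsaAlgorithm() {
        return JWSAlgorithm.RS256.equals(this.signatureAlgorithm)
                || JWSAlgorithm.RS384.equals(this.signatureAlgorithm)
                || JWSAlgorithm.RS512.equals(this.signatureAlgorithm);
    }

    private IdentityOAuth2Exception unsupportedForSigning() {
        return new IdentityOAuth2Exception("Signature algorithm " + this.signatureAlgorithm.getName()
                + " is not supported for signing JWT access tokens; only RS256, RS384 and RS512 are implemented");
    }

    /**
     * Signs the claim set with the RSA key of the given tenant and returns the compact form.
     *
     * @throws IdentityOAuth2Exception if the key is missing or not RSA (previously a
     *                                 ClassCastException escaped the issuer), or on a JOSE failure
     */
    private String signWithTenantKey(JWTClaimsSet claims, String tenantDomain) throws IdentityOAuth2Exception {
        Key key = resolveSigningKey(tenantDomain);
        if (!(key instanceof RSAPrivateKey)) {
            throw new IdentityOAuth2Exception("Private key for tenant " + tenantDomain
                    + " is not an RSA private key; cannot sign with " + this.signatureAlgorithm.getName());
        }
        try {
            SignedJWT signedJWT = new SignedJWT(new JWSHeader(this.signatureAlgorithm), claims);
            signedJWT.sign(new RSASSASigner((RSAPrivateKey) key));
            return signedJWT.serialize();
        } catch (JOSEException e) {
            throw new IdentityOAuth2Exception("Error occurred while signing JWT", e);
        }
    }

    /**
     * Returns the tenant's signing key, loading it from the key store on first use and
     * caching it thereafter. The super tenant uses the default private key; any other
     * tenant uses the key store named after its domain ({@code "."} replaced by {@code "-"}).
     *
     * @throws IdentityOAuth2Exception if the key store manager cannot provide a key
     */
    private Key resolveSigningKey(String tenantDomain) throws IdentityOAuth2Exception {
        int tenantId = IdentityTenantUtil.getTenantId(tenantDomain);
        Key cached = privateKeys.get(tenantId);
        if (cached != null) {
            return cached;
        }
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        Key key;
        // equals() on the constant also tolerates a null tenant domain.
        if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
            try {
                key = keyStoreManager.getDefaultPrivateKey();
            } catch (Exception e) {
                throw new IdentityOAuth2Exception("Error while obtaining private key for super tenant", e);
            }
        } else {
            String keyStoreName = tenantDomain.trim().replace(".", "-") + Constants.KEY_STORE_EXTENSION;
            key = keyStoreManager.getPrivateKey(keyStoreName, tenantDomain);
        }
        if (key == null) {
            // ConcurrentHashMap rejects null values; fail with a clear message instead.
            throw new IdentityOAuth2Exception("No private key available for tenant " + tenantDomain);
        }
        // Benign race: two threads may both load the key; the last write wins with equal content.
        privateKeys.put(tenantId, key);
        return key;
    }

    /**
     * Copies the user's customer-id attribute (by local claim URI) into the claim set.
     * All other user attributes are deliberately left out of the access token.
     */
    private void addUserClaims(JWTClaimsSet jWTClaimsSet, AuthenticatedUser authenticatedUser) {
        Map attributes = authenticatedUser.getUserAttributes();
        if (attributes == null) {
            return;
        }
        for (Object raw : attributes.entrySet()) {
            Map.Entry entry = (Map.Entry) raw;
            Claim localClaim = ((ClaimMapping) entry.getKey()).getLocalClaim();
            if (localClaim != null && Constants.CUSTOMER_ID_CLAIM_URI.equalsIgnoreCase(localClaim.getClaimUri())) {
                jWTClaimsSet.setClaim(Constants.CUSTOMER_ID_CLAIM_URI, entry.getValue());
            }
        }
    }
}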
