package org.apereo.cas.web;

import com.fasterxml.jackson.core.JsonGenerator;
import com.google.common.collect.Sets;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.OidcConstants;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.ticket.accesstoken.AccessToken;
import org.apereo.cas.support.oauth.ticket.refreshtoken.RefreshToken;
import org.apereo.cas.support.oauth.web.OAuth20AccessTokenResponseGenerator;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.lang.JoseException;
import org.pac4j.core.context.J2EContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.springframework.core.io.Resource;

/* loaded from: input_file:org/apereo/cas/web/OidcAccessTokenResponseGenerator.class */
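/**
 * Access-token response generator for OpenID Connect.
 * <p>
 * Extends the plain OAuth 2.0 token response with an {@code id_token} field. The ID token
 * claims are built from the access token's authentication and the authenticated profile,
 * then signed (RS256) with the first key of the JWKS that applies to the registered
 * service: the service's own JWKS location if one is configured, otherwise the default
 * {@code jwksFile}. If the service does not ask for a signed ID token, or no key can be
 * loaded, the token is emitted with the {@code none} algorithm, i.e. unsigned.
 * <p>
 * Thread-safety: this class holds only configuration set through its setters; no mutable
 * per-request state is kept on the instance.
 */
public class OidcAccessTokenResponseGenerator extends OAuth20AccessTokenResponseGenerator {
    /** Value of the {@code iss} claim written into every ID token. */
    private String issuer;
    /** Allowed clock skew in minutes; the {@code nbf} claim is set this many minutes in the past. */
    private int skew;
    /** Default JWKS resource, used when the registered service does not define its own JWKS. */
    private Resource jwksFile;

    /**
     * Writes the OAuth access-token response and appends the OIDC {@code id_token}.
     *
     * @param httpServletRequest     current request
     * @param httpServletResponse    current response
     * @param jsonGenerator          generator the response JSON is written to
     * @param accessToken            access token being returned
     * @param refreshToken           refresh token being returned; handled by the superclass
     * @param j                      token validity in minutes, reused as the ID token lifetime
     * @param service                the requesting service
     * @param oAuthRegisteredService registered service definition; must be an {@link OidcRegisteredService}
     * @throws IllegalArgumentException if the registered service is not an OIDC service
     * @throws IllegalStateException    if no authenticated user profile is present in the request
     * @throws Exception                if the superclass fails, the JWKS cannot be loaded, or signing fails
     */
    @Override
    protected void generateJsonInternal(final HttpServletRequest httpServletRequest,
                                        final HttpServletResponse httpServletResponse,
                                        final JsonGenerator jsonGenerator,
                                        final AccessToken accessToken,
                                        final RefreshToken refreshToken,
                                        final long j,
                                        final Service service,
                                        final OAuthRegisteredService oAuthRegisteredService) throws Exception {
        // Validate the service type before the superclass writes anything, so a wrong
        // service type does not leave a half-written response behind.
        if (!(oAuthRegisteredService instanceof OidcRegisteredService)) {
            throw new IllegalArgumentException("Registered service with client id "
                    + oAuthRegisteredService.getClientId() + " is not an OpenID Connect service");
        }
        final OidcRegisteredService oidcService = (OidcRegisteredService) oAuthRegisteredService;

        super.generateJsonInternal(httpServletRequest, httpServletResponse, jsonGenerator,
                accessToken, refreshToken, j, service, oAuthRegisteredService);

        final J2EContext context = new J2EContext(httpServletRequest, httpServletResponse);
        // ProfileManager is used raw here (as in the original), hence the explicit cast below.
        final Optional<?> profile = new ProfileManager(context).get(true);
        final UserProfile userProfile = (UserProfile) profile.orElseThrow(() ->
                new IllegalStateException("No authenticated user profile is available; cannot issue an id_token"));

        final JwtClaims claims = produceIdTokenClaims(httpServletRequest, accessToken, j, oidcService, userProfile, context);
        final String idToken = signIdTokenClaim(oidcService, buildJsonWebKeySet(oidcService), claims);
        jsonGenerator.writeStringField(OidcConstants.ID_TOKEN, idToken);
    }

    /**
     * Builds the ID token claim set for the given access token.
     * <p>
     * Standard claims: a random {@code jti}, {@code iss}, {@code aud} (the client id),
     * {@code exp} ({@code j} minutes from now), {@code iat}, {@code nbf} ({@code skew} minutes
     * in the past) and {@code sub} (the principal id). The {@code state} and {@code nonce}
     * authentication attributes are copied verbatim, then every principal attribute whose
     * name is listed in {@link OidcConstants#CLAIMS}. {@code preferred_username} falls back
     * to the profile id when the principal did not provide it.
     *
     * @param httpServletRequest    current request (not read here; kept for subclasses)
     * @param accessToken           access token whose authentication feeds the claims
     * @param j                     lifetime of the ID token in minutes
     * @param oidcRegisteredService registered service the token is issued for
     * @param userProfile           authenticated profile from the request
     * @param j2EContext            web context (not read here; kept for subclasses)
     * @return the populated, unsigned claim set
     */
    protected JwtClaims produceIdTokenClaims(final HttpServletRequest httpServletRequest,
                                             final AccessToken accessToken,
                                             final long j,
                                             final OidcRegisteredService oidcRegisteredService,
                                             final UserProfile userProfile,
                                             final J2EContext j2EContext) {
        final Authentication authentication = accessToken.getAuthentication();
        final Principal principal = authentication.getPrincipal();
        final Map<String, Object> principalAttributes = principal.getAttributes();

        final JwtClaims claims = new JwtClaims();
        claims.setJwtId(UUID.randomUUID().toString());
        claims.setIssuer(this.issuer);
        claims.setAudience(oidcRegisteredService.getClientId());
        claims.setExpirationTimeMinutesInTheFuture((float) j);
        claims.setIssuedAtToNow();
        claims.setNotBeforeMinutesInThePast(this.skew);
        claims.setSubject(principal.getId());
        claims.setClaim("state", authentication.getAttributes().get("state"));
        claims.setClaim("nonce", authentication.getAttributes().get("nonce"));

        // Only attributes with a well-known OIDC claim name are released into the token;
        // iterating the constant set keeps the claim order stable across principals.
        for (final String claim : OidcConstants.CLAIMS) {
            if (principalAttributes.containsKey(claim)) {
                claims.setClaim(claim, principalAttributes.get(claim));
            }
        }
        if (!claims.hasClaim(OidcConstants.CLAIM_PREFERRED_USERNAME)) {
            claims.setClaim(OidcConstants.CLAIM_PREFERRED_USERNAME, userProfile.getId());
        }
        return claims;
    }

    /**
     * Serializes the claims as a JWS, signed with RS256 when the service requires a signed
     * ID token and a usable RSA key is available, otherwise unsigned ({@code alg=none}).
     *
     * @param oidcRegisteredService registered service; {@code isSignIdToken()} decides whether to sign
     * @param optional              key set to sign with, if any
     * @param jwtClaims             claims to serialize
     * @return the compact JWS serialization
     * @throws JoseException if the first key of the set is not an RSA key, or serialization fails
     */
    protected String signIdTokenClaim(final OidcRegisteredService oidcRegisteredService,
                                      final Optional<JsonWebKeySet> optional,
                                      final JwtClaims jwtClaims) throws JoseException {
        final JsonWebSignature jws = new JsonWebSignature();
        final String payload = jwtClaims.toJson();
        jws.setPayload(payload);
        this.logger.debug("Generated claims are {}", payload);

        // Start from an unsigned token; NO_CONSTRAINTS is what lets jose4j serialize alg=none.
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.NONE);
        jws.setAlgorithmConstraints(AlgorithmConstraints.NO_CONSTRAINTS);

        if (oidcRegisteredService.isSignIdToken()) {
            final Optional<RsaJsonWebKey> signingKey = findSigningKey(optional);
            if (signingKey.isPresent()) {
                applySignature(jws, signingKey.get());
            } else {
                // NOTE(review): the service asked for a signed id_token but no key could be found,
                // so an unsigned token is issued. This keeps the historical fallback; a stricter
                // deployment may prefer to fail here rather than rely on clients rejecting alg=none.
                this.logger.warn("Service {} requires a signed id token but no JSON web key is available; issuing an unsigned token",
                        oidcRegisteredService.getClientId());
            }
        }
        this.logger.debug("Signing id token with algorithm {}", jws.getAlgorithmHeaderValue());
        return jws.getCompactSerialization();
    }

    /**
     * Selects the signing key: the first key of the set, which must be an RSA key.
     *
     * @param keySet key set to pick from, if any
     * @return the first key, or empty when the set is absent or empty
     * @throws JoseException if the first key is not an RSA key (only RS256 is supported here)
     */
    private static Optional<RsaJsonWebKey> findSigningKey(final Optional<JsonWebKeySet> keySet) throws JoseException {
        if (!keySet.isPresent() || keySet.get().getJsonWebKeys().isEmpty()) {
            return Optional.empty();
        }
        final JsonWebKey key = keySet.get().getJsonWebKeys().get(0);
        if (!(key instanceof RsaJsonWebKey)) {
            throw new JoseException("Only RSA keys are supported for signing id tokens; first key in the set is of type "
                    + (key == null ? "null" : key.getKeyType()));
        }
        return Optional.of((RsaJsonWebKey) key);
    }

    /**
     * Configures the JWS for RS256 signing with the given key and sets the {@code kid} header.
     *
     * @param jws JWS being built
     * @param key RSA key whose private part signs the token
     */
    private void applySignature(final JsonWebSignature jws, final RsaJsonWebKey key) {
        jws.setKey(key.getPrivateKey());
        jws.setAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE);
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        // NOTE(review): a key without a kid gets a fresh random kid on every token. Relying parties
        // cannot match such a kid against the published JWKS, so signing keys should carry a stable kid.
        final String keyId = StringUtils.isBlank(key.getKeyId()) ? UUID.randomUUID().toString() : key.getKeyId();
        jws.setKeyIdHeaderValue(keyId);
        this.logger.debug("Signing id token with key id header value {}", keyId);
    }

    /**
     * Loads the JWKS that applies to the service.
     * <p>
     * The service's own JWKS location (resolved through the resource loader) is tried first on
     * a best-effort basis: a failure there is logged and the default {@code jwksFile} is used
     * instead. A failure to load the default key set propagates to the caller. The per-service
     * location comes from the service registry, which is treated as trusted configuration since
     * it can name arbitrary resource locations.
     *
     * @param oidcRegisteredService registered service whose JWKS location is consulted
     * @return the loaded key set, or empty when neither a service JWKS nor a default file is available
     * @throws Exception if the default key set cannot be read or parsed
     */
    protected Optional<JsonWebKeySet> buildJsonWebKeySet(final OidcRegisteredService oidcRegisteredService) throws Exception {
        JsonWebKeySet keySet = null;
        final String serviceJwks = oidcRegisteredService.getJwks();
        if (StringUtils.isNotBlank(serviceJwks)) {
            try {
                this.logger.debug("Loading JWKS from {}", serviceJwks);
                keySet = readJsonWebKeySet(this.resourceLoader.getResource(serviceJwks));
            } catch (final Exception e) {
                // Best effort: a missing or malformed per-service JWKS falls back to the default below.
                this.logger.debug(e.getMessage(), e);
            }
        }
        if (keySet == null) {
            this.logger.debug("Loading default JWKS from {}", this.jwksFile);
            if (this.jwksFile != null) {
                keySet = readJsonWebKeySet(this.jwksFile);
            }
        }
        return Optional.ofNullable(keySet);
    }

    /**
     * Reads and parses a JWKS document from a resource, closing the underlying stream.
     *
     * @param resource resource holding the JWKS JSON
     * @return the parsed key set
     * @throws Exception if the resource cannot be opened, read or parsed
     */
    private static JsonWebKeySet readJsonWebKeySet(final Resource resource) throws Exception {
        try (InputStream in = resource.getInputStream()) {
            return new JsonWebKeySet(IOUtils.toString(in, StandardCharsets.UTF_8));
        }
    }

    /**
     * Sets the {@code iss} claim value.
     *
     * @param str issuer identifier
     */
    public void setIssuer(final String str) {
        this.issuer = str;
    }

    /**
     * Sets the allowed clock skew in minutes, applied to the {@code nbf} claim.
     *
     * @param i skew in minutes
     */
    public void setSkew(final int i) {
        this.skew = i;
    }

    /**
     * Sets the default JWKS resource used when a service defines no JWKS of its own.
     *
     * @param resource JWKS resource; may be null, in which case no default key set exists
     */
    public void setJwksFile(final Resource resource) {
        this.jwksFile = resource;
    }
}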
