package org.apereo.cas.oidc.token;

import com.github.benmanes.caffeine.cache.LoadingCache;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.ticket.BaseIdTokenSigningAndEncryptionService;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/oidc/token/OidcIdTokenSigningAndEncryptionService.class */
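/**
 * Produces OpenID Connect id tokens for a registered service: builds the JWS from the claims,
 * signs it with the issuer's key when the service asks for signing, and wraps the result in a
 * JWE with the service's own public key when the service asks for encryption.
 *
 * <p>Keys come from two caches: {@code defaultJsonWebKeystoreCache} (issuer id → issuer signing
 * key) and {@code serviceJsonWebKeystoreCache} (registered service → that service's key, used
 * here only for its public half to encrypt). Both caches yield an empty {@link Optional} when no
 * key is available, which this class turns into an {@link IllegalArgumentException}.
 *
 * <p>NOTE(review): this listing is decompiled. {@link #encode} does not declare the checked
 * exceptions its helpers throw; the source form presumably relies on Lombok's
 * {@code @SneakyThrows} (not visible here) — confirm against the original source.
 */
public class OidcIdTokenSigningAndEncryptionService extends BaseIdTokenSigningAndEncryptionService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcIdTokenSigningAndEncryptionService.class);

    /** Issuer-level keys, looked up by issuer id; the private half signs id tokens. */
    private final LoadingCache<String, Optional<RsaJsonWebKey>> defaultJsonWebKeystoreCache;

    /** Per-service keys; only the public half is used here, to encrypt the id token for that service. */
    private final LoadingCache<OidcRegisteredService, Optional<RsaJsonWebKey>> serviceJsonWebKeystoreCache;

    /**
     * @param loadingCache  issuer id → signing key cache
     * @param loadingCache2 registered service → encryption key cache
     * @param str           the issuer identifier, handed to the base class
     */
    public OidcIdTokenSigningAndEncryptionService(LoadingCache<String, Optional<RsaJsonWebKey>> loadingCache, LoadingCache<OidcRegisteredService, Optional<RsaJsonWebKey>> loadingCache2, String str) {
        super(str);
        this.defaultJsonWebKeystoreCache = loadingCache;
        this.serviceJsonWebKeystoreCache = loadingCache2;
    }

    /**
     * Encodes the claims into the id token for the given service.
     *
     * <p>Order of operations: JWS is created from the claims; it is signed if
     * {@link OidcRegisteredService#isSignIdToken()} is set, otherwise its compact serialization
     * is used as-is; then, if the service asks for encryption and has both an encryption
     * algorithm and an encoding configured, the (signed or unsigned) token is encrypted.
     *
     * @param oAuthRegisteredService the service; must actually be an {@link OidcRegisteredService}
     * @param jwtClaims              the claims to place in the token
     * @return the compact serialization of the final JWS or JWE
     * @throws ClassCastException       if the service is not an {@link OidcRegisteredService}
     * @throws IllegalArgumentException if a required signing/encryption key is missing or incomplete
     */
    public String encode(OAuthRegisteredService oAuthRegisteredService, JwtClaims jwtClaims) {
        OidcRegisteredService oidcService = OidcRegisteredService.class.cast(oAuthRegisteredService);
        LOGGER.debug("Attempting to produce id token generated for service [{}]", oidcService);

        JsonWebSignature jws = createJsonWebSignature(jwtClaims);
        // Logs every claim (sub, email, names, ...) in full at DEBUG; treat this log sink as
        // carrying personal data, or keep DEBUG off for this logger in production.
        LOGGER.debug("Generated claims to put into id token are [{}]", jwtClaims.toJson());

        String idToken;
        if (oidcService.isSignIdToken()) {
            idToken = signIdToken(oidcService, jws);
        } else {
            // Unsigned path: whatever createJsonWebSignature() set up is emitted without a key.
            // NOTE(review): whether this yields an alg=none JWS, and whether jose4j permits it,
            // is decided in the base class, not here — confirm before letting any service
            // turn off signIdToken.
            idToken = jws.getCompactSerialization();
        }

        if (oidcService.isEncryptIdToken()) {
            boolean encryptionConfigured = StringUtils.isNotBlank(oidcService.getIdTokenEncryptionAlg())
                && StringUtils.isNotBlank(oidcService.getIdTokenEncryptionEncoding());
            if (encryptionConfigured) {
                idToken = encryptIdToken(oidcService, jws, idToken);
            } else {
                // The service asks for encryption but lacks alg and/or enc, so the token is issued
                // in the clear. This used to happen silently; it is now at least visible in the log.
                LOGGER.warn("Service [{}] with client id [{}] is set to encrypt id tokens but has no id token encryption algorithm and/or encoding configured; the id token will NOT be encrypted",
                    oidcService.getServiceId(), oidcService.getClientId());
            }
        }
        return idToken;
    }

    /**
     * Encrypts an already-serialized id token with the service's public key.
     *
     * @param oidcRegisteredService the service whose key and alg/enc settings are used
     * @param jsonWebSignature      the JWS the token was built from; its {@code kid} header is carried into the JWE
     * @param str                   the compact serialization to encrypt
     * @return the compact serialization of the JWE
     * @throws IllegalArgumentException if the service has no key or the key lacks a public half
     */
    private String encryptIdToken(OidcRegisteredService oidcRegisteredService, JsonWebSignature jsonWebSignature, String str) throws Exception {
        LOGGER.debug("Service [{}] is set to encrypt id tokens", oidcRegisteredService);
        RsaJsonWebKey encryptionKey = this.serviceJsonWebKeystoreCache.get(oidcRegisteredService)
            .orElseThrow(() -> new IllegalArgumentException("Service " + oidcRegisteredService.getServiceId()
                + " with client id " + oidcRegisteredService.getClientId()
                + " is configured to encrypt id tokens, yet no JSON web key is available"));
        // NOTE(review): assumes RsaJsonWebKey.toString() prints public parameters only — verify
        // against the jose4j version in use before relying on this line in shared logs.
        LOGGER.debug("Found JSON web key to encrypt the id token: [{}]", encryptionKey);
        if (encryptionKey.getPublicKey() == null) {
            // Message previously said "sign"; this is the encryption key.
            throw new IllegalArgumentException("JSON web key used to encrypt the id token has no associated public key");
        }
        // NOTE(review): when the token was not signed, the JWS was never configured with a key id,
        // so the kid propagated here may be null — confirm the base class tolerates that.
        return encryptIdToken(oidcRegisteredService.getIdTokenEncryptionAlg(),
            oidcRegisteredService.getIdTokenEncryptionEncoding(),
            jsonWebSignature.getKeyIdHeaderValue(),
            encryptionKey.getPublicKey(),
            str);
    }

    /**
     * Signs the JWS with the issuer's key and returns its compact serialization.
     *
     * @throws IllegalArgumentException if no issuer key exists or it has no private half
     */
    private String signIdToken(OidcRegisteredService oidcRegisteredService, JsonWebSignature jsonWebSignature) throws Exception {
        LOGGER.debug("Fetching JSON web key to sign the id token for : [{}]", oidcRegisteredService.getClientId());
        PublicJsonWebKey signingKey = getSigningKey();
        // NOTE(review): assumes the key's toString() omits private material — verify for the jose4j version in use.
        LOGGER.debug("Found JSON web key to sign the id token: [{}]", signingKey);
        if (signingKey.getPrivateKey() == null) {
            throw new IllegalArgumentException("JSON web key used to sign the id token has no associated private key");
        }
        configureJsonWebSignatureForIdTokenSigning(oidcRegisteredService, jsonWebSignature, signingKey);
        return jsonWebSignature.getCompactSerialization();
    }

    /**
     * Looks up the issuer's signing key by {@link #getIssuer()}.
     *
     * @return the key (never {@code null})
     * @throws IllegalArgumentException if the cache holds no key for the issuer
     */
    protected PublicJsonWebKey getSigningKey() {
        return this.defaultJsonWebKeystoreCache.get(getIssuer())
            .orElseThrow(() -> new IllegalArgumentException("No signing key could be found for issuer " + getIssuer()));
    }

    /**
     * The JWS algorithm for this service: the service's own {@code idTokenSigningAlg} when set,
     * otherwise the base class default.
     */
    public String getJsonWebKeySigningAlgorithm(OAuthRegisteredService oAuthRegisteredService) {
        OidcRegisteredService oidcService = OidcRegisteredService.class.cast(oAuthRegisteredService);
        String serviceAlg = oidcService.getIdTokenSigningAlg();
        if (StringUtils.isBlank(serviceAlg)) {
            return super.getJsonWebKeySigningAlgorithm(oAuthRegisteredService);
        }
        return serviceAlg;
    }
}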
