package io.cellery.security.cell.sts.server.core;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import io.cellery.security.cell.sts.server.core.service.CelleryCellSTSException;
import io.cellery.security.cell.sts.server.jwks.KeyResolverException;
import io.cellery.security.cell.sts.server.utils.CertificateUtils;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:io/cellery/security/cell/sts/server/core/STSJWTBuilder.class */
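/**
 * Fluent builder for RS256-signed JWTs issued by the cell STS.
 *
 * <p>Callers set the subject, custom claims, scopes, audience and lifetime, then call
 * {@link #build()} to obtain the compact serialization. The claims {@code jti}, {@code iss},
 * {@code iat}, {@code exp}, {@code aud} and {@code keytype} are always written by the builder
 * itself, after any caller-supplied claims, so a value passed through {@link #claim} or
 * {@link #claims} under one of those names is replaced at build time.
 *
 * <p>Instances hold mutable state and use no synchronization; do not share one across threads.
 */
public class STSJWTBuilder {
    private static final String MICRO_GATEWAY_DEFAULT_AUDIENCE_VALUE = "http://org.cellery.apimgt/gateway";
    private static final String SCOPE_CLAIM = "scope";
    private static final String KEY_TYPE_CLAIM = "keytype";
    private static final String PRODUCTION_KEY_TYPE = "PRODUCTION";

    private final JWSHeader.Builder headerBuilder = new JWSHeader.Builder(JWSAlgorithm.RS256);
    private final JWTClaimsSet.Builder claimSetBuilder = new JWTClaimsSet.Builder();
    // Token lifetime; 1200 s (20 minutes) unless overridden via expiryInSeconds(long).
    private long expiryInSeconds = 1200;
    // Always a builder-owned list, never the caller's instance.
    private final List<String> audience = new ArrayList<>();
    // NOTE(review): the host is spelled "cellry" in the original; it is kept byte-for-byte
    // because verifiers may compare the iss claim against this exact string. Confirm.
    private String issuer = "https://sts.cellry.io";

    /**
     * Sets the {@code sub} claim.
     *
     * @param str subject identifier
     * @return this builder
     */
    public STSJWTBuilder subject(String str) {
        this.claimSetBuilder.subject(str);
        return this;
    }

    /**
     * Overrides the default issuer. A {@code null} argument is ignored and the current issuer
     * is kept.
     *
     * @param str issuer value for the {@code iss} claim, or {@code null} to leave it unchanged
     * @return this builder
     */
    public STSJWTBuilder issuer(String str) {
        if (str != null) {
            this.issuer = str;
        }
        return this;
    }

    /**
     * Adds a single claim. Names that collide with the mandatory claims are overwritten when
     * {@link #build()} runs.
     *
     * @param str claim name
     * @param obj claim value
     * @return this builder
     */
    public STSJWTBuilder claim(String str, Object obj) {
        this.claimSetBuilder.claim(str, obj);
        return this;
    }

    /**
     * Adds every entry of the map as a claim. A {@code null} map is treated as empty.
     *
     * @param map claim names to values, may be {@code null}
     * @return this builder
     */
    public STSJWTBuilder claims(Map<String, Object> map) {
        if (map != null) {
            map.forEach(this.claimSetBuilder::claim);
        }
        return this;
    }

    /**
     * Sets the {@code scope} claim to the given list.
     *
     * @param list scope values
     * @return this builder
     */
    public STSJWTBuilder scopes(List<String> list) {
        return claim(SCOPE_CLAIM, list);
    }

    /**
     * Sets the token lifetime. The value is not range-checked here: zero or a negative number
     * yields a token whose {@code exp} is not after its {@code iat}.
     *
     * @param j lifetime in seconds, counted from the moment {@link #build()} is called
     * @return this builder
     */
    public STSJWTBuilder expiryInSeconds(long j) {
        this.expiryInSeconds = j;
        return this;
    }

    /**
     * Replaces the audience with a copy of the given list. Copying keeps a later
     * {@link #audience(String)} call from modifying the caller's list, and from failing when
     * the caller passed an unmodifiable or {@code null} list.
     *
     * @param list audience values; {@code null} or empty selects the default gateway audience
     * @return this builder
     */
    public STSJWTBuilder audience(List<String> list) {
        this.audience.clear();
        if (list != null) {
            this.audience.addAll(list);
        }
        return this;
    }

    /**
     * Appends one audience value. Blank or {@code null} values are dropped at build time.
     *
     * @param str audience value
     * @return this builder
     */
    public STSJWTBuilder audience(String str) {
        this.audience.add(str);
        return this;
    }

    /**
     * Assembles the header and claims, signs the token with the private key supplied by
     * {@code CertificateUtils.getKeyResolver()}, and returns its compact serialization.
     *
     * @return the serialized signed JWT
     * @throws CelleryCellSTSException if the header cannot be built or signing fails; the
     *     underlying exception is attached as the cause
     */
    public String build() throws CelleryCellSTSException {
        JWSHeader header;
        try {
            header = buildJWSHeader();
        } catch (KeyResolverException | NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new CelleryCellSTSException("Error while building JWS header", e);
        }

        // Written last on purpose: these values replace any same-named caller-supplied claim.
        addMandatoryClaims(this.claimSetBuilder);
        SignedJWT signedJWT = new SignedJWT(header, this.claimSetBuilder.build());

        try {
            signedJWT.sign(new RSASSASigner(CertificateUtils.getKeyResolver().getPrivateKey()));
            return signedJWT.serialize();
        } catch (JOSEException | KeyResolverException e) {
            throw new CelleryCellSTSException("Error while signing JWT", e);
        }
    }

    /**
     * Builds the JWS header, setting both {@code kid} and {@code x5t} to the thumbprint of the
     * resolver's certificate so verifiers can select the matching key.
     */
    private JWSHeader buildJWSHeader() throws KeyResolverException, CertificateEncodingException, NoSuchAlgorithmException {
        String thumbPrint = CertificateUtils.getThumbPrint(CertificateUtils.getKeyResolver().getCertificate());
        this.headerBuilder.keyID(thumbPrint);
        // Base64URL(String) wraps the text as-is; assumes getThumbPrint already returns a
        // base64url-encoded digest. The digest algorithm is not visible here. TODO confirm both.
        this.headerBuilder.x509CertThumbprint(new Base64URL(thumbPrint));
        return this.headerBuilder.build();
    }

    /**
     * Writes the claims every token must carry: a fresh random {@code jti}, {@code iss},
     * {@code iat}, {@code exp}, {@code aud} and the fixed {@code keytype}.
     */
    private void addMandatoryClaims(JWTClaimsSet.Builder builder) {
        Date issuedAt = new Date(System.currentTimeMillis());
        Date expiresAt = new Date(issuedAt.getTime() + (this.expiryInSeconds * 1000));
        builder.jwtID(UUID.randomUUID().toString())
                .issuer(getIssuer())
                .issueTime(issuedAt)
                .expirationTime(expiresAt)
                .audience(getAudience(this.audience))
                .claim(KEY_TYPE_CLAIM, PRODUCTION_KEY_TYPE);
    }

    private String getIssuer() {
        return this.issuer;
    }

    /**
     * Returns the audience to place in the token: the non-blank entries of {@code list}, or the
     * default gateway audience when none remain. Falling back after filtering keeps a list that
     * held only blank entries from producing a token with no audience restriction.
     */
    private List<String> getAudience(List<String> list) {
        List<String> fallback = Collections.singletonList(MICRO_GATEWAY_DEFAULT_AUDIENCE_VALUE);
        if (list == null || list.isEmpty()) {
            return fallback;
        }
        List<String> nonBlank = list.stream().filter(StringUtils::isNotBlank).collect(Collectors.toList());
        return nonBlank.isEmpty() ? fallback : nonBlank;
    }
}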
