package org.apereo.cas.util.cipher;

import com.google.common.base.Predicates;
import java.io.File;
import java.io.IOException;
import java.io.Serializable;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Predicate;
import java.util.stream.Stream;
import javax.annotation.PreDestroy;
import lombok.Generated;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.util.io.FileWatcherService;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/cas-server-core-util-api-5.3.5.jar:org/apereo/cas/util/cipher/JsonWebKeySetStringCipherExecutor.class */
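/**
 * String cipher that takes its signing keys from a JWKS keystore file and, when an
 * endpoint URL is configured, its encryption keys from an HTTPS JWKS endpoint.
 *
 * <p>The keystore file is watched and re-parsed when the watcher reports a change.
 * A failed reload is logged and the previously loaded key set stays in use.
 *
 * <p>NOTE(review): {@link #encode} and {@link #decode} both write the signing and
 * encryption keys through inherited setters immediately before delegating to the
 * superclass, and the two directions install different keys (private vs. public).
 * If one instance is shared between threads, an encode and a decode could interleave
 * and run with the other direction's key. Confirm how instances are scoped.
 */
public class JsonWebKeySetStringCipherExecutor extends BaseStringCipherExecutor implements AutoCloseable {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(JsonWebKeySetStringCipherExecutor.class);

    private final FileWatcherService keystorePatchWatcherService;
    private final Optional<String> keyIdToUse;
    private final Optional<HttpsJwks> httpsJkws;

    // Reassigned from the file-watcher callback as well as read by encode/decode; volatile so a
    // reloaded key set is visible to the calling threads (the watcher is presumably a separate
    // thread, as the "watcher thread" log line suggests).
    private volatile JsonWebKeySet webKeySet;

    /**
     * Creates a cipher backed by the given keystore, with no key id filter and no JWKS endpoint.
     *
     * @param file JWKS keystore file
     */
    public JsonWebKeySetStringCipherExecutor(File file) {
        this(file, Optional.<String>empty());
    }

    /**
     * Creates a cipher backed by the given keystore and JWKS endpoint, with no key id filter.
     *
     * @param file JWKS keystore file
     * @param str  URL of the HTTPS JWKS endpoint; blank or {@code null} disables encryption setup
     */
    public JsonWebKeySetStringCipherExecutor(File file, String str) {
        this(file, Optional.empty(), str);
    }

    /**
     * Creates a cipher backed by the given keystore, optionally restricted to one key id.
     *
     * @param file     JWKS keystore file
     * @param optional key id to select from the keystore; empty selects the first RSA key
     */
    public JsonWebKeySetStringCipherExecutor(File file, Optional<String> optional) {
        this(file, optional, null);
    }

    /**
     * Loads the keystore, registers a watcher that reloads it, and starts the watcher.
     *
     * @param file     JWKS keystore file
     * @param optional key id to select from the keystore; empty selects the first RSA key
     * @param str      URL of the HTTPS JWKS endpoint; blank or {@code null} disables encryption setup
     * @throws UncheckedIOException     if the keystore file cannot be read
     * @throws IllegalArgumentException if the keystore content cannot be parsed as a key set
     */
    public JsonWebKeySetStringCipherExecutor(File file, Optional<String> optional, String str) {
        // Read and parse before the watcher exists, so a bad keystore fails fast without
        // leaving a watcher object behind.
        this.webKeySet = loadKeySet(file);
        this.keystorePatchWatcherService = new FileWatcherService(file, file2 -> {
            try {
                this.webKeySet = loadKeySet(file);
            } catch (Exception e) {
                // Keep serving with the previous key set; a half-written keystore must not
                // take the cipher down.
                LOGGER.error(e.getMessage(), (Throwable) e);
            }
        });
        this.keyIdToUse = optional;
        this.httpsJkws = StringUtils.isNotBlank(str) ? Optional.of(new HttpsJwks(str)) : Optional.empty();
        this.keystorePatchWatcherService.start(getClass().getSimpleName());
        LOGGER.debug("Started JWKS watcher thread");
    }

    /**
     * Reads the keystore file as UTF-8 and parses it into a key set.
     * The keystore content is never put into the exception message.
     */
    private static JsonWebKeySet loadKeySet(File file) {
        try {
            return new JsonWebKeySet(FileUtils.readFileToString(file, StandardCharsets.UTF_8));
        } catch (IOException e) {
            throw new UncheckedIOException("Unable to read JWKS keystore file " + file, e);
        } catch (Exception e) {
            throw new IllegalArgumentException("Unable to parse JWKS keystore file " + file, e);
        }
    }

    /** Stops the keystore file watcher. */
    @Override
    @PreDestroy
    public void close() {
        if (this.keystorePatchWatcherService != null) {
            this.keystorePatchWatcherService.close();
        }
    }

    /**
     * Installs the private signing key and, if an endpoint is configured, the public
     * encryption key, then delegates to the superclass.
     */
    @Override
    public String encode(Serializable serializable, Object[] objArr) {
        configureSigningParametersForEncoding();
        configureEncryptionParametersForEncoding();
        return super.encode(serializable, objArr);
    }

    /**
     * Installs the public verification key and, if an endpoint is configured, the private
     * decryption key, then delegates to the superclass.
     */
    @Override
    public String decode(Serializable serializable, Object[] objArr) {
        configureSigningParametersForDecoding();
        configureEncryptionParametersForDecoding();
        return super.decode(serializable, objArr);
    }

    /**
     * Selects the keystore's RSA key and installs its public half for signature verification.
     *
     * @throws IllegalArgumentException if no RSA key matches or the key has no public part
     */
    private void configureSigningParametersForDecoding() {
        RsaJsonWebKey rsaJsonWebKey = findRsaJsonWebKeyByProvidedKeyId(this.webKeySet.getJsonWebKeys())
            .orElseThrow(() -> new IllegalArgumentException("Could not locate RSA JSON web key from keystore"));
        if (rsaJsonWebKey.getPublicKey() == null) {
            throw new IllegalArgumentException("Public key located from keystore for key id " + rsaJsonWebKey.getKeyId() + " is undefined");
        }
        setSigningKey(rsaJsonWebKey.getPublicKey());
    }

    /**
     * Installs the decryption key taken from the JWKS endpoint; a no-op without an endpoint.
     *
     * <p>NOTE(review): this requires the document served by the endpoint to contain an RSA
     * private key. A JWKS endpoint normally publishes public keys only, so either this path
     * always fails or the endpoint exposes private key material; confirm which is intended.
     * The configured key id is not applied here; the first RSA key in the set is used.
     *
     * @throws RuntimeException wrapping any failure, including a missing key
     */
    private void configureEncryptionParametersForDecoding() {
        if (!this.httpsJkws.isPresent()) {
            LOGGER.debug("No JWKS endpoint is defined. Configuration of encryption parameters and keys are skipped");
            return;
        }
        try {
            Optional<RsaJsonWebKey> endpointKey = findRsaJsonWebKey(this.httpsJkws.get().getJsonWebKeys(), Predicates.alwaysTrue());
            if (!endpointKey.isPresent()) {
                throw new IllegalArgumentException("Could not locate RSA JSON web key from endpoint");
            }
            RsaJsonWebKey rsaJsonWebKey = endpointKey.get();
            if (rsaJsonWebKey.getPrivateKey() == null) {
                throw new IllegalArgumentException("Private key located from endpoint for key id " + rsaJsonWebKey.getKeyId() + " is undefined");
            }
            setSecretKeyEncryptionKey(rsaJsonWebKey.getPrivateKey());
            setContentEncryptionAlgorithmIdentifier("A128CBC-HS256");
            setEncryptionAlgorithm("RSA-OAEP-256");
        } catch (Exception e) {
            // Callers see a RuntimeException for every failure on this path, including the
            // IllegalArgumentExceptions raised above.
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Installs the encryption key taken from the JWKS endpoint; a no-op without an endpoint.
     *
     * <p>The configured key id is not applied here; the first RSA key in the fetched set is
     * used, so the result depends on the order in which the endpoint lists its keys.
     *
     * @throws RuntimeException wrapping any failure, including a missing key
     */
    private void configureEncryptionParametersForEncoding() {
        if (!this.httpsJkws.isPresent()) {
            LOGGER.debug("No JWKS endpoint is defined. Configuration of encryption parameters and keys are skipped");
            return;
        }
        try {
            Optional<RsaJsonWebKey> endpointKey = findRsaJsonWebKey(this.httpsJkws.get().getJsonWebKeys(), Predicates.alwaysTrue());
            if (!endpointKey.isPresent()) {
                throw new IllegalArgumentException("Could not locate RSA JSON web key from endpoint");
            }
            RsaJsonWebKey rsaJsonWebKey = endpointKey.get();
            if (rsaJsonWebKey.getPublicKey() == null) {
                throw new IllegalArgumentException("Public key located from endpoint for key id " + rsaJsonWebKey.getKeyId() + " is undefined");
            }
            setSecretKeyEncryptionKey(rsaJsonWebKey.getPublicKey());
            setContentEncryptionAlgorithmIdentifier("A128CBC-HS256");
            setEncryptionAlgorithm("RSA-OAEP-256");
        } catch (Exception e) {
            // Same wrapping as the decoding path, so both directions fail with the same type.
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Selects the keystore's RSA key and installs its private half for signing.
     *
     * @throws IllegalArgumentException if no RSA key matches or the key has no private part
     */
    private void configureSigningParametersForEncoding() {
        RsaJsonWebKey rsaJsonWebKey = findRsaJsonWebKeyByProvidedKeyId(this.webKeySet.getJsonWebKeys())
            .orElseThrow(() -> new IllegalArgumentException("Could not locate RSA JSON web key from keystore"));
        if (rsaJsonWebKey.getPrivateKey() == null) {
            throw new IllegalArgumentException("Private key located from keystore for key id " + rsaJsonWebKey.getKeyId() + " is undefined");
        }
        setSigningKey(rsaJsonWebKey.getPrivateKey());
    }

    /**
     * Finds the first RSA key whose id matches the configured key id, or the first RSA key
     * of any id when none is configured.
     *
     * <p>NOTE(review): the comparison ignores case, while RFC 7517 defines {@code kid} as a
     * case-sensitive string; two keys whose ids differ only in case would be treated as the
     * same. Kept as-is so that existing keystores keep resolving.
     */
    private Optional<RsaJsonWebKey> findRsaJsonWebKeyByProvidedKeyId(List<JsonWebKey> list) {
        if (!this.keyIdToUse.isPresent()) {
            return findRsaJsonWebKey(list, Predicates.alwaysTrue());
        }
        String wantedKeyId = this.keyIdToUse.get();
        // Compare from the configured id so a key without a "kid" is skipped, not dereferenced.
        return findRsaJsonWebKey(list, jsonWebKey -> wantedKeyId.equalsIgnoreCase(jsonWebKey.getKeyId()));
    }

    /**
     * Returns the first key in {@code list} that is an RSA key and satisfies {@code predicate}.
     */
    private Optional<RsaJsonWebKey> findRsaJsonWebKey(List<JsonWebKey> list, Predicate<JsonWebKey> predicate) {
        return list.stream()
            .filter(RsaJsonWebKey.class::isInstance)
            .filter(predicate)
            .map(RsaJsonWebKey.class::cast)
            .findFirst();
    }

    /**
     * Replaces the key set used for signing and verification.
     *
     * @param jsonWebKeySet the key set to use from now on
     */
    @Generated
    public void setWebKeySet(JsonWebKeySet jsonWebKeySet) {
        this.webKeySet = jsonWebKeySet;
    }
}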
