package org.mitre.openid.connect.service.impl;

import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.net.URI;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.mitre.jwt.encryption.service.JWTEncryptionAndDecryptionService;
import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
import org.mitre.jwt.signer.service.impl.ClientKeyCacheService;
import org.mitre.jwt.signer.service.impl.SymmetricKeyJWTValidatorCacheService;
import org.mitre.oauth2.model.AuthenticationHolderEntity;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.repository.AuthenticationHolderRepository;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.mitre.openid.connect.request.ConnectRequestParameters;
import org.mitre.openid.connect.service.OIDCTokenService;
import org.mitre.openid.connect.util.IdTokenHashUtils;
import org.mitre.openid.connect.web.AuthenticationTimeStamper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.stereotype.Service;

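@Service
/**
 * Default {@link OIDCTokenService}: builds the OpenID Connect ID token that accompanies an
 * access token, and the client-bound "registration" and "resource" access tokens used by the
 * dynamic-registration and protected-resource endpoints.
 * <p>
 * Collaborators are injected by Spring; the setters exist for tests and manual wiring.
 */
public class DefaultOIDCTokenService implements OIDCTokenService {
    private static final Logger logger = LoggerFactory.getLogger(DefaultOIDCTokenService.class);

    // Scope values that mark the special-purpose token entities this service creates.
    private static final String ID_TOKEN_SCOPE = "id-token";
    private static final String REGISTRATION_TOKEN_SCOPE = "registration-token";
    private static final String RESOURCE_TOKEN_SCOPE = "resource-token";

    // Request extension key checked (next to MAX_AGE) to decide whether auth_time is emitted.
    private static final String IDTOKEN_EXTENSION = "idtoken";

    /** Signs with the server's own keys and supplies the default algorithm / key id. */
    @Autowired
    private JWTSigningAndValidationService jwtService;

    /** Persists the client-only authentication attached to registration/resource tokens. */
    @Autowired
    private AuthenticationHolderRepository authenticationHolderRepository;

    /** Source of the {@code iss} value. */
    @Autowired
    private ConfigurationPropertiesBean configBean;

    /** Per-client encrypters built from the client's registered JWKS / jwks_uri. */
    @Autowired
    private ClientKeyCacheService encrypters;

    /** Per-client HMAC signers (symmetric key derived from the client's registration). */
    @Autowired
    private SymmetricKeyJWTValidatorCacheService symmetricCacheService;

    /** Looks up and revokes the client's existing registration/resource token. */
    @Autowired
    private OAuth2TokenEntityService tokenService;

    /**
     * Builds the ID token for an authorization that just issued {@code oAuth2AccessTokenEntity}.
     * <p>
     * Claims written: {@code iss}, {@code sub}, {@code aud} (client id), {@code iat}, {@code jti};
     * {@code exp} when the client has an ID-token validity; {@code auth_time} when the request
     * carried {@code max_age} or the {@code idtoken} extension or the client requires it;
     * {@code nonce} when the request sent one; {@code at_hash} when the response also returns an
     * access token. The result is encrypted for the client when it registered both an encryption
     * alg and enc and a key source, otherwise it is signed with the client's registered signing
     * algorithm (server default if none), or left unsigned for {@code none}.
     *
     * @param clientDetailsEntity the requesting client
     * @param oAuth2Request the original authorization request; its extensions hold nonce,
     *        max_age and the authentication timestamp
     * @param date issue time, written as {@code iat}
     * @param str subject identifier, written as {@code sub}
     * @param oAuth2AccessTokenEntity the access token this ID token accompanies; supplies the
     *        client, the authentication holder and the input for {@code at_hash}
     * @return a new token entity with scope {@code id-token} carrying the ID token JWT; the JWT is
     *         left unset when encryption was requested but no encrypter exists for the client
     * @throws NumberFormatException if the stored authentication timestamp is not a number
     */
    @Override
    public OAuth2AccessTokenEntity createIdToken(ClientDetailsEntity clientDetailsEntity, OAuth2Request oAuth2Request, Date date, String str, OAuth2AccessTokenEntity oAuth2AccessTokenEntity) {
        // The client's registered signing algorithm overrides the server default.
        JWSAlgorithm signingAlg = this.jwtService.getDefaultSigningAlgorithm();
        if (clientDetailsEntity.getIdTokenSignedResponseAlg() != null) {
            signingAlg = clientDetailsEntity.getIdTokenSignedResponseAlg();
        }

        OAuth2AccessTokenEntity idTokenEntity = new OAuth2AccessTokenEntity();
        JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
        Map<String, ?> extensions = oAuth2Request.getExtensions();

        if (requiresAuthTime(clientDetailsEntity, extensions)) {
            Object authTimestamp = extensions.get(AuthenticationTimeStamper.AUTH_TIMESTAMP);
            if (authTimestamp != null) {
                // Stored as epoch milliseconds; auth_time is epoch seconds.
                long authMillis = Long.parseLong((String) authTimestamp);
                claims.claim("auth_time", authMillis / 1000);
            } else {
                logger.warn("Unable to find authentication timestamp! There is likely something wrong with the configuration.");
            }
        }

        claims.issueTime(date);
        Integer validitySeconds = clientDetailsEntity.getIdTokenValiditySeconds();
        if (validitySeconds != null) {
            // 1000L keeps this in long arithmetic: int seconds * 1000 overflowed past ~24 days.
            Date expiration = new Date(System.currentTimeMillis() + validitySeconds * 1000L);
            claims.expirationTime(expiration);
            idTokenEntity.setExpiration(expiration);
        }

        claims.issuer(this.configBean.getIssuer());
        claims.subject(str);
        claims.audience(Lists.newArrayList(clientDetailsEntity.getClientId()));
        claims.jwtID(UUID.randomUUID().toString());

        // nonce is echoed back only when the request supplied one.
        String nonce = (String) extensions.get(ConnectRequestParameters.NONCE);
        if (!Strings.isNullOrEmpty(nonce)) {
            claims.claim(ConnectRequestParameters.NONCE, nonce);
        }

        // at_hash binds this ID token to the access token returned alongside it; it is derived
        // with the ID token's signing algorithm, as the hash length depends on it.
        if (oAuth2Request.getResponseTypes().contains("token")) {
            claims.claim("at_hash", IdTokenHashUtils.getAccessTokenHash(signingAlg, oAuth2AccessTokenEntity));
        }

        if (clientWantsEncryptedIdToken(clientDetailsEntity)) {
            JWTEncryptionAndDecryptionService encrypter = this.encrypters.getEncrypter(clientDetailsEntity);
            if (encrypter != null) {
                EncryptedJWT encryptedJwt = new EncryptedJWT(
                        new JWEHeader(clientDetailsEntity.getIdTokenEncryptedResponseAlg(), clientDetailsEntity.getIdTokenEncryptedResponseEnc()),
                        claims.build());
                encrypter.encryptJwt(encryptedJwt);
                idTokenEntity.setJwt(encryptedJwt);
            } else {
                // NOTE(review): the entity is returned without any JWT here; callers must
                // treat a null JWT as a failure rather than hand the entity to the client.
                logger.error("Couldn't find encrypter for client: " + clientDetailsEntity.getClientId());
            }
        } else {
            // Reached also when the client registered encryption but published no keys
            // (no jwks_uri and no jwks): the ID token then goes out signed but unencrypted.
            attachSignedIdToken(idTokenEntity, clientDetailsEntity, signingAlg, claims);
        }

        idTokenEntity.setAuthenticationHolder(oAuth2AccessTokenEntity.getAuthenticationHolder());
        idTokenEntity.setScope(Sets.newHashSet(ID_TOKEN_SCOPE));
        idTokenEntity.setClient(oAuth2AccessTokenEntity.getClient());
        return idTokenEntity;
    }

    /** True when the request or the client's registration calls for an {@code auth_time} claim. */
    private static boolean requiresAuthTime(ClientDetailsEntity client, Map<String, ?> extensions) {
        return extensions.containsKey(ConnectRequestParameters.MAX_AGE)
                || extensions.containsKey(IDTOKEN_EXTENSION)
                || (client.getRequireAuthTime() != null && client.getRequireAuthTime().booleanValue());
    }

    /**
     * True when the client registered a real (non-{@code none}) encryption alg and enc and has a
     * key source (jwks_uri or inline jwks) the encrypter can use.
     */
    private static boolean clientWantsEncryptedIdToken(ClientDetailsEntity client) {
        boolean algSet = client.getIdTokenEncryptedResponseAlg() != null
                && !client.getIdTokenEncryptedResponseAlg().equals(Algorithm.NONE);
        boolean encSet = client.getIdTokenEncryptedResponseEnc() != null
                && !client.getIdTokenEncryptedResponseEnc().equals(Algorithm.NONE);
        boolean hasKeys = !Strings.isNullOrEmpty(client.getJwksUri()) || client.getJwks() != null;
        return algSet && encSet && hasKeys;
    }

    /** True for the HMAC family, which is signed with the client's symmetric key. */
    private static boolean isHmac(JWSAlgorithm alg) {
        return alg.equals(JWSAlgorithm.HS256) || alg.equals(JWSAlgorithm.HS384) || alg.equals(JWSAlgorithm.HS512);
    }

    /** JWS header carrying only the algorithm and the signer's key id. */
    private static JWSHeader headerFor(JWSAlgorithm alg, String keyId) {
        return new JWSHeader(alg, (JOSEObjectType) null, (String) null, (Set) null, (URI) null, (JWK) null,
                (URI) null, (Base64URL) null, (Base64URL) null, (List) null, keyId, (Map) null, (Base64URL) null);
    }

    /**
     * Signs the ID token claims per {@code signingAlg} and stores the resulting JWT on the entity:
     * unsigned for {@code none}, HMAC with the client's symmetric key, otherwise the server key.
     */
    private void attachSignedIdToken(OAuth2AccessTokenEntity idTokenEntity, ClientDetailsEntity client, JWSAlgorithm signingAlg, JWTClaimsSet.Builder claims) {
        if (signingAlg.equals(Algorithm.NONE)) {
            // Unsigned token: only when the client (or server default) selected alg=none.
            idTokenEntity.setJwt(new PlainJWT(claims.build()));
            return;
        }
        String keyId = this.jwtService.getDefaultSignerKeyId();
        if (isHmac(signingAlg)) {
            SignedJWT jwt = new SignedJWT(headerFor(signingAlg, keyId), claims.build());
            this.symmetricCacheService.getSymmetricValidtor(client).signJwt(jwt);
            idTokenEntity.setJwt(jwt);
            return;
        }
        // The signer key id is duplicated into the claims set (kept from the original behavior).
        claims.claim("kid", keyId);
        SignedJWT jwt = new SignedJWT(headerFor(signingAlg, keyId), claims.build());
        this.jwtService.signJwt(jwt);
        idTokenEntity.setJwt(jwt);
    }

    /**
     * Issues a fresh registration access token for the client, revoking any existing one.
     *
     * @param clientDetailsEntity the registered client
     * @return the new token entity with scope {@code registration-token}
     */
    @Override
    public OAuth2AccessTokenEntity createRegistrationAccessToken(ClientDetailsEntity clientDetailsEntity) {
        return createAssociatedToken(clientDetailsEntity, Sets.newHashSet(REGISTRATION_TOKEN_SCOPE));
    }

    /**
     * Issues a fresh resource access token for the client, revoking any existing one.
     *
     * @param clientDetailsEntity the protected resource's client record
     * @return the new token entity with scope {@code resource-token}
     */
    @Override
    public OAuth2AccessTokenEntity createResourceAccessToken(ClientDetailsEntity clientDetailsEntity) {
        return createAssociatedToken(clientDetailsEntity, Sets.newHashSet(RESOURCE_TOKEN_SCOPE));
    }

    /**
     * Revokes the client's current registration/resource token and issues a replacement with the
     * same scope.
     *
     * @param clientDetailsEntity the client whose token is rotated
     * @return the replacement token, or {@code null} when the client has no such token
     */
    @Override
    public OAuth2AccessTokenEntity rotateRegistrationAccessTokenForClient(ClientDetailsEntity clientDetailsEntity) {
        OAuth2AccessTokenEntity current = this.tokenService.getRegistrationAccessTokenForClient(clientDetailsEntity);
        if (current == null) {
            return null;
        }
        // Carry the old scope over so a resource token rotates into a resource token.
        Set<String> scope = current.getScope();
        this.tokenService.revokeAccessToken(current);
        return createAssociatedToken(clientDetailsEntity, scope);
    }

    /**
     * Creates a client-bound token (no resource owner) with the given scope, replacing any token
     * the client already holds.
     *
     * @param clientDetailsEntity the client the token belongs to
     * @param set the scope set stored on the entity and in the OAuth2 request
     * @return the persisted-ready token entity carrying a signed JWT
     */
    private OAuth2AccessTokenEntity createAssociatedToken(ClientDetailsEntity clientDetailsEntity, Set<String> set) {
        // A client holds at most one of these tokens: revoke the current one first.
        OAuth2AccessTokenEntity existing = this.tokenService.getRegistrationAccessTokenForClient(clientDetailsEntity);
        if (existing != null) {
            this.tokenService.revokeAccessToken(existing);
        }

        // Client-only authentication carrying ROLE_CLIENT; no user authentication is attached.
        OAuth2Request clientRequest = new OAuth2Request(Maps.newHashMap(), clientDetailsEntity.getClientId(),
                Sets.newHashSet(new SimpleGrantedAuthority("ROLE_CLIENT")), true, set,
                (Set) null, (String) null, (Set) null, (Map) null);
        OAuth2Authentication clientAuth = new OAuth2Authentication(clientRequest, (Authentication) null);

        OAuth2AccessTokenEntity token = new OAuth2AccessTokenEntity();
        token.setClient(clientDetailsEntity);
        token.setScope(set);

        AuthenticationHolderEntity holder = new AuthenticationHolderEntity();
        holder.setAuthentication(clientAuth);
        token.setAuthenticationHolder(this.authenticationHolderRepository.save(holder));

        // Nothing in this method sets an expiration on the entity, so exp is whatever a fresh
        // entity reports (presumably null, i.e. no exp claim: the token lives until revoked/rotated).
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .audience(Lists.newArrayList(clientDetailsEntity.getClientId()))
                .issuer(this.configBean.getIssuer())
                .issueTime(new Date())
                .expirationTime(token.getExpiration())
                .jwtID(UUID.randomUUID().toString())
                .build();
        SignedJWT jwt = new SignedJWT(
                headerFor(this.jwtService.getDefaultSigningAlgorithm(), this.jwtService.getDefaultSignerKeyId()),
                claims);
        this.jwtService.signJwt(jwt);
        token.setJwt(jwt);
        return token;
    }

    public ConfigurationPropertiesBean getConfigBean() {
        return this.configBean;
    }

    public void setConfigBean(ConfigurationPropertiesBean configurationPropertiesBean) {
        this.configBean = configurationPropertiesBean;
    }

    public JWTSigningAndValidationService getJwtService() {
        return this.jwtService;
    }

    public void setJwtService(JWTSigningAndValidationService jWTSigningAndValidationService) {
        this.jwtService = jWTSigningAndValidationService;
    }

    public AuthenticationHolderRepository getAuthenticationHolderRepository() {
        return this.authenticationHolderRepository;
    }

    public void setAuthenticationHolderRepository(AuthenticationHolderRepository authenticationHolderRepository) {
        this.authenticationHolderRepository = authenticationHolderRepository;
    }
}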
