package org.apereo.cas.token;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import java.time.ZonedDateTime;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import lombok.Generated;
import org.apereo.cas.CipherExecutor;
import org.apereo.cas.authentication.Authentication;
import org.apereo.cas.authentication.principal.Service;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.ticket.ExpirationPolicy;
import org.apereo.cas.ticket.TicketGrantingTicket;
import org.apereo.cas.token.cipher.RegisteredServiceTokenTicketCipherExecutor;
import org.apereo.cas.util.DateTimeUtils;
import org.hjson.JsonValue;
import org.hjson.Stringify;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.TicketValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/token/JWTTokenTicketBuilder.class */
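/**
 * Builds JWTs that are handed out in place of CAS tickets.
 *
 * <p>The claim set is assembled from a validated service ticket or from a
 * ticket-granting ticket and is then protected, in order of preference, by:
 * <ol>
 *   <li>keys defined on the registered service, when
 *       {@link RegisteredServiceTokenTicketCipherExecutor#supports} accepts it;</li>
 *   <li>the default (global) token cipher, when it is enabled;</li>
 *   <li>nothing: the claims are serialized as an unsecured {@link PlainJWT}.</li>
 * </ol>
 *
 * <p>A token produced by the last branch carries no signature, so a consumer
 * cannot verify its issuer or integrity. Deployments should enable one of the
 * first two branches; the fallback is reported at WARN level.
 */
public class JWTTokenTicketBuilder implements TokenTicketBuilder {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(JWTTokenTicketBuilder.class);
    private final TicketValidator ticketValidator;
    // Used as the "iss" claim of every token and as the audience of TGT-based tokens.
    private final String casSeverPrefix;
    private final CipherExecutor<String, String> defaultTokenCipherExecutor;
    private final ExpirationPolicy expirationPolicy;
    private final ServicesManager servicesManager;

    /**
     * Validates a service ticket and turns the resulting assertion into a JWT.
     *
     * <p>The audience is the service id, the subject is the assertion's principal
     * name, and the ticket id is used as the token's {@code jti}. Principal
     * attributes are merged over assertion attributes (same key: principal wins).
     *
     * @param str     the service ticket id to validate
     * @param service the service the ticket was issued for
     * @return the encoded token
     */
    @Override
    public String build(String str, Service service) {
        // NOTE(review): TicketValidator.validate declares a checked validation
        // exception in the CAS client API and this listing has no handler for it;
        // presumably it is rethrown unchecked in the original source. Confirm.
        Assertion assertion = this.ticketValidator.validate(str, service.getId());

        Map<String, Object> attributes = new LinkedHashMap<String, Object>(assertion.getAttributes());
        attributes.putAll(assertion.getPrincipal().getAttributes());

        // Prefer the lifetime asserted by the validator; otherwise derive one
        // from the configured expiration policy.
        Date validUntil = assertion.getValidUntilDate() != null
            ? assertion.getValidUntilDate()
            : expirationFromPolicy();

        return buildJwt(str, service.getId(), assertion.getAuthenticationDate(),
            assertion.getPrincipal().getName(), validUntil, attributes);
    }

    /**
     * Turns a ticket-granting ticket into a JWT addressed to the CAS server itself.
     *
     * <p>The ticket-granting ticket id becomes the token's {@code jti} claim, so
     * the token carries that identifier: unless the token is encrypted, any party
     * able to read the token can also read the id. The same value appears in the
     * DEBUG output of {@code buildJwt}.
     *
     * @param ticketGrantingTicket the ticket-granting ticket to describe
     * @return the encoded token
     */
    @Override
    public String build(TicketGrantingTicket ticketGrantingTicket) {
        Authentication authentication = ticketGrantingTicket.getAuthentication();

        Map<String, Object> attributes = new LinkedHashMap<String, Object>(authentication.getAttributes());
        attributes.putAll(authentication.getPrincipal().getAttributes());

        return buildJwt(ticketGrantingTicket.getId(), this.casSeverPrefix,
            DateTimeUtils.dateOf(ticketGrantingTicket.getCreationTime()),
            authentication.getPrincipal().getId(), expirationFromPolicy(), attributes);
    }

    /** Returns "now + time-to-live of the expiration policy" as a {@link Date}. */
    private Date expirationFromPolicy() {
        long timeToLiveSeconds = this.expirationPolicy.getTimeToLive().longValue();
        return DateTimeUtils.dateOf(ZonedDateTime.now().plusSeconds(timeToLiveSeconds));
    }

    /**
     * Assembles the claim set and encodes it with the strongest protection available.
     *
     * @param jwtId      value of the {@code jti} claim (the originating ticket id)
     * @param audience   value of the {@code aud} claim; also the id used to look up
     *                   the registered service and its keys
     * @param issuedAt   value of the {@code iat} claim
     * @param subject    value of the {@code sub} claim
     * @param expiresAt  value of the {@code exp} claim
     * @param attributes additional claims copied from the authentication
     * @return the encoded token
     */
    private String buildJwt(String jwtId, String audience, Date issuedAt, String subject, Date expiresAt, Map<String, Object> attributes) {
        JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();

        // Attributes are copied first and the registered claims written afterwards.
        // Builder.claim(name, value) stores into the same claim set as the dedicated
        // setters, so an attribute that happens to be named "aud", "iss", "jti",
        // "iat" or "sub" would otherwise replace the value computed here.
        attributes.forEach(claims::claim);
        claims.audience(audience)
            .issuer(this.casSeverPrefix)
            .jwtID(jwtId)
            .issueTime(issuedAt)
            .subject(subject)
            .expirationTime(expiresAt);

        JWTClaimsSet claimsSet = claims.build();
        String claimsJson = claimsSet.toJSONObject().toJSONString();

        // NOTE(review): this writes every claim, including principal attributes and
        // the ticket id used as jti, to the log. Keep DEBUG off for this logger in
        // production or route it to a restricted sink.
        LOGGER.debug("Generated JWT [{}]", JsonValue.readJSON(claimsJson).toString(Stringify.FORMATTED));

        LOGGER.debug("Locating service [{}] in service registry", audience);
        RegisteredService registeredService = this.servicesManager.findServiceBy(audience);
        // Authorization gate: nothing is encoded unless this call returns normally.
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(registeredService);

        LOGGER.debug("Locating service specific signing and encryption keys for [{}] in service registry", audience);
        RegisteredServiceTokenTicketCipherExecutor serviceCipher = new RegisteredServiceTokenTicketCipherExecutor();
        if (serviceCipher.supports(registeredService)) {
            LOGGER.debug("Encoding JWT based on keys provided by service [{}]", registeredService.getServiceId());
            return serviceCipher.encode(claimsJson, Optional.of(registeredService));
        }

        if (this.defaultTokenCipherExecutor.isEnabled()) {
            LOGGER.debug("Encoding JWT based on default global keys for [{}]", audience);
            return (String) this.defaultTokenCipherExecutor.encode(claimsJson);
        }

        // Neither key source is available: the token is emitted without signature
        // or encryption. Make that visible instead of degrading silently.
        LOGGER.warn("No service-specific or global token cipher is enabled; issuing an unsecured JWT for [{}]", audience);
        String plainToken = new PlainJWT(claimsSet).serialize();
        LOGGER.trace("Generating plain JWT as the ticket: [{}]", plainToken);
        return plainToken;
    }

    /** @return the validator used to validate service tickets */
    @Generated
    public TicketValidator getTicketValidator() {
        return this.ticketValidator;
    }

    /** @return the CAS server prefix used as issuer (and as audience for TGT-based tokens) */
    @Generated
    public String getCasSeverPrefix() {
        return this.casSeverPrefix;
    }

    /** @return the global cipher used when the registered service supplies no keys */
    @Generated
    public CipherExecutor<String, String> getDefaultTokenCipherExecutor() {
        return this.defaultTokenCipherExecutor;
    }

    /** @return the policy whose time-to-live bounds the token lifetime */
    @Generated
    public ExpirationPolicy getExpirationPolicy() {
        return this.expirationPolicy;
    }

    /** @return the services manager used to look up the registered service for the audience */
    @Generated
    public ServicesManager getServicesManager() {
        return this.servicesManager;
    }

    /**
     * Creates the builder.
     *
     * @param ticketValidator  validator for service tickets
     * @param str              CAS server prefix, used as the token issuer
     * @param cipherExecutor   global token cipher, used when the service has no keys
     * @param expirationPolicy policy supplying the default token lifetime
     * @param servicesManager  registry used to resolve the audience to a registered service
     */
    @Generated
    public JWTTokenTicketBuilder(TicketValidator ticketValidator, String str, CipherExecutor<String, String> cipherExecutor, ExpirationPolicy expirationPolicy, ServicesManager servicesManager) {
        this.ticketValidator = ticketValidator;
        this.casSeverPrefix = str;
        this.defaultTokenCipherExecutor = cipherExecutor;
        this.expirationPolicy = expirationPolicy;
        this.servicesManager = servicesManager;
    }
}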
