package com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt;

import com.azure.spring.cloud.autoconfigure.implementation.aad.security.constants.AadJwtClaimNames;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.produce.JWSSignerFactory;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.time.Instant;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:com/azure/spring/cloud/autoconfigure/implementation/aad/security/jwt/AadJwtEncoder.class */
public final class AadJwtEncoder {
    private static final String ENCODING_ERROR_MESSAGE_TEMPLATE = "An error occurred while attempting to encode the Jwt: %s";
    private static final JWSSignerFactory JWS_SIGNER_FACTORY = new DefaultJWSSignerFactory();
    private final Map<JWK, JWSSigner> jwsSigners = new ConcurrentHashMap();
    private final JWKSource<SecurityContext> jwkSource;

    public AadJwtEncoder(JWKSource<SecurityContext> jWKSource) {
        Assert.notNull(jWKSource, "jwkSource cannot be null");
        this.jwkSource = jWKSource;
    }

    public Jwt encode(Map<String, Object> map, Map<String, Object> map2) throws JwtException {
        Assert.notNull(map, "jwsHeader cannot be null");
        Assert.notNull(map2, "jwtClaimsSet cannot be null");
        return new Jwt(serialize(map, map2, selectJwk(map)), (Instant) map2.get("iat"), (Instant) map2.get("exp"), map, map2);
    }

    private JWK selectJwk(Map<String, Object> map) {
        try {
            List list = this.jwkSource.get(new JWKSelector(createJwkMatcher(map)), (SecurityContext) null);
            if (list.size() > 1) {
                throw new JwtException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Found multiple JWK signing keys for algorithm '" + String.valueOf(map.get("alg")) + "'"));
            }
            if (list.isEmpty()) {
                throw new JwtException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to select a JWK signing key"));
            }
            return (JWK) list.get(0);
        } catch (Exception e) {
            throw new JwtException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to select a JWK signing key -> " + e.getMessage()), e);
        }
    }

    private String serialize(Map<String, Object> map, Map<String, Object> map2, JWK jwk) {
        JWSHeader convertHeader = convertHeader(map);
        JWTClaimsSet convertClaims = convertClaims(map2);
        JWSSigner computeIfAbsent = this.jwsSigners.computeIfAbsent(jwk, AadJwtEncoder::createSigner);
        SignedJWT signedJWT = new SignedJWT(convertHeader, convertClaims);
        try {
            signedJWT.sign(computeIfAbsent);
            return signedJWT.serialize();
        } catch (JOSEException e) {
            throw new JwtException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to sign the JWT -> " + e.getMessage()), e);
        }
    }

    private static JWKMatcher createJwkMatcher(Map<String, Object> map) {
        Algorithm parse = JWSAlgorithm.parse((String) map.get("alg"));
        if (JWSAlgorithm.Family.RSA.contains(parse)) {
            return new JWKMatcher.Builder().keyType(KeyType.forAlgorithm(parse)).keyUses(new KeyUse[]{KeyUse.SIGNATURE, null}).algorithms(new Algorithm[]{parse, null}).x509CertSHA256Thumbprint(Base64URL.from((String) map.get("x5t#S256"))).build();
        }
        return null;
    }

    private static JWSSigner createSigner(JWK jwk) {
        try {
            return JWS_SIGNER_FACTORY.createJWSSigner(jwk);
        } catch (JOSEException e) {
            throw new JwtException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to create a JWS Signer -> " + e.getMessage()), e);
        }
    }

    private static JWSHeader convertHeader(Map<String, Object> map) {
        JWSHeader.Builder builder = new JWSHeader.Builder(JWSAlgorithm.parse((String) map.get("alg")));
        Map map2 = (Map) map.get("jwk");
        if (!CollectionUtils.isEmpty(map2)) {
            try {
                builder.jwk(JWK.parse(map2));
            } catch (Exception e) {
                throw new JwtException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Unable to convert 'jku' JOSE header"), e);
            }
        }
        String str = (String) map.get("kid");
        if (StringUtils.hasText(str)) {
            builder.keyID(str);
        }
        String str2 = (String) map.get("x5t");
        if (StringUtils.hasText(str2)) {
            builder.x509CertThumbprint(new Base64URL(str2));
        }
        String str3 = (String) map.get("typ");
        if (StringUtils.hasText(str3)) {
            builder.type(new JOSEObjectType(str3));
        }
        HashMap hashMap = new HashMap();
        map.forEach((str4, obj) -> {
            if (JWSHeader.getRegisteredParameterNames().contains(str4)) {
                return;
            }
            hashMap.put(str4, obj);
        });
        if (!hashMap.isEmpty()) {
            builder.customParams(hashMap);
        }
        return builder.build();
    }

    private static JWTClaimsSet convertClaims(Map<String, Object> map) {
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
        Object obj = map.get(AadJwtClaimNames.ISS);
        if (obj != null) {
            builder.issuer(obj.toString());
        }
        String str = (String) map.get(AadJwtClaimNames.SUB);
        if (StringUtils.hasText(str)) {
            builder.subject(str);
        }
        List list = (List) map.get(AadJwtClaimNames.AUD);
        if (!CollectionUtils.isEmpty(list)) {
            builder.audience(list);
        }
        Instant instant = (Instant) map.get("exp");
        if (instant != null) {
            builder.expirationTime(Date.from(instant));
        }
        Instant instant2 = (Instant) map.get("nbf");
        if (instant2 != null) {
            builder.notBeforeTime(Date.from(instant2));
        }
        Instant instant3 = (Instant) map.get("iat");
        if (instant3 != null) {
            builder.issueTime(Date.from(instant3));
        }
        String str2 = (String) map.get("jti");
        if (StringUtils.hasText(str2)) {
            builder.jwtID(str2);
        }
        HashMap hashMap = new HashMap();
        map.forEach((str3, obj2) -> {
            if (JWTClaimsSet.getRegisteredNames().contains(str3)) {
                return;
            }
            hashMap.put(str3, obj2);
        });
        if (!hashMap.isEmpty()) {
            Objects.requireNonNull(builder);
            hashMap.forEach(builder::claim);
        }
        return builder.build();
    }
}
