package org.apereo.cas.util.jwt;

import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import lombok.Generated;
import org.apache.commons.lang3.ArrayUtils;
import org.apereo.cas.util.EncodingUtils;
import org.jooq.lambda.Unchecked;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-util-api-6.6.0.jar:org/apereo/cas/util/jwt/JsonWebTokenSigner.class */
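/**
 * Produces compact JWS serializations (signed JWTs) with jose4j.
 *
 * <p>Instances are immutable once built and are created through {@link #builder()}.
 * The signer holds the signing {@link Key}; the builder's {@code toString()} therefore
 * never renders the key object itself.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An empty allowed-algorithm set, or one containing {@code "*"}, only blocks the
 *       {@code none} algorithm; every other algorithm is accepted for signing.</li>
 *   <li>Entries of the custom header map are applied after {@code alg}, {@code typ} and
 *       {@code kid}, so a map containing those names replaces the values set here.</li>
 *   <li>When no key id is supplied, {@code kid} is a random UUID unrelated to the key.</li>
 * </ul>
 */
public class JsonWebTokenSigner {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(JsonWebTokenSigner.class);

    /** Wildcard set meaning "any algorithm except {@code none}". */
    public static final Set<String> ALGORITHM_ALL_EXCEPT_NONE = Set.of("*");

    private final String keyId;
    private final String algorithm;
    private final Map<String, Object> headers;
    private final Key key;
    private final Set<String> allowedAlgorithms;

    /**
     * Lombok-style builder for {@link JsonWebTokenSigner}.
     *
     * <p>The {@code $set} flags record whether a property with a default was explicitly
     * assigned, so an explicit {@code null} is distinguishable from "not configured".
     *
     * @param <C> the signer type produced by {@link #build()}
     * @param <B> the concrete builder type returned by the fluent setters
     */
    @Generated
    /* loaded from: input_file:WEB-INF/lib/cas-server-core-util-api-6.6.0.jar:org/apereo/cas/util/jwt/JsonWebTokenSigner$JsonWebTokenSignerBuilder.class */
    public static abstract class JsonWebTokenSignerBuilder<C extends JsonWebTokenSigner, B extends JsonWebTokenSignerBuilder<C, B>> {

        @Generated
        private boolean keyId$set;

        @Generated
        private String keyId$value;

        @Generated
        private String algorithm;

        @Generated
        private boolean headers$set;

        @Generated
        private Map<String, Object> headers$value;

        @Generated
        private Key key;

        @Generated
        private boolean allowedAlgorithms$set;

        @Generated
        private Set<String> allowedAlgorithms$value;

        /** @return this builder, typed as the concrete builder class */
        @Generated
        protected abstract B self();

        /** @return a signer configured from the values collected so far */
        @Generated
        public abstract C build();

        /**
         * Sets the {@code kid} header value; overrides the random-UUID default.
         *
         * @param keyId the key identifier to emit
         * @return this builder
         */
        @Generated
        public B keyId(String keyId) {
            this.keyId$value = keyId;
            this.keyId$set = true;
            return self();
        }

        /**
         * Sets the {@code alg} header value used for signing. There is no default.
         *
         * @param algorithm the JWS algorithm identifier
         * @return this builder
         */
        @Generated
        public B algorithm(String algorithm) {
            this.algorithm = algorithm;
            return self();
        }

        /**
         * Sets additional JOSE headers. The map is stored by reference (no copy) and its
         * values are rendered with {@code toString()} at signing time, so they must be
         * non-null.
         *
         * @param headers extra header name/value pairs
         * @return this builder
         */
        @Generated
        public B headers(Map<String, Object> headers) {
            this.headers$value = headers;
            this.headers$set = true;
            return self();
        }

        /**
         * Sets the signing key.
         *
         * @param key the key handed to jose4j for signing
         * @return this builder
         */
        @Generated
        public B key(Key key) {
            this.key = key;
            return self();
        }

        /**
         * Sets the algorithms the signer is permitted to use. The set is stored by
         * reference (no copy).
         *
         * @param allowedAlgorithms permitted algorithm identifiers, or a set containing
         *                          {@code "*"} for "anything but none"
         * @return this builder
         */
        @Generated
        public B allowedAlgorithms(Set<String> allowedAlgorithms) {
            this.allowedAlgorithms$value = allowedAlgorithms;
            this.allowedAlgorithms$set = true;
            return self();
        }

        /**
         * Describes the builder state for diagnostics.
         *
         * <p>The key is reported only as present/absent: {@code Key#toString()} is
         * provider-defined and may include key parameters, which must not reach logs
         * or exception messages.
         *
         * @return a description of the builder that never contains the key object
         */
        @Override
        public String toString() {
            String keyState = this.key == null ? "null" : "<redacted>";
            return "JsonWebTokenSigner.JsonWebTokenSignerBuilder(keyId$value=" + this.keyId$value
                + ", algorithm=" + this.algorithm
                + ", headers$value=" + this.headers$value
                + ", key=" + keyState
                + ", allowedAlgorithms$value=" + this.allowedAlgorithms$value + ")";
        }
    }

    /** Concrete builder returned by {@link JsonWebTokenSigner#builder()}. */
    /* JADX INFO: Access modifiers changed from: private */
    @Generated
    /* loaded from: input_file:WEB-INF/lib/cas-server-core-util-api-6.6.0.jar:org/apereo/cas/util/jwt/JsonWebTokenSigner$JsonWebTokenSignerBuilderImpl.class */
    public static final class JsonWebTokenSignerBuilderImpl extends JsonWebTokenSignerBuilder<JsonWebTokenSigner, JsonWebTokenSignerBuilderImpl> {
        @Generated
        private JsonWebTokenSignerBuilderImpl() {
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.apereo.cas.util.jwt.JsonWebTokenSigner.JsonWebTokenSignerBuilder
        @Generated
        public JsonWebTokenSignerBuilderImpl self() {
            return this;
        }

        @Override // org.apereo.cas.util.jwt.JsonWebTokenSigner.JsonWebTokenSignerBuilder
        @Generated
        public JsonWebTokenSigner build() {
            return new JsonWebTokenSigner(this);
        }
    }

    /**
     * Signs arbitrary bytes and returns the compact serialization as UTF-8 bytes.
     *
     * <p>The input is passed through {@code EncodingUtils.encodeUrlSafeBase64} and handed
     * to jose4j as an already-encoded payload. Checked exceptions raised while signing
     * are rethrown unchecked by {@code Unchecked.supplier}.
     *
     * @param value the raw payload bytes
     * @return the compact JWS, UTF-8 encoded
     */
    public byte[] sign(byte[] value) {
        return Unchecked.supplier(() -> {
            String encodedPayload = EncodingUtils.encodeUrlSafeBase64(value);
            return sign(encodedPayload, true).getBytes(StandardCharsets.UTF_8);
        }).get();
    }

    /**
     * Signs a claim set and returns the compact serialization.
     *
     * <p>Checked exceptions raised while signing are rethrown unchecked by
     * {@code Unchecked.supplier}.
     *
     * @param claims the claims whose JSON form becomes the JWS payload
     * @return the compact JWS
     */
    public String sign(JwtClaims claims) {
        return Unchecked.supplier(() -> sign(claims.toJson(), false)).get();
    }

    /**
     * Builds and serializes the JWS.
     *
     * @param payload        the payload text
     * @param alreadyEncoded {@code true} when {@code payload} is already encoded and
     *                       must be set via {@code setEncodedPayload}
     * @return the compact JWS
     * @throws Exception if jose4j rejects the key, algorithm or headers
     */
    private String sign(String payload, boolean alreadyEncoded) throws Exception {
        JsonWebSignature jws = new JsonWebSignature();
        if (alreadyEncoded) {
            jws.setEncodedPayload(payload);
        } else {
            jws.setPayload(payload);
        }
        jws.setAlgorithmHeaderValue(this.algorithm);
        jws.setAlgorithmConstraints(getAlgorithmConstraints());
        jws.setHeader("typ", "JWT");
        jws.setKey(this.key);
        jws.setKeyIdHeaderValue(this.keyId);
        // Custom headers go last, so an "alg", "typ" or "kid" entry replaces the value set
        // above. NOTE(review): jose4j appears to evaluate the algorithm constraints when the
        // signature is produced, i.e. against the final "alg" value; confirm before relying
        // on it. A null header value fails here with a NullPointerException.
        this.headers.forEach((name, headerValue) -> jws.setHeader(name, headerValue.toString()));
        // Only the key id and algorithm are logged; the key itself never is.
        LOGGER.trace("Signing id token with key id header value [{}] and algorithm header value [{}]", jws.getKeyIdHeaderValue(), jws.getAlgorithmHeaderValue());
        return jws.getCompactSerialization();
    }

    /**
     * Translates the configured allowed-algorithm set into jose4j constraints.
     *
     * <p>An empty set or one containing {@code "*"} yields
     * {@code AlgorithmConstraints.DISALLOW_NONE}, which blocks only {@code none}.
     * Any other set becomes an explicit permit list, taken verbatim; nothing here
     * filters out {@code none} if a caller lists it.
     *
     * @return the constraints applied to the signing algorithm
     */
    private AlgorithmConstraints getAlgorithmConstraints() {
        if (this.allowedAlgorithms.isEmpty() || this.allowedAlgorithms.contains("*")) {
            return AlgorithmConstraints.DISALLOW_NONE;
        }
        String[] permitted = this.allowedAlgorithms.toArray(ArrayUtils.EMPTY_STRING_ARRAY);
        return new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, permitted);
    }

    /** @return a fresh random UUID used as {@code kid} when none was configured */
    @Generated
    private static String $default$keyId() {
        return UUID.randomUUID().toString();
    }

    /** @return an empty, insertion-ordered header map */
    @Generated
    private static Map<String, Object> $default$headers() {
        return new LinkedHashMap<>();
    }

    /** @return an empty, insertion-ordered algorithm set (treated as "anything but none") */
    @Generated
    private static Set<String> $default$allowedAlgorithms() {
        return new LinkedHashSet<>();
    }

    /**
     * Copies the builder state, substituting defaults for properties that were never set.
     * Explicitly assigned values, including {@code null}, are taken as-is.
     *
     * @param builder the populated builder
     */
    @Generated
    protected JsonWebTokenSigner(JsonWebTokenSignerBuilder<?, ?> builder) {
        this.keyId = builder.keyId$set ? builder.keyId$value : $default$keyId();
        this.algorithm = builder.algorithm;
        this.headers = builder.headers$set ? builder.headers$value : $default$headers();
        this.key = builder.key;
        this.allowedAlgorithms = builder.allowedAlgorithms$set
            ? builder.allowedAlgorithms$value
            : $default$allowedAlgorithms();
    }

    /** @return a new builder for {@link JsonWebTokenSigner} */
    @Generated
    public static JsonWebTokenSignerBuilder<?, ?> builder() {
        return new JsonWebTokenSignerBuilderImpl();
    }
}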
