package org.wso2.is.key.manager.tokenpersistence.utils;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.UserSessionException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.store.UserSessionStore;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.OAuthUtil;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.util.JWTUtils;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.is.key.manager.tokenpersistence.PersistenceConstants;
import org.wso2.is.key.manager.tokenpersistence.internal.ServiceReferenceHolder;

/* loaded from: input_file:org/wso2/is/key/manager/tokenpersistence/utils/TokenMgtUtil.class */
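/**
 * Helpers for validating self-contained (JWT) access and refresh tokens without a persisted token
 * record: parsing, signature verification, subject resolution, revocation checks and OAuth cache
 * bookkeeping.
 *
 * <p>Raw token material is only written to the debug log when the deployment explicitly allows
 * token logging via {@link IdentityUtil#isTokenLoggable(String)}; otherwise a SHA-256 digest or a
 * generic message is logged instead.
 */
public class TokenMgtUtil {

    private static final Log log = LogFactory.getLog(TokenMgtUtil.class);

    /** Token category passed to {@link IdentityUtil#isTokenLoggable(String)} before a raw token is logged. */
    private static final String ACCESS_TOKEN_LOG_TYPE = "AccessToken";
    /** Fallback tenant domain when the thread-local Carbon context carries none. */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    /** Claim holding the user/app entity id the token was issued to. */
    private static final String ENTITY_ID_CLAIM = "entity_id";
    /** Claim flagging that the subject is a federated user. */
    private static final String IS_FEDERATED_CLAIM = "is_federated";
    /** Claim holding the realm map with tenant information. */
    private static final String REALM_CLAIM = "realm";
    private static final String SIGNING_TENANT_KEY = "signing_tenant";
    private static final String TENANT_KEY = "tenant";
    /** Claim used as the persisted token id. */
    private static final String USID_CLAIM = "usid";

    /**
     * Returns the {@code jti} claim of the token.
     *
     * @param claims parsed claim set of the token
     * @return the JWT ID
     * @throws IdentityOAuth2Exception if the claim set carries no {@code jti}
     */
    public static String getTokenIdentifier(JWTClaimsSet claims) throws IdentityOAuth2Exception {
        String jti = claims.getJWTID();
        if (jti == null) {
            throw new IdentityOAuth2Exception("JTI could not be retrieved from the JWT token.");
        }
        return jti;
    }

    /**
     * Parses a serialized signed JWT.
     *
     * @param token compact-serialized JWT
     * @return the parsed signed JWT (signature not yet verified)
     * @throws IdentityOAuth2Exception if the string is not a well-formed signed JWT
     */
    public static SignedJWT parseJWT(String token) throws IdentityOAuth2Exception {
        try {
            return JWTUtils.parseJWT(token);
        } catch (ParseException e) {
            // The raw token goes to the log only when the deployment explicitly permits token logging.
            if (log.isDebugEnabled()) {
                if (IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
                    log.debug(String.format("Failed to parse the received token: %s", token));
                } else {
                    log.debug("Failed to parse the received token.");
                }
            }
            throw new IdentityOAuth2Exception("Error while parsing token.", e);
        }
    }

    /**
     * Extracts the claim set of a signed JWT.
     *
     * @param signedJWT parsed signed JWT
     * @return the claim set
     * @throws IdentityOAuth2Exception if the token carries no claims or they cannot be read
     */
    public static JWTClaimsSet getTokenJWTClaims(SignedJWT signedJWT) throws IdentityOAuth2Exception {
        Optional<JWTClaimsSet> claims = JWTUtils.getJWTClaimSet(signedJWT);
        if (!claims.isPresent()) {
            throw new IdentityOAuth2Exception("Claim values are empty in the given Token.");
        }
        return claims.get();
    }

    /**
     * Verifies the token signature against the resident IdP's signing certificate (or a certificate
     * referenced by the token's own claims, when {@link JWTUtils#getCertificateFromClaims} yields one).
     *
     * @param signedJWT         parsed signed JWT
     * @param claims            claim set used to resolve the issuer and signing tenant
     * @param authenticatedUser user the token was issued to; consulted for the signing tenant
     * @throws IdentityOAuth2Exception if no certificate can be located, the signature is invalid, or
     *                                 the token cannot be processed
     */
    public static void validateJWTSignature(SignedJWT signedJWT, JWTClaimsSet claims,
                                            AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {
        try {
            // Certificate lookup is driven by the claims embedded in the signed token itself.
            JWTClaimsSet embeddedClaims = signedJWT.getJWTClaimsSet();
            IdentityProvider residentIdp =
                    JWTUtils.getResidentIDPForIssuer(claims, getSigningTenantDomain(claims, authenticatedUser));
            Optional<X509Certificate> claimCertificate = JWTUtils.getCertificateFromClaims(embeddedClaims);
            // NOTE(review): when the certificate is taken from the token's own claims, trust rests on
            // JWTUtils.getCertificateFromClaims vetting it against a trusted source — confirm.
            X509Certificate signerCertificate = claimCertificate.isPresent()
                    ? claimCertificate.get()
                    : JWTUtils.resolveSignerCertificate(residentIdp);
            if (signerCertificate == null) {
                throw new IdentityOAuth2Exception(
                        "Unable to locate certificate for Identity Provider: " + residentIdp.getDisplayName());
            }
            if (!JWTUtils.verifySignature(signedJWT, signerCertificate, JWTUtils.verifyAlgorithm(signedJWT))) {
                throw new IdentityOAuth2Exception("Invalid signature.");
            }
        } catch (JOSEException | ParseException e) {
            throw new IdentityOAuth2Exception("Error while validating Token.", e);
        }
    }

    /**
     * Splits a space-separated scope claim into individual scopes.
     *
     * @param scopeClaim raw claim value
     * @return the scopes, or an empty array when the claim is not a string
     */
    public static String[] getScopes(Object scopeClaim) {
        if (scopeClaim instanceof String) {
            return ((String) scopeClaim).split(" ");
        }
        return new String[0];
    }

    /**
     * Resolves the {@link AuthenticatedUser} the token was issued to.
     *
     * <p>The tenant of the owning application comes from the app-domain claim, else from the
     * {@code azp} client. The entity id is then resolved as an application owner or as a user in the
     * user tenant (falling back to the app tenant); federated subjects are looked up in the session
     * store when no local user exists.
     *
     * @param claims claim set of the token
     * @return the resolved user, marked federated when the token says so
     * @throws IdentityOAuth2Exception if no user can be resolved or the OAuth app lookup fails
     */
    public static AuthenticatedUser getAuthenticatedUser(JWTClaimsSet claims) throws IdentityOAuth2Exception {
        String authorizedParty = (String) claims.getClaim(PersistenceConstants.JWTClaim.AUTHORIZATION_PARTY);
        String appTenantDomain = null;
        try {
            log.debug("Getting tenant domain from OAuth app.");
            Object appDomainClaim = claims.getClaim(PersistenceConstants.JWTClaim.APP_DOMAIN);
            if (appDomainClaim != null) {
                appTenantDomain = (String) appDomainClaim;
            } else if (authorizedParty != null) {
                appTenantDomain = OAuth2Util.getTenantDomainOfOauthApp(authorizedParty);
            }

            String entityId = (String) claims.getClaim(ENTITY_ID_CLAIM);
            Object federatedClaim = claims.getClaim(IS_FEDERATED_CLAIM);
            boolean isFederated = federatedClaim != null && ((Boolean) federatedClaim).booleanValue();
            Object userDomainClaim = claims.getClaim(PersistenceConstants.JWTClaim.USER_DOMAIN);
            String userTenantDomain = userDomainClaim != null ? (String) userDomainClaim : getTenantDomain();

            AuthenticatedUser user = resolveAuthenticatedUserFromEntityId(
                    entityId, appTenantDomain, userTenantDomain, isFederated, claims.getSubject());
            if (isFederated) {
                if (user == null) {
                    user = createFederatedAuthenticatedUser(entityId);
                } else {
                    user.setFederatedUser(true);
                }
            }
            if (user == null) {
                throw new IdentityOAuth2Exception(
                        "Error while getting authenticated user. Authenticated user not found.");
            }
            user.setAuthenticatedSubjectIdentifier(claims.getSubject());
            return user;
        } catch (InvalidOAuthClientException e) {
            // Report the client that failed to resolve and keep the cause; the original message lost both.
            throw new IdentityOAuth2Exception(
                    "Error while getting tenant domain from OAuth app with consumer key: " + authorizedParty, e);
        }
    }

    /**
     * Resolves an entity id to a user: first as the owner of an OAuth application with that client id,
     * then as a user id in {@code userTenantDomain}, then in {@code appTenantDomain}, and finally — for
     * non-federated tokens only — by the {@code sub} claim as a user name.
     *
     * @param entityId         entity id from the token
     * @param appTenantDomain  tenant of the owning application (may be {@code null})
     * @param userTenantDomain tenant the user is expected in
     * @param isFederated      whether the token marks the subject as federated
     * @param subject          {@code sub} claim
     * @return the user, or {@code null} if none matched
     * @throws IdentityOAuth2Exception on user store failures
     */
    private static AuthenticatedUser resolveAuthenticatedUserFromEntityId(String entityId, String appTenantDomain,
                                                                          String userTenantDomain, boolean isFederated,
                                                                          String subject) throws IdentityOAuth2Exception {
        Optional<OAuthAppDO> oAuthApp = getOAuthApp(entityId);
        if (oAuthApp.isPresent()) {
            return oAuthApp.get().getAppOwner();
        }
        try {
            String tenantDomain = userTenantDomain;
            String userName = getUserNameFromUserID(entityId, tenantDomain);
            if (StringUtils.isBlank(userName)) {
                // Not found in the user tenant; retry in the application's tenant.
                tenantDomain = appTenantDomain;
                userName = getUserNameFromUserID(entityId, tenantDomain);
            }
            if (StringUtils.isNotBlank(userName)) {
                AuthenticatedUser user = OAuth2Util.getUserFromUserName(userName);
                user.setTenantDomain(tenantDomain);
                user.setUserId(entityId);
                return user;
            }
            if (!isFederated && !StringUtils.isBlank(subject)) {
                AuthenticatedUser user = OAuth2Util.getUserFromUserName(subject);
                user.setUserId(entityId);
                return user;
            }
            return null;
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Error while getting username from JWT.", e);
        }
    }

    /**
     * Looks up a user name by user id in the given tenant's user store.
     *
     * @param userId       user id
     * @param tenantDomain tenant whose realm is consulted
     * @return the user name, or whatever the user store returns when unknown (blank/null)
     * @throws UserStoreException on realm or user store failures
     */
    private static String getUserNameFromUserID(String userId, String tenantDomain) throws UserStoreException {
        RealmService realmService = ServiceReferenceHolder.getInstance().getRealmService();
        int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
        return realmService.getTenantUserRealm(tenantId).getUserStoreManager().getUserNameFromUserID(userId);
    }

    /**
     * Returns the tenant domain of the current thread-local Carbon context, defaulting to the super tenant.
     *
     * @return tenant domain, never empty
     */
    public static String getTenantDomain() {
        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        return StringUtils.isEmpty(tenantDomain) ? SUPER_TENANT_DOMAIN : tenantDomain;
    }

    /**
     * Checks whether the token is invalid because its application or its subject entity was revoked
     * after the token was issued. On a hit, the related OAuth cache entries are evicted.
     *
     * @param claims            claim set of the token
     * @param authenticatedUser user the token belongs to; may be {@code null}, in which case only the
     *                          token-id cache entry is cleared
     * @return {@code true} if the token is revoked indirectly
     * @throws IdentityOAuth2Exception on persistence failures or a missing {@code jti}
     */
    public static boolean isTokenRevokedIndirectly(JWTClaimsSet claims, AuthenticatedUser authenticatedUser)
            throws IdentityOAuth2Exception {
        Date issueTime = claims.getIssueTime();
        String entityId = (String) claims.getClaim(ENTITY_ID_CLAIM);
        String consumerKey = (String) claims.getClaim(PersistenceConstants.JWTClaim.AUTHORIZATION_PARTY);
        // The subject-entity lookup is only consulted when the app-level check did not already revoke.
        boolean revoked = isTokenRevokedIndirectlyFromApp(consumerKey, issueTime)
                || ServiceReferenceHolder.getInstance().getInvalidTokenPersistenceService()
                        .isTokenRevokedForSubjectEntity(entityId, issueTime);
        if (revoked) {
            String tenantDomain = null;
            if (authenticatedUser != null) {
                String scopeString =
                        OAuth2Util.buildScopeString(getScopes(claims.getClaim(PersistenceConstants.JWTClaim.SCOPE)));
                OAuthUtil.clearOAuthCache(consumerKey, authenticatedUser, scopeString, "NONE");
                OAuthUtil.clearOAuthCache(consumerKey, authenticatedUser, scopeString);
                OAuthUtil.clearOAuthCache(consumerKey, authenticatedUser);
                tenantDomain = authenticatedUser.getTenantDomain();
            }
            OAuthCache.getInstance().clearCacheEntry(new OAuthCacheKey(getTokenIdentifier(claims)), tenantDomain);
        }
        return revoked;
    }

    /**
     * Checks whether all tokens of the given client issued before {@code issueTime} were revoked.
     *
     * @param consumerKey client id of the application
     * @param issueTime   token issue time
     * @return {@code true} if the application revocation covers this token
     * @throws IdentityOAuth2Exception on persistence failures
     */
    public static boolean isTokenRevokedIndirectlyFromApp(String consumerKey, Date issueTime)
            throws IdentityOAuth2Exception {
        return ServiceReferenceHolder.getInstance().getInvalidTokenPersistenceService()
                .isTokenRevokedForConsumerKey(consumerKey, issueTime);
    }

    /**
     * Checks whether the specific token was revoked.
     *
     * @param tokenIdentifier token identifier
     * @param consumerKey     client id of the application
     * @return {@code true} if the token is recorded as invalid
     * @throws IdentityOAuth2Exception on persistence failures
     */
    public static boolean isTokenRevokedDirectly(String tokenIdentifier, String consumerKey)
            throws IdentityOAuth2Exception {
        return ServiceReferenceHolder.getInstance().getInvalidTokenPersistenceService()
                .isInvalidToken(tokenIdentifier, consumerKey);
    }

    /**
     * Fetches an access token record from the OAuth cache.
     *
     * @param accessTokenIdentifier cache key material (token identifier)
     * @return the cached {@link AccessTokenDO}, or empty when the cache is disabled, has no entry, or the
     *         entry is of another type
     */
    public static Optional<AccessTokenDO> getTokenDOFromCache(String accessTokenIdentifier) {
        OAuthCache cache = OAuthCache.getInstance();
        if (!cache.isEnabled()) {
            return Optional.empty();
        }
        CacheEntry entry = cache.getValueFromCache(getOAuthCacheKey(accessTokenIdentifier));
        if (!(entry instanceof AccessTokenDO)) {
            return Optional.empty();
        }
        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
                log.debug(String.format("Hit OAuthCache for accessTokenIdentifier: %s", accessTokenIdentifier));
            } else {
                log.debug("Hit OAuthCache with accessTokenIdentifier");
            }
        }
        return Optional.of((AccessTokenDO) entry);
    }

    /**
     * Stores an access token record in the OAuth cache if the cache is enabled.
     *
     * @param accessTokenIdentifier cache key material (token identifier)
     * @param accessTokenDO         record to cache
     */
    public static void addTokenToCache(String accessTokenIdentifier, AccessTokenDO accessTokenDO) {
        OAuthCache cache = OAuthCache.getInstance();
        if (!cache.isEnabled()) {
            return;
        }
        cache.addToCache(getOAuthCacheKey(accessTokenIdentifier), accessTokenDO);
        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
                // Only a digest of the token identifier is logged, never the identifier itself.
                log.debug(String.format("Access token(hashed): %s added to OAuthCache.",
                        DigestUtils.sha256Hex(accessTokenIdentifier)));
            } else {
                log.debug("Access token added to OAuthCache.");
            }
        }
    }

    /**
     * Builds the OAuth cache key for a token identifier.
     *
     * @param accessTokenIdentifier token identifier
     * @return the cache key
     */
    public static OAuthCacheKey getOAuthCacheKey(String accessTokenIdentifier) {
        return new OAuthCacheKey(accessTokenIdentifier);
    }

    /**
     * Tells whether the token declares itself a refresh token.
     *
     * @param claims claim set of the token
     * @return {@code true} if the token-type claim equals {@link PersistenceConstants#REFRESH_TOKEN};
     *         {@code false} if the claim is absent
     * @throws IdentityOAuth2Exception if the claim is present with any other value, or (debug logging
     *                                 only) the token has no {@code jti}
     */
    public static boolean isRefreshTokenType(JWTClaimsSet claims) throws IdentityOAuth2Exception {
        Object tokenType = claims.getClaim(PersistenceConstants.JWTClaim.TOKEN_TYPE_ELEM);
        if (tokenType != null) {
            if (PersistenceConstants.REFRESH_TOKEN.equals(tokenType.toString())) {
                return true;
            }
            throw new IdentityOAuth2Exception("Invalid token type received");
        }
        if (log.isDebugEnabled()) {
            if (IdentityUtil.isTokenLoggable(ACCESS_TOKEN_LOG_TYPE)) {
                log.debug(String.format(
                        "The refresh_token claim missing in the JWT: %s. Hence not considering as a valid refresh token.",
                        DigestUtils.sha256Hex(getTokenIdentifier(claims))));
            } else {
                log.debug("The refresh_token claim missing in the JWT. Hence not considering as a valid refresh token.");
            }
        }
        return false;
    }

    /**
     * Looks up an OAuth application by client id.
     *
     * @param consumerKey client id
     * @return the application, or empty when no such client exists
     * @throws IdentityOAuth2Exception on lookup failures other than "unknown client"
     */
    public static Optional<OAuthAppDO> getOAuthApp(String consumerKey) throws IdentityOAuth2Exception {
        try {
            OAuthAppDO app = OAuth2Util.getAppInformationByClientId(consumerKey);
            if (log.isDebugEnabled()) {
                log.debug("Retrieved OAuth application : " + consumerKey + ". Authorized user : " + app.getAppOwner());
            }
            return Optional.ofNullable(app);
        } catch (InvalidOAuthClientException e) {
            // Best effort by design: an unknown client is a legitimate "not found", not a failure.
            if (log.isDebugEnabled()) {
                log.debug("OAuth application : " + consumerKey + " not found");
            }
            return Optional.empty();
        }
    }

    /**
     * Resolves a federated user from the user session store.
     *
     * @param userId user id recorded in the session store
     * @return the user, marked federated and carrying {@code userId}
     * @throws IdentityOAuth2Exception if no user is stored under that id or the store lookup fails
     */
    public static AuthenticatedUser createFederatedAuthenticatedUser(String userId) throws IdentityOAuth2Exception {
        try {
            AuthenticatedUser user = UserSessionStore.getInstance().getUser(userId);
            if (user == null) {
                throw new IdentityOAuth2Exception("Error occurred while resolving the user from the userId for the "
                        + "federated user. No user found for the userId");
            }
            // The session store entry already carries name, tenant, store domain and IdP name;
            // only the id and the federated flag are asserted here.
            user.setUserId(userId);
            user.setFederatedUser(true);
            return user;
        } catch (UserSessionException e) {
            throw new IdentityOAuth2Exception(
                    "Error occurred while resolving the user from the userId for the federated user", e);
        }
    }

    /**
     * Returns the persisted token id carried in the {@code usid} claim.
     *
     * @param claims claim set of the token
     * @return the token id
     * @throws IdentityOAuth2Exception if the claim is absent
     */
    public static String getTokenId(JWTClaimsSet claims) throws IdentityOAuth2Exception {
        Object usid = claims.getClaim(USID_CLAIM);
        String tokenId = usid != null ? usid.toString() : null;
        if (tokenId == null) {
            throw new IdentityOAuth2Exception("TokenId could not be retrieved from the JWT token.");
        }
        return tokenId;
    }

    /**
     * Determines the tenant whose key signed the token.
     *
     * <p>Precedence: {@code realm.signing_tenant}, then {@code realm.tenant}; without a realm, the
     * Carbon context tenant when the token has no {@code azp}; otherwise the authenticated user's
     * tenant unless the server is configured to sign JWTs with the service provider's key, in which
     * case the {@code azp} application's tenant.
     *
     * @param claims            claim set of the token
     * @param authenticatedUser user the token was issued to; required when JWTs are not signed with
     *                          the SP key and the token carries an {@code azp}
     * @return the signing tenant domain
     * @throws IdentityOAuth2Exception if the tenant cannot be determined
     */
    public static String getSigningTenantDomain(JWTClaimsSet claims, AuthenticatedUser authenticatedUser)
            throws IdentityOAuth2Exception {
        Object realmClaim = claims.getClaim(REALM_CLAIM);
        // Nested JSON objects may surface as any Map implementation, so avoid a concrete-type cast.
        if (realmClaim instanceof Map && MapUtils.isNotEmpty((Map<?, ?>) realmClaim)) {
            Map<?, ?> realm = (Map<?, ?>) realmClaim;
            if (realm.get(SIGNING_TENANT_KEY) != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Getting signing tenant domain from JWT's 'signing_tenant' claim.");
                }
                return (String) realm.get(SIGNING_TENANT_KEY);
            }
            if (realm.get(TENANT_KEY) != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Getting signing tenant domain from JWT's 'tenant' claim.");
                }
                return (String) realm.get(TENANT_KEY);
            }
        }
        String consumerKey = (String) claims.getClaim(PersistenceConstants.JWTClaim.AUTHORIZATION_PARTY);
        if (consumerKey == null) {
            return getTenantDomain();
        }
        if (!OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey()) {
            if (authenticatedUser == null) {
                throw new IdentityOAuth2Exception(
                        "Unable to determine the signing tenant domain: authenticated user is not available.");
            }
            if (log.isDebugEnabled()) {
                log.debug("Getting signing tenant domain from authenticated user.");
            }
            return authenticatedUser.getTenantDomain();
        }
        try {
            if (log.isDebugEnabled()) {
                log.debug("Getting signing tenant domain from OAuth app.");
            }
            return OAuth2Util.getTenantDomainOfOauthApp(consumerKey);
        } catch (InvalidOAuthClientException e) {
            throw new IdentityOAuth2Exception(
                    "Error while getting tenant domain from OAuth app with consumer key: " + consumerKey, e);
        }
    }
}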
