package org.wso2.carbon.identity.oauth2.grant.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.grant.jwt.cache.JWTCache;
import org.wso2.carbon.identity.oauth2.grant.jwt.cache.JWTCacheEntry;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/grant/jwt/JWTBearerGrantHandler.class */
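/**
 * Authorization grant handler for the JWT bearer grant
 * ({@code urn:ietf:params:oauth:grant-type:jwt-bearer}).
 *
 * <p>{@link #validateGrant(OAuthTokenReqMessageContext)} reads the assertion from the token request,
 * resolves the issuing Identity Provider by the {@code iss} claim in the request's tenant, verifies the
 * RSA signature against that provider's registered certificate and then checks {@code aud},
 * {@code exp}, {@code nbf}, {@code iat}, {@code jti} (optional replay cache) and any custom claims.
 * The authorized user and scope are written to the request context only after every check has passed.
 *
 * <p>Configuration ({@code validityPeriod}, {@code cacheUsedJTI}) is read once in {@link #init()} from
 * {@code JWTConstants.PROPERTIES_FILE} on the class path.
 */
public class JWTBearerGrantHandler extends AbstractAuthorizationGrantHandler {

    private static final Log log = LogFactory.getLog(JWTBearerGrantHandler.class);

    /** Tenant used when the token request carries no tenant domain. */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    /** Identity provider name that denotes the resident (local) IdP. */
    private static final String LOCAL_IDP_NAME = "LOCAL";
    /** Federated authenticator whose token endpoint URL acts as the resident IdP's audience value. */
    private static final String OIDC_AUTHENTICATOR_NAME = "openidconnect";
    private static final String OAUTH2_TOKEN_EP_URL_PROPERTY = "OAuth2TokenEPUrl";
    /** Only RSASSA algorithms (RS256/RS384/RS512) are accepted for the assertion signature. */
    private static final String RSA_ALGORITHM_PREFIX = "RS";

    /** Maximum age of an assertion in minutes, measured from its {@code iat} claim; set in {@link #init()}. */
    private static int validityPeriod;
    /** Replay cache keyed by {@code jti}; only initialised when {@link #cacheUsedJTI} is true. */
    private JWTCache jwtCache;
    /** Whether used {@code jti} values are remembered so a replayed assertion can be rejected. */
    private boolean cacheUsedJTI;

    /**
     * Loads the handler configuration from the properties file on the class path.
     *
     * @throws IdentityOAuth2Exception if the file is missing, unreadable, or the validity period is not an integer
     */
    public void init() throws IdentityOAuth2Exception {
        super.init();
        ClassLoader classLoader = JWTBearerGrantHandler.class.getClassLoader();
        InputStream resourceAsStream = classLoader.getResourceAsStream(JWTConstants.PROPERTIES_FILE);
        if (resourceAsStream == null) {
            // getResourceAsStream() returns null rather than throwing when the resource is absent;
            // without this guard Properties.load() and the close() in finally would both throw NPE.
            throw new IdentityOAuth2Exception("Can not find the file " + JWTConstants.PROPERTIES_FILE);
        }
        Properties properties = new Properties();
        try {
            properties.load(resourceAsStream);
            validityPeriod = Integer.parseInt(properties.getProperty(JWTConstants.VALIDITY_PERIOD));
            cacheUsedJTI = Boolean.parseBoolean(properties.getProperty(JWTConstants.CACHE_USED_JTI));
            if (cacheUsedJTI) {
                jwtCache = JWTCache.getInstance();
            }
        } catch (IOException e) {
            throw new IdentityOAuth2Exception("Can not find the file", e);
        } catch (NumberFormatException e) {
            throw new IdentityOAuth2Exception("Invalid Validity period", e);
        } finally {
            try {
                resourceAsStream.close();
            } catch (IOException e) {
                log.error("Error while closing the stream", e);
            }
        }
    }

    /**
     * Validates the JWT assertion carried by the token request.
     *
     * @param oAuthTokenReqMessageContext the token request; on success its authorized user and scope are set
     * @return {@code true} when the assertion is valid; every failure is reported as an exception instead
     * @throws IdentityOAuth2Exception when the assertion is missing, malformed, unsigned by the issuer's
     *         registered certificate, not addressed to this server, outside its time window, replayed,
     *         or rejected by {@link #validateCustomClaims(Map)}
     */
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        super.validateGrant(oAuthTokenReqMessageContext);

        // The tenant is kept request-local. It used to live in a static field that every request overwrote,
        // so concurrent requests from different tenants could resolve the issuer against the wrong tenant's IdPs.
        String tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        if (StringUtils.isEmpty(tenantDomain)) {
            tenantDomain = SUPER_TENANT_DOMAIN;
        }

        SignedJWT signedJWT = getSignedJWT(oAuthTokenReqMessageContext);
        if (signedJWT == null) {
            handleException("No Valid Assertion was found for urn:ietf:params:oauth:grant-type:jwt-bearer");
        }
        ReadOnlyJWTClaimsSet claimSet = getClaimSet(signedJWT);
        if (claimSet == null) {
            handleException("Claim values are empty in the given JSON Web Token");
        }

        String issuer = claimSet.getIssuer();
        String subject = claimSet.getSubject();
        List<String> audience = claimSet.getAudience();
        Date expirationTime = claimSet.getExpirationTime();
        Date notBeforeTime = claimSet.getNotBeforeTime();
        Date issueTime = claimSet.getIssueTime();
        String jwtId = claimSet.getJWTID();
        Map<String, Object> customClaims = claimSet.getCustomClaims();

        // One timestamp for all checks so exp/nbf/iat/jti are evaluated against the same instant.
        long currentTimeInMillis = System.currentTimeMillis();
        long timeStampSkewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;

        if (StringUtils.isEmpty(issuer) || StringUtils.isEmpty(subject) || expirationTime == null || audience == null) {
            handleException("Mandatory fields(Issuer, Subject, Expiration time or Audience) are empty in the given JSON Web Token.");
        }

        try {
            IdentityProvider identityProvider = IdentityProviderManager.getInstance().getIdPByName(issuer, tenantDomain);
            if (identityProvider == null) {
                handleException("No Registered IDP found for the JWT with issuer name : " + issuer);
            }

            // The signature is checked against the certificate registered for the issuing IdP before any
            // other claim of the assertion is relied upon.
            if (!validateSignature(signedJWT, identityProvider, tenantDomain)) {
                handleException("Signature or Message Authentication invalid.");
            }
            if (log.isDebugEnabled()) {
                log.debug("Signature/MAC validated successfully.");
            }

            String tokenEndpointAlias = getTokenEndpointAlias(identityProvider, tenantDomain);
            if (StringUtils.isEmpty(tokenEndpointAlias)) {
                handleException("Token Endpoint alias of the local Identity Provider has not been configured for "
                        + identityProvider.getIdentityProviderName());
            }
            if (!audience.contains(tokenEndpointAlias)) {
                handleException("None of the audience values matched the tokenEndpoint Alias " + tokenEndpointAlias);
            }
            if (log.isDebugEnabled()) {
                log.debug(tokenEndpointAlias + " of IDP was found in the list of audiences.");
            }

            checkExpirationTime(expirationTime, currentTimeInMillis, timeStampSkewMillis);
            if (log.isDebugEnabled()) {
                log.debug("Expiration Time(exp) of JWT was validated successfully.");
            }

            if (notBeforeTime == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Not Before Time(nbf) not found in JWT. Continuing Validation");
                }
            } else {
                checkNotBeforeTime(notBeforeTime, currentTimeInMillis, timeStampSkewMillis);
                if (log.isDebugEnabled()) {
                    log.debug("Not Before Time(nbf) of JWT was validated successfully.");
                }
            }

            if (issueTime == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Issued At Time(iat) not found in JWT. Continuing Validation");
                }
            } else {
                checkValidityOfTheToken(issueTime, currentTimeInMillis, timeStampSkewMillis);
                if (log.isDebugEnabled()) {
                    log.debug("Issued At Time(iat) of JWT was validated successfully.");
                }
            }

            if (jwtId == null) {
                // Without a jti there is nothing to key the replay cache on; the assertion is still accepted.
                if (log.isDebugEnabled()) {
                    log.debug("JSON Web Token ID(jti) not found in JWT. Continuing Validation");
                }
            } else if (!cacheUsedJTI) {
                if (log.isDebugEnabled()) {
                    log.debug("List of used JSON Web Token IDs are not maintained. Continue Validation");
                }
            } else {
                JWTCacheEntry cachedEntry = (JWTCacheEntry) jwtCache.getValueFromCache(jwtId);
                if (cachedEntry == null) {
                    if (log.isDebugEnabled()) {
                        log.debug("JWT id: " + jwtId + " not found in the cache.");
                    }
                } else {
                    checkCachedJTI(jwtId, signedJWT, cachedEntry, currentTimeInMillis, timeStampSkewMillis);
                }
                if (log.isDebugEnabled()) {
                    log.debug("jti of the JWT has been validated successfully.");
                }
            }

            if (customClaims == null) {
                if (log.isDebugEnabled()) {
                    log.debug("No custom claims found. Continue validating other claims.");
                }
            } else if (!validateCustomClaims(customClaims)) {
                handleException("Custom Claims in the JWT were invalid");
            }

            // Only remember a jti once the assertion is fully validated, and only when there is a jti:
            // the old code also cached under a null key, which could never be looked up again.
            if (cacheUsedJTI && jwtId != null) {
                jwtCache.addToCache(jwtId, new JWTCacheEntry(signedJWT));
                if (log.isDebugEnabled()) {
                    log.debug("JWT Token was added to the cache successfully");
                }
            }

            // The request context is mutated last, so a rejected assertion never leaves a user or scope behind.
            oAuthTokenReqMessageContext.setAuthorizedUser(
                    AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(subject));
            oAuthTokenReqMessageContext.setScope(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getScope());
            if (log.isDebugEnabled()) {
                log.debug("Subject(sub) found in JWT: " + subject);
                log.debug(subject + " set as the Authorized User.");
            }
        } catch (JOSEException e) {
            handleException("Error when verifying signature", e);
        } catch (IdentityProviderManagementException e) {
            handleException("Error while getting the Federated Identity Provider ", e);
        }

        if (log.isDebugEnabled()) {
            log.debug("JWT Token was validated successfully");
        }
        return true;
    }

    /**
     * Extracts and parses the assertion request parameter.
     *
     * @return the parsed JWT, or {@code null} when the request carries no (non-empty) assertion
     * @throws IdentityOAuth2Exception if the assertion is present but cannot be parsed as a signed JWT
     */
    private SignedJWT getSignedJWT(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        RequestParameter[] requestParameters =
                oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getRequestParameters();
        String assertion = null;
        if (requestParameters != null) {
            for (RequestParameter parameter : requestParameters) {
                // Constant-first equals() tolerates a null key; the first matching parameter wins.
                if (JWTConstants.OAUTH_JWT_ASSERTION.equals(parameter.getKey())) {
                    String[] values = parameter.getValue();
                    if (values != null && values.length > 0) {
                        assertion = values[0];
                    }
                    break;
                }
            }
        }
        if (StringUtils.isEmpty(assertion)) {
            return null;
        }
        SignedJWT signedJWT = null;
        try {
            signedJWT = SignedJWT.parse(assertion);
            if (log.isDebugEnabled()) {
                logJWT(signedJWT);
            }
        } catch (ParseException e) {
            handleException("Error while parsing the JWT" + e.getMessage(), e);
        }
        return signedJWT;
    }

    /**
     * Reads the claim set of the given JWT.
     *
     * @throws IdentityOAuth2Exception if the payload cannot be parsed as a claim set
     */
    private ReadOnlyJWTClaimsSet getClaimSet(SignedJWT signedJWT) throws IdentityOAuth2Exception {
        ReadOnlyJWTClaimsSet claimsSet = null;
        try {
            claimsSet = signedJWT.getJWTClaimsSet();
        } catch (ParseException e) {
            handleException("Error when trying to retrieve claimsSet from the JWT", e);
        }
        return claimsSet;
    }

    /**
     * Resolves the value the assertion's {@code aud} claim must contain for this identity provider.
     *
     * <p>For a federated IdP this is its configured alias. For the resident ({@code LOCAL}) IdP it is the
     * OAuth2 token endpoint URL of the tenant's OpenID Connect authenticator; if the resident IdP cannot be
     * loaded the provider passed in is used instead (best effort, logged at debug).
     *
     * @param identityProvider the provider resolved from the {@code iss} claim
     * @param tenantDomain     tenant whose resident IdP is consulted for the local case
     * @return the expected audience value, or {@code null} if none is configured
     */
    private String getTokenEndpointAlias(IdentityProvider identityProvider, String tenantDomain) {
        if (!LOCAL_IDP_NAME.equals(identityProvider.getIdentityProviderName())) {
            String federatedAlias = identityProvider.getAlias();
            if (log.isDebugEnabled()) {
                log.debug("Token End Point Alias of the Federated IDP: " + federatedAlias);
            }
            return federatedAlias;
        }

        IdentityProvider residentIdP = identityProvider;
        try {
            residentIdP = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
        } catch (IdentityProviderManagementException e) {
            // Best effort, as before: fall back to the provider that was passed in.
            if (log.isDebugEnabled()) {
                log.debug("Error while getting Resident IDP :" + e.getMessage(), e);
            }
        }
        FederatedAuthenticatorConfig oidcAuthenticator = IdentityApplicationManagementUtil.getFederatedAuthenticator(
                residentIdP.getFederatedAuthenticatorConfigs(), OIDC_AUTHENTICATOR_NAME);
        if (oidcAuthenticator == null) {
            return null;
        }
        Property tokenEndpointProperty = IdentityApplicationManagementUtil.getProperty(
                oidcAuthenticator.getProperties(), OAUTH2_TOKEN_EP_URL_PROPERTY);
        if (tokenEndpointProperty == null) {
            return null;
        }
        String residentAlias = tokenEndpointProperty.getValue();
        if (log.isDebugEnabled()) {
            log.debug("Token End Point Alias of Resident IDP :" + residentAlias);
        }
        return residentAlias;
    }

    /**
     * Rejects the assertion when {@code now + skew} is past its {@code exp} claim.
     * Note the skew is added to "now": the token must outlive the clock tolerance, not merely be unexpired.
     *
     * @throws IdentityOAuth2Exception if the assertion has expired
     */
    private void checkExpirationTime(Date expirationTime, long currentTimeInMillis, long timeStampSkewMillis)
            throws IdentityOAuth2Exception {
        long expirationTimeInMillis = expirationTime.getTime();
        if (currentTimeInMillis + timeStampSkewMillis > expirationTimeInMillis) {
            handleException("JSON Web Token is expired., Expiration Time(ms) : " + expirationTimeInMillis
                    + ", TimeStamp Skew : " + timeStampSkewMillis + ", Current Time : " + currentTimeInMillis
                    + ". JWT Rejected and validation terminated");
        }
    }

    /**
     * Rejects the assertion when {@code now + skew} is still before its {@code nbf} claim.
     *
     * @throws IdentityOAuth2Exception if the assertion is not yet valid
     */
    private void checkNotBeforeTime(Date notBeforeTime, long currentTimeInMillis, long timeStampSkewMillis)
            throws IdentityOAuth2Exception {
        long notBeforeTimeInMillis = notBeforeTime.getTime();
        if (currentTimeInMillis + timeStampSkewMillis < notBeforeTimeInMillis) {
            handleException("JSON Web Token is used before Not_Before_Time., Not Before Time(ms) : "
                    + notBeforeTimeInMillis + ", TimeStamp Skew : " + timeStampSkewMillis + ", Current Time : "
                    + currentTimeInMillis + ". JWT Rejected and validation terminated");
        }
    }

    /**
     * Rejects the assertion when its {@code iat} claim is older than the configured validity period.
     *
     * @throws IdentityOAuth2Exception if {@code (now + skew) - iat} exceeds {@code validityPeriod} minutes
     */
    private void checkValidityOfTheToken(Date issueTime, long currentTimeInMillis, long timeStampSkewMillis)
            throws IdentityOAuth2Exception {
        long issueTimeInMillis = issueTime.getTime();
        // Long arithmetic: the old int expression overflowed for validity periods above ~35791 minutes.
        long validityPeriodInMillis = validityPeriod * 60L * 1000L;
        if ((currentTimeInMillis + timeStampSkewMillis) - issueTimeInMillis > validityPeriodInMillis) {
            handleException("JSON Web Token is issued before the allowed time., Issued At Time(ms) : "
                    + issueTimeInMillis + ", Reject before limit(ms) : " + validityPeriodInMillis
                    + ", TimeStamp Skew : " + timeStampSkewMillis + ", Current Time : " + currentTimeInMillis
                    + ". JWT Rejected and validation terminated");
        }
    }

    /**
     * Replay check for a {@code jti} that is already present in the cache.
     *
     * <p>If the cached assertion has expired (with skew) the jti may legitimately be reused and the cache
     * entry is replaced. Otherwise the new assertion is a replay and is rejected. The previous version
     * only rejected the replay when debug logging was <em>disabled</em>; the decision no longer depends
     * on the log level.
     *
     * @throws IdentityOAuth2Exception if the assertion is a replay, or the cached assertion cannot be parsed
     */
    private void checkCachedJTI(String jti, SignedJWT signedJWT, JWTCacheEntry cachedEntry,
                                long currentTimeInMillis, long timeStampSkewMillis) throws IdentityOAuth2Exception {
        try {
            SignedJWT cachedJWT = cachedEntry.getJwt();
            Date cachedExpirationTime = cachedJWT.getJWTClaimsSet().getExpirationTime();
            if (currentTimeInMillis + timeStampSkewMillis > cachedExpirationTime.getTime()) {
                if (log.isDebugEnabled()) {
                    log.debug("JWT Token has been reused after the allowed expiry time : " + cachedExpirationTime);
                }
                jwtCache.addToCache(jti, new JWTCacheEntry(signedJWT));
                if (log.isDebugEnabled()) {
                    log.debug("jti of the JWT has been validated successfully and cache updated");
                }
            } else {
                handleException("JWT Token \n" + signedJWT.getHeader().toJSONObject().toString() + "\n"
                        + signedJWT.getPayload().toJSONObject().toString()
                        + "\nHas been replayed before the allowed expiry time : " + cachedExpirationTime);
            }
        } catch (ParseException e) {
            handleException("Unable to parse the cached jwt assertion : " + cachedEntry.getEncodedJWt(), e);
        }
    }

    /**
     * Writes the complete assertion (header, payload and signature) to the log; only called at DEBUG level.
     */
    private void logJWT(SignedJWT signedJWT) {
        log.debug("JWT Header: " + signedJWT.getHeader().toJSONObject().toString());
        log.debug("JWT Payload: " + signedJWT.getPayload().toJSONObject().toString());
        log.debug("Signature: " + signedJWT.getSignature().toString());
    }

    /**
     * Verifies the assertion signature with the public key of the identity provider's registered certificate.
     *
     * <p>The verifier is always built from the IdP's certificate, never from key material in the token,
     * and only RSASSA ({@code RS*}) algorithms are accepted; any other {@code alg} value is rejected.
     *
     * @param signedJWT        the assertion to verify
     * @param identityProvider the provider resolved from the {@code iss} claim
     * @param tenantDomain     tenant, used for error reporting only
     * @return the result of the cryptographic verification
     * @throws JOSEException           if the verification itself fails
     * @throws IdentityOAuth2Exception if no verifier can be built (bad certificate, non-RSA key, unsupported alg)
     */
    private boolean validateSignature(SignedJWT signedJWT, IdentityProvider identityProvider, String tenantDomain)
            throws JOSEException, IdentityOAuth2Exception {
        X509Certificate x509Certificate = null;
        try {
            x509Certificate = (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(
                    identityProvider.getCertificate());
        } catch (CertificateException e) {
            handleException("Error occurred while decoding public certificate of Identity Provider "
                    + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain, e);
        }

        String algorithmName = signedJWT.getHeader().getAlgorithm().getName();
        if (StringUtils.isEmpty(algorithmName)) {
            handleException("Algorithm must not be null.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the JWT Header: " + algorithmName);
        }

        JWSVerifier verifier = null;
        if (algorithmName.startsWith(RSA_ALGORITHM_PREFIX)) {
            if (x509Certificate == null) {
                handleException("Unable to get certificate");
            }
            // instanceof is false for null, so this also covers a missing key; the old code could throw
            // ClassCastException on a non-RSA certificate.
            if (!(x509Certificate.getPublicKey() instanceof RSAPublicKey)) {
                handleException("Public key of the Identity Provider certificate is null or not an RSA key");
            }
            verifier = new RSASSAVerifier((RSAPublicKey) x509Certificate.getPublicKey());
        } else if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm not supported yet : " + algorithmName);
        }
        if (verifier == null) {
            handleException("Could not create a signature verifier for algorithm type: " + algorithmName);
        }
        return signedJWT.verify(verifier);
    }

    /**
     * Extension point for validating custom claims; accepts everything by default.
     *
     * @param map the custom (non-registered) claims of the assertion, never {@code null} when called
     * @return {@code true} to accept the assertion, {@code false} to reject it
     */
    protected boolean validateCustomClaims(Map<String, Object> map) {
        return true;
    }

    /**
     * Logs the message and aborts validation with an {@link IdentityOAuth2Exception}.
     */
    private void handleException(String errorMessage) throws IdentityOAuth2Exception {
        log.error(errorMessage);
        throw new IdentityOAuth2Exception(errorMessage);
    }

    /**
     * Logs the message with its cause and aborts validation, preserving the cause on the thrown exception.
     */
    private void handleException(String errorMessage, Throwable cause) throws IdentityOAuth2Exception {
        log.error(errorMessage, cause);
        throw new IdentityOAuth2Exception(errorMessage, cause);
    }
}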
