package org.wso2.carbon.identity.client.attestation.mgt.validators;

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.services.playintegrity.v1.PlayIntegrity;
import com.google.api.services.playintegrity.v1.PlayIntegrityRequestInitializer;
import com.google.api.services.playintegrity.v1.model.AppIntegrity;
import com.google.api.services.playintegrity.v1.model.DecodeIntegrityTokenRequest;
import com.google.api.services.playintegrity.v1.model.DecodeIntegrityTokenResponse;
import com.google.api.services.playintegrity.v1.model.RequestDetails;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.ServiceAccountCredentials;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Calendar;
import java.util.TimeZone;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.ClientAttestationMetaData;
import org.wso2.carbon.identity.client.attestation.mgt.exceptions.ClientAttestationMgtException;
import org.wso2.carbon.identity.client.attestation.mgt.model.ClientAttestationContext;
import org.wso2.carbon.identity.client.attestation.mgt.utils.Constants;
import org.wso2.carbon.identity.core.util.IdentityUtil;

/* loaded from: input_file:org/wso2/carbon/identity/client/attestation/mgt/validators/AndroidAttestationValidator.class */
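/**
 * Validates Android client attestation by sending the client's Play Integrity token to
 * Google's decodeIntegrityToken endpoint and checking the decoded verdict.
 *
 * <p>A request is marked attested only when the decoded request package name matches the
 * configured Android package name, the token is inside the configured freshness window
 * (when one is configured), and the app recognition verdict is {@code PLAY_RECOGNIZED}.
 * Every other outcome, including a decoded payload with missing sections, fails closed.
 *
 * <p>NOTE(review): nothing in this class compares the decoded nonce / request hash with a
 * server-issued value, so request binding (replay protection) must happen elsewhere, if at
 * all. Confirm against the caller. Only the app recognition verdict is evaluated; device
 * integrity and licensing verdicts are not inspected here. Confirm that is intended.
 */
public class AndroidAttestationValidator implements ClientAttestationValidator {
    private static final Log LOG = LogFactory.getLog(AndroidAttestationValidator.class);
    private static final String ANDROID = "ANDROID";
    private final String applicationResourceId;
    private final String tenantDomain;
    private final ClientAttestationMetaData clientAttestationMetaData;

    /**
     * @param applicationResourceId     resource id of the application being attested (used in messages and logs)
     * @param tenantDomain              tenant domain of the application (used in messages and logs)
     * @param clientAttestationMetaData attestation configuration: Android package name and service credentials
     */
    public AndroidAttestationValidator(String applicationResourceId, String tenantDomain,
                                       ClientAttestationMetaData clientAttestationMetaData) {
        this.applicationResourceId = applicationResourceId;
        this.tenantDomain = tenantDomain;
        this.clientAttestationMetaData = clientAttestationMetaData;
    }

    /**
     * Decodes the integrity token through the Play Integrity service and records the verdict
     * on the context.
     *
     * @param integrityToken           integrity token supplied by the client
     * @param clientAttestationContext context that receives the attested flag and failure message
     * @throws ClientAttestationMgtException if credentials are missing, the token cannot be decoded,
     *                                       or the service returns no response
     */
    @Override // org.wso2.carbon.identity.client.attestation.mgt.validators.ClientAttestationValidator
    public void validateAttestation(String integrityToken, ClientAttestationContext clientAttestationContext)
            throws ClientAttestationMgtException {
        DecodeIntegrityTokenResponse response = decodeIntegrityToken(integrityToken, clientAttestationContext);
        if (response == null) {
            throw new ClientAttestationMgtException("Unable to validate attestation, cause "
                    + "decodeIntegrityTokenResponse is null for application : " + this.applicationResourceId
                    + ", tenant domain : " + this.tenantDomain);
        }
        validateIntegrityResponse(response, clientAttestationContext);
    }

    /**
     * Calls the Play Integrity decodeIntegrityToken API using the configured service-account credentials.
     *
     * @throws ClientAttestationMgtException if the credentials are not configured or the call fails
     */
    private DecodeIntegrityTokenResponse decodeIntegrityToken(String integrityToken,
                                                              ClientAttestationContext clientAttestationContext)
            throws ClientAttestationMgtException {
        try {
            // The service-account JSON is a secret: it must never reach a log line or an exception message.
            String serviceCredentials = this.clientAttestationMetaData.getAndroidAttestationServiceCredentials();
            if (serviceCredentials == null) {
                throw new ClientAttestationMgtException("Unable to validate attestation, cause "
                        + "AndroidAttestationServiceCredentials is null for application : "
                        + this.applicationResourceId + ", tenant domain : " + this.tenantDomain);
            }
            ByteArrayInputStream credentialStream =
                    new ByteArrayInputStream(serviceCredentials.getBytes(StandardCharsets.UTF_8));
            DecodeIntegrityTokenRequest decodeRequest = new DecodeIntegrityTokenRequest();
            decodeRequest.setIntegrityToken(integrityToken);
            HttpCredentialsAdapter credentialsAdapter =
                    new HttpCredentialsAdapter(ServiceAccountCredentials.fromStream(credentialStream));
            String androidPackageName = this.clientAttestationMetaData.getAndroidPackageName();
            PlayIntegrity playIntegrity = new PlayIntegrity.Builder(GoogleNetHttpTransport.newTrustedTransport(),
                    GsonFactory.getDefaultInstance(), credentialsAdapter)
                    .setApplicationName(androidPackageName)
                    .setGoogleClientRequestInitializer(new PlayIntegrityRequestInitializer())
                    .build();
            return playIntegrity.v1().decodeIntegrityToken(androidPackageName, decodeRequest).execute();
        } catch (IOException | GeneralSecurityException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Unable to decode or verify attestation request from Client :" + this.applicationResourceId
                        + " in tenant : " + this.tenantDomain + " from google play integrity service.", e);
            }
            throw new ClientAttestationMgtException(
                    "Unable to decode or verify the integrity token from google play integrity service.", e);
        }
    }

    /** Marks the context attested only when both the request details and the app integrity checks pass. */
    private void validateIntegrityResponse(DecodeIntegrityTokenResponse decodeIntegrityTokenResponse,
                                           ClientAttestationContext clientAttestationContext) {
        if (validateRequestDetails(decodeIntegrityTokenResponse, clientAttestationContext)
                && validateAppIntegrity(decodeIntegrityTokenResponse, clientAttestationContext)) {
            clientAttestationContext.setAttested(true);
        }
    }

    /**
     * Checks that the token was requested for the configured package and, when an allowed
     * window is configured, that its timestamp lies within that window of the current time.
     *
     * @return {@code true} if the request details are acceptable; otherwise {@code false} with
     *         the context marked not attested and a failure message set
     */
    private boolean validateRequestDetails(DecodeIntegrityTokenResponse decodeIntegrityTokenResponse,
                                           ClientAttestationContext clientAttestationContext) {
        // Fail closed with an explicit message instead of an unchecked NullPointerException
        // when the decoded payload lacks the section this check depends on.
        RequestDetails requestDetails = decodeIntegrityTokenResponse.getTokenPayloadExternal() == null
                ? null
                : decodeIntegrityTokenResponse.getTokenPayloadExternal().getRequestDetails();
        if (requestDetails == null) {
            return reject(clientAttestationContext, "Request details are missing in the decoded integrity token.");
        }
        String expectedPackageName = this.clientAttestationMetaData.getAndroidPackageName();
        if (!StringUtils.equals(requestDetails.getRequestPackageName(), expectedPackageName)) {
            return reject(clientAttestationContext,
                    "Package name in the request details does not match with the requested client.");
        }
        String allowedWindowConfig =
                IdentityUtil.getProperty(Constants.CLIENT_ATTESTATION_ALLOWED_WINDOW_IN_MILL_SECOND);
        if (StringUtils.isEmpty(allowedWindowConfig)) {
            // NOTE(review): with no window configured, token age is not checked at all, so a
            // decoded token is accepted regardless of its timestamp. Confirm deployments set the property.
            return true;
        }
        long allowedWindowMillis;
        try {
            allowedWindowMillis = Long.parseLong(allowedWindowConfig);
        } catch (NumberFormatException e) {
            LOG.error("Error while parsing attestation allowed window timeout config: " + allowedWindowConfig, e);
            return reject(clientAttestationContext, "Error while parsing attestation allowed window timeout "
                    + "config. Probably a misconfiguration, hence rejecting the request.");
        }
        if (allowedWindowMillis < 0) {
            // A negative window cannot express a valid freshness policy; handle it like an unparsable value.
            LOG.error("Error while parsing attestation allowed window timeout config: " + allowedWindowConfig);
            return reject(clientAttestationContext, "Error while parsing attestation allowed window timeout "
                    + "config. Probably a misconfiguration, hence rejecting the request.");
        }
        if (requestDetails.getTimestampMillis() == null) {
            return reject(clientAttestationContext, "Timestamp is missing in the decoded integrity token.");
        }
        long ageMillis = System.currentTimeMillis() - requestDetails.getTimestampMillis().longValue();
        if (ageMillis > allowedWindowMillis) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Attestation request provided by Client :" + this.applicationResourceId + " in tenant : "
                        + this.tenantDomain + " is older than required window.");
            }
            return reject(clientAttestationContext,
                    "Attestation request provided by Client is older than required window.");
        }
        if (ageMillis < -allowedWindowMillis) {
            // Previously any future timestamp produced a negative age and passed the check.
            // Clock skew up to the window is tolerated; anything beyond it is rejected.
            if (LOG.isDebugEnabled()) {
                LOG.debug("Attestation request provided by Client :" + this.applicationResourceId + " in tenant : "
                        + this.tenantDomain + " carries a timestamp ahead of the allowed window.");
            }
            return reject(clientAttestationContext,
                    "Attestation request provided by Client has a timestamp ahead of the allowed window.");
        }
        return true;
    }

    /**
     * Checks that the app recognition verdict in the decoded token is {@code PLAY_RECOGNIZED}.
     *
     * @return {@code true} if the verdict matches; otherwise {@code false} with the context
     *         marked not attested and a failure message set
     */
    private boolean validateAppIntegrity(DecodeIntegrityTokenResponse decodeIntegrityTokenResponse,
                                         ClientAttestationContext clientAttestationContext) {
        AppIntegrity appIntegrity = decodeIntegrityTokenResponse.getTokenPayloadExternal() == null
                ? null
                : decodeIntegrityTokenResponse.getTokenPayloadExternal().getAppIntegrity();
        if (appIntegrity == null) {
            // A missing verdict is treated as a failed verdict rather than surfacing as an NPE.
            return reject(clientAttestationContext, "App integrity is missing in the decoded integrity token.");
        }
        String verdict = appIntegrity.getAppRecognitionVerdict();
        if (StringUtils.equals(verdict, Constants.PLAY_RECOGNIZED)) {
            return true;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Attestation request provided by Client :" + this.applicationResourceId + " in tenant : "
                    + this.tenantDomain + " is invalid. Application integrity validation failed. "
                    + "Unexpected recognition verdict: " + verdict);
        }
        return reject(clientAttestationContext,
                "Application integrity validation failed. Unexpected recognition verdict: " + verdict);
    }

    /** Records a validation failure on the context; always returns {@code false} for use in guard clauses. */
    private boolean reject(ClientAttestationContext clientAttestationContext, String failureMessage) {
        clientAttestationContext.setAttested(false);
        clientAttestationContext.setValidationFailureMessage(failureMessage);
        return false;
    }

    /** @return the attestation type handled by this validator, {@code "ANDROID"} */
    @Override // org.wso2.carbon.identity.client.attestation.mgt.validators.ClientAttestationValidator
    public String getAttestationValidationType() {
        return ANDROID;
    }
}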
