package org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt;

import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Properties;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.JWTValidator;
import org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handler/clientauth/jwt/PrivateKeyJWTClientAuthHandler.class */
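/**
 * Client authentication handler for the token endpoint that authenticates an OAuth client
 * from a signed JWT sent as a client assertion ("private_key_jwt").
 *
 * <p>The handler reads the assertion type and the assertion from the request parameters,
 * parses the assertion as a {@link SignedJWT} and delegates all validation to a
 * {@link JWTValidator} built from the handler's configuration properties.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The raw assertion and its signature are never written to the log. The assertion is the
 *       client's credential for the request; anyone able to read it from a debug log could
 *       present it again until it expires, unless replay is prevented elsewhere (not visible
 *       in this class).</li>
 *   <li>Every failure path returns {@code false} or throws, so an unparsable or missing
 *       assertion never authenticates the client.</li>
 * </ul>
 */
public class PrivateKeyJWTClientAuthHandler extends AbstractClientAuthHandler {
    private static final Log log = LogFactory.getLog(PrivateKeyJWTClientAuthHandler.class);

    /** Value used when the reject-before period is not configured or is not a valid integer. */
    private static final int DEFAULT_REJECT_BEFORE_PERIOD = 300;

    private JWTValidator jwtValidator;

    /**
     * Initialises the handler from its configuration properties.
     *
     * @param properties handler configuration; supplies the strict credential validation flag,
     *                   the reject-before period and the token endpoint alias
     * @throws IdentityOAuth2Exception declared by the handler contract; not thrown by this method
     */
    public void init(Properties properties) throws IdentityOAuth2Exception {
        this.authConfig = properties.getProperty("StrictClientCredentialValidation");
        this.jwtValidator = createJWTValidator(properties);
    }

    /**
     * Builds the validator used for every assertion handled by this instance.
     *
     * <p>The reject-before period and the token endpoint alias are read independently, so a
     * malformed period falls back to the default without discarding a configured alias.
     * Previously both reads shared one {@code try} block and a {@link NumberFormatException}
     * silently left the alias empty.
     *
     * @param properties handler configuration
     * @return a validator configured from {@code properties}
     */
    private JWTValidator createJWTValidator(Properties properties) {
        int rejectBeforePeriod = DEFAULT_REJECT_BEFORE_PERIOD;
        String configuredPeriod = properties.getProperty(Constants.REJECT_BEFORE_PERIOD);
        if (StringUtils.isNotEmpty(configuredPeriod)) {
            try {
                rejectBeforePeriod = Integer.parseInt(configuredPeriod);
            } catch (NumberFormatException e) {
                log.warn("Invalid PrivateKeyJWT Validity period found in the configuration. Using default value:300");
            }
        }

        String configuredAlias = properties.getProperty(Constants.TOKEN_ENDPOINT_ALIAS);
        String tokenEndpointAlias = StringUtils.isNotEmpty(configuredAlias) ? configuredAlias : "";

        if (log.isDebugEnabled()) {
            log.debug("PrivateKeyJWT Validity period is set to:" + rejectBeforePeriod);
        }
        // NOTE(review): the two boolean flags and the trailing empty string are passed through
        // unchanged; their meaning is defined by JWTValidator's constructor, which is not visible
        // here. Confirm they enable the intended checks before changing them.
        return new JWTValidator(rejectBeforePeriod, true, true, tokenEndpointAlias, "");
    }

    /**
     * Reports whether the request carries a JWT client assertion this handler can process.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return {@code true} when the assertion type matches and an assertion is present
     * @throws IdentityOAuth2Exception declared by the handler contract
     */
    public boolean canAuthenticate(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        String assertionType = getRequestParameter(oAuthTokenReqMessageContext, Constants.OAUTH_JWT_ASSERTION_TYPE);
        String assertion = getRequestParameter(oAuthTokenReqMessageContext, Constants.OAUTH_JWT_ASSERTION);
        return isValidJWTClientAssertionRequest(assertionType, assertion);
    }

    /**
     * Checks the assertion type against the expected constant and that an assertion was sent.
     *
     * @param str  value of the assertion type parameter, may be {@code null}
     * @param str2 value of the assertion parameter, may be {@code null}
     * @return {@code true} when the type matches and the assertion is non-empty
     */
    private boolean isValidJWTClientAssertionRequest(String str, String str2) {
        if (log.isDebugEnabled()) {
            // Log only whether an assertion was sent: the assertion itself is a credential.
            log.debug("Authenticate Requested with : " + str + " and private_key_jwt present: "
                    + StringUtils.isNotEmpty(str2));
        }
        return Constants.OAUTH_JWT_BEARER_GRANT_TYPE.equals(str) && StringUtils.isNotEmpty(str2);
    }

    /**
     * Authenticates the client from the JWT assertion in the request.
     *
     * <p>When the assertion is valid and the request carries no client id, the client id is set
     * to the subject resolved from the assertion's claims.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return {@code true} only when the validator accepts the assertion; {@code false} when the
     *         assertion is missing, cannot be parsed or fails validation
     * @throws IdentityOAuth2Exception declared by the handler contract; validation errors are
     *                                 caught here and reported as {@code false}
     */
    public boolean authenticateClient(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        try {
            SignedJWT signedJWT = getSignedJWT(oAuthTokenReqMessageContext);
            if (signedJWT == null) {
                // getSignedJWT returns null when no assertion was sent. Fail closed here rather
                // than rely on how the validator treats a null token.
                if (log.isDebugEnabled()) {
                    log.debug("No client assertion found in the request; client is not authenticated");
                }
                return false;
            }
            boolean isValidToken = this.jwtValidator.isValidToken(signedJWT);
            // NOTE(review): when the request already carries a client_id it is left as sent and is
            // not compared with the assertion's subject in this method. Confirm that JWTValidator
            // or a later step rejects a client_id that names a different client than the assertion.
            if (isValidToken && StringUtils.isEmpty(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId())) {
                String subject = this.jwtValidator.resolveSubject(this.jwtValidator.getClaimSet(signedJWT));
                oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().setClientId(subject);
            }
            return isValidToken;
        } catch (IdentityOAuth2Exception e) {
            // Deliberate: any validation error is an authentication failure, not a server error.
            log.error("Error occurred validating the signed JWT", e);
            return false;
        }
    }

    /**
     * Returns the first value of the first request parameter whose key equals {@code str}.
     *
     * <p>Parameters with no values are skipped. The search stops at the first parameter that has
     * the key and at least one value, even when that value is empty.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @param str                         parameter key to look up
     * @return the parameter value, or {@code null} when absent or empty
     * @throws IdentityOAuth2Exception declared for callers; not thrown by this method
     */
    private String getRequestParameter(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, String str) throws IdentityOAuth2Exception {
        RequestParameter[] requestParameters = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getRequestParameters();
        if (requestParameters == null) {
            // A request without extra parameters must not fail with a NullPointerException.
            return null;
        }
        String value = null;
        for (RequestParameter requestParameter : requestParameters) {
            if (requestParameter == null) {
                continue;
            }
            // Compare from the known key so a parameter with a null key cannot throw.
            if (str.equals(requestParameter.getKey()) && !ArrayUtils.isEmpty(requestParameter.getValue())) {
                value = requestParameter.getValue()[0];
                break;
            }
        }
        return StringUtils.isEmpty(value) ? null : value;
    }

    /**
     * Parses the client assertion from the request.
     *
     * @param oAuthTokenReqMessageContext token request context
     * @return the parsed JWT, or {@code null} when the request carries no assertion
     * @throws IdentityOAuth2Exception when the assertion cannot be parsed as a signed JWT
     */
    private SignedJWT getSignedJWT(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        String requestParameter = getRequestParameter(oAuthTokenReqMessageContext, Constants.OAUTH_JWT_ASSERTION);
        if (StringUtils.isEmpty(requestParameter)) {
            return null;
        }
        try {
            SignedJWT parse = SignedJWT.parse(requestParameter);
            // Check for null before logging: the logging helper dereferences the JWT.
            if (parse == null) {
                log.error("No Valid Assertion was found for urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
                throw new IdentityOAuth2Exception("No Valid Assertion was found for urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
            }
            logJWT(parse);
            return parse;
        } catch (ParseException e) {
            log.error("Error while parsing the JWT", e);
            throw new IdentityOAuth2Exception("Error while parsing the JWT", e);
        }
    }

    /**
     * Writes the JWT header and payload to the debug log.
     *
     * <p>The signature is intentionally not logged: header, payload and signature together are
     * the complete assertion, which must not be recoverable from log files.
     *
     * @param signedJWT parsed assertion; must not be {@code null}
     */
    private void logJWT(SignedJWT signedJWT) {
        if (log.isDebugEnabled()) {
            log.debug("JWT Header: " + signedJWT.getHeader().toJSONObject().toString());
            log.debug("JWT Payload: " + signedJWT.getPayload().toJSONObject().toString());
        }
    }
}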
