package com.wso2.openbanking.accelerator.gateway.executor.service;

import com.wso2.openbanking.accelerator.common.config.OpenBankingConfigParser;
import com.wso2.openbanking.accelerator.common.exception.CertificateValidationException;
import com.wso2.openbanking.accelerator.common.exception.TPPValidationException;
import com.wso2.openbanking.accelerator.common.model.PSD2RoleEnum;
import com.wso2.openbanking.accelerator.common.util.eidas.certificate.extractor.CertificateContent;
import com.wso2.openbanking.accelerator.common.util.eidas.certificate.extractor.CertificateContentExtractor;
import com.wso2.openbanking.accelerator.gateway.cache.GatewayCacheKey;
import com.wso2.openbanking.accelerator.gateway.cache.TppValidationCache;
import com.wso2.openbanking.accelerator.gateway.executor.model.RevocationStatus;
import com.wso2.openbanking.accelerator.gateway.executor.revocation.RevocationValidator;
import com.wso2.openbanking.accelerator.gateway.internal.TPPCertValidatorDataHolder;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/wso2/openbanking/accelerator/gateway/executor/service/CertValidationService.class */
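public class CertValidationService {
    private static final Log log = LogFactory.getLog(CertValidationService.class);
    private static CertValidationService certValidationService;

    private CertValidationService() {
    }

    /**
     * Returns the shared instance, creating it on first use.
     * <p>
     * The method is {@code synchronized} on the class, so concurrent first
     * callers cannot observe more than one instance.
     *
     * @return the singleton {@link CertValidationService}
     */
    public static synchronized CertValidationService getInstance() {
        if (certValidationService == null) {
            certValidationService = new CertValidationService();
        }
        return certValidationService;
    }

    /**
     * Checks the revocation status of {@code x509Certificate} with the configured
     * revocation validators.
     *
     * @param x509Certificate  certificate whose revocation status is checked
     * @param x509Certificate2 second certificate handed to every validator together
     *                         with the first (presumably the issuer; not established here)
     * @param i                forwarded unchanged as the second argument of
     *                         {@code RevocationValidatorFactory#getValidator(String, int)}
     * @return {@code true} only if a validator answers {@link RevocationStatus#GOOD};
     *         {@code false} on {@link RevocationStatus#REVOKED} or when no validator
     *         gives a definite answer (fail-closed)
     * @deprecated use {@link #verify(X509Certificate, X509Certificate, int, int, int, int)},
     *             which forwards the full validator configuration
     */
    @Deprecated
    public boolean verify(X509Certificate x509Certificate, X509Certificate x509Certificate2, int i) {
        RevocationValidatorFactory factory = new RevocationValidatorFactory();
        return verifyWithValidators(x509Certificate, x509Certificate2, type -> factory.getValidator(type, i));
    }

    /**
     * Checks the revocation status of {@code x509Certificate} with the configured
     * revocation validators.
     *
     * @param x509Certificate  certificate whose revocation status is checked
     * @param x509Certificate2 second certificate handed to every validator together
     *                         with the first (presumably the issuer; not established here)
     * @param i                forwarded unchanged, in this order, as the trailing arguments of
     *                         {@code RevocationValidatorFactory#getValidator(String, int, int, int, int)}
     * @param i2               see {@code i}
     * @param i3               see {@code i}
     * @param i4               see {@code i}
     * @return {@code true} only if a validator answers {@link RevocationStatus#GOOD};
     *         {@code false} on {@link RevocationStatus#REVOKED} or when no validator
     *         gives a definite answer (fail-closed)
     */
    public boolean verify(X509Certificate x509Certificate, X509Certificate x509Certificate2, int i, int i2, int i3,
                          int i4) {
        RevocationValidatorFactory factory = new RevocationValidatorFactory();
        return verifyWithValidators(x509Certificate, x509Certificate2,
                type -> factory.getValidator(type, i, i2, i3, i4));
    }

    /**
     * Common body of both {@code verify} overloads: builds the validator chain from
     * configuration and returns the first definite answer.
     * <p>
     * Validators are consulted in ascending order of their configuration key, and the
     * first {@code GOOD} or {@code REVOKED} ends the loop — a {@code GOOD} from an earlier
     * validator is not cross-checked against later ones, so the key order is the
     * precedence. {@code UNKNOWN} (including a validator that threw) moves on to the next
     * validator; if every validator is exhausted without a definite answer the result is
     * {@code false}.
     *
     * @param x509Certificate  certificate whose revocation status is checked
     * @param x509Certificate2 second certificate handed to every validator
     * @param validatorFor     maps a configured validator name to a validator instance;
     *                         a {@code null} result is skipped
     * @return {@code true} on the first {@code GOOD}, otherwise {@code false}
     */
    private boolean verifyWithValidators(X509Certificate x509Certificate, X509Certificate x509Certificate2,
                                         Function<String, RevocationValidator> validatorFor) {
        RevocationValidator[] validators = OpenBankingConfigParser.getInstance()
                .getCertificateRevocationValidators().entrySet().stream()
                .sorted(Map.Entry.comparingByKey())
                .map(Map.Entry::getValue)
                .map(validatorFor)
                .filter(Objects::nonNull)
                .toArray(RevocationValidator[]::new);
        for (RevocationValidator validator : validators) {
            RevocationStatus status = isRevoked(validator, x509Certificate, x509Certificate2);
            if (RevocationStatus.GOOD == status) {
                return true;
            }
            if (RevocationStatus.REVOKED == status) {
                return false;
            }
        }
        // No validator could decide: treat as not verified rather than as good.
        log.error("Unable to verify certificate revocation information");
        return false;
    }

    /**
     * Asks one validator for the revocation status of {@code x509Certificate}.
     * <p>
     * A {@link CertificateValidationException} is logged at WARN and mapped to
     * {@link RevocationStatus#UNKNOWN}, so a failing validator never counts as
     * {@code GOOD}; the caller then falls through to the next validator.
     *
     * @param revocationValidator validator to consult
     * @param x509Certificate     certificate whose revocation status is checked
     * @param x509Certificate2    second certificate handed to the validator
     * @return the validator's answer, or {@code UNKNOWN} if it threw
     */
    private RevocationStatus isRevoked(RevocationValidator revocationValidator, X509Certificate x509Certificate,
                                       X509Certificate x509Certificate2) {
        String validatorName = revocationValidator.getClass().getSimpleName();
        if (log.isDebugEnabled()) {
            log.debug("X509 Certificate validation with " + validatorName);
        }
        try {
            return revocationValidator.checkRevocationStatus(x509Certificate, x509Certificate2);
        } catch (CertificateValidationException e) {
            log.warn("Unable to validate certificate revocation with " + validatorName, e);
            return RevocationStatus.UNKNOWN;
        }
    }

    /**
     * Validates that the TPP presenting {@code x509Certificate} may act in the given roles.
     * <p>
     * When TPP validation is disabled the check falls back to matching the requested
     * roles against the PSD2 roles carried in the certificate (if that is enabled);
     * otherwise a configured {@link TPPValidationService} is consulted, with its result
     * cached under the key it derives from the certificate and roles. Only a positive
     * result is cached: a negative answer is re-evaluated on every call, while a cached
     * positive answer is served until the cache entry is evicted (eviction policy lives in
     * {@link TppValidationCache}, not here).
     *
     * @param x509Certificate TPP certificate
     * @param list            roles the TPP is requesting
     * @return {@code true} if the TPP is valid for the requested roles
     * @throws TPPValidationException         if neither validation mode is enabled, the
     *                                        service implementation is not configured or
     *                                        cannot be instantiated, or a required role is
     *                                        missing from the certificate
     * @throws CertificateValidationException if the certificate content cannot be extracted
     */
    public boolean validateTppRoles(X509Certificate x509Certificate, List<PSD2RoleEnum> list)
            throws TPPValidationException, CertificateValidationException {
        TPPCertValidatorDataHolder dataHolder = TPPCertValidatorDataHolder.getInstance();
        if (!dataHolder.isTppValidationEnabled()) {
            if (dataHolder.isPsd2RoleValidationEnabled()) {
                return isRequiredRolesMatchWithScopes(x509Certificate, list);
            }
            throw new TPPValidationException("Both TPP validation and PSD2 role validation services are disabled");
        }
        if (StringUtils.isBlank(dataHolder.getTPPValidationServiceImpl())) {
            throw new TPPValidationException("TPP validation service class implementation is empty");
        }
        TPPValidationService tppValidationService = dataHolder.getTppValidationService();
        if (tppValidationService == null) {
            throw new TPPValidationException("Unable to find the implementation class for TPP validation service");
        }
        TppValidationCache tppValidationCache = TppValidationCache.getInstance();
        GatewayCacheKey cacheKey = GatewayCacheKey.of(
                tppValidationService.getCacheKey(x509Certificate, list, Collections.emptyMap()));
        // Look the entry up once. Looking it up twice (null-check, then unbox a second
        // lookup) would throw NullPointerException if the entry is evicted in between.
        Object cached = tppValidationCache.getFromCache(cacheKey);
        if (cached != null) {
            return (Boolean) cached;
        }
        boolean valid = tppValidationService.validate(x509Certificate, list, Collections.emptyMap());
        if (valid) {
            // Negative results are deliberately not cached.
            tppValidationCache.addToCache(cacheKey, true);
        }
        return valid;
    }

    /**
     * Checks that every requested role is present among the PSD2 roles in the certificate.
     * <p>
     * Roles are compared by {@link PSD2RoleEnum#name()}. An empty {@code list} passes
     * vacuously, since there is nothing to require.
     *
     * @param x509Certificate PSD2 eIDAS certificate
     * @param list            roles that must all be present in the certificate
     * @return {@code true} when every requested role is present
     * @throws CertificateValidationException if the certificate content cannot be extracted
     * @throws TPPValidationException         on the first requested role that is missing
     */
    private boolean isRequiredRolesMatchWithScopes(X509Certificate x509Certificate, List<PSD2RoleEnum> list)
            throws CertificateValidationException, TPPValidationException {
        CertificateContent content = CertificateContentExtractor.extract(x509Certificate);
        if (log.isDebugEnabled()) {
            log.debug("The TPP is requesting roles: " + list);
            log.debug("Provided PSD2 eIDAS certificate contains the role: " + content.getPspRoles());
        }
        for (PSD2RoleEnum requiredRole : list) {
            if (!content.getPspRoles().contains(requiredRole.name())) {
                String message = "The PSD2 eIDAS certificate does not contain the required role " + requiredRole;
                log.error(message);
                throw new TPPValidationException(message);
            }
        }
        return true;
    }
}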
