package com.wso2.openbanking.accelerator.identity.token.validators;

import com.wso2.openbanking.accelerator.common.exception.OpenBankingException;
import com.wso2.openbanking.accelerator.common.util.Generated;
import com.wso2.openbanking.accelerator.identity.token.util.TokenFilterException;
import com.wso2.openbanking.accelerator.identity.util.ClientAuthenticatorEnum;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonHelper;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/wso2/openbanking/accelerator/identity/token/validators/ClientAuthenticatorValidator.class */
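/**
 * Token-endpoint filter validator that checks the client authentication method used on the
 * request against the {@code token_endpoint_auth_method} value registered for the client.
 *
 * <p>Security note: the method of the request is derived from what the request carries
 * (form parameters, and whatever {@code IdentityCommonHelper#isMTLSAuthentication} inspects).
 * This class only classifies and compares; it does not verify the JWT assertion or the
 * client certificate. That verification has to happen in the authenticator that runs
 * afterwards.
 */
public class ClientAuthenticatorValidator implements OBIdentityFilterValidator {
    private static final Log log = LogFactory.getLog(ClientAuthenticatorValidator.class);

    /**
     * Rejects the request when its client authentication method is not the registered one.
     *
     * @param servletRequest incoming request; must be an {@link HttpServletRequest}
     * @param str identifier handed to the service-provider metadata lookups
     *            (presumably the OAuth client id; confirm against the caller)
     * @throws TokenFilterException 401 when no method is registered for the client, 400 when
     *                              the request's method is not part of the registered value
     * @throws ServletException when the request is not an HTTP request
     */
    @Override
    public void validate(ServletRequest servletRequest, String str) throws TokenFilterException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            throw new ServletException("Error occurred during request validation, passed request is not a HttpServletRequest");
        }
        String registeredAuthMethod = retrieveRegisteredAuthMethod(str);
        // Fail closed with a protocol error when the metadata lookup yields nothing, instead of
        // letting a NullPointerException escape from the comparison below.
        if (registeredAuthMethod == null) {
            throw new TokenFilterException(401, "invalid_request", "Client authentication method not registered");
        }
        if (registeredAuthMethod.equals(IdentityCommonConstants.NOT_APPLICABLE)) {
            // The lookup signalled that this check does not apply to the client.
            return;
        }
        // NOTE(review): this is a substring match, not an exact or token-wise comparison. It
        // accepts any request method whose name occurs anywhere in the registered value.
        // Confirm the stored format and consider an exact comparison per registered method.
        String requestAuthMethod = retrieveRequestAuthMethod(servletRequest);
        if (!registeredAuthMethod.contains(requestAuthMethod)) {
            // NOTE(review): the error description echoes the registered method. If this text is
            // returned to a caller that has not authenticated yet, it discloses client
            // configuration. Consider logging the value instead of returning it.
            throw new TokenFilterException(400, "invalid_request", "Request does not follow the registered token endpoint auth method " + registeredAuthMethod);
        }
    }

    /**
     * Classifies the client authentication method presented by the request.
     *
     * <p>The JWT-assertion check runs first, so a request that carries both an assertion and
     * MTLS material is reported as {@code PRIVATE_KEY_JWT}.
     *
     * @param servletRequest incoming token request
     * @return the string form of {@code PRIVATE_KEY_JWT} or {@code TLS_CLIENT_AUTH}, or the
     *         literal {@code "INVALID_AUTH"} when neither method is detected
     * @throws TokenFilterException 401 when inspecting the request raises an
     *                              {@link OpenBankingException}
     */
    @Generated(message = "Excluding from code coverage because a the actual implementation test cases are coverd")
    public String retrieveRequestAuthMethod(ServletRequest servletRequest) throws TokenFilterException {
        try {
            if (isPrivateKeyJWTAuthentication(servletRequest)) {
                log.debug("Validating request with JWT client authentication method");
                return ClientAuthenticatorEnum.PRIVATE_KEY_JWT.toString();
            }
            if (!new IdentityCommonHelper().isMTLSAuthentication(servletRequest)) {
                return "INVALID_AUTH";
            }
            log.debug("Validating request with MTLS client authentication method");
            return ClientAuthenticatorEnum.TLS_CLIENT_AUTH.toString();
        } catch (OpenBankingException e) {
            // Keep the cause so the original failure stays visible in server-side stack traces.
            // NOTE(review): e.getMessage() becomes the error description; confirm it cannot
            // carry internal detail to the client.
            throw new TokenFilterException(401, "invalid_request", e.getMessage(), e);
        }
    }

    /**
     * Tells whether the request carries the parameters of a JWT client assertion.
     *
     * <p>This is a presence check only: the assertion-type parameter must equal
     * {@code OAUTH_JWT_BEARER_GRANT_TYPE} and the assertion parameter must be non-empty.
     * The assertion is neither parsed nor verified here.
     *
     * @param servletRequest incoming token request
     * @return {@code true} when both parameters are present as described
     */
    public boolean isPrivateKeyJWTAuthentication(ServletRequest servletRequest) {
        String assertionType = servletRequest.getParameter(IdentityCommonConstants.OAUTH_JWT_ASSERTION_TYPE);
        if (!IdentityCommonConstants.OAUTH_JWT_BEARER_GRANT_TYPE.equals(assertionType)) {
            return false;
        }
        return StringUtils.isNotEmpty(servletRequest.getParameter(IdentityCommonConstants.OAUTH_JWT_ASSERTION));
    }

    /**
     * Looks up the token endpoint authentication method registered for the client.
     *
     * <p>Returns {@code NOT_APPLICABLE}, which makes {@link #validate} skip the comparison,
     * when certificate content is found for the client and its service-provider metadata
     * carries the regulatory flag. Otherwise returns the {@code TOKEN_ENDPOINT_AUTH_METHOD}
     * application property.
     *
     * @param str identifier used for the metadata lookups (presumably the client id)
     * @return {@code NOT_APPLICABLE} or the registered method; may be {@code null} if the
     *         property lookup returns {@code null} (not visible from this class)
     * @throws TokenFilterException 401 when a lookup raises an {@link OpenBankingException}
     */
    @Generated(message = "Excluding from code coverage because a service call is required for the method")
    public String retrieveRegisteredAuthMethod(String str) throws TokenFilterException {
        try {
            IdentityCommonHelper helper = new IdentityCommonHelper();
            if (StringUtils.isNotEmpty(helper.getCertificateContent(str)) && IdentityCommonUtil.getRegulatoryFromSPMetaData(str)) {
                return IdentityCommonConstants.NOT_APPLICABLE;
            }
            return helper.getAppPropertyFromSPMetaData(str, IdentityCommonConstants.TOKEN_ENDPOINT_AUTH_METHOD);
        } catch (OpenBankingException e) {
            throw new TokenFilterException(401, "invalid_request", "Client authentication method not registered", e);
        }
    }
}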
