package com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.util;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.wso2.openbanking.accelerator.common.exception.OpenBankingException;
import com.wso2.openbanking.accelerator.common.util.Generated;
import com.wso2.openbanking.accelerator.identity.internal.IdentityExtensionsDataHolder;
import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.constants.PushAuthRequestConstants;
import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.exception.PushAuthRequestValidatorException;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonHelper;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.model.ServiceProviderProperty;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.jwt.JWKSBasedJWTValidator;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:com/wso2/openbanking/accelerator/identity/push/auth/extension/request/validator/util/PushAuthRequestValidatorUtils.class */
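/**
 * Static checks applied to an OAuth2 Pushed Authorization Request (PAR) and to the JWT
 * {@code request} object it carries.
 *
 * <p>Every {@code validate*} method either returns normally or throws a
 * {@link PushAuthRequestValidatorException} carrying the HTTP status and OAuth2 error code to
 * report back. Defects in the client's request map to status 400; failures while loading
 * server-side metadata (service-provider properties, resident IdP configuration, keys) map to
 * status 500 with error code {@code server_error}.
 *
 * <p>This is a decompiled class restored to compilable Java: the decompiler's register
 * artefacts ({@code r0}, {@code r1}) have been replaced by the values they stood for.
 */
public class PushAuthRequestValidatorUtils {
    private static final String OIDC_IDP_ENTITY_ID = "IdPEntityId";
    private static final String OAUTH2_TOKEN_EP_URL = "OAuth2TokenEPUrl";
    private static final String OIDC_ID_TOKEN_ISSUER_ID = "OAuth.OpenIDConnect.IDTokenIssuerID";
    private static final String CLIENT_ID = "client_id";
    private static final String RESPONSE_TYPE = "response_type";
    private static final String SCOPE = "scope";
    private static final String ID_TOKEN_RESPONSE_TYPE = "id_token";
    private static final String INVALID_REQUEST = "invalid_request";
    private static final String SERVER_ERROR = "server_error";
    private static final String JWKS_URI_PROPERTY = "jwksURI";
    private static final String OIDC_AUTHENTICATOR_NAME = "openidconnect";
    private static final String ALLOWED_ALGORITHMS_CONFIG = "SignatureValidation.AllowedAlgorithms.Algorithm";
    private static final long MILLIS_PER_SECOND = 1000L;
    private static final Log log = LogFactory.getLog(PushAuthRequestValidatorUtils.class);

    /** Form parameters accepted on the PAR endpoint in addition to {@code request}. */
    private static final List<String> ALLOWED_FORM_BODY_PARAMS = Collections.unmodifiableList(Arrays.asList(
            CLIENT_ID,
            IdentityCommonConstants.OAUTH_JWT_ASSERTION,
            IdentityCommonConstants.OAUTH_JWT_ASSERTION_TYPE));

    /**
     * Rejects a PAR form body that carries any parameter other than {@code request} (compared
     * case-insensitively) and the client-authentication parameters in
     * {@link #ALLOWED_FORM_BODY_PARAMS} (compared case-sensitively).
     *
     * @param map form parameters of the PAR request keyed by parameter name; {@code null} is treated as empty
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request} on the first unexpected key
     */
    public static void validateRequestFormBody(Map<String, Object> map) throws PushAuthRequestValidatorException {
        if (map == null) {
            return;
        }
        for (String parameterName : map.keySet()) {
            boolean isRequestObject = "request".equalsIgnoreCase(parameterName);
            if (!isRequestObject && !ALLOWED_FORM_BODY_PARAMS.contains(parameterName)) {
                throw clientError(INVALID_REQUEST, "Invalid parameters found in the request");
            }
        }
    }

    /**
     * Checks the request object's signing algorithm against the configured allow-list
     * ({@code SignatureValidation.AllowedAlgorithms.Algorithm}, a single string or a list).
     *
     * <p>When the allow-list is absent or empty every non-blank algorithm name is accepted.
     * NOTE(review): that is fail-open by design of the original configuration contract; a
     * deployment that wants to pin algorithms must configure an explicit list.
     *
     * @param obj value of the JWS {@code alg} header; anything that is not a non-blank String is rejected
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request_object} when the algorithm is
     *         missing, blank, not a string, or not present in a non-empty allow-list
     */
    public static void validateSignatureAlgorithm(Object obj) throws PushAuthRequestValidatorException {
        boolean allowed = false;
        if (obj instanceof String && StringUtils.isNotBlank((String) obj)) {
            List<String> allowedAlgorithms = getAllowedSignatureAlgorithms();
            allowed = allowedAlgorithms.isEmpty() || allowedAlgorithms.contains(obj);
        }
        if (!allowed) {
            throw clientError(PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                    "Invalid request object signing algorithm");
        }
    }

    /**
     * Reads the configured signing-algorithm allow-list.
     *
     * @return the configured names; a scalar configuration value becomes a one-element list and
     *         a missing value an empty list (null entries of a configured list are dropped)
     */
    private static List<String> getAllowedSignatureAlgorithms() {
        Object configured = IdentityExtensionsDataHolder.getInstance().getConfigurationMap()
                .get(ALLOWED_ALGORITHMS_CONFIG);
        if (configured == null) {
            return Collections.emptyList();
        }
        if (configured instanceof List) {
            List<String> names = new ArrayList<>();
            for (Object entry : (List<?>) configured) {
                if (entry != null) {
                    names.add(entry.toString());
                }
            }
            return names;
        }
        return Collections.singletonList(configured.toString());
    }

    /**
     * Reports whether {@code nonce} is mandatory for a space-separated {@code response_type}:
     * it is whenever one of the tokens is {@code id_token}.
     *
     * @param str the {@code response_type} value; {@code null} or blank yields {@code false}
     * @return {@code true} when an ID token is requested directly
     */
    public static boolean isNonceMandatory(String str) {
        if (StringUtils.isBlank(str)) {
            return false;
        }
        return Arrays.stream(str.split("\\s+")).anyMatch(ID_TOKEN_RESPONSE_TYPE::equals);
    }

    /**
     * Requires a {@code nonce} claim whenever the {@code response_type} makes it mandatory
     * (see {@link #isNonceMandatory(String)}). Requests without a usable
     * {@code response_type} pass this check; {@link #validateResponseType(JSONObject)} covers those.
     *
     * @param jSONObject request object claims
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request} when nonce is required but absent
     */
    public static void validateNonceParameter(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        if (!isNonceMandatory(jSONObject.getAsString(RESPONSE_TYPE))) {
            return;
        }
        if (jSONObject.getAsString(PushAuthRequestConstants.NONCE) == null) {
            throw clientError(INVALID_REQUEST, "Invalid Nonce parameter in the request");
        }
    }

    /**
     * Requires both PKCE claims, {@code code_challenge} and {@code code_challenge_method}.
     *
     * @param jSONObject request object claims
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request_object} naming the first missing claim
     */
    public static void validatePKCEParameters(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        requireClaim(jSONObject, PushAuthRequestConstants.CODE_CHALLENGE,
                PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                "Mandatory parameter code_challenge, not found in the request");
        requireClaim(jSONObject, PushAuthRequestConstants.CODE_CHALLENGE_METHOD,
                PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                "Mandatory parameter code_challenge_method, not found in the request");
    }

    /**
     * Requires a non-blank {@code response_type} claim.
     *
     * @param jSONObject request object claims
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request_object} when absent or blank
     */
    public static void validateResponseType(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        requireClaim(jSONObject, RESPONSE_TYPE, PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                "Mandatory parameter response_type, not found in the request");
    }

    /**
     * Requires a non-blank {@code redirect_uri} claim. Only presence is checked here; matching
     * against the registered redirect URIs is not done by this class.
     *
     * @param jSONObject request object claims
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request} when absent or blank
     */
    public static void validateRedirectUri(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        requireClaim(jSONObject, "redirect_uri", INVALID_REQUEST,
                "Mandatory parameter redirect_uri, not found in the request");
    }

    /**
     * Requires a {@code scope} claim and checks that every requested scope is among the scopes
     * registered for the client in its service-provider metadata.
     *
     * @param jSONObject request object claims; reads {@code scope} and {@code client_id}
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request} when scope is absent, or contains
     *         a value that is not registered (a client with no registered scopes gets no scope at all);
     *         500 {@code server_error} when the service-provider metadata cannot be read
     */
    public static void validateScope(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        String requestedScope = requireClaim(jSONObject, SCOPE, INVALID_REQUEST,
                "Mandatory parameter scope, not found in the request");
        String registeredScope;
        try {
            registeredScope = new IdentityCommonHelper()
                    .getAppPropertyFromSPMetaData(jSONObject.getAsString(CLIENT_ID), SCOPE);
        } catch (OpenBankingException e) {
            throw serverError("Error while retrieving sp meta data", e);
        }
        // Fail closed when nothing is registered instead of dereferencing a null/blank property.
        List<String> registeredScopes = StringUtils.isBlank(registeredScope)
                ? Collections.emptyList()
                : Arrays.asList(registeredScope.split("\\s+"));
        List<String> requestedScopes = Arrays.asList(requestedScope.split("\\s+"));
        if (!registeredScopes.containsAll(requestedScopes)) {
            throw clientError(INVALID_REQUEST, "Invalid scopes in the request");
        }
    }

    /**
     * Checks the {@code aud} claim (a string or a JSON array of strings) against the audience
     * values the resident IdP of the client's tenant accepts for PAR, see
     * {@link #getAllowedPARAudienceValues(String)}. An array passes when at least one entry matches.
     *
     * @param jSONObject request object claims; reads {@code aud} and {@code client_id}
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request_object} when {@code aud} is missing,
     *         of another type, or matches none of the allowed values; 500 when the allowed values cannot be loaded
     */
    @Generated(message = "Excluding from code coverage since it requires a service call")
    public static void validateAudience(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        Object audience = jSONObject.get(PushAuthRequestConstants.AUDIENCE);
        if (audience == null) {
            throw clientError(PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                    "aud parameter is missing in the request object");
        }
        String tenantDomain = getSPTenantDomainFromClientId(jSONObject.getAsString(CLIENT_ID));
        List<String> allowedAudiences = getAllowedPARAudienceValues(tenantDomain);
        boolean accepted = false;
        if (audience instanceof String) {
            accepted = allowedAudiences.contains(audience);
        } else if (audience instanceof JSONArray) {
            for (Object candidate : (JSONArray) audience) {
                if (allowedAudiences.contains(candidate)) {
                    accepted = true;
                    break;
                }
            }
        }
        if (!accepted) {
            throw clientError(PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                    "Invalid audience value in the request");
        }
    }

    /**
     * Requires the {@code iss} claim to be present and equal to the {@code client_id} claim, as a
     * request object must be issued by the client it is for.
     *
     * @param jSONObject request object claims
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request_object} when either claim is blank or they differ
     */
    public static void validateIssuer(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        String issuer = jSONObject.getAsString(PushAuthRequestConstants.ISSUER);
        String clientId = jSONObject.getAsString(CLIENT_ID);
        boolean issuerMatchesClient = StringUtils.isNotBlank(issuer)
                && StringUtils.isNotBlank(clientId)
                && issuer.equals(clientId);
        if (!issuerMatchesClient) {
            throw clientError(PushAuthRequestConstants.INVALID_REQUEST_OBJECT, "Invalid issuer in the request");
        }
    }

    /**
     * Validates the {@code exp} claim (seconds since the epoch): it must be present, numeric,
     * not already passed, and not more than one hour ahead.
     *
     * <p>NOTE(review): the configured timestamp skew is <em>added</em> to the server clock in
     * both comparisons, so it shortens the accepted window at the expiry end rather than
     * extending it; kept as in the original, confirm that is intended.
     *
     * @param jSONObject request object claims
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request_object} when {@code exp} is missing,
     *         non-numeric or more than an hour in the future; 400 {@code invalid_request} when already expired
     */
    public static void validateExpirationTime(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        String rawExpiry = requireClaim(jSONObject, PushAuthRequestConstants.EXPIRY,
                PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                "exp parameter is missing in the request object");
        long expiryMillis = numericDateToMillis("exp", rawExpiry);
        long nowWithSkewMillis = nowWithSkewMillis();
        if (expiryMillis - nowWithSkewMillis > PushAuthRequestConstants.ONE_HOUR_IN_MILLIS) {
            throw clientError(PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                    "exp parameter in the request object is over 1 hour in the future");
        }
        if (nowWithSkewMillis > expiryMillis) {
            throw clientError(INVALID_REQUEST, "Request object expired");
        }
    }

    /**
     * Validates the {@code nbf} claim (seconds since the epoch): it must be present, numeric,
     * not in the future (beyond the configured skew), and not more than one hour in the past.
     *
     * @param jSONObject request object claims
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request_object} when {@code nbf} is missing,
     *         non-numeric, not yet reached, or older than one hour
     */
    public static void validateNotBeforeClaim(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        String rawNotBefore = requireClaim(jSONObject, PushAuthRequestConstants.NOT_BEFORE,
                PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                "nbf parameter is missing in the request object");
        long notBeforeMillis = numericDateToMillis("nbf", rawNotBefore);
        long nowWithSkewMillis = nowWithSkewMillis();
        if (nowWithSkewMillis < notBeforeMillis) {
            throw clientError(PushAuthRequestConstants.INVALID_REQUEST_OBJECT, "Request object is not valid yet");
        }
        if (nowWithSkewMillis - notBeforeMillis > PushAuthRequestConstants.ONE_HOUR_IN_MILLIS) {
            throw clientError(PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                    "nbf parameter in the request object is over 1 hour in the past");
        }
    }

    /**
     * Verifies the signature of the compact-serialised JWS request object {@code str}.
     * When the client has a {@code jwksURI} service-provider property the key is fetched from
     * that JWKS; otherwise the certificate registered for the OAuth application is used.
     *
     * @param str compact-serialised signed JWT
     * @param jSONObject request object claims; reads {@code client_id}
     * @throws PushAuthRequestValidatorException 500 {@code server_error} when service-provider properties or the
     *         application certificate cannot be loaded; 400 {@code invalid_request} when the JWT does not parse or
     *         the signature does not verify; 400 {@code invalid_request_object} when JWKS-based validation rejects it
     */
    @Generated(message = "Excluding from code coverage since it requires several service calls")
    public static void validateSignature(String str, JSONObject jSONObject) throws PushAuthRequestValidatorException {
        String clientId = jSONObject.getAsString(CLIENT_ID);
        // Resolve SP metadata before parsing so a metadata failure is reported as 500, as before.
        String jwksUri = getJwksUri(clientId);
        SignedJWT signedJWT;
        try {
            signedJWT = SignedJWT.parse(str);
        } catch (ParseException e) {
            log.error("Unable to parse JWT object", e);
            throw new PushAuthRequestValidatorException(400, INVALID_REQUEST, e.getMessage(), e);
        }
        boolean verified;
        if (StringUtils.isBlank(jwksUri)) {
            log.debug("Validating from certificate");
            verified = verifyWithRegisteredCertificate(signedJWT, clientId);
        } else {
            log.debug("Validating from JWKS URI");
            verified = verifyWithJwks(signedJWT, jwksUri);
        }
        if (!verified) {
            throw clientError(INVALID_REQUEST, "Request object signature validation failed");
        }
    }

    /**
     * Looks up the {@code jwksURI} service-provider property of a client.
     *
     * @param clientId client identifier of the OAuth application
     * @return the property value (the last one if several are present), or {@code null} when none is registered
     * @throws PushAuthRequestValidatorException 500 {@code server_error} when the service provider cannot be loaded
     */
    private static String getJwksUri(String clientId) throws PushAuthRequestValidatorException {
        ServiceProviderProperty[] spProperties;
        try {
            spProperties = OAuth2Util.getServiceProvider(clientId).getSpProperties();
        } catch (IdentityOAuth2Exception e) {
            log.error("Unable to extract Service Provider Properties", e);
            throw new PushAuthRequestValidatorException(500, SERVER_ERROR, e.getMessage(), e);
        }
        String jwksUri = null;
        if (spProperties != null) {
            for (ServiceProviderProperty property : spProperties) {
                if (JWKS_URI_PROPERTY.equals(property.getName())) {
                    jwksUri = property.getValue();
                }
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Retrieved JWKS URI: " + jwksUri);
        }
        return jwksUri;
    }

    /**
     * Verifies {@code signedJWT} with the certificate registered for the client's OAuth application.
     *
     * @throws PushAuthRequestValidatorException 500 {@code server_error} when the certificate cannot be loaded
     */
    private static boolean verifyWithRegisteredCertificate(SignedJWT signedJWT, String clientId)
            throws PushAuthRequestValidatorException {
        try {
            Certificate certificate = OAuth2Util.getX509CertOfOAuthApp(clientId,
                    getSPTenantDomainFromClientId(clientId));
            return isSignatureVerified(signedJWT, certificate);
        } catch (IdentityOAuth2Exception e) {
            log.error("Unable to get certificate from app", e);
            throw new PushAuthRequestValidatorException(500, SERVER_ERROR, e.getMessage(), e);
        }
    }

    /**
     * Verifies {@code signedJWT} against the keys published at {@code jwksUri} using the
     * platform's {@link JWKSBasedJWTValidator}.
     *
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request_object} when the validator rejects the
     *         token; the message is derived from the validator's cause, see
     *         {@link #getCustomSignatureValidationErrorMessage(IdentityOAuth2Exception)}
     */
    private static boolean verifyWithJwks(SignedJWT signedJWT, String jwksUri)
            throws PushAuthRequestValidatorException {
        try {
            return new JWKSBasedJWTValidator().validateSignature(signedJWT.getParsedString(), jwksUri,
                    signedJWT.getHeader().getAlgorithm().getName(), new HashMap<>());
        } catch (IdentityOAuth2Exception e) {
            log.error("Unable to validate JWT using JWKS URL", e);
            throw new PushAuthRequestValidatorException(400, PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                    getCustomSignatureValidationErrorMessage(e), e);
        }
    }

    /**
     * Verifies a JWS with the RSA public key of {@code certificate}. Only RSA algorithms are
     * supported: {@code RS*} (RSASSA-PKCS1-v1_5) and {@code PS*} (RSASSA-PSS).
     *
     * @param signedJWT parsed signed JWT
     * @param certificate certificate whose public key signed the JWT; may be {@code null}
     * @return {@code true} only when the signature verifies; every failure (no certificate,
     *         unsupported algorithm, non-RSA key, verification error) is logged at debug level and yields {@code false}
     */
    @Generated(message = "Excluding from code coverage since it requires several service calls")
    private static boolean isSignatureVerified(SignedJWT signedJWT, Certificate certificate) {
        JWSHeader header = signedJWT.getHeader();
        if (certificate == null) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to locate certificate for JWT " + header.toString());
            }
            return false;
        }
        String algorithm = header.getAlgorithm().getName();
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the JWT Header: " + algorithm);
        }
        if (!algorithm.startsWith("RS") && !algorithm.startsWith("PS")) {
            if (log.isDebugEnabled()) {
                log.debug("Signature Algorithm not supported yet : " + algorithm);
            }
            return false;
        }
        PublicKey publicKey = certificate.getPublicKey();
        if (!(publicKey instanceof RSAPublicKey)) {
            log.debug("Public key is not an RSA public key.");
            return false;
        }
        try {
            return signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
        } catch (JOSEException e) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to verify the signature of the request object: " + signedJWT.serialize(), e);
            }
            return false;
        }
    }

    /**
     * Collects the audience values accepted for PAR request objects in a tenant: the resident
     * IdP's OAuth2 token endpoint URL (when configured), its entity id (falling back to the
     * server-wide {@code OAuth.OpenIDConnect.IDTokenIssuerID} property), and the PAR endpoint
     * URL derived from that entity id.
     *
     * @param str tenant domain whose resident IdP is consulted
     * @return the accepted audience values, in the order listed above
     * @throws PushAuthRequestValidatorException 500 {@code server_error} when the resident IdP cannot be loaded or
     *         the entity id is not a usable base URL for the PAR endpoint
     */
    @Generated(message = "Excluding from code coverage since it requires several service calls")
    private static List<String> getAllowedPARAudienceValues(String str) throws PushAuthRequestValidatorException {
        List<String> audiences = new ArrayList<>();
        String idpEntityId = "";
        try {
            FederatedAuthenticatorConfig oidcAuthenticator = IdentityApplicationManagementUtil.getFederatedAuthenticator(
                    IdentityProviderManager.getInstance().getResidentIdP(str).getFederatedAuthenticatorConfigs(),
                    OIDC_AUTHENTICATOR_NAME);
            Property entityIdProperty = IdentityApplicationManagementUtil.getProperty(
                    oidcAuthenticator.getProperties(), OIDC_IDP_ENTITY_ID);
            if (entityIdProperty != null) {
                idpEntityId = entityIdProperty.getValue();
                if (log.isDebugEnabled()) {
                    log.debug("Found IdPEntityID: " + idpEntityId + " for tenantDomain: " + str);
                }
            }
            Property tokenEndpointProperty = IdentityApplicationManagementUtil.getProperty(
                    oidcAuthenticator.getProperties(), OAUTH2_TOKEN_EP_URL);
            if (tokenEndpointProperty != null) {
                audiences.add(tokenEndpointProperty.getValue());
                if (log.isDebugEnabled()) {
                    log.debug("Found OAuth2TokenEPUrl: " + tokenEndpointProperty.getValue()
                            + " for tenantDomain: " + str);
                }
            }
            if (StringUtils.isEmpty(idpEntityId)) {
                idpEntityId = IdentityUtil.getProperty(OIDC_ID_TOKEN_ISSUER_ID);
                if (StringUtils.isNotEmpty(idpEntityId) && log.isDebugEnabled()) {
                    log.debug("'IdPEntityID' property was empty for tenantDomain: " + str
                            + ". Using OIDC IDToken Issuer value: " + idpEntityId
                            + " as alias to identify Resident IDP.");
                }
            }
            audiences.add(idpEntityId);
            try {
                audiences.add(new URL(new URL(idpEntityId), IdentityCommonConstants.PAR_ENDPOINT).toString());
            } catch (MalformedURLException e) {
                log.error("Error occurred while deriving PAR endpoint URL.", e);
                throw new PushAuthRequestValidatorException(500, SERVER_ERROR,
                        "Server Error while deriving PAR endpoint URL.", e);
            }
        } catch (IdentityProviderManagementException e) {
            log.error("Error while loading OAuth2TokenEPUrl of the resident IDP of tenant:" + str, e);
            throw new PushAuthRequestValidatorException(500, SERVER_ERROR,
                    "Server Error while validating audience of Request Object.", e);
        }
        return audiences;
    }

    /**
     * Resolves the tenant domain owning the OAuth application identified by {@code str}.
     *
     * <p>When the application cannot be resolved, the super tenant domain is returned instead of
     * failing (logged at debug level). Callers that must not act on a guessed tenant need to
     * validate the client separately.
     *
     * @param str client identifier
     * @return the application's tenant domain, or {@link IdentityCommonConstants#CARBON_SUPER} on lookup failure
     */
    public static String getSPTenantDomainFromClientId(String str) {
        try {
            return OAuth2Util.getTenantDomainOfOauthApp(OAuth2Util.getAppInformationByClientId(str));
        } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to resolve tenant domain for client " + str + "; falling back to "
                        + IdentityCommonConstants.CARBON_SUPER, e);
            }
            return IdentityCommonConstants.CARBON_SUPER;
        }
    }

    /**
     * Decrypts a compact-serialised JWE request object with the RSA private key of the tenant
     * that owns client {@code str2}.
     *
     * @param str compact-serialised JWE
     * @param str2 client identifier used to select the decrypting tenant key
     * @return when the decrypted payload is itself a compact JWS (three dot-separated parts), that
     *         inner JWS unchanged — its signature still has to be validated by the caller; otherwise
     *         the claims re-serialised as an unsecured ({@code alg=none}) JWT, which the caller must
     *         treat as unsigned
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request} when parsing, key lookup or
     *         decryption fails
     */
    public static String decrypt(String str, String str2) throws PushAuthRequestValidatorException {
        try {
            // EncryptedJWT is a JWEObject, so one parse and one decryption serve both the
            // nested-JWS check and the claims extraction.
            EncryptedJWT encryptedJWT = EncryptedJWT.parse(str);
            encryptedJWT.decrypt(new RSADecrypter(getRSAPrivateKey(str2)));
            String payloadText = encryptedJWT.getPayload() == null ? null : encryptedJWT.getPayload().toString();
            if (payloadText != null && payloadText.split("\\.").length == 3) {
                return payloadText;
            }
            return new PlainJWT(encryptedJWT.getJWTClaimsSet()).serialize();
        } catch (JOSEException | IdentityOAuth2Exception | ParseException e) {
            if (log.isDebugEnabled()) {
                log.debug("Failed to decrypt Request Object from " + str, e);
            }
            throw new PushAuthRequestValidatorException(400, INVALID_REQUEST, "Failed to decrypt Request Object", e);
        }
    }

    /**
     * Loads the private key of the tenant that owns client {@code str}.
     *
     * @param str client identifier
     * @return the tenant's private key as an RSA key
     * @throws IdentityOAuth2Exception when the key cannot be loaded or is not an RSA key
     */
    private static RSAPrivateKey getRSAPrivateKey(String str) throws IdentityOAuth2Exception {
        String tenantDomain = getSPTenantDomainFromClientId(str);
        PrivateKey privateKey = OAuth2Util.getPrivateKey(tenantDomain, OAuth2Util.getTenantId(tenantDomain));
        if (!(privateKey instanceof RSAPrivateKey)) {
            // Surface a checked failure instead of a ClassCastException so decrypt() maps it to 400.
            throw new IdentityOAuth2Exception("Private key of tenant " + tenantDomain + " is not an RSA key");
        }
        return (RSAPrivateKey) privateKey;
    }

    /**
     * Maps the cause of a JWKS validation failure to the message returned to the client.
     * Two well-known validator messages are rephrased in terms of the {@code nbf}/{@code exp}
     * claims; any other cause message is passed through as-is, and when the cause carries no
     * message the exception's own message is used.
     *
     * @param identityOAuth2Exception failure raised by {@link JWKSBasedJWTValidator}; its cause may be {@code null}
     * @return the client-facing error description
     */
    private static String getCustomSignatureValidationErrorMessage(IdentityOAuth2Exception identityOAuth2Exception) {
        Throwable cause = identityOAuth2Exception.getCause();
        String causeMessage = cause == null ? null : cause.getMessage();
        if (StringUtils.isEmpty(causeMessage)) {
            return identityOAuth2Exception.getMessage();
        }
        if ("JWT before use time".equalsIgnoreCase(causeMessage)) {
            return "Invalid not before time. 'nbf' must be a past value.";
        }
        if ("Expired JWT".equalsIgnoreCase(causeMessage)) {
            return "Invalid expiry time. 'exp' claim must be a future value.";
        }
        return causeMessage;
    }

    /**
     * Reads a claim that must be present and non-blank (whitespace-only is as unusable as absent).
     *
     * @param claims request object claims
     * @param claimName claim to read via {@link JSONObject#getAsString(String)}
     * @param errorCode OAuth2 error code to report when the claim is unusable
     * @param message log and error message for that case
     * @return the claim value
     * @throws PushAuthRequestValidatorException 400 with the given code and message when the claim is blank
     */
    private static String requireClaim(JSONObject claims, String claimName, String errorCode, String message)
            throws PushAuthRequestValidatorException {
        String value = claims.getAsString(claimName);
        if (StringUtils.isBlank(value)) {
            throw clientError(errorCode, message);
        }
        return value;
    }

    /**
     * Converts a JWT numeric-date claim (integer seconds since the epoch) to epoch milliseconds.
     *
     * @param claimName claim label used in the error message
     * @param rawValue string form of the claim; must be a decimal integer that fits a {@code long}
     * @return the claim in epoch milliseconds
     * @throws PushAuthRequestValidatorException 400 {@code invalid_request_object} when the value is not an
     *         integer or overflows once scaled to milliseconds
     */
    private static long numericDateToMillis(String claimName, String rawValue)
            throws PushAuthRequestValidatorException {
        try {
            return Math.multiplyExact(Long.parseLong(rawValue), MILLIS_PER_SECOND);
        } catch (NumberFormatException | ArithmeticException e) {
            String message = claimName + " parameter in the request object is not a valid numeric date";
            log.error(message, e);
            throw new PushAuthRequestValidatorException(400, PushAuthRequestConstants.INVALID_REQUEST_OBJECT,
                    message, e);
        }
    }

    /**
     * Server clock plus the configured OAuth timestamp skew, in epoch milliseconds.
     */
    private static long nowWithSkewMillis() {
        long skewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * MILLIS_PER_SECOND;
        return System.currentTimeMillis() + skewMillis;
    }

    /**
     * Logs {@code message} at error level and builds the 400 response exception to throw.
     *
     * @param errorCode OAuth2 error code
     * @param message description used both for the log entry and the response
     * @return the exception, for the caller to {@code throw}
     */
    private static PushAuthRequestValidatorException clientError(String errorCode, String message) {
        log.error(message);
        return new PushAuthRequestValidatorException(400, errorCode, message);
    }

    /**
     * Logs {@code message} with its cause at error level and builds the 500 {@code server_error}
     * response exception to throw.
     *
     * @param message description used both for the log entry and the response
     * @param cause underlying failure, preserved on the returned exception
     * @return the exception, for the caller to {@code throw}
     */
    private static PushAuthRequestValidatorException serverError(String message, Throwable cause) {
        log.error(message, cause);
        return new PushAuthRequestValidatorException(500, SERVER_ERROR, message, cause);
    }
}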
