package com.wso2.openbanking.accelerator.identity.builders;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObject;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.wso2.openbanking.accelerator.identity.dcr.validation.DCRCommonConstants;
import java.security.Key;
import java.security.interfaces.RSAPrivateKey;
import java.text.ParseException;
import java.time.Instant;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.oauth.cache.SessionDataCache;
import org.wso2.carbon.identity.oauth.cache.SessionDataCacheEntry;
import org.wso2.carbon.identity.oauth.cache.SessionDataCacheKey;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.RequestObjectException;
import org.wso2.carbon.identity.oauth2.model.OAuth2Parameters;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.RequestObjectBuilder;
import org.wso2.carbon.identity.openidconnect.model.RequestObject;

/* loaded from: input_file:com/wso2/openbanking/accelerator/identity/builders/DefaultOBRequestUriRequestObjectBuilder.class */
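/**
 * Builds a {@link RequestObject} for a PAR (pushed authorization request) flow from a
 * {@code request_uri}.
 *
 * <p>The {@code request_uri} is resolved through the {@link SessionDataCache}: its last
 * {@code ':'}-separated segment is the cache key, and the cached {@code essentialClaims} field
 * carries {@code "<request object JWT>:<expiry epoch seconds>"}. The request object is decrypted
 * with the tenant's RSA private key when it is a JWE, then wrapped as a plain or signed JWT and
 * tagged with the {@code par_initiated_request_object} claim.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This builder does NOT verify the signature of the request object, and an
 *       {@code "alg":"none"} request object is accepted as a {@link PlainJWT}. Signature and
 *       {@code alg} policy are expected to be enforced by the downstream request-object
 *       validator — confirm that validator is wired in for this builder.</li>
 *   <li>The {@code request_uri} is not bound to the requesting {@code client_id} and the cache
 *       entry is not consumed on use here. RFC 9126 expects a {@code request_uri} to be usable only
 *       by the client that pushed it and only once — confirm those checks exist elsewhere
 *       (PAR validator / cache eviction).</li>
 * </ul>
 */
public class DefaultOBRequestUriRequestObjectBuilder implements RequestObjectBuilder {
    private static final Log log = LogFactory.getLog(DefaultOBRequestUriRequestObjectBuilder.class);
    private static final String PAR_INITIATED_REQ_OBJ = "par_initiated_request_object";
    private static final String INVALID_REQUEST = "invalid_request";
    private static final String INVALID_REQUEST_URI = "Invalid request URI";
    // Separator used both in the request_uri ("...:<session key>") and in the cached
    // "<request object>:<expiry>" value. Compact JWT/JWE serializations never contain ':',
    // so splitting on it cannot cut the request object itself.
    private static final String SEPARATOR = ":";
    private static final int COMPACT_JWS_PARTS = 3;
    private static final int COMPACT_JWE_PARTS = 5;

    /**
     * Resolves a PAR {@code request_uri} to the request object that was pushed for it.
     *
     * @param str              the {@code request_uri}; only the segment after the last {@code ':'}
     *                         is used as the session-cache key
     * @param oAuth2Parameters parameters of the current authorization request; used to select the
     *                         tenant whose private key decrypts an encrypted request object
     * @return the request object, tagged with the {@code par_initiated_request_object} claim
     * @throws RequestObjectException with error code {@code invalid_request} when the URI is
     *                                unknown or malformed, its cached entry is malformed, it has
     *                                expired, or the request object cannot be decrypted/parsed
     */
    public RequestObject buildRequestObject(String str, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
        if (StringUtils.isEmpty(str)) {
            throw new RequestObjectException(INVALID_REQUEST, INVALID_REQUEST_URI);
        }
        String[] uriSegments = str.split(SEPARATOR);
        String sessionKey = uriSegments[uriSegments.length - 1];
        SessionDataCacheEntry cacheEntry = SessionDataCache.getInstance()
                .getValueFromCache(new SessionDataCacheKey(sessionKey));
        if (cacheEntry == null) {
            throw new RequestObjectException(INVALID_REQUEST, INVALID_REQUEST_URI);
        }

        // The PAR endpoint stores "<request object>:<expiry epoch seconds>" in essentialClaims.
        // A missing or malformed entry is reported as an invalid URI instead of surfacing as an
        // ArrayIndexOutOfBounds/NumberFormat/NullPointer exception.
        OAuth2Parameters cachedParameters = cacheEntry.getoAuth2Parameters();
        String cachedValue = cachedParameters == null ? null : cachedParameters.getEssentialClaims();
        if (StringUtils.isEmpty(cachedValue)) {
            throw new RequestObjectException(INVALID_REQUEST, INVALID_REQUEST_URI);
        }
        String[] cachedParts = cachedValue.split(SEPARATOR);
        if (cachedParts.length < 2) {
            throw new RequestObjectException(INVALID_REQUEST, INVALID_REQUEST_URI);
        }
        long expiryEpochSeconds;
        try {
            expiryEpochSeconds = Long.parseLong(cachedParts[1]);
        } catch (NumberFormatException e) {
            log.error("Malformed expiry in cached request URI entry.", e);
            throw new RequestObjectException(INVALID_REQUEST, INVALID_REQUEST_URI);
        }
        if (Instant.now().getEpochSecond() > expiryEpochSeconds) {
            throw new RequestObjectException(INVALID_REQUEST, "Expired request URI");
        }

        RequestObject requestObject = new RequestObject();
        String requestObjectJwt = cachedParts[0];
        if (isEncrypted(requestObjectJwt)) {
            requestObjectJwt = decrypt(requestObjectJwt, oAuth2Parameters);
            if (StringUtils.isEmpty(requestObjectJwt)) {
                // Kept from the original implementation: an empty decryption result yields an
                // empty RequestObject rather than an error. As written, decrypt() never returns
                // empty, so this is purely defensive.
                return requestObject;
            }
        }
        setRequestObjectValues(requestObjectJwt, requestObject);
        return requestObject;
    }

    /**
     * Decrypts a JWE-wrapped request object with the tenant's RSA private key.
     *
     * <p>If the decrypted payload is itself a compact JWS (three dot-separated parts), that inner
     * serialization is returned unchanged so its signature can still be verified downstream.
     * Otherwise the decrypted claims are re-serialized as an unsigned ({@code "alg":"none"}) JWT.
     *
     * @param str              compact JWE serialization of the request object
     * @param oAuth2Parameters used to select the tenant whose private key is the decryption key
     * @return the inner signed JWT, or a plain JWT carrying the decrypted claims
     * @throws RequestObjectException with error code {@code invalid_request} when parsing, key
     *                                lookup or decryption fails
     */
    public String decrypt(String str, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
        try {
            // One parse + one decrypt is enough: EncryptedJWT exposes both the raw payload and the
            // claims view, so the second JWEObject.parse/decrypt of the original is redundant.
            EncryptedJWT encrypted = EncryptedJWT.parse(str);
            encrypted.decrypt(new RSADecrypter(getRSAPrivateKey(oAuth2Parameters)));
            String payloadText = encrypted.getPayload() == null ? null : encrypted.getPayload().toString();
            if (payloadText != null && payloadText.split("\\.").length == COMPACT_JWS_PARTS) {
                // Nested JWS: hand back the signed token itself.
                return payloadText;
            }
            // Bare claims inside the JWE: wrap as an unsigned JWT. Whether an unsigned request
            // object is acceptable is a policy decision for the downstream validator, not here.
            return new PlainJWT(encrypted.getJWTClaimsSet()).serialize();
        } catch (JOSEException | IdentityOAuth2Exception | ParseException e) {
            log.error("Failed to decrypt Request Object from " + str, e);
            throw new RequestObjectException(INVALID_REQUEST, "Failed to decrypt Request Object");
        }
    }

    /**
     * Looks up the RSA private key of the tenant selected by {@link #getTenantDomainForDecryption}.
     *
     * @throws IdentityOAuth2Exception if the key cannot be loaded, or if the configured tenant key
     *                                 is not an RSA key (reported explicitly instead of as a
     *                                 {@link ClassCastException})
     */
    private RSAPrivateKey getRSAPrivateKey(OAuth2Parameters oAuth2Parameters) throws IdentityOAuth2Exception {
        String tenantDomain = getTenantDomainForDecryption(oAuth2Parameters);
        Key privateKey = OAuth2Util.getPrivateKey(tenantDomain, OAuth2Util.getTenantId(tenantDomain));
        if (!(privateKey instanceof RSAPrivateKey)) {
            throw new IdentityOAuth2Exception(
                    "Private key of tenant " + tenantDomain + " is not an RSA key; cannot decrypt request object");
        }
        return (RSAPrivateKey) privateKey;
    }

    /**
     * Returns the tenant domain whose key decrypts the request object: the one on the
     * authorization request, or {@code "super"} when none is set.
     *
     * <p>NOTE(review): the WSO2 super-tenant domain is normally {@code "carbon.super"}; confirm
     * that {@code "super"} resolves correctly through {@code OAuth2Util.getTenantId}.
     */
    private String getTenantDomainForDecryption(OAuth2Parameters oAuth2Parameters) {
        String tenantDomain = oAuth2Parameters.getTenantDomain();
        return StringUtils.isNotEmpty(tenantDomain) ? tenantDomain : "super";
    }

    /**
     * A compact JWE serialization has five dot-separated parts (header, encrypted key, IV,
     * ciphertext, tag); a JWS or plain JWT has three.
     */
    private boolean isEncrypted(String str) {
        return str.split("\\.").length == COMPACT_JWE_PARTS;
    }

    /**
     * Parses the (decrypted) request object into {@code requestObject} as a plain JWT when the
     * header carries no {@code alg} or {@code "alg":"none"}, otherwise as a signed JWT, and adds
     * the {@code par_initiated_request_object} marker claim.
     *
     * <p>No signature verification happens here; {@link SignedJWT#parse} only decodes the token.
     *
     * @throws RequestObjectException with error code {@code invalid_request} when the text is not
     *                                a parseable JWT
     */
    private void setRequestObjectValues(String str, RequestObject requestObject) throws RequestObjectException {
        try {
            JOSEObject joseObject = JOSEObject.parse(str);
            boolean unsigned = joseObject.getHeader().getAlgorithm() == null
                    || joseObject.getHeader().getAlgorithm().equals(JWSAlgorithm.NONE);
            if (unsigned) {
                requestObject.setPlainJWT(PlainJWT.parse(str));
            } else {
                requestObject.setSignedJWT(SignedJWT.parse(str));
            }
            // Mark the claims so downstream validation can tell a PAR-initiated request object
            // from one passed directly in the authorization request.
            JSONObject claims = requestObject.getClaimsSet().toJSONObject();
            claims.put(PAR_INITIATED_REQ_OBJ, DCRCommonConstants.DCR_REGISTRATION_PARAM_REQUIRED_TRUE);
            requestObject.setClaimSet(JWTClaimsSet.parse(claims));
        } catch (ParseException e) {
            log.error("No Valid JWT is found for the Request Object.", e);
            throw new RequestObjectException(INVALID_REQUEST, "No Valid JWT is found for the Request Object.");
        }
    }
}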
