package com.wso2.openbanking.accelerator.identity.token.validators;

import com.nimbusds.jwt.SignedJWT;
import com.wso2.openbanking.accelerator.common.exception.OpenBankingException;
import com.wso2.openbanking.accelerator.common.util.Generated;
import com.wso2.openbanking.accelerator.identity.token.util.TokenFilterException;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonConstants;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonHelper;
import com.wso2.openbanking.accelerator.identity.util.IdentityCommonUtil;
import java.text.ParseException;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/wso2/openbanking/accelerator/identity/token/validators/SignatureAlgorithmEnforcementValidator.class */
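/**
 * Token-filter validator that compares the signing algorithm declared in the header of the
 * JWT assertion request parameter with the algorithm registered for the application.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This class only parses the assertion and reads its header; no signature is verified
 *       here. The algorithm value is therefore unauthenticated input at this point, and the
 *       check is only meaningful if the signature is verified elsewhere in the chain
 *       (not visible in this file; confirm against the filter configuration).</li>
 *   <li>The check is skipped when the request carries no assertion, when the registered
 *       algorithm is empty, or when it equals {@code IdentityCommonConstants.NOT_APPLICABLE}.
 *       NOTE(review): the empty-registration case means an application without a registered
 *       algorithm is not restricted by this validator; confirm that is intended.</li>
 * </ul>
 */
public class SignatureAlgorithmEnforcementValidator implements OBIdentityFilterValidator {
    private static final Log log = LogFactory.getLog(SignatureAlgorithmEnforcementValidator.class);

    /**
     * Enforces the registered signing algorithm on the assertion carried by the request.
     *
     * @param servletRequest incoming request; anything other than an {@link HttpServletRequest} is ignored
     * @param clientId identifier passed to the service-provider metadata lookups
     *                 (presumably the OAuth client ID; confirm against the caller)
     * @throws TokenFilterException if the assertion cannot be parsed, the registered algorithm cannot
     *                              be looked up, or the two algorithms differ
     */
    @Override
    public void validate(ServletRequest servletRequest, String clientId) throws TokenFilterException {
        if (!(servletRequest instanceof HttpServletRequest)) {
            return;
        }
        String signedAssertion = servletRequest.getParameter(IdentityCommonConstants.OAUTH_JWT_ASSERTION);
        if (StringUtils.isEmpty(signedAssertion)) {
            return;
        }
        // Resolve the registered value once: the lookup performs service calls, and reading it a
        // second time could yield a different value from the one that was checked for emptiness.
        String registeredAlgorithm = getRegisteredSigningAlgorithm(clientId);
        if (StringUtils.isEmpty(registeredAlgorithm)) {
            return;
        }
        validateInboundSignatureAlgorithm(getRequestSigningAlgorithm(signedAssertion), registeredAlgorithm);
    }

    /**
     * Rejects the request unless the algorithm named in the assertion header is exactly the
     * registered one. The comparison is an exact, case-sensitive string match.
     *
     * @param requestAlgorithm algorithm name taken from the assertion header (client-controlled)
     * @param registeredAlgorithm algorithm registered for the application, or
     *                            {@code IdentityCommonConstants.NOT_APPLICABLE} to skip the check
     * @throws TokenFilterException with status 401 when the request algorithm is empty or differs
     *                              from the registered one, including when the latter is {@code null}
     */
    public void validateInboundSignatureAlgorithm(String requestAlgorithm, String registeredAlgorithm)
            throws TokenFilterException {
        if (log.isDebugEnabled()) {
            // The request algorithm comes straight from the client-supplied header, so line breaks
            // are neutralised before it reaches the log.
            log.debug(String.format("Validating request algorithm %s against registered algorithm %s.",
                    sanitizeForLog(requestAlgorithm), sanitizeForLog(registeredAlgorithm)));
        }
        // Constant-first comparison: a null registered algorithm falls through to the mismatch
        // branch below and is rejected, instead of surfacing as a NullPointerException.
        if (IdentityCommonConstants.NOT_APPLICABLE.equals(registeredAlgorithm)) {
            return;
        }
        if (StringUtils.isEmpty(requestAlgorithm) || !requestAlgorithm.equals(registeredAlgorithm)) {
            throw new TokenFilterException(401, IdentityCommonConstants.OAUTH2_INVALID_CLIENT_MESSAGE,
                    "Registered algorithm does not match with the token signed algorithm");
        }
    }

    /**
     * Looks up the signing algorithm registered for the application.
     *
     * <p>Returns {@code IdentityCommonConstants.NOT_APPLICABLE} when the application has certificate
     * content and is flagged as regulatory in its service-provider metadata; otherwise returns the
     * {@code TOKEN_ENDPOINT_AUTH_SIGNING_ALG} application property.
     *
     * @param clientId identifier used for the service-provider metadata lookups
     * @return the registered algorithm, or {@code IdentityCommonConstants.NOT_APPLICABLE}
     * @throws TokenFilterException with status 401 when a lookup fails
     */
    @Generated(message = "Ignoring because it requires a service call")
    public String getRegisteredSigningAlgorithm(String clientId) throws TokenFilterException {
        try {
            IdentityCommonHelper helper = new IdentityCommonHelper();
            if (StringUtils.isNotEmpty(helper.getCertificateContent(clientId))
                    && IdentityCommonUtil.getRegulatoryFromSPMetaData(clientId)) {
                return IdentityCommonConstants.NOT_APPLICABLE;
            }
            return helper.getAppPropertyFromSPMetaData(clientId,
                    IdentityCommonConstants.TOKEN_ENDPOINT_AUTH_SIGNING_ALG);
        } catch (OpenBankingException e) {
            throw new TokenFilterException(401, "invalid_request", "Token signing algorithm not registered", e);
        }
    }

    /**
     * Extracts the algorithm name from the header of a serialized signed JWT.
     *
     * <p>The assertion is only parsed; its signature is not verified by this method.
     *
     * @param signedAssertion serialized signed JWT taken from the request
     * @return the algorithm name declared in the JWT header
     * @throws TokenFilterException with status 400 when the assertion cannot be parsed
     */
    public String getRequestSigningAlgorithm(String signedAssertion) throws TokenFilterException {
        try {
            return SignedJWT.parse(signedAssertion).getHeader().getAlgorithm().getName();
        } catch (ParseException e) {
            throw new TokenFilterException(400, IdentityCommonConstants.OAUTH2_INVALID_CLIENT_MESSAGE,
                    "Error occurred while parsing the signed assertion", e);
        }
    }

    /** Replaces carriage returns and line feeds so a logged value cannot start a new log line. */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replaceAll("[\r\n]", "_");
    }
}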
