package com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator;

import com.wso2.openbanking.accelerator.common.util.Generated;
import com.wso2.openbanking.accelerator.common.util.JWTUtils;
import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.constants.PushAuthRequestConstants;
import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.exception.PushAuthRequestValidatorException;
import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.model.PushAuthErrorResponse;
import com.wso2.openbanking.accelerator.identity.push.auth.extension.request.validator.util.PushAuthRequestValidatorUtils;
import java.text.ParseException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import net.minidev.json.JSONObject;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.oauth2.OAuth2Service;
import org.wso2.carbon.identity.oauth2.dto.OAuth2ClientValidationResponseDTO;

/* loaded from: input_file:com/wso2/openbanking/accelerator/identity/push/auth/extension/request/validator/PushAuthRequestValidator.class */
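/**
 * Validates the form parameters and the request object (JWT) of a pushed
 * authorization request.
 *
 * <p>{@link #validateParams} is final and fixes the order of the checks. The
 * individual {@code validate*} methods are non-final, so a subclass can replace
 * a single check; most of them only delegate to
 * {@link PushAuthRequestValidatorUtils}.
 *
 * <p>The instance returned by {@link #getPushAuthRequestValidator()} is held in
 * a plain static field with no synchronization.
 */
public class PushAuthRequestValidator {
    private static final Log log = LogFactory.getLog(PushAuthRequestValidator.class);
    private static PushAuthRequestValidator pushAuthRequestValidator;
    private static final String ERROR_DESCRIPTION = "error_description";
    private static final String ERROR = "error";
    private static final String INVALID_REQUEST = "invalid_request";
    private static final String REQUEST = "request";
    private static final String REQUEST_URI = "request_uri";
    private static final String CLIENT_ID = "client_id";
    private static final String REDIRECT_URI = "redirect_uri";

    /**
     * Returns the validator previously stored with
     * {@link #setRegistrationValidator}, or {@code null} if none was stored.
     */
    public static PushAuthRequestValidator getPushAuthRequestValidator() {
        return pushAuthRequestValidator;
    }

    /**
     * Stores the validator instance returned by
     * {@link #getPushAuthRequestValidator()}. Despite its name, this setter
     * holds the push authorization request validator.
     *
     * @param pushAuthRequestValidator2 the instance to store
     */
    public static void setRegistrationValidator(PushAuthRequestValidator pushAuthRequestValidator2) {
        pushAuthRequestValidator = pushAuthRequestValidator2;
    }

    /**
     * Validates the parameters of a pushed authorization request and returns
     * them as a single-valued map.
     *
     * <p>Every parameter must occur exactly once and {@code request_uri} is
     * rejected. When a {@code request} parameter is present, the request object
     * is decrypted if needed, decoded and checked, and its decoded header and
     * body are added to the returned map under
     * {@code PushAuthRequestConstants.DECODED_JWT_HEADER} and
     * {@code PushAuthRequestConstants.DECODED_JWT_BODY}.
     *
     * @param httpServletRequest the incoming request; not read by this method
     * @param map the form parameters, each with the list of values received
     * @return the parameters, plus the decoded request object when one was sent
     * @throws PushAuthRequestValidatorException with HTTP status 400 when any
     *     check fails
     */
    public final Map<String, Object> validateParams(HttpServletRequest httpServletRequest, Map<String, List<String>> map) throws PushAuthRequestValidatorException {
        Map<String, Object> params = flattenParameters(map);
        if (params.containsKey(REQUEST_URI)) {
            log.error("Request does not allow request_uri parameter");
            throw new PushAuthRequestValidatorException(400, INVALID_REQUEST, "Request does not allow request_uri parameter");
        }
        // NOTE(review): without a "request" parameter none of the request-object
        // checks run and only validateAdditionalParams is applied. Confirm that
        // the caller or a subclass rejects such requests where the deployment
        // requires a signed request object.
        if (params.containsKey(REQUEST)) {
            validateRequestObject(params);
        }
        validateAdditionalParams(params);
        return params;
    }

    /**
     * Collapses the multi-valued parameter map into single values. A repeated
     * parameter is rejected, and so is a parameter whose value list is null or
     * empty, which previously surfaced as an unchecked exception.
     */
    private static Map<String, Object> flattenParameters(Map<String, List<String>> map) throws PushAuthRequestValidatorException {
        Map<String, Object> params = new HashMap<>();
        for (Map.Entry<String, List<String>> entry : map.entrySet()) {
            List<String> values = entry.getValue();
            if (values == null || values.isEmpty()) {
                if (log.isDebugEnabled()) {
                    log.debug("Param without a value found:" + sanitizeForLog(entry.getKey()));
                }
                throw new PushAuthRequestValidatorException(400, INVALID_REQUEST, "Parameter without a value found in the request");
            }
            if (values.size() > 1) {
                if (log.isDebugEnabled()) {
                    log.debug("Repeated param found:" + sanitizeForLog(entry.getKey()));
                }
                throw new PushAuthRequestValidatorException(400, INVALID_REQUEST, "Repeated parameter found in the request");
            }
            params.put(entry.getKey(), values.get(0));
        }
        return params;
    }

    /**
     * Replaces line breaks in a client-supplied value so that it cannot start a
     * forged entry in the log.
     */
    private static String sanitizeForLog(String value) {
        return String.valueOf(value).replaceAll("[\\r\\n]", "_");
    }

    /**
     * Decodes the {@code request} parameter and runs the request-object checks
     * in a fixed order, adding the decoded header and body to {@code params}.
     */
    private void validateRequestObject(Map<String, Object> params) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateRequestFormBody(params);
        try {
            String requestObject = params.get(REQUEST).toString();
            // Five dot-separated parts are treated as an encrypted request
            // object (JWE) and decrypted first; anything else is used as is.
            // NOTE(review): decryption uses the client_id of the form body,
            // while client validation below uses the client_id claim. This
            // method does not compare the two; confirm they are bound elsewhere.
            Object formClientId = params.get(CLIENT_ID);
            String jwt = requestObject;
            if (requestObject.split("\\.").length == 5) {
                jwt = PushAuthRequestValidatorUtils.decrypt(requestObject, formClientId != null ? formClientId.toString() : null);
            }
            JSONObject body = JWTUtils.decodeRequestJWT(jwt, PushAuthRequestConstants.BODY);
            JSONObject header = JWTUtils.decodeRequestJWT(jwt, PushAuthRequestConstants.HEADER);
            if (body == null || header == null) {
                log.error("Invalid JWT as request");
                throw new PushAuthRequestValidatorException(400, INVALID_REQUEST, "Invalid JWT as request");
            }
            params.put(PushAuthRequestConstants.DECODED_JWT_BODY, body);
            params.put(PushAuthRequestConstants.DECODED_JWT_HEADER, header);

            // The redirect URI and the client are checked on claims whose
            // signature has not been verified yet; validateSignature runs only
            // after the algorithm check.
            validateRedirectUri(body);
            OAuth2ClientValidationResponseDTO clientValidationInfo = getClientValidationInfo(body);
            if (!clientValidationInfo.isValidClient()) {
                // The service's message is logged and also returned to the
                // caller as the error description.
                log.error(clientValidationInfo.getErrorMsg());
                throw new PushAuthRequestValidatorException(400, INVALID_REQUEST, clientValidationInfo.getErrorMsg());
            }
            validateSignatureAlgorithm(header.get(PushAuthRequestConstants.ALG_HEADER));
            validateSignature(jwt, body);
            validateResponseType(body);
            validateNonceParameter(body);
            validateScope(body);
            validateAudience(body);
            validateIssuer(body);
            validateExpirationTime(body);
            validateNotBeforeClaim(body);
            validatePKCEParameters(body);
            // A request object must not itself carry a nested request object
            // or a reference to one.
            if (StringUtils.isNotBlank(body.getAsString(REQUEST)) || StringUtils.isNotBlank(body.getAsString(REQUEST_URI))) {
                log.error("Both request and request_uri parameters are not allowed in the request object");
                throw new PushAuthRequestValidatorException(400, PushAuthRequestConstants.INVALID_REQUEST_OBJECT, "Both request and request_uri parameters are not allowed in the request object");
            }
        } catch (ParseException e) {
            log.error("Exception while decoding JWT. Returning error.", e);
            throw new PushAuthRequestValidatorException(400, PushAuthRequestConstants.INVALID_REQUEST_OBJECT, "Unable to decode JWT.", e);
        }
    }

    /**
     * Extension point called last by {@link #validateParams}; does nothing here.
     *
     * @param map the validated parameters, including the decoded request object
     *     when one was sent
     * @throws PushAuthRequestValidatorException when an overriding check fails
     */
    public void validateAdditionalParams(Map<String, Object> map) throws PushAuthRequestValidatorException {
    }

    /**
     * Delegates to {@code PushAuthRequestValidatorUtils.validateRedirectUri}.
     *
     * @param jSONObject the decoded request object body
     * @throws PushAuthRequestValidatorException when the check fails
     */
    public void validateRedirectUri(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateRedirectUri(jSONObject);
    }

    /**
     * Delegates to {@code PushAuthRequestValidatorUtils.validateScope}.
     *
     * @param jSONObject the decoded request object body
     * @throws PushAuthRequestValidatorException when the check fails
     */
    public void validateScope(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateScope(jSONObject);
    }

    /**
     * Delegates to
     * {@code PushAuthRequestValidatorUtils.validateSignatureAlgorithm}.
     *
     * @param obj the value of the algorithm header of the request object
     * @throws PushAuthRequestValidatorException when the check fails
     */
    public void validateSignatureAlgorithm(Object obj) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateSignatureAlgorithm(obj);
    }

    /**
     * Delegates to
     * {@code PushAuthRequestValidatorUtils.validateNonceParameter}.
     *
     * @param jSONObject the decoded request object body
     * @throws PushAuthRequestValidatorException when the check fails
     */
    public void validateNonceParameter(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateNonceParameter(jSONObject);
    }

    /**
     * Delegates to {@code PushAuthRequestValidatorUtils.validateIssuer}.
     *
     * @param jSONObject the decoded request object body
     * @throws PushAuthRequestValidatorException when the check fails
     */
    public void validateIssuer(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateIssuer(jSONObject);
    }

    /**
     * Delegates to
     * {@code PushAuthRequestValidatorUtils.validateExpirationTime}.
     *
     * @param jSONObject the decoded request object body
     * @throws PushAuthRequestValidatorException when the check fails
     */
    public void validateExpirationTime(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateExpirationTime(jSONObject);
    }

    /**
     * Delegates to
     * {@code PushAuthRequestValidatorUtils.validateNotBeforeClaim}.
     *
     * @param jSONObject the decoded request object body
     * @throws PushAuthRequestValidatorException when the check fails
     */
    public void validateNotBeforeClaim(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateNotBeforeClaim(jSONObject);
    }

    /**
     * Builds an error response whose JSON payload carries {@code error} and
     * {@code error_description}.
     *
     * @param i the HTTP status code of the response
     * @param str the value of the {@code error} field
     * @param str2 the value of the {@code error_description} field
     * @return the populated error response
     */
    public PushAuthErrorResponse createErrorResponse(int i, String str, String str2) {
        JSONObject payload = new JSONObject();
        payload.put(ERROR_DESCRIPTION, str2);
        payload.put(ERROR, str);
        PushAuthErrorResponse errorResponse = new PushAuthErrorResponse();
        errorResponse.setPayload(payload);
        errorResponse.setHttpStatusCode(i);
        return errorResponse;
    }

    /**
     * Asks a new {@code OAuth2Service} to validate the {@code client_id} and
     * {@code redirect_uri} claims of the request object.
     *
     * @param jSONObject the decoded request object body
     * @return the validation result reported by the service
     */
    @Generated(message = "Excluding from code coverage since it requires a service call")
    protected OAuth2ClientValidationResponseDTO getClientValidationInfo(JSONObject jSONObject) {
        return new OAuth2Service().validateClientInfo(jSONObject.getAsString(CLIENT_ID), jSONObject.getAsString(REDIRECT_URI));
    }

    /**
     * Delegates to {@code PushAuthRequestValidatorUtils.validateSignature}.
     *
     * @param str the request object in its serialized (decrypted) form
     * @param jSONObject the decoded request object body
     * @throws PushAuthRequestValidatorException when the check fails
     */
    @Generated(message = "Excluding from code coverage since it requires a service call")
    protected void validateSignature(String str, JSONObject jSONObject) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateSignature(str, jSONObject);
    }

    /**
     * Delegates to {@code PushAuthRequestValidatorUtils.validateAudience}.
     *
     * @param jSONObject the decoded request object body
     * @throws PushAuthRequestValidatorException when the check fails
     */
    @Generated(message = "Excluding from code coverage since it requires a service call")
    protected void validateAudience(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateAudience(jSONObject);
    }

    /**
     * Delegates to
     * {@code PushAuthRequestValidatorUtils.validatePKCEParameters}.
     *
     * @param jSONObject the decoded request object body
     * @throws PushAuthRequestValidatorException when the check fails
     */
    protected void validatePKCEParameters(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validatePKCEParameters(jSONObject);
    }

    /**
     * Delegates to
     * {@code PushAuthRequestValidatorUtils.validateResponseType}.
     *
     * @param jSONObject the decoded request object body
     * @throws PushAuthRequestValidatorException when the check fails
     */
    protected void validateResponseType(JSONObject jSONObject) throws PushAuthRequestValidatorException {
        PushAuthRequestValidatorUtils.validateResponseType(jSONObject);
    }
}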
