package org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt;

import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
import org.wso2.carbon.identity.oauth2.client.authentication.AbstractOAuthClientAuthenticator;
import org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnException;
import org.wso2.carbon.identity.oauth2.model.ClientAuthenticationMethodModel;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.internal.JWTServiceDataHolder;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.JWTValidator;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handler/clientauth/jwt/PrivateKeyJWTClientAuthenticator.class */
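public class PrivateKeyJWTClientAuthenticator extends AbstractOAuthClientAuthenticator {

    private static final Log log = LogFactory.getLog(PrivateKeyJWTClientAuthenticator.class);
    private static final String PRIVATE_KEY_JWT_CLIENT_AUTHENTICATOR_AUTH_METHOD = "private_key_jwt";
    private static final String PRIVATE_KEY_JWT_CLIENT_AUTHENTICATOR_DISPLAY_NAME = "Private Key JWT";

    // Built once in the constructor from the effective (config-overridden) settings below.
    private JWTValidator jwtValidator;
    // Assertions issued earlier than this many minutes before "now" are rejected by the validator.
    private int rejectBeforePeriod = Constants.DEFAULT_VALIDITY_PERIOD_IN_MINUTES;
    // Whether an assertion's jti may be presented more than once; defaults to the safe setting.
    private boolean preventTokenReuse = true;
    // Audience the assertion must name; defaults to the token endpoint alias.
    private String tokenEPAlias = Constants.DEFAULT_AUDIENCE;

    /**
     * Creates the authenticator, reading overrides for the audience alias, the token-reuse
     * policy and the reject-before period from the configured authenticator properties and
     * building the {@link JWTValidator} from the resulting values.
     */
    public PrivateKeyJWTClientAuthenticator() {
        readServerConfig();
        this.jwtValidator = createJWTValidator(this.tokenEPAlias, this.preventTokenReuse, this.rejectBeforePeriod);
    }

    /**
     * Applies optional overrides from {@code this.properties} to the three validator settings
     * and publishes the effective reuse policy to {@link JWTServiceDataHolder}.
     * <p>
     * A malformed {@code REJECT_BEFORE_IN_MINUTES} value only affects that one setting: the
     * default period is kept and a warning is logged. The reuse policy is published
     * unconditionally, so a bad period can no longer leave the data holder with a stale
     * {@code preventTokenReuse} value.
     */
    private void readServerConfig() {
        String aliasOverride = this.properties.getProperty(Constants.TOKEN_ENDPOINT_ALIAS);
        if (StringUtils.isNotEmpty(aliasOverride)) {
            this.tokenEPAlias = aliasOverride;
        }

        String reuseOverride = this.properties.getProperty(Constants.PREVENT_TOKEN_REUSE);
        if (StringUtils.isNotEmpty(reuseOverride)) {
            // Boolean.parseBoolean never throws; anything but "true" (case-insensitive) disables the check.
            this.preventTokenReuse = Boolean.parseBoolean(reuseOverride);
        }

        String periodOverride = this.properties.getProperty(Constants.REJECT_BEFORE_IN_MINUTES);
        if (StringUtils.isNotEmpty(periodOverride)) {
            try {
                this.rejectBeforePeriod = Integer.parseInt(periodOverride);
            } catch (NumberFormatException e) {
                log.warn("Invalid PrivateKeyJWT Validity period found in the configuration. Using default value: "
                        + this.rejectBeforePeriod, e);
            }
        }

        // Must run regardless of the parse outcome above.
        JWTServiceDataHolder.getInstance().setPreventTokenReuse(this.preventTokenReuse);
    }

    /**
     * Validates the client assertion carried in the request body.
     *
     * @param httpServletRequest      the incoming token request
     * @param map                     the request body parameters
     * @param oAuthClientAuthnContext the per-request authentication context; receives the
     *                                authenticator type and the parsed assertion
     * @return {@code true} when the validator accepts the assertion
     * @throws OAuthClientAuthnException when no usable assertion is present or it cannot be parsed
     */
    public boolean authenticateClient(HttpServletRequest httpServletRequest, Map<String, List> map,
                                      OAuthClientAuthnContext oAuthClientAuthnContext) throws OAuthClientAuthnException {
        oAuthClientAuthnContext.addParameter(Constants.AUTHENTICATOR_TYPE_PARAM, Constants.AUTHENTICATOR_TYPE_PK_JWT);
        // Handed to the validator alongside the configured alias; presumably used as an accepted
        // audience value — confirm against JWTValidator before relying on it.
        String requestUrl = httpServletRequest.getRequestURL().toString();
        if (log.isDebugEnabled()) {
            // Client-supplied proxy headers; debug-only so they never reach normal logs.
            log.debug("x-forwarded-for: " + httpServletRequest.getHeader("x-forwarded-for"));
            log.debug("x-forwarded-host: " + httpServletRequest.getHeader("x-forwarded-host"));
            log.debug("requestUrl: " + requestUrl);
        }
        SignedJWT assertion = getSignedJWT(map, oAuthClientAuthnContext);
        return this.jwtValidator.isValidAssertion(assertion, requestUrl);
    }

    /**
     * Reports whether this authenticator should handle the request, i.e. the body carries the
     * JWT-bearer assertion type together with a non-empty assertion.
     *
     * @param httpServletRequest      the incoming token request (unused)
     * @param map                     the request body parameters
     * @param oAuthClientAuthnContext the per-request authentication context (unused)
     * @return {@code true} when both the assertion type and assertion are present
     */
    public boolean canAuthenticate(HttpServletRequest httpServletRequest, Map<String, List> map,
                                   OAuthClientAuthnContext oAuthClientAuthnContext) {
        // Resolve the body parameters once rather than once per looked-up key.
        Map<String, ?> bodyParams = getBodyParameters(map);
        String assertionType = (String) bodyParams.get(Constants.OAUTH_JWT_ASSERTION_TYPE);
        String assertion = (String) bodyParams.get(Constants.OAUTH_JWT_ASSERTION);
        return isValidJWTClientAssertionRequest(assertionType, assertion);
    }

    /**
     * Resolves the client identifier from the assertion's claim set via the validator.
     *
     * @param httpServletRequest      the incoming token request (unused)
     * @param map                     the request body parameters
     * @param oAuthClientAuthnContext the per-request authentication context
     * @return the subject the validator resolves for the assertion
     * @throws OAuthClientAuthnException when the assertion is missing, unparsable, or yields no claims
     */
    public String getClientId(HttpServletRequest httpServletRequest, Map<String, List> map,
                              OAuthClientAuthnContext oAuthClientAuthnContext) throws OAuthClientAuthnException {
        SignedJWT assertion = getSignedJWT(map, oAuthClientAuthnContext);
        return this.jwtValidator.resolveSubject(this.jwtValidator.getClaimSet(assertion));
    }

    /**
     * Returns the request's client assertion as a {@link SignedJWT}, parsing it at most once per
     * request: the parsed value is cached in the context under {@code Constants.PRIVATE_KEY_JWT}.
     *
     * @param map                     the request body parameters
     * @param oAuthClientAuthnContext the per-request authentication context used as the cache
     * @return the parsed assertion
     * @throws OAuthClientAuthnException when the assertion is absent or is not a parsable signed JWT
     */
    private SignedJWT getSignedJWT(Map<String, List> map, OAuthClientAuthnContext oAuthClientAuthnContext)
            throws OAuthClientAuthnException {
        Object cached = oAuthClientAuthnContext.getParameter(Constants.PRIVATE_KEY_JWT);
        // instanceof rather than a blind cast: an unexpected object type falls through to a re-parse
        // instead of surfacing as a ClassCastException.
        if (cached instanceof SignedJWT) {
            return (SignedJWT) cached;
        }

        String rawAssertion = (String) getBodyParameters(map).get(Constants.OAUTH_JWT_ASSERTION);
        if (StringUtils.isEmpty(rawAssertion)) {
            throw new OAuthClientAuthnException(
                    "No Valid Assertion was found for urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                    "invalid_request");
        }

        try {
            SignedJWT parsed = SignedJWT.parse(rawAssertion);
            if (parsed == null) {
                throw new OAuthClientAuthnException(
                        "No Valid Assertion was found for urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                        "invalid_request");
            }
            oAuthClientAuthnContext.addParameter(Constants.PRIVATE_KEY_JWT, parsed);
            return parsed;
        } catch (ParseException e) {
            // The parser message may echo parts of the client-supplied input; keep it at debug.
            if (log.isDebugEnabled()) {
                log.debug(e.getMessage());
            }
            throw new OAuthClientAuthnException("Error while parsing the JWT.", "invalid_request");
        }
    }

    /**
     * Checks the two body values that select this authenticator.
     *
     * @param clientAssertionType the {@code client_assertion_type} value
     * @param clientAssertion     the {@code client_assertion} value
     * @return {@code true} when the type is the JWT-bearer type and the assertion is non-empty
     */
    private boolean isValidJWTClientAssertionRequest(String clientAssertionType, String clientAssertion) {
        if (log.isDebugEnabled()) {
            log.debug("Authenticate Requested with clientAssertionType : " + clientAssertionType);
            // The raw assertion is a credential; only log it when token logging is explicitly enabled.
            if (IdentityUtil.isTokenLoggable("AccessToken")) {
                log.debug("Authenticate Requested with clientAssertion : " + clientAssertion);
            }
        }
        return Constants.OAUTH_JWT_BEARER_GRANT_TYPE.equals(clientAssertionType)
                && StringUtils.isNotEmpty(clientAssertion);
    }

    /**
     * Builds the validator with the mandatory claim list and the given settings.
     *
     * @param audience           accepted audience alias
     * @param preventTokenReuse  whether repeated jti values are rejected
     * @param rejectBeforeMins   reject-before period in minutes
     * @return a configured {@link JWTValidator}
     */
    private JWTValidator createJWTValidator(String audience, boolean preventTokenReuse, int rejectBeforeMins) {
        return new JWTValidator(preventTokenReuse, audience, rejectBeforeMins, null, populateMandatoryClaims(), true);
    }

    /**
     * Lists the claims every client assertion must carry (iss, sub, aud, exp, jti).
     *
     * @return a fresh, mutable list of mandatory claim names
     */
    private List<String> populateMandatoryClaims() {
        // Mutable copy on purpose: the validator's treatment of the list is not known here.
        return new ArrayList<>(Arrays.asList(
                Constants.ISSUER_CLAIM,
                Constants.SUBJECT_CLAIM,
                Constants.AUDIENCE_CLAIM,
                Constants.EXPIRATION_TIME_CLAIM,
                Constants.JWT_ID_CLAIM));
    }

    /**
     * Advertises the single client authentication method this authenticator implements.
     *
     * @return a one-element list describing {@code private_key_jwt}
     */
    public List<ClientAuthenticationMethodModel> getSupportedClientAuthenticationMethods() {
        return Arrays.asList(new ClientAuthenticationMethodModel(
                PRIVATE_KEY_JWT_CLIENT_AUTHENTICATOR_AUTH_METHOD, PRIVATE_KEY_JWT_CLIENT_AUTHENTICATOR_DISPLAY_NAME));
    }
}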
