package org.wso2.carbon.identity.application.authenticator.basicauth.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authenticator.basicauth.BasicAuthenticator;
import org.wso2.carbon.identity.application.authenticator.basicauth.jwt.cache.AuthJwtCache;
import org.wso2.carbon.identity.application.authenticator.basicauth.jwt.internal.JWTBasicAuthenticatorServiceComponentDataHolder;
import org.wso2.carbon.identity.application.common.model.User;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/basicauth/jwt/JWTBasicAuthenticator.class */
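/**
 * Local authenticator that accepts a signed JWT (the {@code PARAM_TOKEN} request parameter) in place of
 * username/password credentials.
 *
 * <p>A token is accepted only when it carries {@code sub}, {@code iss}, {@code jti} and {@code exp}, its
 * {@code jti} has not been presented before (replay cache), it has not expired, and its RS* signature
 * verifies against the certificate held in the keystore of the tenant named in {@code sub}. The
 * {@code jti} is recorded in the replay cache only after the signature has been verified.
 */
public class JWTBasicAuthenticator extends BasicAuthenticator {

    private static final Log log = LogFactory.getLog(JWTBasicAuthenticator.class);

    /**
     * Skew used when the {@code TimestampSkew} authenticator parameter is absent or unparsable.
     * NOTE(review): the value is handed to {@link #checkExpirationTime} unchanged and logged there as
     * milliseconds; confirm the configured unit is really milliseconds (300 ms is a very tight default).
     */
    private static final long DEFAULT_TIMESTAMP_SKEW = 300;

    /** Carbon's super-tenant id ({@code MultitenantConstants.SUPER_TENANT_ID}), inlined by the decompiler. */
    private static final int SUPER_TENANT_ID = -1234;

    /** Request parameter whose value {@code "on"} enables remember-me on the authentication context. */
    private static final String REMEMBER_ME_PARAM = "chkRemember";

    /** Context property under which the authenticated user's tenant domain is published. */
    private static final String USER_TENANT_DOMAIN_PROPERTY = "user-tenant-domain";

    /**
     * This authenticator handles a request only when the JWT parameter is present.
     *
     * @param request incoming request
     * @return {@code true} when {@code PARAM_TOKEN} is present
     */
    @Override
    public boolean canHandle(HttpServletRequest request) {
        return request.getParameter(JWTBasicAuthenticatorConstants.PARAM_TOKEN) != null;
    }

    /**
     * Parses, validates and verifies the JWT from the request and, on success, sets the authenticated
     * subject and the user's tenant domain on the context.
     *
     * @param request  request carrying the JWT in {@code PARAM_TOKEN}
     * @param response unused
     * @param context  authentication context to populate
     * @throws AuthenticationFailedException when the token is missing, malformed, incomplete, replayed,
     *                                       expired, or its signature does not verify
     */
    @Override
    protected void processAuthenticationResponse(HttpServletRequest request, HttpServletResponse response,
                                                 AuthenticationContext context) throws AuthenticationFailedException {
        String token = request.getParameter(JWTBasicAuthenticatorConstants.PARAM_TOKEN);
        // The raw assertion is a credential; it is only logged when the deployment has explicitly opted in.
        if (log.isDebugEnabled() && IdentityUtil.isTokenLoggable(JWTBasicAuthenticatorConstants.AUTH_TOKEN)) {
            log.debug("User authentication token : " + token);
        }

        Map<String, Object> properties = context.getProperties();
        if (properties == null) {
            properties = new HashMap<>();
            context.setProperties(properties);
        }

        SignedJWT signedJWT = getSignedJWT(token);
        JWTClaimsSet claimSet = getClaimSet(signedJWT);
        if (!isValidClaimSet(claimSet)) {
            throw new AuthenticationFailedException("Invalid token");
        }

        // The tenant named in the (not yet verified) subject selects the keystore whose certificate must
        // verify the signature, so a token is trusted only if it was signed with that tenant's key.
        String subject = claimSet.getSubject();
        User user = User.getUserFromUserName(subject);
        String tenantDomain = user.getTenantDomain();
        if (!isValidSignature(signedJWT, tenantDomain)) {
            throw new AuthenticationFailedException("User authentication failed : Invalid signature.");
        }

        // Record the jti only after the signature verified, so unauthenticated requests cannot fill the cache.
        String jwtId = claimSet.getJWTID();
        AuthJwtCache.getInstance().addToCache(jwtId, jwtId);

        properties.put(USER_TENANT_DOMAIN_PROPERTY, tenantDomain);
        context.setSubject(AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(subject));

        if ("on".equals(request.getParameter(REMEMBER_ME_PARAM))) {
            context.setRememberMe(true);
        }
    }

    /** @return the display name of this authenticator */
    @Override
    public String getFriendlyName() {
        return JWTBasicAuthenticatorConstants.AUTHENTICATOR_FRIENDLY_NAME;
    }

    /** @return the unique name of this authenticator */
    @Override
    public String getName() {
        return JWTBasicAuthenticatorConstants.AUTHENTICATOR_NAME;
    }

    /**
     * Parses the compact-serialised token into a {@link SignedJWT}.
     *
     * @param token compact JWT string from the request
     * @return the parsed token
     * @throws AuthenticationFailedException when the token is blank or does not parse
     */
    private SignedJWT getSignedJWT(String token) throws AuthenticationFailedException {
        if (StringUtils.isBlank(token)) {
            throw new AuthenticationFailedException("No Valid JWT Assertion was found.");
        }
        try {
            SignedJWT signedJWT = SignedJWT.parse(token);
            if (signedJWT == null) {
                throw new AuthenticationFailedException("No Valid JWT Assertion was found.");
            }
            return signedJWT;
        } catch (ParseException e) {
            // Parser detail stays at debug level; the caller only learns that the token was malformed.
            if (log.isDebugEnabled()) {
                log.debug(e.getMessage());
            }
            throw new AuthenticationFailedException("Error while parsing the JWT.");
        }
    }

    /**
     * Extracts the claims set from a parsed token.
     *
     * @param signedJWT parsed token
     * @return its claims
     * @throws AuthenticationFailedException when the token is {@code null}, has no claims, or the payload
     *                                       cannot be parsed
     */
    private JWTClaimsSet getClaimSet(SignedJWT signedJWT) throws AuthenticationFailedException {
        if (signedJWT == null) {
            throw new AuthenticationFailedException("No Valid JWT Assertion was found.");
        }
        try {
            JWTClaimsSet claimSet = signedJWT.getJWTClaimsSet();
            if (claimSet == null) {
                throw new AuthenticationFailedException("Claim values are empty in the given JWT.");
            }
            return claimSet;
        } catch (ParseException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error when trying to retrieve claimsSet from the JWT.");
            }
            throw new AuthenticationFailedException("Error when trying to retrieve claimsSet from the JWT.");
        }
    }

    /**
     * Checks mandatory claims, the replay cache and the expiry of the token. Runs before signature
     * verification, so everything examined here is still untrusted input.
     *
     * @param claimSet claims to validate
     * @return {@code true} when the claims are acceptable (failures are reported as exceptions)
     * @throws AuthenticationFailedException when a required claim is missing, the {@code jti} was already
     *                                       seen, or the token has expired
     */
    private boolean isValidClaimSet(JWTClaimsSet claimSet) throws AuthenticationFailedException {
        // sub, iss, jti and exp are mandatory. NOTE(review): iss is only checked for presence, not compared
        // against an expected issuer, and aud is not examined; the per-tenant certificate is the trust anchor.
        if (StringUtils.isEmpty(claimSet.getSubject()) || StringUtils.isEmpty(claimSet.getIssuer())
                || StringUtils.isEmpty(claimSet.getJWTID()) || claimSet.getExpirationTime() == null) {
            throw new AuthenticationFailedException("Invalid token : Required fields are not present in JWT.");
        }
        // A jti that is already cached was accepted once before; treat a second presentation as a replay.
        if (AuthJwtCache.getInstance().getValueFromCache(claimSet.getJWTID()) != null) {
            throw new AuthenticationFailedException("Invalid token : Possible replay attack.");
        }
        return checkExpirationTime(claimSet.getExpirationTime().getTime(), System.currentTimeMillis(),
                getTimeStampSkew());
    }

    /**
     * Verifies the token signature against the certificate of the given tenant.
     *
     * @param signedJWT    token to verify
     * @param tenantDomain tenant whose keystore holds the signing certificate
     * @return the verifier's result
     * @throws AuthenticationFailedException when the certificate cannot be loaded or the token is unsupported
     */
    private boolean isValidSignature(SignedJWT signedJWT, String tenantDomain) throws AuthenticationFailedException {
        return validateSignature(signedJWT, getCertificate(tenantDomain));
    }

    /**
     * Loads the signing certificate for a tenant: the primary certificate for the super tenant, otherwise
     * the certificate stored under the domain alias in the tenant's own keystore.
     *
     * @param tenantDomain tenant domain taken from the token subject
     * @return the tenant's certificate (may be {@code null} if the keystore has no entry under the alias)
     * @throws AuthenticationFailedException when the tenant id or the keystore cannot be resolved
     */
    private X509Certificate getCertificate(String tenantDomain) throws AuthenticationFailedException {
        try {
            int tenantId = JWTBasicAuthenticatorServiceComponentDataHolder.getInstance().getRealmService()
                    .getTenantManager().getTenantId(tenantDomain);
            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
            try {
                if (tenantId == SUPER_TENANT_ID) {
                    return keyStoreManager.getDefaultPrimaryCertificate();
                }
                // The keystore name is derived from the domain; the tenant id lookup above must have
                // resolved the domain, so an arbitrary string in `sub` does not reach the keystore lookup.
                String keyStoreName = generateKSNameFromDomainName(tenantDomain);
                return (X509Certificate) keyStoreManager.getKeyStore(keyStoreName).getCertificate(tenantDomain);
            } catch (KeyStoreException e) {
                String message = "Error instantiating an X509Certificate object for the primary certificate  in tenant: " + tenantDomain;
                if (log.isDebugEnabled()) {
                    log.debug(message, e);
                }
                throw new AuthenticationFailedException(message);
            } catch (Exception e) {
                // KeyStoreManager's accessors appear to declare plain Exception, hence the broad catch.
                String message = "Unable to load key store manager for the tenant domain: " + tenantDomain;
                if (log.isDebugEnabled()) {
                    log.debug(message, e);
                }
                throw new AuthenticationFailedException(message);
            }
        } catch (UserStoreException e) {
            throw new AuthenticationFailedException("Error while getting the tenant ID from the tenant domain : " + tenantDomain);
        }
    }

    /**
     * Builds the tenant keystore file name: dots in the domain become dashes, then the keystore extension.
     *
     * @param tenantDomain tenant domain
     * @return keystore file name
     */
    private String generateKSNameFromDomainName(String tenantDomain) {
        String baseName = tenantDomain.trim().replace(JWTBasicAuthenticatorConstants.FULLSTOP_DELIMITER,
                JWTBasicAuthenticatorConstants.DASH_DELIMITER);
        return baseName + JWTBasicAuthenticatorConstants.KEYSTORE_FILE_EXTENSION;
    }

    /**
     * Verifies an RS* signature with the RSA public key of the given certificate.
     *
     * @param signedJWT   token to verify
     * @param certificate certificate whose public key must have produced the signature
     * @return {@code true} when the signature verifies
     * @throws AuthenticationFailedException when no certificate is available, the header algorithm is
     *                                       missing or not RS*, the key is not RSA, or verification errors
     */
    private boolean validateSignature(SignedJWT signedJWT, X509Certificate certificate) throws AuthenticationFailedException {
        JWSHeader header = signedJWT.getHeader();
        if (certificate == null) {
            throw new AuthenticationFailedException("Unable to locate certificate for JWT " + header.toString());
        }
        String algorithm = header.getAlgorithm().getName();
        if (StringUtils.isEmpty(algorithm)) {
            throw new AuthenticationFailedException("Signature validation failed. No algorithm is found in JWT header.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm: " + algorithm + " found in JWT Header.");
        }
        // Only RS-prefixed algorithms (RS256/RS384/RS512) pass; "none", HMAC and PS* are rejected here so the
        // header cannot steer verification away from the tenant's RSA certificate.
        if (!algorithm.startsWith("RS")) {
            throw new AuthenticationFailedException("Signature Algorithm not supported : " + algorithm);
        }
        PublicKey publicKey = certificate.getPublicKey();
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new AuthenticationFailedException("Signature validation failed. Public key is not an RSA public key.");
        }
        try {
            return signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
        } catch (JOSEException e) {
            if (log.isDebugEnabled()) {
                log.debug("Signature verification failed for the JWT.", e);
            }
            throw new AuthenticationFailedException("Signature verification failed for the JWT.");
        }
    }

    /**
     * Reads the {@code TimestampSkew} authenticator parameter, falling back to
     * {@link #DEFAULT_TIMESTAMP_SKEW} when it is absent, blank or not a number.
     *
     * @return the skew to apply in {@link #checkExpirationTime}
     */
    private long getTimeStampSkew() {
        Map<String, String> parameters = getAuthenticatorConfig().getParameterMap();
        if (parameters != null) {
            String configuredSkew = parameters.get(JWTBasicAuthenticatorConstants.TIMESTAMP_SKEW);
            if (StringUtils.isNotBlank(configuredSkew)) {
                try {
                    return Long.parseLong(configuredSkew);
                } catch (NumberFormatException e) {
                    if (log.isDebugEnabled()) {
                        log.debug("Failed to parse configured 'TimestampSkew' value: " + configuredSkew + " to a long value. Picking the default value: " + DEFAULT_TIMESTAMP_SKEW);
                    }
                }
            } else if (log.isDebugEnabled()) {
                log.debug("'TimestampSkew' is not configured in application-authentication.xml file for the authenticator. Picking the default value: " + DEFAULT_TIMESTAMP_SKEW);
            }
        }
        return DEFAULT_TIMESTAMP_SKEW;
    }

    /**
     * Accepts the token while {@code currentTime + timeStampSkew <= expirationTime}.
     *
     * <p>NOTE(review): the skew is added to "now", which shortens the acceptance window rather than
     * tolerating clock drift (that would subtract it); confirm this tightening is the intended policy.
     * The addition is done with {@link Math#addExact} so that an absurdly large configured skew rejects the
     * token instead of wrapping around and accepting expired ones.
     *
     * @param expirationTime {@code exp} claim in epoch milliseconds
     * @param currentTime    current time in epoch milliseconds
     * @param timeStampSkew  skew, treated as milliseconds
     * @return {@code true} when the token has not expired (expiry is reported as an exception)
     * @throws AuthenticationFailedException when the token has expired or the skew arithmetic overflows
     */
    private boolean checkExpirationTime(long expirationTime, long currentTime, long timeStampSkew) throws AuthenticationFailedException {
        boolean notExpired;
        try {
            notExpired = Math.addExact(currentTime, timeStampSkew) <= expirationTime;
        } catch (ArithmeticException e) {
            notExpired = false;
        }
        if (notExpired) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("JSON Web Token is expired., Expiration Time(ms) : " + expirationTime + ", TimeStamp Skew(ms) : " + timeStampSkew + ", Current Time(ms) : " + currentTime + ". JWT Rejected and validation terminated");
        }
        throw new AuthenticationFailedException("Invalid token : Token is expired.");
    }
}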
