package org.wso2.carbon.identity.openidconnect;

import com.nimbusds.jwt.SignedJWT;
import java.security.cert.Certificate;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.RequestObjectValidatorUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.RequestObjectException;
import org.wso2.carbon.identity.oauth2.model.OAuth2Parameters;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.model.Constants;
import org.wso2.carbon.identity.openidconnect.model.RequestObject;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.utils.DiagnosticLog;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/RequestObjectValidatorImpl.class */
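/**
 * Default {@link RequestObjectValidator}. Validates the claims of an OpenID Connect request object against the
 * outer authorization request ({@link OAuth2Parameters}) and, for FAPI-conformant applications, enforces the
 * additional FAPI claim requirements. Signature and certificate handling is delegated to
 * {@link RequestObjectValidatorUtil}; the deprecated members remain for subclasses that still call them.
 * <p>
 * Instances hold no state and can be shared between threads.
 */
public class RequestObjectValidatorImpl implements RequestObjectValidator {

    private static final String OIDC_IDP_ENTITY_ID = "IdPEntityId";
    private static final String OIDC_ID_TOKEN_ISSUER_ID = "OAuth.OpenIDConnect.IDTokenIssuerID";
    private static final int MILLISECONDS_PER_SECOND = 1000;
    private static final int MILLISECONDS_PER_HOUR = 3600000;
    // A registered redirect URI starting with this prefix is treated as a regular expression.
    private static final String CALLBACK_REGEXP_PREFIX = "regexp=";
    // Component / action identifiers used for every diagnostic log event emitted by this validator.
    private static final String DIAG_COMPONENT = "oauth-inbound-service";
    private static final String DIAG_ACTION = "validate-request-object";
    private static final Log log = LogFactory.getLog(RequestObjectValidatorImpl.class);

    /**
     * Tells whether the request object carries a signed JWT.
     *
     * @param requestObject request object to inspect
     * @return {@code true} if {@link RequestObject#getSignedJWT()} is non-null
     */
    @Override
    public boolean isSigned(RequestObject requestObject) {

        return requestObject.getSignedJWT() != null;
    }

    /**
     * Verifies the signature of the request object.
     * Delegates to {@link RequestObjectValidatorUtil#validateSignature(RequestObject, OAuth2Parameters)}.
     *
     * @param requestObject    request object whose signature is checked
     * @param oAuth2Parameters authorization request parameters (client id, tenant)
     * @return whatever the util reports
     * @throws RequestObjectException when the signature cannot be validated
     */
    @Override
    public boolean validateSignature(RequestObject requestObject, OAuth2Parameters oAuth2Parameters)
            throws RequestObjectException {

        return RequestObjectValidatorUtil.validateSignature(requestObject, oAuth2Parameters);
    }

    /**
     * Verifies {@code signedJWT} against the certificate registered under {@code alias}.
     *
     * @deprecated kept for subclasses; delegates to {@link RequestObjectValidatorUtil}.
     */
    @Deprecated
    protected boolean isSignatureVerified(SignedJWT signedJWT, String alias) throws RequestObjectException {

        return RequestObjectValidatorUtil.isSignatureVerified(signedJWT, alias);
    }

    /**
     * Runs every claim-level check on the request object, in this order:
     * <ol>
     *   <li>{@code client_id} and {@code response_type} must match the authorization request (throws on mismatch);</li>
     *   <li>{@code exp}, when present, must not have passed (throws when expired);</li>
     *   <li>{@code redirect_uri}, when present, must match the request's redirect URI;</li>
     *   <li>the object must not nest another {@code request} or {@code request_uri};</li>
     *   <li>for a signed object, {@code iss} must equal the client id and {@code aud} must contain the
     *       token endpoint alias of the resident IdP;</li>
     *   <li>for a FAPI-conformant app, {@code scope}, {@code nonce} and {@code redirect_uri} must be present and
     *       the {@code nbf}/{@code exp} window is bounded (throws on violation).</li>
     * </ol>
     * A success diagnostic event is emitted only when diagnostic logs are enabled.
     *
     * @param requestObject    parsed request object
     * @param oAuth2Parameters parameters of the enclosing authorization request
     * @return {@code true} when all checks pass; {@code false} for a redirect URI, issuer or audience mismatch
     * @throws RequestObjectException for the checks that reject with an explicit OAuth error code
     */
    @Override
    public boolean validateRequestObject(RequestObject requestObject, OAuth2Parameters oAuth2Parameters)
            throws RequestObjectException {

        // Same evaluation order and short-circuiting as before; the throwing checks run first.
        boolean basicClaimsValid = validateClientIdAndResponseType(requestObject, oAuth2Parameters)
                && checkExpirationTime(requestObject)
                && isValidRedirectUri(requestObject, oAuth2Parameters)
                && !isParamPresent(requestObject, Constants.REQUEST_URI)
                && !isParamPresent(requestObject, Constants.REQUEST);
        if (!basicClaimsValid) {
            return false;
        }
        if (requestObject.isSigned()
                && (!isValidIssuer(requestObject, oAuth2Parameters)
                || !isValidAudience(requestObject, oAuth2Parameters))) {
            return false;
        }
        if (isFapiConformant(oAuth2Parameters.getClientId())) {
            checkFapiMandatedParams(requestObject);
            if (!isValidNbfExp(requestObject)) {
                return false;
            }
        }
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(newDiagnosticLogBuilder()
                    .resultMessage("Request object validation is successful.")
                    .resultStatus(DiagnosticLog.ResultStatus.SUCCESS));
        }
        return true;
    }

    /**
     * FAPI requires {@code scope}, {@code nonce} and {@code redirect_uri} inside the request object itself.
     *
     * @throws RequestObjectException with {@code invalid_request} naming the first missing claim
     */
    private void checkFapiMandatedParams(RequestObject requestObject) throws RequestObjectException {

        for (String claim : new String[]{"scope", "nonce", "redirect_uri"}) {
            if (!isParamPresent(requestObject, claim)) {
                throw new RequestObjectException("invalid_request", claim + " is not present in the request object.");
            }
        }
    }

    /**
     * Checks that the {@code aud} claim contains the token endpoint alias of the tenant's resident IdP.
     *
     * @throws RequestObjectException when the resident IdP configuration cannot be loaded
     */
    protected boolean isValidAudience(RequestObject requestObject, OAuth2Parameters oAuth2Parameters)
            throws RequestObjectException {

        String tokenEndpointAlias = getTokenEpURL(oAuth2Parameters.getTenantDomain());
        return validateAudience(tokenEndpointAlias, requestObject.getClaimsSet().getAudience());
    }

    /**
     * Rejects a request object whose {@code exp} claim has passed. A missing {@code exp} is accepted here
     * (FAPI apps get it enforced by {@link #isValidNbfExp}). The configured timestamp skew is applied on the
     * conservative side: the object is rejected once {@code now + skew} exceeds {@code exp}.
     *
     * @return {@code true} when not expired; this method never returns {@code false}, it throws instead
     * @throws RequestObjectException with {@code invalid_request} when expired
     */
    private boolean checkExpirationTime(RequestObject requestObject) throws RequestObjectException {

        Date expirationTime = requestObject.getClaimsSet().getExpirationTime();
        if (expirationTime == null) {
            return true;
        }
        long skewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * MILLISECONDS_PER_SECOND;
        long expirationMillis = expirationTime.getTime();
        long nowMillis = System.currentTimeMillis();
        if (nowMillis + skewMillis <= expirationMillis) {
            return true;
        }
        logAndReturnFalse("Request Object is expired., Expiration Time(ms) : " + expirationMillis
                + ", TimeStamp Skew : " + skewMillis + ", Current Time : " + nowMillis + ". Token Rejected.");
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(newDiagnosticLogBuilder()
                    .inputParam("request object expiration time (ms)", expirationTime)
                    .resultMessage("Request Object is Expired.")
                    .resultStatus(DiagnosticLog.ResultStatus.FAILED));
        }
        throw new RequestObjectException("invalid_request", "Request Object is Expired.");
    }

    /**
     * FAPI window check on {@code nbf} and {@code exp}. Both claims must be present; the object must not be
     * used before {@code nbf - skew}, {@code nbf} must not be older than
     * {@link CIBARequestObjectValidatorImpl#REQUEST_VALIDITY_PERIOD} (skew-adjusted), and {@code exp} must not lie
     * more than that period after {@code nbf}.
     *
     * @return {@code true} when the window is acceptable; this method never returns {@code false}, it throws instead
     * @throws RequestObjectException with {@code invalid_request} and a short reason; the detailed reason with
     *                                timestamps goes to the debug and diagnostic logs only
     */
    protected boolean isValidNbfExp(RequestObject requestObject) throws RequestObjectException {

        Date notBeforeTime = requestObject.getClaimsSet().getNotBeforeTime();
        Date expirationTime = requestObject.getClaimsSet().getExpirationTime();
        String shortReason = null;
        String detailedReason = null;
        if (notBeforeTime == null) {
            shortReason = "Request Object does not contain Not Before Time.";
        } else if (expirationTime == null) {
            shortReason = "Request Object does not contain Expiration Time.";
        } else {
            long skewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds()
                    * MILLISECONDS_PER_SECOND;
            long notBeforeMillis = notBeforeTime.getTime();
            long expirationMillis = expirationTime.getTime();
            long nowMillis = System.currentTimeMillis();
            if (nowMillis + skewMillis < notBeforeMillis) {
                shortReason = "Request Object is not valid yet.";
                detailedReason = String.format("Request Object is not valid yet., Not Before Time(ms) : %d, "
                                + "TimeStamp Skew : %d, Current Time : %d. Token Rejected.",
                        notBeforeMillis, skewMillis, nowMillis);
            } else if ((nowMillis + skewMillis) - CIBARequestObjectValidatorImpl.REQUEST_VALIDITY_PERIOD
                    > notBeforeMillis) {
                shortReason = "Request Object nbf claim is too old.";
                detailedReason = String.format("Request Object nbf claim is too old., Not Before Time(ms) : %d, "
                                + "TimeStamp Skew : %d, Current Time : %d. Token Rejected.",
                        notBeforeMillis, skewMillis, nowMillis);
            } else if (expirationMillis > notBeforeMillis + CIBARequestObjectValidatorImpl.REQUEST_VALIDITY_PERIOD) {
                shortReason = "Request Object expiry time is too far in the future than not before time.";
                detailedReason = String.format("Request Object expiry time is too far in the future than not before "
                                + "time., Expiration Time(ms) : %d, Not Before Time(ms) : %d, Current Time : %d. "
                                + "Token Rejected.",
                        expirationMillis, notBeforeMillis, nowMillis);
            }
        }
        if (StringUtils.isBlank(shortReason)) {
            return true;
        }
        String logMessage = StringUtils.isEmpty(detailedReason) ? shortReason : detailedReason;
        logAndReturnFalse(logMessage);
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(newDiagnosticLogBuilder()
                    .resultMessage(logMessage)
                    .resultStatus(DiagnosticLog.ResultStatus.FAILED));
        }
        throw new RequestObjectException("invalid_request", shortReason);
    }

    /**
     * The {@code client_id} and {@code response_type} claims, when present in the request object, must equal the
     * corresponding authorization request parameters. An absent claim is accepted (see {@link #isValidParameter}).
     *
     * @return {@code true} when both match; this method never returns {@code false}, it throws instead
     * @throws RequestObjectException with {@code invalid_request} on the first mismatch
     */
    protected boolean validateClientIdAndResponseType(RequestObject requestObject, OAuth2Parameters oAuth2Parameters)
            throws RequestObjectException {

        String clientIdInRequestObject = requestObject.getClaimValue("client_id");
        String responseTypeInRequestObject = requestObject.getClaimValue("response_type");
        DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null;
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            diagnosticLogBuilder = newDiagnosticLogBuilder().resultStatus(DiagnosticLog.ResultStatus.FAILED);
        }
        if (!isValidParameter(oAuth2Parameters.getClientId(), clientIdInRequestObject)) {
            if (diagnosticLogBuilder != null) {
                diagnosticLogBuilder
                        .inputParam("client id in request", oAuth2Parameters.getClientId())
                        .inputParam("client id in request object", clientIdInRequestObject)
                        .resultMessage("Request Object and Authorization request contains unmatched client_id");
                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
            }
            throw new RequestObjectException("invalid_request",
                    "Request Object and Authorization request contains unmatched client_id");
        }
        if (!isValidParameter(oAuth2Parameters.getResponseType(), responseTypeInRequestObject)) {
            if (diagnosticLogBuilder != null) {
                diagnosticLogBuilder
                        .inputParam("response type in request", oAuth2Parameters.getResponseType())
                        .inputParam("response type in request object", responseTypeInRequestObject)
                        .resultMessage("Request Object and Authorization request contains unmatched response_type");
                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder);
            }
            throw new RequestObjectException("invalid_request",
                    "Request Object and Authorization request contains unmatched response_type");
        }
        return true;
    }

    /**
     * A request-object claim is acceptable when it is absent/empty or equal to the request parameter.
     *
     * @param valueInRequest       value from the authorization request
     * @param valueInRequestObject value from the request object (may be null)
     * @return {@code true} if {@code valueInRequestObject} is empty or equals {@code valueInRequest}
     */
    protected boolean isValidParameter(String valueInRequest, String valueInRequestObject) {

        return StringUtils.isEmpty(valueInRequestObject) || valueInRequestObject.equals(valueInRequest);
    }

    /**
     * Resolves the alias a request object's {@code aud} must carry for this tenant: the {@code IdPEntityId}
     * property of the resident IdP's OIDC authenticator, falling back to the server-wide
     * {@code OAuth.OpenIDConnect.IDTokenIssuerID} property when that is empty.
     *
     * @param tenantDomain tenant whose resident IdP is consulted
     * @return the alias; empty or null when neither source yields a value
     * @throws RequestObjectException with {@code server_error} when the resident IdP cannot be loaded
     */
    protected String getTokenEpURL(String tenantDomain) throws RequestObjectException {

        String tokenEndpointAlias = "";
        try {
            Property idpEntityIdProperty = IdentityApplicationManagementUtil.getProperty(
                    IdentityApplicationManagementUtil.getFederatedAuthenticator(
                            IdentityProviderManager.getInstance().getResidentIdP(tenantDomain)
                                    .getFederatedAuthenticatorConfigs(),
                            "openidconnect").getProperties(),
                    OIDC_IDP_ENTITY_ID);
            if (idpEntityIdProperty != null) {
                tokenEndpointAlias = idpEntityIdProperty.getValue();
                if (log.isDebugEnabled()) {
                    log.debug("Found IdPEntityID: " + tokenEndpointAlias + " for tenantDomain: " + tenantDomain);
                }
            }
            if (StringUtils.isEmpty(tokenEndpointAlias)) {
                tokenEndpointAlias = IdentityUtil.getProperty(OIDC_ID_TOKEN_ISSUER_ID);
                if (StringUtils.isNotEmpty(tokenEndpointAlias) && log.isDebugEnabled()) {
                    log.debug("'IdPEntityID' property was empty for tenantDomain: " + tenantDomain
                            + ". Using OIDC IDToken Issuer value: " + tokenEndpointAlias
                            + " as alias to identify Resident IDP.");
                }
            }
            return tokenEndpointAlias;
        } catch (IdentityProviderManagementException e) {
            log.error("Error while loading OAuth2TokenEPUrl of the resident IDP of tenant:" + tenantDomain, e);
            // Keep the cause for server-side diagnosis; the client only sees the generic message.
            throw new RequestObjectException("server_error",
                    "Server Error while validating audience of Request Object.", e);
        }
    }

    /**
     * For a signed request object the {@code iss} claim must be the client id of the authorization request.
     *
     * @return {@code true} when {@code iss} is non-empty and equals the client id
     */
    protected boolean isValidIssuer(RequestObject requestObject, OAuth2Parameters oAuth2Parameters) {

        String issuer = requestObject.getClaimsSet().getIssuer();
        boolean isValid = StringUtils.isNotEmpty(issuer) && issuer.equals(oAuth2Parameters.getClientId());
        if (!isValid && LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(newDiagnosticLogBuilder()
                    .inputParam("issuer", issuer)
                    .inputParam("client id", oAuth2Parameters.getClientId())
                    .resultMessage("'issuer' field in request object should match with 'client_id' in request.")
                    .resultStatus(DiagnosticLog.ResultStatus.FAILED));
        }
        return isValid;
    }

    /**
     * @return {@code true} if the request object has a non-empty claim named {@code claimName}
     */
    private boolean isParamPresent(RequestObject requestObject, String claimName) {

        return StringUtils.isNotEmpty(requestObject.getClaimValue(claimName));
    }

    /**
     * Checks that {@code audiences} contains {@code tokenEndpointAlias}.
     * A blank alias (resident IdP entity id and issuer both unconfigured) never matches, so an empty
     * {@code aud} value cannot satisfy the check; a null audience list is treated as no audiences.
     *
     * @param tokenEndpointAlias expected audience value
     * @param audiences          {@code aud} values from the request object (may be null)
     * @return {@code true} on a match; otherwise logs the failure and returns {@code false}
     */
    protected boolean validateAudience(String tokenEndpointAlias, List<String> audiences) {

        if (StringUtils.isNotBlank(tokenEndpointAlias) && audiences != null) {
            for (String audience : audiences) {
                if (StringUtils.equals(tokenEndpointAlias, audience)) {
                    return true;
                }
            }
        }
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(newDiagnosticLogBuilder()
                    .inputParam(OAuth2Util.OPENID_CONNECT_AUDIENCE, audiences)
                    .configParam("token endpoint URL", tokenEndpointAlias)
                    .resultMessage("None of the audiences in request object matched the token endpoint.")
                    .resultStatus(DiagnosticLog.ResultStatus.FAILED));
        }
        return logAndReturnFalse("None of the audience values matched the tokenEndpoint Alias: " + tokenEndpointAlias);
    }

    /**
     * @deprecated argument order is (tenantDomain, alias); delegates to {@link #getX509CertOfOAuthApp(String, String)}
     * with the arguments swapped, as before.
     */
    @Deprecated
    protected Certificate getCertificateForAlias(String tenantDomain, String alias) throws RequestObjectException {

        return getX509CertOfOAuthApp(alias, tenantDomain);
    }

    /**
     * @deprecated delegates to {@link RequestObjectValidatorUtil#getX509CertOfOAuthApp(String, String)}.
     */
    @Deprecated
    protected Certificate getX509CertOfOAuthApp(String clientId, String tenantDomain) throws RequestObjectException {

        return RequestObjectValidatorUtil.getX509CertOfOAuthApp(clientId, tenantDomain);
    }

    /**
     * @deprecated delegates to {@link RequestObjectValidatorUtil#isSignatureVerified(SignedJWT, Certificate)}.
     */
    @Deprecated
    protected boolean isSignatureVerified(SignedJWT signedJWT, Certificate certificate) {

        return RequestObjectValidatorUtil.isSignatureVerified(signedJWT, certificate);
    }

    /**
     * The {@code redirect_uri} claim, when present, must match the authorization request's redirect URI.
     * A registered value prefixed with {@code regexp=} is matched as a regular expression against the whole
     * claim; otherwise the two strings must be equal. An absent/blank claim is accepted in both modes,
     * which also avoids the NPE {@link Pattern#matches} would throw on a null input.
     *
     * @return {@code true} on a match; otherwise emits a diagnostic event and returns {@code false}
     */
    protected boolean isValidRedirectUri(RequestObject requestObject, OAuth2Parameters oAuth2Parameters) {

        String redirectUriInRequestObject = requestObject.getClaimValue("redirect_uri");
        String redirectUriInRequest = oAuth2Parameters.getRedirectURI();
        boolean isValid;
        if (StringUtils.isBlank(redirectUriInRequestObject)) {
            // Nothing to compare: the request's own redirect URI stays in force.
            isValid = true;
        } else if (StringUtils.isNotEmpty(redirectUriInRequest)
                && redirectUriInRequest.startsWith(CALLBACK_REGEXP_PREFIX)) {
            String regex = redirectUriInRequest.substring(CALLBACK_REGEXP_PREFIX.length());
            isValid = Pattern.matches(regex, redirectUriInRequestObject);
        } else {
            isValid = StringUtils.equals(redirectUriInRequestObject, redirectUriInRequest);
        }
        if (!isValid && LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(newDiagnosticLogBuilder()
                    .inputParam("redirect URI in request", redirectUriInRequest)
                    .inputParam("redirect URI in request object", redirectUriInRequestObject)
                    .resultMessage("Redirect URI in request object does not match with redirect URI in request.")
                    .resultStatus(DiagnosticLog.ResultStatus.FAILED));
        }
        return isValid;
    }

    /**
     * Debug-logs {@code message} and returns {@code false}, so callers can {@code return logAndReturnFalse(...)}.
     */
    private boolean logAndReturnFalse(String message) {

        if (log.isDebugEnabled()) {
            log.debug(message);
        }
        return false;
    }

    /**
     * Looks up whether the application identified by {@code clientId} is FAPI conformant.
     *
     * @throws RequestObjectException {@code server_error} on a lookup failure, {@code invalid_client} when no
     *                                application exists for the client id
     */
    private boolean isFapiConformant(String clientId) throws RequestObjectException {

        try {
            return OAuth2Util.isFapiConformantApp(clientId);
        } catch (IdentityOAuth2Exception e) {
            throw new RequestObjectException("server_error",
                    "Error while obtaining the service provider for clientId: " + clientId, e);
        } catch (InvalidOAuthClientException e) {
            throw new RequestObjectException("invalid_client",
                    "Could not find an existing app for clientId: " + clientId, e);
        }
    }

    /**
     * Builder pre-filled with the component, action and detail level shared by all diagnostic events here.
     */
    private static DiagnosticLog.DiagnosticLogBuilder newDiagnosticLogBuilder() {

        return new DiagnosticLog.DiagnosticLogBuilder(DIAG_COMPONENT, DIAG_ACTION)
                .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION);
    }
}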
