package org.wso2.carbon.identity.openidconnect;

import com.nimbusds.jwt.SignedJWT;
import java.security.cert.Certificate;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.RequestObjectValidatorUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.RequestObjectException;
import org.wso2.carbon.identity.oauth2.model.OAuth2Parameters;
import org.wso2.carbon.identity.openidconnect.model.Constants;
import org.wso2.carbon.identity.openidconnect.model.RequestObject;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/RequestObjectValidatorImpl.class */
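public class RequestObjectValidatorImpl implements RequestObjectValidator {

    /** Resident IdP OIDC authenticator property whose value is the expected {@code aud} of a signed request object. */
    private static final String OIDC_IDP_ENTITY_ID = "IdPEntityId";
    /** Server property used as the audience alias when the resident IdP has no {@code IdPEntityId} configured. */
    private static final String OIDC_ID_TOKEN_ISSUER_ID = "OAuth.OpenIDConnect.IDTokenIssuerID";
    /** Name of the federated authenticator config looked up on the resident IdP. */
    private static final String OIDC_AUTHENTICATOR_NAME = "openidconnect";
    private static final Log log = LogFactory.getLog(RequestObjectValidatorImpl.class);

    /**
     * Reports whether the request object carries a parsed signed JWT.
     *
     * @param requestObject the request object under validation
     * @return {@code true} when {@link RequestObject#getSignedJWT()} is non-null
     */
    @Override
    public boolean isSigned(RequestObject requestObject) {
        return requestObject.getSignedJWT() != null;
    }

    /**
     * Verifies the request object's signature; the actual verification is delegated to
     * {@link RequestObjectValidatorUtil#validateSignature}.
     *
     * @param requestObject    the signed request object
     * @param oAuth2Parameters the parameters of the enclosing authorization request
     * @return the result of the delegated signature check
     * @throws RequestObjectException propagated from the delegate
     */
    @Override
    public boolean validateSignature(RequestObject requestObject, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
        return RequestObjectValidatorUtil.validateSignature(requestObject, oAuth2Parameters);
    }

    /**
     * @deprecated kept for subclasses; delegates to {@link RequestObjectValidatorUtil#isSignatureVerified(SignedJWT, String)}.
     */
    @Deprecated
    protected boolean isSignatureVerified(SignedJWT signedJWT, String str) throws RequestObjectException {
        return RequestObjectValidatorUtil.isSignatureVerified(signedJWT, str);
    }

    /**
     * Validates the claims of a request object against the authorization request it arrived with.
     * <p>
     * Checks run in order: client_id/response_type agreement and expiry (both throw on failure),
     * redirect_uri agreement, and rejection of nested {@code request}/{@code request_uri} claims.
     * For signed objects the {@code iss} and {@code aud} claims are additionally checked.
     *
     * @param requestObject    the request object under validation
     * @param oAuth2Parameters the parameters of the enclosing authorization request
     * @return {@code true} when every applicable check passes
     * @throws RequestObjectException on client_id/response_type mismatch, expiry, or a server error
     *                                while resolving the expected audience
     */
    @Override
    public boolean validateRequestObject(RequestObject requestObject, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
        // Order matters: the first two checks throw on failure, the remaining three only reject.
        if (!validateClientIdAndResponseType(requestObject, oAuth2Parameters)
                || !checkExpirationTime(requestObject)
                || !isValidRedirectUri(requestObject, oAuth2Parameters)
                || isParamPresent(requestObject, Constants.REQUEST_URI)
                || isParamPresent(requestObject, Constants.REQUEST)) {
            return false;
        }
        if (requestObject.isSigned()) {
            // Only signed objects bind the sender: iss must be the client, aud must be this IdP.
            return isValidIssuer(requestObject, oAuth2Parameters) && isValidAudience(requestObject, oAuth2Parameters);
        }
        return true;
    }

    /**
     * Checks that the request object's {@code aud} claim names this server's audience alias for the tenant.
     *
     * @throws RequestObjectException when the audience alias cannot be resolved
     */
    protected boolean isValidAudience(RequestObject requestObject, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
        String expectedAudience = getTokenEpURL(oAuth2Parameters.getTenantDomain());
        return validateAudience(expectedAudience, requestObject.getClaimsSet().getAudience());
    }

    /**
     * Enforces the {@code exp} claim, if present. A missing {@code exp} is accepted.
     *
     * @return {@code true} when the object is not yet expired
     * @throws RequestObjectException when the object is expired
     */
    private boolean checkExpirationTime(RequestObject requestObject) throws RequestObjectException {
        Date expirationTime = requestObject.getClaimsSet().getExpirationTime();
        if (expirationTime == null) {
            return true;
        }
        // The configured skew is in seconds; everything below is compared in milliseconds.
        long timeStampSkewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
        long expirationTimeMillis = expirationTime.getTime();
        long currentTimeMillis = System.currentTimeMillis();
        // The skew is added to "now", so the object must still be valid for the whole skew window.
        if (currentTimeMillis + timeStampSkewMillis <= expirationTimeMillis) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Request Object is expired., Expiration Time(ms) : " + expirationTimeMillis + ", TimeStamp Skew : " + timeStampSkewMillis + ", Current Time : " + currentTimeMillis + ". Token Rejected.");
        }
        throw new RequestObjectException("invalid_request", "Request Object is Expired.");
    }

    /**
     * Requires the {@code client_id} and {@code response_type} claims, when present, to match the
     * authorization request.
     *
     * @return {@code true} when both agree (or are absent from the request object)
     * @throws RequestObjectException on the first mismatch
     */
    protected boolean validateClientIdAndResponseType(RequestObject requestObject, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
        String clientIdClaim = requestObject.getClaimValue("client_id");
        String responseTypeClaim = requestObject.getClaimValue("response_type");
        if (!isValidParameter(oAuth2Parameters.getClientId(), clientIdClaim)) {
            throw new RequestObjectException("invalid_request", "Request Object and Authorization request contains unmatched client_id");
        }
        if (!isValidParameter(oAuth2Parameters.getResponseType(), responseTypeClaim)) {
            throw new RequestObjectException("invalid_request", "Request Object and Authorization request contains unmatched response_type");
        }
        return true;
    }

    /**
     * Compares a request-object claim with the corresponding authorization-request parameter.
     * An empty claim is treated as "not supplied" and accepted; a non-empty claim must equal the parameter.
     *
     * @param str  the value from the authorization request
     * @param str2 the claim value from the request object
     */
    protected boolean isValidParameter(String str, String str2) {
        return StringUtils.isEmpty(str2) || str2.equals(str);
    }

    /**
     * Resolves the audience alias expected in a signed request object for the given tenant.
     * <p>
     * Despite its name this does not return a token endpoint URL: it returns the resident IdP's
     * {@code IdPEntityId} property and, when that is empty, the {@code OAuth.OpenIDConnect.IDTokenIssuerID}
     * server property. The result may be {@code null}/empty if neither is configured.
     *
     * @param str the tenant domain
     * @throws RequestObjectException when the resident IdP cannot be loaded
     */
    protected String getTokenEpURL(String str) throws RequestObjectException {
        String audienceAlias = "";
        try {
            // NOTE(review): assumes the resident IdP has an "openidconnect" authenticator config;
            // a null from getFederatedAuthenticator would NPE here — confirm against the IdP mgt API.
            Property property = IdentityApplicationManagementUtil.getProperty(
                    IdentityApplicationManagementUtil.getFederatedAuthenticator(
                            IdentityProviderManager.getInstance().getResidentIdP(str).getFederatedAuthenticatorConfigs(),
                            OIDC_AUTHENTICATOR_NAME).getProperties(),
                    OIDC_IDP_ENTITY_ID);
            if (property != null) {
                audienceAlias = property.getValue();
                if (log.isDebugEnabled()) {
                    log.debug("Found IdPEntityID: " + audienceAlias + " for tenantDomain: " + str);
                }
            }
            if (StringUtils.isEmpty(audienceAlias)) {
                audienceAlias = IdentityUtil.getProperty(OIDC_ID_TOKEN_ISSUER_ID);
                if (StringUtils.isNotEmpty(audienceAlias) && log.isDebugEnabled()) {
                    log.debug("'IdPEntityID' property was empty for tenantDomain: " + str + ". Using OIDC IDToken Issuer value: " + audienceAlias + " as alias to identify Resident IDP.");
                }
            }
            return audienceAlias;
        } catch (IdentityProviderManagementException e) {
            log.error("Error while loading OAuth2TokenEPUrl of the resident IDP of tenant:" + str, e);
            throw new RequestObjectException("server_error", "Server Error while validating audience of Request Object.");
        }
    }

    /**
     * A signed request object must be issued by the requesting client: {@code iss} must equal the client_id.
     */
    protected boolean isValidIssuer(RequestObject requestObject, OAuth2Parameters oAuth2Parameters) {
        String issuer = requestObject.getClaimsSet().getIssuer();
        return StringUtils.isNotEmpty(issuer) && issuer.equals(oAuth2Parameters.getClientId());
    }

    /** Whether the named claim is present with a non-empty value. */
    private boolean isParamPresent(RequestObject requestObject, String str) {
        return StringUtils.isNotEmpty(requestObject.getClaimValue(str));
    }

    /**
     * Checks that at least one {@code aud} entry equals the expected alias.
     * <p>
     * An empty/null expected alias is rejected outright: it could only ever match an empty
     * audience entry, which never identifies this server. A null audience list is treated as empty.
     *
     * @param str  the expected audience alias (see {@link #getTokenEpURL(String)})
     * @param list the {@code aud} claim values, may be {@code null}
     */
    protected boolean validateAudience(String str, List<String> list) {
        if (StringUtils.isEmpty(str)) {
            if (log.isDebugEnabled()) {
                log.debug("No audience alias is configured for the resident IDP; rejecting Request Object audience.");
            }
            return false;
        }
        if (list != null) {
            for (String audience : list) {
                if (StringUtils.equals(str, audience)) {
                    return true;
                }
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("None of the audience values matched the tokenEndpoint Alias: " + str);
        }
        return false;
    }

    /**
     * @deprecated kept for subclasses; note the argument order is swapped before delegating to
     * {@link #getX509CertOfOAuthApp(String, String)}.
     */
    @Deprecated
    protected Certificate getCertificateForAlias(String str, String str2) throws RequestObjectException {
        return getX509CertOfOAuthApp(str2, str);
    }

    /**
     * @deprecated kept for subclasses; delegates to {@link RequestObjectValidatorUtil#getX509CertOfOAuthApp(String, String)}.
     */
    @Deprecated
    protected Certificate getX509CertOfOAuthApp(String str, String str2) throws RequestObjectException {
        return RequestObjectValidatorUtil.getX509CertOfOAuthApp(str, str2);
    }

    /**
     * @deprecated kept for subclasses; delegates to {@link RequestObjectValidatorUtil#isSignatureVerified(SignedJWT, Certificate)}.
     */
    @Deprecated
    protected boolean isSignatureVerified(SignedJWT signedJWT, Certificate certificate) {
        return RequestObjectValidatorUtil.isSignatureVerified(signedJWT, certificate);
    }

    /**
     * The {@code redirect_uri} claim, when present, must equal the authorization request's redirect URI.
     * A blank claim is accepted as "not supplied".
     */
    protected boolean isValidRedirectUri(RequestObject requestObject, OAuth2Parameters oAuth2Parameters) {
        String redirectUriClaim = requestObject.getClaimValue("redirect_uri");
        return StringUtils.isBlank(redirectUriClaim) || StringUtils.equals(redirectUriClaim, oAuth2Parameters.getRedirectURI());
    }
}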
