package org.wso2.carbon.identity.openidconnect;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObject;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPrivateKey;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.RequestObjectException;
import org.wso2.carbon.identity.oauth2.model.OAuth2Parameters;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.model.Constants;
import org.wso2.carbon.identity.openidconnect.model.RequestObject;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/RequestParamRequestObjectBuilder.class */
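/**
 * Builds a {@link RequestObject} from the value of the OIDC {@code request} parameter.
 *
 * <p>The parameter is expected to be a compact-serialized JOSE object: a JWE (five parts) that is
 * decrypted with the tenant's RSA private key, or a JWS / unsecured JWT (three parts).
 *
 * <p>Security note: this class only <em>parses</em> the request object. Nothing here verifies a
 * signature, and an unsecured ({@code alg} absent or {@code none}) JWT is accepted as a
 * {@link PlainJWT}. Signature verification and any "request object must be signed" policy are not
 * visible in this class and must be enforced by whatever consumes the returned object.
 */
public class RequestParamRequestObjectBuilder implements RequestObjectBuilder {
    private static final Log log = LogFactory.getLog(RequestParamRequestObjectBuilder.class);

    /**
     * Parses (and, when needed, first decrypts) the request object carried in the request parameter.
     *
     * @param str              compact serialization of the request object
     * @param oAuth2Parameters request parameters; the tenant domain selects the decryption key
     * @return the populated request object, or an empty one if {@link #decrypt} yields no content
     * @throws RequestObjectException if the value is blank, cannot be decrypted, or is not a valid JWT
     */
    @Override // org.wso2.carbon.identity.openidconnect.RequestObjectBuilder
    public RequestObject buildRequestObject(String str, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
        // Reject missing input with the declared protocol error instead of a NullPointerException.
        if (StringUtils.isBlank(str)) {
            throw new RequestObjectException("invalid_request", "No Valid JWT is found for the Request Object.");
        }

        RequestObject requestObject = new RequestObject();
        String serialized = str;
        if (isEncrypted(serialized)) {
            serialized = decrypt(serialized, oAuth2Parameters);
            if (StringUtils.isEmpty(serialized)) {
                // decrypt() in this class never returns empty; this covers overriding implementations.
                return requestObject;
            }
        }
        setRequestObjectValues(serialized, requestObject);

        if (log.isDebugEnabled()) {
            // Logs the value as received (still encrypted when a JWE was supplied).
            log.debug("Request Object extracted from the request: " + str);
        }
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            // The original reported "FAILED" here although parsing succeeded, which made the
            // diagnostic/audit trail misleading for anyone triaging request-object failures.
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", null, "SUCCESS",
                    "Request object parsed successfully.", "parse-request-object", null);
        }
        return requestObject;
    }

    /**
     * Decrypts a JWE request object with the tenant's RSA private key.
     *
     * <p>If the decrypted payload is itself a three-part compact JWT (nested JWS), that inner token
     * is returned unchanged. Otherwise the decrypted claims are re-serialized as an unsecured
     * {@link PlainJWT}; such a result carries no signature, so callers that require signed request
     * objects must reject it.
     *
     * @param str              compact serialization of the JWE
     * @param oAuth2Parameters request parameters; the tenant domain selects the decryption key
     * @return the nested JWT, or the decrypted claims serialized as an unsecured JWT
     * @throws RequestObjectException with {@code invalid_request} if parsing or decryption fails
     */
    @Override // org.wso2.carbon.identity.openidconnect.RequestObjectBuilder
    public String decrypt(String str, OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
        try {
            // EncryptedJWT is a JWEObject, so a single parse + decrypt exposes both the raw payload
            // and the claims set; the original performed a second, redundant private-key operation.
            EncryptedJWT encryptedJwt = EncryptedJWT.parse(str);
            encryptedJwt.decrypt(new RSADecrypter(getRSAPrivateKey(oAuth2Parameters)));

            if (encryptedJwt.getPayload() != null) {
                String payload = encryptedJwt.getPayload().toString();
                if (payload.split(Constants.JWT_PART_DELIMITER).length == 3) {
                    return payload;
                }
            }
            return new PlainJWT(encryptedJwt.getJWTClaimsSet()).serialize();
        } catch (JOSEException | ParseException | IdentityOAuth2Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("Failed to decrypt Request Object from " + str, e);
            }
            // The cause is deliberately kept out of the client-facing error; details stay in the debug log.
            throw new RequestObjectException("invalid_request", "Failed to decrypt Request Object");
        }
    }

    /**
     * Tells whether the value looks like a compact JWE, i.e. splits into five parts.
     *
     * @param str compact serialization to inspect; {@code null} is treated as not encrypted
     * @return {@code true} if the value has five delimiter-separated parts
     */
    protected boolean isEncrypted(String str) {
        return str != null && str.split(Constants.JWT_PART_DELIMITER).length == 5;
    }

    /**
     * Resolves the RSA private key used to decrypt request objects for the request's tenant.
     *
     * @param oAuth2Parameters request parameters carrying the tenant domain
     * @return the tenant's private key
     * @throws IdentityOAuth2Exception if the key lookup fails
     */
    protected RSAPrivateKey getRSAPrivateKey(OAuth2Parameters oAuth2Parameters) throws IdentityOAuth2Exception {
        String tenantDomain = getTenantDomainForDecryption(oAuth2Parameters);
        int tenantId = OAuth2Util.getTenantId(tenantDomain);
        return (RSAPrivateKey) OAuth2Util.getPrivateKey(tenantDomain, tenantId);
    }

    /**
     * Returns the tenant domain from the request, falling back to {@code "super"} when none is set.
     */
    private String getTenantDomainForDecryption(OAuth2Parameters oAuth2Parameters) {
        String tenantDomain = oAuth2Parameters.getTenantDomain();
        return StringUtils.isNotEmpty(tenantDomain) ? tenantDomain : "super";
    }

    /**
     * Parses the serialized JWT and stores it on the request object as a plain or signed JWT.
     *
     * <p>The branch is chosen from the (attacker-controlled) {@code alg} header only; no signature
     * is verified here.
     *
     * @param str           compact serialization of a three-part JWT (already decrypted if it was a JWE)
     * @param requestObject target that receives the parsed JWT
     * @throws RequestObjectException with {@code invalid_request} if the value is not a valid JWT
     */
    private void setRequestObjectValues(String str, RequestObject requestObject) throws RequestObjectException {
        try {
            JOSEObject joseObject = JOSEObject.parse(str);
            boolean unsecured = joseObject.getHeader().getAlgorithm() == null
                    || joseObject.getHeader().getAlgorithm().equals(JWSAlgorithm.NONE);
            if (unsecured) {
                requestObject.setPlainJWT(PlainJWT.parse(str));
            } else {
                requestObject.setSignedJWT(SignedJWT.parse(str));
            }
        } catch (ParseException e) {
            // NOTE(review): for an encrypted request, str is the DECRYPTED content at this point, so
            // both log sinks below record claims the client chose to encrypt. Confirm who can read
            // these logs, or log a digest/length instead of the raw value.
            if (log.isDebugEnabled()) {
                log.debug("No Valid JWT is found for the Request Object.Received Request Object: " + str, e);
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                Map<String, Object> params = new HashMap<>();
                params.put("requestObject", str);
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", params, "FAILED",
                        "Request object is not a valid JWT.", "parse-request-object", null);
            }
            throw new RequestObjectException("invalid_request", "No Valid JWT is found for the Request Object.");
        }
    }
}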
