package org.wso2.carbon.identity.oauth2.validators;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.Optional;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.OAuth2Constants;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.util.JWTUtils;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.utils.DiagnosticLog;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/OAuth2JWTTokenValidator.class */
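/**
 * Validates OAuth2 access tokens that are issued as signed JWTs.
 *
 * <p>The validation sequence is: parse the token, require a non-empty claim set, require the
 * mandatory claims, resolve the signing tenant and its resident identity provider from the claims,
 * verify the JWS signature, check {@code exp} and {@code nbf}, and finally expose the validated
 * claims on the message context for downstream consumers.
 *
 * <p>Identifiers that do not look like a JWT are rejected with {@code false} without any further work.
 * Diagnostic log events are emitted only while {@link LoggerUtils#isDiagnosticLogsEnabled()} is true.
 */
public class OAuth2JWTTokenValidator extends DefaultOAuth2TokenValidator {

    private static final Log log = LogFactory.getLog(OAuth2JWTTokenValidator.class);
    private static final String TRUE = "true";

    // Component / action pair used for every diagnostic log event emitted by this validator.
    private static final String DIAG_COMPONENT = "oauth-inbound-service";
    private static final String DIAG_ACTION = "validate-jwt-access-token";

    // Message-context property from which the AccessTokenDO for the token under validation is read.
    private static final String ACCESS_TOKEN_DO_PROPERTY = "AccessTokenDO";

    /**
     * Validates the JWT access token carried in the request DTO of {@code oAuth2TokenValidationMessageContext}.
     *
     * @param oAuth2TokenValidationMessageContext context holding the request DTO and validation properties
     * @return {@code true} when the token is a well-formed, correctly signed, unexpired JWT with all mandatory
     *         claims; {@code false} when the identifier is not a JWT or any of those checks fails
     * @throws IdentityOAuth2Exception when the claim set is empty, when the token cannot be parsed or its
     *         signature cannot be verified due to a system error, or when organization resolution fails
     */
    @Override
    public boolean validateAccessToken(OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext)
            throws IdentityOAuth2Exception {

        String tokenIdentifier = oAuth2TokenValidationMessageContext.getRequestDTO().getAccessToken().getIdentifier();
        if (!JWTUtils.isJWT(tokenIdentifier)) {
            // Not a JWT at all: nothing for this validator to decide.
            return false;
        }

        // Built once, up front, with FAILED as the default outcome; remains null when diagnostic logs are off.
        DiagnosticLog.DiagnosticLogBuilder diagnosticLogBuilder = null;
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            diagnosticLogBuilder = newDiagnosticLogBuilder(DiagnosticLog.ResultStatus.FAILED);
        }

        try {
            SignedJWT signedJWT = getSignedJWT(oAuth2TokenValidationMessageContext);
            Optional<JWTClaimsSet> maybeClaims = JWTUtils.getJWTClaimSet(signedJWT);
            if (!maybeClaims.isPresent()) {
                triggerDiagnosticLog(diagnosticLogBuilder, "Claim values are empty in the provided token.");
                throw new IdentityOAuth2Exception("Claim values are empty in the given Token.");
            }
            JWTClaimsSet claims = maybeClaims.get();

            if (!JWTUtils.validateRequiredFields(claims)) {
                triggerDiagnosticLog(diagnosticLogBuilder,
                        "Mandatory fields (iss, sub, exp, jtl, aud) are empty in the provided token.");
                return false;
            }

            // The signing tenant (and therefore the verification key) is derived from the still-unverified
            // claims plus the stored AccessTokenDO; the signature check below is what makes them trustworthy.
            AccessTokenDO accessTokenDO =
                    (AccessTokenDO) oAuth2TokenValidationMessageContext.getProperty(ACCESS_TOKEN_DO_PROPERTY);
            String signingTenantDomain = JWTUtils.getSigningTenantDomain(claims, accessTokenDO);
            if (log.isDebugEnabled()) {
                log.debug("Resolved tenant domain: " + signingTenantDomain + " to validate the JWT access token.");
            }

            IdentityProvider residentIdp = JWTUtils.getResidentIDPForIssuer(claims, signingTenantDomain);
            if (!validateSignature(signedJWT, residentIdp)) {
                triggerDiagnosticLog(diagnosticLogBuilder, "Signature validation failed.");
                return false;
            }

            if (!JWTUtils.checkExpirationTime(claims.getExpirationTime())) {
                triggerDiagnosticLog(diagnosticLogBuilder, "Token is expired.");
                return false;
            }

            // NOTE(review): any return value of checkNotBeforeTime is ignored here, so a token presented
            // before its nbf claim is rejected only if that call throws — confirm against JWTUtils.
            JWTUtils.checkNotBeforeTime(claims.getNotBeforeTime());

            setJWTMessageContext(oAuth2TokenValidationMessageContext, claims);

            if (diagnosticLogBuilder != null) {
                LoggerUtils.triggerDiagnosticLogEvent(diagnosticLogBuilder
                        .resultStatus(DiagnosticLog.ResultStatus.SUCCESS)
                        .resultMessage("Token validation is successful."));
            }
            return true;
        } catch (OrganizationManagementException e) {
            triggerDiagnosticLog(diagnosticLogBuilder, "Error while retrieving the organization hierarchy.", e);
            throw new IdentityOAuth2Exception("Error while retrieving the organization hierarchy.", e);
        } catch (JOSEException | ParseException e) {
            triggerDiagnosticLog(diagnosticLogBuilder, "System error occurred.", e);
            throw new IdentityOAuth2Exception("Error while validating Token.", e);
        }
    }

    /**
     * Returns the token type handled by this validator.
     *
     * @return the literal {@code "JWT"}
     */
    @Override
    public String getTokenType() {
        return "JWT";
    }

    /**
     * Resolves the certificate used to verify a token's signature for {@code identityProvider}.
     *
     * <p>This implementation delegates to {@link JWTUtils#resolveSignerCertificate(IdentityProvider)} and does
     * not consult {@code jWSHeader}; the header is passed so that subclasses can override this hook using it.
     *
     * @param jWSHeader        header of the token being verified (unused here)
     * @param identityProvider identity provider whose signing certificate is wanted
     * @return the resolved certificate, or whatever {@code JWTUtils} returns when none is found
     * @throws IdentityOAuth2Exception propagated from {@code JWTUtils}
     */
    protected X509Certificate resolveSignerCertificate(JWSHeader jWSHeader, IdentityProvider identityProvider)
            throws IdentityOAuth2Exception {
        return JWTUtils.resolveSignerCertificate(identityProvider);
    }

    /**
     * Parses the access-token identifier from the request DTO into a {@link SignedJWT}.
     *
     * @throws ParseException if the identifier is not a parseable signed JWT
     */
    private SignedJWT getSignedJWT(OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext)
            throws ParseException {
        String tokenIdentifier = oAuth2TokenValidationMessageContext.getRequestDTO().getAccessToken().getIdentifier();
        return JWTUtils.parseJWT(tokenIdentifier);
    }

    /**
     * Verifies the JWS signature of {@code signedJWT}.
     *
     * <p>The verification certificate comes from the token's own claims when
     * {@link JWTUtils#getCertificateFromClaims} yields one, and otherwise from
     * {@link #resolveSignerCertificate} for {@code identityProvider}.
     *
     * <p>NOTE(review): a certificate carried inside the very token being verified is controlled by whoever
     * minted that token unless {@code JWTUtils.getCertificateFromClaims} restricts it to a trusted set; confirm
     * that it does, since otherwise the signature check would not bind the token to the identity provider.
     *
     * @return {@code true} if the signature verifies under the algorithm reported by
     *         {@link JWTUtils#verifyAlgorithm(SignedJWT)}
     * @throws IdentityOAuth2Exception if no certificate can be located for the identity provider
     * @throws ParseException          if the claim set cannot be parsed
     * @throws JOSEException           on JOSE-level verification failures
     */
    private boolean validateSignature(SignedJWT signedJWT, IdentityProvider identityProvider)
            throws IdentityOAuth2Exception, ParseException, JOSEException {

        JWSHeader header = signedJWT.getHeader();
        Optional<X509Certificate> claimCertificate = JWTUtils.getCertificateFromClaims(signedJWT.getJWTClaimsSet());
        // Ternary rather than Optional.orElse so the IdP lookup only runs when the claims carry no certificate.
        X509Certificate signerCertificate = claimCertificate.isPresent()
                ? claimCertificate.get()
                : resolveSignerCertificate(header, identityProvider);

        if (signerCertificate == null) {
            // Guard the display-name lookup so a missing IdP surfaces as a validation error, not an NPE.
            String idpName = identityProvider == null ? "<unresolved>" : identityProvider.getDisplayName();
            throw new IdentityOAuth2Exception("Unable to locate certificate for Identity Provider: " + idpName);
        }
        return JWTUtils.verifySignature(signedJWT, signerCertificate, JWTUtils.verifyAlgorithm(signedJWT));
    }

    /**
     * Copies the validated claims onto the message context: marks the token as a JWT access token and exposes
     * {@code sub}, {@code iss}, the joined {@code aud} list and {@code jti}.
     */
    private void setJWTMessageContext(OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext,
                                      JWTClaimsSet jWTClaimsSet) {

        oAuth2TokenValidationMessageContext.addProperty(OAuth2Util.JWT_ACCESS_TOKEN, TRUE);
        oAuth2TokenValidationMessageContext.addProperty(OAuth2Util.SUB, jWTClaimsSet.getSubject());
        oAuth2TokenValidationMessageContext.addProperty("iss", jWTClaimsSet.getIssuer());
        // Multiple audiences are flattened into one string using the scope attribute separator.
        String audiences = String.join(OAuth2Constants.RoleBasedScope.ATTRIBUTE_VALUE_SEPERATER,
                jWTClaimsSet.getAudience());
        oAuth2TokenValidationMessageContext.addProperty("aud", audiences);
        oAuth2TokenValidationMessageContext.addProperty(OAuth2Util.JTI, jWTClaimsSet.getJWTID());
    }

    /**
     * Creates a diagnostic log builder for this validator's component/action pair at APPLICATION detail level.
     *
     * @param status initial result status of the event
     */
    private static DiagnosticLog.DiagnosticLogBuilder newDiagnosticLogBuilder(DiagnosticLog.ResultStatus status) {
        return new DiagnosticLog.DiagnosticLogBuilder(DIAG_COMPONENT, DIAG_ACTION)
                .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                .resultStatus(status);
    }

    /**
     * Publishes {@code builder} with {@code resultMessage}; a no-op when {@code builder} is null, which is the
     * case whenever diagnostic logs are disabled.
     */
    private static void triggerDiagnosticLog(DiagnosticLog.DiagnosticLogBuilder builder, String resultMessage) {
        if (builder != null) {
            builder.resultMessage(resultMessage);
            LoggerUtils.triggerDiagnosticLogEvent(builder);
        }
    }

    /**
     * Same as {@link #triggerDiagnosticLog(DiagnosticLog.DiagnosticLogBuilder, String)} but also records the
     * message of {@code cause} under the {@code "error message"} input parameter.
     */
    private static void triggerDiagnosticLog(DiagnosticLog.DiagnosticLogBuilder builder, String resultMessage,
                                             Exception cause) {
        if (builder != null) {
            builder.inputParam("error message", cause.getMessage());
            triggerDiagnosticLog(builder, resultMessage);
        }
    }
}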
