package org.wso2.carbon.identity.application.authenticator.oidc.util;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authenticator.oidc.OIDCAuthenticatorConstants;
import org.wso2.carbon.identity.application.authenticator.oidc.util.OIDCErrorConstants;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.util.JWTSignatureValidationUtils;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/oidc/util/OIDCTokenValidationUtil.class */
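public class OIDCTokenValidationUtil {
    private static final Log log = LogFactory.getLog(OIDCTokenValidationUtil.class);

    /** Identity provider name under which the resident (local) server is registered. */
    private static final String LOCAL_IDP_NAME = "LOCAL";

    /**
     * Returns the {@code iss} claim of the given claim set.
     *
     * @param jWTClaimsSet parsed claims of the token under validation
     * @return the value of the {@code iss} claim as reported by the claim set
     * @throws AuthenticationFailedException kept in the signature for API compatibility; this
     *                                       implementation does not throw it
     */
    public static String getIssuer(JWTClaimsSet jWTClaimsSet) throws AuthenticationFailedException {
        return jWTClaimsSet.getIssuer();
    }

    /**
     * Checks that the token's {@code aud} claim names this server's token endpoint alias.
     *
     * <p>The expected alias is resolved with {@link #getTokenEndpointAlias(IdentityProvider, String)}.
     * When that alias cannot be determined (null or blank) the check fails outright: a blank
     * expected value must never be treated as a match, and {@code StringUtils.equals(null, null)}
     * would otherwise report one for a null audience entry.
     *
     * @param list             audience values carried by the token
     * @param identityProvider identity provider the token is validated against
     * @param str              tenant domain used to look up the resident IdP
     * @throws AuthenticationFailedException if no audience entry equals the expected alias
     */
    public static void validateAudience(List<String> list, IdentityProvider identityProvider, String str)
            throws AuthenticationFailedException {
        String tokenEndpointAlias = getTokenEndpointAlias(identityProvider, str);
        boolean audienceMatched = false;
        if (StringUtils.isBlank(tokenEndpointAlias)) {
            if (log.isDebugEnabled()) {
                log.debug("Token endpoint alias of the IDP could not be resolved; audience validation fails.");
            }
        } else if (list != null) {
            for (String audience : list) {
                if (StringUtils.equals(tokenEndpointAlias, audience)) {
                    if (log.isDebugEnabled()) {
                        log.debug(tokenEndpointAlias + " of IDP was found in the list of audiences.");
                    }
                    audienceMatched = true;
                    break;
                }
            }
        }
        if (!audienceMatched) {
            throw new AuthenticationFailedException(
                    OIDCErrorConstants.ErrorMessages.JWT_TOKEN_AUD_CLAIM_VALIDATION_FAILED.getCode(),
                    String.format(OIDCErrorConstants.ErrorMessages.JWT_TOKEN_AUD_CLAIM_VALIDATION_FAILED.getMessage(),
                            tokenEndpointAlias));
        }
    }

    /**
     * Resolves the value the token's {@code aud} claim is expected to contain.
     *
     * <p>For the resident IdP (name {@code "LOCAL"}) this is the {@code OAUTH2_TOKEN_URL} property of
     * its OIDC federated authenticator configuration, read from the resident IdP of the given
     * tenant. For any other provider it is the provider's configured alias.
     *
     * @param identityProvider provider the token is validated against
     * @param str              tenant domain used to look up the resident IdP
     * @return the expected alias, or {@code null} when the resident IdP has no token URL property
     */
    private static String getTokenEndpointAlias(IdentityProvider identityProvider, String str) {
        if (!LOCAL_IDP_NAME.equals(identityProvider.getIdentityProviderName())) {
            String alias = identityProvider.getAlias();
            if (log.isDebugEnabled()) {
                log.debug("Token End Point Alias of the Federated IDP: " + alias);
            }
            return alias;
        }

        IdentityProvider residentIdP = identityProvider;
        try {
            residentIdP = IdentityProviderManager.getInstance().getResidentIdP(str);
        } catch (IdentityProviderManagementException e) {
            // Best effort: on lookup failure the provider passed by the caller is used instead.
            if (log.isDebugEnabled()) {
                log.debug("Error while getting Resident IDP :" + e.getMessage());
            }
        }
        FederatedAuthenticatorConfig federatedAuthenticator = IdentityApplicationManagementUtil
                .getFederatedAuthenticator(residentIdP.getFederatedAuthenticatorConfigs(),
                        OIDCAuthenticatorConstants.AUTHENTICATOR_FRIENDLY_NAME);
        Property tokenUrlProperty = null;
        if (federatedAuthenticator != null) {
            tokenUrlProperty = IdentityApplicationManagementUtil.getProperty(federatedAuthenticator.getProperties(),
                    OIDCAuthenticatorConstants.OAUTH2_TOKEN_URL);
        }
        if (tokenUrlProperty == null) {
            return null;
        }
        String alias = tokenUrlProperty.getValue();
        if (log.isDebugEnabled()) {
            log.debug("Token End Point Alias of Resident IDP :" + alias);
        }
        return alias;
    }

    /**
     * Verifies the token signature against the identity provider's configured keys.
     *
     * @param signedJWT        token whose signature is checked
     * @param identityProvider provider whose key material is used
     * @throws JOSEException                 propagated from the signature check
     * @throws IdentityOAuth2Exception       propagated from the signature check
     * @throws AuthenticationFailedException if the signature does not verify
     */
    public static void validateSignature(SignedJWT signedJWT, IdentityProvider identityProvider)
            throws JOSEException, IdentityOAuth2Exception, AuthenticationFailedException {
        if (!JWTSignatureValidationUtils.validateSignature(signedJWT, identityProvider)) {
            throw new AuthenticationFailedException(
                    OIDCErrorConstants.ErrorMessages.JWT_TOKEN_SIGNATURE_VALIDATION_FAILED.getCode(),
                    OIDCErrorConstants.ErrorMessages.JWT_TOKEN_SIGNATURE_VALIDATION_FAILED.getMessage());
        }
    }

    /**
     * Checks that the token carries a non-blank {@code iss} claim.
     *
     * <p>Only presence is checked here; whether the issuer is the expected one is not decided by
     * this method.
     *
     * @param jWTClaimsSet parsed claims of the token under validation
     * @throws AuthenticationFailedException if the {@code iss} claim is missing or blank
     */
    public static void validateIssuerClaim(JWTClaimsSet jWTClaimsSet) throws AuthenticationFailedException {
        if (StringUtils.isBlank(getIssuer(jWTClaimsSet))) {
            throw new AuthenticationFailedException(
                    OIDCErrorConstants.ErrorMessages.JWT_TOKEN_ISS_CLAIM_VALIDATION_FAILED.getCode(),
                    OIDCErrorConstants.ErrorMessages.JWT_TOKEN_ISS_CLAIM_VALIDATION_FAILED.getMessage());
        }
    }
}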
