package org.wso2.choreo.connect.enforcer.security.jwt.validator;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.util.DateUtils;
import java.io.IOException;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Date;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo;
import org.wso2.carbon.apimgt.common.gateway.exception.JWTGeneratorException;
import org.wso2.carbon.apimgt.common.gateway.jwttransformer.JWTTransformer;
import org.wso2.choreo.connect.enforcer.commons.exception.EnforcerException;
import org.wso2.choreo.connect.enforcer.config.ConfigHolder;
import org.wso2.choreo.connect.enforcer.config.dto.ExtendedTokenIssuerDto;
import org.wso2.choreo.connect.enforcer.security.jwt.SignedJWTInfo;
import org.wso2.choreo.connect.enforcer.util.JWTUtils;

/* loaded from: input_file:org/wso2/choreo/connect/enforcer/security/jwt/validator/JWTValidator.class */
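public class JWTValidator {
    private static final Logger logger = LogManager.getLogger(JWTValidator.class);

    /** Validation code reported for every rejection: unknown issuer, bad signature, expired or incomplete token. */
    private static final int API_AUTH_INVALID_CREDENTIALS = 900901;

    /** Clock skew, in seconds, tolerated when comparing the {@code exp} claim with the current time. */
    private static final long DEFAULT_TIMESTAMP_SKEW_SECONDS = 5L;

    // Cache of the most recently fetched JWKS. It is a single field, not keyed by issuer, so an issuer whose
    // key id is not in the cached set triggers a re-fetch from that issuer's JWKS URL.
    // NOTE(review): plain (non-volatile) field shared across calls — if one instance serves concurrent
    // requests, confirm the threading model before relying on cache visibility.
    private JWKSet jwkSet;

    /**
     * Validates a signed JWT against the issuer configured for its {@code iss} claim.
     *
     * @param signedJWTInfo the parsed token together with its claims
     * @return the validation result; {@code isValid()} is false with code 900901 when the issuer is not
     *         configured, the signature does not verify, the token is expired, or it lacks {@code exp}/{@code iat}
     * @throws EnforcerException if the token cannot be parsed or signature verification cannot be performed
     */
    public JWTValidationInfo validateJWTToken(SignedJWTInfo signedJWTInfo) throws EnforcerException {
        String issuer = signedJWTInfo.getJwtClaimsSet().getIssuer();
        Map<String, ExtendedTokenIssuerDto> issuersMap = ConfigHolder.getInstance().getConfig().getIssuersMap();
        if (StringUtils.isEmpty(issuer) || !issuersMap.containsKey(issuer)) {
            // Fail closed: a token whose issuer is not configured is never trusted.
            // The issuer value comes from a not-yet-verified token, so it is logged before any check passed.
            logger.error("No matching issuer found for the token with issuer : " + issuer);
            return invalidResult();
        }
        ExtendedTokenIssuerDto issuerDto = issuersMap.get(issuer);
        JWTTransformer jwtTransformer = ConfigHolder.getInstance().getConfig().getJwtTransformer(issuer);
        jwtTransformer.loadConfiguration(issuerDto);
        return validateToken(signedJWTInfo, issuerDto, jwtTransformer);
    }

    /** Builds the result used for every rejection path (invalid, code 900901). */
    private static JWTValidationInfo invalidResult() {
        JWTValidationInfo info = new JWTValidationInfo();
        info.setValid(false);
        info.setValidationCode(API_AUTH_INVALID_CREDENTIALS);
        return info;
    }

    /**
     * Runs the signature and expiry checks and, on success, populates the validation info from the
     * transformed claims.
     *
     * @param signedJWTInfo the token under validation
     * @param extendedTokenIssuerDto configuration of the issuer named in the token
     * @param jWTTransformer issuer-specific transformer for consumer key, scopes and claims
     * @return the populated result, or an invalid result when a check fails
     * @throws EnforcerException on parse/transform errors or when signature verification cannot be performed
     */
    private JWTValidationInfo validateToken(SignedJWTInfo signedJWTInfo, ExtendedTokenIssuerDto extendedTokenIssuerDto,
                                            JWTTransformer jWTTransformer) throws EnforcerException {
        try {
            // Signature first: no claim is trusted until the token verifies.
            if (!validateSignature(signedJWTInfo.getSignedJWT(), extendedTokenIssuerDto)) {
                return invalidResult();
            }
            JWTClaimsSet jwtClaimsSet = signedJWTInfo.getJwtClaimsSet();
            if (!validateTokenExpiry(jwtClaimsSet)) {
                return invalidResult();
            }
            JWTValidationInfo info = new JWTValidationInfo();
            info.setConsumerKey(jWTTransformer.getTransformedConsumerKey(jwtClaimsSet));
            info.setScopes(jWTTransformer.getTransformedScopes(jwtClaimsSet));
            JWTClaimsSet transformedClaims = jWTTransformer.transform(jwtClaimsSet);
            if (transformedClaims.getExpirationTime() == null || transformedClaims.getIssueTime() == null) {
                // The result stores exp/iat via Date.getTime(), so a token missing either claim cannot be
                // represented; reject it cleanly instead of failing with a NullPointerException that would
                // escape the catch below.
                logger.error("Token rejected: the exp or iat claim is missing");
                return invalidResult();
            }
            createJWTValidationInfoFromJWT(info, transformedClaims);
            info.setRawPayload(signedJWTInfo.getToken());
            info.setKeyManager(extendedTokenIssuerDto.getName());
            return info;
        } catch (ParseException | JWTGeneratorException e) {
            throw new EnforcerException("Error while parsing JWT", e);
        }
    }

    /**
     * Verifies the token signature with the key selected by the issuer configuration.
     * <p>
     * Key selection: without a {@code kid} header the issuer's certificate alias is used. With a {@code kid}
     * and JWKS enabled (with a URL), the key is resolved from the cached JWKS; if the JWK yields no RSA public
     * key the certificate alias is used instead. With a {@code kid} but no JWKS, the issuer's configured
     * certificate is used when present, otherwise the {@code kid} itself is handed to
     * {@link JWTUtils#verifyTokenSignature(SignedJWT, String)}.
     * NOTE(review): in that last path the alias comes from the unverified token header, so any key the
     * utility can find under that alias is accepted — confirm this is intended.
     *
     * @param signedJWT the token to verify
     * @param extendedTokenIssuerDto configuration of the issuer named in the token
     * @return true when the signature verifies
     * @throws EnforcerException if the key id is unknown to the JWKS, the key is not RSA, or verification fails
     */
    protected boolean validateSignature(SignedJWT signedJWT, ExtendedTokenIssuerDto extendedTokenIssuerDto)
            throws EnforcerException {
        try {
            String certificateAlias = extendedTokenIssuerDto.getCertificateAlias();
            String keyID = signedJWT.getHeader().getKeyID();
            if (StringUtils.isEmpty(keyID)) {
                return JWTUtils.verifyTokenSignature(signedJWT, certificateAlias);
            }
            if (!isJwksConfigured(extendedTokenIssuerDto)) {
                if (extendedTokenIssuerDto.getCertificate() == null) {
                    return JWTUtils.verifyTokenSignature(signedJWT, keyID);
                }
                logger.debug("Retrieve certificate from Token issuer and validating");
                // Cast is unchecked against the certificate's key type; a non-RSA certificate fails here.
                return JWTUtils.verifyTokenSignature(signedJWT,
                        (RSAPublicKey) extendedTokenIssuerDto.getCertificate().getPublicKey());
            }
            RSAPublicKey rsaPublicKey = lookupJwksKey(keyID, extendedTokenIssuerDto);
            if (rsaPublicKey != null) {
                return JWTUtils.verifyTokenSignature(signedJWT, rsaPublicKey);
            }
            return JWTUtils.verifyTokenSignature(signedJWT, certificateAlias);
        } catch (JOSEException | IOException | ParseException e) {
            throw new EnforcerException("JWT Signature verification failed", e);
        }
    }

    /** True when the issuer has JWKS enabled and a JWKS URL configured. */
    private static boolean isJwksConfigured(ExtendedTokenIssuerDto issuerDto) {
        return issuerDto.getJwksConfigurationDTO().isEnabled()
                && StringUtils.isNotEmpty(issuerDto.getJwksConfigurationDTO().getUrl());
    }

    /**
     * Resolves {@code keyID} to an RSA public key from the issuer's JWKS, fetching the JWKS when nothing is
     * cached or the key id is not in the cached set (key rollover).
     *
     * @param keyID the {@code kid} from the token header
     * @param issuerDto issuer whose JWKS URL is fetched
     * @return the RSA public key, or null when the JWK is RSA but yields no public key
     * @throws EnforcerException when the key id is absent from the freshly fetched JWKS or the key is not RSA
     */
    private RSAPublicKey lookupJwksKey(String keyID, ExtendedTokenIssuerDto issuerDto)
            throws EnforcerException, IOException, ParseException, JOSEException {
        if (this.jwkSet == null || this.jwkSet.getKeyByKeyId(keyID) == null) {
            // NOTE(review): every token carrying an unknown kid costs one JWKS fetch; consider throttling
            // refreshes so a burst of bogus key ids cannot hammer the issuer endpoint.
            this.jwkSet = retrieveJWKSet(issuerDto);
        }
        if (this.jwkSet.getKeyByKeyId(keyID) == null) {
            // Distinct from the algorithm error below: the key simply is not published by the issuer.
            throw new EnforcerException("No key matching the token key id was found in the issuer JWKS");
        }
        if (!(this.jwkSet.getKeyByKeyId(keyID) instanceof RSAKey)) {
            throw new EnforcerException("Key Algorithm not supported");
        }
        return ((RSAKey) this.jwkSet.getKeyByKeyId(keyID)).toRSAPublicKey();
    }

    /**
     * Checks the {@code exp} claim against the current time, tolerating
     * {@code DEFAULT_TIMESTAMP_SKEW_SECONDS} of clock skew.
     *
     * @param jWTClaimsSet claims of the token under validation
     * @return true if the token has not expired. A token without {@code exp} also passes this check; such a
     *         token is rejected later because the validation result requires an expiry time.
     */
    protected boolean validateTokenExpiry(JWTClaimsSet jWTClaimsSet) {
        Date now = new Date();
        Date expirationTime = jWTClaimsSet.getExpirationTime();
        return expirationTime == null || DateUtils.isAfter(expirationTime, now, DEFAULT_TIMESTAMP_SKEW_SECONDS);
    }

    /**
     * Fetches and parses the issuer's JWKS and stores it in the cache field.
     *
     * @param extendedTokenIssuerDto issuer whose JWKS URL is fetched
     * @return the freshly parsed JWKS (also assigned to {@code jwkSet})
     * @throws IOException if the JWKS cannot be retrieved
     * @throws ParseException if the JWKS document is malformed
     */
    private JWKSet retrieveJWKSet(ExtendedTokenIssuerDto extendedTokenIssuerDto) throws IOException, ParseException {
        String jwksUrl = extendedTokenIssuerDto.getJwksConfigurationDTO().getUrl();
        this.jwkSet = JWKSet.parse(JWTUtils.retrieveJWKSConfiguration(jwksUrl));
        return this.jwkSet;
    }

    /**
     * Copies the standard claims of an already verified, non-expired token into the result and marks it valid.
     * Precondition: {@code jWTClaimsSet} carries both {@code exp} and {@code iat} (the caller checks this).
     *
     * @param jWTValidationInfo result to populate
     * @param jWTClaimsSet transformed claims of the token
     * @throws ParseException if the {@code scope} claim is not a string
     */
    private void createJWTValidationInfoFromJWT(JWTValidationInfo jWTValidationInfo, JWTClaimsSet jWTClaimsSet)
            throws ParseException {
        jWTValidationInfo.setIssuer(jWTClaimsSet.getIssuer());
        jWTValidationInfo.setValid(true);
        jWTValidationInfo.setClaims(jWTClaimsSet.getClaims());
        jWTValidationInfo.setExpiryTime(jWTClaimsSet.getExpirationTime().getTime());
        jWTValidationInfo.setIssuedTime(jWTClaimsSet.getIssueTime().getTime());
        jWTValidationInfo.setUser(jWTClaimsSet.getSubject());
        jWTValidationInfo.setJti(jWTClaimsSet.getJWTID());
        // A "scope" claim in the transformed claims takes precedence over the scopes the transformer
        // supplied earlier via getTransformedScopes.
        if (jWTClaimsSet.getClaim("scope") != null) {
            jWTValidationInfo.setScopes(Arrays.asList(jWTClaimsSet.getStringClaim("scope").split(" ")));
        }
    }
}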
