package org.cloudfoundry.identity.uaa.util;

import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.oauth.KeyInfo;
import org.cloudfoundry.identity.uaa.oauth.KeyInfoService;
import org.cloudfoundry.identity.uaa.oauth.TokenRevokedException;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.jwt.Jwt;
import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
import org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableToken;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableTokenProvisioning;
import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.user.UaaUserDatabase;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.20.0.jar:org/cloudfoundry/identity/uaa/util/TokenValidation.class */
public abstract class TokenValidation {
    private static final Log logger = LogFactory.getLog(TokenValidation.class);
    private final Map<String, Object> claims;
    private final Jwt tokenJwt;
    private final String token;
    private final KeyInfoService keyInfoService;
    private Optional<List<String>> scopes;

    /* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.20.0.jar:org/cloudfoundry/identity/uaa/util/TokenValidation$AccessTokenValidation.class */
    private static class AccessTokenValidation extends TokenValidation {
        public AccessTokenValidation(String str, KeyInfoService keyInfoService) {
            super(str, keyInfoService);
        }

        @Override // org.cloudfoundry.identity.uaa.util.TokenValidation
        protected void validateJtiValue(String str) {
            if (str.endsWith(TokenConstants.REFRESH_TOKEN_SUFFIX)) {
                throw new InvalidTokenException("Invalid access token.", null);
            }
        }

        @Override // org.cloudfoundry.identity.uaa.util.TokenValidation
        String getClaimName() {
            return "scope";
        }

        @Override // org.cloudfoundry.identity.uaa.util.TokenValidation
        Optional<List<String>> getScopes() {
            return readScopesFromClaim(getClaimName());
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.20.0.jar:org/cloudfoundry/identity/uaa/util/TokenValidation$IdTokenValidation.class */
    public static class IdTokenValidation extends TokenValidation {
        public IdTokenValidation(String str, KeyInfoService keyInfoService) {
            super(str, keyInfoService);
        }

        @Override // org.cloudfoundry.identity.uaa.util.TokenValidation
        String getClaimName() {
            return "scope";
        }

        @Override // org.cloudfoundry.identity.uaa.util.TokenValidation
        Optional<List<String>> getScopes() {
            return readScopesFromClaim(getClaimName());
        }

        @Override // org.cloudfoundry.identity.uaa.util.TokenValidation
        protected void validateJtiValue(String str) {
            if (str.endsWith(TokenConstants.REFRESH_TOKEN_SUFFIX)) {
                throw new InvalidTokenException("Invalid access token.", null);
            }
        }
    }

    /* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.20.0.jar:org/cloudfoundry/identity/uaa/util/TokenValidation$RefreshTokenValidation.class */
    private static class RefreshTokenValidation extends TokenValidation {
        public RefreshTokenValidation(String str, KeyInfoService keyInfoService) {
            super(str, keyInfoService);
        }

        @Override // org.cloudfoundry.identity.uaa.util.TokenValidation
        protected void validateJtiValue(String str) {
            if (!str.endsWith(TokenConstants.REFRESH_TOKEN_SUFFIX)) {
                throw new InvalidTokenException("Invalid refresh token.", null);
            }
        }

        @Override // org.cloudfoundry.identity.uaa.util.TokenValidation
        String getClaimName() {
            return getClaims().containsKey(ClaimConstants.GRANTED_SCOPES) ? ClaimConstants.GRANTED_SCOPES : "scope";
        }

        @Override // org.cloudfoundry.identity.uaa.util.TokenValidation
        Optional<List<String>> getScopes() {
            return readScopesFromClaim(getClaimName());
        }
    }

    public static TokenValidation buildAccessTokenValidator(String str, KeyInfoService keyInfoService) {
        AccessTokenValidation accessTokenValidation = new AccessTokenValidation(str, keyInfoService);
        accessTokenValidation.checkSignature();
        return accessTokenValidation;
    }

    public static TokenValidation buildRefreshTokenValidator(String str, KeyInfoService keyInfoService) {
        RefreshTokenValidation refreshTokenValidation = new RefreshTokenValidation(str, keyInfoService);
        refreshTokenValidation.checkSignature();
        return refreshTokenValidation;
    }

    public static TokenValidation buildIdTokenValidator(String str, SignatureVerifier signatureVerifier, KeyInfoService keyInfoService) {
        IdTokenValidation idTokenValidation = new IdTokenValidation(str, keyInfoService);
        idTokenValidation.checkSignature(signatureVerifier);
        return idTokenValidation;
    }

    abstract String getClaimName();

    abstract Optional<List<String>> getScopes();

    private TokenValidation(String str, KeyInfoService keyInfoService) {
        this.scopes = null;
        this.token = str;
        this.claims = UaaTokenUtils.getClaims(str);
        this.tokenJwt = JwtHelper.decode(str);
        this.keyInfoService = keyInfoService;
    }

    private SignatureVerifier fetchSignatureVerifierFromToken(Jwt jwt) {
        String kid = jwt.getHeader().getKid();
        if (kid == null) {
            throw new InvalidTokenException("kid claim not found in JWT token header");
        }
        KeyInfo key = this.keyInfoService.getKey(kid);
        if (key == null) {
            throw new InvalidTokenException(String.format("Token header claim [kid] references unknown signing key : [%s]", kid));
        }
        return key.getVerifier();
    }

    public TokenValidation checkSignature() {
        return checkSignature(fetchSignatureVerifierFromToken(this.tokenJwt));
    }

    public TokenValidation checkSignature(SignatureVerifier signatureVerifier) {
        try {
            this.tokenJwt.verifySignature(signatureVerifier);
            return this;
        } catch (RuntimeException e) {
            logger.debug("Invalid token (could not verify signature)", e);
            throw new InvalidTokenException("Could not verify token signature.", new InvalidSignatureException(this.token));
        }
    }

    public TokenValidation checkIssuer(String str) {
        if (str == null) {
            return this;
        }
        if (!this.claims.containsKey(ClaimConstants.ISS)) {
            throw new InvalidTokenException("Token does not bear an ISS claim.", null);
        }
        if (equals(str, this.claims.get(ClaimConstants.ISS))) {
            return this;
        }
        throw new InvalidTokenException("Invalid issuer (" + this.claims.get(ClaimConstants.ISS) + ") for token did not match expected: " + str, null);
    }

    protected TokenValidation checkExpiry(Instant instant) {
        if (!this.claims.containsKey("exp")) {
            throw new InvalidTokenException("Token does not bear an EXP claim.", null);
        }
        try {
            long intValue = ((Integer) this.claims.get("exp")).intValue();
            if (instant.getEpochSecond() > intValue) {
                throw new InvalidTokenException("Token expired at " + intValue, null);
            }
            return this;
        } catch (ClassCastException e) {
            throw new InvalidTokenException("Token bears an invalid or unparseable EXP claim.", e);
        }
    }

    public TokenValidation checkExpiry() {
        return checkExpiry(Instant.now());
    }

    protected TokenValidation checkUser(Function<String, UaaUser> function) {
        if (!UaaTokenUtils.isUserToken(this.claims)) {
            throw new InvalidTokenException("Token is not a user token.", null);
        }
        if (!this.claims.containsKey("user_id")) {
            throw new InvalidTokenException("Token does not bear a USER_ID claim.", null);
        }
        try {
            String str = (String) this.claims.get("user_id");
            if (str == null) {
                throw new InvalidTokenException("Token has a null USER_ID claim.", null);
            }
            try {
                UaaUser apply = function.apply(str);
                Assert.notNull(apply, "[Assertion failed] - this argument is required; it must not be null");
                if (apply == null) {
                    throw new InvalidTokenException("Found no data for user ID: " + str, null);
                }
                List<? extends GrantedAuthority> authorities = apply.getAuthorities();
                if (authorities == null) {
                    throw new InvalidTokenException("Invalid token (all scopes have been revoked)", null);
                }
                checkScopesWithin((List) authorities.stream().map((v0) -> {
                    return v0.getAuthority();
                }).collect(Collectors.toList()));
                return this;
            } catch (UsernameNotFoundException e) {
                throw new InvalidTokenException("Token bears a non-existent user ID: " + str, e);
            } catch (InvalidTokenException e2) {
                throw e2;
            }
        } catch (ClassCastException e3) {
            throw new InvalidTokenException("Token bears an invalid or unparseable USER_ID claim.", e3);
        }
    }

    protected TokenValidation checkScopesWithin(String... strArr) {
        return checkScopesWithin(Arrays.asList(strArr));
    }

    protected TokenValidation checkScopesWithin(Collection<String> collection) {
        getScopes().ifPresent(list -> {
            Set<Pattern> constructWildcards = UaaStringUtils.constructWildcards(collection);
            List list = (List) list.stream().filter(str -> {
                return !constructWildcards.stream().anyMatch(pattern -> {
                    return pattern.matcher(str).matches();
                });
            }).collect(Collectors.toList());
            if (list.isEmpty()) {
                return;
            }
            throw new InvalidTokenException(String.format("Some required %s are missing: " + ((String) list.stream().collect(Collectors.joining(" "))), getClaimName()));
        });
        return this;
    }

    public TokenValidation checkClientAndUser(ClientDetails clientDetails, UaaUser uaaUser) {
        TokenValidation checkClient = checkClient(str -> {
            if (equals(str, clientDetails.getClientId())) {
                return clientDetails;
            }
            throw new InvalidTokenException("Token's client ID does not match expected value: " + clientDetails.getClientId());
        });
        return UaaTokenUtils.isUserToken(this.claims) ? checkClient.checkUser(str2 -> {
            if (uaaUser == null) {
                throw new InvalidTokenException("Unable to validate user, no user found.");
            }
            if (equals(str2, uaaUser.getId())) {
                return uaaUser;
            }
            throw new InvalidTokenException("Token does not have expected user ID.");
        }).checkRequiredUserGroups((Collection) Optional.ofNullable((Collection) clientDetails.getAdditionalInformation().get(ClientConstants.REQUIRED_USER_GROUPS)).orElse(Collections.emptySet()), AuthorityUtils.authorityListToSet(uaaUser.getAuthorities())) : checkClient;
    }

    protected TokenValidation checkRequiredUserGroups(Collection<String> collection, Collection<String> collection2) {
        if (UaaTokenUtils.hasRequiredUserGroups(collection, collection2)) {
            return this;
        }
        throw new InvalidTokenException("User does not meet the client's required group criteria.", null);
    }

    protected TokenValidation checkClient(Function<String, ClientDetails> function) {
        if (!this.claims.containsKey(ClaimConstants.CID)) {
            throw new InvalidTokenException("Token bears no client ID.", null);
        }
        if (this.claims.containsKey("client_id") && !equals(this.claims.get(ClaimConstants.CID), this.claims.get("client_id"))) {
            throw new InvalidTokenException("Token bears conflicting client ID claims.", null);
        }
        try {
            String str = (String) this.claims.get(ClaimConstants.CID);
            try {
                ClientDetails apply = function.apply(str);
                checkScopesWithin(null == this.claims.get("user_id") ? (Collection) Optional.ofNullable(apply.getAuthorities()).map(collection -> {
                    return (List) collection.stream().map((v0) -> {
                        return v0.getAuthority();
                    }).collect(Collectors.toList());
                }).orElse(Collections.emptyList()) : apply.getScope());
                return this;
            } catch (InvalidTokenException e) {
                throw e;
            } catch (NoSuchClientException e2) {
                throw new InvalidTokenException("The token refers to a non-existent client: " + str, e2);
            }
        } catch (ClassCastException e3) {
            throw new InvalidTokenException("Token bears an invalid or unparseable CID claim.", e3);
        }
    }

    public TokenValidation checkRevocationSignature(List<String> list) {
        if (!this.claims.containsKey(ClaimConstants.REVOCATION_SIGNATURE)) {
            return this;
        }
        try {
            String str = (String) this.claims.get(ClaimConstants.REVOCATION_SIGNATURE);
            boolean z = false;
            Iterator<String> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                if (str.equals(it.next())) {
                    z = true;
                    break;
                }
            }
            if (str == null || !z) {
                throw new TokenRevokedException("revocable signature mismatch");
            }
            return this;
        } catch (ClassCastException e) {
            throw new InvalidTokenException("Token bears an invalid or unparseable revocation signature.", e);
        }
    }

    public TokenValidation checkAudience(String... strArr) {
        return checkAudience(Arrays.asList(strArr));
    }

    protected TokenValidation checkAudience(Collection<String> collection) {
        List list;
        if (!this.claims.containsKey("aud")) {
            throw new InvalidTokenException("The token does not bear an AUD claim.", null);
        }
        Object obj = this.claims.get("aud");
        if (obj instanceof String) {
            list = Collections.singletonList((String) obj);
        } else if (obj == null) {
            list = Collections.emptyList();
        } else {
            try {
                list = (List) ((List) obj).stream().map(obj2 -> {
                    return (String) obj2;
                }).collect(Collectors.toList());
            } catch (ClassCastException e) {
                throw new InvalidTokenException("The token's audience claim is invalid or unparseable.", e);
            }
        }
        List list2 = list;
        List list3 = (List) collection.stream().filter(str -> {
            return !list2.contains(str);
        }).collect(Collectors.toList());
        if (list3.isEmpty()) {
            return this;
        }
        throw new InvalidTokenException("Some parties were not in the token audience: " + ((String) list3.stream().map(str2 -> {
            return "".equals(str2) ? "EMPTY_VALUE" : str2;
        }).collect(Collectors.joining(", "))), null);
    }

    public TokenValidation checkRevocableTokenStore(RevocableTokenProvisioning revocableTokenProvisioning) {
        try {
            if (this.claims.containsKey(ClaimConstants.REVOCABLE) && ((Boolean) this.claims.get(ClaimConstants.REVOCABLE)).booleanValue()) {
                String str = (String) this.claims.get("jti");
                if (str == null) {
                    throw new InvalidTokenException("The token does not bear a token ID (JTI).", null);
                }
                RevocableToken revocableToken = null;
                try {
                    revocableToken = revocableTokenProvisioning.retrieve(str, IdentityZoneHolder.get().getId());
                } catch (EmptyResultDataAccessException e) {
                }
                if (revocableToken == null) {
                    throw new TokenRevokedException("The token has been revoked: " + str);
                }
            }
            return this;
        } catch (ClassCastException e2) {
            throw new InvalidTokenException("The token's revocability or JTI claim is invalid or unparseable.", e2);
        }
    }

    private static boolean equals(Object obj, Object obj2) {
        return obj == null ? obj2 == null : obj.equals(obj2);
    }

    protected Optional<List<String>> readScopesFromClaim(String str) {
        if (!this.claims.containsKey(str)) {
            throw new InvalidTokenException(String.format("The token does not bear a %s claim.", str), null);
        }
        Object obj = this.claims.get(str);
        if (obj == null) {
            obj = new ArrayList();
        }
        try {
            this.scopes = Optional.of((List) ((List) obj).stream().filter(Objects::nonNull).map((v0) -> {
                return v0.toString();
            }).collect(Collectors.toList()));
            return this.scopes;
        } catch (ClassCastException e) {
            throw new InvalidTokenException("The token's scope claim is invalid or unparseable.", e);
        }
    }

    public Jwt getJwt() {
        return this.tokenJwt;
    }

    public Map<String, Object> getClaims() {
        return this.claims;
    }

    public TokenValidation checkJti() {
        Object obj = getClaims().get("jti");
        if (obj == null) {
            throw new InvalidTokenException("The token must contain a jti claim.", null);
        }
        validateJtiValue(obj.toString());
        return this;
    }

    protected abstract void validateJtiValue(String str);

    public ClientDetails getClientDetails(ClientServicesExtension clientServicesExtension) {
        String str = (String) this.claims.get(ClaimConstants.CID);
        try {
            return clientServicesExtension.loadClientByClientId(str, IdentityZoneHolder.get().getId());
        } catch (NoSuchClientException e) {
            throw new InvalidTokenException("Invalid client ID " + str);
        }
    }

    public UaaUser getUserDetails(UaaUserDatabase uaaUserDatabase) {
        String str = (String) this.claims.get("user_id");
        if (!UaaTokenUtils.isUserToken(this.claims)) {
            return null;
        }
        try {
            return uaaUserDatabase.retrieveUserById(str);
        } catch (UsernameNotFoundException e) {
            throw new InvalidTokenException("Token bears a non-existent user ID: " + str);
        }
    }
}
