package io.cellery.security.extensions.jwt;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import io.cellery.security.extensions.util.Utils;
import java.text.ParseException;
import java.util.Date;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.OAuth2JWTTokenValidator;
import org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidationMessageContext;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:io/cellery/security/extensions/jwt/CellerySignedJWTValidator.class */
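/**
 * Token validator that accepts self-contained, signed JWT access tokens issued by a trusted identity
 * provider, on top of the token types handled by {@link OAuth2JWTTokenValidator}.
 * <p>
 * Validation order is: parse, mandatory-claim presence, signature against the issuer's IdP, and only
 * then the consumerKey / exp / nbf / aud checks. The signature is verified before any claim-driven
 * lookup so that an unsigned or forged token cannot drive application lookups by consumer key or be used
 * to tell registered consumer keys from unregistered ones through the resulting error messages.
 */
public class CellerySignedJWTValidator extends OAuth2JWTTokenValidator {
    private static final Log log = LogFactory.getLog(CellerySignedJWTValidator.class);
    private static final String CONSUMER_KEY = "consumerKey";
    // Name of the resident IdP's federated authenticator whose entity-id property identifies the local issuer.
    private static final String OPENID_CONNECT_AUTHENTICATOR = "openidconnect";
    // Name the IdP manager hands back for the placeholder "default" IdP, which is not a trusted issuer by itself.
    private static final String DEFAULT_IDP_NAME = "default";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";

    /**
     * Validates the access token carried by the message context as a signed JWT and, when it is valid,
     * copies the standard claims into the context properties read by downstream validators.
     *
     * @param oAuth2TokenValidationMessageContext validation context carrying the raw token identifier
     * @return {@code true} when the JWT is well formed, signed by a trusted IdP and every claim check passes;
     *         {@code false} when the signature does not verify
     * @throws IdentityOAuth2Exception when the token is absent or unparsable, or a claim check fails
     */
    @Override
    public boolean validateAccessToken(OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext)
            throws IdentityOAuth2Exception {
        String tokenIdentifier = getAccessTokenIdentifier(oAuth2TokenValidationMessageContext);
        if (StringUtils.isBlank(tokenIdentifier)) {
            // SignedJWT.parse(null) would escape as an unchecked exception; report it as a validation error instead.
            throw new IdentityOAuth2Exception("Access token identifier is empty; cannot validate signed jwt.");
        }
        try {
            SignedJWT signedJWT = SignedJWT.parse(tokenIdentifier);
            if (!isSignedJWTValid(signedJWT)) {
                return false;
            }
            JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
            // 'exp' is guaranteed by validateMandatoryJWTClaims; 'iat' is not, so it is checked here
            // rather than letting a NullPointerException escape from getTimeInSeconds.
            Date issueTime = requireTimeClaim(claims.getIssueTime(), "iat");
            oAuth2TokenValidationMessageContext.addProperty("REMOTE_ACCESS_TOKEN", Boolean.TRUE);
            oAuth2TokenValidationMessageContext.addProperty("JWT_ACCESS_TOKEN", Boolean.TRUE);
            oAuth2TokenValidationMessageContext.addProperty("iat", String.valueOf(getTimeInSeconds(issueTime)));
            oAuth2TokenValidationMessageContext.addProperty("exp",
                    String.valueOf(getTimeInSeconds(claims.getExpirationTime())));
            oAuth2TokenValidationMessageContext.addProperty("client_id", claims.getClaim(CONSUMER_KEY));
            oAuth2TokenValidationMessageContext.addProperty("sub", claims.getSubject());
            oAuth2TokenValidationMessageContext.addProperty("scope", claims.getClaim("scope"));
            oAuth2TokenValidationMessageContext.addProperty("iss", claims.getIssuer());
            oAuth2TokenValidationMessageContext.addProperty("jti", claims.getJWTID());
            return true;
        } catch (ParseException e) {
            throw new IdentityOAuth2Exception("Error validating signed jwt.", e);
        }
    }

    /**
     * Converts a point in time to whole seconds since the epoch, the unit used for the iat/exp properties.
     *
     * @param date non-null time value
     * @return epoch seconds, truncated toward zero
     */
    private static long getTimeInSeconds(Date date) {
        return date.getTime() / 1000;
    }

    /**
     * Returns the given time claim, rejecting the token when the claim is absent.
     *
     * @param value     claim value as read from the claims set, possibly {@code null}
     * @param claimName claim name used in the error message
     * @return {@code value}, never {@code null}
     * @throws IdentityOAuth2Exception when the claim is absent
     */
    private static Date requireTimeClaim(Date value, String claimName) throws IdentityOAuth2Exception {
        if (value == null) {
            throw new IdentityOAuth2Exception("Mandatory claim '" + claimName + "' is missing in the signedJWT.");
        }
        return value;
    }

    /**
     * Accepts the scope of any signed JWT token without inspection and defers to the parent validator for
     * every other token type.
     * NOTE(review): the scopes carried inside a signed JWT are not checked by this class; presumably a
     * downstream component enforces them — confirm.
     *
     * @param oAuth2TokenValidationMessageContext validation context carrying the raw token identifier
     * @return {@code true} for signed JWTs, otherwise the parent's decision
     * @throws IdentityOAuth2Exception propagated from the parent validator
     */
    @Override
    public boolean validateScope(OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext)
            throws IdentityOAuth2Exception {
        String tokenIdentifier = getAccessTokenIdentifier(oAuth2TokenValidationMessageContext);
        return Utils.isSignedJWT(tokenIdentifier) || super.validateScope(oAuth2TokenValidationMessageContext);
    }

    /** Extracts the raw access token string from the validation request. */
    private String getAccessTokenIdentifier(OAuth2TokenValidationMessageContext messageContext) {
        return messageContext.getRequestDTO().getAccessToken().getIdentifier();
    }

    /**
     * Runs the full claim and signature validation of a parsed JWT.
     *
     * @param signedJWT parsed, not yet verified token
     * @return {@code true} when the signature verifies and all claim checks pass, {@code false} when the
     *         signature does not verify
     * @throws IdentityOAuth2Exception when the claims cannot be read or a claim check fails
     */
    private boolean isSignedJWTValid(SignedJWT signedJWT) throws IdentityOAuth2Exception {
        try {
            JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
            if (claims == null) {
                throw new IdentityOAuth2Exception("Claim values are empty in the validated JWT.");
            }
            // The issuer is needed to locate the signing IdP, so claim presence is checked first.
            validateMandatoryJWTClaims(claims);
            // Until the signature verifies every claim value is attacker-controlled, so nothing below
            // (in particular the application lookup by consumerKey) runs before this check.
            if (!Utils.validateSignature(signedJWT, getTrustedIdp(claims))) {
                if (log.isDebugEnabled()) {
                    log.debug("Signature validation of the signed JWT failed. Token Rejected and validation terminated.");
                }
                return false;
            }
            validateConsumerKey(claims);
            validateExpiryTime(claims);
            validateNotBeforeTime(claims);
            validateAudience(claims);
            return true;
        } catch (ParseException e) {
            throw new IdentityOAuth2Exception("Error while validating JWT.", e);
        }
    }

    /**
     * Requires the 'consumerKey' claim to be a non-blank string naming a registered OAuth application.
     *
     * @param claims verified claims
     * @throws IdentityOAuth2Exception when the claim is missing, not a string, or names no registered app
     */
    private void validateConsumerKey(JWTClaimsSet claims) throws IdentityOAuth2Exception {
        String consumerKey;
        try {
            // getStringClaim reports a non-string value as a ParseException instead of a ClassCastException.
            consumerKey = claims.getStringClaim(CONSUMER_KEY);
        } catch (ParseException e) {
            throw new IdentityOAuth2Exception("Claim 'consumerKey' in the signedJWT is not a string.", e);
        }
        if (StringUtils.isBlank(consumerKey)) {
            throw new IdentityOAuth2Exception("Mandatory claim 'consumerKey' is missing in the signedJWT.");
        }
        try {
            OAuth2Util.getAppInformationByClientId(consumerKey);
        } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
            // Keep the cause so the original lookup failure is not lost.
            throw new IdentityOAuth2Exception(
                    "Invalid consumerKey. Cannot find a registered app for consumerKey: " + consumerKey, e);
        }
    }

    /**
     * Audience check placeholder.
     * NOTE(review): this is a no-op. validateMandatoryJWTClaims only guarantees that an 'aud' claim is
     * present; its value is never compared with an expected audience, so a token minted for a different
     * audience by the same trusted issuer is accepted here. The expected audience value is not visible in
     * this file — confirm where it should come from before adding the comparison.
     *
     * @param claims verified claims
     * @throws IdentityOAuth2Exception never, at present
     */
    private void validateAudience(JWTClaimsSet claims) throws IdentityOAuth2Exception {
    }

    /**
     * Requires the issuer, subject, expiration time, audience and JWT id claims to be present.
     *
     * @param claims claims as read from the token (not yet verified at the time this runs)
     * @throws IdentityOAuth2Exception when any of the mandatory claims is absent
     */
    private void validateMandatoryJWTClaims(JWTClaimsSet claims) throws IdentityOAuth2Exception {
        List<String> audience = claims.getAudience();
        // An empty audience list is treated like an absent one: the claims library may report a missing
        // 'aud' claim as an empty list rather than null.
        boolean audienceMissing = audience == null || audience.isEmpty();
        if (StringUtils.isEmpty(claims.getIssuer())
                || StringUtils.isEmpty(claims.getSubject())
                || claims.getExpirationTime() == null
                || audienceMissing
                || claims.getJWTID() == null) {
            throw new IdentityOAuth2Exception(
                    "Mandatory fields(Issuer, Subject, Expiration time, jti or Audience) are empty in the given Token.");
        }
    }

    /** Configured clock-skew allowance, converted from seconds to milliseconds. */
    private static long getTimeStampSkewMillis() {
        return OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
    }

    /**
     * Rejects the token when its expiration time has passed. The skew allowance is added to the current
     * time, i.e. a token is treated as expired slightly before its nominal 'exp'.
     *
     * @param claims verified claims with a non-null expiration time
     * @throws IdentityOAuth2Exception when the token is expired
     */
    private void validateExpiryTime(JWTClaimsSet claims) throws IdentityOAuth2Exception {
        long timeStampSkewMillis = getTimeStampSkewMillis();
        long expirationTimeMillis = claims.getExpirationTime().getTime();
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis + timeStampSkewMillis > expirationTimeMillis) {
            if (log.isDebugEnabled()) {
                log.debug("Token is expired., Expiration Time(ms) : " + expirationTimeMillis + ", TimeStamp Skew : " + timeStampSkewMillis + ", Current Time : " + currentTimeMillis + ". Token Rejected and validation terminated.");
            }
            throw new IdentityOAuth2Exception("Token is expired.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Expiration Time(exp) of Token was validated successfully.");
        }
    }

    /**
     * Rejects the token when it is presented before its optional 'nbf' time, allowing for the configured
     * skew. Tokens without an 'nbf' claim pass.
     *
     * @param claims verified claims
     * @throws IdentityOAuth2Exception when the token is not yet valid
     */
    private void validateNotBeforeTime(JWTClaimsSet claims) throws IdentityOAuth2Exception {
        Date notBeforeTime = claims.getNotBeforeTime();
        if (notBeforeTime == null) {
            return;
        }
        long timeStampSkewMillis = getTimeStampSkewMillis();
        long notBeforeMillis = notBeforeTime.getTime();
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis + timeStampSkewMillis < notBeforeMillis) {
            if (log.isDebugEnabled()) {
                log.debug("Token is used before Not_Before_Time., Not Before Time(ms) : " + notBeforeMillis + ", TimeStamp Skew : " + timeStampSkewMillis + ", Current Time : " + currentTimeMillis + ". Token Rejected and validation terminated.");
            }
            throw new IdentityOAuth2Exception("Token is used before Not_Before_Time.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Not Before Time(nbf) of Token was validated successfully.");
        }
    }

    /**
     * Resolves the identity provider trusted for the token's issuer. When the IdP manager only returns the
     * placeholder "default" IdP, the resident IdP is used if its OIDC entity id matches the issuer.
     *
     * @param claims claims carrying the issuer (mandatory-claim check has already run)
     * @return the trusted IdP, never {@code null}
     * @throws IdentityOAuth2Exception when no trusted IdP matches the issuer or the lookup fails
     */
    private IdentityProvider getTrustedIdp(JWTClaimsSet claims) throws IdentityOAuth2Exception {
        String issuer = claims.getIssuer();
        String tenantDomain = getTenantDomain(claims);
        try {
            IdentityProvider idp = IdentityProviderManager.getInstance().getIdPByName(issuer, tenantDomain);
            if (idp != null && StringUtils.equalsIgnoreCase(idp.getIdentityProviderName(), DEFAULT_IDP_NAME)) {
                idp = getLocalIdpForIssuer(issuer, tenantDomain);
            }
            if (idp == null) {
                throw new IdentityOAuth2Exception(
                        "No trusted IDP registered with the issuer: " + issuer + " in tenantDomain: " + tenantDomain);
            }
            return idp;
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception("Error while retrieving trusted IDP information for issuer: " + issuer
                    + " in tenantDomain: " + tenantDomain, e);
        }
    }

    /**
     * Returns the tenant's resident IdP when its OpenID Connect entity id equals the given issuer.
     *
     * @param issuer       issuer taken from the token
     * @param tenantDomain tenant whose resident IdP is consulted
     * @return the resident IdP on a match, otherwise {@code null}
     * @throws IdentityOAuth2Exception when the resident IdP cannot be retrieved
     */
    private IdentityProvider getLocalIdpForIssuer(String issuer, String tenantDomain) throws IdentityOAuth2Exception {
        try {
            IdentityProvider residentIdp = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
            FederatedAuthenticatorConfig oidcAuthenticator = IdentityApplicationManagementUtil.getFederatedAuthenticator(
                    residentIdp.getFederatedAuthenticatorConfigs(), OPENID_CONNECT_AUTHENTICATOR);
            String residentEntityId = null;
            if (oidcAuthenticator != null) {
                // The entity-id property may be unset on the authenticator; treat that as "no match".
                org.wso2.carbon.identity.application.common.model.Property entityIdProperty =
                        IdentityApplicationManagementUtil.getProperty(oidcAuthenticator.getProperties(),
                                Utils.OPENID_IDP_ENTITY_ID);
                if (entityIdProperty != null) {
                    residentEntityId = entityIdProperty.getValue();
                }
            }
            return StringUtils.equalsIgnoreCase(residentEntityId, issuer) ? residentIdp : null;
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception("Error retrieving resident IDP information for issuer: " + issuer
                    + " of tenantDomain: " + tenantDomain, e);
        }
    }

    /**
     * Tenant domain in which the issuer is looked up. Currently fixed to the super tenant; the claims are not
     * consulted.
     *
     * @param claims token claims (unused)
     * @return the super-tenant domain
     */
    private String getTenantDomain(JWTClaimsSet claims) {
        return SUPER_TENANT_DOMAIN;
    }
}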
