package io.jans.as.server.token.ws.rs;

import io.jans.as.model.common.ExchangeTokenType;
import io.jans.as.model.common.SubjectTokenType;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.token.TokenErrorResponseType;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.auth.DpopService;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.common.AbstractToken;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.util.ServerUtil;
import io.jans.as.server.util.TokenHashUtil;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import org.apache.tika.utils.StringUtils;
import org.json.JSONObject;
import org.slf4j.Logger;

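/**
 * Validates the inputs of a transaction-token (tx_token) exchange request: the
 * {@code requested_token_type}, the {@code subject_token_type} and the {@code subject_token}.
 *
 * <p>Every validation failure is reported as a {@link WebApplicationException} whose
 * response is an HTTP 400 JSON error built by {@link #error} and finished by
 * {@link #response}. Building that error response also flushes the caller's
 * {@link OAuth2AuditLog} entry, so each rejected request is audited exactly once.
 */
@Named
@Stateless
/* loaded from: input_file:io/jans/as/server/token/ws/rs/TxTokenValidator.class */
public class TxTokenValidator {

    @Inject
    private Logger log;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    /**
     * Ensures the request asks for a transaction token.
     *
     * @param requestedTokenType value of the {@code requested_token_type} request parameter
     * @param oAuth2AuditLog     audit entry flushed when an error response is built
     * @throws WebApplicationException 400 with {@link TokenErrorResponseType#INVALID_REQUESTED_TOKEN_TYPE}
     *                                 when the value does not select the tx_token flow
     */
    public void validateRequestedTokenType(String requestedTokenType, OAuth2AuditLog oAuth2AuditLog) {
        if (TxTokenService.isTxTokenFlow(requestedTokenType)) {
            return;
        }
        log.trace("Invalid requested_token_type.");
        throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_REQUESTED_TOKEN_TYPE,
                "Unknown requested_token_type. For transaction tokens value must be " + ExchangeTokenType.TX_TOKEN.getName()),
                oAuth2AuditLog));
    }

    /**
     * Parses the {@code subject_token_type} request parameter.
     *
     * @param subjectTokenType raw value of the {@code subject_token_type} request parameter
     * @param oAuth2AuditLog   audit entry flushed when an error response is built
     * @return the parsed type, never {@code null}
     * @throws WebApplicationException 400 with {@link TokenErrorResponseType#INVALID_SUBJECT_TOKEN_TYPE}
     *                                 when the value is not a known type
     */
    public SubjectTokenType validateSubjectTokenType(String subjectTokenType, OAuth2AuditLog oAuth2AuditLog) {
        SubjectTokenType parsed = SubjectTokenType.fromString(subjectTokenType);
        if (parsed != null) {
            return parsed;
        }
        log.trace("Invalid subject_token_type.");
        throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_SUBJECT_TOKEN_TYPE,
                "Unknown subject_token_type."), oAuth2AuditLog));
    }

    /**
     * Validates the {@code subject_token} according to its declared type.
     *
     * <p>Only access tokens and id tokens are supported; any other type is rejected.
     *
     * @param subjectToken     raw value of the {@code subject_token} request parameter
     * @param subjectTokenType the type declared by the request (see {@link #validateSubjectTokenType})
     * @param oAuth2AuditLog   audit entry flushed when an error response is built
     * @return the grant the token belongs to; {@code null} for an id_token that is not stored on this
     *         server but whose signature verified (see {@link #validateIdToken}), so callers must
     *         handle a {@code null} result
     * @throws WebApplicationException 400 {@link TokenErrorResponseType#INVALID_GRANT} when the token
     *                                 is blank, of an unsupported type, unknown, expired or not verifiable
     */
    public AuthorizationGrant validateSubjectToken(String subjectToken, SubjectTokenType subjectTokenType, OAuth2AuditLog oAuth2AuditLog) {
        if (StringUtils.isBlank(subjectToken)) {
            log.trace("Invalid subject_token. Blank value is not allowed.");
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT,
                    "Invalid subject_token."), oAuth2AuditLog));
        }
        if (subjectTokenType == SubjectTokenType.ACCESS_TOKEN) {
            return validateAccessToken(subjectToken, oAuth2AuditLog);
        }
        if (subjectTokenType == SubjectTokenType.ID_TOKEN) {
            return validateIdToken(subjectToken, oAuth2AuditLog);
        }
        log.trace("Invalid subject_token. subject_token_type is not supported.");
        throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT,
                "Invalid subject_token. subject_token_type is not supported."), oAuth2AuditLog));
    }

    /**
     * Resolves an access-token subject token to its grant and checks the token is still valid.
     *
     * @param accessToken    the access token presented as {@code subject_token}
     * @param oAuth2AuditLog audit entry flushed when an error response is built
     * @return the grant that issued the token
     * @throws WebApplicationException 400 {@link TokenErrorResponseType#INVALID_GRANT} when no grant
     *                                 holds the token or the token reports itself as invalid
     */
    private AuthorizationGrant validateAccessToken(String accessToken, OAuth2AuditLog oAuth2AuditLog) {
        AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
        if (grant == null) {
            // The token value is a bearer credential: never write it to the log, even at trace level.
            log.trace("Failed to find authorization grant by subject_token.");
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT,
                    "Failed to find authorization grant by subject_token."), oAuth2AuditLog));
        }
        AbstractToken token = grant.getAccessToken(accessToken);
        if (token != null && token.isValid()) {
            return grant;
        }
        log.error("Access token is not valid.");
        throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT,
                "Access token is not valid."), oAuth2AuditLog));
    }

    /**
     * Validates an id_token presented as {@code subject_token}.
     *
     * <p>A token stored on this server is accepted via its grant. Otherwise the token is parsed as a
     * JWT and its signature is verified with the key id and algorithm named in the token header;
     * a token that verifies yields a {@code null} grant.
     *
     * @param idToken        the id_token presented as {@code subject_token}
     * @param oAuth2AuditLog audit entry flushed when an error response is built
     * @return the grant the token was issued under, or {@code null} when the token is not stored
     *         here but its signature verified
     * @throws WebApplicationException 400 {@link TokenErrorResponseType#INVALID_GRANT} when the token
     *                                 cannot be parsed, fails signature verification, or verification
     *                                 itself throws
     */
    private AuthorizationGrant validateIdToken(String idToken, OAuth2AuditLog oAuth2AuditLog) {
        try {
            AuthorizationGrant grant = getIdTokenGrant(idToken);
            if (grant != null) {
                log.debug("Found subject_token in db.");
                return grant;
            }
            Jwt jwt = Jwt.parse(idToken);
            boolean signatureValid = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(),
                    jwt.getHeader().getKeyId(), (JSONObject) null, (String) null, jwt.getHeader().getSignatureAlgorithm());
            if (signatureValid) {
                // NOTE(review): only the signature is checked here; exp/iss/aud are not examined in this
                // class - confirm the caller enforces them before trusting the token. The algorithm and
                // key id come from the unauthenticated header, so this relies on cryptoProvider rejecting
                // unsupported algorithms and unknown keys.
                log.debug("subject_token is validated successfully as id_token.");
                return null;
            }
            log.error("id_token signature verification failed.");
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT,
                    "Invalid subject_token. id_token signature verification failed."), oAuth2AuditLog));
        } catch (WebApplicationException e) {
            // Already carries the right error response. This clause must precede the Exception handler,
            // otherwise the signature-failure error would be re-wrapped with a different message (and
            // the catch would be unreachable, which javac rejects).
            throw e;
        } catch (InvalidJwtException e) {
            log.error("Unable to parse subject_token as JWT.", e);
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT,
                    "Invalid subject_token. Unable to parse subject_token as JWT."), oAuth2AuditLog));
        } catch (Exception e) {
            log.error("Unable to validate subject_token as id_token JWT.", e);
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_GRANT,
                    "Invalid subject_token. Unable to validate subject_token as id_token JWT."), oAuth2AuditLog));
        }
    }

    /**
     * Finishes an error response: marks it non-cacheable and flushes the audit entry.
     *
     * @param responseBuilder builder returned by {@link #error}
     * @param oAuth2AuditLog  audit entry to send
     * @return the built response
     */
    private Response response(Response.ResponseBuilder responseBuilder, OAuth2AuditLog oAuth2AuditLog) {
        // Error bodies describe a credential check; forbid caching by clients and intermediaries.
        responseBuilder.cacheControl(ServerUtil.cacheControl(true, false));
        responseBuilder.header(DpopService.PRAGMA, DpopService.NO_CACHE);
        applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return responseBuilder.build();
    }

    /**
     * Looks up the grant that issued {@code idToken}.
     *
     * <p>The hashed value is tried first, then the raw value (presumably for grants persisted before
     * id tokens were stored hashed - verify against the storage layer).
     *
     * @param idToken raw id_token value; blank yields {@code null}
     * @return the matching grant, or {@code null} when none is stored
     */
    protected AuthorizationGrant getIdTokenGrant(String idToken) {
        if (StringUtils.isBlank(idToken)) {
            return null;
        }
        AuthorizationGrant byHash = authorizationGrantList.getAuthorizationGrantByIdToken(TokenHashUtil.hash(idToken));
        if (byHash != null) {
            return byHash;
        }
        return authorizationGrantList.getAuthorizationGrantByIdToken(idToken);
    }

    /**
     * Starts a JSON error response.
     *
     * @param status     HTTP status code
     * @param errorType  OAuth error code to serialise
     * @param reason     human-readable {@code error_description}
     * @return a builder with status, JSON media type and error entity set
     */
    public Response.ResponseBuilder error(int status, TokenErrorResponseType errorType, String reason) {
        return Response.status(status)
                .type(MediaType.APPLICATION_JSON_TYPE)
                .entity(errorResponseFactory.errorAsJson(errorType, reason));
    }
}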
