package io.jans.as.server.model.registration;

import io.jans.as.client.RegisterRequest;
import io.jans.as.model.common.AuthenticationMethod;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.common.ResponseType;
import io.jans.as.model.common.SubjectType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.register.ApplicationType;
import io.jans.as.model.register.RegisterErrorResponseType;
import io.jans.as.model.util.Pair;
import io.jans.as.model.util.URLPatternList;
import io.jans.as.model.util.Util;
import io.jans.as.server.auth.DpopService;
import io.jans.as.server.util.ServerUtil;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.client.Client;
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.json.JSONArray;
import org.slf4j.Logger;

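/**
 * Validates the parameters of client registration requests: application and subject type,
 * requested algorithms, redirect URIs (including the {@code sector_identifier_uri} cross-check),
 * the initiate-login URI and logout URIs.
 *
 * <p>All URI values handled here come from the registration request and must be treated as
 * untrusted input.
 */
@Named
@Stateless
public class RegisterParamsValidator {

    @Inject
    private Logger log;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    private static final String HTTP = "http";
    private static final String HTTPS = "https";
    private static final String LOCALHOST = "localhost";
    private static final String LOOPBACK = "127.0.0.1";

    /**
     * Performs the basic consistency checks on a registration request.
     *
     * @param applicationType requested application type; {@code null} is rejected
     * @param subjectType     requested subject type; must be listed in the server's supported subject types
     * @param list            requested grant types; when {@code null} the redirect-URI requirement is skipped
     * @param list2           requested response types; dereferenced without a null check when {@code list}
     *                        is non-null and does not already force redirect URIs
     * @param list3           registered redirect URIs
     * @return a pair of (valid flag, error description); the description is empty when valid
     */
    public Pair<Boolean, String> validateParamsClientRegister(ApplicationType applicationType, SubjectType subjectType, List<GrantType> list, List<ResponseType> list2, List<String> list3) {
        if (applicationType == null) {
            return new Pair<>(false, "application_type is not valid.");
        }
        if (list != null && redirectUrisRequired(list, list2) && (list3 == null || list3.isEmpty())) {
            return new Pair<>(false, "Redirect uris are empty.");
        }
        if (subjectType != null && appConfiguration.getSubjectTypesSupported().contains(subjectType.toString())) {
            return new Pair<>(true, "");
        }
        log.debug("Parameter subject_type is not valid.");
        return new Pair<>(false, "Parameter subject_type is not valid.");
    }

    /**
     * Tells whether the requested grant/response type combination needs at least one redirect URI.
     * Shared by {@link #validateParamsClientRegister} and {@link #validateRedirectUris} so both apply
     * the same rule. Neither argument is null-checked here; evaluation order matches the inline
     * expression it replaces.
     */
    private static boolean redirectUrisRequired(List<GrantType> grantTypes, List<ResponseType> responseTypes) {
        if (grantTypes.contains(GrantType.AUTHORIZATION_CODE) || grantTypes.contains(GrantType.IMPLICIT)) {
            return true;
        }
        // response_type=code only forces redirect URIs when none of the redirect-less grants is present.
        boolean codeNeedsRedirect = responseTypes.contains(ResponseType.CODE)
                && !grantTypes.contains(GrantType.DEVICE_CODE)
                && !grantTypes.contains(GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS)
                && !grantTypes.contains(GrantType.CLIENT_CREDENTIALS);
        return codeNeedsRedirect
                || responseTypes.contains(ResponseType.TOKEN)
                || responseTypes.contains(ResponseType.ID_TOKEN);
    }

    /**
     * Checks every algorithm and token-endpoint authentication method named in the request against
     * the corresponding "supported" list of the server configuration. Parameters that are absent
     * ({@code null}) are not checked.
     *
     * @param registerRequest the registration request to inspect
     * @throws WebApplicationException (built by the error response factory with
     *         {@code BAD_REQUEST} / {@code INVALID_CLIENT_METADATA}) on the first unsupported value
     */
    public void validateAlgorithms(RegisterRequest registerRequest) {
        // NOTE(review): SignatureAlgorithm.NONE is accepted for id_token_signed_response_alg and
        // access_token_signing_alg even when it is not in the configured supported list. Whether
        // unsigned tokens can then be issued depends on code outside this class - confirm that this
        // exemption is intended. authorization_signed_response_alg, further down, rejects NONE.
        if (registerRequest.getIdTokenSignedResponseAlg() != null && registerRequest.getIdTokenSignedResponseAlg() != SignatureAlgorithm.NONE && !this.appConfiguration.getIdTokenSigningAlgValuesSupported().contains(registerRequest.getIdTokenSignedResponseAlg().toString())) {
            this.log.debug("Parameter id_token_signed_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter id_token_signed_response_alg is not valid.");
        }
        if (registerRequest.getAccessTokenSigningAlg() != null && registerRequest.getAccessTokenSigningAlg() != SignatureAlgorithm.NONE && !this.appConfiguration.getAccessTokenSigningAlgValuesSupported().contains(registerRequest.getAccessTokenSigningAlg().toString())) {
            this.log.debug("Parameter access_token_signed_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter access_token_signed_alg is not valid.");
        }
        if (registerRequest.getIdTokenEncryptedResponseAlg() != null && !this.appConfiguration.getIdTokenEncryptionAlgValuesSupported().contains(registerRequest.getIdTokenEncryptedResponseAlg().toString())) {
            this.log.debug("Parameter id_token_encrypted_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter id_token_encrypted_response_alg is not valid.");
        }
        if (registerRequest.getIdTokenEncryptedResponseEnc() != null && !this.appConfiguration.getIdTokenEncryptionEncValuesSupported().contains(registerRequest.getIdTokenEncryptedResponseEnc().toString())) {
            this.log.debug("Parameter id_token_encrypted_response_enc is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter id_token_encrypted_response_enc is not valid.");
        }
        if (registerRequest.getUserInfoSignedResponseAlg() != null && !this.appConfiguration.getUserInfoSigningAlgValuesSupported().contains(registerRequest.getUserInfoSignedResponseAlg().toString())) {
            this.log.debug("Parameter userinfo_signed_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter userinfo_signed_response_alg is not valid.");
        }
        if (registerRequest.getUserInfoEncryptedResponseAlg() != null && !this.appConfiguration.getUserInfoEncryptionAlgValuesSupported().contains(registerRequest.getUserInfoEncryptedResponseAlg().toString())) {
            this.log.debug("Parameter userinfo_encrypted_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter userinfo_encrypted_response_alg is not valid.");
        }
        if (registerRequest.getUserInfoEncryptedResponseEnc() != null && !this.appConfiguration.getUserInfoEncryptionEncValuesSupported().contains(registerRequest.getUserInfoEncryptedResponseEnc().toString())) {
            this.log.debug("Parameter userinfo_encrypted_response_enc is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter userinfo_encrypted_response_enc is not valid.");
        }
        if (registerRequest.getIntrospectionSignedResponseAlg() != null && !this.appConfiguration.getIntrospectionSigningAlgValuesSupported().contains(registerRequest.getIntrospectionSignedResponseAlg().toString())) {
            this.log.debug("Parameter introspection_signed_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter introspection_signed_response_alg is not valid.");
        }
        if (registerRequest.getIntrospectionEncryptedResponseAlg() != null && !this.appConfiguration.getIntrospectionEncryptionAlgValuesSupported().contains(registerRequest.getIntrospectionEncryptedResponseAlg().toString())) {
            this.log.debug("Parameter introspection_encrypted_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter introspection_encrypted_response_alg is not valid.");
        }
        if (registerRequest.getIntrospectionEncryptedResponseEnc() != null && !this.appConfiguration.getIntrospectionEncryptionEncValuesSupported().contains(registerRequest.getIntrospectionEncryptedResponseEnc().toString())) {
            this.log.debug("Parameter introspection_encrypted_response_enc is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter introspection_encrypted_response_enc is not valid.");
        }
        if (registerRequest.getSessionJwtSignedResponseAlg() != null && !this.appConfiguration.getSessionJwtSigningAlgValuesSupported().contains(registerRequest.getSessionJwtSignedResponseAlg().toString())) {
            this.log.debug("Parameter session_jwt_signed_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter session_jwt_signed_response_alg is not valid.");
        }
        if (registerRequest.getTxTokenSignedResponseAlg() != null && !this.appConfiguration.getTxTokenSigningAlgValuesSupported().contains(registerRequest.getTxTokenSignedResponseAlg().toString())) {
            this.log.debug("Parameter tx_token_signed_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter tx_token_signed_response_alg is not valid.");
        }
        if (registerRequest.getTxTokenEncryptedResponseAlg() != null && !this.appConfiguration.getTxTokenEncryptionAlgValuesSupported().contains(registerRequest.getTxTokenEncryptedResponseAlg().toString())) {
            this.log.debug("Parameter tx_token_encrypted_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter tx_token_encrypted_response_alg is not valid.");
        }
        if (registerRequest.getTxTokenEncryptedResponseEnc() != null && !this.appConfiguration.getTxTokenEncryptionEncValuesSupported().contains(registerRequest.getTxTokenEncryptedResponseEnc().toString())) {
            this.log.debug("Parameter tx_token_encrypted_response_enc is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter tx_token_encrypted_response_enc is not valid.");
        }
        if (registerRequest.getRequestObjectSigningAlg() != null && !this.appConfiguration.getRequestObjectSigningAlgValuesSupported().contains(registerRequest.getRequestObjectSigningAlg().toString())) {
            this.log.debug("Parameter request_object_signing_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter request_object_signing_alg is not valid.");
        }
        if (registerRequest.getRequestObjectEncryptionAlg() != null && !this.appConfiguration.getRequestObjectEncryptionAlgValuesSupported().contains(registerRequest.getRequestObjectEncryptionAlg().toString())) {
            this.log.debug("Parameter request_object_encryption_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter request_object_encryption_alg is not valid.");
        }
        if (registerRequest.getRequestObjectEncryptionEnc() != null && !this.appConfiguration.getRequestObjectEncryptionEncValuesSupported().contains(registerRequest.getRequestObjectEncryptionEnc().toString())) {
            this.log.debug("Parameter request_object_encryption_enc is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter request_object_encryption_enc is not valid.");
        }
        if (registerRequest.getTokenEndpointAuthMethod() != null && !this.appConfiguration.getTokenEndpointAuthMethodsSupported().contains(registerRequest.getTokenEndpointAuthMethod().toString())) {
            this.log.debug("Parameter token_endpoint_auth_method is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter token_endpoint_auth_method is not valid.");
        }
        if (registerRequest.getAdditionalTokenEndpointAuthMethods() != null && !registerRequest.getAdditionalTokenEndpointAuthMethods().isEmpty()) {
            // Every additional method must individually be supported by the server.
            for (AuthenticationMethod authenticationMethod : registerRequest.getAdditionalTokenEndpointAuthMethods()) {
                if (!this.appConfiguration.getTokenEndpointAuthMethodsSupported().contains(authenticationMethod.toString())) {
                    this.log.debug("additional_token_endpoint_auth_method contains not valid value: {}", authenticationMethod);
                    throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "additional_token_endpoint_auth_method contains not valid value.");
                }
            }
        }
        if (registerRequest.getTokenEndpointAuthSigningAlg() != null && !this.appConfiguration.getTokenEndpointAuthSigningAlgValuesSupported().contains(registerRequest.getTokenEndpointAuthSigningAlg().toString())) {
            this.log.debug("Parameter token_endpoint_auth_signing_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter token_endpoint_auth_signing_alg is not valid.");
        }
        // Unlike the ID-token and access-token checks above, NONE is explicitly rejected here.
        if (registerRequest.getAuthorizationSignedResponseAlg() != null && (!this.appConfiguration.getAuthorizationSigningAlgValuesSupported().contains(registerRequest.getAuthorizationSignedResponseAlg().toString()) || registerRequest.getAuthorizationSignedResponseAlg() == SignatureAlgorithm.NONE)) {
            this.log.debug("Parameter authorization_signed_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter authorization_signed_response_alg is not valid.");
        }
        if (registerRequest.getAuthorizationEncryptedResponseAlg() != null && !this.appConfiguration.getAuthorizationEncryptionAlgValuesSupported().contains(registerRequest.getAuthorizationEncryptedResponseAlg().toString())) {
            this.log.debug("Parameter authorization_encrypted_response_alg is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter authorization_encrypted_response_alg is not valid.");
        }
        if (registerRequest.getAuthorizationEncryptedResponseEnc() != null && !this.appConfiguration.getAuthorizationEncryptionEncValuesSupported().contains(registerRequest.getAuthorizationEncryptedResponseEnc().toString())) {
            this.log.debug("Parameter authorization_encrypted_response_enc is not valid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Parameter authorization_encrypted_response_enc is not valid.");
        }
    }

    /**
     * Checks that both values needed for a client read request are present.
     *
     * @param str  first required value; must not be blank
     * @param str2 second required value; must not be blank
     * @return {@code true} only when both arguments are non-blank
     */
    public boolean validateParamsClientRead(String str, String str2) {
        return StringUtils.isNotBlank(str) && StringUtils.isNotBlank(str2);
    }

    /**
     * Validates the redirect URIs of a registration request.
     *
     * <p>Steps, in order: each URI must be non-null, fragment-free and parseable; for
     * {@code application_type=web} plain {@code http} is accepted only on localhost / 127.0.0.1; with
     * a pairwise subject type and no sector identifier URI all redirect URIs must share one host;
     * when a sector identifier URI is given it must use https and the JSON array it serves must
     * contain every redirect URI; finally the URIs are matched against the configured client
     * white list and black list.
     *
     * @param list            requested grant types (dereferenced without a null check when no redirect URIs are given)
     * @param list2           requested response types
     * @param applicationType requested application type (dereferenced without a null check)
     * @param subjectType     requested subject type, may be {@code null}
     * @param list3           redirect URIs to validate
     * @param str             sector identifier URI, may be blank
     * @return {@code true} when every check passes
     * @throws WebApplicationException (built by the error response factory with
     *         {@code BAD_REQUEST} / {@code INVALID_CLIENT_METADATA}) when the sector identifier check fails
     */
    public boolean validateRedirectUris(List<GrantType> list, List<ResponseType> list2, ApplicationType applicationType, SubjectType subjectType, List<String> list3, String str) {
        boolean valid = true;
        // Hosts of all parseable redirect URIs; may contain null for URIs without an authority.
        Set<String> redirectHosts = new HashSet<>();
        if (list3 == null || list3.isEmpty()) {
            valid = !redirectUrisRequired(list, list2);
        } else {
            for (String redirectUri : list3) {
                if (redirectUri == null || redirectUri.contains("#")) {
                    // Redirect URIs must not carry a fragment component.
                    valid = false;
                    continue;
                }
                try {
                    URI uri = new URI(redirectUri);
                    redirectHosts.add(uri.getHost());
                    // Plain enum switch; replaces the synthetic ordinal switch-map helper class.
                    switch (applicationType) {
                        case WEB:
                            // NOTE(review): only the http scheme is tested. A scheme other than http or
                            // https is not rejected by this branch, although the log message states that
                            // only https is allowed - confirm the white/black lists cover that case.
                            if (HTTP.equalsIgnoreCase(uri.getScheme()) && !LOCALHOST.equalsIgnoreCase(uri.getHost()) && !LOOPBACK.equalsIgnoreCase(uri.getHost())) {
                                log.debug("Invalid protocol for redirect_uri: {} (only https protocol is allowed for application_type=web or localhost/127.0.0.1 for http)", redirectUri);
                                valid = false;
                            }
                            break;
                        default:
                            // No scheme restriction is applied to other application types here.
                            break;
                    }
                } catch (URISyntaxException e) {
                    log.debug("Failed to parse redirect_uri: {}, error: {}", redirectUri, e.getMessage());
                    valid = false;
                }
            }
        }
        log.trace("Validating redirect uris ... valid: {}, redirectUris: {}, grantTypes: {}, subjectType: {}", valid, list3, list, subjectType);
        // Without a sector identifier, pairwise subjects require a single redirect host.
        if (subjectType != null && subjectType.equals(SubjectType.PAIRWISE) && StringUtils.isBlank(str) && redirectHosts.size() > 1) {
            valid = false;
        }
        boolean sectorIdentifierCheckFailed = false;
        if (valid && StringUtils.isNotBlank(str)) {
            try {
                if (!HTTPS.equalsIgnoreCase(new URI(str).getScheme())) {
                    // Fail closed before any outbound request: previously the URI was still fetched and
                    // a 200 response overwrote this verdict, so a non-https sector identifier could pass.
                    log.debug("Invalid scheme for sector_identifier_uri: {} (only https is allowed)", str);
                    valid = false;
                } else {
                    // NOTE(review): this is a server-side GET to a URL taken from the registration
                    // request, made with a default client (no timeout or destination restriction is
                    // configured here). Consider explicit timeouts and limiting reachable destinations.
                    Client client = ClientBuilder.newClient();
                    try {
                        Response response = client.target(str).request().buildGet().invoke();
                        // NOTE(review): a non-200 response leaves the verdict unchanged, i.e. the
                        // redirect URIs are accepted without being cross-checked - confirm intended.
                        if (response.getStatus() == 200) {
                            valid = Util.asList(new JSONArray(response.readEntity(String.class))).containsAll(list3);
                        }
                    } finally {
                        client.close();
                    }
                }
            } catch (Exception e) {
                log.debug(e.getMessage(), e);
                valid = false;
            } finally {
                if (!valid) {
                    sectorIdentifierCheckFailed = true;
                }
            }
        }
        if (valid) {
            valid = checkWhiteListRedirectUris(list3) && checkBlackListRedirectUris(list3);
        }
        if (sectorIdentifierCheckFailed) {
            throw errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Failed to validate redirect uris. No redirect_uri in sector_identifier_uri content.");
        }
        return valid;
    }

    /**
     * Checks that the initiate-login URI parses and uses the https scheme.
     *
     * @param str the initiate-login URI; {@code null} is not handled and makes {@link URI} throw
     * @return {@code true} when the URI is syntactically valid and its scheme is https
     */
    public boolean validateInitiateLoginUri(String str) {
        try {
            return HTTPS.equalsIgnoreCase(new URI(str).getScheme());
        } catch (URISyntaxException e) {
            log.debug(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Returns {@code true} when every URI is listed by the configured client white list.
     * A {@code null} or empty list passes. Every URI is evaluated; there is no early exit.
     */
    private boolean checkWhiteListRedirectUris(List<String> list) {
        if (list == null || list.isEmpty()) {
            return true;
        }
        boolean allListed = true;
        URLPatternList whiteList = new URLPatternList(appConfiguration.getClientWhiteList());
        for (String uri : list) {
            allListed &= whiteList.isUrlListed(uri);
        }
        return allListed;
    }

    /**
     * Returns {@code true} when no URI is listed by the configured client black list.
     * A {@code null} or empty list passes. Every URI is evaluated; there is no early exit.
     */
    private boolean checkBlackListRedirectUris(List<String> list) {
        if (list == null || list.isEmpty()) {
            return true;
        }
        boolean noneListed = true;
        URLPatternList blackList = new URLPatternList(appConfiguration.getClientBlackList());
        for (String uri : list) {
            noneListed &= !blackList.isUrlListed(uri);
        }
        return noneListed;
    }

    /**
     * Validates each logout URI against the registered redirect URIs.
     *
     * @param list                 logout URIs; {@code null} or empty means nothing to validate
     * @param list2                registered redirect URIs
     * @param errorResponseFactory factory used to build the error entity
     * @throws WebApplicationException with {@code BAD_REQUEST} on the first invalid logout URI
     */
    public void validateLogoutUri(List<String> list, List<String> list2, ErrorResponseFactory errorResponseFactory) {
        if (list == null || list.isEmpty()) {
            return;
        }
        for (String logoutUri : list) {
            validateLogoutUri(logoutUri, list2, errorResponseFactory);
        }
    }

    /**
     * Validates one logout URI: its host must equal the host of one of the redirect URIs and its
     * scheme must be https. A {@code null} or empty logout URI is accepted without checks.
     *
     * @param str                  logout URI
     * @param list                 registered redirect URIs; must be non-empty when a logout URI is given
     * @param errorResponseFactory factory used to build the error entity
     * @throws WebApplicationException with {@code BAD_REQUEST} when validation fails
     */
    public void validateLogoutUri(String str, List<String> list, ErrorResponseFactory errorResponseFactory) {
        if (Util.isNullOrEmpty(str)) {
            return;
        }
        if (list == null || list.isEmpty()) {
            log.debug("Preconditions of logout uri validation are failed.");
            throwInvalidLogoutUri(errorResponseFactory);
            return;
        }
        try {
            // NOTE(review): hosts are compared with Set.contains, so a redirect URI without a host
            // (null) matches a logout URI without a host - confirm whether that should be rejected.
            Set<String> redirectHosts = collectUriHosts(list);
            URI uri = new URI(str);
            if (!redirectHosts.contains(uri.getHost())) {
                log.debug("logout uri host is not within redirect_uris, logout_uri: {}, redirect_uris: {}", str, list);
                throwInvalidLogoutUri(errorResponseFactory);
            } else if (!HTTPS.equalsIgnoreCase(uri.getScheme())) {
                log.debug("logout uri schema is not https, logout_uri: {}", str);
                throwInvalidLogoutUri(errorResponseFactory);
            }
        } catch (Exception e) {
            // Also catches the exception thrown just above; it is logged and raised again.
            log.debug(e.getMessage(), e);
            throwInvalidLogoutUri(errorResponseFactory);
        }
    }

    /**
     * Always throws a {@code BAD_REQUEST} JSON response carrying {@code INVALID_LOGOUT_URI},
     * with cache-control and pragma headers set.
     */
    private void throwInvalidLogoutUri(ErrorResponseFactory errorResponseFactory) throws WebApplicationException {
        throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST.getStatusCode())
                .type(MediaType.APPLICATION_JSON_TYPE)
                .entity(errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_LOGOUT_URI, "Failed to valide logout uri."))
                .cacheControl(ServerUtil.cacheControl(true, false))
                .header(DpopService.PRAGMA, DpopService.NO_CACHE)
                .build());
    }

    /**
     * Collects the host component of every URI in the list.
     *
     * @param list URIs to parse
     * @return the set of hosts; contains {@code null} if any URI has no host
     * @throws URISyntaxException if any entry cannot be parsed
     */
    private static Set<String> collectUriHosts(List<String> list) throws URISyntaxException {
        Set<String> hosts = new HashSet<>();
        for (String uri : list) {
            hosts.add(new URI(uri).getHost());
        }
        return hosts;
    }

    /**
     * Tells whether the resource owner password credentials grant is among the given grant types.
     *
     * @param list grant types, may be {@code null}
     * @return {@code true} when the list is non-null and contains the password grant
     */
    public boolean checkIfThereIsPasswordGrantType(List<GrantType> list) {
        return list != null
                && list.stream().anyMatch(grantType -> grantType == GrantType.RESOURCE_OWNER_PASSWORD_CREDENTIALS);
    }
}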
