package io.jans.as.server.register.ws.rs;

import com.google.common.base.Strings;
import io.jans.as.client.RegisterRequest;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.common.SoftwareStatementValidationType;
import io.jans.as.model.common.SubjectType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.signature.AlgorithmFamily;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.CryptoProviderException;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.register.RegisterErrorResponseType;
import io.jans.as.model.register.RegisterRequestParam;
import io.jans.as.model.util.JwtUtil;
import io.jans.as.model.util.Pair;
import io.jans.as.server.ciba.CIBARegisterParamsValidatorService;
import io.jans.as.server.model.common.AbstractToken;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.registration.RegisterParamsValidator;
import io.jans.as.server.service.external.ExternalDynamicClientRegistrationService;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.jetbrains.annotations.Nullable;
import org.json.JSONObject;
import org.slf4j.Logger;

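/**
 * Request-level validators for the dynamic client registration (DCR) endpoint.
 *
 * <p>Each {@code validate*} method checks one aspect of a registration request against the
 * server's {@link AppConfiguration} and raises a {@link WebApplicationException} (built through
 * {@link ErrorResponseFactory}) when the request must be rejected; a normal return means that
 * aspect is acceptable. Signature checks on the request object and on the
 * {@code software_statement} JWT are delegated to {@link AbstractCryptoProvider}; the key material
 * is resolved from configuration, from the JWT's own claims, or from the external dynamic client
 * registration script, in that order of preference.
 *
 * <p>Stateless EJB; every collaborator is container-injected and the class holds no request state.
 */
@Named
@Stateless
public class RegisterValidator {

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private ExternalDynamicClientRegistrationService externalDynamicClientRegistrationService;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private CIBARegisterParamsValidatorService cibaRegisterParamsValidatorService;

    @Inject
    private RegisterParamsValidator registerParamsValidator;

    /**
     * Rejects a blank value with {@code invalid_client_metadata}.
     *
     * @param value  the value that must be non-blank
     * @param reason human-readable reason; logged at trace level only, never sent to the client
     * @throws WebApplicationException {@code 400} / {@code invalid_client_metadata} when {@code value} is blank
     */
    public void validateNotBlank(String value, String reason) {
        if (StringUtils.isBlank(value)) {
            this.log.trace("Failed to perform client action, reason: {}", reason);
            throw this.errorResponseFactory.createWebApplicationException(
                    Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "");
        }
    }

    /**
     * Verifies the signature of a DCR request object (a registration request delivered as a JWT).
     *
     * <p>Skipped entirely when {@code dcrSignatureValidationEnabled} is {@code false} or
     * {@code dcrSkipSignatureValidation} is {@code true}. Otherwise:
     * <ol>
     *   <li>for an HMAC-family {@code alg}, the shared secret is taken from
     *       {@code dcrSignatureValidationSharedSecret}, falling back to the DCR script's
     *       {@code getDcrHmacSecret}, and the signature is verified against it;</li>
     *   <li>a JWKS is then resolved (see {@link #getJwks}) from the claim named by
     *       {@code dcrSignatureValidationSoftwareStatementJwksURIClaim}, then
     *       {@code dcrSignatureValidationJwksUri}, then the inline JWKS sources, then the DCR script,
     *       and the signature is verified against it using the JWT header's {@code kid}.</li>
     * </ol>
     * Every failure — parse errors, exceptions from collaborators, the {@code invalid_software_statement}
     * response raised for a missing HMAC secret, and a non-verifying signature — is collapsed into a
     * single {@code 400} / {@code invalid_client_metadata} response, so the client learns only that
     * validation failed.
     *
     * @param requestObject compact-serialized JWT carrying the registration request
     * @param claims        JSON object the configured JWKS / JWKS-URI claim names are looked up in
     *                      (presumably the software statement claims, going by the property names —
     *                      confirm against the caller)
     * @param httpRequest   the HTTP request, passed through to the DCR script
     * @throws WebApplicationException {@code 400} / {@code invalid_client_metadata} on any validation failure
     */
    public void validateRequestObject(String requestObject, JSONObject claims, HttpServletRequest httpRequest) {
        try {
            if (BooleanUtils.isFalse(this.appConfiguration.getDcrSignatureValidationEnabled())
                    || BooleanUtils.isTrue(this.appConfiguration.getDcrSkipSignatureValidation())) {
                return;
            }

            Jwt jwt = Jwt.parseOrThrow(requestObject);
            // `alg` is read from the not-yet-verified JWT header; rejecting unsupported algorithms
            // (and a missing header, which NPEs here and is caught below) is left to the crypto provider.
            SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();

            if (AlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily())) {
                String hmacSecret = this.appConfiguration.getDcrSignatureValidationSharedSecret();
                if (StringUtils.isBlank(hmacSecret)) {
                    hmacSecret = this.externalDynamicClientRegistrationService.getDcrHmacSecret(httpRequest, jwt);
                }
                if (StringUtils.isBlank(hmacSecret)) {
                    this.log.error("No hmacSecret provided in Dynamic Client Registration script (method getDcrHmacSecret didn't return actual secret). ");
                    throw this.errorResponseFactory.createWebApplicationException(
                            Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, "");
                }

                boolean hmacValid = this.cryptoProvider.verifySignature(
                        jwt.getSigningInput(), jwt.getEncodedSignature(), (String) null, (JSONObject) null, hmacSecret, signatureAlgorithm);
                this.log.trace("Request object validation result: {}", hmacValid);
                if (!hmacValid) {
                    throw new InvalidJwtException("Invalid cryptographic segment in the request object.");
                }
                // NOTE(review): there is no early return here, so an HMAC-signed request object is
                // additionally verified against the resolved JWKS below. Confirm the double check is intended.
            }

            String jwksUri = null;
            String jwksUriClaim = this.appConfiguration.getDcrSignatureValidationSoftwareStatementJwksURIClaim();
            if (StringUtils.isNotBlank(jwksUriClaim)) {
                jwksUri = claims.optString(jwksUriClaim);
            }
            if (StringUtils.isBlank(jwksUri) && StringUtils.isNotBlank(this.appConfiguration.getDcrSignatureValidationJwksUri())) {
                jwksUri = this.appConfiguration.getDcrSignatureValidationJwksUri();
            }

            JSONObject jwks = getJwks(httpRequest, jwt, jwksUri, getJwksString(claims));
            this.log.trace("Validating request object with jwks: {} ...", jwks);

            boolean jwksValid = this.cryptoProvider.verifySignature(
                    jwt.getSigningInput(), jwt.getEncodedSignature(), jwt.getHeader().getKeyId(), jwks, (String) null, signatureAlgorithm);
            this.log.trace("Request object validation result: {}", jwksValid);
            if (!jwksValid) {
                throw new InvalidJwtException("Invalid cryptographic segment in the request object.");
            }
        } catch (Exception e) {
            // Deliberately broad: every failure mode above (including the WebApplicationException
            // raised for a missing HMAC secret) is re-mapped to one generic 400.
            this.log.error("Unable to validate request object JWT.", e);
            throw this.errorResponseFactory.createWebApplicationException(
                    Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, "Unable to validate request object JWT.");
        }
    }

    /**
     * Resolves an inline JWKS document, if one is configured.
     *
     * @param claims JSON object the configured JWKS claim is looked up in
     * @return the value of the claim named by {@code dcrSignatureValidationSoftwareStatementJwksClaim}
     *         when that property is set ({@code ""} if the claim is absent), else the
     *         {@code dcrSignatureValidationJwks} property when set, else {@code null}
     */
    @Nullable
    private String getJwksString(JSONObject claims) {
        String jwksClaim = this.appConfiguration.getDcrSignatureValidationSoftwareStatementJwksClaim();
        if (StringUtils.isNotBlank(jwksClaim)) {
            // optString() yields "" for a missing claim; getJwks() treats blank as "not provided".
            return claims.optString(jwksClaim);
        }
        String configuredJwks = this.appConfiguration.getDcrSignatureValidationJwks();
        if (StringUtils.isNotBlank(configuredJwks)) {
            return configuredJwks;
        }
        return null;
    }

    /**
     * Resolves the JWKS used to verify the request object's signature, in priority order:
     * the JWKS URI, the inline JWKS document, then the DCR script's {@code getDcrJwks}.
     *
     * @param httpRequest the HTTP request, passed through to the DCR script
     * @param jwt         the parsed request object, passed through to the DCR script
     * @param jwksUri     JWKS URI resolved via {@link JwtUtil#getJSONWebKeys}; ignored when blank
     * @param jwksJson    inline JWKS document; ignored when blank
     * @return the resolved JWKS, or {@code null} when neither source is configured and no DCR script is enabled
     * @throws WebApplicationException {@code 400} / {@code invalid_software_statement} when the DCR script
     *         is enabled but {@code getDcrJwks} returns {@code null}
     */
    @Nullable
    private JSONObject getJwks(HttpServletRequest httpRequest, Jwt jwt, String jwksUri, String jwksJson) {
        if (StringUtils.isNotBlank(jwksUri)) {
            return JwtUtil.getJSONWebKeys(jwksUri);
        }
        if (StringUtils.isNotBlank(jwksJson)) {
            return new JSONObject(jwksJson);
        }
        if (!this.externalDynamicClientRegistrationService.isEnabled()) {
            return null;
        }

        this.log.trace("No values are set for dcrSignatureValidationJwksUri and dcrSignatureValidationJwks, invoking script ...");
        JSONObject scriptJwks = this.externalDynamicClientRegistrationService.getDcrJwks(httpRequest, jwt);
        if (scriptJwks == null) {
            this.log.error("No jwks provided in Dynamic Client Registration script (method getDcrJwks didn't return actual jwks). ");
            throw this.errorResponseFactory.createWebApplicationException(
                    Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, "");
        }
        // Fix: the key set returned by the script used to be discarded (the method returned null
        // after a successful call), so the script-provided keys never took part in verification.
        return scriptJwks;
    }

    /**
     * Validates the {@code software_statement} JWT carried in a registration request and returns its claims.
     *
     * <p>Behaviour is selected by {@code softwareStatementValidationType}:
     * <ul>
     *   <li>{@code none}: no signature check; the claims are returned as-is (logged as not recommended);</li>
     *   <li>{@code script}: verification delegated to the DCR script, see {@link #validateSoftwareStatementForScript};</li>
     *   <li>{@code jwks_uri} / {@code jwks}: the claim named by {@code softwareStatementValidationClaimName}
     *       supplies the JWKS URI (resp. inline JWKS) the signature is verified against, keyed by the JWT's {@code kid}.</li>
     * </ul>
     * A type matching none of these leaves both JWKS sources unset and is rejected as missing the configured claim.
     *
     * @param httpRequest   the HTTP request, passed through to the DCR script
     * @param requestParams the registration request body; only {@code software_statement} is read here
     * @return the statement's claims as a JSON object; {@code null} when the request carries no
     *         {@code software_statement}, and also when {@code script} mode is selected but no DCR script
     *         is enabled (see {@link #validateSoftwareStatementForScript})
     * @throws WebApplicationException {@code 400} / {@code invalid_software_statement} when the statement is
     *         not a parseable JWT, lacks the configured claim, or fails signature verification
     */
    public JSONObject validateSoftwareStatement(HttpServletRequest httpRequest, JSONObject requestParams) {
        String softwareStatementParam = RegisterRequestParam.SOFTWARE_STATEMENT.toString();
        if (!requestParams.has(softwareStatementParam)) {
            return null;
        }
        try {
            Jwt jwt = Jwt.parseOrThrow(requestParams.getString(softwareStatementParam));
            SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();
            SoftwareStatementValidationType validationType =
                    SoftwareStatementValidationType.fromString(this.appConfiguration.getSoftwareStatementValidationType());

            if (validationType == SoftwareStatementValidationType.NONE) {
                this.log.trace("software_statement validation was skipped due to `softwareStatementValidationType` configuration property set to none. (Not recommended.)");
                return jwt.getClaims().toJsonObject();
            }
            if (validationType == SoftwareStatementValidationType.SCRIPT) {
                return validateSoftwareStatementForScript(httpRequest, requestParams, jwt, signatureAlgorithm);
            }

            String claimName = this.appConfiguration.getSoftwareStatementValidationClaimName();
            boolean claimRequired = validationType == SoftwareStatementValidationType.JWKS_URI
                    || validationType == SoftwareStatementValidationType.JWKS;
            if (claimRequired && StringUtils.isBlank(claimName)) {
                this.log.error("softwareStatementValidationClaimName configuration property is not specified. Please specify claim name from software_statement which points to jwks (or jwks_uri).");
                throw this.errorResponseFactory.createWebApplicationException(
                        Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, "Failed to validate software statement");
            }

            String jwksUri = null;
            if (validationType == SoftwareStatementValidationType.JWKS_URI) {
                jwksUri = jwt.getClaims().getClaimAsString(claimName);
            }
            String jwksJson = null;
            if (validationType == SoftwareStatementValidationType.JWKS) {
                jwksJson = jwt.getClaims().getClaimAsString(claimName);
            }
            if (StringUtils.isBlank(jwksUri) && StringUtils.isBlank(jwksJson)) {
                String message = String.format("software_statement does not contain `%s` claim and thus is considered as invalid.", claimName);
                this.log.error(message);
                throw this.errorResponseFactory.createWebApplicationException(
                        Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, message);
            }

            // The verification key set is named by the statement itself, so the statement is trusted
            // exactly as far as the JWKS (URI) in that claim is trusted.
            JSONObject jwks = Strings.isNullOrEmpty(jwksUri) ? new JSONObject(jwksJson) : JwtUtil.getJSONWebKeys(jwksUri);
            boolean valid = this.cryptoProvider.verifySignature(
                    jwt.getSigningInput(), jwt.getEncodedSignature(), jwt.getHeader().getKeyId(), jwks, (String) null, signatureAlgorithm);
            if (valid) {
                return jwt.getClaims().toJsonObject();
            }
            throw new InvalidJwtException("Invalid cryptographic segment in the software statement");
        } catch (Exception e) {
            // Broad on purpose: all failures become one generic invalid_software_statement response.
            this.log.error("Invalid software_statement.", e);
            throw this.errorResponseFactory.createWebApplicationException(
                    Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, "Invalid software_statement.");
        }
    }

    /**
     * Verifies a {@code software_statement} using key material supplied by the DCR script.
     *
     * <p>For HMAC-family algorithms the script's {@code getSoftwareStatementHmacSecret} supplies the
     * shared secret; for every other family its {@code getSoftwareStatementJwks} supplies the JWKS and
     * the JWT header's {@code kid} selects the key.
     *
     * @param httpRequest        the HTTP request, passed through to the script
     * @param requestParams      the registration request body, passed through to the script
     * @param jwt                the parsed software statement
     * @param signatureAlgorithm the statement's {@code alg}
     * @return the statement's claims when the signature verifies; {@code null} when no DCR script is enabled.
     *         NOTE(review): in that case the misconfiguration is only logged and the caller returns the same
     *         {@code null} it returns for "no software_statement present"; how the outer caller treats that
     *         is not visible here — confirm the request is not silently accepted.
     * @throws WebApplicationException {@code 400} / {@code invalid_software_statement} when the script
     *         returns no secret / JWKS
     * @throws InvalidJwtException     when the signature does not verify
     * @throws CryptoProviderException propagated from {@link AbstractCryptoProvider#verifySignature}
     */
    @Nullable
    private JSONObject validateSoftwareStatementForScript(HttpServletRequest httpRequest, JSONObject requestParams,
                                                          Jwt jwt, SignatureAlgorithm signatureAlgorithm)
            throws CryptoProviderException, InvalidJwtException {
        if (!this.externalDynamicClientRegistrationService.isEnabled()) {
            this.log.error("Server is mis-configured. softwareStatementValidationType=script but there is no any Dynamic Client Registration script enabled.");
            return null;
        }

        if (AlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily())) {
            String hmacSecret = this.externalDynamicClientRegistrationService.getSoftwareStatementHmacSecret(httpRequest, requestParams, jwt);
            if (StringUtils.isBlank(hmacSecret)) {
                this.log.error("No hmacSecret provided in Dynamic Client Registration script (method getSoftwareStatementHmacSecret didn't return actual secret). ");
                throw this.errorResponseFactory.createWebApplicationException(
                        Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, "");
            }
            boolean hmacValid = this.cryptoProvider.verifySignature(
                    jwt.getSigningInput(), jwt.getEncodedSignature(), (String) null, (JSONObject) null, hmacSecret, signatureAlgorithm);
            if (hmacValid) {
                return jwt.getClaims().toJsonObject();
            }
            throw new InvalidJwtException("Invalid signature in the software statement");
        }

        JSONObject scriptJwks = this.externalDynamicClientRegistrationService.getSoftwareStatementJwks(httpRequest, requestParams, jwt);
        if (scriptJwks == null) {
            this.log.error("No jwks provided in Dynamic Client Registration script (method getSoftwareStatementJwks didn't return actual jwks). ");
            throw this.errorResponseFactory.createWebApplicationException(
                    Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_SOFTWARE_STATEMENT, "");
        }
        boolean jwksValid = this.cryptoProvider.verifySignature(
                jwt.getSigningInput(), jwt.getEncodedSignature(), jwt.getHeader().getKeyId(), scriptJwks, (String) null, signatureAlgorithm);
        if (jwksValid) {
            return jwt.getClaims().toJsonObject();
        }
        throw new InvalidJwtException("Invalid signature in the software statement");
    }

    /**
     * Validates {@code subject_identifier_attribute} and — despite the method name — the
     * {@code redirect_uris_regex} feature flag as well.
     *
     * <p>A custom subject identifier attribute is accepted only when
     * {@code publicSubjectIdentifierPerClientEnabled} is not {@code false}, the requested subject type is
     * {@code public}, and the attribute is listed in {@code subjectIdentifiersPerClientSupported}.
     *
     * @param registerRequest the parsed registration request
     * @throws WebApplicationException {@code 400} / {@code invalid_public_subject_identifier_attribute}
     *         when any of the three conditions above fails; {@code 400} / {@code invalid_redirect_uris_regex}
     *         when {@code redirect_uris_regex} is supplied but {@code redirectUrisRegexEnabled} is {@code false}
     */
    public void validateSubjectIdentifierAttribute(RegisterRequest registerRequest) {
        String subjectIdentifierAttribute = registerRequest.getSubjectIdentifierAttribute();
        if (StringUtils.isNotBlank(subjectIdentifierAttribute)) {
            if (Boolean.FALSE.equals(this.appConfiguration.getPublicSubjectIdentifierPerClientEnabled())) {
                throw this.errorResponseFactory.createWebApplicationException(
                        Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_PUBLIC_SUBJECT_IDENTIFIER_ATTRIBUTE,
                        "The public subject identifier per client is disabled.");
            }
            if (registerRequest.getSubjectType() != SubjectType.PUBLIC) {
                throw this.errorResponseFactory.createWebApplicationException(
                        Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_PUBLIC_SUBJECT_IDENTIFIER_ATTRIBUTE,
                        "The custom subject identifier requires public subject type.");
            }
            // assumes subjectIdentifiersPerClientSupported is never null — TODO confirm (a null list would NPE here)
            if (!this.appConfiguration.getSubjectIdentifiersPerClientSupported().contains(subjectIdentifierAttribute)) {
                throw this.errorResponseFactory.createWebApplicationException(
                        Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_PUBLIC_SUBJECT_IDENTIFIER_ATTRIBUTE,
                        "Invalid subject identifier attribute.");
            }
        }

        if (StringUtils.isNotBlank(registerRequest.getRedirectUrisRegex())
                && Boolean.FALSE.equals(this.appConfiguration.getRedirectUrisRegexEnabled())) {
            throw this.errorResponseFactory.createBadRequestException(
                    RegisterErrorResponseType.INVALID_REDIRECT_URIS_REGEX, "The redirect URI's Regex is disabled.");
        }
    }

    /**
     * When {@code dcrAuthorizationWithClientCredentials} is enabled, checks that the presented access
     * token belongs to a known, still-valid grant that was issued to {@code clientId}.
     *
     * <p>Status codes: {@code 400} when either value is blank or the client id does not match the grant's;
     * {@code 401} when no grant is found for the token or the token object is missing/expired. All responses
     * carry {@code invalid_token}. The client-id mismatch case reuses the "not found or otherwise expired"
     * description, so a caller cannot distinguish a mismatch from an expired token.
     *
     * @param accessToken the access token presented with the registration request
     * @param clientId    the client id the request claims to act on behalf of
     * @throws WebApplicationException {@code 400} or {@code 401} / {@code invalid_token} as described above
     */
    public void validateAuthorizationAccessToken(String accessToken, String clientId) {
        if (BooleanUtils.isFalse(this.appConfiguration.getDcrAuthorizationWithClientCredentials())) {
            return;
        }
        if (StringUtils.isBlank(accessToken) || StringUtils.isBlank(clientId)) {
            this.log.trace("Access Token or clientId is blank.");
            throw invalidTokenException(Response.Status.BAD_REQUEST, "The Access Token is not valid for the Client ID.");
        }

        AuthorizationGrant grant = this.authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
        if (grant == null) {
            // NOTE(review): this writes the presented token value itself to the log (trace level);
            // prefer logging a length or digest so the log cannot be used to replay a live token.
            this.log.trace("Unable to find grant by access token: {}", accessToken);
            throw invalidTokenException(Response.Status.UNAUTHORIZED, "The Access Token grant is not found.");
        }

        AbstractToken token = grant.getAccessToken(accessToken);
        if (token == null || !token.isValid()) {
            this.log.trace("Unable to find access token object or otherwise it's expired.");
            throw invalidTokenException(Response.Status.UNAUTHORIZED, "The Access Token object is not found or otherwise expired.");
        }

        if (clientId.equals(grant.getClientId())) {
            return;
        }
        this.log.trace("ClientId from request does not match to access token's client id.");
        throw invalidTokenException(Response.Status.BAD_REQUEST, "The Access Token object is not found or otherwise expired.");
    }

    /**
     * Builds an {@code invalid_token} JSON error response with the given status.
     *
     * @param status      HTTP status of the response
     * @param description human-readable error description placed in the JSON body
     * @return the exception to throw
     */
    private WebApplicationException invalidTokenException(Response.Status status, String description) {
        return new WebApplicationException(Response.status(status)
                .type(MediaType.APPLICATION_JSON_TYPE)
                .entity(this.errorResponseFactory.errorAsJson(RegisterErrorResponseType.INVALID_TOKEN, description))
                .build());
    }

    /**
     * Validates the CIBA (Client Initiated Backchannel Authentication) metadata of the request via
     * {@link CIBARegisterParamsValidatorService#validateParams}.
     *
     * @param registerRequest the parsed registration request
     * @throws WebApplicationException {@code 400} / {@code invalid_client_metadata} when the CIBA parameters are rejected
     */
    public void validateCiba(RegisterRequest registerRequest) {
        boolean cibaParamsValid = this.cibaRegisterParamsValidatorService.validateParams(
                registerRequest.getBackchannelTokenDeliveryMode(),
                registerRequest.getBackchannelClientNotificationEndpoint(),
                registerRequest.getBackchannelAuthenticationRequestSigningAlg(),
                registerRequest.getGrantTypes(),
                registerRequest.getSubjectType(),
                registerRequest.getSectorIdentifierUri(),
                registerRequest.getJwks(),
                registerRequest.getJwksUri());
        if (!cibaParamsValid) {
            throw this.errorResponseFactory.createWebApplicationException(
                    Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA,
                    "Invalid Client Metadata registering to use CIBA (Client Initiated Backchannel Authentication).");
        }
    }

    /**
     * Validates {@code redirect_uris} against the requested grant types, response types, application type,
     * subject type and sector identifier via {@link RegisterParamsValidator#validateRedirectUris}.
     *
     * @param registerRequest the parsed registration request
     * @throws WebApplicationException {@code 400} / {@code invalid_redirect_uri} when the redirect URIs are rejected
     */
    public void validateRedirectUris(RegisterRequest registerRequest) {
        boolean redirectUrisValid = this.registerParamsValidator.validateRedirectUris(
                registerRequest.getGrantTypes(),
                registerRequest.getResponseTypes(),
                registerRequest.getApplicationType(),
                registerRequest.getSubjectType(),
                registerRequest.getRedirectUris(),
                registerRequest.getSectorIdentifierUri());
        if (!redirectUrisValid) {
            throw this.errorResponseFactory.createWebApplicationException(
                    Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_REDIRECT_URI, "Failed to validate redirect uris.");
        }
    }

    /**
     * Runs the general client-metadata consistency check of
     * {@link RegisterParamsValidator#validateParamsClientRegister} and surfaces its reason on failure.
     *
     * @param registerRequest the parsed registration request
     * @throws WebApplicationException {@code 400} / {@code invalid_client_metadata} carrying the validator's
     *         reason text when the parameters are rejected
     */
    public void validateParamsClientRegister(RegisterRequest registerRequest) {
        Pair<Boolean, String> result = this.registerParamsValidator.validateParamsClientRegister(
                registerRequest.getApplicationType(),
                registerRequest.getSubjectType(),
                registerRequest.getGrantTypes(),
                registerRequest.getResponseTypes(),
                registerRequest.getRedirectUris());
        if (BooleanUtils.isFalse(result.getFirst())) {
            this.log.trace("Client parameters are invalid, returns invalid_request error. Reason: {}", result.getSecond());
            throw this.errorResponseFactory.createWebApplicationException(
                    Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA, result.getSecond());
        }
    }

    /**
     * Validates {@code initiate_login_uri} when present; an absent or empty value is accepted.
     *
     * @param registerRequest the parsed registration request
     * @throws WebApplicationException {@code 400} / {@code invalid_client_metadata} when the URI is present
     *         but rejected by {@link RegisterParamsValidator#validateInitiateLoginUri} (it must use https)
     */
    public void validateInitiateLoginUri(RegisterRequest registerRequest) {
        String initiateLoginUri = registerRequest.getInitiateLoginUri();
        if (Strings.isNullOrEmpty(initiateLoginUri)
                || this.registerParamsValidator.validateInitiateLoginUri(initiateLoginUri)) {
            return;
        }
        this.log.debug("The Initiate Login Uri is invalid. The initiate_login_uri must use the https schema: {}", initiateLoginUri);
        throw this.errorResponseFactory.createWebApplicationException(
                Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLIENT_METADATA,
                "The Initiate Login Uri is invalid. The initiate_login_uri must use the https schema.");
    }

    /**
     * Validates {@code claims_redirect_uris} with the same rules as {@code redirect_uris}; an absent or
     * empty list is accepted.
     *
     * @param registerRequest the parsed registration request
     * @throws WebApplicationException {@code 400} / {@code invalid_claims_redirect_uri} when any URI is rejected
     */
    public void validateClaimsRedirectUris(RegisterRequest registerRequest) {
        if (registerRequest.getClaimsRedirectUris() == null || registerRequest.getClaimsRedirectUris().isEmpty()) {
            return;
        }
        boolean claimsRedirectUrisValid = this.registerParamsValidator.validateRedirectUris(
                registerRequest.getGrantTypes(),
                registerRequest.getResponseTypes(),
                registerRequest.getApplicationType(),
                registerRequest.getSubjectType(),
                registerRequest.getClaimsRedirectUris(),
                registerRequest.getSectorIdentifierUri());
        if (claimsRedirectUrisValid) {
            return;
        }
        this.log.debug("Value of one or more claims_redirect_uris is invalid, claims_redirect_uris: {}", registerRequest.getClaimsRedirectUris());
        throw this.errorResponseFactory.createWebApplicationException(
                Response.Status.BAD_REQUEST, RegisterErrorResponseType.INVALID_CLAIMS_REDIRECT_URI,
                "Value of one or more claims_redirect_uris is invalid");
    }

    /**
     * Rejects registrations that request the {@code password} grant type while
     * {@code dynamicRegistrationPasswordGrantTypeEnabled} is {@code false}.
     *
     * @param registerRequest the parsed registration request
     * @throws WebApplicationException {@code 400} / {@code access_denied} when the grant type is requested but disabled
     */
    public void validatePasswordGrantType(RegisterRequest registerRequest) {
        if (BooleanUtils.isFalse(this.appConfiguration.getDynamicRegistrationPasswordGrantTypeEnabled())
                && this.registerParamsValidator.checkIfThereIsPasswordGrantType(registerRequest.getGrantTypes())) {
            this.log.info("Password Grant Type is not allowed for Dynamic Client Registration.");
            throw this.errorResponseFactory.createWebApplicationException(
                    Response.Status.BAD_REQUEST, RegisterErrorResponseType.ACCESS_DENIED,
                    "Password Grant Type is not allowed for Dynamic Client Registration.");
        }
    }

    /**
     * When {@code dcrAuthorizationWithClientCredentials} is {@code true}, requires the request to include
     * {@code grant_type=client_credentials}; otherwise the request is accepted as-is.
     *
     * @param registerRequest the parsed registration request
     * @throws WebApplicationException {@code 400} / {@code access_denied} when the grant type is missing
     */
    public void validateDcrAuthorizationWithClientCredentials(RegisterRequest registerRequest) {
        if (!BooleanUtils.isTrue(this.appConfiguration.getDcrAuthorizationWithClientCredentials())) {
            return;
        }
        // assumes getGrantTypes() is never null when this feature is enabled — TODO confirm
        if (registerRequest.getGrantTypes().contains(GrantType.CLIENT_CREDENTIALS)) {
            return;
        }
        this.log.info("Register request does not contain grant_type=client_credentials, however dcrAuthorizationWithClientCredentials=true which is forbidden.");
        throw this.errorResponseFactory.createWebApplicationException(
                Response.Status.BAD_REQUEST, RegisterErrorResponseType.ACCESS_DENIED,
                "Client Credentials Grant Type is not present in Dynamic Client Registration request.");
    }
}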
