package io.jans.as.server.auth;

import io.jans.as.common.model.registration.Client;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.common.AuthenticationMethod;
import io.jans.as.model.common.Prompt;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.jwk.Algorithm;
import io.jans.as.model.jwk.JSONWebKey;
import io.jans.as.model.jwk.JSONWebKeySet;
import io.jans.as.model.register.RegisterRequestParam;
import io.jans.as.model.token.TokenErrorResponseType;
import io.jans.as.model.util.CertUtils;
import io.jans.as.model.util.HashUtil;
import io.jans.as.server.model.common.SessionId;
import io.jans.as.server.model.common.SessionIdState;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.external.ExternalDynamicClientRegistrationService;
import io.jans.as.server.service.external.context.DynamicClientRegistrationContext;
import jakarta.ejb.DependsOn;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.FilterChain;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import java.security.cert.X509Certificate;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.json.JSONObject;
import org.slf4j.Logger;

@ApplicationScoped
@DependsOn({"appInitializer"})
@Named
/* loaded from: input_file:io/jans/as/server/auth/MTLSService.class */
public class MTLSService {

    @Inject
    private Logger log;

    @Inject
    private Authenticator authenticator;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private ExternalDynamicClientRegistrationService externalDynamicClientRegistrationService;

    public boolean processMTLS(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Client client) throws Exception {
        this.log.debug("Trying to authenticate client {} via {} ...", client.getClientId(), client.getAuthenticationMethod());
        String header = httpServletRequest.getHeader("X-ClientCert");
        if (StringUtils.isBlank(header)) {
            this.log.debug("Client certificate is missed in `X-ClientCert` header, client_id: {}.", client.getClientId());
            return false;
        }
        X509Certificate x509CertificateFromPem = CertUtils.x509CertificateFromPem(header);
        if (x509CertificateFromPem == null) {
            this.log.debug("Failed to parse client certificate, client_id: {}.", client.getClientId());
            return false;
        }
        String cn = CertUtils.getCN(x509CertificateFromPem);
        String hash = HashUtil.getHash(cn, SignatureAlgorithm.HS512);
        if (StringUtils.isBlank(cn) || StringUtils.isBlank(hash) || (!cn.equals(client.getClientId()) && !hash.equals(HashUtil.getHash(client.getClientId(), SignatureAlgorithm.HS512)))) {
            if (this.log.isTraceEnabled()) {
                this.log.trace("Client certificate CN does not match clientId. Invoke registration script's isCertValidForClient, CN: {}, clientId: {}, hashedCn: {}", new Object[]{cn, client.getClientId(), hash});
            }
            if (!this.externalDynamicClientRegistrationService.isCertValidForClient(x509CertificateFromPem, new DynamicClientRegistrationContext(httpServletRequest, new JSONObject(), null, client))) {
                this.log.error("Reject request. isCertValidForClient returned false.");
                throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).entity(this.errorResponseFactory.getErrorAsJson(TokenErrorResponseType.INVALID_CLIENT, httpServletRequest.getParameter("state"), "")).build());
            }
        }
        if (client.getAuthenticationMethod() == AuthenticationMethod.TLS_CLIENT_AUTH) {
            this.log.debug("Authenticating with tls_client_auth ...");
            String tlsClientAuthSubjectDn = client.getAttributes().getTlsClientAuthSubjectDn();
            if (StringUtils.isBlank(tlsClientAuthSubjectDn)) {
                this.log.debug("SubjectDN is not set for client {} which is required to authenticate it via `tls_client_auth`.", client.getClientId());
                return false;
            }
            if (CertUtils.equalsRdn(tlsClientAuthSubjectDn, x509CertificateFromPem.getSubjectDN().getName())) {
                this.log.debug("Client {} authenticated via `tls_client_auth`.", client.getClientId());
                authenticatedSuccessfully(client, httpServletRequest);
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return true;
            }
            this.log.debug("Client's subject dn: {}, cert subject dn: {}", tlsClientAuthSubjectDn, x509CertificateFromPem.getSubjectDN().getName());
        }
        if (client.getAuthenticationMethod() == AuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH) {
            this.log.debug("Authenticating with self_signed_tls_client_auth ...");
            byte[] encoded = x509CertificateFromPem.getPublicKey().getEncoded();
            JSONObject jwks = CommonUtils.getJwks(client);
            if (jwks == null) {
                this.log.debug("Unable to load json web keys for client: {}, jwks_uri: {}, jks: {}", new Object[]{client.getClientId(), client.getJwksUri(), client.getJwks()});
                return false;
            }
            for (JSONWebKey jSONWebKey : JSONWebKeySet.fromJSONObject(jwks).getKeys()) {
                if (ArrayUtils.isEquals(encoded, this.cryptoProvider.getPublicKey(jSONWebKey.getKid(), jwks, (Algorithm) null).getEncoded())) {
                    this.log.debug("Client {} authenticated via `self_signed_tls_client_auth`, matched kid: {}.", client.getClientId(), jSONWebKey.getKid());
                    authenticatedSuccessfully(client, httpServletRequest);
                    filterChain.doFilter(httpServletRequest, httpServletResponse);
                    return true;
                }
            }
        }
        this.log.debug("MTLS authentication failed.");
        return false;
    }

    private void authenticatedSuccessfully(Client client, HttpServletRequest httpServletRequest) {
        SessionId sessionId;
        this.authenticator.configureSessionClient(client);
        if (Prompt.fromString(httpServletRequest.getParameter("prompt"), " ").contains(Prompt.LOGIN) || (sessionId = this.sessionIdService.getSessionId(httpServletRequest)) == null || sessionId.getState() != SessionIdState.AUTHENTICATED) {
            return;
        }
        this.authenticator.authenticateBySessionId(sessionId);
    }

    public boolean processRegisterMTLS(HttpServletRequest httpServletRequest) {
        this.log.debug("Trying to authenticate client registration request via MTLS");
        String str = null;
        try {
            str = new JSONObject(IOUtils.toString(httpServletRequest.getReader())).optString(RegisterRequestParam.TLS_CLIENT_AUTH_SUBJECT_DN.toString());
        } catch (Exception e) {
            this.log.error("Error getting TLS_CLIENT_AUTH_SUBJECT_DN field from request registration body", e);
        }
        String header = httpServletRequest.getHeader("X-ClientCert");
        if (StringUtils.isBlank(header)) {
            this.log.debug("Client certificate is missed in `X-ClientCert` header");
            return false;
        }
        X509Certificate x509CertificateFromPem = CertUtils.x509CertificateFromPem(header);
        if (x509CertificateFromPem == null) {
            this.log.debug("Failed to parse client certificate");
            return false;
        }
        this.log.debug("MTLS client authentication tlsClientAuthSubjectDn = {}", str);
        return CertUtils.equalsRdn(str, x509CertificateFromPem.getSubjectDN().getName());
    }
}
