package io.jans.as.server.par.ws.rs;

import com.google.common.collect.Lists;
import io.jans.as.common.model.registration.Client;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.authorize.CodeVerifier;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.error.IErrorType;
import io.jans.as.model.util.Util;
import io.jans.as.persistence.model.Par;
import io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceValidator;
import io.jans.as.server.authorize.ws.rs.AuthzRequestService;
import io.jans.as.server.model.authorize.Claim;
import io.jans.as.server.model.authorize.IdTokenMember;
import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
import io.jans.as.server.model.authorize.ScopeChecker;
import io.jans.as.server.service.RedirectUriResponse;
import io.jans.as.server.service.RequestParameterService;
import io.jans.as.server.util.ServerUtil;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import java.util.Date;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;

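/**
 * Validation helpers for the Pushed Authorization Request (PAR) endpoint.
 *
 * <p>The class checks that no {@code request_uri} is supplied, parses and validates a request
 * object (JWT) carried in the PAR attributes, copies the request-object values onto the
 * {@link Par} entry, and enforces the PKCE parameters when the server runs in FAPI mode.
 */
@ApplicationScoped
/* loaded from: input_file:io/jans/as/server/par/ws/rs/ParValidator.class */
public class ParValidator {

    @Inject
    private Logger log;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private AuthorizeRestWebServiceValidator authorizeRestWebServiceValidator;

    @Inject
    private ScopeChecker scopeChecker;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private RequestParameterService requestParameterService;

    /**
     * Rejects the request when a {@code request_uri} value is present, reporting
     * {@link AuthorizeErrorResponseType#INVALID_REQUEST}.
     *
     * @param str the {@code request_uri} value received; {@code null} or blank is accepted
     */
    public void validateRequestUriIsAbsent(@Nullable String str) {
        validateRequestUriIsAbsent(str, AuthorizeErrorResponseType.INVALID_REQUEST);
    }

    /**
     * Rejects the request when a {@code request_uri} value is present.
     *
     * @param str the {@code request_uri} value received; {@code null} or blank is accepted
     * @param iErrorType the error type handed to the error factory when the value is present
     * @throws WebApplicationException the bad-request exception built by the error factory when
     *     {@code str} is not blank
     */
    public void validateRequestUriIsAbsent(@Nullable String str, @NotNull IErrorType iErrorType) {
        if (StringUtils.isBlank(str)) {
            return;
        }
        this.log.trace("request_uri parameter is not allowed at PAR endpoint. Return error.");
        throw this.errorResponseFactory.createBadRequestException(iErrorType, "");
    }

    /**
     * Parses the request object stored in the PAR attributes, validates it, and copies its values
     * onto {@code par}. Does nothing when the PAR carries no request object.
     *
     * <p>Values present in the request object replace the ones already held in the PAR
     * attributes; values absent from it leave the existing attributes untouched.
     *
     * @param redirectUriResponse response holder used to build error redirects; its state and
     *     response mode are updated from the request object
     * @param par the PAR entry being populated
     * @param client the client the request object is parsed for
     * @throws WebApplicationException when the request object cannot be parsed, contains a
     *     {@code request_uri}, or fails validation
     */
    public void validateRequestObject(RedirectUriResponse redirectUriResponse, Par par, Client client) {
        String request = par.getAttributes().getRequest();
        if (StringUtils.isBlank(request)) {
            return;
        }
        try {
            JwtAuthorizationRequest jwtRequest = JwtAuthorizationRequest.createJwtRequest(request, null, client, redirectUriResponse, this.cryptoProvider, this.appConfiguration);
            if (jwtRequest == null) {
                throw this.authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, "Failed to parse jwt.");
            }
            // A request_uri nested inside the request object is refused as well, so a pushed
            // request cannot point at another request.
            validateRequestUriIsAbsent(jwtRequest.getJsonPayload().optString("request_uri"), AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
            // State is copied before the delegated validation so that it is already set on
            // redirectUriResponse if that validation fails.
            setStateIntoPar(redirectUriResponse, par, jwtRequest);
            this.authorizeRestWebServiceValidator.validateRequestObject(jwtRequest, redirectUriResponse);
            if (!jwtRequest.getResponseTypes().isEmpty()) {
                par.getAttributes().setResponseType(jwtRequest.getJsonPayload().optString("response_type"));
            }
            if (StringUtils.isNotBlank(jwtRequest.getClientId())) {
                par.getAttributes().setClientId(jwtRequest.getClientId());
            }
            if (jwtRequest.getNbf() != null) {
                par.getAttributes().setNbf(jwtRequest.getNbf());
            }
            if (jwtRequest.getExp() != null) {
                // NOTE(review): this first pair of assignments is overwritten immediately below;
                // it is kept only in case the setters or Util.createExpirationDate have effects
                // not visible in this file. Confirm and remove.
                par.setTtl(jwtRequest.getExp());
                par.setExpirationDate(Util.createExpirationDate(jwtRequest.getExp()));

                par.setTtl(Integer.valueOf(ServerUtil.calculateTtl(jwtRequest.getExp())));
                // exp is in seconds; widen to long before converting to milliseconds. In int
                // arithmetic the product overflows for any current epoch value and yields a
                // wrong expiration date for the pushed request.
                par.setExpirationDate(new Date(jwtRequest.getExp().longValue() * 1000L));
            }
            if (!jwtRequest.getScopes().isEmpty()) {
                // Only the scopes that pass the client's scope policy are stored.
                par.getAttributes().setScope(io.jans.as.model.util.StringUtils.implode(this.scopeChecker.checkScopesPolicy(client, Lists.newArrayList(jwtRequest.getScopes())), " "));
            }
            if (StringUtils.isNotBlank(jwtRequest.getRedirectUri())) {
                par.getAttributes().setRedirectUri(jwtRequest.getRedirectUri());
            }
            if (StringUtils.isNotBlank(jwtRequest.getNonce())) {
                par.getAttributes().setNonce(jwtRequest.getNonce());
            }
            if (StringUtils.isNotBlank(jwtRequest.getCodeChallenge())) {
                par.getAttributes().setCodeChallenge(jwtRequest.getCodeChallenge());
            }
            if (StringUtils.isNotBlank(jwtRequest.getCodeChallengeMethod())) {
                par.getAttributes().setCodeChallengeMethod(jwtRequest.getCodeChallengeMethod());
            }
            if (jwtRequest.getDisplay() != null && StringUtils.isNotBlank(jwtRequest.getDisplay().getParamName())) {
                par.getAttributes().setDisplay(jwtRequest.getDisplay().getParamName());
            }
            if (!jwtRequest.getPrompts().isEmpty()) {
                par.getAttributes().setPrompt(jwtRequest.getJsonPayload().optString("prompt"));
            }
            if (jwtRequest.getResponseMode() != null) {
                redirectUriResponse.getRedirectUri().setResponseMode(jwtRequest.getResponseMode());
                par.getAttributes().setResponseMode(jwtRequest.getJsonPayload().optString("response_mode"));
            }
            setParAttributesFromIdTokenMember(par, jwtRequest);
            this.requestParameterService.getCustomParameters(jwtRequest, par.getAttributes().getCustomParameters());
        } catch (WebApplicationException e) {
            // Must precede the broad catch: WebApplicationException is a RuntimeException, so a
            // preceding catch (Exception) would intercept it and replace the specific error
            // (for example INVALID_REQUEST_OBJECT for a nested request_uri) with the generic one.
            throw e;
        } catch (Exception e) {
            // NOTE(review): the exception message may echo request-derived text; confirm the
            // logging backend neutralises line breaks before relying on these entries.
            this.log.error("Invalid JWT authorization request. Message : {}", e.getMessage(), e);
            throw this.authorizeRestWebServiceValidator.createInvalidJwtRequestException(redirectUriResponse, AuthzRequestService.INVALID_JWT_AUTHORIZATION_REQUEST);
        }
    }

    /**
     * Copies {@code max_age} and the {@code acr} claim value from the request object's id_token
     * member onto the PAR attributes, when they are present.
     *
     * @param par the PAR entry being populated
     * @param jwtAuthorizationRequest the parsed request object
     */
    private void setParAttributesFromIdTokenMember(@NotNull Par par, @NotNull JwtAuthorizationRequest jwtAuthorizationRequest) {
        IdTokenMember idTokenMember = jwtAuthorizationRequest.getIdTokenMember();
        if (idTokenMember == null) {
            return;
        }
        if (idTokenMember.getMaxAge() != null) {
            par.getAttributes().setMaxAge(idTokenMember.getMaxAge());
        }
        Claim acrClaim = idTokenMember.getClaim("acr");
        if (acrClaim == null || acrClaim.getClaimValue() == null) {
            return;
        }
        par.getAttributes().setAcrValuesStr(acrClaim.getClaimValue().getValueAsString());
    }

    /**
     * Copies the request object's {@code state} onto both the PAR attributes and the redirect
     * response. In FAPI mode a blank state in the request object resets both to the empty string,
     * so a state supplied outside the request object is not carried over.
     *
     * @param redirectUriResponse response holder whose state is updated
     * @param par the PAR entry being populated
     * @param jwtAuthorizationRequest the parsed request object
     */
    private void setStateIntoPar(@NotNull RedirectUriResponse redirectUriResponse, @NotNull Par par, @NotNull JwtAuthorizationRequest jwtAuthorizationRequest) {
        String state = jwtAuthorizationRequest.getState();
        if (StringUtils.isNotBlank(state)) {
            par.getAttributes().setState(state);
            redirectUriResponse.setState(state);
        } else if (this.appConfiguration.isFapi()) {
            par.getAttributes().setState("");
            redirectUriResponse.setState("");
        }
    }

    /**
     * Enforces the PKCE parameters in FAPI mode: the challenge method must be present and must
     * not be {@code plain}, and the challenge itself must be present. Outside FAPI mode nothing
     * is checked here.
     *
     * <p>NOTE(review): a method value that {@code CodeChallengeMethod.fromString} does not
     * recognise is not rejected by this check unless it maps to {@code PLAIN}; confirm that
     * unknown methods are refused elsewhere.
     *
     * @param str the {@code code_challenge} value
     * @param str2 the {@code code_challenge_method} value
     * @param str3 value passed through to the error response (presumably the request state;
     *     confirm against {@code ErrorResponseFactory.getErrorAsJson})
     * @throws WebApplicationException with HTTP 400 when a check fails
     */
    public void validatePkce(String str, String str2, String str3) {
        if (!this.appConfiguration.isFapi()) {
            return;
        }
        if (StringUtils.isBlank(str2) || CodeVerifier.CodeChallengeMethod.fromString(str2) == CodeVerifier.CodeChallengeMethod.PLAIN) {
            this.log.error("code_challenge_method is invalid: {} (plain or blank method is not allowed)", str2);
            throw invalidPkceRequest(str3);
        }
        if (StringUtils.isBlank(str)) {
            this.log.error("code_challenge is blank");
            throw invalidPkceRequest(str3);
        }
    }

    /** Builds the HTTP 400 {@code invalid_request} exception used by the PKCE checks. */
    private WebApplicationException invalidPkceRequest(String str3) {
        return new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, str3, "")).build());
    }
}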
