package io.jans.as.server.service;

import io.jans.as.common.claims.Audience;
import io.jans.as.common.model.registration.Client;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.config.WebKeysConfiguration;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.token.JwtSigner;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import org.apache.commons.lang.BooleanUtils;
import org.json.JSONObject;
import org.slf4j.Logger;

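/**
 * Support code for the token introspection endpoint: enforces the optional
 * {@code introspection} scope requirement on the caller's access token and
 * builds the signed JWT form of an introspection response.
 */
@Named
public class IntrospectionService {

    /** Scope the caller's access token must carry when the scope requirement is enabled. */
    private static final String INTROSPECTION_SCOPE = "introspection";

    /** Reason used both in the trace log and in the error returned to the caller. */
    private static final String MISSING_SCOPE_REASON =
            "access_token used to access introspection endpoint does not have 'introspection' scope, however in AS configuration 'introspectionAccessTokenMustHaveIntrospectionScope' is true";

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private Logger log;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private ClientService clientService;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    /**
     * Rejects the request when the AS is configured to require the
     * {@code introspection} scope and the grant behind the access token lacks it.
     *
     * <p>The scope is matched as a whole token. A plain substring test would
     * also accept unrelated scopes whose names merely contain the word
     * (for example a constructed value such as {@code introspection_readonly}),
     * which would weaken the access check.
     *
     * @param authorizationGrant grant resolved from the access token presented to the endpoint
     * @throws WebApplicationException with status 401 and an {@code access_denied} JSON body
     *         when the required scope is missing
     */
    public void validateIntrospectionScopePresence(AuthorizationGrant authorizationGrant) {
        if (!BooleanUtils.isTrue(this.appConfiguration.getIntrospectionAccessTokenMustHaveIntrospectionScope())) {
            // Requirement switched off (or unset): nothing to enforce.
            return;
        }
        if (hasScope(authorizationGrant.getScopesAsString(), INTROSPECTION_SCOPE)) {
            return;
        }
        this.log.trace(MISSING_SCOPE_REASON);
        throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED)
                .entity(this.errorResponseFactory.errorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, MISSING_SCOPE_REASON))
                .type(MediaType.APPLICATION_JSON_TYPE)
                .build());
    }

    /**
     * Tells whether {@code required} is one of the scope tokens in {@code scopes}.
     *
     * <p>Assumes the string is whitespace-delimited, as an OAuth 2.0 scope string is;
     * confirm against {@code AuthorizationGrant.getScopesAsString()}. A {@code null}
     * string is treated as "no scopes", so the caller fails closed.
     */
    private static boolean hasScope(String scopes, String required) {
        if (scopes == null) {
            return false;
        }
        for (String scope : scopes.trim().split("\\s+")) {
            if (required.equals(scope)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Decides whether the introspection response should be returned as a JWT.
     *
     * @param str flag value; the answer is yes when it equals {@code "true"} ignoring case
     * @param str2 media type; the answer is yes when it equals
     *        {@code application/token-introspection+jwt} ignoring case
     *        (presumably the request's Accept header; confirm against callers)
     * @return {@code true} when either argument asks for a JWT response
     */
    public boolean isJwtResponse(String str, String str2) {
        return Boolean.TRUE.toString().equalsIgnoreCase(str) || "application/token-introspection+jwt".equalsIgnoreCase(str2);
    }

    /**
     * Creates a signer for the grant's client and fills its new JWT with the
     * introspection payload. The JWT is not signed here.
     *
     * @param jSONObject introspection response to embed
     * @param authorizationGrant grant whose client determines the signing setup
     * @return the prepared signer; call {@code sign()} to obtain the signed JWT
     * @throws Exception propagated from secret decryption, signer creation or payload filling
     */
    public JwtSigner createResponseJwt(JSONObject jSONObject, AuthorizationGrant authorizationGrant) throws Exception {
        Client client = authorizationGrant.getClient();
        // The decrypted client secret is handed straight to the signer and must never be logged.
        String decryptedSecret = this.clientService.decryptSecret(client.getClientSecret());
        JwtSigner newJwtSigner = JwtSigner.newJwtSigner(this.appConfiguration, this.webKeysConfiguration, client, decryptedSecret);
        fillPayload(newJwtSigner.newJwt(), jSONObject, authorizationGrant);
        return newJwtSigner;
    }

    /**
     * Sets audience, issuer, issued-at and the {@code token_introspection} claim on the JWT.
     *
     * @param jwt JWT whose claim set is populated
     * @param jSONObject introspection response stored under {@code token_introspection}
     * @param authorizationGrant grant whose client is used as the audience
     * @throws InvalidJwtException declared by the claim-set API used here
     */
    public void fillPayload(Jwt jwt, JSONObject jSONObject, AuthorizationGrant authorizationGrant) throws InvalidJwtException {
        Audience.setAudience(jwt.getClaims(), authorizationGrant.getClient());
        jwt.getClaims().setIssuer(this.appConfiguration.getIssuer());
        jwt.getClaims().setIatNow();
        try {
            jwt.getClaims().setClaim("token_introspection", jSONObject);
        } catch (Exception e) {
            // NOTE(review): the failure is only logged, so the caller still signs and returns
            // a JWT that lacks the token_introspection claim. Confirm this best-effort
            // behaviour is intended. The full introspection response is also written to the
            // error log; check that this matches the deployment's log-handling policy.
            this.log.error("Failed to put claims into jwt. Key: token_introspection, response: {}", jSONObject, e);
        }
        if (this.log.isTraceEnabled()) {
            // Guarded so the claim set is serialised only when trace output is wanted.
            this.log.trace("Response before signing: {}", jwt.getClaims().toJsonString());
        }
    }

    /**
     * Builds, signs and serialises the introspection response as a JWT.
     *
     * @param jSONObject introspection response to embed
     * @param authorizationGrant grant whose client determines audience and signing setup
     * @return the signed JWT in its string form
     * @throws Exception propagated from JWT creation or signing
     */
    public String createResponseAsJwt(JSONObject jSONObject, AuthorizationGrant authorizationGrant) throws Exception {
        return createResponseJwt(jSONObject, authorizationGrant).sign().toString();
    }
}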
