package io.jans.as.server.authorize.ws.rs;

import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.session.SessionId;
import io.jans.as.common.model.session.SessionIdState;
import io.jans.as.common.util.RedirectUri;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.ciba.BackchannelAuthenticationErrorResponseType;
import io.jans.as.model.common.Prompt;
import io.jans.as.model.common.ResponseMode;
import io.jans.as.model.common.ResponseType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.server.model.authorize.AuthorizeParamsValidator;
import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
import io.jans.as.server.model.exception.AcrChangedException;
import io.jans.as.server.model.exception.InvalidRedirectUrlException;
import io.jans.as.server.security.Identity;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.DeviceAuthorizationService;
import io.jans.as.server.service.RedirectUriResponse;
import io.jans.as.server.service.RedirectionUriService;
import io.jans.as.server.service.SessionIdService;
import io.jans.as.server.service.external.session.SessionEvent;
import io.jans.as.server.service.external.session.SessionEventType;
import io.jans.as.server.util.RedirectUtil;
import io.jans.as.server.util.ServerUtil;
import io.jans.orm.exception.EntryPersistenceException;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.util.ArrayList;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.TimeZone;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;

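/**
 * Request-level validation for the authorization endpoint, plus the request-object
 * checks shared with the CIBA backchannel endpoint.
 *
 * <p>Every check either returns normally or throws a {@link WebApplicationException}
 * that already carries the OAuth2/OIDC error response, so callers can chain the
 * validators and let the exception propagate to the JAX-RS layer.
 *
 * <p>Two error-delivery styles are used deliberately: a plain JSON {@code 400}/{@code 401}
 * body where no redirect target can be trusted yet (client lookup, the redirect_uri check
 * itself), and a redirect through {@link RedirectUriResponse} elsewhere. The latter is
 * only safe if the caller built the {@code RedirectUriResponse} from a redirect_uri that
 * was already validated against the client's registration (see {@link #validateRedirectUri});
 * this class cannot verify that and relies on the caller.
 */
@Named
@Stateless
public class AuthorizeRestWebServiceValidator {

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private ClientService clientService;

    @Inject
    private RedirectionUriService redirectionUriService;

    @Inject
    private DeviceAuthorizationService deviceAuthorizationService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private SessionIdService sessionIdService;

    @Inject
    private Identity identity;

    /**
     * Resolves and validates the client of a regular (non-PAR) authorization request.
     *
     * @param clientId value of the {@code client_id} parameter
     * @param state    value of the {@code state} parameter, echoed in the error body
     * @return the resolved, enabled client
     * @throws WebApplicationException see {@link #validateClient(String, String, boolean)}
     */
    public Client validateClient(String clientId, String state) {
        return validateClient(clientId, state, false);
    }

    /**
     * Resolves and validates the client of {@code authzRequest} and stores it on the request.
     *
     * @param authzRequest the parsed authorization request; its client is set on success
     * @param isPar        {@code true} to skip the "client may only use PAR" check — presumably
     *                     set when the request itself arrived through PAR (verify against callers)
     * @return the resolved, enabled client
     */
    public Client validateClient(AuthzRequest authzRequest, boolean isPar) {
        final Client client = validateClient(authzRequest.getClientId(), authzRequest.getState(), isPar);
        authzRequest.setClient(client);
        return client;
    }

    /**
     * Looks the client up and rejects blank ids, unknown clients, disabled clients and
     * clients that are registered with {@code require_par} unless {@code isPar} is set.
     *
     * <p>All failures are reported as a direct JSON body (no redirect): at this point no
     * redirect_uri has been validated, so nothing may be sent to one.
     *
     * @throws WebApplicationException 400 for a blank id or a PAR-only client,
     *                                 401 for an unknown, unreadable or disabled client
     */
    public Client validateClient(String clientId, String state, boolean isPar) {
        if (StringUtils.isBlank(clientId)) {
            throw jsonError(Response.Status.BAD_REQUEST, AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, state, "client_id is empty or blank.");
        }
        final Client client;
        try {
            client = this.clientService.getClient(clientId);
        } catch (EntryPersistenceException e) {
            // Persistence trouble is reported exactly like an unknown client so the
            // response does not reveal whether the id exists.
            throw jsonError(Response.Status.UNAUTHORIZED, AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, state, "Unable to find client on AS.");
        }
        if (client == null) {
            throw jsonError(Response.Status.UNAUTHORIZED, AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, state, "Unable to find client.");
        }
        if (client.isDisabled()) {
            throw jsonError(Response.Status.UNAUTHORIZED, AuthorizeErrorResponseType.DISABLED_CLIENT, state, "Client is disabled.");
        }
        // isTrue() treats a null require_par attribute as "not required".
        if (!isPar && BooleanUtils.isTrue(client.getAttributes().getRequirePar())) {
            this.log.debug("Client can performa only PAR requests.");
            throw jsonError(Response.Status.BAD_REQUEST, AuthorizeErrorResponseType.INVALID_REQUEST, state, "Client can performa only PAR requests.");
        }
        return client;
    }

    /**
     * Checks whether the session's authentication is still fresh enough for {@code max_age}.
     *
     * <p>Falls back to the client's {@code default_max_age} when the request carries no
     * {@code max_age}; when neither is set there is no freshness constraint and the result
     * is {@code true}. If the session has no recorded authentication time the deadline is
     * computed from "now", so the check passes for any positive max_age — callers that
     * want a missing authentication time treated as stale must check it themselves.
     *
     * @param maxAge    the {@code max_age} request parameter in seconds, or {@code null}
     * @param sessionId the user's session, whose authentication time is examined
     * @param client    source of the fallback {@code default_max_age}
     * @return {@code true} when authentication time + max_age is still in the future
     */
    public boolean isAuthnMaxAgeValid(Integer maxAge, SessionId sessionId, Client client) {
        final Integer effectiveMaxAge = maxAge != null ? maxAge : client.getDefaultMaxAge();
        if (effectiveMaxAge == null) {
            return true;
        }
        final GregorianCalendar deadline = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
        final Date authnTime = sessionId.getAuthenticationTime();
        if (authnTime != null) {
            deadline.setTime(authnTime);
        }
        deadline.add(GregorianCalendar.SECOND, effectiveMaxAge);
        return deadline.after(ServerUtil.now());
    }

    /**
     * Validates the presence/exclusivity of the {@code request} and {@code request_uri}
     * parameters: both at once is never allowed, and under FAPI at least one is mandatory.
     *
     * @throws WebApplicationException {@code invalid_request}, delivered via {@code redirectUriResponse}
     */
    public void validateRequestJwt(String request, String requestUri, RedirectUriResponse redirectUriResponse) {
        final boolean hasRequest = StringUtils.isNotBlank(request);
        final boolean hasRequestUri = StringUtils.isNotBlank(requestUri);
        if (this.appConfiguration.isFapi() && !hasRequest && !hasRequestUri) {
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST, "request and request_uri are both not specified which is forbidden for FAPI.");
        }
        if (hasRequest && hasRequestUri) {
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST, "Both request and request_uri are specified which is not allowed.");
        }
    }

    /**
     * Validates the basic parameter combination (response_type, prompt, nonce, response_mode)
     * through {@link AuthorizeParamsValidator}.
     *
     * <p>On failure the error is redirected to the client only if the supplied redirect_uri
     * matches the client's registration; otherwise a direct JSON 400 is returned so that an
     * attacker-chosen redirect_uri is never used as an error target.
     *
     * @throws WebApplicationException {@code invalid_request} as redirect or JSON body
     */
    public void validate(AuthzRequest authzRequest, List<ResponseType> responseTypes, Client client) {
        final ResponseMode responseMode = authzRequest.getResponseModeEnum();
        final boolean valid = AuthorizeParamsValidator.validateParams(
                responseTypes, authzRequest.getPromptList(), authzRequest.getNonce(), this.appConfiguration.isFapi(), responseMode);
        if (valid) {
            return;
        }
        final String redirectUri = authzRequest.getRedirectUri();
        if (redirectUri == null || this.redirectionUriService.validateRedirectionUri(client, redirectUri) == null) {
            throw jsonError(Response.Status.BAD_REQUEST, AuthorizeErrorResponseType.INVALID_REQUEST, authzRequest.getState(), "Invalid redirect uri.");
        }
        final RedirectUri errorTarget = new RedirectUri(redirectUri, responseTypes, responseMode);
        errorTarget.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST, authzRequest.getState()));
        throw new WebApplicationException(RedirectUtil.getRedirectResponseBuilder(errorTarget, authzRequest.getHttpRequest()).build());
    }

    /**
     * Validates the claims of a parsed authorization request object (JAR).
     *
     * <p>Always: a present {@code aud} must name this AS. Note that an <em>absent</em>
     * {@code aud} is accepted here, unlike {@link #validateCibaRequestObject}.
     *
     * <p>Under FAPI additionally: the nested JWT must not be signed with RS256 or
     * {@code none}; a {@code redirect_uri} claim, if present, must be registered for the
     * client named in the request object; {@code exp} must be present and in the future;
     * {@code scope}, {@code nonce} and {@code redirect_uri} must be present.
     *
     * @throws WebApplicationException {@code invalid_request_object}, via redirect where
     *                                 a base redirect_uri exists, else as a JSON body
     */
    public void validateRequestObject(JwtAuthorizationRequest jwtRequest, RedirectUriResponse redirectUriResponse) {
        if (!jwtRequest.getAud().isEmpty() && !jwtRequest.getAud().contains(this.appConfiguration.getIssuer())) {
            this.log.error("Failed to match aud to AS, aud: {}", jwtRequest.getAud());
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        if (!this.appConfiguration.isFapi()) {
            return;
        }

        if (jwtRequest.getNestedJwt() != null) {
            final SignatureAlgorithm alg = jwtRequest.getNestedJwt().getHeader().getSignatureAlgorithm();
            if (alg == SignatureAlgorithm.RS256 || alg == SignatureAlgorithm.NONE) {
                this.log.error("The Nested JWT signature algorithm is not valid.");
                throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
            }
        }

        final String redirectUri = jwtRequest.getRedirectUri();
        if (redirectUri != null) {
            // The client is looked up by the client_id *inside* the request object; its
            // equality with the query client_id is checked later by validateJwtRequest.
            // An unknown client is rejected rather than passed on as null.
            final Client client = this.clientService.getClient(jwtRequest.getClientId());
            if (client == null || this.redirectionUriService.validateRedirectionUri(client, redirectUri) == null) {
                this.log.error(" unregistered redirect uri");
                throw jsonError(Response.Status.BAD_REQUEST, AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, jwtRequest.getState(), "The request has unregistered redirect_uri");
            }
        }

        if (jwtRequest.getExp() == null) {
            this.log.error("The exp claim is not set");
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        // Multiply in long: an epoch-seconds exp times 1000 does not fit in an int.
        final long expMillis = jwtRequest.getExp().longValue() * 1000L;
        final long nowMillis = new Date().getTime();
        if (expMillis < nowMillis) {
            this.log.error("Request object expired. Exp: {}, now: {}", Long.valueOf(expMillis), Long.valueOf(nowMillis));
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        if (jwtRequest.getScopes() == null || jwtRequest.getScopes().isEmpty()) {
            this.log.error("Request object does not have scope claim.");
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        if (StringUtils.isBlank(jwtRequest.getNonce())) {
            this.log.error("Request object does not have nonce claim.");
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        if (StringUtils.isBlank(redirectUri)) {
            this.log.error("Request object does not have redirect_uri claim.");
            // Without a base redirect_uri there is nowhere trustworthy to redirect the error to.
            if (redirectUriResponse.getRedirectUri().getBaseRedirectUri() == null) {
                throw jsonError(Response.Status.BAD_REQUEST, AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, jwtRequest.getState(), "Request object does not have redirect_uri claim.");
            }
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
    }

    /**
     * Validates the claims of a CIBA backchannel authentication request object.
     *
     * <p>Always: {@code aud} must be present and name this AS. Under FAPI additionally:
     * {@code exp} present and in the future; {@code scope} present; {@code iss} equal to
     * {@code clientId}; {@code iat} present and non-zero; {@code nbf} present, not in the
     * future and not older than {@code cibaMaxExpirationTimeAllowedSec}; {@code jti}
     * present; and exactly one of {@code login_hint}, {@code login_hint_token},
     * {@code id_token_hint}.
     *
     * @param jwtRequest the parsed request object
     * @param clientId   the value the {@code iss} claim must equal (presumably the client_id,
     *                   as CIBA requires — confirm against the caller)
     * @throws WebApplicationException 400 {@code invalid_request} as a JSON body (CIBA has no redirect)
     */
    public void validateCibaRequestObject(JwtAuthorizationRequest jwtRequest, String clientId) {
        if (jwtRequest.getAud().isEmpty() || !jwtRequest.getAud().contains(this.appConfiguration.getIssuer())) {
            this.log.error("Failed to match aud to AS, aud: {}", jwtRequest.getAud());
            throw cibaInvalidRequest();
        }
        if (!this.appConfiguration.isFapi()) {
            return;
        }

        if (jwtRequest.getExp() == null) {
            this.log.error("The exp claim is not set");
            throw cibaInvalidRequest();
        }
        // Multiply in long: an epoch-seconds exp times 1000 does not fit in an int.
        final long expMillis = jwtRequest.getExp().longValue() * 1000L;
        final long nowMillis = new Date().getTime();
        if (expMillis < nowMillis) {
            this.log.error("Request object expired. Exp: {}, now: {}", Long.valueOf(expMillis), Long.valueOf(nowMillis));
            throw cibaInvalidRequest();
        }
        if (jwtRequest.getScopes() == null || jwtRequest.getScopes().isEmpty()) {
            this.log.error("Request object does not have scope claim.");
            throw cibaInvalidRequest();
        }
        if (StringUtils.isEmpty(jwtRequest.getIss()) || !jwtRequest.getIss().equals(clientId)) {
            this.log.error("Request object has a wrong iss claim, iss: {}", jwtRequest.getIss());
            throw cibaInvalidRequest();
        }
        if (jwtRequest.getIat() == null || jwtRequest.getIat().intValue() == 0) {
            this.log.error("Request object has a wrong iat claim, iat: {}", jwtRequest.getIat());
            throw cibaInvalidRequest();
        }
        // Long arithmetic: Math.toIntExact(now/1000) would start throwing in 2038.
        final long nowSec = System.currentTimeMillis() / 1000L;
        final long oldestAcceptedNbf = nowSec - this.appConfiguration.getCibaMaxExpirationTimeAllowedSec();
        if (jwtRequest.getNbf() == null
                || jwtRequest.getNbf().longValue() > nowSec
                || jwtRequest.getNbf().longValue() < oldestAcceptedNbf) {
            this.log.error("Request object has a wrong nbf claim, nbf: {}", jwtRequest.getNbf());
            throw cibaInvalidRequest();
        }
        if (StringUtils.isEmpty(jwtRequest.getJti())) {
            this.log.error("Request object has a wrong jti claim, jti: {}", jwtRequest.getJti());
            throw cibaInvalidRequest();
        }
        int hintCount = 0;
        if (StringUtils.isNotBlank(jwtRequest.getLoginHint())) {
            hintCount++;
        }
        if (StringUtils.isNotBlank(jwtRequest.getLoginHintToken())) {
            hintCount++;
        }
        if (StringUtils.isNotBlank(jwtRequest.getIdTokenHint())) {
            hintCount++;
        }
        if (hintCount != 1) {
            this.log.error("Request object has too many hints or doesnt have any");
            throw cibaInvalidRequest();
        }
    }

    /**
     * Same as {@link #validateRedirectUri(Client, String, String, String, HttpServletRequest, AuthorizeErrorResponseType)}
     * reporting {@code invalid_request_redirect_uri} on failure.
     */
    public String validateRedirectUri(@NotNull Client client, @Nullable String redirectUri, @Nullable String state, @Nullable String deviceAuthzUserCode, @Nullable HttpServletRequest httpRequest) {
        return validateRedirectUri(client, redirectUri, state, deviceAuthzUserCode, httpRequest, AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI);
    }

    /**
     * Resolves the redirect target of the request: the device-authorization page when a
     * device user code is supplied, otherwise {@code redirectUri} checked against the
     * client's registered URIs.
     *
     * <p><b>FAPI caveat:</b> in FAPI mode {@code redirectUri} is returned <em>unvalidated</em>.
     * The intent appears to be that FAPI mandates a request object ({@link #validateRequestJwt})
     * whose {@code redirect_uri} claim is checked in {@link #validateRequestObject}; callers in
     * FAPI mode must therefore not use this method's result as a trusted redirect target before
     * the request object has been validated.
     *
     * @param error the error code to report when validation fails
     * @return the validated redirect target, never blank
     * @throws WebApplicationException 400 with {@code error} as a JSON body (no redirect, since
     *                                 the supplied URI is exactly what could not be trusted)
     */
    public String validateRedirectUri(@NotNull Client client, @Nullable String redirectUri, @Nullable String state, @Nullable String deviceAuthzUserCode, @Nullable HttpServletRequest httpRequest, @NotNull AuthorizeErrorResponseType error) {
        if (this.appConfiguration.isFapi()) {
            return redirectUri; // see class/method Javadoc: validated via the request object instead
        }
        final String resolved;
        if (StringUtils.isNotBlank(deviceAuthzUserCode)) {
            resolved = this.deviceAuthorizationService.getDeviceAuthorizationPage(
                    this.deviceAuthorizationService.getDeviceAuthzByUserCode(deviceAuthzUserCode), client, state, httpRequest);
        } else {
            resolved = this.redirectionUriService.validateRedirectionUri(client, redirectUri);
        }
        if (StringUtils.isBlank(resolved)) {
            // Deliberately no media type here, matching the original response shape.
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST)
                    .entity(this.errorResponseFactory.getErrorAsJson(error, state, ""))
                    .build());
        }
        return resolved;
    }

    /**
     * Logs {@code reason} and throws an {@code invalid_request_object} error redirected to
     * the (caller-validated) redirect_uri in {@code redirectUriResponse}.
     *
     * @param reason diagnostic text; logged at debug only, never sent to the client
     */
    public void throwInvalidJwtRequestExceptionAsJwtMode(RedirectUriResponse redirectUriResponse, String reason, String state, HttpServletRequest httpRequest) {
        this.log.debug(reason);
        this.log.debug("Invalid JWT authorization request.");
        final RedirectUri target = redirectUriResponse.getRedirectUri();
        target.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, state));
        throw new WebApplicationException(RedirectUtil.getRedirectResponseBuilder(target, httpRequest).build());
    }

    /**
     * Builds an {@code invalid_request_object} error. Outside FAPI the {@code reason} is
     * included in the response; under FAPI it is only logged, so the client receives no
     * detail about why the request object was rejected.
     */
    public WebApplicationException createInvalidJwtRequestException(RedirectUriResponse redirectUriResponse, String reason) {
        if (this.appConfiguration.isFapi()) {
            this.log.debug(reason);
            return redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        return redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, reason);
    }

    /**
     * Enforces {@code requirePkce}: when enabled, a request without {@code code_challenge}
     * is rejected with {@code invalid_request}. The challenge's format/method is not
     * checked here.
     */
    public void validatePkce(String codeChallenge, RedirectUriResponse redirectUriResponse) {
        if (!BooleanUtils.isTrue(this.appConfiguration.getRequirePkce())) {
            return;
        }
        if (Strings.isNullOrEmpty(codeChallenge)) {
            this.log.error("PKCE is required but code_challenge is blank.");
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST);
        }
    }

    /**
     * Rejects {@code acr_values} the client is not authorized for (an empty authorized
     * list means "no restriction"), then reconciles the requested ACR with the current
     * session via {@link #checkAcrChanged}.
     *
     * @throws AcrChangedException when the session's ACR no longer matches and
     *                             re-authentication is not to be forced automatically
     */
    public void validateAcrs(AuthzRequest authzRequest, Client client) throws AcrChangedException {
        final List<String> authorizedAcrs = client.getAttributes().getAuthorizedAcrValues();
        if (!authorizedAcrs.isEmpty() && !authorizedAcrs.containsAll(authzRequest.getAcrValuesList())) {
            throw authzRequest.getRedirectUriResponse().createWebException(AuthorizeErrorResponseType.INVALID_REQUEST, "Restricted acr value request, please review the list of authorized acr values for this client");
        }
        checkAcrChanged(authzRequest, this.identity.getSessionId());
    }

    /**
     * Asks the session service whether the authenticated session still satisfies the
     * requested ACR. If it does not and the service asks for forced re-authentication,
     * {@code prompt=login} is added to the request, the session is downgraded to
     * UNAUTHENTICATED, persisted (or updated when persisting fails) and an
     * UNAUTHENTICATED session event is published; otherwise the exception propagates.
     */
    private void checkAcrChanged(AuthzRequest authzRequest, SessionId sessionId) throws AcrChangedException {
        try {
            this.sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(sessionId, authzRequest.getAcrValues());
        } catch (AcrChangedException e) {
            if (!e.isForceReAuthentication()) {
                throw e;
            }
            final ArrayList<Prompt> prompts = Lists.newArrayList(authzRequest.getPromptList());
            if (prompts.contains(Prompt.LOGIN)) {
                return;
            }
            this.log.info("ACR is changed, adding prompt=login to prompts");
            prompts.add(Prompt.LOGIN);
            authzRequest.setPrompt(io.jans.as.model.util.StringUtils.implode(prompts, " "));
            sessionId.setState(SessionIdState.UNAUTHENTICATED);
            sessionId.getSessionAttributes().put("prompt", authzRequest.getPrompt());
            if (!this.sessionIdService.persistSessionId(sessionId)) {
                this.log.trace("Unable persist session_id, trying to update it.");
                this.sessionIdService.updateSessionId(sessionId);
            }
            this.sessionIdService.externalEvent(new SessionEvent(SessionEventType.UNAUTHENTICATED, sessionId));
        }
    }

    /**
     * Runs the full request-object validation: the object's own {@code validate()},
     * {@link #validateRequestObject}, and then a consistency check that the JWT's
     * {@code response_type} set equals the query's and that its {@code client_id}
     * equals the query's.
     *
     * <p>Error handling is fail-closed: a malformed JWT is answered with an
     * {@code invalid_request_object} redirect, and any unexpected exception thrown by a
     * validator is logged and turned into an {@code invalid_request_object} error rather
     * than letting an unverified request object proceed.
     *
     * @param clientId      the query {@code client_id} the JWT's claim must match
     * @param state         the query {@code state}, echoed in the error redirect
     * @param responseTypes the query {@code response_type} set the JWT's claim must match
     * @throws WebApplicationException on any validation failure
     */
    public void validateJwtRequest(String clientId, String state, HttpServletRequest httpRequest, List<ResponseType> responseTypes, RedirectUriResponse redirectUriResponse, JwtAuthorizationRequest jwtRequest) {
        try {
            jwtRequest.validate();
            validateRequestObject(jwtRequest, redirectUriResponse);

            final List<ResponseType> jwtResponseTypes = jwtRequest.getResponseTypes();
            final boolean sameResponseTypes = jwtResponseTypes.containsAll(responseTypes) && responseTypes.containsAll(jwtResponseTypes);
            if (!sameResponseTypes) {
                throw createInvalidJwtRequestException(redirectUriResponse, "The responseType parameter is not the same in the JWT");
            }
            if (StringUtils.isBlank(jwtRequest.getClientId()) || !jwtRequest.getClientId().equals(clientId)) {
                throw createInvalidJwtRequestException(redirectUriResponse, "The clientId parameter is not the same in the JWT");
            }
        } catch (WebApplicationException | InvalidRedirectUrlException e) {
            throw e;
        } catch (InvalidJwtException e) {
            this.log.debug("Invalid JWT authorization request. {}", e.getMessage());
            final RedirectUri target = redirectUriResponse.getRedirectUri();
            target.parseQueryString(this.errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT, state));
            throw new WebApplicationException(RedirectUtil.getRedirectResponseBuilder(target, httpRequest).build());
        } catch (Exception e) {
            // Fail closed. Previously this only logged, which let a request object whose
            // validation crashed (e.g. a null claim) continue as if it had passed. The
            // detail stays in the log; the client gets a generic error.
            this.log.error("Unexpected exception. " + e.getMessage(), e);
            throw createInvalidJwtRequestException(redirectUriResponse, "Unable to validate the request object");
        }
    }

    /**
     * Enforces {@code forceSignedRequestObject}: when enabled, a request carrying neither
     * {@code request} nor {@code request_uri} is rejected. Whether the object is actually
     * signed is verified elsewhere.
     */
    public void checkSignedRequestRequired(AuthzRequest authzRequest) {
        final boolean forceSigned = Boolean.TRUE.equals(this.appConfiguration.getForceSignedRequestObject());
        if (forceSigned && StringUtils.isBlank(authzRequest.getRequest()) && StringUtils.isBlank(authzRequest.getRequestUri())) {
            throw createInvalidJwtRequestException(authzRequest.getRedirectUriResponse(), "A signed request object is required");
        }
    }

    /** Builds a non-redirecting JSON error response for the authorization endpoint. */
    private WebApplicationException jsonError(Response.Status status, AuthorizeErrorResponseType error, String state, String reason) {
        return new WebApplicationException(Response.status(status)
                .entity(this.errorResponseFactory.getErrorAsJson(error, state, reason))
                .type(MediaType.APPLICATION_JSON_TYPE)
                .build());
    }

    /** Builds the CIBA {@code invalid_request} 400 response (no media type, as before). */
    private WebApplicationException cibaInvalidRequest() {
        return new WebApplicationException(Response.status(Response.Status.BAD_REQUEST)
                .entity(this.errorResponseFactory.getErrorAsJson(BackchannelAuthenticationErrorResponseType.INVALID_REQUEST))
                .build());
    }
}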
