package io.jans.as.server.ssa.ws.rs;

import io.jans.as.common.model.registration.Client;
import io.jans.as.common.model.ssa.Ssa;
import io.jans.as.common.model.ssa.SsaState;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.ssa.SsaErrorResponseType;
import io.jans.as.server.model.session.SessionClient;
import io.jans.as.server.security.Identity;
import io.jans.as.server.service.ScopeService;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import java.util.Arrays;
import java.util.Calendar;
import java.util.List;
import java.util.Objects;
import java.util.TimeZone;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.slf4j.Logger;

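/**
 * Validation helpers for the SSA (Software Statement Assertion) REST endpoints.
 *
 * <p>Every check fails closed: a missing client, missing scopes, or an SSA that is
 * absent, expired or not {@link SsaState#ACTIVE} ends in a
 * {@link WebApplicationException} rather than in a silent pass or an unhandled
 * {@link NullPointerException}.
 */
@Named
@Stateless
/* loaded from: input_file:io/jans/as/server/ssa/ws/rs/SsaRestWebServiceValidator.class */
public class SsaRestWebServiceValidator {

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private Identity identity;

    @Inject
    private ScopeService scopeService;

    @Inject
    private SsaService ssaService;

    /**
     * Returns the client bound to the current session.
     *
     * @return the authenticated client, never {@code null}
     * @throws WebApplicationException bad-request / {@code INVALID_CLIENT} when the identity
     *         carries no session client, or the session client carries no client
     */
    public Client getClientFromSession() throws WebApplicationException {
        SessionClient sessionClient = this.identity.getSessionClient();
        Client client = sessionClient != null ? sessionClient.getClient() : null;
        // A session without a client is rejected the same way as no session at all,
        // instead of dereferencing null in the log call below.
        if (client == null) {
            throw this.errorResponseFactory.createBadRequestException(SsaErrorResponseType.INVALID_CLIENT, "Invalid client");
        }
        this.log.debug("Client: {}, obtained from session", client.getClientId());
        return client;
    }

    /**
     * Requires that the client has been granted the given scope.
     *
     * @param client client whose scopes are resolved through {@link ScopeService}
     * @param str    scope id the caller must hold
     * @throws WebApplicationException 401 / {@code UNAUTHORIZED_CLIENT} when the client,
     *         its scopes or {@code str} is missing, or the scope is not granted
     */
    public void checkScopesPolicy(Client client, String str) throws WebApplicationException {
        if (str == null || !hasAnyGrantedScope(client, Arrays.asList(str))) {
            throw unauthorizedClient();
        }
    }

    /**
     * Requires that the client has been granted at least one of the given scopes.
     *
     * @param client client whose scopes are resolved through {@link ScopeService}
     * @param list   acceptable scope ids; any single match is sufficient
     * @throws WebApplicationException 401 / {@code UNAUTHORIZED_CLIENT} when the client,
     *         its scopes or {@code list} is missing or empty, or no listed scope is granted
     */
    public void checkScopesPolicy(Client client, List<String> list) throws WebApplicationException {
        if (!hasAnyGrantedScope(client, list)) {
            throw unauthorizedClient();
        }
    }

    /**
     * Looks up an SSA by its {@code jti} and returns it only when it is still usable.
     *
     * @param str the {@code jti} of the SSA
     * @return the SSA when it exists, has not expired and is in state {@code ACTIVE}
     * @throws WebApplicationException with HTTP status 422 otherwise
     */
    public Ssa getValidSsaByJti(String str) {
        Ssa ssa = this.ssaService.findSsaByJti(str);
        if (isUsable(ssa)) {
            return ssa;
        }
        // NOTE(review): the jti is presumably request-supplied; confirm the log layout
        // neutralises CR/LF so a crafted value cannot forge log entries.
        this.log.warn("Ssa jti: '{}' is null or status (expired, used or revoked)", str);
        throw new WebApplicationException(Response.status(422).build());
    }

    /** Decides whether any non-null candidate scope id is among the client's resolved scope ids. */
    private boolean hasAnyGrantedScope(Client client, List<String> candidateScopeIds) {
        if (client == null || client.getScopes() == null || candidateScopeIds == null || candidateScopeIds.isEmpty()) {
            return false;
        }
        List<String> clientScopeDns = Arrays.stream(client.getScopes()).collect(Collectors.toList());
        List<String> grantedScopeIds = this.scopeService.getScopeIdsByDns(clientScopeDns);
        if (grantedScopeIds == null) {
            return false;
        }
        // Null candidates are dropped first: contains(null) throws on null-hostile lists.
        return candidateScopeIds.stream().filter(Objects::nonNull).anyMatch(grantedScopeIds::contains);
    }

    /** Tells whether the SSA exists, has an expiration date that has not passed, and is ACTIVE. */
    private boolean isUsable(Ssa ssa) {
        if (ssa == null || ssa.getExpirationDate() == null) {
            // An SSA without an expiration date is treated as invalid rather than as never expiring.
            return false;
        }
        boolean expired = Calendar.getInstance(TimeZone.getTimeZone("UTC")).getTime().after(ssa.getExpirationDate());
        // Constant-first comparison: a null state counts as "not active" instead of throwing.
        return !expired && SsaState.ACTIVE.equals(ssa.getState());
    }

    /** Builds the 401 / UNAUTHORIZED_CLIENT response shared by both scope checks. */
    private WebApplicationException unauthorizedClient() {
        return this.errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, SsaErrorResponseType.UNAUTHORIZED_CLIENT, "Unauthorized client");
    }
}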
