package io.jans.as.server.auth;

import com.nimbusds.jose.jwk.JWKException;
import io.jans.as.common.model.registration.Client;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.CryptoProviderException;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwk.JSONWebKey;
import io.jans.as.model.jwk.JSONWebKeySet;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtType;
import io.jans.as.model.token.TokenErrorResponseType;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.common.DPoPJti;
import io.jans.as.server.util.ServerUtil;
import io.jans.service.CacheService;
import jakarta.ejb.DependsOn;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Date;
import java.util.UUID;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;

@DependsOn({"appInitializer"})
@Named
/* loaded from: input_file:io/jans/as/server/auth/DpopService.class */
public class DpopService {
    public static final String NO_CACHE = "no-cache";
    public static final String PRAGMA = "Pragma";
    public static final String DPOP_NONCE = "DPoP-Nonce";
    public static final String DPOP = "DPoP";

    @Inject
    private Logger log;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private CacheService cacheService;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    public void validateDpopValuesCount(HttpServletRequest httpServletRequest) {
        validateDpopValuesCount(httpServletRequest.getParameterValues(DPOP));
    }

    public void validateDpopValuesCount(String[] strArr) {
        if (strArr == null || strArr.length <= 1) {
            return;
        }
        this.log.trace("Multiple DPoP header values are not allowed. Count: {}", Integer.valueOf(strArr.length));
        throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(TokenErrorResponseType.INVALID_DPOP_PROOF, "Multiple DPoP header values")).cacheControl(ServerUtil.cacheControl(true, false)).header(PRAGMA, NO_CACHE).build());
    }

    public boolean validateDpop(String str) {
        try {
            return validateDpop(Jwt.parseOrThrow(str));
        } catch (InvalidJwtException e) {
            this.log.error("Failed to validate dpop: " + str, e);
            return false;
        }
    }

    public boolean validateDpop(Jwt jwt) {
        try {
            validateDpopHeader(jwt);
            validateDpopPayload(jwt);
            JSONWebKey fromJSONObject = JSONWebKey.fromJSONObject(jwt.getHeader().getJwk());
            return validateDpopSignature(jwt, fromJSONObject, fromJSONObject.getJwkThumbprint());
        } catch (InvalidJwtException e) {
            this.log.error("Failed to validate dpop: " + jwt, e);
            return false;
        } catch (WebApplicationException e2) {
            throw e2;
        } catch (Exception e3) {
            this.log.error("Invalid dpop: " + jwt, e3);
            return false;
        }
    }

    private boolean validateDpopSignature(Jwt jwt, JSONWebKey jSONWebKey, String str) throws InvalidJwtException, CryptoProviderException {
        if (str == null) {
            throw new InvalidJwtException("Invalid DPoP Proof Header. The jwk header is not valid.");
        }
        JSONWebKeySet jSONWebKeySet = new JSONWebKeySet();
        jSONWebKeySet.getKeys().add(jSONWebKey);
        return this.cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(), (String) null, jSONWebKeySet.toJSONObject(), (String) null, jwt.getHeader().getSignatureAlgorithm());
    }

    private void validateDpopPayload(Jwt jwt) throws InvalidJwtException {
        if (StringUtils.isBlank(jwt.getClaims().getClaimAsString("htm"))) {
            throw new InvalidJwtException("Invalid DPoP Proof Payload. The htm param is required.");
        }
        if (StringUtils.isBlank(jwt.getClaims().getClaimAsString("htu"))) {
            throw new InvalidJwtException("Invalid DPoP Proof Payload. The htu param is required");
        }
        if (jwt.getClaims().getClaimAsLong("iat") == null) {
            throw new InvalidJwtException("Invalid DPoP Proof Payload. The iat param is required.");
        }
        if (StringUtils.isBlank(jwt.getClaims().getClaimAsString("jti"))) {
            throw new InvalidJwtException("Invalid DPoP Proof Payload. The jti param is required");
        }
        String claimAsString = jwt.getClaims().getClaimAsString("jti");
        Long claimAsLong = jwt.getClaims().getClaimAsLong("iat");
        String claimAsString2 = jwt.getClaims().getClaimAsString("htu");
        String claimAsString3 = jwt.getClaims().getClaimAsString("nonce");
        String str = "dpop_jti_" + claimAsString;
        DPoPJti dPoPJti = (DPoPJti) this.cacheService.get(str);
        if ((new Date().getTime() - claimAsLong.longValue()) / 1000 > this.appConfiguration.getDpopTimeframe()) {
            throw new InvalidJwtException("The DPoP token has expired.");
        }
        if (dPoPJti != null) {
            throw new InvalidJwtException("Invalid DPoP Proof. The jti param has been used before.");
        }
        this.cacheService.put(this.appConfiguration.getDpopJtiCacheTime(), str, new DPoPJti(claimAsString, claimAsLong, claimAsString2));
        if (BooleanUtils.isTrue(this.appConfiguration.getDpopUseNonce())) {
            if (StringUtils.isBlank(claimAsString3)) {
                throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(TokenErrorResponseType.USE_DPOP_NONCE, "Nonce is not set")).cacheControl(ServerUtil.cacheControl(true, false)).header(PRAGMA, NO_CACHE).header(DPOP_NONCE, generateNonce()).build());
            }
            if (this.cacheService.get(claimAsString3) == null) {
                throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(TokenErrorResponseType.USE_NEW_DPOP_NONCE, "New nonce value is required")).cacheControl(ServerUtil.cacheControl(true, false)).header(PRAGMA, NO_CACHE).header(DPOP_NONCE, generateNonce()).build());
            }
        }
    }

    private String generateNonce() {
        String uuid = UUID.randomUUID().toString();
        this.cacheService.put(this.appConfiguration.getDpopNonceCacheTime(), uuid, uuid);
        return uuid;
    }

    private void validateDpopHeader(Jwt jwt) throws InvalidJwtException {
        if (jwt.getHeader().getType() != JwtType.DPOP_PLUS_JWT) {
            throw new InvalidJwtException("Invalid DPoP Proof Header. The typ header must be dpop+jwt.");
        }
        if (jwt.getHeader().getSignatureAlgorithm() == null) {
            throw new InvalidJwtException("Invalid DPoP Proof Header. The typ header must be dpop+jwt.");
        }
        if (jwt.getHeader().getJwk() == null) {
            throw new InvalidJwtException("Invalid DPoP Proof Header. The jwk header is required.");
        }
    }

    private Response response(Response.ResponseBuilder responseBuilder, OAuth2AuditLog oAuth2AuditLog) {
        responseBuilder.cacheControl(ServerUtil.cacheControl(true, false));
        responseBuilder.header(PRAGMA, NO_CACHE);
        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return responseBuilder.build();
    }

    private Response.ResponseBuilder error(int i, TokenErrorResponseType tokenErrorResponseType, String str) {
        return Response.status(i).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(tokenErrorResponseType, str));
    }

    public String getDpopJwkThumbprint(String str) throws InvalidJwtException, NoSuchAlgorithmException, JWKException, NoSuchProviderException {
        return JSONWebKey.fromJSONObject(Jwt.parseOrThrow(str).getHeader().getJwk()).getJwkThumbprint();
    }

    public String getDPoPJwkThumbprint(HttpServletRequest httpServletRequest, Client client, OAuth2AuditLog oAuth2AuditLog) {
        try {
            String header = httpServletRequest.getHeader(DPOP);
            boolean isBlank = StringUtils.isBlank(header);
            if (BooleanUtils.isTrue(client.getAttributes().getDpopBoundAccessToken()) && isBlank) {
                this.log.debug("Client requires DPoP bound access token. Invalid request - DPoP header is not set.");
                throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_DPOP_PROOF, "Invalid request - DPoP header is not set."), oAuth2AuditLog));
            }
            if (isBlank) {
                return null;
            }
            String dpopJwkThumbprint = getDpopJwkThumbprint(header);
            if (dpopJwkThumbprint == null) {
                throw new InvalidJwtException("Invalid DPoP Proof Header. The jwk header is not valid.");
            }
            return dpopJwkThumbprint;
        } catch (InvalidJwtException | JWKException | NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new WebApplicationException(response(error(400, TokenErrorResponseType.INVALID_DPOP_PROOF, e.getMessage()), oAuth2AuditLog));
        }
    }

    public void validateDpopThumprintIsPresent(String str, String str2) {
        if (BooleanUtils.isTrue(this.appConfiguration.getDpopJktForceForAuthorizationCode()) && StringUtils.isBlank(str)) {
            throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST.getStatusCode()).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, str2, "dpop_jkt is absent")).build());
        }
    }

    public void validateDpopThumprint(String str, String str2) {
        if ((StringUtils.isBlank(str) && BooleanUtils.isFalse(this.appConfiguration.getDpopJktForceForAuthorizationCode())) || StringUtils.equals(str, str2)) {
            return;
        }
        this.log.debug("DPoP Thumprint between saved one '{}' and send in request '{}' does NOT match. Reject request.", str, str2);
        throw new WebApplicationException(Response.status(Response.Status.BAD_REQUEST).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(TokenErrorResponseType.INVALID_DPOP_PROOF, "Thumprint does not match")).cacheControl(ServerUtil.cacheControl(true, false)).header(PRAGMA, NO_CACHE).build());
    }
}
