package io.jans.as.server.uma.service;

import com.google.common.base.Joiner;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
import io.jans.as.common.model.registration.Client;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.config.WebKeysConfiguration;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.signature.RSAPublicKey;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.jwk.JSONWebKey;
import io.jans.as.model.jwk.KeyType;
import io.jans.as.model.jws.RSASigner;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.uma.ClaimTokenFormatType;
import io.jans.as.model.uma.UmaErrorResponseType;
import io.jans.as.model.uma.UmaPermissionList;
import io.jans.as.model.uma.UmaScopeType;
import io.jans.as.model.uma.persistence.UmaPermission;
import io.jans.as.model.uma.persistence.UmaResource;
import io.jans.as.model.util.Util;
import io.jans.as.persistence.model.Scope;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.RedirectionUriService;
import io.jans.as.server.service.token.TokenService;
import io.jans.as.server.uma.authorization.UmaPCT;
import io.jans.as.server.uma.authorization.UmaRPT;
import io.jans.as.server.uma.authorization.UmaWebException;
import io.jans.as.server.util.ServerUtil;
import io.jans.orm.exception.EntryPersistenceException;
import io.jans.util.StringHelper;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.core.Response;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.slf4j.Logger;

@Named
@Stateless
/* loaded from: input_file:io/jans/as/server/uma/service/UmaValidationService.class */
public class UmaValidationService {

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private TokenService tokenService;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private UmaResourceService resourceService;

    @Inject
    private UmaScopeService umaScopeService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private UmaPermissionService permissionService;

    @Inject
    private UmaPctService pctService;

    @Inject
    private UmaRptService rptService;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private ClientService clientService;

    @Inject
    private UmaExpressionService expressionService;

    public AuthorizationGrant assertHasProtectionScope(String str) {
        return validateAuthorization(str, UmaScopeType.PROTECTION);
    }

    private AuthorizationGrant validateAuthorization(String str, UmaScopeType umaScopeType) {
        this.log.trace("Validate authorization: {}", str);
        if (StringHelper.isEmpty(str)) {
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, UmaErrorResponseType.UNAUTHORIZED_CLIENT, "Authorization header is blank.");
        }
        String token = this.tokenService.getToken(str);
        if (StringHelper.isEmpty(token)) {
            this.log.debug("Token is invalid.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, UmaErrorResponseType.UNAUTHORIZED_CLIENT, "Token is invalid.");
        }
        AuthorizationGrant authorizationGrantByAccessToken = this.authorizationGrantList.getAuthorizationGrantByAccessToken(token);
        if (authorizationGrantByAccessToken == null) {
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, UmaErrorResponseType.ACCESS_DENIED, "Unable to find authorization grant by token.");
        }
        if (authorizationGrantByAccessToken.getScopes().contains(umaScopeType.getValue())) {
            return authorizationGrantByAccessToken;
        }
        throw this.errorResponseFactory.createWebApplicationException(Response.Status.NOT_ACCEPTABLE, UmaErrorResponseType.INVALID_CLIENT_SCOPE, "Client does not have scope: " + umaScopeType.getValue());
    }

    public UmaRPT validateRPT(String str) {
        if (!StringUtils.isNotBlank(str)) {
            return null;
        }
        UmaRPT rPTByCode = this.rptService.getRPTByCode(str);
        if (rPTByCode == null) {
            this.log.error("RPT is null, rptCode: {}", str);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RPT, "RPT is null, rptCode: " + str);
        }
        rPTByCode.checkExpired();
        if (rPTByCode.isValid()) {
            return rPTByCode;
        }
        this.log.error("RPT is not valid. Revoked: {}, Expired: {}, rptCode: {}", new Object[]{Boolean.valueOf(rPTByCode.isRevoked()), Boolean.valueOf(rPTByCode.isExpired()), str});
        throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RPT, String.format("RPT is not valid. Revoked: %s, Expired: %s, rptCode: %s", Boolean.valueOf(rPTByCode.isRevoked()), Boolean.valueOf(rPTByCode.isExpired()), str));
    }

    public void validatePermissions(List<UmaPermission> list) {
        Iterator<UmaPermission> it = list.iterator();
        while (it.hasNext()) {
            validatePermission(it.next());
        }
    }

    public void validatePermission(UmaPermission umaPermission) {
        if (umaPermission == null || "invalidated".equalsIgnoreCase(umaPermission.getStatus())) {
            this.log.error("Permission is null or otherwise invalidated. Status: {}", umaPermission != null ? umaPermission.getStatus() : "No permissions.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_TICKET, "Permission is null or otherwise invalidated. Status: " + (umaPermission != null ? umaPermission.getStatus() : "No permissions."));
        }
        umaPermission.checkExpired();
        if (umaPermission.isValid()) {
            return;
        }
        this.log.error("Permission is not valid.");
        throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.EXPIRED_TICKET, "Permission is not valid.");
    }

    public void validatePermissions(UmaPermissionList umaPermissionList, Client client) {
        Iterator it = umaPermissionList.iterator();
        while (it.hasNext()) {
            validatePermission((io.jans.as.model.uma.UmaPermission) it.next(), client);
        }
    }

    public void validatePermission(io.jans.as.model.uma.UmaPermission umaPermission, Client client) {
        String resourceId = umaPermission.getResourceId();
        if (StringHelper.isEmpty(resourceId)) {
            this.log.error("Resource id is empty");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_ID, "Resource id is empty");
        }
        try {
            UmaResource resourceById = this.resourceService.getResourceById(resourceId);
            if (resourceById == null) {
                this.log.error("Resource isn't registered or there are two resources with same Id");
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_ID, "Resource is not registered.");
            }
            for (String str : umaPermission.getScopes()) {
                if (!resourceById.getScopes().contains(str) && this.umaScopeService.getOrCreate(client, str, Sets.newHashSet(this.umaScopeService.getScopeIdsByDns(resourceById.getScopes()))) == null) {
                    this.log.error("Scope isn't registered and is not allowed by spontaneous scopes. Scope: {}", str);
                    throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_SCOPE, "At least one of the scopes isn't registered");
                }
            }
        } catch (EntryPersistenceException e) {
            this.log.error(e.getMessage(), e);
            this.log.error("Resource isn't registered");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_ID, "Resource isn't registered");
        }
    }

    public void validateGrantType(String str) {
        this.log.trace("Validate grantType: {}", str);
        if (!GrantType.UMA_TICKET.getValue().equals(str)) {
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_ID, "No required grant_type: " + GrantType.UMA_TICKET.getValue());
        }
    }

    public List<UmaPermission> validateTicket(String str) {
        if (StringUtils.isBlank(str)) {
            this.log.error("Ticket is blank.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_TICKET, "Ticket is null or blank.");
        }
        List<UmaPermission> permissionsByTicket = this.permissionService.getPermissionsByTicket(str);
        if (permissionsByTicket != null && !permissionsByTicket.isEmpty()) {
            return permissionsByTicket;
        }
        if (this.log.isErrorEnabled()) {
            this.log.error("Unable to find permissions registered for given ticket: {}", Util.escapeLog(str));
        }
        throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_TICKET, "Unable to find permissions registered for given ticket:" + str);
    }

    public List<UmaPermission> validateTicketWithRedirect(String str, String str2, String str3) {
        if (StringUtils.isBlank(str)) {
            this.log.error("Ticket is null or blank.");
            throw new UmaWebException(str2, this.errorResponseFactory, UmaErrorResponseType.INVALID_TICKET, str3);
        }
        List<UmaPermission> permissionsByTicket = this.permissionService.getPermissionsByTicket(str);
        if (permissionsByTicket != null && !permissionsByTicket.isEmpty()) {
            return permissionsByTicket;
        }
        if (this.log.isErrorEnabled()) {
            this.log.error("Unable to find permissions registered for given ticket:{}", Util.escapeLog(str));
        }
        throw new UmaWebException(str2, this.errorResponseFactory, UmaErrorResponseType.INVALID_TICKET, str3);
    }

    public Jwt validateClaimToken(String str, String str2) {
        if (!StringUtils.isNotBlank(str)) {
            if (!StringUtils.isNotBlank(str2)) {
                return null;
            }
            this.log.error("claim_token is blank but claim_token_format is not blank. Both must be blank or both must be not blank");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLAIM_TOKEN, "claim_token is blank but claim_token_format is not blank. Both must be blank or both must be not blank");
        }
        if (!ClaimTokenFormatType.isValueValid(str2)) {
            this.log.error("claim_token_format is unsupported. Supported format is http://openid.net/specs/openid-connect-core-1_0.html#IDToken");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLAIM_TOKEN_FORMAT, "claim_token_format is unsupported. Supported format is http://openid.net/specs/openid-connect-core-1_0.html#IDToken");
        }
        try {
            Jwt parse = Jwt.parse(str);
            if (!BooleanUtils.isTrue(this.appConfiguration.getUmaValidateClaimToken()) || isIdTokenValid(parse)) {
                return parse;
            }
            this.log.error("claim_token validation failed.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLAIM_TOKEN, "claim_token validation failed.");
        } catch (Exception e) {
            this.log.error("Failed to parse claim_token as valid id_token.", e);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLAIM_TOKEN, "Failed to parse claim_token as valid id_token.");
        }
    }

    public boolean isIdTokenValid(Jwt jwt) {
        try {
            String claimAsString = jwt.getClaims().getClaimAsString("iss");
            Date claimAsDate = jwt.getClaims().getClaimAsDate("exp");
            Date date = new Date();
            if (date.after(claimAsDate)) {
                this.log.error("ID Token is expired. (It is after {}).", date);
                return false;
            }
            if (!claimAsString.equals(this.appConfiguration.getIssuer())) {
                this.log.error("ID Token issuer is invalid. Token issuer: {}, server issuer: {}", claimAsString, this.appConfiguration.getIssuer());
                return false;
            }
            String claimAsString2 = jwt.getHeader().getClaimAsString("kid");
            String claimAsString3 = jwt.getHeader().getClaimAsString("alg");
            RSAPublicKey publicKey = getPublicKey(claimAsString2);
            if (publicKey == null) {
                this.log.error("Failed to get RSA public key.");
                return false;
            }
            if (new RSASigner(SignatureAlgorithm.fromString(claimAsString3), publicKey).validate(jwt)) {
                this.log.debug("ID Token is successfully validated.");
                return true;
            }
            this.log.error("ID Token signature is invalid.");
            return false;
        } catch (Exception e) {
            this.log.error("Failed to validate id_token. Message: " + e.getMessage(), e);
            return false;
        }
    }

    private RSAPublicKey getPublicKey(String str) {
        JSONWebKey key = this.webKeysConfiguration.getKey(str);
        if (key == null || key.getKty() != KeyType.RSA) {
            return null;
        }
        return new RSAPublicKey(key.getN(), key.getE());
    }

    public UmaPCT validatePct(String str) {
        if (!StringUtils.isNotBlank(str)) {
            return null;
        }
        UmaPCT byCode = this.pctService.getByCode(str);
        if (byCode == null) {
            this.log.error("Failed to find PCT with pctCode: {}", str);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, UmaErrorResponseType.INVALID_PCT, "Failed to find PCT with pctCode: " + str);
        }
        byCode.checkExpired();
        if (byCode.isValid()) {
            this.log.trace("PCT is validated successfully, pct: {}", str);
            return byCode;
        }
        this.log.error("PCT is not valid. Revoked: {}, Expired: {}, pctCode: {}", new Object[]{Boolean.valueOf(byCode.isRevoked()), Boolean.valueOf(byCode.isExpired()), str});
        throw this.errorResponseFactory.createWebApplicationException(Response.Status.UNAUTHORIZED, UmaErrorResponseType.INVALID_PCT, "PCT is not valid. Revoked: " + byCode.isRevoked() + ", Expired: " + byCode.isExpired() + ", pctCode: " + str);
    }

    public Map<Scope, Boolean> validateScopes(String str, List<UmaPermission> list, Client client) {
        String urlDecode = ServerUtil.urlDecode(str);
        String[] split = StringUtils.isNotBlank(urlDecode) ? urlDecode.split(" ") : new String[0];
        HashMap hashMap = new HashMap();
        if (ArrayUtils.isNotEmpty(split)) {
            Set<String> resourceScopes = this.resourceService.getResourceScopes((Set) list.stream().map((v0) -> {
                return v0.getResourceId();
            }).collect(Collectors.toSet()));
            for (String str2 : split) {
                Scope orCreate = this.umaScopeService.getOrCreate(client, str2, resourceScopes);
                if (orCreate != null) {
                    hashMap.put(orCreate, true);
                } else {
                    this.log.trace("Skip requested scope because it's not allowed, scope: {}", str2);
                }
            }
        }
        Iterator<UmaPermission> it = list.iterator();
        while (it.hasNext()) {
            Iterator<Scope> it2 = this.umaScopeService.getScopesByDns(it.next().getScopeDns()).iterator();
            while (it2.hasNext()) {
                hashMap.put(it2.next(), false);
            }
        }
        if (hashMap.isEmpty()) {
            this.log.error("There are no any scopes requested in the request.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_SCOPE, "There are no any scopes requested in give request.");
        }
        if (this.log.isTraceEnabled()) {
            this.log.trace("CandidateGrantedScopes: {}", Joiner.on(", ").join(Iterables.transform(hashMap.keySet(), (v0) -> {
                return v0.getId();
            })));
        }
        return hashMap;
    }

    public void validateScopeExpression(String str) {
        if (!StringUtils.isNotBlank(str) || this.expressionService.isExpressionValid(str)) {
            return;
        }
        if (this.log.isErrorEnabled()) {
            this.log.error("Scope expression is invalid. Expression: {}", Util.escapeLog(str));
        }
        throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_SCOPE, "Scope expression is invalid. Expression: " + str);
    }

    public Client validateClientAndClaimsRedirectUri(String str, String str2, String str3) {
        if (StringUtils.isBlank(str)) {
            if (this.log.isErrorEnabled()) {
                this.log.error("Invalid clientId: {}", Util.escapeLog(str));
            }
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLIENT_ID, "Invalid clientId: " + str);
        }
        Client client = this.clientService.getClient(str);
        if (client == null) {
            if (this.log.isErrorEnabled()) {
                this.log.error("Failed to find client with client_id: {}", Util.escapeLog(str));
            }
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLIENT_ID, "Failed to find client with client_id:" + str);
        }
        if (!StringUtils.isNotBlank(str2)) {
            this.log.trace("claims_redirect_uri is blank");
            if (client.getClaimRedirectUris() != null && client.getClaimRedirectUris().length == 1) {
                this.log.trace("claims_redirect_uri is blank and only one claims_redirect_uri is registered.");
                return client;
            }
        } else {
            if (ArrayUtils.isEmpty(client.getClaimRedirectUris())) {
                if (this.log.isErrorEnabled()) {
                    this.log.error("Client does not have claims_redirect_uri specified, clientId: {}", Util.escapeLog(str));
                }
                throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLAIMS_REDIRECT_URI, "Client does not have claims_redirect_uri specified, clientId: " + str);
            }
            String equalRedirectUri = getEqualRedirectUri(str2, client.getClaimRedirectUris());
            if (equalRedirectUri != null) {
                this.log.trace("Found match for claims_redirect_uri : {}", equalRedirectUri);
                return client;
            }
            if (this.log.isTraceEnabled()) {
                this.log.trace("Failed to find match for claims_redirect_uri : {}, client claimRedirectUris: {}", Util.escapeLog(str2), Arrays.toString(client.getClaimRedirectUris()));
            }
        }
        if (!StringUtils.isBlank(str2)) {
            throw new UmaWebException(str2, this.errorResponseFactory, UmaErrorResponseType.INVALID_CLAIMS_REDIRECT_URI, str3);
        }
        if (this.log.isErrorEnabled()) {
            this.log.error("claims_redirect_uri is blank and there is none or more then one registered claims_redirect_uri for clientId: {}", Util.escapeLog(str));
        }
        throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLAIMS_REDIRECT_URI, "claims_redirect_uri is blank and there is none or more then one registered claims_redirect_uri for clientId: " + str);
    }

    private String getEqualRedirectUri(String str, String[] strArr) {
        String uriWithoutParams = RedirectionUriService.uriWithoutParams(str);
        for (String str2 : strArr) {
            this.log.debug("Comparing {} == {}", str2, str);
            if (str2.equals(str)) {
                return str;
            }
            String uriWithoutParams2 = RedirectionUriService.uriWithoutParams(str2);
            Map<String, String> params = RedirectionUriService.getParams(str2);
            if ((uriWithoutParams2.equals(uriWithoutParams) && params.size() == 0 && RedirectionUriService.getParams(str).size() == 0) || (uriWithoutParams2.equals(uriWithoutParams) && params.size() > 0 && RedirectionUriService.compareParams(str, str2))) {
                return str;
            }
        }
        return null;
    }

    public String[] validatesGatheringScriptNames(String str, String str2, String str3) {
        if (StringUtils.isNotBlank(str)) {
            String[] split = str.split(" ");
            if (ArrayUtils.isNotEmpty(split)) {
                return split;
            }
        }
        throw new UmaWebException(str2, this.errorResponseFactory, UmaErrorResponseType.INVALID_CLAIMS_GATHERING_SCRIPT_NAME, str3);
    }

    public void validateRestrictedByClient(String str, String str2) {
        if (BooleanUtils.isTrue(this.appConfiguration.getUmaRestrictResourceToAssociatedClient())) {
            List clients = this.resourceService.getResourceById(str2).getClients();
            if (clients.contains(str)) {
                return;
            }
            this.log.error("Access to resource is denied because resource associated client does not match PAT client (it can be switched off if set umaRestrictResourceToAssociatedClient oxauth configuration property to false). Associated clients: {}, PAT client: {}", clients, str);
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.ACCESS_DENIED, "Access to resource is denied because resource associated client does not match PAT client (it can be switched off if set umaRestrictResourceToAssociatedClient oxauth configuration property to false).");
        }
    }

    public void validateResource(io.jans.as.model.uma.UmaResource umaResource) {
        validateScopeExpression(umaResource.getScopeExpression());
        if (this.umaScopeService.getScopeDNsByIdsAndAddToPersistenceIfNeeded(umaResource.getScopes()).isEmpty() && StringUtils.isBlank(umaResource.getScopeExpression())) {
            this.log.error("Invalid resource. Both `scope` and `scope_expression` are blank.");
            throw this.errorResponseFactory.createWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_SCOPE, "Invalid resource. Both `scope` and `scope_expression` are blank.");
        }
    }

    public Client validate(Client client) {
        if (client != null && !client.isDisabled()) {
            return client;
        }
        this.log.debug("Client is not found or otherwise disabled.");
        throw this.errorResponseFactory.createWebApplicationException(Response.Status.FORBIDDEN, UmaErrorResponseType.DISABLED_CLIENT, "Client is disabled.");
    }
}
