package io.jans.as.server.register.ws.rs;

import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.signature.AlgorithmFamily;
import io.jans.as.model.exception.CryptoProviderException;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtClaims;
import io.jans.as.model.register.RegisterRequestParam;
import io.jans.as.model.ssa.SsaValidationConfig;
import io.jans.as.model.ssa.SsaValidationType;
import io.jans.as.server.service.net.UriService;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import java.util.ArrayList;
import java.util.List;
import java.util.function.BiPredicate;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.json.JSONObject;
import org.slf4j.Logger;

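/* loaded from: input_file:io/jans/as/server/register/ws/rs/SsaValidationConfigService.class */
/**
 * Resolves the {@link SsaValidationConfig} entries that apply to a software statement (SSA) JWT and
 * verifies the JWT's signature against them.
 *
 * <p>Candidate configs are selected by the JWT's {@code iss} claim, which is read from the still
 * unverified token; the claim only narrows the search and grants nothing by itself. Trust is
 * established when one of the selected configs verifies the signature. HMAC configs are checked with
 * their shared secret only (jwks argument {@code null}), asymmetric configs with their JWKS only
 * (secret argument {@code null}), so the two key sources are never offered interchangeably.
 */
@Named
@Stateless
public class SsaValidationConfigService {

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private Logger log;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private UriService uriService;

    /**
     * Returns every configured DCR SSA validation config of the given type whose issuer list
     * contains {@code issuer}.
     *
     * @param issuer issuer value to match (normally the JWT {@code iss} claim); blank yields an empty list
     * @param ssaValidationType config type that must match exactly
     * @return matching configs in configuration order; mutable, possibly empty, never {@code null}
     */
    public List<SsaValidationConfig> getByIssuer(String issuer, SsaValidationType ssaValidationType) {
        if (StringUtils.isBlank(issuer)) {
            return new ArrayList<>();
        }
        return this.appConfiguration.getDcrSsaValidationConfigs().stream()
                .filter(config -> config.getIssuers().contains(issuer) && config.getType() == ssaValidationType)
                .collect(Collectors.toList());
    }

    /**
     * Selects the configs matching the {@code iss} claim of {@code jwt}.
     *
     * @param jwt token whose (not yet verified) {@code iss} claim is used as the lookup key
     * @param ssaValidationType config type that must match
     * @return matching configs, possibly empty, never {@code null}
     */
    public List<SsaValidationConfig> getByIssuer(Jwt jwt, SsaValidationType ssaValidationType) {
        // "iss" is attacker-controlled until the signature is verified; it only picks candidates.
        return getByIssuer(jwt.getClaims().getClaimAsString("iss"), ssaValidationType);
    }

    /**
     * Verifies the context's JWT as an HMAC-signed token against the shared secret of each matching
     * config, stopping at the first success.
     *
     * @param ssaValidationConfigContext holds the JWT and type; receives the successful config on success
     * @return {@code true} if some matching config's shared secret verifies the signature
     */
    public boolean isHmacValid(SsaValidationConfigContext ssaValidationConfigContext) {
        return verifyWithFirstMatchingConfig(ssaValidationConfigContext, this::isHmacValid);
    }

    /**
     * Verifies the context's JWT against the JWKS of each matching config, stopping at the first
     * success.
     *
     * @param ssaValidationConfigContext holds the JWT and type; receives the successful config on success
     * @return {@code true} if some matching config's JWKS verifies the signature
     */
    public boolean hasValidSignature(SsaValidationConfigContext ssaValidationConfigContext) {
        return verifyWithFirstMatchingConfig(ssaValidationConfigContext, this::isSignatureValid);
    }

    /**
     * Runs {@code verifier} over the configs selected by the context's JWT issuer and type, in
     * configuration order, and records the first config that verifies on the context.
     *
     * @param context source of the JWT and type; updated with the successful config, if any
     * @param verifier per-config check (HMAC or JWKS based)
     * @return {@code true} if any config verified; {@code false} when none match or none verify
     */
    private boolean verifyWithFirstMatchingConfig(SsaValidationConfigContext context,
                                                  BiPredicate<Jwt, SsaValidationConfig> verifier) {
        Jwt jwt = context.getJwt();
        for (SsaValidationConfig config : getByIssuer(jwt, context.getType())) {
            if (verifier.test(jwt, config)) {
                context.setSuccessfulConfig(config);
                return true;
            }
        }
        return false;
    }

    /**
     * Verifies {@code jwt} with the config's shared secret via the crypto provider.
     *
     * @param jwt token to verify
     * @param ssaValidationConfig config supplying the shared secret
     * @return {@code true} only if a secret is configured and the provider accepts the signature;
     *         provider or JWT errors are logged at trace level and yield {@code false}
     */
    private boolean isHmacValid(Jwt jwt, SsaValidationConfig ssaValidationConfig) {
        String sharedSecret = ssaValidationConfig.getSharedSecret();
        if (StringUtils.isBlank(sharedSecret)) {
            // NOTE(review): the whole config object is logged here and below; if its toString()
            // includes sharedSecret, TRACE logging exposes the secret — confirm before enabling trace.
            this.log.trace("No hmacSecret provided in SsaValidationConfig: {}", ssaValidationConfig);
            return false;
        }
        try {
            // Key id and jwks are null: only the shared secret is offered to the provider.
            boolean verified = this.cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(),
                    (String) null, (JSONObject) null, sharedSecret, jwt.getHeader().getSignatureAlgorithm());
            this.log.trace("Request object validation result: {}, SsaValidationConfig: {}", verified, ssaValidationConfig);
            if (verified) {
                this.log.trace("Request object is validated successfully. SsaValidationConfig: {}", ssaValidationConfig);
            }
            return verified;
        } catch (CryptoProviderException | InvalidJwtException e) {
            this.log.trace("Unable to validate jwt with ssaValidationConfig: {}", ssaValidationConfig, e);
            return false;
        }
    }

    /**
     * Verifies {@code jwt} with the JWKS resolved from the config via the crypto provider.
     *
     * @param jwt token to verify; its header {@code kid} selects the key within the JWKS
     * @param ssaValidationConfig config describing where the JWKS comes from
     * @return {@code true} only if a non-empty JWKS could be loaded and the provider accepts the
     *         signature; load failures are logged at error level, provider/JWT errors at trace level
     */
    private boolean isSignatureValid(Jwt jwt, SsaValidationConfig ssaValidationConfig) {
        try {
            JSONObject jwks = loadJwks(ssaValidationConfig);
            if (jwks == null || jwks.isEmpty()) {
                this.log.error("Unable to load jwks for ssaValidationConfig: {}", ssaValidationConfig);
                return false;
            }
            this.log.trace("Validating request object with jwks: {} ...", jwks);
            // Shared secret is null: only the JWKS is offered to the provider.
            return this.cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(),
                    jwt.getHeader().getKeyId(), jwks, (String) null, jwt.getHeader().getSignatureAlgorithm());
        } catch (CryptoProviderException | InvalidJwtException e) {
            this.log.trace("Unable to validate jwt with ssaValidationConfig: {}", ssaValidationConfig, e);
            return false;
        }
    }

    /**
     * Resolves the JWKS for a config, trying in order: {@code jwksUri}, inline {@code jwks}, then the
     * {@code configurationEndpoint} document's {@code configurationEndpointClaim} as a JWKS URI.
     *
     * @param ssaValidationConfig config holding the JWKS sources
     * @return the loaded JWKS, or {@code null} if no source is configured or every configured source
     *         yields nothing
     */
    private JSONObject loadJwks(SsaValidationConfig ssaValidationConfig) {
        JSONObject jwks = null;
        if (StringUtils.isNotBlank(ssaValidationConfig.getJwksUri())) {
            jwks = this.uriService.loadJson(ssaValidationConfig.getJwksUri());
        }
        if (jwks == null && StringUtils.isNotBlank(ssaValidationConfig.getJwks())) {
            // NOTE(review): a malformed inline jwks raises org.json's unchecked JSONException here,
            // which the callers do not catch — operator misconfiguration surfaces as an exception.
            jwks = new JSONObject(ssaValidationConfig.getJwks());
        }
        if (jwks == null
                && StringUtils.isNotBlank(ssaValidationConfig.getConfigurationEndpoint())
                && StringUtils.isNotBlank(ssaValidationConfig.getConfigurationEndpointClaim())) {
            // loadJson can return null (the jwksUri branch relies on that); guard it here too
            // instead of dereferencing the discovery document blindly.
            JSONObject discovery = this.uriService.loadJson(ssaValidationConfig.getConfigurationEndpoint());
            if (discovery == null) {
                this.log.trace("Unable to load configuration endpoint for ssaValidationConfig: {}", ssaValidationConfig);
            } else {
                String jwksUriFromDiscovery = discovery.optString(ssaValidationConfig.getConfigurationEndpointClaim());
                if (StringUtils.isNotBlank(jwksUriFromDiscovery)) {
                    jwks = this.uriService.loadJson(jwksUriFromDiscovery);
                }
            }
        }
        return jwks;
    }

    /**
     * Built-in SSA validation: verifies {@code jwt} against the {@link SsaValidationType#SSA} configs
     * matching its issuer and, on success, returns the claims prepared with that config.
     *
     * <p>The key source is chosen by the family of the header {@code alg}: HMAC family uses the
     * config's shared secret, any other family uses the config's JWKS.
     *
     * @param jwt the software statement to validate
     * @return prepared claims from the first verifying config, or {@code null} if none verifies
     * @throws InvalidJwtException if the claims cannot be rendered as JSON
     */
    public JSONObject validateSsaForBuiltIn(Jwt jwt) throws InvalidJwtException {
        this.log.debug("Validating ssa with softwareStatementValidationType=builtin validation ...");
        List<SsaValidationConfig> candidates = getByIssuer(jwt, SsaValidationType.SSA);
        // NOTE(review): whether an unknown/unsupported alg header parses to null is not visible
        // here; treat it as "not validated" rather than NPE.
        if (jwt.getHeader().getSignatureAlgorithm() == null) {
            this.log.trace("JWT header has no recognised signature algorithm, ssa is not validated.");
            return null;
        }
        boolean hmac = AlgorithmFamily.HMAC.equals(jwt.getHeader().getSignatureAlgorithm().getFamily());
        for (SsaValidationConfig config : candidates) {
            boolean verified = hmac ? isHmacValid(jwt, config) : isSignatureValid(jwt, config);
            if (verified) {
                return prepareSsaJsonObject(jwt.getClaims(), config);
            }
        }
        return null;
    }

    /**
     * Renders the claims as JSON and overlays the config's scopes and allowed claims (space-joined)
     * onto the registration {@code scope} / {@code claims} parameters when the config defines them.
     *
     * @param jwtClaims verified SSA claims
     * @param ssaValidationConfig config whose scopes/allowed claims take precedence
     * @return the JSON object to use for registration
     * @throws InvalidJwtException if the claims cannot be rendered as JSON
     */
    public JSONObject prepareSsaJsonObject(JwtClaims jwtClaims, SsaValidationConfig ssaValidationConfig) throws InvalidJwtException {
        JSONObject jsonObject = jwtClaims.toJsonObject();
        if (!ssaValidationConfig.getScopes().isEmpty()) {
            this.log.trace("Set scopes from ssaValidationConfig: {}", ssaValidationConfig);
            jsonObject.putOpt(RegisterRequestParam.SCOPE.toString(),
                    io.jans.as.model.util.StringUtils.implode(ssaValidationConfig.getScopes(), " "));
        }
        if (!ssaValidationConfig.getAllowedClaims().isEmpty()) {
            this.log.trace("Set claims from ssaValidationConfig: {}", ssaValidationConfig);
            jsonObject.putOpt(RegisterRequestParam.CLAIMS.toString(),
                    io.jans.as.model.util.StringUtils.implode(ssaValidationConfig.getAllowedClaims(), " "));
        }
        return jsonObject;
    }
}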
