package io.jans.as.server.model.authorize;

import com.google.common.collect.Lists;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.authorize.AuthorizeErrorResponseType;
import io.jans.as.model.common.Display;
import io.jans.as.model.common.Prompt;
import io.jans.as.model.common.ResponseMode;
import io.jans.as.model.common.ResponseType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm;
import io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm;
import io.jans.as.model.crypto.signature.AlgorithmFamily;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwe.Jwe;
import io.jans.as.model.jwe.JweDecrypterImpl;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtHeader;
import io.jans.as.model.util.Base64Util;
import io.jans.as.model.util.JwtUtil;
import io.jans.as.model.util.URLPatternList;
import io.jans.as.model.util.Util;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.DeviceAuthorizationService;
import io.jans.as.server.service.RedirectUriResponse;
import io.jans.as.server.service.RedirectionUriService;
import io.jans.as.server.service.stat.StatService;
import io.jans.service.cdi.util.CdiUtil;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.core.Response;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/jans/as/server/model/authorize/JwtAuthorizationRequest.class */
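public class JwtAuthorizationRequest {
    private static final Logger log = LoggerFactory.getLogger(JwtAuthorizationRequest.class);

    /** Maximum distance, in seconds, that {@code exp} may lie in the future and {@code nbf} in the past (FAPI). */
    private static final int SIXTY_MINUTES_AS_SECONDS = 3600;

    /** Segment counts of the compact serializations this class accepts. */
    private static final int JWE_SEGMENTS = 5;
    private static final int JWS_SEGMENTS = 3;
    private static final int UNSIGNED_JWS_SEGMENTS = 2;

    // JOSE header values. For an encrypted request these are taken from the outer JWE header
    // by loadHeader(), which runs after the nested JWT has been verified (see loadEncrypted()).
    private String type;
    private String algorithm;
    private String encryptionAlgorithm;
    private String keyId;

    // Claims of the request object (payload), populated by loadPayload().
    private final List<ResponseType> responseTypes;
    private String clientId;
    private final List<String> scopes;
    private String redirectUri;
    private String nonce;
    private String state;
    private List<String> aud = new ArrayList<>();
    private Display display;
    private final List<Prompt> prompts;
    private UserInfoMember userInfoMember;
    private IdTokenMember idTokenMember;
    private Integer exp;
    private String iss;
    private Integer iat;
    private Integer nbf;
    private String jti;
    private String clientNotificationToken;
    private String acrValues;
    private String loginHintToken;
    private String idTokenHint;
    private String loginHint;
    private String bindingMessage;
    private String userCode;
    private String codeChallenge;
    private String codeChallengeMethod;
    private String dpopJkt;
    private Integer requestedExpiry;
    private ResponseMode responseMode;

    // Raw forms kept for callers that need them (getEncodedJwt(), getPayload(), getJsonPayload()).
    private final String encodedJwt;
    private String payload;
    private JSONObject jsonPayload;
    // Signed JWT carried inside an encrypted request object; null for plain JWS input.
    private Jwt nestedJwt;
    private final AppConfiguration appConfiguration;

    /**
     * Parses and verifies a request object (OpenID Connect {@code request}/{@code request_uri} JWT).
     * <p>
     * Accepted inputs are a compact JWE (5 segments, optionally wrapping a signed JWT), a compact JWS
     * (3 segments) or an unsigned JWS (2 segments, empty signature). The signature is always handed to
     * {@link AbstractCryptoProvider#verifySignature} before the payload claims are loaded; whether an
     * empty signature / {@code none} algorithm is accepted is decided by the crypto provider and, under
     * FAPI, by {@link #validate()}.
     *
     * @param appConfiguration server configuration (encryption requirement, static decryption kid, FAPI flags)
     * @param cryptoProvider   provider used for JWE private keys and signature verification
     * @param encodedJwt       the compact-serialized request object
     * @param client           the requesting client; its secret and JWKS are used for verification/decryption
     * @throws InvalidJwtException if the input is empty, malformed, not encrypted when encryption is required,
     *                             uses an unsupported algorithm, or fails signature verification / decryption.
     *                             Any other failure during parsing is wrapped in this exception.
     */
    public JwtAuthorizationRequest(AppConfiguration appConfiguration, AbstractCryptoProvider cryptoProvider,
                                   String encodedJwt, Client client) throws InvalidJwtException {
        this.appConfiguration = appConfiguration;
        this.responseTypes = new ArrayList<>();
        this.scopes = new ArrayList<>();
        this.prompts = new ArrayList<>();
        this.encodedJwt = encodedJwt;
        try {
            if (StringUtils.isEmpty(encodedJwt)) {
                throw new InvalidJwtException("The JWT is null or empty");
            }
            // String.split drops trailing empty segments, so "h.p." (empty signature) yields 2 parts.
            String[] parts = encodedJwt.split("\\.");
            if (appConfiguration.getRequireRequestObjectEncryption() && parts.length != JWE_SEGMENTS) {
                throw new InvalidJwtException("Request object is not encrypted.");
            }
            if (parts.length == JWE_SEGMENTS) {
                loadEncrypted(parts[0], cryptoProvider, client);
            } else if (parts.length == JWS_SEGMENTS || parts.length == UNSIGNED_JWS_SEGMENTS) {
                loadSigned(parts, cryptoProvider, client);
            } else {
                throw new InvalidJwtException("The JWT is not well formed");
            }
        } catch (InvalidJwtException e) {
            throw e;
        } catch (Exception e) {
            throw new InvalidJwtException(e);
        }
    }

    /**
     * Decrypts a compact JWE request object, verifies the nested signed JWT (if any) and loads header and claims.
     *
     * @param encodedHeader  the base64url-encoded JWE protected header (first segment)
     * @param cryptoProvider provider holding the server's private keys
     * @param client         client whose secret is the key for non-RSA key-encryption algorithms
     * @throws Exception on decryption failure, unknown algorithms or an invalid nested signature
     */
    private void loadEncrypted(String encodedHeader, AbstractCryptoProvider cryptoProvider, Client client) throws Exception {
        JwtHeader jweHeader = new JwtHeader(encodedHeader);
        this.keyId = jweHeader.getKeyId();
        KeyEncryptionAlgorithm keyAlgorithm = KeyEncryptionAlgorithm.fromName(jweHeader.getClaimAsString("alg"));
        BlockEncryptionAlgorithm blockAlgorithm = BlockEncryptionAlgorithm.fromName(jweHeader.getClaimAsString("enc"));
        if (keyAlgorithm == null || blockAlgorithm == null) {
            throw new InvalidJwtException("The JWE alg/enc algorithm is not supported");
        }

        JweDecrypterImpl decrypter;
        if (AlgorithmFamily.RSA.equals(keyAlgorithm.getFamily())) {
            PrivateKey privateKey = cryptoProvider.getPrivateKey(this.keyId);
            // Fall back to the configured static decryption kid when the header kid is unknown.
            if (privateKey == null && StringUtils.isNotBlank(appConfiguration.getStaticDecryptionKid())) {
                privateKey = cryptoProvider.getPrivateKey(appConfiguration.getStaticDecryptionKid());
            }
            decrypter = new JweDecrypterImpl(privateKey);
        } else {
            // Symmetric key encryption is keyed with the (decrypted) client secret.
            decrypter = new JweDecrypterImpl(decryptClientSecret(client).getBytes(StandardCharsets.UTF_8));
        }
        decrypter.setFapi(appConfiguration.getFapiCompatibility());
        decrypter.setKeyEncryptionAlgorithm(keyAlgorithm);
        decrypter.setBlockEncryptionAlgorithm(blockAlgorithm);

        Jwe jwe = decrypter.decrypt(this.encodedJwt);
        this.nestedJwt = jwe.getSignedJWTPayload();
        if (this.nestedJwt != null) {
            this.keyId = this.nestedJwt.getHeader().getKeyId();
            if (!validateSignature(cryptoProvider, this.nestedJwt.getHeader().getSignatureAlgorithm(), client,
                    this.nestedJwt.getSigningInput(), this.nestedJwt.getEncodedSignature())) {
                throw new InvalidJwtException("The Nested JWT signature is not valid");
            }
        }
        // NOTE(review): loadHeader() overwrites keyId/algorithm with the outer JWE header values, so
        // getKeyId()/getAlgorithm() describe the JWE, not the nested JWT — confirm this is what callers expect.
        loadHeader(jwe.getHeader().toJsonString());
        loadPayload(jwe.getClaims().toJsonString());
    }

    /**
     * Verifies a compact JWS request object (signed or with an empty signature) and loads header and claims.
     *
     * @param parts          the 2 or 3 dot-separated segments of the JWS
     * @param cryptoProvider provider used for signature verification
     * @param client         client whose JWKS / secret verifies the signature
     * @throws Exception on an unsupported algorithm, invalid signature or malformed header/payload
     */
    private void loadSigned(String[] parts, AbstractCryptoProvider cryptoProvider, Client client) throws Exception {
        String encodedHeader = parts[0];
        String encodedPayload = parts[1];
        String encodedSignature = parts.length == JWS_SEGMENTS ? parts[2] : "";
        String signingInput = encodedHeader + "." + encodedPayload;

        loadHeader(new String(Base64Util.base64urldecode(encodedHeader), StandardCharsets.UTF_8));
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(this.algorithm);
        if (signatureAlgorithm == null) {
            throw new InvalidJwtException("The JWT algorithm is not supported");
        }
        if (!validateSignature(cryptoProvider, signatureAlgorithm, client, signingInput, encodedSignature)) {
            throw new InvalidJwtException("The JWT signature is not valid");
        }

        // Claims are only parsed once the signature has been verified.
        // NOTE(review): all backslashes are stripped from the decoded payload before JSON parsing — this is
        // long-standing behaviour here but also removes legitimate JSON escapes; confirm intent before relying on it.
        String payloadJson = new String(Base64Util.base64urldecode(encodedPayload), StandardCharsets.UTF_8)
                .replace("\\", "");
        loadPayload(payloadJson);
    }

    /** Resolves the client's plaintext secret through {@link ClientService}. */
    private static String decryptClientSecret(Client client) {
        return CdiUtil.bean(ClientService.class).decryptSecret(client.getClientSecret());
    }

    /** @return the compact-serialized request object exactly as passed to the constructor */
    public String getEncodedJwt() {
        return this.encodedJwt;
    }

    /**
     * Reads {@code typ}, {@code alg}, {@code enc} and {@code kid} from a JOSE header; absent members leave
     * the corresponding field untouched.
     *
     * @param headerJson the header as a JSON document
     * @throws JSONException if the document is not valid JSON or a present member is not a string
     */
    private void loadHeader(String headerJson) throws JSONException {
        JSONObject header = new JSONObject(headerJson);
        if (header.has("typ")) {
            this.type = header.getString("typ");
        }
        if (header.has("alg")) {
            this.algorithm = header.getString("alg");
        }
        if (header.has("enc")) {
            this.encryptionAlgorithm = header.getString("enc");
        }
        if (header.has("kid")) {
            this.keyId = header.getString("kid");
        }
    }

    /**
     * Parses the request object claims into the typed fields of this instance.
     * <p>
     * {@code response_type}, {@code scope} and {@code prompt} may be given either as a JSON array or as a
     * space-delimited string; {@code aud} either as a JSON array or a single string.
     *
     * @param payloadJson the claims as a JSON document
     * @throws JSONException on malformed JSON or a claim of an unexpected type
     */
    private void loadPayload(String payloadJson) throws JSONException {
        this.payload = payloadJson;
        this.jsonPayload = new JSONObject(payloadJson);

        if (this.jsonPayload.has("response_type")) {
            JSONArray array = this.jsonPayload.optJSONArray("response_type");
            if (array != null) {
                for (String value : stringsOf(array)) {
                    this.responseTypes.add(ResponseType.fromString(value));
                }
            } else {
                this.responseTypes.addAll(ResponseType.fromString(this.jsonPayload.getString("response_type"), " "));
            }
        }

        if (this.jsonPayload.has("aud")) {
            // Check for an array first: optString() would otherwise return the array's JSON text
            // as a single bogus audience entry.
            JSONArray audArray = this.jsonPayload.optJSONArray("aud");
            if (audArray != null) {
                if (audArray.length() > 0) {
                    this.aud.addAll(Util.asList(audArray));
                }
            } else {
                String audValue = this.jsonPayload.optString("aud");
                if (StringUtils.isNotBlank(audValue)) {
                    this.aud.add(audValue);
                }
            }
        }

        this.clientId = this.jsonPayload.optString("client_id", null);

        if (this.jsonPayload.has("scope")) {
            JSONArray array = this.jsonPayload.optJSONArray("scope");
            if (array != null) {
                this.scopes.addAll(stringsOf(array));
            } else {
                this.scopes.addAll(Util.splittedStringAsList(this.jsonPayload.getString("scope"), " "));
            }
        }

        if (this.jsonPayload.has("redirect_uri")) {
            this.redirectUri = URLDecoder.decode(this.jsonPayload.getString("redirect_uri"), StandardCharsets.UTF_8);
        }
        this.nonce = this.jsonPayload.optString("nonce", null);
        this.state = this.jsonPayload.optString("state", null);
        if (this.jsonPayload.has("display")) {
            this.display = Display.fromString(this.jsonPayload.getString("display"));
        }

        if (this.jsonPayload.has("prompt")) {
            JSONArray array = this.jsonPayload.optJSONArray("prompt");
            if (array != null) {
                for (String value : stringsOf(array)) {
                    this.prompts.add(Prompt.fromString(value));
                }
            } else {
                this.prompts.addAll(Prompt.fromString(this.jsonPayload.getString("prompt"), " "));
            }
        }

        if (this.jsonPayload.has("claims")) {
            JSONObject claims = this.jsonPayload.getJSONObject("claims");
            if (claims.has("userinfo")) {
                this.userInfoMember = new UserInfoMember(claims.getJSONObject("userinfo"));
            }
            if (claims.has(StatService.ID_TOKEN_KEY)) {
                this.idTokenMember = new IdTokenMember(claims.getJSONObject(StatService.ID_TOKEN_KEY));
            }
        }

        this.iss = this.jsonPayload.optString("iss", null);
        if (this.jsonPayload.has("exp")) {
            this.exp = this.jsonPayload.getInt("exp");
        }
        if (this.jsonPayload.has("iat")) {
            this.iat = this.jsonPayload.getInt("iat");
        }
        if (this.jsonPayload.has("nbf")) {
            this.nbf = this.jsonPayload.getInt("nbf");
        }
        this.jti = this.jsonPayload.optString("jti", null);
        this.clientNotificationToken = this.jsonPayload.optString("client_notification_token", null);
        this.acrValues = this.jsonPayload.optString("acr_values", null);
        this.loginHintToken = this.jsonPayload.optString("login_hint_token", null);
        this.idTokenHint = this.jsonPayload.optString("id_token_hint", null);
        this.loginHint = this.jsonPayload.optString("login_hint", null);
        this.bindingMessage = this.jsonPayload.optString("binding_message", null);
        this.userCode = this.jsonPayload.optString(DeviceAuthorizationService.SESSION_USER_CODE, null);
        this.codeChallenge = this.jsonPayload.optString("code_challenge", null);
        this.codeChallengeMethod = this.jsonPayload.optString("code_challenge_method", null);
        this.dpopJkt = this.jsonPayload.optString("dpop_jkt", null);

        if (this.jsonPayload.has("requested_expiry")) {
            // Accepted both as a JSON number and as a numeric string; a non-numeric string
            // raises NumberFormatException, which the constructor reports as InvalidJwtException.
            if (this.jsonPayload.get("requested_expiry") instanceof Number) {
                this.requestedExpiry = this.jsonPayload.getInt("requested_expiry");
            } else {
                this.requestedExpiry = Integer.parseInt(this.jsonPayload.getString("requested_expiry"));
            }
        }
        if (this.jsonPayload.has("response_mode")) {
            this.responseMode = ResponseMode.getByValue(this.jsonPayload.optString("response_mode"));
        }
    }

    /**
     * Copies a JSON array of strings into a list.
     *
     * @throws JSONException if an element is not a string
     */
    private static List<String> stringsOf(JSONArray array) throws JSONException {
        List<String> values = new ArrayList<>(array.length());
        for (int i = 0; i < array.length(); i++) {
            values.add(array.getString(i));
        }
        return values;
    }

    /**
     * Verifies a signature against the client's JWKS (asymmetric) or decrypted secret (HMAC) using the
     * current {@link #keyId}.
     *
     * @return {@code true} when the crypto provider accepts the signature
     */
    private boolean validateSignature(@NotNull AbstractCryptoProvider cryptoProvider, SignatureAlgorithm signatureAlgorithm,
                                      Client client, String signingInput, String encodedSignature) throws Exception {
        String clientSecret = decryptClientSecret(client);
        return cryptoProvider.verifySignature(signingInput, encodedSignature, this.keyId, CommonUtils.getJwks(client),
                clientSecret, signatureAlgorithm);
    }

    public JSONObject getJsonPayload() {
        return this.jsonPayload;
    }

    /** @return the signed JWT nested inside an encrypted request object, or {@code null} */
    public Jwt getNestedJwt() {
        return this.nestedJwt;
    }

    public String getEncryptionAlgorithm() {
        return this.encryptionAlgorithm;
    }

    public String getKeyId() {
        return this.keyId;
    }

    public String getType() {
        return this.type;
    }

    public String getAlgorithm() {
        return this.algorithm;
    }

    public List<ResponseType> getResponseTypes() {
        return this.responseTypes;
    }

    public String getClientId() {
        return this.clientId;
    }

    public List<String> getScopes() {
        return this.scopes;
    }

    public String getRedirectUri() {
        return this.redirectUri;
    }

    public String getNonce() {
        return this.nonce;
    }

    public String getState() {
        return this.state;
    }

    public Display getDisplay() {
        return this.display;
    }

    public List<Prompt> getPrompts() {
        return this.prompts;
    }

    public UserInfoMember getUserInfoMember() {
        return this.userInfoMember;
    }

    public IdTokenMember getIdTokenMember() {
        return this.idTokenMember;
    }

    public Integer getExp() {
        return this.exp;
    }

    /** @return the audience list, never {@code null} */
    public List<String> getAud() {
        if (this.aud == null) {
            this.aud = new ArrayList<>();
        }
        return this.aud;
    }

    public String getPayload() {
        return this.payload;
    }

    public String getIss() {
        return this.iss;
    }

    public Integer getIat() {
        return this.iat;
    }

    public Integer getNbf() {
        return this.nbf;
    }

    public String getJti() {
        return this.jti;
    }

    public String getClientNotificationToken() {
        return this.clientNotificationToken;
    }

    public String getAcrValues() {
        return this.acrValues;
    }

    public String getLoginHintToken() {
        return this.loginHintToken;
    }

    public String getIdTokenHint() {
        return this.idTokenHint;
    }

    public String getLoginHint() {
        return this.loginHint;
    }

    public String getBindingMessage() {
        return this.bindingMessage;
    }

    public String getUserCode() {
        return this.userCode;
    }

    public Integer getRequestedExpiry() {
        return this.requestedExpiry;
    }

    public ResponseMode getResponseMode() {
        return this.responseMode;
    }

    public String getCodeChallenge() {
        return this.codeChallenge;
    }

    public String getCodeChallengeMethod() {
        return this.codeChallengeMethod;
    }

    public String getDpopJkt() {
        return this.dpopJkt;
    }

    public void setDpopJkt(String dpopJkt) {
        this.dpopJkt = dpopJkt;
    }

    /**
     * Fetches the request object referenced by {@code request_uri}.
     * <p>
     * The URI fragment, when present and {@code requestUriHashVerificationEnabled} is on, must equal the
     * base64url SHA-256 of the fetched body. The server performs an outbound GET here, so callers must
     * first restrict the URI with {@link #validateRequestUri} (client-registered URIs and the block list),
     * as {@link #createJwtRequest} does.
     *
     * @param requestUri          the {@code request_uri} parameter; blank yields {@code null}
     * @param redirectUriResponse used to raise an {@code invalid_request_uri} error; may be {@code null}
     * @param appConfiguration    server configuration
     * @return the fetched request object, or {@code null} when it could not be fetched, failed hash
     *         verification (with no {@code redirectUriResponse} to report it through), or an unexpected error occurred
     * @throws WebApplicationException when verification fails and {@code redirectUriResponse} is present
     */
    @Nullable
    private static String queryRequest(@Nullable String requestUri, @Nullable RedirectUriResponse redirectUriResponse,
                                       AppConfiguration appConfiguration) {
        if (StringUtils.isBlank(requestUri)) {
            return null;
        }
        try {
            URI uri = new URI(requestUri);
            String expectedHash = uri.getFragment();
            // The fragment is never sent to the server; it only carries the expected body hash.
            String fetchUrl = uri.getScheme() + ":" + uri.getSchemeSpecificPart();

            String body = null;
            boolean verified = false;
            jakarta.ws.rs.client.Client httpClient = ClientBuilder.newClient();
            try {
                Response response = httpClient.target(fetchUrl).request().buildGet().invoke();
                if (response.getStatus() == 200) {
                    body = response.readEntity(String.class);
                    verified = isRequestUriHashValid(expectedHash, body, appConfiguration);
                }
            } finally {
                httpClient.close();
            }

            if (verified) {
                return body;
            }
            if (redirectUriResponse != null) {
                throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_URI, "Invalid request uri.");
            }
            // Fail closed: without a redirect response to report the error through, an unverified
            // body is discarded rather than used.
            log.error("request_uri content could not be fetched or failed hash verification: {}", fetchUrl);
            return null;
        } catch (WebApplicationException e) {
            throw e;
        } catch (Exception e) {
            log.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * @return {@code true} when no hash is supplied, verification is disabled in configuration, or the
     *         base64url SHA-256 of {@code body} equals {@code expectedHash}
     */
    private static boolean isRequestUriHashValid(@Nullable String expectedHash, String body, AppConfiguration appConfiguration) {
        if (StringUtils.isBlank(expectedHash) || !appConfiguration.getRequestUriHashVerificationEnabled()) {
            return true;
        }
        String actualHash = Base64Util.base64urlencode(JwtUtil.getMessageDigestSHA256(body));
        return StringUtils.equals(expectedHash, actualHash);
    }

    /**
     * Builds a request object from the {@code request} parameter or, when present and valid, the content
     * fetched from {@code request_uri} (which takes precedence).
     *
     * @return the parsed request, or {@code null} when neither source yields a JWT or the JWT is invalid
     * @throws WebApplicationException when {@code request_uri} is forbidden for the client / by the block list,
     *                                 or its content fails hash verification
     */
    public static JwtAuthorizationRequest createJwtRequest(String request, String requestUri, Client client,
                                                           RedirectUriResponse redirectUriResponse,
                                                           AbstractCryptoProvider cryptoProvider,
                                                           AppConfiguration appConfiguration) {
        validateRequestUri(requestUri, client, appConfiguration,
                redirectUriResponse != null ? redirectUriResponse.getState() : null);
        String fetched = queryRequest(requestUri, redirectUriResponse, appConfiguration);
        String encodedJwt = StringUtils.isNotBlank(fetched) ? fetched : request;
        if (StringUtils.isBlank(encodedJwt)) {
            return null;
        }
        try {
            return new JwtAuthorizationRequest(appConfiguration, cryptoProvider, encodedJwt, client);
        } catch (WebApplicationException e) {
            throw e;
        } catch (Exception e) {
            log.error("Invalid JWT authorization request. " + e.getMessage(), e);
            return null;
        }
    }

    /**
     * Applies profile-specific constraints; currently only the FAPI rules when FAPI is enabled.
     *
     * @throws InvalidJwtException if a constraint is violated
     */
    public void validate() throws InvalidJwtException {
        if (this.appConfiguration.isFapi()) {
            validateFapi();
        }
    }

    /**
     * FAPI rules: {@code RS256} and {@code none} are rejected and both {@code nbf} and {@code exp} must be
     * present and within sixty minutes of now. Only called when FAPI is enabled.
     */
    private void validateFapi() throws InvalidJwtException {
        // NOTE(review): for an encrypted request this is the outer JWE "alg", which never maps to a
        // SignatureAlgorithm, so the nested JWT's signature algorithm is not checked here — confirm intent.
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(this.algorithm);
        if (signatureAlgorithm == SignatureAlgorithm.RS256) {
            throw new InvalidJwtException("RS256 algorithm is not allowed for FAPI");
        }
        if (signatureAlgorithm == SignatureAlgorithm.NONE) {
            throw new InvalidJwtException("None algorithm is not allowed for FAPI");
        }
        validateNbf(this.nbf);
        validateExp(this.exp);
    }

    /**
     * Requires {@code exp} to be set and at most sixty minutes in the future.
     *
     * @param exp expiry as seconds since the epoch
     * @throws InvalidJwtException when absent or too far in the future
     */
    public static void validateExp(Integer exp) throws InvalidJwtException {
        if (exp == null) {
            log.error("The exp claim is not set");
            throw new InvalidJwtException("exp claim is not set");
        }
        long nowSeconds = System.currentTimeMillis() / 1000;
        if (exp - nowSeconds > SIXTY_MINUTES_AS_SECONDS) {
            log.error("exp claim is more then 60 minutes in the future, exp: {}, nowSecondsExp: {}", exp, nowSeconds);
            throw new InvalidJwtException("exp claim is more then 60 in the future");
        }
    }

    /**
     * Requires {@code nbf} to be a positive value at most sixty minutes in the past.
     *
     * @param nbf not-before as seconds since the epoch
     * @throws InvalidJwtException when absent, non-positive or too far in the past
     */
    public static void validateNbf(Integer nbf) throws InvalidJwtException {
        if (nbf == null || nbf <= 0) {
            log.error("nbf claim is not set, nbf: {}", nbf);
            throw new InvalidJwtException("nbf claim is not set");
        }
        long nowSeconds = System.currentTimeMillis() / 1000;
        if (nowSeconds - nbf > SIXTY_MINUTES_AS_SECONDS) {
            log.error("nbf claim is more then 60 Minutes in the past, nbf: {}, nowSeconds: {}", nbf, nowSeconds);
            throw new InvalidJwtException("nbf claim is more then 60 in the past");
        }
    }

    /** Same as {@link #validateRequestUri(String, Client, AppConfiguration, String, ErrorResponseFactory)} using the CDI error factory. */
    public static void validateRequestUri(String requestUri, Client client, AppConfiguration appConfiguration, String state) {
        validateRequestUri(requestUri, client, appConfiguration, state, CdiUtil.bean(ErrorResponseFactory.class));
    }

    /**
     * Rejects a {@code request_uri} that is not among the client's registered request URIs (when any are
     * registered) or that matches the configured {@code requestUriBlockList}. A blank URI is accepted as "absent".
     *
     * @param requestUri           the {@code request_uri} parameter
     * @param client               the requesting client
     * @param appConfiguration     server configuration holding the block list
     * @param state                the request's {@code state}, echoed in the error response
     * @param errorResponseFactory builds the {@code invalid_request_uri} error body
     * @throws WebApplicationException with HTTP 400 when the URI is forbidden
     */
    public static void validateRequestUri(String requestUri, Client client, AppConfiguration appConfiguration,
                                          String state, ErrorResponseFactory errorResponseFactory) {
        if (StringUtils.isBlank(requestUri)) {
            return;
        }
        if (ArrayUtils.isNotEmpty(client.getRequestUris()) && !RedirectionUriService.isUriEqual(requestUri, client.getRequestUris())) {
            log.debug("request_uri is forbidden by client request uris.");
            throw invalidRequestUri(errorResponseFactory, state);
        }
        List<String> blockList = appConfiguration.getRequestUriBlockList();
        if (blockList != null && !blockList.isEmpty() && new URLPatternList(blockList).isUrlListed(requestUri)) {
            log.debug("request_uri is forbidden by requestUriBlackList configuration.");
            throw invalidRequestUri(errorResponseFactory, state);
        }
    }

    /** Builds the HTTP 400 {@code invalid_request_uri} response used by {@link #validateRequestUri}. */
    private static WebApplicationException invalidRequestUri(ErrorResponseFactory errorResponseFactory, String state) {
        return new WebApplicationException(Response.status(Response.Status.BAD_REQUEST)
                .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST_URI, state, ""))
                .build());
    }
}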
