package io.jans.ca.server.op;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import io.jans.as.client.OpenIdConfigurationResponse;
import io.jans.as.model.crypto.signature.AlgorithmFamily;
import io.jans.as.model.crypto.signature.ECDSAPublicKey;
import io.jans.as.model.crypto.signature.RSAPublicKey;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.jwk.Use;
import io.jans.as.model.jws.AbstractJwsSigner;
import io.jans.as.model.jws.ECDSASigner;
import io.jans.as.model.jws.HMACSigner;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtClaimName;
import io.jans.ca.common.ErrorResponseCode;
import io.jans.ca.server.HttpException;
import io.jans.ca.server.RpServerConfiguration;
import io.jans.ca.server.service.PublicOpKeyService;
import io.jans.ca.server.service.Rp;
import io.jans.ca.server.service.StateService;
import java.security.SignatureException;
import java.util.Date;
import java.util.List;
import java.util.concurrent.TimeUnit;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/jans/ca/server/op/Validator.class */
public class Validator {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) Validator.class);
    private final OpenIdConfigurationResponse discoveryResponse;
    private RpServerConfiguration configuration;
    private AbstractJwsSigner jwsSigner;
    private final Jwt idToken;
    private OpClientFactory opClientFactory;
    private final PublicOpKeyService keyService;
    private final Rp rp;

    /* loaded from: input_file:io/jans/ca/server/op/Validator$Builder.class */
    public static class Builder {
        private OpenIdConfigurationResponse discoveryResponse;
        private RpServerConfiguration configuration;
        private Jwt idToken;
        private OpClientFactory opClientFactory;
        private PublicOpKeyService keyService;
        private Rp rp;

        public Builder discoveryResponse(OpenIdConfigurationResponse openIdConfigurationResponse) {
            this.discoveryResponse = openIdConfigurationResponse;
            return this;
        }

        public Builder rpServerConfiguration(RpServerConfiguration rpServerConfiguration) {
            this.configuration = rpServerConfiguration;
            return this;
        }

        public Builder idToken(Jwt jwt) {
            this.idToken = jwt;
            return this;
        }

        public Builder opClientFactory(OpClientFactory opClientFactory) {
            this.opClientFactory = opClientFactory;
            return this;
        }

        public Builder keyService(PublicOpKeyService publicOpKeyService) {
            this.keyService = publicOpKeyService;
            return this;
        }

        public Builder rp(Rp rp) {
            this.rp = rp;
            return this;
        }

        public Validator build() {
            Preconditions.checkNotNull(this.idToken);
            Preconditions.checkNotNull(this.discoveryResponse);
            return new Validator(this);
        }
    }

    public OpenIdConfigurationResponse getDiscoveryResponse() {
        return this.discoveryResponse;
    }

    public RpServerConfiguration getRpServerConfiguration() {
        return this.configuration;
    }

    public AbstractJwsSigner getJwsSigner() {
        return this.jwsSigner;
    }

    public OpClientFactory getOpClientFactory() {
        return this.opClientFactory;
    }

    public PublicOpKeyService getKeyService() {
        return this.keyService;
    }

    public Rp getRp() {
        return this.rp;
    }

    private Validator(Builder builder) {
        this.discoveryResponse = builder.discoveryResponse;
        this.configuration = builder.configuration;
        this.idToken = builder.idToken;
        this.opClientFactory = builder.opClientFactory;
        this.keyService = builder.keyService;
        this.rp = builder.rp;
        this.jwsSigner = createJwsSigner(this.idToken, this.discoveryResponse, this.keyService, this.opClientFactory, this.rp, this.configuration);
    }

    public void validateAccessToken(String str) {
        validateAccessToken(str, false);
    }

    public void validateAccessToken(String str, boolean z) {
        if (this.configuration.getIdTokenValidationAtHashRequired().booleanValue() && !Strings.isNullOrEmpty(str)) {
            String claimAsString = this.idToken.getClaims().getClaimAsString("at_hash");
            if (!Strings.isNullOrEmpty(claimAsString)) {
                if (this.jwsSigner.validateAccessToken(str, this.idToken)) {
                    return;
                }
                LOG.error("Hash from id_token does not match hash of the access_token (at_hash). access_token:" + str + ", idToken: " + this.idToken + ", at_hash:" + claimAsString);
                throw new HttpException(ErrorResponseCode.INVALID_ACCESS_TOKEN_BAD_HASH);
            }
            if (z) {
                LOG.error("`at_hash` is missing in `ID_TOKEN`.");
                throw new HttpException(ErrorResponseCode.AT_HASH_NOT_FOUND);
            }
            LOG.warn("Skip access_token validation because corresponding id_token does not have at_hash claim. access_token: " + str + ", id_token: " + this.idToken);
        }
    }

    public void validateState(String str) {
        if (this.configuration.getIdTokenValidationSHashRequired().booleanValue() && !Strings.isNullOrEmpty(str)) {
            String claimAsString = this.idToken.getClaims().getClaimAsString(JwtClaimName.STATE_HASH);
            if (Strings.isNullOrEmpty(claimAsString)) {
                LOG.error("`s_hash` is missing in `ID_TOKEN`.");
                throw new HttpException(ErrorResponseCode.S_HASH_NOT_FOUND);
            }
            if (this.jwsSigner.validateState(str, this.idToken)) {
                return;
            }
            LOG.error("Hash from id_token does not match hash of the state (s_hash). state:" + str + ", idToken: " + this.idToken + ", sHash:" + claimAsString);
            throw new HttpException(ErrorResponseCode.INVALID_STATE_BAD_HASH);
        }
    }

    public void validateAuthorizationCode(String str) {
        if (this.configuration.getIdTokenValidationCHashRequired().booleanValue() && !Strings.isNullOrEmpty(str)) {
            if (Strings.isNullOrEmpty(this.idToken.getClaims().getClaimAsString("c_hash"))) {
                LOG.error("`c_hash` is missing in `ID_TOKEN`.");
                throw new HttpException(ErrorResponseCode.C_HASH_NOT_FOUND);
            }
            if (this.jwsSigner.validateAuthorizationCode(str, this.idToken)) {
                return;
            }
            LOG.error("`Authorization code is invalid. Hash of authorization code does not match hash from id_token (c_hash).");
            throw new HttpException(ErrorResponseCode.INVALID_AUTHORIZATION_CODE_BAD_HASH);
        }
    }

    public static AbstractJwsSigner createJwsSigner(Jwt jwt, OpenIdConfigurationResponse openIdConfigurationResponse, PublicOpKeyService publicOpKeyService, OpClientFactory opClientFactory, Rp rp, RpServerConfiguration rpServerConfiguration) {
        SignatureAlgorithm fromString = SignatureAlgorithm.fromString(jwt.getHeader().getClaimAsString("alg"));
        String jwksUri = openIdConfigurationResponse.getJwksUri();
        String claimAsString = jwt.getHeader().getClaimAsString("kid");
        if (fromString == null) {
            throw new HttpException(ErrorResponseCode.INVALID_ALGORITHM);
        }
        if (Strings.isNullOrEmpty(claimAsString) && (fromString.getFamily() == AlgorithmFamily.RSA || fromString.getFamily() == AlgorithmFamily.EC)) {
            LOG.warn("Warning:`kid` is missing in id_token header. oxd will throw error if RP is unable to determine the key to used for `id_token` validation.");
        }
        if (fromString == SignatureAlgorithm.NONE) {
            if (rpServerConfiguration.getAcceptIdTokenWithoutSignature().booleanValue()) {
                return new AbstractJwsSigner(fromString) { // from class: io.jans.ca.server.op.Validator.1
                    @Override // io.jans.as.model.jws.AbstractJwsSigner
                    public String generateSignature(String str) throws SignatureException {
                        return null;
                    }

                    @Override // io.jans.as.model.jws.AbstractJwsSigner
                    public boolean validateSignature(String str, String str2) throws SignatureException {
                        return true;
                    }
                };
            }
            LOG.error("`ID_TOKEN` without signature is not allowed. To allow `ID_TOKEN` without signature set `accept_id_token_without_signature` field to 'true' in client-api-server.yml.");
            throw new HttpException(ErrorResponseCode.ID_TOKEN_WITHOUT_SIGNATURE_NOT_ALLOWED);
        }
        if (fromString.getFamily() == AlgorithmFamily.RSA) {
            return opClientFactory.createRSASigner(fromString, (RSAPublicKey) publicOpKeyService.getPublicKey(jwksUri, claimAsString, fromString, Use.SIGNATURE));
        }
        if (fromString.getFamily() == AlgorithmFamily.HMAC) {
            return new HMACSigner(fromString, rp.getClientSecret());
        }
        if (fromString.getFamily() == AlgorithmFamily.EC) {
            return new ECDSASigner(fromString, (ECDSAPublicKey) publicOpKeyService.getPublicKey(jwksUri, claimAsString, fromString, Use.SIGNATURE));
        }
        throw new HttpException(ErrorResponseCode.ALGORITHM_NOT_SUPPORTED);
    }

    public void validateNonce(StateService stateService) {
        if (stateService.isExpiredObjectPresent(this.idToken.getClaims().getClaimAsString("nonce"))) {
            return;
        }
        LOG.error("Nonce value from `id_token` is not registered with oxd.");
        throw new HttpException(ErrorResponseCode.INVALID_NONCE);
    }

    public boolean isIdTokenValid(String str) {
        try {
            validateIdToken(str);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public void validateIdToken() {
        validateIdToken(null);
    }

    public void validateIdToken(String str) {
        try {
            String claimAsString = this.idToken.getClaims().getClaimAsString("iss");
            String claimAsString2 = this.idToken.getClaims().getClaimAsString("sub");
            String claimAsString3 = this.idToken.getClaims().getClaimAsString("nonce");
            String clientId = this.rp.getClientId();
            if (this.configuration.getFapiEnabled().booleanValue() && Strings.isNullOrEmpty(claimAsString3)) {
                LOG.error("Nonce is missing from id_token.");
                throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_NO_NONCE);
            }
            if (!Strings.isNullOrEmpty(str) && !claimAsString3.endsWith(str)) {
                LOG.error("ID Token has invalid nonce. Expected nonce: " + str + ", nonce from token is: " + claimAsString3);
                throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_NONCE);
            }
            validateAudience(this.idToken, clientId);
            if (Strings.isNullOrEmpty(claimAsString2)) {
                LOG.error("ID Token is missing `sub` value.");
                throw new HttpException(ErrorResponseCode.NO_SUBJECT_IDENTIFIER);
            }
            Date claimAsDate = this.idToken.getClaims().getClaimAsDate("iat");
            if (claimAsDate == null) {
                LOG.error("`ISSUED_AT` date is either invalid or missing from `ID_TOKEN`.");
                throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_ISSUED_AT);
            }
            Date date = new Date();
            if (this.configuration.getFapiEnabled().booleanValue() && TimeUnit.MILLISECONDS.toHours(date.getTime() - claimAsDate.getTime()) > this.configuration.getIatExpirationInHours()) {
                LOG.error("`ISSUED_AT` date too far in the past. iat : " + claimAsDate + " now : " + date + ").");
                throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_OLD_ISSUED_AT);
            }
            Date claimAsDate2 = this.idToken.getClaims().getClaimAsDate("exp");
            if (claimAsDate2 == null) {
                LOG.error("EXPIRATION_TIME (`exp`) is either invalid or missing from `ID_TOKEN`.");
                throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_EXPIRATION_TIME);
            }
            if (date.after(claimAsDate2)) {
                LOG.error("ID Token is expired. (" + claimAsDate2 + " is before " + date + ").");
                throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_EXPIRED);
            }
            if (Strings.isNullOrEmpty(claimAsString)) {
                LOG.error("Issuer (`iss`) claim is missing from id_token.");
                throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_NO_ISSUER);
            }
            if (!claimAsString.equals(this.discoveryResponse.getIssuer())) {
                LOG.error("ID Token issuer is invalid. Token issuer: " + claimAsString + ", discovery issuer: " + this.discoveryResponse.getIssuer());
                throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_ISSUER);
            }
            String claimAsString4 = this.idToken.getHeader().getClaimAsString("alg");
            SignatureAlgorithm fromString = SignatureAlgorithm.fromString(claimAsString4);
            if (!Strings.isNullOrEmpty(this.rp.getIdTokenSignedResponseAlg()) && SignatureAlgorithm.fromString(this.rp.getIdTokenSignedResponseAlg()) != fromString) {
                LOG.error("The algorithm used to sign the ID Token does not matches with `id_token_signed_response_alg` algorithm set during client registration.Expected: {}, Got: {}", this.rp.getIdTokenSignedResponseAlg(), claimAsString4);
                throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_INVALID_ALGORITHM);
            }
            if (fromString == SignatureAlgorithm.NONE || this.jwsSigner.validate(this.idToken)) {
                return;
            }
            LOG.error("ID Token signature is invalid.");
            throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_SIGNATURE);
        } catch (HttpException e) {
            throw e;
        } catch (Exception e2) {
            LOG.error(e2.getMessage(), (Throwable) e2);
            throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_UNKNOWN);
        }
    }

    public static void validateAudience(Jwt jwt, String str) {
        String claimAsString = jwt.getClaims().getClaimAsString("aud");
        if (Strings.isNullOrEmpty(claimAsString)) {
            LOG.error("The audience (`aud`) claim is missing from ID Token.");
            throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_NO_AUDIENCE);
        }
        if (str.equalsIgnoreCase(claimAsString)) {
            return;
        }
        List<String> claimAsStringList = jwt.getClaims().getClaimAsStringList("aud");
        if (claimAsStringList == null || claimAsStringList.isEmpty()) {
            return;
        }
        if (hasListAsElement(claimAsStringList)) {
            claimAsStringList = arrStringToList(claimAsStringList.get(0));
        }
        if (!claimAsStringList.stream().anyMatch(str2 -> {
            return str.equalsIgnoreCase(str2);
        })) {
            LOG.error("ID Token has invalid audience (string list). Expected audience: " + str + ", audience from token is: " + claimAsStringList);
            throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_AUDIENCE);
        }
        if (claimAsStringList.size() > 1) {
            String claimAsString2 = jwt.getClaims().getClaimAsString(JwtClaimName.AUTHORIZED_PARTY);
            if (Strings.isNullOrEmpty(claimAsString2)) {
                LOG.error("The ID Token has multiple audiences. Authorized party (`azp`) is missing in ID Token.");
                throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_NO_AUTHORIZED_PARTY);
            }
            if (Strings.isNullOrEmpty(claimAsString2) || claimAsString2.equalsIgnoreCase(str)) {
                return;
            }
            LOG.error("ID Token has invalid authorized party (string list). Expected authorized party: " + str + ", authorized party from token is: " + claimAsString2);
            throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_AUTHORIZED_PARTY);
        }
    }

    public static boolean hasListAsElement(List<String> list) {
        return list.size() == 1 && list.get(0).contains("[") && list.get(0).contains(DefaultExpressionEngine.DEFAULT_ATTRIBUTE_END);
    }

    public static List<String> arrStringToList(String str) {
        if (Strings.isNullOrEmpty(str)) {
            throw new HttpException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_AUDIENCE);
        }
        return Lists.newArrayList(str.replaceAll("\"", "").replaceAll("\\[", "").replaceAll("\\]", "").split("\\s*,\\s*"));
    }

    public Jwt getIdToken() {
        return this.idToken;
    }
}
