package io.jans.ca.server.service;

import com.google.common.base.Strings;
import io.jans.as.model.common.IntrospectionResponse;
import io.jans.ca.common.ErrorResponseCode;
import io.jans.ca.common.params.GetClientTokenParams;
import io.jans.ca.common.params.GetRpParams;
import io.jans.ca.common.params.HasRpIdParams;
import io.jans.ca.common.params.IParams;
import io.jans.ca.common.params.RegisterSiteParams;
import io.jans.ca.server.HttpException;
import io.jans.ca.server.configuration.ApiAppConfiguration;
import io.jans.ca.server.configuration.model.Rp;
import io.jans.ca.server.persistence.service.MainPersistenceService;
import io.jans.util.Pair;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

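/**
 * Validation of incoming command parameters, RP records and access tokens for the client API.
 *
 * <p>Every check reports failure by throwing an {@link HttpException} that carries the matching
 * {@link ErrorResponseCode}; callers let it propagate to the HTTP layer. The token checks
 * deliberately never write the access token itself to the log.
 */
@ApplicationScoped
/* loaded from: input_file:io/jans/ca/server/service/ValidationService.class */
public class ValidationService {
    private static final Logger LOG = LoggerFactory.getLogger(ValidationService.class);

    /** Scope an access token must carry to be accepted by {@link #validateAccessToken}. */
    private static final String REQUIRED_SCOPE = "jans_client_api";

    @Inject
    RpSyncService rpSyncService;

    @Inject
    RpService rpService;

    @Inject
    IntrospectionService introspectionService;

    @Inject
    MainPersistenceService jansConfigurationService;

    /** Reads the current API configuration from the persistence layer on every call. */
    private ApiAppConfiguration getConfiguration() {
        return this.jansConfigurationService.find();
    }

    /**
     * Rejects a missing parameter object.
     *
     * @throws HttpException {@code INTERNAL_ERROR_NO_PARAMS} when {@code iParams} is {@code null}
     */
    private void notNull(IParams iParams) {
        if (iParams == null) {
            throw new HttpException(ErrorResponseCode.INTERNAL_ERROR_NO_PARAMS);
        }
    }

    /**
     * Rejects a missing rp_id. Note that only {@code null} and the empty string are rejected; a
     * whitespace-only value passes this check.
     *
     * @param str the rp_id to check
     * @throws HttpException {@code BAD_REQUEST_NO_RP_ID} when the value is null or empty
     */
    public void notBlankRpId(String str) {
        if (Strings.isNullOrEmpty(str)) {
            throw new HttpException(ErrorResponseCode.BAD_REQUEST_NO_RP_ID);
        }
    }

    /**
     * Rejects a missing OP host. As with {@link #notBlankRpId}, a whitespace-only value passes.
     *
     * @param str the OP host to check
     * @throws HttpException {@code INVALID_OP_HOST} when the value is null or empty
     */
    public void notBlankOpHost(String str) {
        if (Strings.isNullOrEmpty(str)) {
            throw new HttpException(ErrorResponseCode.INVALID_OP_HOST);
        }
    }

    /**
     * Requires the OP configuration endpoint to be present and to contain the well-known
     * OpenID Connect discovery path.
     *
     * @param str the OP configuration endpoint URL
     * @throws HttpException {@code INVALID_OP_CONFIGURATION_ENDPOINT} when the check fails
     */
    public void validateOpConfigurationEndpoint(String str) {
        if (Strings.isNullOrEmpty(str) || !str.contains(DiscoveryService.WELL_KNOWN_CONNECT_PATH)) {
            throw new HttpException(ErrorResponseCode.INVALID_OP_CONFIGURATION_ENDPOINT);
        }
    }

    /**
     * Rejects {@code str} when the configuration restricts OP hosts and {@code str} is not on
     * that allow-list. An absent or empty allow-list accepts every OP host, and a null/empty
     * {@code str} is accepted here (it is reported by {@link #notBlankOpHost} instead).
     *
     * <p>Hosts are compared as parsed {@link URI}s, not with {@link URL#equals}: the latter
     * resolves both host names through DNS, which blocks on network I/O and treats two distinct
     * hosts as equal whenever they resolve to the same address.
     *
     * @param str the OP host URL of the RP
     * @throws HttpException {@code RESTRICTED_OP_HOST} when the host is not on the allow-list,
     *     {@code INVALID_ALLOWED_OP_HOST_URL} when {@code str} or an allow-list entry does not
     *     parse as a URL
     */
    public void isOpHostAllowed(String str) {
        List<String> allowedOpHosts = getConfiguration().getAllowedOpHosts();
        if (Strings.isNullOrEmpty(str) || allowedOpHosts == null || allowedOpHosts.isEmpty()) {
            return;
        }
        // Parse the candidate once instead of once per allow-list entry.
        URI candidate = parseOpHost(str);
        boolean allowed = allowedOpHosts.stream()
                .map(ValidationService::parseOpHost)
                .anyMatch(candidate::equals);
        if (!allowed) {
            throw new HttpException(ErrorResponseCode.RESTRICTED_OP_HOST);
        }
    }

    /**
     * Parses an OP host for comparison in {@link #isOpHostAllowed}. {@link URL} is still used
     * for the syntax check so that unknown schemes are rejected as before; the result is
     * converted to a {@link URI} so that equality does not involve DNS resolution. Note that
     * {@link URI#equals} does not treat an explicit default port as equal to an omitted one.
     *
     * @throws HttpException {@code INVALID_ALLOWED_OP_HOST_URL} when the value does not parse
     */
    private static URI parseOpHost(String value) {
        try {
            return new URL(value).toURI();
        } catch (MalformedURLException | URISyntaxException e) {
            throw new HttpException(ErrorResponseCode.INVALID_ALLOWED_OP_HOST_URL);
        }
    }

    /**
     * Validates the parameters of a command and resolves the RP it refers to.
     *
     * @param iParams the command parameters
     * @return a pair of the resolved {@link Rp} and a flag that is {@code true} only for
     *     {@link GetRpParams} requests (the RP is {@code null} for a "list" request), or
     *     {@code null} when no RP could be resolved for the given parameters
     * @throws HttpException {@code INTERNAL_ERROR_NO_PARAMS} when {@code iParams} is null,
     *     {@code BAD_REQUEST_NO_RP_ID} when a {@link HasRpIdParams} carries no rp_id
     */
    public Pair<Rp, Boolean> validate(IParams iParams) {
        notNull(iParams);
        if (isInstanceOfGetRpParamsWithList(iParams)) {
            // A "list all RPs" request has no single RP to resolve.
            return new Pair<>((Rp) null, true);
        }
        if (iParams instanceof HasRpIdParams) {
            validate((HasRpIdParams) iParams);
        }
        // A site registration creates the RP, so there is nothing to look up yet.
        if (iParams instanceof HasRpIdParams && !(iParams instanceof RegisterSiteParams)) {
            Rp rp = lookupRpBestEffort(((HasRpIdParams) iParams).getRpId());
            if (rp != null) {
                return new Pair<>(rp, false);
            }
        }
        if (iParams instanceof GetClientTokenParams) {
            Rp rpByClientId = this.rpService.getRpByClientId(((GetClientTokenParams) iParams).getClientId());
            if (rpByClientId != null) {
                return new Pair<>(rpByClientId, false);
            }
        }
        if (!(iParams instanceof GetRpParams)) {
            return null;
        }
        GetRpParams getRpParams = (GetRpParams) iParams;
        String rpId = getRpParams.getRpId();
        if (StringUtils.isBlank(rpId) || Boolean.TRUE.equals(getRpParams.getList())) {
            return null;
        }
        Rp rp = this.rpSyncService.getRp(rpId);
        return rp != null ? new Pair<>(rp, true) : null;
    }

    /**
     * Looks up an RP by id without letting a lookup failure abort parameter validation: an
     * {@link HttpException} from the sync layer and any other failure are both treated as
     * "not found", the latter after being logged. The caller falls through to its other
     * resolution strategies.
     *
     * @return the RP, or {@code null} when {@code rpId} is blank or no RP could be resolved
     */
    private Rp lookupRpBestEffort(String rpId) {
        if (StringUtils.isBlank(rpId)) {
            return null;
        }
        try {
            return this.rpSyncService.getRp(rpId);
        } catch (HttpException e) {
            // Expected for unknown ids; not an error at this stage of validation.
            LOG.debug("RP lookup for rp_id {} failed, continuing with other strategies", rpId);
            return null;
        } catch (Exception e) {
            LOG.error("Failed to identify RP. Message: {}", e.getMessage(), e);
            return null;
        }
    }

    /**
     * Verifies that an access token protects a command for the given RP: the token must be
     * present, active, introspect to a client_id, carry the {@value #REQUIRED_SCOPE} scope, and
     * belong to the RP's client. The token value is never logged.
     *
     * @param str  the access token
     * @param str2 the rp_id the token must belong to
     * @throws HttpException {@code BLANK_ACCESS_TOKEN}, {@code INVALID_RP_ID} when no RP exists
     *     for {@code str2}, {@code INACTIVE_ACCESS_TOKEN} (from {@link #introspect}),
     *     {@code NO_CLIENT_ID_IN_INTROSPECTION_RESPONSE}, {@code ACCESS_TOKEN_INSUFFICIENT_SCOPE},
     *     {@code INVALID_ACCESS_TOKEN} when the token's client_id is not the RP's client_id
     */
    public void validateAccessToken(String str, String str2) {
        if (StringUtils.isBlank(str)) {
            throw new HttpException(ErrorResponseCode.BLANK_ACCESS_TOKEN);
        }
        Rp rp = this.rpSyncService.getRp(str2);
        if (rp == null) {
            // Without the RP record there is no client_id to bind the token to.
            throw new HttpException(ErrorResponseCode.INVALID_RP_ID);
        }
        IntrospectionResponse introspect = introspect(str, str2);
        LOG.trace("introspection: {}, clientId: {}", introspect, rp.getClientId());
        if (StringUtils.isBlank(introspect.getClientId())) {
            LOG.error("AS returned introspection response with empty/blank client_id which is required by jans_client_api. Please check your AS installation and make sure AS return client_id for introspection call (CE 3.1.0 or later).");
            throw new HttpException(ErrorResponseCode.NO_CLIENT_ID_IN_INTROSPECTION_RESPONSE);
        }
        // A response without any scope cannot satisfy the requirement; guard before contains().
        if (introspect.getScope() == null || !introspect.getScope().contains(REQUIRED_SCOPE)) {
            LOG.error("access_token does not have `jans_client_api` scope. Make sure a) scope exists on AS b) register_site is registered with 'jans_client_api' scope c) get_client_token has 'jans_client_api' scope in request");
            throw new HttpException(ErrorResponseCode.ACCESS_TOKEN_INSUFFICIENT_SCOPE);
        }
        if (!introspect.getClientId().equals(rp.getClientId())) {
            LOG.error("access_token client_id does not match the client_id of the RP. Forbidden.");
            throw new HttpException(ErrorResponseCode.INVALID_ACCESS_TOKEN);
        }
    }

    /**
     * Introspects an access token at the AS of the given RP and requires it to be active.
     *
     * @param str  the access token
     * @param str2 the rp_id whose AS performs the introspection
     * @return the introspection response, which is guaranteed to be active
     * @throws HttpException {@code BLANK_ACCESS_TOKEN} when the token is blank,
     *     {@code INACTIVE_ACCESS_TOKEN} when the AS reports the token as inactive
     */
    public IntrospectionResponse introspect(String str, String str2) {
        if (StringUtils.isBlank(str)) {
            LOG.debug("access_token is blank. Command is protected by access_token, please provide valid token or otherwise switch off protection in configuration with protect_commands_with_access_token=false");
            throw new HttpException(ErrorResponseCode.BLANK_ACCESS_TOKEN);
        }
        // Only the rp_id is logged: the full Rp record may carry client credentials.
        LOG.trace("Introspect token with rp_id: {}", str2);
        IntrospectionResponse introspectToken = this.introspectionService.introspectToken(str2, str);
        if (!introspectToken.isActive()) {
            LOG.error("access_token is not active.");
            throw new HttpException(ErrorResponseCode.INACTIVE_ACCESS_TOKEN);
        }
        return introspectToken;
    }

    /**
     * Requires the parameter object to be present and to carry an rp_id.
     *
     * @throws HttpException {@code INTERNAL_ERROR_NO_PARAMS} or {@code BAD_REQUEST_NO_RP_ID}
     */
    public void validate(HasRpIdParams hasRpIdParams) {
        notNull(hasRpIdParams);
        notBlankRpId(hasRpIdParams.getRpId());
    }

    /**
     * Requires an RP record to be present, to carry an rp_id and an OP host, and that OP host to
     * be allowed by the configuration.
     *
     * @param rp the RP record, possibly {@code null}
     * @return the same {@code rp}, for call chaining
     * @throws HttpException {@code INVALID_RP_ID} when {@code rp} is null, otherwise whatever
     *     {@link #notBlankRpId}, {@link #notBlankOpHost} and {@link #isOpHostAllowed} throw
     */
    public Rp validate(Rp rp) {
        if (rp == null) {
            throw new HttpException(ErrorResponseCode.INVALID_RP_ID);
        }
        notBlankRpId(rp.getRpId());
        notBlankOpHost(rp.getOpHost());
        isOpHostAllowed(rp.getOpHost());
        return rp;
    }

    /** True when the parameters are a {@link GetRpParams} whose {@code list} flag is set. */
    private static boolean isInstanceOfGetRpParamsWithList(IParams iParams) {
        return iParams instanceof GetRpParams
                && Boolean.TRUE.equals(((GetRpParams) iParams).getList());
    }
}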
