package io.jans.lock.service.filter.openid;

import com.fasterxml.jackson.databind.ObjectMapper;
import io.jans.as.client.OpenIdConfigurationResponse;
import io.jans.as.client.service.ClientFactory;
import io.jans.as.client.service.IntrospectionService;
import io.jans.as.model.common.IntrospectionResponse;
import io.jans.as.model.crypto.AuthCryptoProvider;
import io.jans.as.model.crypto.signature.AlgorithmFamily;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtClaims;
import io.jans.lock.service.OpenIdService;
import io.jans.lock.service.filter.ProtectionService;
import io.jans.service.security.api.ProtectedApi;
import jakarta.annotation.PostConstruct;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import java.lang.annotation.Annotation;
import java.lang.reflect.AnnotatedElement;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.json.JSONObject;
import org.slf4j.Logger;

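@ApplicationScoped
public class OpenIdProtectionService implements ProtectionService {

    /** Strips the RFC 6750 {@code Bearer} scheme (case-insensitive) from an Authorization header value. */
    private static final String BEARER_PREFIX_REGEX = "(?i)^Bearer\\s+";

    /**
     * Signature algorithm families accepted for JWT access tokens. These are the families named in the
     * rejection message below; anything else (HMAC, "none", unknown alg values) is refused before the
     * signature is ever checked.
     */
    private static final List<AlgorithmFamily> ALLOWED_FAMILIES =
            Arrays.asList(AlgorithmFamily.RSA, AlgorithmFamily.EC, AlgorithmFamily.ED);

    @Inject
    private Logger log;

    @Inject
    private OpenIdService openIdService;
    // Populated by init(); may stay null if the OP metadata could not be loaded (init is best-effort).
    private IntrospectionService introspectionService;
    private OpenIdConfigurationResponse oidcConfig;
    private ObjectMapper mapper;

    /**
     * Checks that the request carries a bearer token that is valid and covers the scopes required by the
     * resource class/method (see {@link ProtectedApi}). JWT-shaped tokens are validated locally against the
     * OP's issuer and JWKS; opaque tokens are sent to the OP's introspection endpoint.
     *
     * @param httpHeaders  headers of the incoming request; only {@code Authorization} is read
     * @param resourceInfo the matched resource, used to collect required scopes
     * @return {@code null} when the request is authorized, otherwise an error response to return as-is
     */
    @Override // io.jans.lock.service.filter.ProtectionService
    public Response processAuthorization(HttpHeaders httpHeaders, ResourceInfo resourceInfo) {
        try {
            String headerString = httpHeaders.getHeaderString("Authorization");
            boolean hasHeader = StringUtils.isNotEmpty(headerString);
            this.log.info("Authorization header {}found", hasHeader ? "" : "not ");
            if (!hasHeader) {
                this.log.info("Request is missing authorization header");
                return simpleResponse(Response.Status.UNAUTHORIZED, "No authorization header found");
            }
            // Only the Bearer scheme is supported. A header with another scheme (or an empty token) is
            // rejected here instead of being forwarded to introspection as if it were a token.
            String token = headerString.replaceFirst(BEARER_PREFIX_REGEX, "");
            if (token.equals(headerString) || token.isEmpty()) {
                this.log.info("Authorization header does not carry a bearer token");
                return simpleResponse(Response.Status.UNAUTHORIZED, "Bearer token expected");
            }
            if (this.oidcConfig == null) {
                // init() swallows failures; without OP metadata neither validation path can work.
                this.log.error("OpenID configuration not available; cannot validate token");
                return simpleResponse(Response.Status.INTERNAL_SERVER_ERROR, "OpenID configuration not available");
            }
            // The token is a credential: record that validation starts, never the token value itself.
            this.log.debug("Validating bearer token");
            List<String> requestedScopes = getRequestedScopes(resourceInfo);
            this.log.info("Call requires scopes: {}", requestedScopes);

            Jwt jwt = tokenAsJwt(token);
            if (jwt == null) {
                return processIntrospectionResponse(introspect(token), requestedScopes);
            }
            return processJwt(jwt, requestedScopes);
        } catch (Exception e) {
            this.log.error("Error while processing authorization: {}", e.getMessage(), e);
            // Internal exception text stays in the log; the caller only gets a generic message.
            return simpleResponse(Response.Status.INTERNAL_SERVER_ERROR, "Error while processing authorization");
        }
    }

    /**
     * Decides on an introspection result: the token must be active and its scopes must include every
     * requested scope.
     *
     * @param introspectionResponse result from the OP, or {@code null} if the introspection call failed
     * @param requestedScopes       scopes required by the invoked resource
     * @return {@code null} when authorized, otherwise a {@code 403} response
     */
    public Response processIntrospectionResponse(IntrospectionResponse introspectionResponse, List<String> requestedScopes) {
        List<String> tokenScopes = introspectionResponse == null ? null : introspectionResponse.getScope();
        // A null scope list covers both "introspection failed" and "no scope in the response".
        if (tokenScopes == null || !introspectionResponse.isActive() || !tokenScopes.containsAll(requestedScopes)) {
            this.log.error("{}. Token scopes: {}", "Invalid token or insufficient scopes", tokenScopes);
            return simpleResponse(Response.Status.FORBIDDEN, "Invalid token or insufficient scopes");
        }
        return null;
    }

    /**
     * Validates a JWT access token locally: issuer, expiry, signature against the OP's JWKS, and scopes.
     *
     * @param jwt             parsed token
     * @param requestedScopes scopes required by the invoked resource
     * @return {@code null} when the token is valid and covers {@code requestedScopes}, else an error response
     * @throws Exception if the JWKS cannot be fetched or the signature check itself fails
     */
    private Response processJwt(Jwt jwt, List<String> requestedScopes) throws Exception {
        JwtClaims claims = jwt.getClaims();
        if (!this.oidcConfig.getIssuer().equals(claims.getClaimAsString("iss"))) {
            return simpleResponse(Response.Status.FORBIDDEN, "Invalid token issuer");
        }
        // exp is seconds since the epoch. The multiplication must be done in long arithmetic: as an int,
        // 1000 * exp overflows for any current timestamp and every token would look expired.
        // A missing exp counts as expired.
        long expSeconds = Optional.ofNullable(claims.getClaimAsInteger("exp")).orElse(0);
        if (expSeconds * 1000L < System.currentTimeMillis()) {
            return simpleResponse(Response.Status.FORBIDDEN, "Expired token");
        }
        SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();
        AlgorithmFamily family = signatureAlgorithm == null ? null : signatureAlgorithm.getFamily();
        if (AlgorithmFamily.HMAC.equals(family)) {
            return simpleResponse(Response.Status.INTERNAL_SERVER_ERROR, "HMAC algorithm not allowed for token signature. Please use an algorithm in the EC, ED, or RSA family for signing");
        }
        if (!ALLOWED_FAMILIES.contains(family)) {
            return simpleResponse(Response.Status.INTERNAL_SERVER_ERROR, "Unsupported algorithm for token signature. Please use an algorithm in the EC, ED, or RSA family for signing");
        }
        // Built per request with no local keystore; the JWKS passed to verifySignature supplies the keys.
        // NOTE(review): assumed cheap to construct — confirm before hoisting to a field.
        AuthCryptoProvider cryptoProvider = new AuthCryptoProvider((String) null, (String) null, (String) null, true);
        boolean validSignature = cryptoProvider.verifySignature(jwt.getSigningInput(), jwt.getEncodedSignature(),
                jwt.getHeader().getKeyId(), fetchJwks(), (String) null, signatureAlgorithm);
        // A token without a scope claim simply has no scopes; do not let a null list escalate into a 500.
        List<String> tokenScopes = Optional.ofNullable(claims.getClaimAsStringList("scope")).orElse(Collections.emptyList());
        if (validSignature && tokenScopes.containsAll(requestedScopes)) {
            return null;
        }
        this.log.error("{}. Token scopes: {}", "Invalid token signature or insufficient scopes", tokenScopes);
        return simpleResponse(Response.Status.FORBIDDEN, "Invalid token signature or insufficient scopes");
    }

    /**
     * Calls the OP's introspection endpoint for an opaque token. As before, the token itself authenticates
     * the introspection call.
     *
     * @return the introspection response, or {@code null} if the call failed (the failure is logged)
     */
    private IntrospectionResponse introspect(String token) {
        try {
            return this.introspectionService.introspectToken("Bearer " + token, token);
        } catch (Exception e) {
            this.log.error("Token introspection failed: {}", e.getMessage(), e);
            return null;
        }
    }

    /** Downloads the OP's JWKS; fetched on every JWT validation, no caching here. */
    private JSONObject fetchJwks() throws Exception {
        Map<?, ?> keys = this.mapper.readValue(new URL(this.oidcConfig.getJwksUri()), Map.class);
        return new JSONObject(keys);
    }

    /**
     * Parses the token as a JWT.
     *
     * @return the parsed JWT, or {@code null} if the value is not JWT-shaped (opaque token)
     */
    private Jwt tokenAsJwt(String token) {
        try {
            Jwt jwt = Jwt.parse(token);
            this.log.trace("This looks like a JWT token");
            return jwt;
        } catch (InvalidJwtException e) {
            this.log.trace("Not a JWT token");
            return null;
        }
    }

    /** Collects the scopes declared by {@link ProtectedApi} on the resource class and on the resource method. */
    private List<String> getRequestedScopes(ResourceInfo resourceInfo) {
        List<String> scopes = new ArrayList<>();
        scopes.addAll(getScopesFromAnnotation(resourceInfo.getResourceClass()));
        scopes.addAll(getScopesFromAnnotation(resourceInfo.getResourceMethod()));
        return scopes;
    }

    /** Scopes from the element's {@link ProtectedApi} annotation, or an empty list when it is absent. */
    private List<String> getScopesFromAnnotation(AnnotatedElement annotatedElement) {
        return optAnnotation(annotatedElement, ProtectedApi.class)
                .map(ProtectedApi::scopes)
                .map(Arrays::asList)
                .orElse(Collections.emptyList());
    }

    private static <T extends Annotation> Optional<T> optAnnotation(AnnotatedElement annotatedElement, Class<T> cls) {
        return Optional.ofNullable(annotatedElement.getAnnotation(cls));
    }

    /**
     * Loads the OP configuration and builds the introspection client. Failures are logged and leave the
     * fields null; {@link #processAuthorization} then refuses every request with a {@code 500}.
     */
    @PostConstruct
    private void init() {
        try {
            this.mapper = new ObjectMapper();
            this.oidcConfig = this.openIdService.getOpenIdConfiguration();
            this.introspectionService = ClientFactory.instance().createIntrospectionService(this.oidcConfig.getIntrospectionEndpoint(), ClientFactory.instance().createEngine());
        } catch (Exception e) {
            this.log.error("Failed to initialize OpenID protection: {}", e.getMessage(), e);
        }
    }

    /** Builds a response with the given status and a plain-text body. */
    public Response simpleResponse(Response.Status status, String message) {
        return Response.status(status).entity(message).build();
    }
}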
