package org.gluu.oxauth.authorize.ws.rs;

import java.util.Calendar;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.TimeZone;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.StringUtils;
import org.gluu.oxauth.model.authorize.AuthorizeErrorResponseType;
import org.gluu.oxauth.model.authorize.AuthorizeParamsValidator;
import org.gluu.oxauth.model.authorize.JwtAuthorizationRequest;
import org.gluu.oxauth.model.ciba.BackchannelAuthenticationErrorResponseType;
import org.gluu.oxauth.model.common.Prompt;
import org.gluu.oxauth.model.common.ResponseMode;
import org.gluu.oxauth.model.common.ResponseType;
import org.gluu.oxauth.model.common.SessionId;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.error.ErrorResponseFactory;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.service.ClientService;
import org.gluu.oxauth.service.DeviceAuthorizationService;
import org.gluu.oxauth.service.RedirectUriResponse;
import org.gluu.oxauth.service.RedirectionUriService;
import org.gluu.oxauth.util.RedirectUri;
import org.gluu.oxauth.util.RedirectUtil;
import org.gluu.oxauth.util.ServerUtil;
import org.gluu.persist.exception.EntryPersistenceException;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;

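/**
 * Validation helpers for the authorization endpoint: client lookup, max_age, request /
 * request_uri handling, signed request objects (plain and CIBA), redirect_uri and the
 * device-flow user code.
 *
 * <p>Every failed check is reported by throwing a {@link WebApplicationException} that already
 * carries the error response, so callers never continue with a partially validated request.
 * All inputs handled here come straight from the client and are untrusted.
 */
@Named
@Stateless
public class AuthorizeRestWebServiceValidator {

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private ClientService clientService;

    @Inject
    private RedirectionUriService redirectionUriService;

    @Inject
    private DeviceAuthorizationService deviceAuthorizationService;

    @Inject
    private AppConfiguration appConfiguration;

    /**
     * Resolves the client named by {@code client_id} and checks that it may be used.
     *
     * @param clientId the client_id request parameter (untrusted, may be blank)
     * @param state    the state request parameter, echoed into the error body
     * @return the registered, enabled client
     * @throws WebApplicationException 400 when client_id is blank; 401 when the client is
     *                                 unknown, disabled, or the lookup itself fails
     */
    public Client validateClient(String clientId, String state) {
        if (StringUtils.isBlank(clientId)) {
            throw new WebApplicationException(jsonError(Response.Status.BAD_REQUEST,
                    AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, state, "client_id is empty or blank."));
        }
        try {
            Client client = clientService.getClient(clientId);
            if (client == null) {
                throw new WebApplicationException(jsonError(Response.Status.UNAUTHORIZED,
                        AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, state, "Unable to find client."));
            }
            if (client.isDisabled()) {
                throw new WebApplicationException(jsonError(Response.Status.UNAUTHORIZED,
                        AuthorizeErrorResponseType.DISABLED_CLIENT, state, "Client is disabled."));
            }
            return client;
        } catch (EntryPersistenceException e) {
            // A persistence failure is reported to the client exactly like an unknown client (no
            // extra information leaks), but the cause is kept in the log so operators can tell the
            // two apart. Debug level because the persistence layer may also raise this on a plain miss.
            log.debug("Unable to find client on AS.", e);
            throw new WebApplicationException(jsonError(Response.Status.UNAUTHORIZED,
                    AuthorizeErrorResponseType.UNAUTHORIZED_CLIENT, state, "Unable to find client on AS."));
        }
    }

    /**
     * Checks whether the session's authentication is still recent enough for {@code max_age}.
     *
     * @param maxAge      the max_age request parameter in seconds, or null to fall back to the
     *                    client's registered default_max_age
     * @param sessionUser the current session, whose authentication time is compared
     * @param client      the client, consulted for default_max_age when the request has none
     * @return true when no max_age applies, or when authentication time + max_age is still in the
     *         future; false when the user must re-authenticate
     */
    public boolean validateAuthnMaxAge(Integer maxAge, SessionId sessionUser, Client client) {
        Integer effectiveMaxAge = maxAge != null ? maxAge : client.getDefaultMaxAge();
        if (effectiveMaxAge == null) {
            // Neither the request nor the client registration constrains the session age.
            return true;
        }
        GregorianCalendar deadline = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
        if (sessionUser.getAuthenticationTime() != null) {
            deadline.setTime(sessionUser.getAuthenticationTime());
        }
        // NOTE(review): a session without an authentication time starts the window at "now" and
        // therefore always satisfies max_age (even max_age=0); confirm sessions are never
        // persisted without one, otherwise this check can be bypassed for such sessions.
        deadline.add(Calendar.SECOND, effectiveMaxAge);
        // NOTE(review): Calendar.after(Object) is false for any argument that is not a Calendar,
        // so this relies on ServerUtil.now() returning a Calendar — verify; a Date here would make
        // every max_age request fail closed (forced re-authentication).
        return deadline.after(ServerUtil.now());
    }

    /**
     * Enforces the mutual-exclusion rule for the {@code request} and {@code request_uri}
     * parameters, plus the FAPI rule that one of them is mandatory.
     *
     * @param request             the request parameter (request object by value), may be blank
     * @param requestUri          the request_uri parameter (request object by reference), may be blank
     * @param redirectUriResponse builder for the error redirect
     * @throws WebApplicationException invalid_request when both are present, or when FAPI mode is
     *                                 on and both are absent
     */
    public void validateRequestJwt(String request, String requestUri, RedirectUriResponse redirectUriResponse) {
        boolean hasRequest = StringUtils.isNotBlank(request);
        boolean hasRequestUri = StringUtils.isNotBlank(requestUri);
        if (appConfiguration.getFapiCompatibility().booleanValue() && !hasRequest && !hasRequestUri) {
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST,
                    "request and request_uri are both not specified which is forbidden for FAPI.");
        }
        if (hasRequest && hasRequestUri) {
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST,
                    "Both request and request_uri are specified which is not allowed.");
        }
    }

    /**
     * Validates the basic authorization parameters and, on failure, reports invalid_request —
     * by redirect when the redirect_uri is registered for the client, otherwise as a direct 400.
     *
     * @param responseTypes parsed response_type values
     * @param prompts       parsed prompt values
     * @param nonce         the nonce parameter (assumed: third argument of
     *                      {@link AuthorizeParamsValidator#validateParams})
     * @param state         the state parameter, echoed into the error
     * @param redirectUri   the redirect_uri parameter, may be null
     * @param httpRequest   the servlet request, used to build the redirect response
     * @param client        the already validated client
     * @param responseMode  the response_mode, used to build the error redirect
     * @throws WebApplicationException when the parameters are invalid
     */
    public void validate(List<ResponseType> responseTypes, List<Prompt> prompts, String nonce, String state,
                         String redirectUri, HttpServletRequest httpRequest, Client client, ResponseMode responseMode) {
        boolean fapi = appConfiguration.getFapiCompatibility().booleanValue();
        if (AuthorizeParamsValidator.validateParams(responseTypes, prompts, nonce, fapi)) {
            return;
        }
        // Only redirect the error to a redirect_uri registered for this client; anything else gets a
        // plain 400 so the endpoint cannot be used as an open redirector for error responses.
        if (redirectUri == null || redirectionUriService.validateRedirectionUri(client, redirectUri) == null) {
            throw new WebApplicationException(jsonError(Response.Status.BAD_REQUEST,
                    AuthorizeErrorResponseType.INVALID_REQUEST, state, "Invalid redirect uri."));
        }
        RedirectUri errorRedirect = new RedirectUri(redirectUri, responseTypes, responseMode);
        errorRedirect.parseQueryString(
                errorResponseFactory.getErrorAsQueryString(AuthorizeErrorResponseType.INVALID_REQUEST, state));
        throw new WebApplicationException(RedirectUtil.getRedirectResponseBuilder(errorRedirect, httpRequest).build());
    }

    /**
     * Validates the claims of a (already parsed and signature-checked, presumably — see caller)
     * request object for the authorization endpoint.
     *
     * <p>Outside FAPI mode only the {@code aud} claim is checked, and only when present. In FAPI
     * mode {@code aud}, {@code exp}, {@code scope}, {@code nonce} and {@code redirect_uri} are
     * mandatory and {@code exp} must be in the future.
     *
     * @param jwtRequest          the request object
     * @param redirectUriResponse builder for the error redirect
     * @throws WebApplicationException invalid_request_object on any failed check
     */
    public void validateRequestObject(JwtAuthorizationRequest jwtRequest, RedirectUriResponse redirectUriResponse) {
        if (!jwtRequest.getAud().isEmpty() && !jwtRequest.getAud().contains(appConfiguration.getIssuer())) {
            log.error("Failed to match aud to AS, aud: " + jwtRequest.getAud());
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        if (!appConfiguration.getFapiCompatibility().booleanValue()) {
            return;
        }
        // FAPI: a request object without aud is not acceptable — it must name this AS, otherwise a
        // request object signed for a different audience could be replayed here.
        if (jwtRequest.getAud().isEmpty()) {
            log.error("Request object does not have aud claim which is required for FAPI.");
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        if (jwtRequest.getExp() == null) {
            log.error("The exp claim is not set");
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        long expMillis = expiryMillis(jwtRequest);
        long nowMillis = new Date().getTime();
        if (expMillis < nowMillis) {
            log.error("Request object expired. Exp:" + expMillis + ", now: " + nowMillis);
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        if (jwtRequest.getScopes() == null || jwtRequest.getScopes().isEmpty()) {
            log.error("Request object does not have scope claim.");
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        if (StringUtils.isBlank(jwtRequest.getNonce())) {
            log.error("Request object does not have nonce claim.");
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        if (StringUtils.isBlank(jwtRequest.getRedirectUri())) {
            log.error("Request object does not have redirect_uri claim.");
            throw redirectUriResponse.createWebException(AuthorizeErrorResponseType.INVALID_REQUEST_OBJECT);
        }
        // NOTE(review): unlike the CIBA variant below, no iss / nbf / jti checks are made here and
        // no upper bound is placed on exp; confirm that is acceptable for the targeted FAPI profile.
    }

    /**
     * Validates the claims of a CIBA (backchannel authentication) signed request object.
     *
     * <p>{@code aud} must be present and contain this AS's issuer. In FAPI mode the object must
     * additionally carry a future {@code exp}, a non-empty {@code scope}, an {@code iss} equal to
     * the authenticated client_id, a non-zero {@code iat}, an {@code nbf} that is not in the future
     * and not older than {@code cibaMaxExpirationTimeAllowedSec}, a {@code jti}, and exactly one
     * of login_hint / login_hint_token / id_token_hint.
     *
     * @param jwtRequest the request object
     * @param clientId   the client_id the request object's iss must match
     * @throws WebApplicationException 400 invalid_request on any failed check
     */
    public void validateCibaRequestObject(JwtAuthorizationRequest jwtRequest, String clientId) {
        if (jwtRequest.getAud().isEmpty() || !jwtRequest.getAud().contains(appConfiguration.getIssuer())) {
            log.error("Failed to match aud to AS, aud: " + jwtRequest.getAud());
            throw cibaInvalidRequest();
        }
        if (!appConfiguration.getFapiCompatibility().booleanValue()) {
            return;
        }
        if (jwtRequest.getExp() == null) {
            log.error("The exp claim is not set");
            throw cibaInvalidRequest();
        }
        long expMillis = expiryMillis(jwtRequest);
        long nowMillis = new Date().getTime();
        if (expMillis < nowMillis) {
            log.error("Request object expired. Exp:" + expMillis + ", now: " + nowMillis);
            throw cibaInvalidRequest();
        }
        if (jwtRequest.getScopes() == null || jwtRequest.getScopes().isEmpty()) {
            log.error("Request object does not have scope claim.");
            throw cibaInvalidRequest();
        }
        // iss must be the client itself: a request object issued by some other party is rejected.
        if (StringUtils.isEmpty(jwtRequest.getIss()) || !jwtRequest.getIss().equals(clientId)) {
            log.error("Request object has a wrong iss claim, iss: " + jwtRequest.getIss());
            throw cibaInvalidRequest();
        }
        if (jwtRequest.getIat() == null || jwtRequest.getIat().intValue() == 0) {
            log.error("Request object has a wrong iat claim, iat: " + jwtRequest.getIat());
            throw cibaInvalidRequest();
        }
        if (jwtRequest.getNbf() == null) {
            log.error("Request object has a wrong nbf claim, nbf: " + jwtRequest.getNbf());
            throw cibaInvalidRequest();
        }
        // Epoch seconds fit an int until 2038; toIntExact throws rather than wrapping after that.
        int nowSeconds = Math.toIntExact(System.currentTimeMillis() / 1000);
        int nbf = jwtRequest.getNbf().intValue();
        // nbf must not be in the future and must not be older than the configured CIBA window,
        // which bounds how long a captured request object stays usable.
        if (nbf > nowSeconds || nbf < nowSeconds - appConfiguration.getCibaMaxExpirationTimeAllowedSec()) {
            log.error("Request object has a wrong nbf claim, nbf: " + jwtRequest.getNbf());
            throw cibaInvalidRequest();
        }
        // NOTE(review): only the presence of jti is checked here; replay protection (rejecting a
        // jti seen before within the nbf window) is not done in this class — confirm it is done elsewhere.
        if (StringUtils.isEmpty(jwtRequest.getJti())) {
            log.error("Request object has a wrong jti claim, jti: " + jwtRequest.getJti());
            throw cibaInvalidRequest();
        }
        int hintCount = 0;
        if (StringUtils.isNotBlank(jwtRequest.getLoginHint())) {
            hintCount++;
        }
        if (StringUtils.isNotBlank(jwtRequest.getLoginHintToken())) {
            hintCount++;
        }
        if (StringUtils.isNotBlank(jwtRequest.getIdTokenHint())) {
            hintCount++;
        }
        if (hintCount != 1) {
            log.error("Request object has too many hints or doesnt have any");
            throw cibaInvalidRequest();
        }
    }

    /**
     * Resolves the redirect target for the request: the device-authorization page when a
     * device-flow user code is present, otherwise the client's registered redirect_uri.
     *
     * @param client      the already validated client
     * @param redirectUri the redirect_uri parameter, may be null
     * @param state       the state parameter, echoed into the error body
     * @param userCode    the device-flow user_code, blank when not a device-flow request
     * @param httpRequest the servlet request, used to build the device page URL
     * @return the validated redirect target, never blank
     * @throws WebApplicationException 400 invalid_request_redirect_uri when no valid target results
     */
    public String validateRedirectUri(@NotNull Client client, @Nullable String redirectUri, String state,
                                      String userCode, HttpServletRequest httpRequest) {
        String target;
        if (StringUtils.isNotBlank(userCode)) {
            target = deviceAuthorizationService.getDeviceAuthorizationPage(
                    deviceAuthorizationService.getDeviceAuthzByUserCode(userCode), client, state, httpRequest);
        } else {
            target = redirectionUriService.validateRedirectionUri(client, redirectUri);
        }
        if (StringUtils.isBlank(target)) {
            throw new WebApplicationException(jsonError(Response.Status.BAD_REQUEST,
                    AuthorizeErrorResponseType.INVALID_REQUEST_REDIRECT_URI, state, ""));
        }
        return target;
    }

    /**
     * The request object's {@code exp} claim as epoch milliseconds.
     *
     * <p>Computed in {@code long}: epoch seconds multiplied by 1000 do not fit an {@code int}, and
     * the wrapped value would make the "expired" comparison meaningless.
     */
    private static long expiryMillis(JwtAuthorizationRequest jwtRequest) {
        return jwtRequest.getExp().longValue() * 1000L;
    }

    /** Builds a JSON error response for the authorization endpoint. */
    private Response jsonError(Response.Status status, AuthorizeErrorResponseType errorType, String state,
                               String reason) {
        return Response.status(status)
                .entity(errorResponseFactory.getErrorAsJson(errorType, state, reason))
                .type(MediaType.APPLICATION_JSON_TYPE)
                .build();
    }

    /** The uniform 400 invalid_request failure used for every CIBA request-object check. */
    private WebApplicationException cibaInvalidRequest() {
        return new WebApplicationException(Response.status(Response.Status.BAD_REQUEST)
                .entity(errorResponseFactory.getErrorAsJson(BackchannelAuthenticationErrorResponseType.INVALID_REQUEST))
                .type(MediaType.APPLICATION_JSON_TYPE)
                .build());
    }
}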
