package org.xdi.oxauth.uma.service;

import com.google.common.base.Joiner;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;
import javax.ws.rs.core.Response;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.gluu.persist.exception.EntryPersistenceException;
import org.python.google.common.base.Function;
import org.python.google.common.collect.Iterables;
import org.slf4j.Logger;
import org.xdi.oxauth.model.common.AuthorizationGrant;
import org.xdi.oxauth.model.common.AuthorizationGrantList;
import org.xdi.oxauth.model.common.GrantType;
import org.xdi.oxauth.model.config.WebKeysConfiguration;
import org.xdi.oxauth.model.configuration.AppConfiguration;
import org.xdi.oxauth.model.crypto.signature.RSAPublicKey;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.error.ErrorResponseFactory;
import org.xdi.oxauth.model.jwk.JSONWebKey;
import org.xdi.oxauth.model.jwk.KeyType;
import org.xdi.oxauth.model.jws.RSASigner;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.uma.ClaimTokenFormatType;
import org.xdi.oxauth.model.uma.UmaErrorResponseType;
import org.xdi.oxauth.model.uma.UmaPermissionList;
import org.xdi.oxauth.model.uma.UmaScopeType;
import org.xdi.oxauth.model.uma.persistence.UmaPermission;
import org.xdi.oxauth.model.uma.persistence.UmaResource;
import org.xdi.oxauth.model.uma.persistence.UmaScopeDescription;
import org.xdi.oxauth.service.ClientService;
import org.xdi.oxauth.service.RedirectionUriService;
import org.xdi.oxauth.service.token.TokenService;
import org.xdi.oxauth.uma.authorization.UmaPCT;
import org.xdi.oxauth.uma.authorization.UmaRPT;
import org.xdi.oxauth.uma.authorization.UmaWebException;
import org.xdi.oxauth.util.ServerUtil;
import org.xdi.util.StringHelper;

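@Named
@Stateless
/**
 * Request-validation helpers for the UMA endpoints (permission registration, RPT issuance,
 * claims gathering). Every validator either returns the validated object or aborts the request
 * through {@link ErrorResponseFactory#throwUmaWebApplicationException} / {@link UmaWebException};
 * the code after such a call is only reached if the factory does not throw, so a few defensive
 * {@code return}s are kept to avoid dereferencing a null that the error path already reported.
 *
 * Security notes for maintainers:
 * - Credentials (bearer tokens, RPTs, PCTs, tickets) are never written to the log verbatim; see {@link #redact}.
 * - An unregistered claims_redirect_uri is answered with a direct 400, never with a redirect to it.
 * - Claim tokens are only verified when {@code umaValidateClaimToken} is enabled in the configuration.
 */
public class UmaValidationService {

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private TokenService tokenService;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    @Inject
    private UmaResourceService resourceService;

    @Inject
    private UmaScopeService umaScopeService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private UmaPermissionService permissionService;

    @Inject
    private UmaPctService pctService;

    @Inject
    private UmaRptService rptService;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private ClientService clientService;

    @Inject
    private UmaExpressionService expressionService;

    /**
     * Asserts that the caller's Authorization header carries a valid access token granted the
     * UMA protection scope (the PAT used by resource servers).
     *
     * @param authorization raw value of the HTTP Authorization header
     * @return the grant backing the token
     */
    public AuthorizationGrant assertHasProtectionScope(String authorization) {
        return validateAuthorization(authorization, UmaScopeType.PROTECTION);
    }

    /**
     * Resolves the bearer token in {@code authorization} to a grant and checks that the grant is
     * still valid and holds {@code requiredScope}. Aborts with 401 (missing/unknown/invalid token)
     * or 406 (scope missing) otherwise.
     */
    private AuthorizationGrant validateAuthorization(String authorization, UmaScopeType requiredScope) {
        // The header contains the bearer credential: never log it in full.
        log.trace("Validate authorization: {}", redact(authorization));
        if (StringHelper.isEmpty(authorization)) {
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.UNAUTHORIZED, UmaErrorResponseType.UNAUTHORIZED_CLIENT);
        }
        String accessToken = tokenService.getTokenFromAuthorizationParameter(authorization);
        if (StringHelper.isEmpty(accessToken)) {
            log.debug("Token is invalid");
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.UNAUTHORIZED, UmaErrorResponseType.UNAUTHORIZED_CLIENT);
        }
        AuthorizationGrant grant = authorizationGrantList.getAuthorizationGrantByAccessToken(accessToken);
        if (grant == null) {
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.UNAUTHORIZED, UmaErrorResponseType.ACCESS_DENIED);
        }
        if (!grant.isValid()) {
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.UNAUTHORIZED, UmaErrorResponseType.INVALID_TOKEN);
        }
        if (!grant.getScopes().contains(requiredScope.getValue())) {
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.NOT_ACCEPTABLE, UmaErrorResponseType.INVALID_CLIENT_SCOPE);
        }
        return grant;
    }

    /**
     * Looks up an RPT by its code. A blank code is allowed (no RPT presented) and yields null;
     * an unknown, revoked or expired RPT aborts with 400 INVALID_RPT.
     *
     * @param rptCode the RPT presented by the client, may be blank
     * @return the valid RPT, or null when none was presented
     */
    public UmaRPT validateRPT(String rptCode) {
        if (StringUtils.isBlank(rptCode)) {
            return null;
        }
        UmaRPT rpt = rptService.getRPTByCode(rptCode);
        if (rpt == null) {
            log.error("RPT is null, rptCode: " + redact(rptCode));
        } else {
            rpt.checkExpired();
            if (rpt.isValid()) {
                return rpt;
            }
            log.error("RPT is not valid. Revoked: " + rpt.isRevoked() + ", Expired: " + rpt.isExpired() + ", rptCode: " + redact(rptCode));
        }
        errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RPT);
        return null;
    }

    /**
     * Validates every persisted permission in the list; see {@link #validatePermission(UmaPermission)}.
     */
    public void validatePermissions(List<UmaPermission> permissions) {
        for (UmaPermission permission : permissions) {
            validatePermission(permission);
        }
    }

    /**
     * Checks a persisted permission (one entry of a ticket): it must exist, not be marked
     * "invalidated", and not be expired. Aborts with 400 INVALID_TICKET / EXPIRED_TICKET.
     */
    public void validatePermission(UmaPermission permission) {
        if (permission == null || "invalidated".equalsIgnoreCase(permission.getStatus())) {
            log.error("Permission is null or otherwise invalidated. Status: " + (permission != null ? permission.getStatus() : ""));
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_TICKET);
            return; // defensive: the factory is expected to throw; never dereference a null permission below
        }
        permission.checkExpired();
        if (!permission.isValid()) {
            log.error("Permission is not valid.");
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.EXPIRED_TICKET);
        }
    }

    /**
     * Validates every permission request in a registration payload;
     * see {@link #validatePermission(org.xdi.oxauth.model.uma.UmaPermission)}.
     */
    public void validatePermissions(UmaPermissionList requestedPermissions) {
        // Raw iterator kept on purpose: UmaPermissionList's element type is not visible from here.
        Iterator it = requestedPermissions.iterator();
        while (it.hasNext()) {
            validatePermission((org.xdi.oxauth.model.uma.UmaPermission) it.next());
        }
    }

    /**
     * Checks a permission request from the permission-registration endpoint: the resource id must
     * be present and resolve to exactly one registered resource, and every requested scope must be
     * one of that resource's registered scopes. Aborts with 400 INVALID_RESOURCE_ID /
     * INVALID_RESOURCE_SCOPE. A persistence failure while loading the resource is logged and
     * reported as INVALID_RESOURCE_ID.
     */
    public void validatePermission(org.xdi.oxauth.model.uma.UmaPermission requestedPermission) {
        String resourceId = requestedPermission.getResourceId();
        if (StringHelper.isEmpty(resourceId)) {
            log.error("Resource id is empty");
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_ID);
        }

        UmaResource resource = null;
        try {
            resource = resourceService.getResourceById(resourceId);
        } catch (EntryPersistenceException e) {
            log.error(e.getMessage(), e);
        }
        if (resource == null) {
            // Covers both "not registered" (or duplicate id) and the persistence-error case above.
            log.error("Resource isn't registered or there are two resources with same Id");
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_ID);
            return; // defensive: the factory is expected to throw
        }

        // Requested scope ids must be a subset of the scopes registered on the resource
        // (a null requested-scope list is not expected here and would fail with an NPE, as before).
        if (!umaScopeService.getScopeIdsByDns(resource.getScopes()).containsAll(requestedPermission.getScopes())) {
            log.error("At least one of the scope isn't registered");
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_SCOPE);
        }
    }

    /**
     * The UMA token endpoint only accepts the UMA ticket grant type.
     * NOTE(review): the error code reported for a wrong grant_type is INVALID_RESOURCE_ID, which is
     * misleading to clients; kept as-is because no dedicated grant-type error is visible in this file.
     */
    public void validateGrantType(String grantType) {
        log.trace("Validate grantType: {}", grantType);
        if (!GrantType.OXAUTH_UMA_TICKET.getValue().equals(grantType)) {
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_RESOURCE_ID);
        }
    }

    /**
     * Resolves a permission ticket to its registered permissions. Aborts with 400 INVALID_TICKET
     * when the ticket is blank or no permissions are registered for it.
     *
     * @return the non-empty permission list for the ticket
     */
    public List<UmaPermission> validateTicket(String ticket) {
        if (StringUtils.isBlank(ticket)) {
            log.error("Ticket is null or blank.");
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_TICKET);
        }
        List<UmaPermission> permissions = permissionService.getPermissionsByTicket(ticket);
        if (permissions == null || permissions.isEmpty()) {
            log.error("Unable to find permissions registered for given ticket:" + redact(ticket));
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_TICKET);
        }
        return permissions;
    }

    /**
     * Same as {@link #validateTicket(String)} but, on failure, reports INVALID_TICKET by redirecting
     * to {@code claimsRedirectUri} with {@code state}. Callers must only pass a claims_redirect_uri
     * that has already been matched against the client's registered URIs
     * (see {@link #validateClientAndClaimsRedirectUri}); redirecting to an unchecked URI would be an open redirect.
     */
    public List<UmaPermission> validateTicketWithRedirect(String ticket, String claimsRedirectUri, String state) {
        if (StringUtils.isBlank(ticket)) {
            log.error("Ticket is null or blank.");
            throw new UmaWebException(claimsRedirectUri, errorResponseFactory, UmaErrorResponseType.INVALID_TICKET, state);
        }
        List<UmaPermission> permissions = permissionService.getPermissionsByTicket(ticket);
        if (permissions == null || permissions.isEmpty()) {
            log.error("Unable to find permissions registered for given ticket:" + redact(ticket));
            throw new UmaWebException(claimsRedirectUri, errorResponseFactory, UmaErrorResponseType.INVALID_TICKET, state);
        }
        return permissions;
    }

    /**
     * Parses the optional claim_token pushed by the client. Both claim_token and claim_token_format
     * must be absent together or present together; the format must be a supported one; the token
     * must parse as a JWT. The token's signature/issuer/expiry are checked only when
     * {@code umaValidateClaimToken} is enabled in the configuration -- with it disabled the
     * claims of an unverified token are trusted, so keep that flag on in production.
     *
     * @return the parsed JWT, or null when no claim_token was supplied
     */
    public Jwt validateClaimToken(String claimToken, String claimTokenFormat) {
        if (StringUtils.isBlank(claimToken)) {
            if (StringUtils.isBlank(claimTokenFormat)) {
                return null;
            }
            log.error("claim_token is blank but claim_token_format is not blank. Both must be blank or both must be not blank");
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLAIM_TOKEN);
            return null;
        }
        if (!ClaimTokenFormatType.isValueValid(claimTokenFormat)) {
            log.error("claim_token_format is unsupported. Supported format is http://openid.net/specs/openid-connect-core-1_0.html#IDToken");
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLAIM_TOKEN_FORMAT);
        }

        // Parse outside of the validation step so that the error thrown by the validation path is
        // not swallowed by the parse-failure handler.
        Jwt jwt = null;
        try {
            jwt = Jwt.parse(claimToken);
        } catch (Exception e) {
            log.error("Failed to parse claim_token as valid id_token.", e);
        }
        if (jwt == null) {
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLAIM_TOKEN);
            return null;
        }

        if (ServerUtil.isTrue(appConfiguration.getUmaValidateClaimToken()) && !isIdTokenValid(jwt)) {
            log.error("claim_token validation failed.");
            errorResponseFactory.throwUmaWebApplicationException(Response.Status.BAD_REQUEST, UmaErrorResponseType.INVALID_CLAIM_TOKEN);
        }
        return jwt;
    }

    /**
     * Verifies an id_token used as claim token: not expired, issued by this server, signed with an
     * RSA algorithm using the server key identified by the {@code kid} header. Any exception during
     * verification is logged and treated as "invalid".
     *
     * NOTE(review): audience ({@code aud}) and {@code nonce} are not checked here, so any id_token
     * this server issued for any client is accepted as a claim token -- confirm that is intended.
     */
    public boolean isIdTokenValid(Jwt idToken) {
        try {
            String issuer = idToken.getClaims().getClaimAsString("iss");
            Date expiration = idToken.getClaims().getClaimAsDate("exp");
            Date now = new Date();
            if (expiration == null) {
                log.error("ID Token has no exp claim.");
                return false;
            }
            if (now.after(expiration)) {
                log.error("ID Token is expired. (It is after " + now + ").");
                return false;
            }
            if (issuer == null || !issuer.equals(appConfiguration.getIssuer())) {
                log.error("ID Token issuer is invalid. Token issuer: " + issuer + ", server issuer: " + appConfiguration.getIssuer());
                return false;
            }

            String kid = idToken.getHeader().getClaimAsString("kid");
            String alg = idToken.getHeader().getClaimAsString("alg");
            // The key we look up is always an RSA key, so the token must declare an RSA signature
            // algorithm; this blocks "none" / HMAC algorithm-confusion attempts before any
            // signature check is attempted.
            SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(alg);
            if (signatureAlgorithm == null || !isRsaAlgorithm(alg)) {
                log.error("ID Token alg is not a supported RSA signature algorithm: " + alg);
                return false;
            }
            RSAPublicKey publicKey = getPublicKey(kid);
            if (publicKey == null) {
                log.error("Failed to get RSA public key.");
                return false;
            }
            if (new RSASigner(signatureAlgorithm, publicKey).validate(idToken)) {
                log.debug("ID Token is successfully validated.");
                return true;
            }
            log.error("ID Token signature is invalid.");
            return false;
        } catch (Exception e) {
            log.error("Failed to validate id_token. Message: " + e.getMessage(), e);
            return false;
        }
    }

    /** JWA RSA signature algorithm names are RS* (PKCS#1 v1.5) and PS* (PSS); names are case-sensitive. */
    private static boolean isRsaAlgorithm(String alg) {
        return alg != null && (alg.startsWith("RS") || alg.startsWith("PS"));
    }

    /**
     * Returns the server's RSA public key with the given key id, or null when there is no such key,
     * no kid was supplied, or the key is not of type RSA.
     */
    private RSAPublicKey getPublicKey(String kid) {
        if (kid == null) {
            return null;
        }
        JSONWebKey key = webKeysConfiguration.getKey(kid);
        if (key == null || key.getKty() != KeyType.RSA) {
            return null;
        }
        return new RSAPublicKey(key.getN(), key.getE());
    }

    /**
     * Looks up a PCT by its code. A blank code is allowed (no PCT presented) and yields null;
     * an unknown, revoked or expired PCT aborts with 401 INVALID_PCT.
     *
     * @return the valid PCT, or null when none was presented
     */
    public UmaPCT validatePct(String pctCode) {
        if (StringUtils.isBlank(pctCode)) {
            return null;
        }
        UmaPCT pct = pctService.getByCode(pctCode);
        if (pct == null) {
            log.error("Failed to find PCT with pctCode: " + redact(pctCode));
        } else {
            pct.checkExpired();
            if (pct.isValid()) {
                log.trace("PCT is validated successfully, pct: " + redact(pctCode));
                return pct;
            }
            log.error("PCT is not valid. Revoked: " + pct.isRevoked() + ", Expired: " + pct.isExpired() + ", pctCode: " + redact(pctCode));
        }
        errorResponseFactory.throwUmaWebApplicationException(Response.Status.UNAUTHORIZED, UmaErrorResponseType.INVALID_PCT);
        return null;
    }

    /**
     * Builds the candidate scope set for an RPT request: the (URL-encoded, space-separated) scopes
     * the client asked for map to {@code true}, and the scopes carried by the ticket's permissions
     * map to {@code false} -- a scope present in both ends up {@code false}, exactly as before.
     * Aborts with 400 INVALID_RESOURCE_SCOPE when the resulting set is empty.
     *
     * @param scope       requested scope parameter, may be blank or URL-encoded
     * @param permissions the permissions registered for the ticket
     * @return mutable map of candidate scopes to the "explicitly requested" flag
     */
    public Map<UmaScopeDescription, Boolean> validateScopes(String scope, List<UmaPermission> permissions) {
        String decodedScope = ServerUtil.urlDecode(scope);
        String[] requestedScopeIds = StringUtils.isNotBlank(decodedScope) ? decodedScope.split(" ") : new String[0];

        Map<UmaScopeDescription, Boolean> candidates = new HashMap<UmaScopeDescription, Boolean>();
        if (ArrayUtils.isNotEmpty(requestedScopeIds)) {
            for (UmaScopeDescription requested : umaScopeService.getScopesByIds(Arrays.asList(requestedScopeIds))) {
                candidates.put(requested, Boolean.TRUE);
            }
        }
        for (UmaPermission permission : permissions) {
            for (UmaScopeDescription ticketScope : umaScopeService.getScopesByDns(permission.getScopeDns())) {
                candidates.put(ticketScope, Boolean.FALSE);
            }
        }

        if (candidates.isEmpty()) {
            log.error("There are no any scopes requested in give request.");
            throw new UmaWebException(Response.Status.BAD_REQUEST, errorResponseFactory, UmaErrorResponseType.INVALID_RESOURCE_SCOPE);
        }

        if (log.isTraceEnabled()) {
            StringBuilder ids = new StringBuilder();
            for (UmaScopeDescription candidate : candidates.keySet()) {
                if (ids.length() > 0) {
                    ids.append(", ");
                }
                ids.append(candidate.getId());
            }
            log.trace("CandidateGrantedScopes: " + ids);
        }
        return candidates;
    }

    /**
     * A blank scope expression is fine (none supplied); a non-blank one must be accepted by the
     * expression service, otherwise the request is aborted with 400 INVALID_RESOURCE_SCOPE.
     */
    public void validateScopeExpression(String scopeExpression) {
        if (StringUtils.isBlank(scopeExpression)) {
            return;
        }
        if (!expressionService.isExpressionValid(scopeExpression)) {
            log.error("Scope expression is invalid. Expression: " + scopeExpression);
            throw new UmaWebException(Response.Status.BAD_REQUEST, errorResponseFactory, UmaErrorResponseType.INVALID_RESOURCE_SCOPE);
        }
    }

    /**
     * Resolves the client and checks the claims_redirect_uri of a claims-gathering request.
     * A blank claims_redirect_uri is accepted only when the client has exactly one registered;
     * a non-blank one must match a registered URI (see {@link #getEqualRedirectUri}).
     *
     * Every failure is reported as a direct 400 INVALID_CLIENT_ID / INVALID_CLAIMS_REDIRECT_URI.
     * In particular a claims_redirect_uri that does not match the registration is never used as
     * a redirect target for the error (RFC 6749 section 3.1.2.4): doing so would turn this
     * endpoint into an open redirector. {@code state} is therefore unused on the error path
     * and is kept only for signature compatibility.
     *
     * @param clientId          client_id request parameter
     * @param claimsRedirectUri claims_redirect_uri request parameter, may be blank
     * @param state             state request parameter
     * @return the resolved client
     */
    public Client validateClientAndClaimsRedirectUri(String clientId, String claimsRedirectUri, String state) {
        if (StringUtils.isBlank(clientId)) {
            log.error("Invalid clientId: {}", clientId);
            throw new UmaWebException(Response.Status.BAD_REQUEST, errorResponseFactory, UmaErrorResponseType.INVALID_CLIENT_ID);
        }
        Client client = clientService.getClient(clientId);
        if (client == null) {
            log.error("Failed to find client with client_id: {}", clientId);
            throw new UmaWebException(Response.Status.BAD_REQUEST, errorResponseFactory, UmaErrorResponseType.INVALID_CLIENT_ID);
        }

        String[] registeredUris = client.getClaimRedirectUris();
        if (StringUtils.isBlank(claimsRedirectUri)) {
            log.trace("claims_redirect_uri is blank");
            if (registeredUris != null && registeredUris.length == 1) {
                log.trace("claims_redirect_uri is blank and only one claims_redirect_uri is registered.");
                return client;
            }
            log.error("claims_redirect_uri is blank and there is none or more then one registered claims_redirect_uri for clientId: " + clientId);
            throw new UmaWebException(Response.Status.BAD_REQUEST, errorResponseFactory, UmaErrorResponseType.INVALID_CLAIMS_REDIRECT_URI);
        }

        if (ArrayUtils.isEmpty(registeredUris)) {
            log.error("Client does not have claims_redirect_uri specified, clientId: " + clientId);
            throw new UmaWebException(Response.Status.BAD_REQUEST, errorResponseFactory, UmaErrorResponseType.INVALID_CLAIMS_REDIRECT_URI);
        }
        String matchedUri = getEqualRedirectUri(claimsRedirectUri, registeredUris);
        if (matchedUri != null) {
            log.trace("Found match for claims_redirect_uri : " + matchedUri);
            return client;
        }
        log.error("Failed to find match for claims_redirect_uri : " + claimsRedirectUri + ", client claimRedirectUris: " + Arrays.toString(registeredUris));
        // Do NOT redirect to the unregistered URI with the error -- respond directly instead.
        throw new UmaWebException(Response.Status.BAD_REQUEST, errorResponseFactory, UmaErrorResponseType.INVALID_CLAIMS_REDIRECT_URI);
    }

    /**
     * Matches a requested redirect URI against the registered ones. A candidate matches when it is
     * byte-identical to a registered URI, or when both have the same URI without query parameters
     * and either neither carries parameters or the registered one does and
     * {@link RedirectionUriService#compareParams} accepts the pair.
     *
     * @return the requested URI when it matches, null otherwise
     */
    private String getEqualRedirectUri(String requestedUri, String[] registeredUris) {
        String requestedBase = RedirectionUriService.uriWithoutParams(requestedUri);
        for (String registeredUri : registeredUris) {
            log.debug("Comparing {} == {}", registeredUri, requestedUri);
            if (registeredUri.equals(requestedUri)) {
                return requestedUri;
            }
            String registeredBase = RedirectionUriService.uriWithoutParams(registeredUri);
            if (!registeredBase.equals(requestedBase)) {
                continue;
            }
            Map<String, String> registeredParams = RedirectionUriService.getParams(registeredUri);
            boolean bothWithoutParams = registeredParams.size() == 0 && RedirectionUriService.getParams(requestedUri).size() == 0;
            boolean paramsMatch = registeredParams.size() > 0 && RedirectionUriService.compareParams(requestedUri, registeredUri);
            if (bothWithoutParams || paramsMatch) {
                return requestedUri;
            }
        }
        return null;
    }

    /**
     * Splits the space-separated claims-gathering script names. A blank value aborts by
     * redirecting the error to {@code claimsRedirectUri}; callers must pass only an already
     * validated claims_redirect_uri (see {@link #validateClientAndClaimsRedirectUri}).
     */
    public String[] validatesGatheringScriptNames(String scriptNames, String claimsRedirectUri, String state) {
        if (StringUtils.isNotBlank(scriptNames)) {
            String[] names = scriptNames.split(" ");
            if (ArrayUtils.isNotEmpty(names)) {
                return names;
            }
        }
        throw new UmaWebException(claimsRedirectUri, errorResponseFactory, UmaErrorResponseType.INVALID_CLAIMS_GATHERING_SCRIPT_NAME, state);
    }

    /**
     * Validates a resource registration: the scope expression (if any) must be valid, and at least
     * one of {@code scope} / {@code scope_expression} must be supplied. Note that resolving the
     * scope ids is not side-effect free -- unknown scopes are persisted by the scope service
     * ({@code getScopeDNsByIdsAndAddToLdapIfNeeded}) even if the registration is then rejected.
     */
    public void validateResource(org.xdi.oxauth.model.uma.UmaResource resource) {
        validateScopeExpression(resource.getScopeExpression());
        boolean noScopes = umaScopeService.getScopeDNsByIdsAndAddToLdapIfNeeded(resource.getScopes()).isEmpty();
        if (noScopes && StringUtils.isBlank(resource.getScopeExpression())) {
            log.error("Invalid resource. Both `scope` and `scope_expression` are blank.");
            throw new UmaWebException(Response.Status.BAD_REQUEST, errorResponseFactory, UmaErrorResponseType.INVALID_RESOURCE_SCOPE);
        }
    }

    /**
     * Returns a log-safe rendering of a credential (bearer token, RPT, PCT, ticket): at most a few
     * leading characters plus the length, enough to correlate log lines without disclosing the value.
     */
    private static String redact(String credential) {
        if (credential == null) {
            return "null";
        }
        int shown = Math.min(6, credential.length() / 2);
        return credential.substring(0, shown) + "...(len=" + credential.length() + ")";
    }
}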
