package io.mosip.kernel.authcodeflowproxy.api.validator;

import com.auth0.jwk.JwkException;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import io.mosip.kernel.core.util.DateUtils;
import io.mosip.kernel.core.util.EmptyCheckUtils;
import io.mosip.kernel.openid.bridge.api.constants.AuthErrorCode;
import io.mosip.kernel.openid.bridge.api.constants.Errors;
import io.mosip.kernel.openid.bridge.api.exception.ServiceException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.time.LocalDateTime;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import org.apache.commons.lang3.tuple.ImmutablePair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

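/**
 * Validates bearer JWTs issued by the configured IAM server.
 *
 * {@link #isTokenValid(DecodedJWT)} applies, in this order:
 * <ol>
 *   <li>signature — RSA public key published at {@code mosip.iam.certs_endpoint},
 *       selected by the token's {@code kid}; only RS256/RS384/RS512 are accepted and the
 *       {@code alg} header must match exactly;</li>
 *   <li>expiry — {@code exp} must be present and in the future;</li>
 *   <li>issuer host — host of {@code iss} must equal the host of the certs endpoint,
 *       unless {@code auth.server.admin.issuer.domain.validate} is false;</li>
 *   <li>audience — {@code aud} (exact) or {@code azp} (case-insensitive) must name an
 *       allowed audience, unless {@code auth.server.admin.audience.claim.validate} is false.</li>
 * </ol>
 * The signature is checked first so that no claim (nor the logged user name) is trusted
 * before it has been authenticated. Public keys are cached per {@code kid}; failed lookups
 * are not cached, so an attacker-chosen {@code kid} cannot grow the cache.
 */
@Component
public class ValidateTokenUtil {
    private static final Logger LOGGER = LoggerFactory.getLogger(ValidateTokenUtil.class);

    /** Resolved public keys by JWK {@code kid}. Concurrent because this bean is a shared singleton. */
    private final Map<String, PublicKey> publicKeys = new ConcurrentHashMap<>();

    /** JWKS endpoint of the IAM server. Taken from configuration only, never from the token. */
    @Value("${mosip.iam.certs_endpoint:}")
    private String certsPathUrl;

    @Value("${auth.server.admin.issuer.domain.validate:true}")
    private boolean validateIssuerDomain;

    @Value("${auth.server.admin.audience.claim.validate:true}")
    private boolean validateAudClaim;

    /** Audiences accepted for this application; resolved once in {@link #init()}. */
    private List<String> allowedAudience;

    @Autowired
    private Environment environment;

    /**
     * Resolves the allowed-audience list: the application-specific property wins, then the
     * shared property, then an empty list (which, with audience validation on, rejects every token).
     *
     * @throws RuntimeException if {@code spring.application.name} is not configured
     */
    @PostConstruct
    @SuppressWarnings("unchecked")
    private void init() {
        List<String> sharedAudience = this.environment.getProperty(
                "auth.server.admin.allowed.audience", List.class, Collections.emptyList());
        this.allowedAudience = this.environment.getProperty(
                "auth.server.admin.allowed.audience." + getApplicationName(), List.class, sharedAudience);
    }

    /**
     * Returns the first entry of the comma-separated {@code spring.application.name}.
     *
     * @throws IllegalStateException (a RuntimeException, as before) if the property is missing or empty
     */
    private String getApplicationName() {
        String property = this.environment.getProperty("spring.application.name");
        if (EmptyCheckUtils.isNullEmpty(property)) {
            throw new IllegalStateException("property spring.application.name not found");
        }
        return property.split(",")[0];
    }

    /**
     * Validates the token and throws if it is not acceptable.
     *
     * @param str compact-serialized JWT
     * @throws ServiceException with {@code Errors.INVALID_TOKEN} when any check fails
     * @throws com.auth0.jwt.exceptions.JWTDecodeException if {@code str} is not a well-formed JWT
     */
    public void validateToken(String str) {
        if (!isTokenValid(str).getKey()) {
            throw new ServiceException(Errors.INVALID_TOKEN.getErrorCode(), Errors.INVALID_TOKEN.getErrorMessage());
        }
    }

    /**
     * Decodes (without verifying) and then validates the token.
     *
     * @param str compact-serialized JWT
     * @return see {@link #isTokenValid(DecodedJWT)}
     * @throws com.auth0.jwt.exceptions.JWTDecodeException if {@code str} is not a well-formed JWT
     */
    public ImmutablePair<Boolean, AuthErrorCode> isTokenValid(String str) {
        return isTokenValid(JWT.decode(str));
    }

    /**
     * Runs every check described on the class.
     *
     * @param decodedJWT decoded but not yet verified token
     * @return {@code (true, null)} when valid; {@code (false, UNAUTHORIZED)} for a bad signature,
     *         missing/expired {@code exp} or issuer mismatch; {@code (false, FORBIDDEN)} for an
     *         audience mismatch
     */
    public ImmutablePair<Boolean, AuthErrorCode> isTokenValid(DecodedJWT decodedJWT) {
        // Signature first: until it verifies, every claim below is attacker-controlled.
        ImmutablePair<Boolean, AuthErrorCode> signature = verifyJWTSignagure(decodedJWT);
        if (!signature.getLeft()) {
            return signature;
        }
        String userName = decodedJWT.getClaim("preferred_username").asString();

        // A token without exp would otherwise never expire (and previously NPE'd on the null Date).
        Date expiresAt = decodedJWT.getExpiresAt();
        if (expiresAt == null || !Instant.now().isBefore(expiresAt.toInstant())) {
            LOGGER.error("Provided Auth Token expired. Throwing Authentication Exception. UserName: {}", userName);
            return ImmutablePair.of(Boolean.FALSE, AuthErrorCode.UNAUTHORIZED);
        }
        if (this.validateIssuerDomain && !getTokenIssuerDomain(decodedJWT)) {
            LOGGER.error("Provided Auth Token Issue domain does not match. Throwing Authentication Exception. UserName: {}", userName);
            return ImmutablePair.of(Boolean.FALSE, AuthErrorCode.UNAUTHORIZED);
        }
        if (this.validateAudClaim && !validateAudience(decodedJWT)) {
            LOGGER.error("Provided Client Id does not match with Aud/AZP. Throwing Authorizaion Exception. UserName: {}", userName);
            return ImmutablePair.of(Boolean.FALSE, AuthErrorCode.FORBIDDEN);
        }
        return ImmutablePair.<Boolean, AuthErrorCode>of(Boolean.TRUE, null);
    }

    /**
     * Accepts the token if any {@code aud} entry is an allowed audience (exact match), or
     * failing that if {@code azp} equals an allowed audience ignoring case.
     * (Reconstructed from the decompiled bytecode; the case-insensitivity of the azp path
     * versus the exact aud match is the original behaviour.)
     */
    private boolean validateAudience(DecodedJWT decodedJWT) {
        List<String> audience = decodedJWT.getAudience();
        if (audience != null && audience.stream().anyMatch(this.allowedAudience::contains)) {
            return true;
        }
        Claim azp = decodedJWT.getClaim("azp");
        if (azp == null || azp.isNull()) {
            return false;
        }
        String authorizedParty = azp.asString();
        // A non-string azp yields null; treat as "no azp" instead of throwing.
        return authorizedParty != null
                && this.allowedAudience.stream().anyMatch(authorizedParty::equalsIgnoreCase);
    }

    /**
     * Compares the host of the {@code iss} claim with the host of the configured certs endpoint.
     * Scheme, port and path are deliberately not compared; the signature check against the
     * configured JWKS is what actually binds the token to this issuer.
     *
     * @return false (fail closed) when {@code iss} is absent, unparseable, or either URI has no host
     */
    private boolean getTokenIssuerDomain(DecodedJWT decodedJWT) {
        String issuer = decodedJWT.getClaim("iss").asString();
        if (issuer == null) {
            LOGGER.error("Provided Auth Token has no iss claim.");
            return false;
        }
        try {
            String issuerHost = new URI(issuer).getHost();
            String expectedHost = new URI(this.certsPathUrl).getHost();
            return issuerHost != null && expectedHost != null && issuerHost.equalsIgnoreCase(expectedHost);
        } catch (URISyntaxException e) {
            LOGGER.error("Unable to parse domain from issuer.", e);
            return false;
        }
    }

    /**
     * Returns the public key for the token's {@code kid}, fetching and caching it on first use.
     *
     * @return the key, or {@code null} if it could not be obtained (caller must reject the token)
     */
    public PublicKey getPublicKey(DecodedJWT decodedJWT) {
        String keyId = decodedJWT.getKeyId();
        if (keyId == null) {
            // Nothing to cache under (the map rejects null keys); let the provider decide
            // whether it can resolve a key without a kid, as before.
            return getIssuerPublicKey(null);
        }
        PublicKey cached = this.publicKeys.get(keyId);
        if (cached != null) {
            return cached;
        }
        PublicKey fetched = getIssuerPublicKey(keyId);
        if (fetched == null) {
            // Do not cache failures: a null entry per unknown, attacker-chosen kid would grow the
            // map without bound, and a key published later would never be retried.
            return null;
        }
        PublicKey existing = this.publicKeys.putIfAbsent(keyId, fetched);
        return existing != null ? existing : fetched;
    }

    /**
     * Verifies the token's signature with the issuer's RSA key.
     *
     * @return {@code (true, null)} on success; {@code (false, UNAUTHORIZED)} when no key is
     *         available, the algorithm is unsupported, or the signature does not verify
     */
    public ImmutablePair<Boolean, AuthErrorCode> verifyJWTSignagure(DecodedJWT decodedJWT) {
        PublicKey publicKey = getPublicKey(decodedJWT);
        if (publicKey == null) {
            LOGGER.error("No public key available for the token's kid. Throwing Authentication Exception.");
            return ImmutablePair.of(Boolean.FALSE, AuthErrorCode.UNAUTHORIZED);
        }
        try {
            getVerificationAlgorithm(decodedJWT.getAlgorithm(), publicKey).verify(decodedJWT);
            return ImmutablePair.<Boolean, AuthErrorCode>of(Boolean.TRUE, null);
        } catch (SignatureVerificationException | IllegalArgumentException e) {
            LOGGER.error("Signature validation failed for User Info, Throwing Authentication Exception.", e);
            return ImmutablePair.of(Boolean.FALSE, AuthErrorCode.UNAUTHORIZED);
        }
    }

    /**
     * Downloads the JWK with the given id from the configured certs endpoint.
     *
     * @return the public key, or {@code null} on any download/parse/lookup failure
     */
    private PublicKey getIssuerPublicKey(String keyId) {
        try {
            // The JWKS location is configuration, never the token's iss/jku.
            return new UrlJwkProvider(new URI(this.certsPathUrl).normalize().toURL()).get(keyId).getPublicKey();
        } catch (JwkException | MalformedURLException | URISyntaxException | IllegalArgumentException e) {
            // IllegalArgumentException: URI.toURL() on a non-absolute (e.g. empty) certs endpoint.
            // Parameterized logging: concat(e.getMessage()) threw NPE on a message-less exception.
            LOGGER.error("Error downloading Public key from server", e);
            return null;
        }
    }

    /**
     * Builds the verification algorithm for the token's {@code alg} header.
     * The header is attacker-controlled, so it is matched exactly: a missing, {@code none},
     * HMAC or EC value is rejected instead of being silently verified as RS256.
     *
     * @throws IllegalArgumentException if {@code alg} is not RS256/RS384/RS512 or the key is not RSA
     */
    private Algorithm getVerificationAlgorithm(String alg, PublicKey publicKey) {
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new IllegalArgumentException("Published key for the token is not an RSA key");
        }
        if (alg == null) {
            throw new IllegalArgumentException("Token has no alg header");
        }
        RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
        switch (alg) {
            case "RS256":
                return Algorithm.RSA256(rsaKey, (RSAPrivateKey) null);
            case "RS384":
                return Algorithm.RSA384(rsaKey, (RSAPrivateKey) null);
            case "RS512":
                return Algorithm.RSA512(rsaKey, (RSAPrivateKey) null);
            default:
                throw new IllegalArgumentException("Unsupported token algorithm: " + alg);
        }
    }
}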
