package io.jans.as.server.token.ws.rs;

import io.jans.as.common.claims.Audience;
import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.common.ExchangeTokenType;
import io.jans.as.model.common.TokenType;
import io.jans.as.model.config.WebKeysConfiguration;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm;
import io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.exception.InvalidJweException;
import io.jans.as.model.jwe.Jwe;
import io.jans.as.model.jwe.JweEncrypterImpl;
import io.jans.as.model.jwk.Algorithm;
import io.jans.as.model.jwk.JSONWebKeySet;
import io.jans.as.model.jwk.KeyOpsType;
import io.jans.as.model.jwk.Use;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtType;
import io.jans.as.model.token.JsonWebResponse;
import io.jans.as.model.token.TokenErrorResponseType;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.auth.DpopService;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.AuthorizationGrantList;
import io.jans.as.server.model.common.ExecutionContext;
import io.jans.as.server.model.common.TxToken;
import io.jans.as.server.model.common.TxTokenGrant;
import io.jans.as.server.model.token.JwtSigner;
import io.jans.as.server.service.ClientService;
import io.jans.as.server.service.ServerCryptoProvider;
import io.jans.as.server.service.stat.StatService;
import io.jans.as.server.util.ServerUtil;
import io.jans.util.security.StringEncrypter;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Calendar;
import java.util.Date;
import java.util.UUID;
import org.apache.commons.lang3.StringUtils;
import org.json.JSONObject;
import org.slf4j.Logger;

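/* loaded from: input_file:io/jans/as/server/token/ws/rs/TxTokenService.class */
@Named
@Stateless
/**
 * Issues Transaction Tokens (TxTokens) for the token-exchange flow.
 *
 * <p>The service validates the exchange request, creates a dedicated {@link TxTokenGrant},
 * builds the token payload, signs it with the client's (or server default) signature algorithm,
 * optionally encrypts it when the client registered TxToken encryption algorithms, persists the
 * token on the grant and returns the JSON token response.
 *
 * <p>All request parameters read here ({@code requested_token_type}, {@code subject_token},
 * {@code subject_token_type}, {@code audience}, {@code rctx}, {@code scope}) are caller-supplied;
 * only the token type, subject token and scope are validated in this class.
 */
public class TxTokenService {

    @Inject
    private Logger log;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private TxTokenValidator txTokenValidator;

    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private ClientService clientService;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private AuthorizationGrantList authorizationGrantList;

    /**
     * Handles a TxToken exchange request end to end and returns the HTTP response.
     *
     * @param executionContext request context carrying the HTTP request, client and audit log
     * @return a {@code 200 OK} response whose entity is the token JSON; caching is disabled
     * @throws Exception propagated from validation, signing, encryption or persistence
     */
    public Response processTxToken(ExecutionContext executionContext) throws Exception {
        final String tokenJson = process(executionContext).toString();
        this.log.trace("Created TxToken: {}", tokenJson);
        return response(Response.ok().entity(tokenJson), executionContext.getAuditLog());
    }

    /**
     * Validates the exchange request, mints the TxToken and persists it on a new grant.
     *
     * @return JSON object with {@code issued_token_type}, {@code token_type} and the token itself
     *         stored under {@link StatService#ACCESS_TOKEN_KEY}
     * @throws Exception from the validator, the JWT/JWE building or the grant persistence
     */
    private JSONObject process(ExecutionContext executionContext) throws Exception {
        final HttpServletRequest httpRequest = executionContext.getHttpRequest();
        final OAuth2AuditLog auditLog = executionContext.getAuditLog();

        final String requestedTokenType = httpRequest.getParameter("requested_token_type");
        final String subjectToken = httpRequest.getParameter("subject_token");
        final String subjectTokenType = httpRequest.getParameter("subject_token_type");
        final String audience = httpRequest.getParameter("audience");
        final String requestContext = httpRequest.getParameter("rctx");
        final String scope = httpRequest.getParameter("scope");
        final Client client = executionContext.getClient();

        // Validation order matters: the requested type is checked first, then the subject token
        // type, and only then the subject token itself is resolved to a grant.
        this.txTokenValidator.validateRequestedTokenType(requestedTokenType, auditLog);
        final AuthorizationGrant subjectGrant = this.txTokenValidator.validateSubjectToken(
                subjectToken,
                this.txTokenValidator.validateSubjectTokenType(subjectTokenType, auditLog),
                auditLog);

        // The TxToken grant is bound to the requesting client with a fresh (empty) User; the
        // subject identity is carried in the token's sub_id claim instead (see fillPayload).
        final TxTokenGrant txTokenGrant = this.authorizationGrantList.createTxTokenGrant(new User(), client);
        txTokenGrant.checkScopesPolicy(scope);
        executionContext.setGrant(txTokenGrant);

        final String encodedToken = createTxTokenJwr(audience, requestContext, executionContext, subjectGrant).toString();
        final TxToken txToken = new TxToken(getTxTokenLifetime(client));
        txToken.setCode(encodedToken);
        txTokenGrant.persist(txTokenGrant.asToken(txToken));

        final JSONObject result = new JSONObject();
        result.put("issued_token_type", ExchangeTokenType.TX_TOKEN.getName());
        result.put("token_type", TokenType.TX_TOKEN.getName());
        result.put(StatService.ACCESS_TOKEN_KEY, encodedToken);
        return result;
    }

    /**
     * Builds the TxToken as either a signed JWT or a signed-then-encrypted JWE.
     *
     * <p>Encryption is used only when the client's attributes define both a TxToken key-encryption
     * algorithm and a block-encryption algorithm, and the key-encryption algorithm is one of
     * {@code RSA-OAEP}, {@code RSA1_5} (client public key from its JWKS) or {@code A128KW},
     * {@code A256KW} (key derived from the client secret). Any other combination falls through
     * to a plain signed JWT.
     *
     * @param audience          optional extra {@code aud} value from the request
     * @param requestContext    optional {@code rctx} request parameter (JSON text)
     * @param executionContext  request context providing the client
     * @param subjectGrant      grant resolved from the subject token, may be {@code null}
     * @return the signed (and possibly encrypted) token
     * @throws InvalidJweException if no usable public key is found for the RSA encryption path
     * @throws Exception           from signing or encryption
     */
    private JsonWebResponse createTxTokenJwr(String audience, String requestContext,
                                             ExecutionContext executionContext,
                                             AuthorizationGrant subjectGrant) throws Exception {
        final Client client = executionContext.getClient();
        final KeyEncryptionAlgorithm keyAlg =
                KeyEncryptionAlgorithm.fromName(client.getAttributes().getTxTokenEncryptedResponseAlg());
        final BlockEncryptionAlgorithm encAlg =
                BlockEncryptionAlgorithm.fromName(client.getAttributes().getTxTokenEncryptedResponseEnc());

        if (keyAlg != null && encAlg != null) {
            this.log.trace("Preparing encrypted TxToken with keyEncryptionAlgorithm {}, blockEncryptionAlgorithm: {}", keyAlg, encAlg);
            final Jwe jwe = new Jwe();
            jwe.getHeader().setType(JwtType.TX_TOKEN);
            jwe.getHeader().setAlgorithm(keyAlg);
            jwe.getHeader().setEncryptionMethod(encAlg);
            fillPayload(jwe, audience, requestContext, executionContext, subjectGrant);

            // Nested JWS: the claims are signed first, then the signed JWT becomes the JWE payload.
            final Jwt innerJwt = newJwtSigner(client).newJwt();
            innerJwt.setClaims(jwe.getClaims());
            jwe.setSignedJWTPayload(signJwt(innerJwt, client));

            if (keyAlg == KeyEncryptionAlgorithm.RSA_OAEP || keyAlg == KeyEncryptionAlgorithm.RSA1_5) {
                final JSONObject clientJwks = CommonUtils.getJwks(client);
                final String keyId = new ServerCryptoProvider(this.cryptoProvider).getKeyId(
                        JSONWebKeySet.fromJSONObject(clientJwks),
                        Algorithm.fromString(keyAlg.getName()),
                        Use.ENCRYPTION,
                        KeyOpsType.CONNECT);
                final PublicKey publicKey = this.cryptoProvider.getPublicKey(keyId, clientJwks, (Algorithm) null);
                // Fail before touching the header so an unusable JWE is never partially built.
                if (publicKey == null) {
                    throw new InvalidJweException("The public key is not valid");
                }
                jwe.getHeader().setKeyId(keyId);
                return new JweEncrypterImpl(keyAlg, encAlg, publicKey).encrypt(jwe);
            }
            if (keyAlg == KeyEncryptionAlgorithm.A128KW || keyAlg == KeyEncryptionAlgorithm.A256KW) {
                // Symmetric wrap: the decrypted client secret's UTF-8 bytes are the wrapping key.
                final byte[] secretKey = this.clientService.decryptSecret(client.getClientSecret())
                        .getBytes(StandardCharsets.UTF_8);
                return new JweEncrypterImpl(keyAlg, encAlg, secretKey).encrypt(jwe);
            }
            // NOTE(review): a client that registered an unsupported key-encryption algorithm
            // silently receives a signed-only token here rather than an error.
        }

        this.log.trace("Preparing signed TxToken, client {}", client.getClientId());
        final JwtSigner signer = newJwtSigner(client);
        fillPayload(signer.newJwt(), audience, requestContext, executionContext, subjectGrant);
        return signer.sign();
    }

    /**
     * Populates the standard and TxToken-specific claims of the token.
     *
     * <p>Claims written: {@code iss}, {@code exp} (now + lifetime), {@code iat}, {@code txn}
     * (fresh UUID), {@code sub_id} (the subject grant's {@code sub} when a grant was resolved,
     * otherwise a fresh UUID), {@code aud} (client audience plus the optional request
     * {@code audience}), {@code req_ctx} (parsed {@code rctx} JSON, when present) and
     * {@code azd} holding the {@code client_id}.
     *
     * @param jwr             token whose claims are filled in place
     * @param audience        optional additional audience taken verbatim from the request
     * @param requestContext  optional JSON text from the {@code rctx} request parameter
     * @param executionContext request context providing the client
     * @param subjectGrant    grant resolved from the subject token, may be {@code null}
     */
    private void fillPayload(JsonWebResponse jwr, String audience, String requestContext,
                             ExecutionContext executionContext, AuthorizationGrant subjectGrant) {
        final Client client = executionContext.getClient();

        final Calendar calendar = Calendar.getInstance();
        final Date issuedAt = calendar.getTime();
        calendar.add(Calendar.SECOND, getTxTokenLifetime(client));
        final Date expiration = calendar.getTime();

        jwr.getClaims().setIssuer(this.appConfiguration.getIssuer());
        jwr.getClaims().setExpirationTime(expiration);
        jwr.getClaims().setIssuedAt(issuedAt);
        jwr.setClaim("txn", UUID.randomUUID().toString());
        jwr.setClaim("sub_id", subjectGrant != null ? subjectGrant.getSub() : UUID.randomUUID().toString());

        Audience.setAudience(jwr.getClaims(), client);
        // The request-supplied audience is appended as given; it is not checked against any
        // registered audience list in this class.
        if (StringUtils.isNotBlank(audience)) {
            jwr.getClaims().addAudience(audience);
        }
        // rctx is caller-supplied JSON; org.json throws on malformed input, which aborts the
        // request through the generic exception path of processTxToken.
        if (StringUtils.isNotBlank(requestContext)) {
            jwr.getClaims().setClaim("req_ctx", new JSONObject(requestContext));
        }

        final JSONObject authorizationDetails = new JSONObject();
        authorizationDetails.put("client_id", client.getClientId());
        jwr.getClaims().setClaim("azd", authorizationDetails);
    }

    /**
     * Resolves the TxToken lifetime in seconds: the client's own positive value wins over the
     * server-wide default.
     *
     * @param client the requesting client
     * @return lifetime in seconds (unit established by the {@code Calendar.SECOND} use in fillPayload)
     */
    private int getTxTokenLifetime(Client client) {
        final Integer clientLifetime = client.getAttributes().getTxTokenLifetime();
        if (clientLifetime == null || clientLifetime.intValue() <= 0) {
            return this.appConfiguration.getTxTokenLifetime();
        }
        this.log.trace("Override TxToken lifetime with value {} from client: {}", clientLifetime, client.getClientId());
        return clientLifetime.intValue();
    }

    /**
     * Signs {@code jwt} in place with a signer configured for {@code client}.
     *
     * @return the same {@code jwt} instance that was passed in
     * @throws Exception from the signer
     */
    private Jwt signJwt(Jwt jwt, Client client) throws Exception {
        final JwtSigner signer = newJwtSigner(client);
        signer.setJwt(jwt);
        signer.sign();
        return jwt;
    }

    /**
     * Creates a signer using the client's registered TxToken signature algorithm, falling back
     * to the server default signature algorithm when the client did not register one.
     *
     * @throws StringEncrypter.EncryptionException if the client secret cannot be decrypted
     */
    private JwtSigner newJwtSigner(Client client) throws StringEncrypter.EncryptionException {
        final String clientAlg = client.getAttributes().getTxTokenSignedResponseAlg();
        final SignatureAlgorithm signatureAlgorithm = clientAlg != null
                ? SignatureAlgorithm.fromString(clientAlg)
                : SignatureAlgorithm.fromString(this.appConfiguration.getDefaultSignatureAlgorithm());
        return new JwtSigner(this.appConfiguration, this.webKeysConfiguration, signatureAlgorithm,
                client.getClientId(), this.clientService.decryptSecret(client.getClientSecret()));
    }

    /**
     * Finalizes a token response: disables caching, adds the Pragma no-cache header and emits
     * the audit log entry.
     */
    private Response response(Response.ResponseBuilder responseBuilder, OAuth2AuditLog oAuth2AuditLog) {
        responseBuilder.cacheControl(ServerUtil.cacheControl(true, false));
        responseBuilder.header(DpopService.PRAGMA, DpopService.NO_CACHE);
        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return responseBuilder.build();
    }

    /**
     * @return whether the request's {@code requested_token_type} parameter asks for a TxToken
     */
    public boolean isTxTokenFlow(HttpServletRequest httpServletRequest) {
        return isTxTokenFlow(httpServletRequest.getParameter("requested_token_type"));
    }

    /**
     * @param str the {@code requested_token_type} value
     * @return whether the value parses to {@link ExchangeTokenType#TX_TOKEN}
     */
    public static boolean isTxTokenFlow(String str) {
        return ExchangeTokenType.fromString(str) == ExchangeTokenType.TX_TOKEN;
    }

    /**
     * Builds a JSON error response for the token endpoint.
     *
     * @param i                      HTTP status code
     * @param tokenErrorResponseType OAuth error code
     * @param str                    human-readable reason placed in the error body
     */
    public Response.ResponseBuilder error(int i, TokenErrorResponseType tokenErrorResponseType, String str) {
        return Response.status(i)
                .type(MediaType.APPLICATION_JSON_TYPE)
                .entity(this.errorResponseFactory.errorAsJson(tokenErrorResponseType, str));
    }
}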
