package pl.edu.icm.unity.oauth.as.token.introspection;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.TokenIntrospectionRequest;
import com.nimbusds.oauth2.sdk.TokenIntrospectionResponse;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.util.Date;
import java.util.List;
import java.util.Optional;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.oauth.as.token.BaseOAuthResource;
import pl.edu.icm.unity.oauth.client.HttpRequestConfigurer;
import pl.edu.icm.unity.oauth.oidc.metadata.OAuthDiscoveryMetadataCache;
import pl.edu.icm.unity.oauth.oidc.metadata.OAuthJWKSetCache;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:pl/edu/icm/unity/oauth/as/token/introspection/RemoteTokenIntrospectionService.class */
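/**
 * Handles introspection of access tokens that were issued by a trusted upstream
 * authorization server rather than by this server.
 *
 * <p>The flow visible here is: look up the remote introspection configuration for the
 * token's issuer, verify the token's signature (and {@code exp}) with the verifier held
 * in that configuration, and only then forward the token to the upstream introspection
 * endpoint, authenticating with the configured client id/secret. Any failure on this
 * path degrades to the standard "inactive" introspection response, so an unverifiable
 * or unknown token is never reported as active.
 */
public class RemoteTokenIntrospectionService {
    private static final Logger log = Log.getLogger("unity.server.oauth", RemoteTokenIntrospectionService.class);
    private final IntrospectionServiceContextProvider introspectionServiceProvider;
    private final HttpRequestConfigurer httpRequestConfigurer;

    /**
     * Spring factory that wires the caches and PKI dependencies needed to build a
     * {@link RemoteTokenIntrospectionService} for a given list of trusted upstreams.
     */
    @Component
    /* loaded from: input_file:pl/edu/icm/unity/oauth/as/token/introspection/RemoteTokenIntrospectionService$RemoteIntrospectionServiceFactory.class */
    public static class RemoteIntrospectionServiceFactory {
        private final OAuthDiscoveryMetadataCache oAuthDiscoveryMetadataCache;
        private final OAuthJWKSetCache keyResourceCache;
        private final PKIManagement pkiManagement;

        /**
         * @param oAuthDiscoveryMetadataCache cache of upstream OIDC discovery documents
         * @param oAuthJWKSetCache cache of upstream JWK sets used to obtain signature verifiers
         * @param pKIManagement the {@code PKIManagement} bean qualified {@code "insecure"};
         *        NOTE(review): it is passed on to the context provider, presumably to build the
         *        TLS validator for the upstream call — confirm this qualifier is the intended one
         */
        @Autowired
        public RemoteIntrospectionServiceFactory(OAuthDiscoveryMetadataCache oAuthDiscoveryMetadataCache, OAuthJWKSetCache oAuthJWKSetCache, @Qualifier("insecure") PKIManagement pKIManagement) {
            this.oAuthDiscoveryMetadataCache = oAuthDiscoveryMetadataCache;
            this.keyResourceCache = oAuthJWKSetCache;
            this.pkiManagement = pKIManagement;
        }

        /**
         * Builds a service that knows how to introspect tokens from the given upstreams.
         *
         * @param list trusted upstream configurations (issuer, endpoint, credentials, trust settings)
         * @return a new service backed by a fresh {@link IntrospectionServiceContextProvider}
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public RemoteTokenIntrospectionService getService(List<TrustedUpstreamConfiguration> list) {
            return new RemoteTokenIntrospectionService(new IntrospectionServiceContextProvider(this.oAuthDiscoveryMetadataCache, this.keyResourceCache, this.pkiManagement, list));
        }
    }

    /**
     * @param introspectionServiceContextProvider resolves the per-issuer remote configuration
     * @param httpRequestConfigurer applies TLS validator and hostname checking to outgoing requests
     */
    RemoteTokenIntrospectionService(IntrospectionServiceContextProvider introspectionServiceContextProvider, HttpRequestConfigurer httpRequestConfigurer) {
        this.introspectionServiceProvider = introspectionServiceContextProvider;
        this.httpRequestConfigurer = httpRequestConfigurer;
    }

    /** Convenience constructor using a default {@link HttpRequestConfigurer}. */
    RemoteTokenIntrospectionService(IntrospectionServiceContextProvider introspectionServiceContextProvider) {
        this(introspectionServiceContextProvider, new HttpRequestConfigurer());
    }

    /**
     * Introspects a token issued by a remote, trusted issuer.
     *
     * @param signedJWTWithIssuer the parsed token together with its {@code iss} value
     * @return the upstream introspection result mapped to an HTTP response, or the
     *         standard inactive response when the upstream is unknown or the call fails
     */
    public Response processRemoteIntrospection(SignedJWTWithIssuer signedJWTWithIssuer) {
        log.debug("Remote token introspection, token {}", BaseOAuthResource.tokenToLog(signedJWTWithIssuer.signedJWT.toString()));
        // Fail closed: any reason for not getting an upstream answer yields "active: false".
        return proxyRequestToRemoteService(signedJWTWithIssuer)
                .map(this::mapRemoteResponse)
                .orElse(Response.ok(TokenIntrospectionResource.getInactiveResponse().toJSONString()).build());
    }

    /**
     * Converts the upstream introspection response into our own HTTP response.
     * A non-success upstream response is reported as inactive rather than relayed.
     */
    private Response mapRemoteResponse(TokenIntrospectionResponse tokenIntrospectionResponse) {
        // NOTE(review): this logs the complete upstream response body, which for an active
        // token carries its claims (subject, scopes, ...); keep this at debug level and make
        // sure debug logging is not enabled where such data must not be written to logs.
        log.debug("Remote token instrospection response {}", tokenIntrospectionResponse.toHTTPResponse().getBody());
        String body = tokenIntrospectionResponse.indicatesSuccess()
                ? tokenIntrospectionResponse.toSuccessResponse().toJSONObject().toJSONString()
                : TokenIntrospectionResource.getInactiveResponse().toJSONString();
        return Response.ok(body).build();
    }

    /**
     * Resolves the remote configuration for the token's issuer, verifies the token locally
     * and, on success, asks the upstream introspection endpoint about it.
     *
     * @return the upstream response, or empty when the issuer is unknown, the local
     *         verification fails, or the remote call does not produce a parseable response
     */
    private Optional<TokenIntrospectionResponse> proxyRequestToRemoteService(SignedJWTWithIssuer signedJWTWithIssuer) {
        Optional<RemoteIntrospectionServiceContext> remoteServiceContext = this.introspectionServiceProvider.getRemoteServiceContext(signedJWTWithIssuer.issuer);
        if (remoteServiceContext.isEmpty()) {
            log.debug("Remote introspection configuration is unknown for token issued by {}", signedJWTWithIssuer.issuer);
            return Optional.empty();
        }
        RemoteIntrospectionServiceContext remoteIntrospectionServiceContext = remoteServiceContext.get();
        try {
            // Verify before contacting the upstream so that tokens with a bad signature are
            // never forwarded anywhere.
            verifySignature(signedJWTWithIssuer.signedJWT, remoteIntrospectionServiceContext.verifier);
            return getRemoteIntrospectionResponse(remoteIntrospectionServiceContext, signedJWTWithIssuer);
        } catch (Exception e) {
            // getRemoteIntrospectionResponse handles its own failures, so in practice this
            // catches verification errors; it is kept broad so that an unexpected runtime
            // exception still results in the token being treated as inactive.
            log.error("Invalid sign of token " + BaseOAuthResource.tokenToLog(signedJWTWithIssuer.signedJWT.toString()), e);
            return Optional.empty();
        }
    }

    /**
     * Sends the introspection request to the upstream endpoint, authenticating with HTTP
     * Basic client credentials, using the TLS validator and hostname checking mode from the
     * remote configuration.
     *
     * @return the parsed upstream response, or empty on configuration, transport or parse errors
     */
    private Optional<TokenIntrospectionResponse> getRemoteIntrospectionResponse(RemoteIntrospectionServiceContext remoteIntrospectionServiceContext, SignedJWTWithIssuer signedJWTWithIssuer) {
        try {
            TokenIntrospectionRequest introspectionRequest = new TokenIntrospectionRequest(
                    remoteIntrospectionServiceContext.url.toURI(),
                    new ClientSecretBasic(new ClientID(remoteIntrospectionServiceContext.clientId), new Secret(remoteIntrospectionServiceContext.clientSecret)),
                    new BearerAccessToken(signedJWTWithIssuer.signedJWT.serialize()));
            HTTPRequest secureRequest = this.httpRequestConfigurer.secureRequest(
                    introspectionRequest.toHTTPRequest(),
                    remoteIntrospectionServiceContext.validator,
                    remoteIntrospectionServiceContext.hostnameCheckingMode);
            try {
                log.debug("Get token instrospection response from {}", remoteIntrospectionServiceContext.url);
                return Optional.of(TokenIntrospectionResponse.parse(secureRequest.send()));
            } catch (ParseException e) {
                log.error("Can not parse token instrospection response", e);
                return Optional.empty();
            } catch (IOException e2) {
                log.error("Can not send introspection request", e2);
                return Optional.empty();
            }
        } catch (Exception e3) {
            // Building the request (URI conversion, client credentials, TLS configuration)
            // failed; the problem is on our side, not with the token.
            log.error("Invalid remote introspection service configuration", e3);
            return Optional.empty();
        }
    }

    /**
     * Verifies the token's signature with the given verifier and checks that it is not expired.
     *
     * @param signedJWT the token to check
     * @param jWSVerifier verifier for the issuer's key; {@code null} means no key is available
     * @throws JOSEException when no verifier is available, the signature does not verify,
     *         the token carries no {@code exp} claim, or it is expired
     * @throws java.text.ParseException when the claims set cannot be parsed
     */
    void verifySignature(SignedJWT signedJWT, JWSVerifier jWSVerifier) throws JOSEException, java.text.ParseException {
        if (jWSVerifier == null) {
            throw new JOSEException("Can not verify signature");
        }
        log.trace("Verify token sign");
        if (!signedJWT.verify(jWSVerifier)) {
            throw new JOSEException("JWT signature is invalid");
        }
        // 'exp' is optional in a JWT claims set; a token without one is rejected explicitly
        // (with a meaningful message) instead of failing with a NullPointerException in
        // Date.after(), which the caller would log as a bad signature.
        Date expirationTime = signedJWT.getJWTClaimsSet().getExpirationTime();
        if (expirationTime == null) {
            throw new JOSEException("JWT has no expiration time");
        }
        if (new Date().after(expirationTime)) {
            throw new JOSEException("JWT is expired");
        }
    }
}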
