package uk.gov.di.ipv.cri.common.library.service;

import com.nimbusds.common.contenttype.ContentType;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.JWTID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.oauth2.sdk.token.Tokens;
import java.net.URI;
import java.util.List;
import java.util.Map;
import java.util.Set;
import uk.gov.di.ipv.cri.common.library.annotations.ExcludeFromGeneratedCoverageReport;
import uk.gov.di.ipv.cri.common.library.exception.AccessTokenRequestException;
import uk.gov.di.ipv.cri.common.library.exception.AccessTokenValidationException;
import uk.gov.di.ipv.cri.common.library.exception.ClientConfigurationException;
import uk.gov.di.ipv.cri.common.library.exception.SessionValidationException;
import uk.gov.di.ipv.cri.common.library.persistence.item.SessionItem;

/* loaded from: input_file:uk/gov/di/ipv/cri/common/library/service/AccessTokenService.class */
public class AccessTokenService {
    public static final String CODE = "code";
    public static final String GRANT_TYPE = "grant_type";
    public static final String CLIENT_ASSERTION_TYPE = "client_assertion_type";
    public static final String CLIENT_ASSERTION = "client_assertion";
    public static final String AUTHORISATION_CODE = "authorization_code";
    public static final String REDIRECT_URI = "redirect_uri";
    private final ConfigurationService configurationService;
    private final JWTVerifier jwtVerifier;

    public AccessTokenService(ConfigurationService configurationService, JWTVerifier jWTVerifier) {
        this.configurationService = configurationService;
        this.jwtVerifier = jWTVerifier;
    }

    @ExcludeFromGeneratedCoverageReport
    public AccessTokenService() {
        this(new ConfigurationService(), new JWTVerifier());
    }

    public String getAuthorizationCode(TokenRequest tokenRequest) {
        return tokenRequest.getAuthorizationGrant().getAuthorizationCode().getValue();
    }

    public AccessTokenResponse createToken(TokenRequest tokenRequest) {
        return new AccessTokenResponse(new Tokens(new BearerAccessToken(this.configurationService.getBearerAccessTokenTtl(), tokenRequest.getScope()), (RefreshToken) null)).toSuccessResponse();
    }

    public void updateSessionAccessToken(SessionItem sessionItem, AccessTokenResponse accessTokenResponse) {
        sessionItem.setAccessToken(accessTokenResponse.getTokens().getBearerAccessToken().toAuthorizationHeader());
        sessionItem.setAccessTokenExpiryDate(this.configurationService.getBearerAccessTokenExpirationEpoch());
        sessionItem.setAuthorizationCode(null);
    }

    public TokenRequest createTokenRequest(String str) throws AccessTokenValidationException {
        try {
            HTTPRequest hTTPRequest = new HTTPRequest(HTTPRequest.Method.POST, URI.create("https://gds"));
            hTTPRequest.setQuery(str);
            hTTPRequest.setContentType(ContentType.APPLICATION_URLENCODED.getType());
            if (!hTTPRequest.getQueryParameters().keySet().containsAll(Set.of(CODE, CLIENT_ASSERTION_TYPE, CLIENT_ASSERTION, REDIRECT_URI, GRANT_TYPE))) {
                throw new AccessTokenValidationException(OAuth2Error.INVALID_REQUEST.getCode());
            }
            if (hTTPRequest.getQueryParameters().values().stream().noneMatch(list -> {
                return list.contains(AUTHORISATION_CODE);
            })) {
                throw new AccessTokenValidationException("unsupported_grant_type");
            }
            return TokenRequest.parse(hTTPRequest);
        } catch (ParseException e) {
            throw new AccessTokenValidationException((Throwable) e);
        }
    }

    public TokenRequest validateTokenRequest(TokenRequest tokenRequest, SessionItem sessionItem) throws AccessTokenValidationException {
        try {
            PrivateKeyJWT privateKeyJWT = (PrivateKeyJWT) tokenRequest.getClientAuthentication();
            AuthorizationCodeGrant authorizationCodeGrant = (AuthorizationCodeGrant) tokenRequest.getAuthorizationGrant();
            ClientID clientID = tokenRequest.getClientAuthentication().getClientID();
            validateTokenRequestToRecord(privateKeyJWT, authorizationCodeGrant, clientID, sessionItem);
            this.jwtVerifier.verifyAccessTokenJWT(getClientAuthenticationConfig(clientID.getValue()), privateKeyJWT.getClientAssertion(), clientID);
            return tokenRequest;
        } catch (AccessTokenRequestException | ClientConfigurationException | SessionValidationException e) {
            throw new AccessTokenValidationException((Throwable) e);
        }
    }

    private Map<String, String> getClientAuthenticationConfig(String str) throws SessionValidationException {
        Map<String, String> parametersForPath = this.configurationService.getParametersForPath(String.format("/clients/%s/jwtAuthentication", str));
        if (parametersForPath == null || parametersForPath.isEmpty()) {
            throw new SessionValidationException(String.format("no configuration for client id '%s'", str));
        }
        return parametersForPath;
    }

    private void validateTokenRequestToRecord(PrivateKeyJWT privateKeyJWT, AuthorizationCodeGrant authorizationCodeGrant, ClientID clientID, SessionItem sessionItem) throws AccessTokenValidationException, AccessTokenRequestException, SessionValidationException {
        if (!authorizationCodeGrant.getAuthorizationCode().getValue().equals(sessionItem.getAuthorizationCode())) {
            throw new AccessTokenRequestException("Authorisation code does not match with authorization Code for Address Session Item", OAuth2Error.INVALID_GRANT);
        }
        verifyRequestUri(sessionItem.getRedirectUri(), getClientAuthenticationConfig(clientID.getValue()));
        verifyPrivateKeyJWTAttributes(privateKeyJWT, clientID, sessionItem);
    }

    private void verifyRequestUri(URI uri, Map<String, String> map) throws AccessTokenValidationException {
        URI create = URI.create(map.get("redirectUri"));
        if (uri == null || !uri.equals(create)) {
            throw new AccessTokenValidationException("redirect uri " + uri + " does not match configuration uri " + create);
        }
    }

    private void verifyPrivateKeyJWTAttributes(PrivateKeyJWT privateKeyJWT, ClientID clientID, SessionItem sessionItem) throws AccessTokenValidationException {
        Issuer issuer = privateKeyJWT.getJWTAuthenticationClaimsSet().getIssuer();
        Subject subject = privateKeyJWT.getJWTAuthenticationClaimsSet().getSubject();
        List<Audience> audience = privateKeyJWT.getJWTAuthenticationClaimsSet().getAudience();
        JWTID jwtid = privateKeyJWT.getJWTAuthenticationClaimsSet().getJWTID();
        verifyIfAudiencePresent(audience);
        verifyIfJWTIdPresent(jwtid);
        verifyIfIssuerMatchesSubject(issuer, subject);
        verifyIfIssuerMatchesTokenRequestClientID(issuer, clientID);
        verifyIssuerMatchesClientIDOnRecord(issuer, sessionItem);
    }

    private void verifyIssuerMatchesClientIDOnRecord(Issuer issuer, SessionItem sessionItem) throws AccessTokenValidationException {
        if (issuer.getValue().equals(sessionItem.getClientId())) {
            return;
        }
        throwValidationException("request client id and saved client id do not match");
    }

    private void verifyIfIssuerMatchesTokenRequestClientID(Issuer issuer, ClientID clientID) throws AccessTokenValidationException {
        if (issuer.getValue().equals(clientID.getValue())) {
            return;
        }
        throwValidationException("issuer does not match clientID");
    }

    private void verifyIfIssuerMatchesSubject(Issuer issuer, Subject subject) throws AccessTokenValidationException {
        if (issuer.getValue().equals(subject.getValue())) {
            return;
        }
        throwValidationException("issuer does not match subject");
    }

    private void verifyIfJWTIdPresent(JWTID jwtid) throws AccessTokenValidationException {
        if (jwtid == null) {
            throwValidationException("jti is missing");
        }
    }

    private void verifyIfAudiencePresent(List<Audience> list) throws AccessTokenValidationException {
        if (list.isEmpty()) {
            throwValidationException("audience is missing");
        }
    }

    private void throwValidationException(String str) throws AccessTokenValidationException {
        throw new AccessTokenValidationException(str);
    }
}
