package de.adorsys.ledgers.oba.service.impl.service;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import de.adorsys.ledgers.oba.service.api.domain.ConsentReference;
import de.adorsys.ledgers.oba.service.api.domain.ConsentType;
import de.adorsys.ledgers.oba.service.api.domain.exception.ObaErrorCode;
import de.adorsys.ledgers.oba.service.api.domain.exception.ObaException;
import de.adorsys.ledgers.oba.service.api.service.ConsentReferencePolicy;
import de.adorsys.ledgers.util.Ids;
import java.text.ParseException;
import java.util.Date;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.time.DateUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

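/**
 * Issues and verifies the short-lived HS256 JWT that binds a consent redirect to the
 * request that started it. The token is stored on {@link ConsentReference#setCookieString}
 * (presumably carried in a browser cookie — the messages below call a mismatch a CSRF alert)
 * and carries the redirect id, consent type, encrypted consent id and, once known, the
 * authorisation id.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The MAC is verified before any claim is read, so no attacker-controlled value from an
 *       unauthenticated token reaches a comparison, an error message or the log.</li>
 *   <li>The algorithm is pinned to HS256; the symmetric secret comes from
 *       {@code online-banking.sca.jwt.hs256.secret}. nimbus-jose-jwt rejects HMAC secrets shorter
 *       than 256 bits (KeyLengthException) at sign/verify time, not at startup.</li>
 *   <li>Every successful verification re-mints the token, which slides the expiry window by
 *       another {@value #TOKEN_TTL_SECONDS} seconds for as long as the flow keeps round-tripping.</li>
 *   <li>Claim comparisons are case-insensitive ({@code StringUtils.equalsIgnoreCase}); this is
 *       the original contract and is kept — TODO confirm with callers whether exact match is safe.</li>
 * </ul>
 */
@Component
/* loaded from: input_file:de/adorsys/ledgers/oba/service/impl/service/DefaultConsentReferencePolicy.class */
public class DefaultConsentReferencePolicy implements ConsentReferencePolicy {
    private static final Logger log = LoggerFactory.getLogger(DefaultConsentReferencePolicy.class);
    private static final String CONSENT_TYPE_JWT_CLAIM_NAME = "consent-type";
    private static final String REDIRECT_ID_JWT_CLAIM_NAME = "redirect-id";
    private static final String ENC_CONSENT_ID_JWT_CLAIM_NAME = "enc-consent-id";
    private static final String AUTH_ID_JWT_CLAIM_NAME = "auth-id";
    /** Lifetime of a minted token; there is no clock-skew tolerance on verification. */
    private static final int TOKEN_TTL_SECONDS = 300;

    /** Shared HMAC secret for signing and verifying; never logged. */
    @Value("${online-banking.sca.jwt.hs256.secret}")
    private String hmacSecret;

    /**
     * Builds the initial consent reference for a redirect entry point and mints its token.
     *
     * @param str         redirect id
     * @param consentType consent type recorded in the token
     * @param str2        encrypted consent id
     * @return reference with a freshly signed cookie string (no authorisation id yet)
     */
    @Override
    public ConsentReference fromURL(String str, ConsentType consentType, String str2) {
        ConsentReference consentReference = new ConsentReference();
        consentReference.setRedirectId(str);
        consentReference.setConsentType(consentType);
        consentReference.setEncryptedConsentId(str2);
        consentReference.setCookieString(toClaim(consentReference));
        return consentReference;
    }

    /**
     * Verifies an incoming token against the request and returns a re-minted reference.
     *
     * @param str  encrypted consent id from the request; must match the token claim
     * @param str2 authorisation id from the request; must match the token claim when present
     * @param str3 the serialized signed JWT
     * @param z    whether the authorisation id claim is mandatory at this stage of the flow
     * @return reference rebuilt from the verified claims, carrying a new cookie string
     * @throws ObaException with {@link ObaErrorCode#ACCESS_FORBIDDEN} on any parse, signature,
     *                      algorithm, expiry or claim-binding failure
     */
    @Override
    public ConsentReference fromRequest(String str, String str2, String str3, boolean z) {
        return verifyParseJWT(str, str2, str3, z);
    }

    /** Serialises the reference into a signed JWT valid for {@link #TOKEN_TTL_SECONDS}. */
    private String toClaim(ConsentReference consentReference) {
        Date issuedAt = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .jwtID(Ids.id())
            .claim(REDIRECT_ID_JWT_CLAIM_NAME, consentReference.getRedirectId())
            .claim(CONSENT_TYPE_JWT_CLAIM_NAME, consentReference.getConsentType().name())
            .claim(ENC_CONSENT_ID_JWT_CLAIM_NAME, consentReference.getEncryptedConsentId())
            // null until the authorisation has been created; verification tolerates absence
            // only when the caller passes z == false
            .claim(AUTH_ID_JWT_CLAIM_NAME, consentReference.getAuthorizationId())
            .expirationTime(DateUtils.addSeconds(issuedAt, TOKEN_TTL_SECONDS))
            .issueTime(issuedAt)
            .build();
        return signJWT(claims);
    }

    /**
     * Signs the claims with HS256. The random key id is informational only — verification
     * always uses {@link #hmacSecret} and never selects a key by id.
     */
    private String signJWT(JWTClaimsSet jWTClaimsSet) {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.HS256).keyID(Ids.id()).build();
        SignedJWT signedJWT = new SignedJWT(header, jWTClaimsSet);
        try {
            signedJWT.sign(new MACSigner(this.hmacSecret));
            return signedJWT.serialize();
        } catch (JOSEException e) {
            throw new IllegalStateException("Error signing user token", e);
        }
    }

    /**
     * Full verification pipeline: parse, pin algorithm, verify MAC, then check expiry and the
     * request/claim bindings. Claims are only read after the MAC has been verified.
     */
    private ConsentReference verifyParseJWT(String str, String str2, String str3, boolean z) {
        Date now = new Date();
        try {
            SignedJWT signedJWT = SignedJWT.parse(str3);

            // 1. Pin the algorithm. MACVerifier only accepts HMAC algorithms anyway, but the
            //    explicit check keeps the policy independent of library defaults.
            if (!JWSAlgorithm.HS256.equals(signedJWT.getHeader().getAlgorithm())) {
                throw invalidConsent(String.format("Wrong jws algo for token: expected %s", JWSAlgorithm.HS256));
            }

            // 2. Verify the MAC before touching any claim. Until this passes every claim is
            //    attacker-controlled and must reach neither a decision nor a log line.
            if (!signedJWT.verify(new MACVerifier(this.hmacSecret))) {
                throw invalidConsent("Could not verify signature of token");
            }

            JWTClaimsSet claims = signedJWT.getJWTClaimsSet();

            // 3. Expiry; a token without exp is rejected rather than treated as unlimited.
            Date expiresAt = claims.getExpirationTime();
            if (expiresAt == null || expiresAt.before(now)) {
                throw invalidConsent(String.format("Token with subject %s is expired at %s and reference time is %s : ", claims.getSubject(), expiresAt, now));
            }

            // 4. Bind the token to the request. Case-insensitive comparison kept from the
            //    original contract.
            Object authIdClaim = claims.getClaim(AUTH_ID_JWT_CLAIM_NAME);
            if (z && authIdClaim == null) {
                throw invalidConsent(String.format("Wrong jwt. CSRF allert. Missing claim %s for jwt with redirectId %s", AUTH_ID_JWT_CLAIM_NAME, claims.getClaim(REDIRECT_ID_JWT_CLAIM_NAME)));
            }
            if (authIdClaim != null && !StringUtils.equalsIgnoreCase(authIdClaim.toString(), str2)) {
                throw invalidConsent(String.format("Wrong jwt. CSRF allert. Wrong %s for token with redirectId %s", AUTH_ID_JWT_CLAIM_NAME, claims.getClaim(REDIRECT_ID_JWT_CLAIM_NAME)));
            }
            Object encConsentIdClaim = claims.getClaim(ENC_CONSENT_ID_JWT_CLAIM_NAME);
            if (encConsentIdClaim == null || !StringUtils.equalsIgnoreCase(encConsentIdClaim.toString(), str)) {
                throw invalidConsent(String.format("Wrong jwt. CSRF allert. Wrong %s for token with redirectId %s", ENC_CONSENT_ID_JWT_CLAIM_NAME, claims.getClaim(REDIRECT_ID_JWT_CLAIM_NAME)));
            }

            return consentReference(str, str2, claims);
        } catch (ParseException | JOSEException e) {
            // Malformed token or a library-level failure (e.g. secret too short for HS256).
            throw invalidConsent(e.getMessage(), e);
        }
    }

    /**
     * Rebuilds the reference from verified claims and re-mints the token. Missing or unknown
     * consent-type / redirect-id claims are reported as ACCESS_FORBIDDEN instead of surfacing
     * as NullPointerException / IllegalArgumentException.
     */
    private ConsentReference consentReference(String str, String str2, JWTClaimsSet jWTClaimsSet) {
        Object consentTypeClaim = jWTClaimsSet.getClaim(CONSENT_TYPE_JWT_CLAIM_NAME);
        Object redirectIdClaim = jWTClaimsSet.getClaim(REDIRECT_ID_JWT_CLAIM_NAME);
        if (consentTypeClaim == null || redirectIdClaim == null) {
            throw invalidConsent(String.format("Wrong jwt. Missing claim %s or %s", CONSENT_TYPE_JWT_CLAIM_NAME, REDIRECT_ID_JWT_CLAIM_NAME));
        }
        ConsentType consentType;
        try {
            consentType = ConsentType.valueOf(consentTypeClaim.toString());
        } catch (IllegalArgumentException e) {
            throw invalidConsent(String.format("Wrong jwt. Unknown %s for token with redirectId %s", CONSENT_TYPE_JWT_CLAIM_NAME, redirectIdClaim));
        }

        ConsentReference consentReference = new ConsentReference();
        consentReference.setConsentType(consentType);
        consentReference.setRedirectId(redirectIdClaim.toString());
        consentReference.setEncryptedConsentId(str);
        consentReference.setAuthorizationId(str2);
        // Re-minting slides the expiry window; see class Javadoc.
        consentReference.setCookieString(toClaim(consentReference));
        return consentReference;
    }

    /** Logs the rejection and builds the ACCESS_FORBIDDEN exception the caller throws. */
    private ObaException invalidConsent(String str) {
        log.warn(str);
        return ObaException.builder().obaErrorCode(ObaErrorCode.ACCESS_FORBIDDEN).devMessage(str).build();
    }

    /** As {@link #invalidConsent(String)} but keeps the cause in the log instead of dropping it. */
    private ObaException invalidConsent(String str, Throwable cause) {
        log.warn(str, cause);
        return ObaException.builder().obaErrorCode(ObaErrorCode.ACCESS_FORBIDDEN).devMessage(str).build();
    }
}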
