package org.cloudfoundry.identity.uaa.util;

import com.fasterxml.jackson.core.type.TypeReference;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.oauth.TokenRevokedException;
import org.cloudfoundry.identity.uaa.oauth.client.ClientConstants;
import org.cloudfoundry.identity.uaa.oauth.jwt.Jwt;
import org.cloudfoundry.identity.uaa.oauth.jwt.JwtHelper;
import org.cloudfoundry.identity.uaa.oauth.token.ClaimConstants;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableToken;
import org.cloudfoundry.identity.uaa.oauth.token.RevocableTokenProvisioning;
import org.cloudfoundry.identity.uaa.user.UaaUser;
import org.cloudfoundry.identity.uaa.util.JsonUtils;
import org.flywaydb.core.internal.util.StringUtils;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.NoSuchClientException;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.1.0.jar:org/cloudfoundry/identity/uaa/util/TokenValidation.class */
public class TokenValidation {
    private static final Log logger = LogFactory.getLog(TokenValidation.class);
    private final Map<String, Object> claims;
    private final Jwt tokenJwt;
    private final String token;
    private final boolean decoded;
    private final List<RuntimeException> validationErrors;
    private Optional<List<String>> scopes;

    public static TokenValidation validate(String str) {
        return new TokenValidation(str);
    }

    private TokenValidation(String str) {
        Jwt jwt;
        Map<String, Object> map;
        this.validationErrors = new ArrayList();
        this.scopes = null;
        this.token = str;
        try {
            jwt = JwtHelper.decode(str);
        } catch (Exception e) {
            jwt = null;
            this.validationErrors.add(new InvalidTokenException("Invalid token (could not decode): " + str, e));
        }
        this.tokenJwt = jwt;
        if (jwt != null) {
            String claims = jwt.getClaims();
            if (StringUtils.hasText(claims)) {
                try {
                    map = (Map) JsonUtils.readValue(claims, new TypeReference<Map<String, Object>>() { // from class: org.cloudfoundry.identity.uaa.util.TokenValidation.1
                    });
                } catch (JsonUtils.JsonUtilException e2) {
                    map = null;
                    this.validationErrors.add(new InvalidTokenException("Invalid token (cannot read token claims): " + str, e2));
                }
                this.claims = map;
                this.decoded = isValid();
            }
        }
        this.claims = new HashMap();
        this.decoded = isValid();
    }

    public boolean isValid() {
        return this.validationErrors.size() == 0;
    }

    public List<RuntimeException> getValidationErrors() {
        return this.validationErrors;
    }

    /* renamed from: clone, reason: merged with bridge method [inline-methods] */
    public TokenValidation m2810clone() {
        return new TokenValidation(this);
    }

    private TokenValidation(TokenValidation tokenValidation) {
        this.validationErrors = new ArrayList();
        this.scopes = null;
        this.claims = tokenValidation.claims == null ? null : new HashMap(tokenValidation.claims);
        this.tokenJwt = tokenValidation.tokenJwt;
        this.token = tokenValidation.token;
        this.decoded = tokenValidation.decoded;
        this.scopes = tokenValidation.scopes;
    }

    public TokenValidation checkSignature(SignatureVerifier signatureVerifier) {
        if (!this.decoded) {
            return this;
        }
        try {
            this.tokenJwt.verifySignature(signatureVerifier);
        } catch (Exception e) {
            logger.debug("Invalid token (could not verify signature)", e);
            addError("Could not verify token signature.", new InvalidSignatureException(this.token));
        }
        return this;
    }

    public TokenValidation checkIssuer(String str) {
        if (str == null) {
            return this;
        }
        if (!this.decoded || !this.claims.containsKey(ClaimConstants.ISS)) {
            addError("Token does not bear an ISS claim.");
            return this;
        }
        if (!equals(str, this.claims.get(ClaimConstants.ISS))) {
            addError("Invalid issuer (" + this.claims.get(ClaimConstants.ISS) + ") for token did not match expected: " + str);
        }
        return this;
    }

    public TokenValidation checkExpiry(Instant instant) {
        if (!this.decoded || !this.claims.containsKey("exp")) {
            addError("Token does not bear an EXP claim.");
            return this;
        }
        try {
            long intValue = ((Integer) this.claims.get("exp")).intValue();
            if (instant.getEpochSecond() > intValue) {
                addError("Token expired at " + intValue);
            }
        } catch (ClassCastException e) {
            addError("Token bears an invalid or unparseable EXP claim.", e);
        }
        return this;
    }

    public TokenValidation checkExpiry() {
        return checkExpiry(Instant.now());
    }

    protected TokenValidation checkUser(Function<String, UaaUser> function) {
        UaaUser uaaUser;
        if (!this.decoded || !UaaTokenUtils.isUserToken(this.claims)) {
            addError("Token is not a user token.");
            return this;
        }
        if (!this.claims.containsKey("user_id")) {
            addError("Token does not bear a USER_ID claim.");
            return this;
        }
        try {
            String str = (String) this.claims.get("user_id");
            if (str == null) {
                addError("Token has a null USER_ID claim.");
            } else {
                try {
                    uaaUser = function.apply(str);
                    Assert.notNull(uaaUser);
                } catch (UsernameNotFoundException e) {
                    uaaUser = null;
                    addError("Token bears a non-existent user ID: " + str, e);
                } catch (InvalidTokenException e2) {
                    uaaUser = null;
                    this.validationErrors.add(e2);
                }
                if (uaaUser == null) {
                    addError("Found no data for user ID: " + str);
                } else {
                    List<? extends GrantedAuthority> authorities = uaaUser.getAuthorities();
                    if (authorities == null) {
                        addError("Invalid token (all scopes have been revoked)");
                    } else {
                        checkScopesWithin((List) authorities.stream().map((v0) -> {
                            return v0.getAuthority();
                        }).collect(Collectors.toList()));
                    }
                }
            }
            return this;
        } catch (ClassCastException e3) {
            addError("Token bears an invalid or unparseable USER_ID claim.", e3);
            return this;
        }
    }

    public TokenValidation checkScopesInclude(String... strArr) {
        return checkScopesInclude(Arrays.asList(strArr));
    }

    public TokenValidation checkScopesInclude(Collection<String> collection) {
        getScopes().ifPresent(list -> {
            String str = (String) collection.stream().filter(str2 -> {
                return !list.contains(str2);
            }).collect(Collectors.joining(" "));
            if (StringUtils.hasText(str)) {
                this.validationErrors.add(new InsufficientScopeException("Some expected scopes are missing: " + str));
            }
        });
        return this;
    }

    public TokenValidation checkScopesWithin(String... strArr) {
        return checkScopesWithin(Arrays.asList(strArr));
    }

    public TokenValidation checkScopesWithin(Collection<String> collection) {
        getScopes().ifPresent(list -> {
            Set<Pattern> constructWildcards = UaaStringUtils.constructWildcards(collection);
            List list = (List) list.stream().filter(str -> {
                return !constructWildcards.stream().anyMatch(pattern -> {
                    return pattern.matcher(str).matches();
                });
            }).collect(Collectors.toList());
            if (list.isEmpty()) {
                return;
            }
            this.validationErrors.add(new InvalidTokenException("Some scopes have been revoked: " + ((String) list.stream().collect(Collectors.joining(" ")))));
        });
        return this;
    }

    public TokenValidation checkClientAndUser(ClientDetails clientDetails, UaaUser uaaUser) {
        TokenValidation checkClient = checkClient(str -> {
            if (equals(str, clientDetails.getClientId())) {
                return clientDetails;
            }
            throw new InvalidTokenException("Token's client ID does not match expected value: " + clientDetails.getClientId());
        });
        return UaaTokenUtils.isUserToken(this.claims) ? checkClient.checkUser(str2 -> {
            if (uaaUser == null) {
                throw new InvalidTokenException("Unable to validate user, no user found.");
            }
            if (equals(str2, uaaUser.getId())) {
                return uaaUser;
            }
            throw new InvalidTokenException("Token does not have expected user ID.");
        }).checkRequiredUserGroups((Collection) Optional.ofNullable((Collection) clientDetails.getAdditionalInformation().get(ClientConstants.REQUIRED_USER_GROUPS)).orElse(Collections.emptySet()), AuthorityUtils.authorityListToSet(uaaUser.getAuthorities())) : checkClient;
    }

    protected TokenValidation checkRequiredUserGroups(Collection<String> collection, Collection<String> collection2) {
        if (!UaaTokenUtils.hasRequiredUserGroups(collection, collection2)) {
            addError("User does not meet the client's required group criteria.");
        }
        return this;
    }

    protected TokenValidation checkClient(Function<String, ClientDetails> function) {
        if (!this.decoded || !this.claims.containsKey(ClaimConstants.CID)) {
            addError("Token bears no client ID.");
            return this;
        }
        if (this.claims.containsKey("client_id") && !equals(this.claims.get(ClaimConstants.CID), this.claims.get("client_id"))) {
            addError("Token bears conflicting client ID claims.");
            return this;
        }
        try {
            String str = (String) this.claims.get(ClaimConstants.CID);
            try {
                ClientDetails apply = function.apply(str);
                checkScopesWithin(null == this.claims.get("user_id") ? (Collection) Optional.ofNullable(apply.getAuthorities()).map(collection -> {
                    return (List) collection.stream().map((v0) -> {
                        return v0.getAuthority();
                    }).collect(Collectors.toList());
                }).orElse(Collections.emptyList()) : apply.getScope());
            } catch (InvalidTokenException e) {
                this.validationErrors.add(e);
            } catch (NoSuchClientException e2) {
                addError("The token refers to a non-existent client: " + str, e2);
            }
            return this;
        } catch (ClassCastException e3) {
            addError("Token bears an invalid or unparseable CID claim.", e3);
            return this;
        }
    }

    public TokenValidation checkRevocationSignature(List<String> list) {
        if (!this.decoded) {
            addError("Token does not bear a revocation hash.");
            return this;
        }
        if (!this.claims.containsKey(ClaimConstants.REVOCATION_SIGNATURE)) {
            return this;
        }
        try {
            String str = (String) this.claims.get(ClaimConstants.REVOCATION_SIGNATURE);
            boolean z = false;
            Iterator<String> it = list.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                if (str.equals(it.next())) {
                    z = true;
                    break;
                }
            }
            if (str == null || !z) {
                this.validationErrors.add(new TokenRevokedException("revocable signature mismatch"));
            }
            return this;
        } catch (ClassCastException e) {
            addError("Token bears an invalid or unparseable revocation signature.", e);
            return this;
        }
    }

    public TokenValidation checkAudience(String... strArr) {
        return checkAudience(Arrays.asList(strArr));
    }

    public TokenValidation checkAudience(Collection<String> collection) {
        List list;
        if (!this.decoded || !this.claims.containsKey("aud")) {
            addError("The token does not bear an AUD claim.");
            return this;
        }
        Object obj = this.claims.get("aud");
        if (obj instanceof String) {
            list = Collections.singletonList((String) obj);
        } else if (obj == null) {
            list = Collections.emptyList();
        } else {
            try {
                list = (List) ((List) obj).stream().map(obj2 -> {
                    return (String) obj2;
                }).collect(Collectors.toList());
            } catch (ClassCastException e) {
                addError("The token's audience claim is invalid or unparseable.", e);
                return this;
            }
        }
        List list2 = list;
        String str = (String) collection.stream().filter(str2 -> {
            return !list2.contains(str2);
        }).collect(Collectors.joining(", "));
        if (StringUtils.hasText(str)) {
            addError("Some parties were not in the token audience: " + str);
        }
        return this;
    }

    public TokenValidation checkRevocableTokenStore(RevocableTokenProvisioning revocableTokenProvisioning) {
        if (!this.decoded) {
            addError("The token could not be checked for revocation.");
            return this;
        }
        try {
            if (this.claims.containsKey(ClaimConstants.REVOCABLE) && ((Boolean) this.claims.get(ClaimConstants.REVOCABLE)).booleanValue()) {
                String str = (String) this.claims.get("jti");
                if (str == null) {
                    addError("The token does not bear a token ID (JTI).");
                    return this;
                }
                RevocableToken revocableToken = null;
                try {
                    revocableToken = revocableTokenProvisioning.retrieve(str);
                } catch (EmptyResultDataAccessException e) {
                }
                if (revocableToken == null) {
                    this.validationErrors.add(new TokenRevokedException("The token has been revoked: " + str));
                }
            }
            return this;
        } catch (ClassCastException e2) {
            addError("The token's revocability or JTI claim is invalid or unparseable.", e2);
            return this;
        }
    }

    private boolean addError(String str, Exception exc) {
        return this.validationErrors.add(new InvalidTokenException(str, exc));
    }

    private boolean addError(String str) {
        return addError(str, null);
    }

    private static boolean equals(Object obj, Object obj2) {
        return obj == null ? obj2 == null : obj.equals(obj2);
    }

    private Optional<List<String>> getScopes() {
        if (this.scopes != null) {
            return this.scopes;
        }
        if (!this.decoded || !this.claims.containsKey("scope")) {
            addError("The token does not bear a SCOPE claim.");
            Optional<List<String>> empty = Optional.empty();
            this.scopes = empty;
            return empty;
        }
        Object obj = this.claims.get("scope");
        if (obj == null) {
            obj = new ArrayList();
        }
        try {
            Optional<List<String>> of = Optional.of(((List) obj).stream().map(obj2 -> {
                return (String) obj2;
            }).collect(Collectors.toList()));
            this.scopes = of;
            return of;
        } catch (ClassCastException e) {
            addError("The token's scope claim is invalid or unparseable.", e);
            Optional<List<String>> empty2 = Optional.empty();
            this.scopes = empty2;
            return empty2;
        }
    }

    public TokenValidation throwIfInvalid() {
        if (isValid()) {
            return this;
        }
        throw this.validationErrors.get(0);
    }

    public Jwt getJwt() {
        return this.tokenJwt;
    }

    public Map<String, Object> getClaims() {
        return this.claims;
    }
}
