package com.adobe.granite.auth.ims.impl.token;

import com.adobe.granite.auth.ims.impl.cert.IMSCertificateProvider;
import com.adobe.granite.auth.ims.impl.jwt.IMSJwsValidator;
import com.adobe.granite.auth.ims.impl.jwt.IMSJwtValidator;
import com.adobe.granite.auth.oauth.ExtendedTokenValidator;
import com.adobe.granite.auth.oauth.TokenValidator;
import java.security.PublicKey;
import java.util.Locale;
import java.util.Optional;
import org.apache.oltu.jose.jws.JWS;
import org.apache.oltu.jose.jws.io.JWSReader;
import org.apache.oltu.oauth2.jwt.JWT;
import org.apache.oltu.oauth2.jwt.io.JWTReader;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

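/**
 * Offline (local) validator for IMS access tokens.
 *
 * <p>{@link #validate(String)} checks, in this order: the token parses as a JWS/JWT, it carries an
 * {@code x5u} header and an {@code as} claim, the {@code as} claim names the configured IMS
 * environment, a public key for that environment is available from the
 * {@link IMSCertificateProvider}, the signature verifies, the lifetime is valid, and the token is
 * an access token. The first failing check decides the {@link ExtendedTokenValidator.ValidationResult}.
 *
 * <p>When the validator is disabled by configuration, or when the IMS environment cannot be
 * determined from the configuration, every token is reported as valid; the online validator is
 * then the only remaining check.
 */
@Designate(ocd = Config.class)
@Component(service = {ExtendedTokenValidator.class, TokenValidator.class}, property = {"service.description=" + OfflineValidatorImpl.SERVICE_DESCRIPTION, "auth.token.validator.type=" + OfflineValidatorImpl.VALIDATOR_TYPE}, configurationPolicy = ConfigurationPolicy.REQUIRE)
public class OfflineValidatorImpl implements ExtendedTokenValidator, TokenValidator {
    static final String SERVICE_DESCRIPTION = "Offline validator for IMS access tokens. It exhaustively validates signature, expiration, environment and format of IMS access tokens.";
    public static final String VALIDATOR_TYPE = "com.adobe.granite.auth.ims.impl.token.OfflineValidatorImpl";
    private static final Logger log = LoggerFactory.getLogger(OfflineValidatorImpl.class);

    // IMS base URLs recognised by the configuration and the AS claim value each one maps to.
    private static final String BASE_URL_PROD = "https://ims-na1.adobelogin.com";
    private static final String BASE_URL_STAGE = "https://ims-na1-stg1.adobelogin.com";
    private static final String AS_CLAIM_PROD = "ims-na1";
    private static final String AS_CLAIM_STAGE = "ims-na1-stg1";

    private final IMSCertificateProvider imsCertificateProvider;
    private final IMSJwsValidator jwsValidator;
    private final IMSJwtValidator jwtValidator;
    // false when disabled by configuration or when no AS claim could be derived; validation is
    // then short-circuited to "valid".
    private final boolean enabled;
    // AS claim value a token must carry to be accepted; null only when the validator is disabled
    // because the environment could not be determined.
    private final String expectedAsClaim;

    @ObjectClassDefinition(name = "Adobe Granite IMS Access Token Offline Validator", description = OfflineValidatorImpl.SERVICE_DESCRIPTION)
    public @interface Config {
        @AttributeDefinition(name = "Enable Offline Token Validation", description = "Enable the Offline Validator. Disabling this validator should be only done temporarily for troubleshooting purposes since it makes AEM vulnerable to DoS attacks. Disabling this validator will make the token validation to be always SUCCESSFUL, relegating the validation responsibility to the online validator.")
        boolean ims_offline_token_validator_enable() default false;

        @AttributeDefinition(name = "IMS environment base URL", description = "The IMS base URL should be provided in this setting so the validator can infer the IMS environment that will be accepted. Tokens from other environments will be discarded. Accepted values are \"https://ims-na1.adobelogin.com\" and \"https://ims-na1-stg1.adobelogin.com\".")
        String ims_environment_base_url();

        @AttributeDefinition(name = "Override IMS environment detection", description = "To use only during development or as an emergency workaround. Override the IMS environment base URL and directly specify the IMS environment AS claim identifier this instance is accepting. Use this option only if you're using other environments than prod or stage, or as a workaround if the \"IMS environment base URL\" detection is not working well.")
        String ims_offline_token_validator_environment_as_claim_override();
    }

    /**
     * Creates the validator from its OSGi references and configuration.
     *
     * <p>The validator is enabled only if {@code ims_offline_token_validator_enable} is set AND an
     * AS claim could be derived from the configuration (see
     * {@link #expectedAsClaimInitialization(String, String)}). Either failure is logged so the
     * resulting "always valid" behaviour is visible in the logs.
     *
     * @param iMSCertificateProvider source of IMS public keys, looked up by environment and x5u
     * @param iMSJwsValidator signature verifier
     * @param iMSJwtValidator lifetime and token-type checks
     * @param config OSGi configuration
     */
    @Activate
    public OfflineValidatorImpl(@Reference IMSCertificateProvider iMSCertificateProvider, @Reference IMSJwsValidator iMSJwsValidator, @Reference IMSJwtValidator iMSJwtValidator, Config config) {
        this.jwsValidator = iMSJwsValidator;
        this.jwtValidator = iMSJwtValidator;
        this.imsCertificateProvider = iMSCertificateProvider;
        this.expectedAsClaim = expectedAsClaimInitialization(config.ims_environment_base_url(), config.ims_offline_token_validator_environment_as_claim_override());
        if (this.expectedAsClaim == null) {
            log.error("OfflineValidatorImpl: Unable to recognize the IMS environment, disabling the validator.");
            log.error("OfflineValidatorImpl: Please review Offline Validator configuration.");
            this.enabled = false;
        } else {
            this.enabled = config.ims_offline_token_validator_enable();
            if (this.enabled) {
                log.info("IMS Offline Token Validator successfully initialized, effective AS claim accepted: {}.", this.expectedAsClaim);
            } else {
                log.warn("IMS Offline Token Validator disabled by configuration, use only as temporary workaround.");
            }
        }
    }

    /**
     * Derives the AS claim this instance accepts.
     *
     * <p>A non-blank override wins verbatim (trimmed). Otherwise the base URL is matched, after
     * trimming and locale-independent lower-casing, against the two known IMS environments.
     *
     * @param str the configured IMS base URL, may be null
     * @param str2 the configured AS claim override, may be null
     * @return the accepted AS claim, or null if neither setting yields one
     */
    @Nullable
    protected static String expectedAsClaimInitialization(@Nullable String str, @Nullable String str2) {
        if (str2 != null) {
            String override = str2.trim();
            if (!override.isEmpty()) {
                return override;
            }
        }
        if (str == null) {
            return null;
        }
        // Locale.ROOT: a default Turkish-style locale would lower-case an upper-case "I" to a
        // dotless form and silently fail to match the known URLs.
        switch (str.trim().toLowerCase(Locale.ROOT)) {
            case BASE_URL_PROD:
                return AS_CLAIM_PROD;
            case BASE_URL_STAGE:
                return AS_CLAIM_STAGE;
            default:
                return null;
        }
    }

    /**
     * Validates an IMS access token offline.
     *
     * @param str the raw compact-serialised token
     * @return {@code VALID} when every check passes or the validator is disabled; otherwise the
     *     result naming the first check that failed
     */
    @NotNull
    public ExtendedTokenValidator.ValidationResult validate(@NotNull String str) {
        if (!this.enabled) {
            log.warn("validate: Offline token validation is DISABLED, offline token validation is ALWAYS SUCCESSFUL.");
            return ExtendedTokenValidator.ValidationResult.VALID;
        }
        try {
            JWS jws = (JWS) new JWSReader().read(str);
            JWT jwt = (JWT) new JWTReader().read(str);
            String x509url = jws.getHeader().getX509url();
            if (x509url == null) {
                log.debug("validate: The x5u claim is null.");
                return ExtendedTokenValidator.ValidationResult.NOT_RECOGNIZED;
            }
            String asClaim = (String) jwt.getClaimsSet().getCustomField("as", String.class);
            if (asClaim == null) {
                log.debug("validate: No \"as\" claim in token.");
                return ExtendedTokenValidator.ValidationResult.NOT_RECOGNIZED;
            }
            // The "as" claim is still unverified here; it is only used to select the environment
            // whose key will verify the signature, so it cannot make a foreign token acceptable.
            if (!asClaim.equalsIgnoreCase(this.expectedAsClaim)) {
                log.debug("validate: Invalid as claim, expected: {}, received: {}.", this.expectedAsClaim, asClaim);
                return ExtendedTokenValidator.ValidationResult.NOT_EXPECTED_ENVIRONMENT;
            }
            // NOTE(review): x5u is attacker-controlled until the signature verifies; the
            // certificate provider is assumed to only fetch keys for the given IMS environment —
            // confirm that constraint is enforced there.
            Optional<PublicKey> cert = this.imsCertificateProvider.getCert(asClaim, x509url);
            if (!cert.isPresent()) {
                log.error("validate: IMS public key is not available to validate access token.");
                return ExtendedTokenValidator.ValidationResult.PUBLIC_KEY_NOT_AVAILABLE;
            }
            if (!this.jwsValidator.validateSignature(jws, cert.get())) {
                log.info("validate: IMS access token signature validation failed.");
                return ExtendedTokenValidator.ValidationResult.SIGNATURE_FAIL;
            }
            // Lifetime and type are checked only after the signature, so the claims are trusted.
            switch (this.jwtValidator.validateLifetime(jwt, System.currentTimeMillis())) {
                case INVALID:
                    return ExtendedTokenValidator.ValidationResult.NOT_RECOGNIZED;
                case EXPIRED:
                    return ExtendedTokenValidator.ValidationResult.EXPIRED;
                case FUTURE:
                    return ExtendedTokenValidator.ValidationResult.FUTURE;
                case VALID:
                default:
                    if (this.jwtValidator.isAccessToken(jwt)) {
                        return ExtendedTokenValidator.ValidationResult.VALID;
                    }
                    log.debug("validate: Received token is not an access token.");
                    return ExtendedTokenValidator.ValidationResult.NOT_EXPECTED_TYPE;
            }
        } catch (IllegalArgumentException e) {
            // NOTE(review): only IllegalArgumentException is mapped to NOT_EXPECTED_FORMAT; whether
            // the readers can raise other unchecked exceptions on malformed input is not visible
            // here — confirm against the reader implementations.
            log.debug("validate: Token is not a valid JWS: ", e);
            return ExtendedTokenValidator.ValidationResult.NOT_EXPECTED_FORMAT;
        }
    }

    /**
     * Boolean view of {@link #validate(String)}: true only for {@code VALID} (or when the
     * validator is disabled). Every other result, including any result not listed below, is
     * rejected so the method fails closed.
     *
     * @param str the raw compact-serialised token
     * @return whether the token passed offline validation
     */
    public boolean isValid(@NotNull String str) {
        if (!this.enabled) {
            log.warn("isValid: Offline token validation is DISABLED, offline token validation is ALWAYS SUCCESSFUL.");
            return true;
        }
        ExtendedTokenValidator.ValidationResult result = validate(str);
        log.debug("isValid: Offline token validator returned: {}", result);
        switch (result) {
            case NOT_EXPECTED_FORMAT:
                log.debug("isValid: The extracted token is not a JWT.");
                return false;
            case NOT_RECOGNIZED:
                log.debug("isValid: The extracted token is not an IMS token.");
                return false;
            case PUBLIC_KEY_NOT_AVAILABLE:
                log.warn("isValid: Unable to download the IMS public key.Please correct this error so offline verification can take place.");
                return false;
            case SIGNATURE_FAIL:
                log.debug("isValid: The token signature is not valid.");
                return false;
            case NOT_EXPECTED_TYPE:
                log.debug("isValid: The token is not an access token.");
                return false;
            case EXPIRED:
                log.debug("isValid: The token has expired.");
                return false;
            case FUTURE:
                log.warn("isValid: The token has been issued in the future. System configuration error?");
                return false;
            case NOT_EXPECTED_ENVIRONMENT:
                log.debug("isValid: The token has been issued for a different environment.");
                return false;
            case VALID:
                log.debug("isValid: Token has been validated offline successfully.");
                return true;
            default:
                // Fail closed: an unknown result must never be treated as success.
                log.warn("isValid: Unexpected validation result {}, rejecting token.", result);
                return false;
        }
    }
}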
