package dev.fitko.fitconnect.core.routing;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.SerializationFeature;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import dev.fitko.fitconnect.api.domain.model.route.Route;
import dev.fitko.fitconnect.api.domain.validation.ValidationResult;
import dev.fitko.fitconnect.api.exceptions.internal.InvalidKeyException;
import dev.fitko.fitconnect.api.exceptions.internal.RestApiException;
import dev.fitko.fitconnect.api.exceptions.internal.ValidationException;
import dev.fitko.fitconnect.api.services.keys.KeyService;
import dev.fitko.fitconnect.api.services.routing.RoutingVerificationService;
import dev.fitko.fitconnect.api.services.validation.ValidationService;
import dev.fitko.fitconnect.core.utils.Strings;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/* loaded from: input_file:dev/fitko/fitconnect/core/routing/RouteVerifier.class */
public class RouteVerifier implements RoutingVerificationService {
    private static final JsonMapper MAPPER = getConfiguredJsonMapper();
    private final KeyService keyService;
    private final ValidationService validationService;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:dev/fitko/fitconnect/core/routing/RouteVerifier$RouteService.class */
    public static class RouteService {
        private final List<String> regionIds;
        private final List<String> serviceIds;

        protected RouteService(Map<String, List<String>> map) {
            this.regionIds = (List) map.getOrDefault("gebietIDs", Collections.emptyList()).stream().map(str -> {
                return RouteVerifier.getIdFromIdentifier(str);
            }).collect(Collectors.toList());
            this.serviceIds = (List) map.getOrDefault("leistungIDs", Collections.emptyList()).stream().map(str2 -> {
                return RouteVerifier.getIdFromIdentifier(str2);
            }).collect(Collectors.toList());
        }

        public boolean hasMatchingRegionAndService(String str, String str2) {
            return hasMatchingRegion(str) && hasMatchingService(str2);
        }

        public boolean hasMatchingRegion(String str) {
            Stream<String> stream = this.regionIds.stream();
            Objects.requireNonNull(str);
            return stream.anyMatch((v1) -> {
                return r1.contains(v1);
            });
        }

        public boolean hasMatchingService(String str) {
            return this.serviceIds.contains(str);
        }
    }

    public RouteVerifier(KeyService keyService, ValidationService validationService) {
        this.keyService = keyService;
        this.validationService = validationService;
    }

    @Override // dev.fitko.fitconnect.api.services.routing.RoutingVerificationService
    public ValidationResult validateRouteDestinations(List<Route> list, String str, String str2) {
        return (ValidationResult) list.stream().map(route -> {
            return validateRoute(route, str, str2);
        }).filter((v0) -> {
            return v0.hasError();
        }).findFirst().orElse(ValidationResult.ok());
    }

    private ValidationResult validateRoute(Route route, String str, String str2) {
        try {
            validateDestinationSignature(route, str, str2);
            validateDestinationParameterSignature(route);
            return ValidationResult.ok();
        } catch (InvalidKeyException e) {
            return ValidationResult.error(new ValidationException("Public signature key is invalid: " + e.getCause().getMessage()));
        } catch (RestApiException e2) {
            return ValidationResult.error(new ValidationException("Could not retrieve public signature key: " + e2.getMessage()));
        } catch (ValidationException e3) {
            return ValidationResult.error(e3);
        } catch (ParseException | JOSEException | JsonProcessingException e4) {
            return ValidationResult.error(new ValidationException("Signature processing failed: " + e4.getMessage()));
        }
    }

    private void validateDestinationParameterSignature(Route route) throws JOSEException, ParseException, JsonProcessingException {
        SignedJWT combineDetachedSignatureWithPayload = combineDetachedSignatureWithPayload(route);
        if (!combineDetachedSignatureWithPayload.verify(new RSASSAVerifier(loadPublicKey(route, combineDetachedSignatureWithPayload)))) {
            throw new ValidationException("Invalid destination parameter signature for route " + route.getDestinationId());
        }
        checkHeaderAlgorithm(combineDetachedSignatureWithPayload.getHeader());
    }

    private RSAKey loadPublicKey(Route route, SignedJWT signedJWT) {
        String keyID = signedJWT.getHeader().getKeyID();
        return this.keyService.getWellKnownKeysForSubmissionUrl(route.getDestinationParameters().getSubmissionUrl(), keyID);
    }

    private SignedJWT combineDetachedSignatureWithPayload(Route route) throws ParseException, JsonProcessingException {
        SignedJWT parse = SignedJWT.parse(route.getDestinationParametersSignature());
        return new SignedJWT(parse.getHeader().getParsedBase64URL(), getBase64EncodedDetachedPayload(route), parse.getSignature());
    }

    private Base64URL getBase64EncodedDetachedPayload(Route route) throws JsonProcessingException {
        return Base64URL.encode(Strings.cleanNonPrintableChars(MAPPER.writeValueAsString(route.getDestinationParameters())).replace("eMail", "email").getBytes(StandardCharsets.UTF_8));
    }

    private void validateDestinationSignature(Route route, String str, String str2) throws ParseException, JOSEException, JsonProcessingException {
        SignedJWT parse = SignedJWT.parse(route.getDestinationSignature());
        JWSHeader header = parse.getHeader();
        JWTClaimsSet jWTClaimsSet = parse.getJWTClaimsSet();
        String submissionUrl = route.getDestinationParameters().getSubmissionUrl();
        checkHeaderAlgorithm(header);
        validatePayloadSchema(jWTClaimsSet);
        checkMatchingSubmissionHost(jWTClaimsSet, submissionUrl);
        checkExpectedServices(jWTClaimsSet, str, str2);
        validateAgainstPublicKey(parse, header.getKeyID());
    }

    private void validatePayloadSchema(JWTClaimsSet jWTClaimsSet) {
        ValidationResult validateDestinationSchema = this.validationService.validateDestinationSchema(jWTClaimsSet.toJSONObject());
        if (validateDestinationSchema.hasError()) {
            throw new ValidationException(validateDestinationSchema.getError().getMessage(), validateDestinationSchema.getError());
        }
    }

    private void validateAgainstPublicKey(SignedJWT signedJWT, String str) throws JOSEException {
        if (!signedJWT.verify(new RSASSAVerifier(this.keyService.getPortalPublicKey(str)))) {
            throw new ValidationException("Invalid destination signature for public key id " + str);
        }
    }

    private void checkExpectedServices(JWTClaimsSet jWTClaimsSet, String str, String str2) throws ParseException {
        List list = (List) jWTClaimsSet.getListClaim("services").stream().map(obj -> {
            return new RouteService((Map) obj);
        }).collect(Collectors.toList());
        String idFromIdentifier = getIdFromIdentifier(str);
        if (list.stream().noneMatch(routeService -> {
            return routeService.hasMatchingService(idFromIdentifier);
        })) {
            throw new ValidationException("Requested service identifier '" + str + "' is not supported by any of the destinations services");
        }
        if (str2 != null) {
            String idFromIdentifier2 = getIdFromIdentifier(str2);
            if (list.stream().noneMatch(routeService2 -> {
                return routeService2.hasMatchingRegionAndService(idFromIdentifier2, idFromIdentifier);
            })) {
                throw new ValidationException("Requested region '" + str2 + "' does not match any service provided by the destination");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String getIdFromIdentifier(String str) {
        return isNumericId(str) ? str : (String) Arrays.stream(str.split(":")).reduce((str2, str3) -> {
            return str3;
        }).orElse(null);
    }

    private static boolean isNumericId(String str) {
        return Pattern.compile("\\d+").matcher(str).matches();
    }

    private void checkHeaderAlgorithm(JWSHeader jWSHeader) {
        if (!jWSHeader.getAlgorithm().equals(JWSAlgorithm.PS512)) {
            throw new ValidationException("Algorithm in signature header is not " + JWSAlgorithm.PS512);
        }
    }

    private void checkMatchingSubmissionHost(JWTClaimsSet jWTClaimsSet, String str) throws ParseException {
        String stringClaim = jWTClaimsSet.getStringClaim("submissionHost");
        if (!getHostFromSubmissionUrl(str).equals(stringClaim)) {
            throw new ValidationException("Submission host does not match destinationParameters submission url " + stringClaim);
        }
    }

    private static String getHostFromSubmissionUrl(String str) {
        if (str == null) {
            throw new ValidationException("SubmissionUrl must not be null");
        }
        try {
            return URI.create(str).getHost();
        } catch (IllegalArgumentException e) {
            throw new ValidationException("SubmissionUrl could not be parsed", e);
        }
    }

    private static JsonMapper getConfiguredJsonMapper() {
        return JsonMapper.builder().configure(MapperFeature.SORT_PROPERTIES_ALPHABETICALLY, true).configure(SerializationFeature.INDENT_OUTPUT, false).serializationInclusion(JsonInclude.Include.NON_NULL).build();
    }
}
