package dev.fitko.fitconnect.core.validation;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.core.JacksonException;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.networknt.schema.JsonSchemaFactory;
import com.networknt.schema.SchemaValidatorsConfig;
import com.networknt.schema.SpecVersion;
import com.networknt.schema.ValidationMessage;
import com.nimbusds.jose.jwk.KeyOperation;
import com.nimbusds.jose.jwk.RSAKey;
import dev.fitko.fitconnect.api.config.ApplicationConfig;
import dev.fitko.fitconnect.api.domain.model.attachment.Fragment;
import dev.fitko.fitconnect.api.domain.model.destination.Destination;
import dev.fitko.fitconnect.api.domain.model.event.EventClaimFields;
import dev.fitko.fitconnect.api.domain.model.event.authtags.AuthenticationTags;
import dev.fitko.fitconnect.api.domain.model.event.problems.Problem;
import dev.fitko.fitconnect.api.domain.model.event.problems.attachment.AttachmentHashMismatch;
import dev.fitko.fitconnect.api.domain.model.event.problems.attachment.IncorrectAttachmentAuthenticationTag;
import dev.fitko.fitconnect.api.domain.model.event.problems.data.DataHashMismatch;
import dev.fitko.fitconnect.api.domain.model.event.problems.data.DataJsonSyntaxViolation;
import dev.fitko.fitconnect.api.domain.model.event.problems.data.DataSchemaViolation;
import dev.fitko.fitconnect.api.domain.model.event.problems.data.DataXmlSyntaxViolation;
import dev.fitko.fitconnect.api.domain.model.event.problems.data.IncorrectDataAuthenticationTag;
import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.AttachmentsMismatch;
import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.IncorrectMetadataAuthenticationTag;
import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.MetadataJsonSyntaxViolation;
import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.MetadataSchemaViolation;
import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.MissingData;
import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.UnsupportedDataSchema;
import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.UnsupportedMetadataSchema;
import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.UnsupportedReplyChannel;
import dev.fitko.fitconnect.api.domain.model.event.problems.metadata.UnsupportedService;
import dev.fitko.fitconnect.api.domain.model.metadata.Metadata;
import dev.fitko.fitconnect.api.domain.model.metadata.attachment.ApiAttachment;
import dev.fitko.fitconnect.api.domain.model.metadata.attachment.AttachmentForValidation;
import dev.fitko.fitconnect.api.domain.model.metadata.data.Data;
import dev.fitko.fitconnect.api.domain.model.metadata.data.MimeType;
import dev.fitko.fitconnect.api.domain.model.metadata.data.SubmissionSchema;
import dev.fitko.fitconnect.api.domain.model.reply.Reply;
import dev.fitko.fitconnect.api.domain.model.reply.replychannel.ReplyChannel;
import dev.fitko.fitconnect.api.domain.model.submission.ServiceType;
import dev.fitko.fitconnect.api.domain.model.submission.Submission;
import dev.fitko.fitconnect.api.domain.validation.ValidationResult;
import dev.fitko.fitconnect.api.exceptions.internal.DataIntegrityException;
import dev.fitko.fitconnect.api.exceptions.internal.SchemaNotFoundException;
import dev.fitko.fitconnect.api.exceptions.internal.ValidationException;
import dev.fitko.fitconnect.api.services.crypto.MessageDigestService;
import dev.fitko.fitconnect.api.services.schema.SchemaProvider;
import dev.fitko.fitconnect.api.services.validation.ValidationService;
import dev.fitko.fitconnect.core.utils.EventLogUtil;
import dev.fitko.fitconnect.jwkvalidator.JWKValidator;
import dev.fitko.fitconnect.jwkvalidator.exceptions.JWKValidationException;
import dev.fitko.fitconnect.jwkvalidator.exceptions.LogLevel;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.text.SimpleDateFormat;
import java.time.Instant;
import java.time.ZoneId;
import java.time.ZonedDateTime;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

/* loaded from: input_file:dev/fitko/fitconnect/core/validation/DefaultValidationService.class */
public class DefaultValidationService implements ValidationService {
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultValidationService.class);
    private static final ObjectMapper MAPPER = new ObjectMapper().setDateFormat(new SimpleDateFormat("yyyy-MM-dd")).setSerializationInclusion(JsonInclude.Include.NON_NULL);
    private static final JsonSchemaFactory SCHEMA_FACTORY_DRAFT_2020 = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V202012);
    private static final JsonSchemaFactory SCHEMA_FACTORY_DRAFT_2007 = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V7);
    private static final SchemaValidatorsConfig VALIDATORS_CONFIG = new SchemaValidatorsConfig();
    public static final String VALID_SCHEMA_URL_EXPRESSION = "https://schema\\.fitko\\.de/fit-connect/metadata/1\\.\\d+\\.\\d+/metadata.schema.json";
    private final MessageDigestService messageDigestService;
    private final SchemaProvider schemaProvider;
    private final ApplicationConfig config;
    private final JWKValidator jwkValidator;

    public DefaultValidationService(ApplicationConfig applicationConfig, MessageDigestService messageDigestService, SchemaProvider schemaProvider, List<String> list) {
        this.config = applicationConfig;
        this.messageDigestService = messageDigestService;
        this.schemaProvider = schemaProvider;
        this.jwkValidator = createValidator(applicationConfig, list);
        VALIDATORS_CONFIG.setFormatAssertionsEnabled(true);
        VALIDATORS_CONFIG.setLocale(Locale.US);
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validatePublicKey(RSAKey rSAKey, KeyOperation keyOperation) {
        try {
            return validateKey(rSAKey, keyOperation);
        } catch (Exception e) {
            return ValidationResult.error(e);
        }
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateSetEventSchema(String str) {
        try {
            JsonNode readTree = MAPPER.readTree(str);
            URI create = URI.create(readTree.get(EventClaimFields.CLAIM_SCHEMA).asText());
            return this.schemaProvider.isAllowedSetSchema(create) ? validate2020JsonSchema(this.schemaProvider.loadSetSchema(this.config.getSetSchemaWriteVersion()), readTree) : ValidationResult.error(new SchemaNotFoundException("SET payload schema not supported: " + create));
        } catch (JsonProcessingException | IllegalArgumentException e) {
            return ValidationResult.error((Exception) e);
        }
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateMetadataSchema(Metadata metadata) {
        if (metadata.getSchema() != null && !metadata.getSchema().isEmpty() && !metadata.getSchema().matches(VALID_SCHEMA_URL_EXPRESSION)) {
            return ValidationResult.problem(new UnsupportedMetadataSchema(metadata.getSchema()));
        }
        try {
            return validate2020JsonSchema(this.schemaProvider.loadMetadataSchema(this.config.getMetadataSchemaWriteVersion()), MAPPER.readTree(MAPPER.writeValueAsString(metadata)));
        } catch (JsonProcessingException | SchemaNotFoundException e) {
            return ValidationResult.withErrorAndProblem(e, new MetadataSchemaViolation());
        }
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateDestinationSchema(Map<String, Object> map) {
        try {
            return returnValidationResult(SCHEMA_FACTORY_DRAFT_2007.getSchema(this.schemaProvider.loadDestinationSchema(this.config.getDestinationSchemaUri()), VALIDATORS_CONFIG).validate(MAPPER.readTree(MAPPER.writeValueAsString(map))));
        } catch (JsonProcessingException e) {
            return ValidationResult.error((Exception) e);
        }
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateHashIntegrity(String str, byte[] bArr) {
        try {
            return !this.messageDigestService.verify(this.messageDigestService.fromHexString(str), bArr) ? ValidationResult.error(new DataIntegrityException("Metadata contains invalid hash value")) : ValidationResult.ok();
        } catch (IllegalArgumentException | NullPointerException e) {
            return ValidationResult.error(e);
        }
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateHashIntegrity(String str, InputStream inputStream) {
        try {
            return !this.messageDigestService.verify(this.messageDigestService.fromHexString(str), inputStream) ? ValidationResult.error(new DataIntegrityException("Metadata contains invalid hash value")) : ValidationResult.ok();
        } catch (IllegalArgumentException | NullPointerException e) {
            return ValidationResult.error(e);
        }
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateSubmissionDataSchema(String str, URI uri) {
        if (this.config.isSkipSubmissionDataValidation()) {
            LOGGER.warn("Submission data validation is deactivated. This should be done only on secure test environments.");
            return ValidationResult.ok();
        }
        try {
            return returnValidationResult(SCHEMA_FACTORY_DRAFT_2020.getSchema(this.schemaProvider.loadSubmissionDataSchema(uri), VALIDATORS_CONFIG).validate(MAPPER.readTree(str)));
        } catch (JacksonException e) {
            return ValidationResult.error((Exception) e);
        }
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateJsonFormat(String str) {
        try {
            MAPPER.readTree(str);
            return ValidationResult.ok();
        } catch (JacksonException e) {
            return ValidationResult.error((Exception) e);
        }
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateXmlFormat(String str) {
        try {
            getXmlReader().parse(new InputSource(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))));
            return ValidationResult.ok();
        } catch (IOException | ParserConfigurationException | SAXException e) {
            return ValidationResult.error(e);
        }
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateCallback(String str, Long l, String str2, String str3) {
        return ZonedDateTime.ofInstant(Instant.ofEpochSecond(l.longValue()), ZoneId.systemDefault()).isBefore(ZonedDateTime.now().minusMinutes(5L)) ? ValidationResult.error(new ValidationException("Timestamp provided by callback is expired.")) : !str.equals(this.messageDigestService.calculateHMAC(l + "." + str2, str3)) ? ValidationResult.error(new ValidationException("HMAC provided by callback does not match the expected result.")) : ValidationResult.ok();
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateData(byte[] bArr, String str, Metadata metadata, String str2) {
        if (!str2.equals(EventLogUtil.getAuthenticationTagFromEncryptedData(str))) {
            return ValidationResult.problem(new IncorrectDataAuthenticationTag());
        }
        Data data = metadata.getContentStructure().getData();
        if (validateHashIntegrity(data.getHash().getContent(), bArr).hasError()) {
            return ValidationResult.problem(new DataHashMismatch());
        }
        if (data.getSubmissionSchema().getMimeType().equals(MimeType.APPLICATION_JSON)) {
            String str3 = new String(bArr, StandardCharsets.UTF_8);
            if (validateJsonFormat(str3).hasError()) {
                return ValidationResult.problem(new DataJsonSyntaxViolation());
            }
            if (validateSubmissionDataSchema(str3, data.getSubmissionSchema().getSchemaUri()).hasError()) {
                return ValidationResult.problem(new DataSchemaViolation());
            }
        }
        return (data.getSubmissionSchema().getMimeType().equals(MimeType.APPLICATION_XML) && validateXmlFormat(new String(bArr, StandardCharsets.UTF_8)).hasError()) ? ValidationResult.problem(new DataXmlSyntaxViolation()) : ValidationResult.ok();
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateAttachments(List<AttachmentForValidation> list, AuthenticationTags authenticationTags) {
        Map<UUID, String> attachments = authenticationTags.getAttachments();
        ArrayList arrayList = new ArrayList();
        for (AttachmentForValidation attachmentForValidation : list) {
            if (attachmentForValidation.hasFragmentedPayload()) {
                ValidationResult validateFragmentedAttachment = validateFragmentedAttachment(attachmentForValidation, attachments, arrayList);
                if (validateFragmentedAttachment.hasError()) {
                    return validateFragmentedAttachment;
                }
            } else {
                validateAttachment(attachmentForValidation, attachments, arrayList);
            }
        }
        return arrayList.isEmpty() ? ValidationResult.ok() : ValidationResult.problems(arrayList);
    }

    private void validateAttachment(AttachmentForValidation attachmentForValidation, Map<UUID, String> map, List<Problem> list) {
        UUID attachmentId = attachmentForValidation.getAttachmentId();
        if (!map.get(attachmentId).equals(attachmentForValidation.getAuthTag())) {
            list.add(new IncorrectAttachmentAuthenticationTag(attachmentId));
        }
        if (validateHashIntegrity(attachmentForValidation.getHash(), attachmentForValidation.getDecryptedData()).hasError()) {
            list.add(new AttachmentHashMismatch(attachmentForValidation.getAttachmentId()));
        }
    }

    private ValidationResult validateFragmentedAttachment(AttachmentForValidation attachmentForValidation, Map<UUID, String> map, List<Problem> list) {
        for (Fragment fragment : attachmentForValidation.getFragments()) {
            if (!map.get(fragment.getFragmentId()).equals(fragment.getAuthTag())) {
                list.add(new IncorrectAttachmentAuthenticationTag(fragment.getFragmentId()));
            }
        }
        try {
            InputStream newInputStream = Files.newInputStream(attachmentForValidation.getDataFile().toPath(), new OpenOption[0]);
            try {
                if (validateHashIntegrity(attachmentForValidation.getHash(), newInputStream).hasError()) {
                    list.add(new AttachmentHashMismatch(attachmentForValidation.getAttachmentId()));
                }
                if (newInputStream != null) {
                    newInputStream.close();
                }
                return ValidationResult.ok();
            } finally {
            }
        } catch (IOException e) {
            return ValidationResult.error(e);
        }
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateSubmissionMetadata(Metadata metadata, Submission submission, Destination destination, AuthenticationTags authenticationTags) {
        return validateMetadata(metadata, submission.getEncryptedMetadata(), destination, submission.getServiceType(), submission.getAttachments(), authenticationTags);
    }

    @Override // dev.fitko.fitconnect.api.services.validation.ValidationService
    public ValidationResult validateReplyMetadata(Metadata metadata, Reply reply, Destination destination, AuthenticationTags authenticationTags) {
        return validateMetadata(metadata, reply.getEncryptedMetadata(), destination, null, reply.getAttachments(), authenticationTags);
    }

    private ValidationResult validateMetadata(Metadata metadata, String str, Destination destination, ServiceType serviceType, List<UUID> list, AuthenticationTags authenticationTags) {
        if (!authenticationTags.getMetadata().equals(EventLogUtil.getAuthenticationTagFromEncryptedData(str))) {
            return ValidationResult.problem(new IncorrectMetadataAuthenticationTag());
        }
        if (invalidJsonSyntax(metadata)) {
            return ValidationResult.problem(new MetadataJsonSyntaxViolation());
        }
        if (metadata.getContentStructure().getData() == null) {
            return ValidationResult.problem(new MissingData());
        }
        ValidationResult validateMetadataSchema = validateMetadataSchema(metadata);
        if (validateMetadataSchema.hasProblems()) {
            return validateMetadataSchema;
        }
        if (destination.getServices().isEmpty()) {
            return ValidationResult.problem(new UnsupportedDataSchema());
        }
        SubmissionSchema submissionSchema = metadata.getContentStructure().getData().getSubmissionSchema();
        if (!matchingDestinationAndSubmissionSchema(destination, submissionSchema.getSchemaUri())) {
            return ValidationResult.problem(new UnsupportedDataSchema());
        }
        if (serviceType != null && destination.getServices().stream().map((v0) -> {
            return v0.getIdentifier();
        }).filter(str2 -> {
            return str2.equals(serviceType.getIdentifier());
        }).findFirst().isEmpty()) {
            return ValidationResult.problem(new UnsupportedService());
        }
        ValidationResult checkAttachmentCount = checkAttachmentCount(list, metadata, authenticationTags);
        return checkAttachmentCount.hasProblems() ? checkAttachmentCount : (metadata.getReplyChannel() == null || serviceType == null || !destination.getServices().stream().filter(destinationService -> {
            return destinationService.getIdentifier().equals(serviceType.getIdentifier());
        }).filter(destinationService2 -> {
            return destinationService2.getSubmissionSchemas().stream().anyMatch(submissionSchema2 -> {
                return submissionSchema2.equals(submissionSchema);
            });
        }).map((v0) -> {
            return v0.getReplyChannels();
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).filter(destinationAllowsSubmissionReplyChannel(metadata.getReplyChannel())).findFirst().isEmpty()) ? ValidationResult.ok() : ValidationResult.problem(new UnsupportedReplyChannel());
    }

    private Predicate<ReplyChannel> destinationAllowsSubmissionReplyChannel(ReplyChannel replyChannel) {
        return replyChannel2 -> {
            List<Class<?>> nonNullReplyChannels = getNonNullReplyChannels(replyChannel2);
            return new HashSet(nonNullReplyChannels).containsAll(getNonNullReplyChannels(replyChannel));
        };
    }

    private List<Class<?>> getNonNullReplyChannels(ReplyChannel replyChannel) {
        return (List) Stream.of(replyChannel.getEMail(), replyChannel.getDeMail(), replyChannel.getFink(), replyChannel.getElster(), replyChannel.getFitConnect()).filter(Objects::nonNull).map((v0) -> {
            return v0.getClass();
        }).collect(Collectors.toList());
    }

    private static boolean matchingDestinationAndSubmissionSchema(Destination destination, URI uri) {
        Stream map = destination.getServices().stream().flatMap(destinationService -> {
            return destinationService.getSubmissionSchemas().stream();
        }).map((v0) -> {
            return v0.getSchemaUri();
        });
        Objects.requireNonNull(uri);
        return map.anyMatch((v1) -> {
            return r1.equals(v1);
        });
    }

    private ValidationResult validate2020JsonSchema(String str, JsonNode jsonNode) {
        return returnValidationResult(SCHEMA_FACTORY_DRAFT_2020.getSchema(str, VALIDATORS_CONFIG).validate(jsonNode));
    }

    private ValidationResult returnValidationResult(Set<ValidationMessage> set) {
        return set.isEmpty() ? ValidationResult.ok() : ValidationResult.withErrorAndProblem(new ValidationException(errorsToSingleString(set)), new MetadataSchemaViolation());
    }

    private ValidationResult validateKey(RSAKey rSAKey, KeyOperation keyOperation) throws JWKValidationException {
        return this.config.isAllowInsecurePublicKey() ? validateWithoutCertChain(rSAKey, keyOperation) : validateWithCertChain(rSAKey, keyOperation);
    }

    private ValidationResult validateWithoutCertChain(RSAKey rSAKey, KeyOperation keyOperation) throws JWKValidationException {
        LOGGER.debug("Validating public key {} without XC5 certificate chain", rSAKey.getKeyID());
        this.jwkValidator.validate(rSAKey, keyOperation);
        return ValidationResult.ok();
    }

    private ValidationResult validateWithCertChain(RSAKey rSAKey, KeyOperation keyOperation) throws JWKValidationException {
        LOGGER.info("Validating public key with x5c certificate chain checks");
        if (rSAKey.getParsedX509CertChain() == null) {
            throw new IllegalStateException("Public key with id '" + rSAKey.getKeyID() + "' does not contain an x5c certificate chain");
        }
        this.jwkValidator.validate(rSAKey, keyOperation);
        return ValidationResult.ok();
    }

    private String errorsToSingleString(Set<ValidationMessage> set) {
        return (String) set.stream().map((v0) -> {
            return v0.getMessage();
        }).collect(Collectors.joining("\n"));
    }

    private static XMLReader getXmlReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory newInstance = SAXParserFactory.newInstance();
        newInstance.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return newInstance.newSAXParser().getXMLReader();
    }

    private boolean invalidJsonSyntax(Metadata metadata) {
        if (metadata != null) {
            try {
                if (!validateJsonFormat(MAPPER.writeValueAsString(metadata)).hasError()) {
                    return false;
                }
            } catch (JsonProcessingException | NullPointerException e) {
                return true;
            }
        }
        return true;
    }

    private ValidationResult checkAttachmentCount(List<UUID> list, Metadata metadata, AuthenticationTags authenticationTags) {
        List<ApiAttachment> attachments = metadata.getContentStructure().getAttachments();
        Map<UUID, String> attachments2 = authenticationTags.getAttachments();
        if ((Objects.isNull(list) || list.isEmpty()) && (Objects.isNull(attachments2) || attachments2.isEmpty())) {
            return ValidationResult.ok();
        }
        ArrayList arrayList = new ArrayList();
        for (ApiAttachment apiAttachment : attachments) {
            List<UUID> fragments = apiAttachment.getFragments();
            if (apiAttachment.hasFragments()) {
                arrayList.addAll(fragments);
            } else {
                arrayList.add(apiAttachment.getAttachmentId());
            }
        }
        if (arrayList.size() == list.size() && attachments2.size() == list.size() && attachments2.keySet().containsAll(list) && list.stream().allMatch(uuid -> {
            return arrayList.stream().anyMatch(uuid -> {
                return uuid.equals(uuid);
            });
        })) {
            Stream<UUID> stream = list.stream();
            Objects.requireNonNull(attachments2);
            if (stream.allMatch((v1) -> {
                return r1.containsKey(v1);
            })) {
                return ValidationResult.ok();
            }
        }
        return ValidationResult.problem(new AttachmentsMismatch());
    }

    private JWKValidator createValidator(ApplicationConfig applicationConfig, List<String> list) {
        return applicationConfig.isAllowInsecurePublicKey() ? JWKValidator.withoutX5CValidation().withErrorLogLevel(LogLevel.WARN).build() : JWKValidator.withRecommendedDefaults().withProxy(applicationConfig.getHttpConfig().getProxyConfig().getHttpProxy()).withRootCertificatesAsPEM(list).build();
    }
}
