package dev.fitko.fitconnect.core.cases;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.KeyOperation;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import dev.fitko.fitconnect.api.domain.model.event.Event;
import dev.fitko.fitconnect.api.domain.model.event.EventClaimFields;
import dev.fitko.fitconnect.api.domain.model.event.EventIssuer;
import dev.fitko.fitconnect.api.domain.model.event.authtags.AuthenticationTags;
import dev.fitko.fitconnect.api.domain.validation.ValidationContext;
import dev.fitko.fitconnect.api.domain.validation.ValidationResult;
import dev.fitko.fitconnect.api.exceptions.internal.EventLogException;
import dev.fitko.fitconnect.api.services.events.EventLogVerificationService;
import dev.fitko.fitconnect.api.services.keys.KeyService;
import dev.fitko.fitconnect.api.services.validation.ValidationService;
import dev.fitko.fitconnect.core.utils.EventLogUtil;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;

/* loaded from: input_file:dev/fitko/fitconnect/core/cases/EventLogVerifier.class */
public class EventLogVerifier implements EventLogVerificationService {
    private static final String UUID_V4_PATTERN = "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}";
    private final KeyService keyService;
    private final ValidationService validationService;

    public EventLogVerifier(KeyService keyService, ValidationService validationService) {
        this.keyService = keyService;
        this.validationService = validationService;
    }

    @Override // dev.fitko.fitconnect.api.services.events.EventLogVerificationService
    public List<ValidationResult> validateEventLogs(ValidationContext validationContext, List<SignedJWT> list) {
        list.forEach(signedJWT -> {
            validateEventLogEntry(validationContext, signedJWT);
        });
        return new ArrayList(validationContext.getValidationResults());
    }

    private void validateEventLogEntry(ValidationContext validationContext, SignedJWT signedJWT) {
        try {
            JWTClaimsSet jWTClaimsSet = signedJWT.getJWTClaimsSet();
            String issuer = jWTClaimsSet.getIssuer();
            JWSHeader header = signedJWT.getHeader();
            RSAKey signatureVerificationKey = getSignatureVerificationKey(issuer, header.getKeyID());
            validateSchema(validationContext, jWTClaimsSet);
            validateHeader(validationContext, header);
            validateHeaderKid(validationContext, header.getKeyID());
            validatePayload(validationContext, jWTClaimsSet);
            validateIssuerClaim(validationContext, jWTClaimsSet);
            validateSignatureKey(validationContext, signatureVerificationKey);
            validateSignature(validationContext, signedJWT, signatureVerificationKey);
            if (validationContext.validateAuthTags() && eventContainsAuthTags(jWTClaimsSet)) {
                validateAuthenticationTags(validationContext, jWTClaimsSet);
            }
        } catch (ParseException | JOSEException | RuntimeException e) {
            validationContext.addError(e);
        }
    }

    private void validateSchema(ValidationContext validationContext, JWTClaimsSet jWTClaimsSet) {
        if (getSchemaClaim(jWTClaimsSet) == null) {
            validationContext.addError("Referenced schema must not be null");
        } else {
            validationContext.addResult(this.validationService.validateSetEventSchema(jWTClaimsSet.toString()));
        }
    }

    private void validateHeader(ValidationContext validationContext, JWSHeader jWSHeader) {
        if (jWSHeader.getAlgorithm() == null) {
            validationContext.addError("The provided alg in the SET header must not be null.");
        } else {
            validationContext.addErrorIfTestFailed(jWSHeader.getAlgorithm() == JWSAlgorithm.PS512, "The provided alg in the SET header is not allowed.");
        }
        if (jWSHeader.getType() == null) {
            validationContext.addError("The provided typ in the SET header must not be null.");
        } else {
            validationContext.addErrorIfTestFailed(jWSHeader.getType().toString().equals(EventClaimFields.HEADER_TYPE), "The provided typ in the SET header is not secevent+jwt");
        }
    }

    private void validateHeaderKid(ValidationContext validationContext, String str) {
        if (str == null) {
            validationContext.addError("The kid the SET was signed with is not set and must not be null.");
            return;
        }
        int length = str.length();
        if (length < 8 || length > 64) {
            validationContext.addError("Invalid keyId path parameter. Must be >=8 and <=64.");
        }
    }

    private void validatePayload(ValidationContext validationContext, JWTClaimsSet jWTClaimsSet) throws ParseException {
        validationContext.addErrorIfTestFailed(jWTClaimsSet.getClaim("iss") != null, "The claim iss is missing in the payload of the SET.");
        validationContext.addErrorIfTestFailed(jWTClaimsSet.getClaim("iat") != null, "The claim iat is missing in the payload of the SET.");
        validationContext.addErrorIfTestFailed(jWTClaimsSet.getClaim("jti") != null, "The claim jti is missing in the payload of the SET.");
        validationContext.addErrorIfTestFailed(jWTClaimsSet.getClaim(EventClaimFields.CLAIM_SUB) != null, "The claim sub is missing in the payload of the SET.");
        validationContext.addErrorIfTestFailed(jWTClaimsSet.getClaim(EventClaimFields.CLAIM_TXN) != null, "The claim txn is missing in the payload of the SET.");
        validationContext.addErrorIfTestFailed(jWTClaimsSet.getClaim(EventClaimFields.CLAIM_EVENTS) != null, "The claim events is missing in the payload of the SET.");
        validationContext.addErrorIfTestFailed(jWTClaimsSet.getJSONObjectClaim(EventClaimFields.CLAIM_EVENTS).keySet().size() == 1, "The events claims has must be exactly one event.");
        validationContext.addErrorIfTestFailed(jWTClaimsSet.getStringClaim(EventClaimFields.CLAIM_SUB).matches("(submission|case|reply):[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}"), "The provided subject does not match the allowed pattern.");
        validationContext.addErrorIfTestFailed(jWTClaimsSet.getStringClaim(EventClaimFields.CLAIM_TXN).matches("case:[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}"), "The provided txn does not match the allowed pattern.");
        getEventClaim(jWTClaimsSet).ifPresentOrElse(str -> {
            validationContext.addErrorIfTestFailed(Event.fromSchemaUri(str) != null, "The provided event is not a valid event supported by this instance.");
        }, () -> {
            validationContext.addError("No events in JWT");
        });
    }

    private void validateSignatureKey(ValidationContext validationContext, RSAKey rSAKey) throws JOSEException {
        if (rSAKey == null) {
            validationContext.addError("The signature key cannot be validated, it must not be null.");
        } else {
            validationContext.addResult(this.validationService.validatePublicKey(rSAKey, KeyOperation.VERIFY));
        }
    }

    private void validateSignature(ValidationContext validationContext, SignedJWT signedJWT, RSAKey rSAKey) throws JOSEException {
        if (rSAKey == null) {
            validationContext.addError("The signature cannot validated, signature key is unavailable.");
        } else {
            validationContext.addErrorIfTestFailed(signedJWT.verify(new RSASSAVerifier(rSAKey)), "The signature of the token could not be verified with the specified key.");
        }
    }

    private static Object getSchemaClaim(JWTClaimsSet jWTClaimsSet) {
        return jWTClaimsSet.getClaim(EventClaimFields.CLAIM_SCHEMA);
    }

    private static Optional<String> getEventClaim(JWTClaimsSet jWTClaimsSet) throws ParseException {
        return jWTClaimsSet.getJSONObjectClaim(EventClaimFields.CLAIM_EVENTS).keySet().stream().findFirst();
    }

    private RSAKey getSignatureVerificationKey(String str, String str2) throws ParseException, EventLogException {
        return EventLogUtil.resolveIssuerType(str) == EventIssuer.SUBMISSION_SERVICE ? this.keyService.getSubmissionServicePublicKey(str2) : this.keyService.getPublicSignatureKey(EventLogUtil.getDestinationId(str), str2);
    }

    private void validateIssuerClaim(ValidationContext validationContext, JWTClaimsSet jWTClaimsSet) throws EventLogException {
        String issuer = jWTClaimsSet.getIssuer();
        UUID destinationId = EventLogUtil.getDestinationId(issuer);
        Event eventFromClaims = EventLogUtil.getEventFromClaims(jWTClaimsSet);
        if (destinationId == null && EventLogUtil.resolveIssuerType(issuer).equals(EventIssuer.DESTINATION)) {
            validationContext.addError("The event '" + eventFromClaims.getSchemaUri() + "' has to be created by the destination ('iss' claim must be an UUID)");
        }
        if (destinationId != null) {
            validationContext.addErrorIfTestFailed(destinationId.equals(validationContext.getDestinationId()), "The destination of the submission is not the issuer ('iss' claim must match submission.destinationId)");
        }
    }

    private void validateAuthenticationTags(ValidationContext validationContext, JWTClaimsSet jWTClaimsSet) throws ParseException {
        AuthenticationTags authTags = EventLogUtil.getAuthTags(jWTClaimsSet);
        AuthenticationTags authenticationTags = validationContext.getAuthenticationTags();
        validationContext.addErrorIfTestFailed(authTags != null, "AuthenticationTags of event must not be null.");
        validationContext.addErrorIfTestFailed(authenticationTags != null, "AuthenticationTags of submission must not be null.");
        if (authTags == null || authenticationTags == null) {
            return;
        }
        validateDataAuthTags(validationContext, authTags.getData(), authenticationTags.getData());
        validateMetadataAuthTags(validationContext, authTags.getMetadata(), authenticationTags.getMetadata());
        validateAttachmentsAuthTags(validationContext, authTags.getAttachments(), authenticationTags.getAttachments());
    }

    private void validateAttachmentsAuthTags(ValidationContext validationContext, Map<UUID, String> map, Map<UUID, String> map2) {
        if (map == null || map2 == null) {
            return;
        }
        validationContext.addErrorIfTestFailed(map.size() == map2.size(), "The events quantity of attachments does not match the submission.");
        map.forEach((uuid, str) -> {
            validationContext.addErrorIfTestFailed(str.equals((String) map2.get(uuid)), "The authentication-tag for the attachment " + uuid + " does not match the submission.");
        });
    }

    private void validateDataAuthTags(ValidationContext validationContext, String str, String str2) {
        validationContext.addErrorIfTestFailed(str.equals(str2), "The events data authentication-tag does not match the submission.");
    }

    private void validateMetadataAuthTags(ValidationContext validationContext, String str, String str2) {
        validationContext.addErrorIfTestFailed(str.equals(str2), "The events metadata authentication-tag does not match the submission.");
    }

    private static boolean eventContainsAuthTags(JWTClaimsSet jWTClaimsSet) throws ParseException {
        Optional<String> eventClaim = getEventClaim(jWTClaimsSet);
        return eventClaim.isPresent() && Event.fromSchemaUri(eventClaim.get()).hasAuthTags();
    }
}
