package org.apache.cxf.rs.security.oauth2.grants.code;

import jakarta.ws.rs.core.MultivaluedMap;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.oauth2.common.AccessTokenRegistration;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.AbstractGrantHandler;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;

/* loaded from: input_file:lib/cxf-shade-9.1.0.jar:org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeGrantHandler.class */
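/**
 * Token-endpoint handler for the OAuth 2.0 authorization code grant
 * (RFC 6749 section 4.1.3) with PKCE verification (RFC 7636 section 4.6).
 *
 * The handler consumes the stored {@link ServerAuthorizationCodeGrant} (the
 * code is removed before any validation, so it is single-use), checks expiry,
 * client binding, redirect_uri and the PKCE code_verifier, and then asks the
 * data provider to mint an access token.
 *
 * Changes relative to the shaded original:
 * <ul>
 *   <li>{@link #setCodeVerifierTransformers(List)} no longer throws
 *       {@code NullPointerException} for a {@code null} argument.</li>
 *   <li>The code_challenge / transformed code_verifier comparison is done with
 *       {@link MessageDigest#isEqual(byte[], byte[])} instead of
 *       {@code String.equals} so the comparison does not short-circuit on the
 *       first differing byte.</li>
 *   <li>A recorded code_challenge_method that is neither the plain method nor
 *       one served by a configured transformer is rejected instead of being
 *       silently compared as plain text.</li>
 * </ul>
 */
public class AuthorizationCodeGrantHandler extends AbstractGrantHandler {
    /** Configured PKCE transformers (e.g. S256); never {@code null}, may be empty. */
    private List<CodeVerifierTransformer> codeVerifierTransformers;
    /** If true, a non-confidential client must present a code_verifier even when no challenge was recorded. */
    private boolean expectCodeVerifierForPublicClients;
    /** If true, every client must present a code_verifier (PKCE is mandatory). */
    private boolean requireCodeVerifier;

    public AuthorizationCodeGrantHandler() {
        super(OAuthConstants.AUTHORIZATION_CODE_GRANT);
        this.codeVerifierTransformers = Collections.emptyList();
    }

    /**
     * Exchanges an authorization code for an access token.
     *
     * @param client the already-authenticated client calling the token endpoint
     * @param params the token request form parameters
     * @return the new token, or {@code null} when the code is absent or unknown
     *         (the caller is expected to turn that into an error response)
     * @throws OAuthServiceException {@code invalid_grant} when the code has expired,
     *         belongs to another client or the PKCE verifier does not match;
     *         {@code invalid_request} when the redirect_uri check fails
     */
    @Override
    public ServerAccessToken createAccessToken(Client client, MultivaluedMap<String, String> params)
            throws OAuthServiceException {
        String code = params.getFirst("code");
        if (code == null) {
            // Missing parameter: treated like an unknown code rather than handing null to the provider.
            return null;
        }
        // Remove the grant before validating anything so the code cannot be replayed
        // after a failed attempt (RFC 6749 section 4.1.2: codes are single-use).
        ServerAuthorizationCodeGrant grant =
            ((AuthorizationCodeDataProvider) getDataProvider()).removeCodeGrant(code);
        if (grant == null) {
            return null;
        }
        if (OAuthUtils.isExpired(Long.valueOf(grant.getIssuedAt()), Long.valueOf(grant.getExpiresIn()))) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
        // The code must be redeemed by the client it was issued to.
        if (!grant.getClient().getClientId().equals(client.getClientId())) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
        checkRedirectUri(client, grant.getRedirectUri(), params.getFirst(OAuthConstants.REDIRECT_URI));
        String codeVerifier = params.getFirst(OAuthConstants.AUTHORIZATION_CODE_VERIFIER);
        if (!compareCodeVerifierWithChallenge(client, codeVerifier,
                                              grant.getClientCodeChallenge(),
                                              grant.getClientCodeChallengeMethod())) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
        return doCreateAccessToken(client, grant, getSingleGrantType(), codeVerifier,
                                   getAudiences(client, params, grant.getAudience()));
    }

    /**
     * Applies the redirect_uri rule of RFC 6749 section 4.1.3.
     *
     * If the token request carries a redirect_uri it must be identical to the one
     * recorded with the code. If it does not, the recorded one (when present) must
     * be the client's single registered redirect URI; a code recorded without any
     * redirect URI is only acceptable when public clients are supported.
     *
     * @throws OAuthServiceException {@code invalid_request} on any mismatch
     */
    private void checkRedirectUri(Client client, String recordedUri, String requestedUri) {
        if (requestedUri != null) {
            if (!requestedUri.equals(recordedUri)) {
                throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
            }
            return;
        }
        if (recordedUri == null) {
            if (!isCanSupportPublicClients()) {
                throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
            }
            return;
        }
        List<String> registered = client.getRedirectUris();
        if (registered.size() != 1 || !registered.contains(recordedUri)) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
    }

    /**
     * Resolves the audience for the token being issued.
     *
     * @param client         the requesting client
     * @param params         the token request parameters (may carry an audience)
     * @param grantAudience  the audience recorded with the authorization code, or {@code null}
     * @return the audiences, empty when neither the client, the request nor the grant name one
     * @throws OAuthServiceException {@code invalid_request} when the request names an audience
     *         that differs from the one recorded with the code
     */
    protected List<String> getAudiences(Client client, MultivaluedMap<String, String> params, String grantAudience) {
        String requestedAudience = params.getFirst(OAuthConstants.CLIENT_AUDIENCE);
        if (client.getRegisteredAudiences().isEmpty() && requestedAudience == null && grantAudience == null) {
            return Collections.emptyList();
        }
        boolean consistent = grantAudience == null || requestedAudience == null
            || grantAudience.equals(requestedAudience);
        if (!consistent) {
            throw new OAuthServiceException(OAuthConstants.INVALID_REQUEST);
        }
        // Prefer the explicitly requested audience; fall back to the one recorded with the code.
        return getAudiences(client, requestedAudience != null ? requestedAudience : grantAudience);
    }

    /**
     * Either returns a pre-authorized token for the grant's subject or registers a new one.
     *
     * @param client        the requesting client
     * @param grant         the consumed authorization code grant
     * @param grantType     the grant type name recorded on the token
     * @param codeVerifier  the PKCE verifier presented by the client (may be {@code null})
     * @param audiences     the resolved audiences
     * @throws OAuthServiceException {@code invalid_grant} when a pre-authorized token is
     *         expected but missing, or the client is not allowed to use this grant type
     */
    private ServerAccessToken doCreateAccessToken(Client client, ServerAuthorizationCodeGrant grant,
                                                  String grantType, String codeVerifier, List<String> audiences) {
        if (grant.isPreauthorizedTokenAvailable()) {
            ServerAccessToken preAuthorized = getPreAuthorizedToken(client, grant.getSubject(), grantType,
                                                                    grant.getRequestedScopes(),
                                                                    getAudiences(client, grant.getAudience()));
            if (preAuthorized == null) {
                throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
            }
            if (grant.getNonce() != null) {
                // Exposed on the exchange so a downstream (e.g. OIDC id_token) writer can pick it up.
                JAXRSUtils.getCurrentMessage().getExchange().put("nonce", grant.getNonce());
            }
            return preAuthorized;
        }
        // An empty allowed-grant list means "no restriction".
        if (!client.getAllowedGrantTypes().isEmpty() && !client.getAllowedGrantTypes().contains(grantType)) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
        AccessTokenRegistration reg = new AccessTokenRegistration();
        reg.setGrantCode(grant.getCode());
        reg.setClient(client);
        reg.setGrantType(grantType);
        reg.setSubject(grant.getSubject());
        reg.setRequestedScope(grant.getRequestedScopes());
        reg.setNonce(grant.getNonce());
        List<String> approved = grant.getApprovedScopes();
        reg.setApprovedScope(approved != null ? approved : Collections.emptyList());
        reg.setAudiences(audiences);
        reg.setResponseType(grant.getResponseType());
        reg.setClientCodeVerifier(codeVerifier);
        reg.getExtraProperties().putAll(grant.getExtraProperties());
        return getDataProvider().createAccessToken(reg);
    }

    /**
     * PKCE check (RFC 7636 section 4.6): the verifier, transformed with the method
     * recorded at authorization time, must equal the recorded challenge.
     *
     * @param client           the requesting client (its confidentiality decides whether a
     *                         missing verifier is tolerated)
     * @param codeVerifier     code_verifier from the token request, or {@code null}
     * @param codeChallenge    code_challenge recorded with the code, or {@code null}
     * @param challengeMethod  code_challenge_method recorded with the code, or {@code null}
     * @return {@code true} when the token request may proceed
     */
    private boolean compareCodeVerifierWithChallenge(Client client, String codeVerifier,
                                                     String codeChallenge, String challengeMethod) {
        if (codeChallenge == null && codeVerifier == null) {
            if (this.requireCodeVerifier) {
                return false;
            }
            // PKCE was not used; only acceptable for confidential clients unless
            // the deployment explicitly tolerates public clients without it.
            return client.isConfidential() || !this.expectCodeVerifierForPublicClients;
        }
        if (codeChallenge == null || codeVerifier == null) {
            // Challenge without verifier (or vice versa) can never match.
            return false;
        }
        CodeVerifierTransformer transformer = resolveTransformer(challengeMethod);
        if (transformer == null) {
            return false;
        }
        String derivedChallenge = transformer.transformCodeVerifier(codeVerifier);
        if (derivedChallenge == null) {
            return false;
        }
        // Length-independent comparison of equal-length inputs; a length mismatch still
        // returns early, which only reveals what the client already knows.
        return MessageDigest.isEqual(codeChallenge.getBytes(StandardCharsets.UTF_8),
                                     derivedChallenge.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Picks the transformer for the recorded code_challenge_method.
     *
     * <ul>
     *   <li>No method recorded: the RFC 7636 default, plain.</li>
     *   <li>Transformers configured: the one whose method matches, else {@code null}
     *       (so configuring only S256 keeps rejecting plain).</li>
     *   <li>No transformers configured: plain only if the recorded method is the plain
     *       method; any other method (e.g. S256) is rejected. Previously such a method
     *       fell back to a plain comparison, which would have accepted a verifier equal
     *       to the challenge.</li>
     * </ul>
     *
     * NOTE(review): the last case assumes {@link PlainCodeVerifier#getChallengeMethod()}
     * reports the method name it implements; confirm against that class.
     */
    private CodeVerifierTransformer resolveTransformer(String challengeMethod) {
        if (challengeMethod == null) {
            return new PlainCodeVerifier();
        }
        if (!this.codeVerifierTransformers.isEmpty()) {
            return this.codeVerifierTransformers.stream()
                .filter(t -> challengeMethod.equals(t.getChallengeMethod()))
                .findAny()
                .orElse(null);
        }
        PlainCodeVerifier plain = new PlainCodeVerifier();
        return challengeMethod.equals(plain.getChallengeMethod()) ? plain : null;
    }

    /** Convenience for configuring a single transformer; {@code null} clears the list. */
    public void setCodeVerifierTransformer(CodeVerifierTransformer codeVerifierTransformer) {
        setCodeVerifierTransformers(codeVerifierTransformer == null
                                    ? null : Collections.singletonList(codeVerifierTransformer));
    }

    /**
     * Sets the PKCE transformers; {@code null} clears the list. The list is copied.
     * The original fell through to {@code new ArrayList(null)} after assigning the
     * empty list and so threw {@code NullPointerException} on {@code null}.
     */
    public void setCodeVerifierTransformers(List<CodeVerifierTransformer> transformers) {
        this.codeVerifierTransformers = transformers == null
            ? Collections.emptyList() : new ArrayList<>(transformers);
    }

    /** See {@link #expectCodeVerifierForPublicClients}. */
    public void setExpectCodeVerifierForPublicClients(boolean expect) {
        this.expectCodeVerifierForPublicClients = expect;
    }

    /** See {@link #requireCodeVerifier}. */
    public void setRequireCodeVerifier(boolean require) {
        this.requireCodeVerifier = require;
    }
}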
