package org.apache.cxf.rs.security.oauth2.services;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.OAuthError;
import org.apache.cxf.rs.security.oauth2.provider.ClientIdProvider;
import org.apache.cxf.rs.security.oauth2.provider.ClientSecretVerifier;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.AuthorizationUtils;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.security.transport.TLSSessionInfo;

/* loaded from: input_file:lib/cxf-rt-rs-security-oauth2-3.3.1.jar:org/apache/cxf/rs/security/oauth2/services/AbstractTokenService.class */
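/**
 * Base class for OAuth2 token-endpoint services.
 *
 * <p>Resolves and authenticates the client making a token request — via
 * {@code client_secret} in the form body (client_secret_post), HTTP Basic
 * (client_secret_basic), mutual TLS (tls_client_auth), a public client with no
 * secret, or a principal the container already authenticated — and builds the
 * OAuth2 error responses the token endpoint returns.
 *
 * <p>This listing was decompiled from {@code cxf-rt-rs-security-oauth2-3.3.1}.
 * {@code authenticateClientIfNeeded}, {@code handleException} and the
 * {@code createErrorResponse*} methods are {@code protected} in the bytecode;
 * the decompiler widened them to {@code public}, and that visibility is kept
 * here so existing callers keep compiling. {@code LOG},
 * {@code getMessageContext()}, {@code getValidClient(...)} and
 * {@code reportInvalidRequestError(...)} are inherited from
 * {@link AbstractOAuthService} and are not visible in this file.
 */
public class AbstractTokenService extends AbstractOAuthService {
    // Whether clients registered without a secret may authenticate with client_id alone.
    private boolean canSupportPublicClients;
    // When true, the OAuthError carried by an OAuthServiceException is returned verbatim
    // instead of the caller-supplied default error code.
    private boolean writeCustomErrors;
    // Optional fallback for deriving client_id when it is in neither the form nor the message context.
    private ClientIdProvider clientIdProvider;
    // Optional pluggable secret check (e.g. for hashed secrets); when null the stored secret is
    // compared directly with the presented one.
    private ClientSecretVerifier clientSecretVerifier;

    /**
     * Resolves and authenticates the client behind the current token request.
     *
     * <p>When no principal has been established by the container, the client is
     * authenticated from the request itself (form secret, mutual TLS or public
     * client). When a principal exists, the client is looked up by {@code client_id}
     * or by the principal name without re-checking a secret. If neither path yields
     * a client, the TLS client certificate and then the HTTP Basic header are tried.
     *
     * <p>Original bytecode visibility: {@code protected}.
     *
     * @param params the token request form parameters
     * @return the authenticated client; never {@code null} — a failure is reported
     *         with a 401 instead
     * @throws javax.ws.rs.WebApplicationException with status 401 when no client
     *         can be authenticated (see {@link #reportInvalidClient()})
     */
    public Client authenticateClientIfNeeded(MultivaluedMap<String, String> params) {
        SecurityContext securityContext = getMessageContext().getSecurityContext();
        Principal principal = securityContext.getUserPrincipal();

        Client client = principal == null
            ? authenticateClientFromParams(params, securityContext)
            : resolveClientFromPrincipal(params, principal);

        if (client == null) {
            client = getClientFromTLSCertificates(securityContext, getTlsSessionInfo(), params);
            if (client == null) {
                client = getClientFromBasicAuthScheme(params);
            }
        }
        if (client == null) {
            reportInvalidClient();
        }
        return client;
    }

    /**
     * Authenticates the client from the request alone (no container principal).
     *
     * @return the authenticated client, or {@code null} when no applicable
     *         authentication method matched
     */
    private Client authenticateClientFromParams(MultivaluedMap<String, String> params,
                                                SecurityContext securityContext) {
        String clientId = retrieveClientId(params);
        if (clientId == null) {
            return null;
        }
        String clientSecret = params.getFirst("client_secret");
        if (clientSecret != null) {
            // client_secret_post
            Client client = getAndValidateClientFromIdAndSecret(clientId, clientSecret, params);
            validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_POST);
            return client;
        }
        if (OAuthUtils.isMutualTls(securityContext, getTlsSessionInfo())) {
            // tls_client_auth: the registered binding must match the presented certificate
            Client client = getClient(clientId, params);
            checkCertificateBinding(client, getTlsSessionInfo());
            validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS);
            return client;
        }
        if (this.canSupportPublicClients) {
            // Public client: no secret presented and none registered.
            Client client = getValidClient(clientId, params);
            if (!isValidPublicClient(client, clientId)) {
                return null;
            }
            validateClientAuthenticationMethod(client, "none");
            return client;
        }
        return null;
    }

    /**
     * Looks up the client when the container has already authenticated a principal.
     *
     * <p>NOTE(review): when {@code client_id} differs from the principal name the
     * client is fetched by {@code client_id} only and no secret is checked here;
     * this relies on the component that established the principal being trusted
     * to have authenticated that client — confirm against the deployment.
     *
     * @return the resolved client, or {@code null} when neither a client id nor a
     *         principal name is available
     */
    private Client resolveClientFromPrincipal(MultivaluedMap<String, String> params, Principal principal) {
        String clientId = retrieveClientId(params);
        if (clientId == null) {
            return principal.getName() != null ? getClient(principal.getName(), params) : null;
        }
        Client client = null;
        if (clientId.equals(principal.getName())) {
            // An upstream filter may already have stored the authenticated Client in the context.
            client = (Client) getMessageContext().get(Client.class.getName());
        }
        return client != null ? client : getClient(clientId, params);
    }

    /**
     * Rejects the request when the client is registered for a different
     * token-endpoint authentication method than the one actually used.
     *
     * @param client the client, may be {@code null} (then nothing is checked)
     * @param authMethod the method that was used for this request
     * @throws javax.ws.rs.WebApplicationException with status 401 and
     *         {@code unauthorized_client} on a mismatch
     */
    protected void validateClientAuthenticationMethod(Client client, String authMethod) {
        if (client == null) {
            return;
        }
        String registeredMethod = client.getTokenEndpointAuthMethod();
        // A client with no registered method may use any method.
        if (registeredMethod != null && !registeredMethod.equals(authMethod)) {
            reportInvalidClient(new OAuthError(OAuthConstants.UNAUTHORIZED_CLIENT));
        }
    }

    /**
     * Finds the client id: form parameter first, then the message-context
     * property of the same name, then the configured {@link ClientIdProvider}.
     *
     * @param params the token request form parameters
     * @return the client id, or {@code null} if none of the sources has one
     */
    protected String retrieveClientId(MultivaluedMap<String, String> params) {
        String clientId = params.getFirst("client_id");
        if (clientId == null) {
            clientId = (String) getMessageContext().get("client_id");
        }
        if (clientId == null && this.clientIdProvider != null) {
            clientId = this.clientIdProvider.getClientId(getMessageContext());
        }
        return clientId;
    }

    /**
     * Loads the client by id and verifies the presented secret.
     *
     * @param clientId the client id presented by the caller
     * @param providedSecret the secret presented by the caller
     * @param params the token request form parameters
     * @return the client, which is confidential and whose secret matched
     * @throws javax.ws.rs.WebApplicationException with status 401 when the client
     *         is unknown, is not confidential, or the secret does not match
     */
    protected Client getAndValidateClientFromIdAndSecret(String clientId, String providedSecret,
                                                         MultivaluedMap<String, String> params) {
        Client client = getClient(clientId, providedSecret, params);
        // Defends against a data provider resolving a different client than was asked for.
        if (!client.getClientId().equals(clientId)) {
            reportInvalidClient();
        }
        // Only confidential clients may authenticate with a secret.
        if (!client.isConfidential() || !isConfidenatialClientSecretValid(client, providedSecret)) {
            reportInvalidClient();
        }
        return client;
    }

    /**
     * Checks the presented secret against the client's registered secret.
     *
     * <p>Delegates to the configured {@link ClientSecretVerifier} when one is set;
     * otherwise compares the two values in constant time.
     *
     * @param client the client being authenticated
     * @param providedSecret the secret presented by the caller, may be {@code null}
     * @return {@code true} only when both secrets are present and equal
     */
    protected boolean isConfidenatialClientSecretValid(Client client, String providedSecret) {
        if (this.clientSecretVerifier != null) {
            return this.clientSecretVerifier.validateClientSecret(client, providedSecret);
        }
        String registeredSecret = client.getClientSecret();
        if (registeredSecret == null || providedSecret == null) {
            return false;
        }
        // String.equals() returns at the first differing character, so its duration depends on
        // how much of the secret was guessed correctly; MessageDigest.isEqual does not.
        return MessageDigest.isEqual(
            registeredSecret.getBytes(StandardCharsets.UTF_8),
            providedSecret.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Decides whether {@code client} may authenticate as a public client, i.e. with
     * no secret at all.
     *
     * @param client the client returned by {@code getValidClient}, may be {@code null}
     * @param clientId the client id presented by the caller (unused here; available to overrides)
     * @return {@code true} when public clients are enabled and the client is
     *         non-confidential with no registered secret
     */
    protected boolean isValidPublicClient(Client client, String clientId) {
        // The inherited getValidClient(...) is not visible here and may return null; the original
        // dereferenced client unconditionally, turning an unknown client into an NPE/500 rather
        // than a 401.
        return this.canSupportPublicClients
            && client != null
            && !client.isConfidential()
            && client.getClientSecret() == null;
    }

    /**
     * Authenticates the client from an HTTP Basic {@code Authorization} header
     * (client_secret_basic).
     *
     * @param params the token request form parameters
     * @return the authenticated client, or {@code null} when there is no usable
     *         Basic header
     * @throws javax.ws.rs.WebApplicationException with status 401 when the header
     *         is present but the credentials or the auth method are rejected
     */
    protected Client getClientFromBasicAuthScheme(MultivaluedMap<String, String> params) {
        Client client = null;
        String[] userInfo = AuthorizationUtils.getBasicAuthUserInfo(getMessageContext());
        if (userInfo != null && userInfo.length == 2) {
            client = getAndValidateClientFromIdAndSecret(userInfo[0], userInfo[1], params);
        }
        validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_BASIC);
        return client;
    }

    /**
     * Verifies that the TLS client certificate of the current connection is the
     * one the client is registered with (tls_client_auth binding).
     *
     * <p>The binding may be expressed as a subject DN and optionally an issuer DN
     * (client properties), and/or as registered application certificates. A
     * client with none of these cannot be bound and is rejected. Note that the
     * issuer DN is only checked when it is configured, so a subject-DN-only
     * binding accepts a matching subject from any issuer the transport trusts.
     * On success the certificate thumbprint is recorded on the message context.
     *
     * @param client the client to bind, must not be {@code null}
     * @param tlsSessionInfo the TLS session of the current request
     * @throws javax.ws.rs.WebApplicationException with status 401 when the
     *         certificate does not match the registration
     */
    protected void checkCertificateBinding(Client client, TLSSessionInfo tlsSessionInfo) {
        String expectedSubjectDn = client.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_SUBJECT_DN);
        if (expectedSubjectDn == null && client.getApplicationCertificates().isEmpty()) {
            rejectCertificateBinding(client);
        }
        X509Certificate rootCert = OAuthUtils.getRootTLSCertificate(tlsSessionInfo);
        if (expectedSubjectDn != null
            && !expectedSubjectDn.equals(OAuthUtils.getSubjectDnFromTLSCertificates(rootCert))) {
            rejectCertificateBinding(client);
        }
        String expectedIssuerDn = client.getProperties().get(OAuthConstants.TLS_CLIENT_AUTH_ISSUER_DN);
        if (expectedIssuerDn != null
            && !expectedIssuerDn.equals(OAuthUtils.getIssuerDnFromTLSCertificates(rootCert))) {
            rejectCertificateBinding(client);
        }
        if (!client.getApplicationCertificates().isEmpty()) {
            compareTlsCertificates(tlsSessionInfo, client.getApplicationCertificates());
        }
        OAuthUtils.setCertificateThumbprintConfirmation(getMessageContext(), rootCert);
    }

    /** Logs a failed certificate binding for {@code client} and reports an invalid client. */
    private void rejectCertificateBinding(Client client) {
        LOG.warning("Client \"" + client.getClientId() + "\" can not be bound to the TLS certificate");
        reportInvalidClient();
    }

    /** @return the TLS session info stored on the message context, or {@code null} if absent */
    private TLSSessionInfo getTlsSessionInfo() {
        return (TLSSessionInfo) getMessageContext().get(TLSSessionInfo.class.getName());
    }

    /**
     * Authenticates the client purely from its TLS client certificate, using the
     * certificate's subject DN as the client id.
     *
     * @param securityContext the request security context
     * @param tlsSessionInfo the TLS session of the current request
     * @param params the token request form parameters
     * @return the authenticated client, or {@code null} when the connection is not
     *         mutual TLS or the certificate has no subject DN
     * @throws javax.ws.rs.WebApplicationException with status 401 when the client
     *         is unknown, its auth method is not tls_client_auth, or its registered
     *         certificates do not match the connection
     */
    protected Client getClientFromTLSCertificates(SecurityContext securityContext,
                                                  TLSSessionInfo tlsSessionInfo,
                                                  MultivaluedMap<String, String> params) {
        if (!OAuthUtils.isMutualTls(securityContext, tlsSessionInfo)) {
            return null;
        }
        X509Certificate rootCert = OAuthUtils.getRootTLSCertificate(tlsSessionInfo);
        String subjectDn = OAuthUtils.getSubjectDnFromTLSCertificates(rootCert);
        if (StringUtils.isEmpty(subjectDn)) {
            return null;
        }
        Client client = getClient(subjectDn, params);
        validateClientAuthenticationMethod(client, OAuthConstants.TOKEN_ENDPOINT_AUTH_TLS);
        compareTlsCertificates(tlsSessionInfo, client.getApplicationCertificates());
        OAuthUtils.setCertificateThumbprintConfirmation(getMessageContext(), rootCert);
        return client;
    }

    /**
     * Rejects the request unless the connection's certificates match the client's
     * registered application certificates.
     *
     * @param tlsSessionInfo the TLS session of the current request
     * @param encodedCertificates the client's registered certificates
     * @throws javax.ws.rs.WebApplicationException with status 401 on mismatch
     */
    protected void compareTlsCertificates(TLSSessionInfo tlsSessionInfo, List<String> encodedCertificates) {
        if (!OAuthUtils.compareTlsCertificates(tlsSessionInfo, encodedCertificates)) {
            reportInvalidClient();
        }
    }

    /**
     * Converts a service exception into a 400 error response.
     *
     * <p>Original bytecode visibility: {@code protected}.
     *
     * @param ex the exception raised while processing the request
     * @param defaultErrorCode the OAuth2 error code to use unless custom errors are
     *        enabled and {@code ex} carries one
     * @return a 400 response whose entity is the chosen {@link OAuthError}
     */
    public Response handleException(OAuthServiceException ex, String defaultErrorCode) {
        OAuthError customError = ex.getError();
        if (this.writeCustomErrors && customError != null) {
            return createErrorResponseFromBean(customError);
        }
        return createErrorResponseFromBean(new OAuthError(defaultErrorCode));
    }

    /**
     * Builds a 400 error response for the given error code.
     *
     * <p>Original bytecode visibility: {@code protected}.
     *
     * @param params the token request form parameters (unused; kept for overrides)
     * @param errorCode the OAuth2 error code
     * @return a 400 response carrying the error
     */
    public Response createErrorResponse(MultivaluedMap<String, String> params, String errorCode) {
        return createErrorResponseFromBean(new OAuthError(errorCode));
    }

    /**
     * Builds a 400 error response for the given error code.
     *
     * <p>Original bytecode visibility: {@code protected}.
     *
     * @param errorCode the OAuth2 error code
     * @return a 400 response carrying the error
     */
    public Response createErrorResponseFromErrorCode(String errorCode) {
        return createErrorResponseFromBean(new OAuthError(errorCode));
    }

    /**
     * Builds a 400 response with {@code error} as its entity.
     *
     * <p>Original bytecode visibility: {@code protected}.
     *
     * @param error the error bean to serialize
     * @return the 400 response
     */
    public Response createErrorResponseFromBean(OAuthError error) {
        return JAXRSUtils.toResponseBuilder(400).entity(error).build();
    }

    /**
     * Loads the client for {@code clientId}, passing along whatever
     * {@code client_secret} the form carries.
     *
     * @see #getClient(String, String, MultivaluedMap)
     */
    protected Client getClient(String clientId, MultivaluedMap<String, String> params) {
        return getClient(clientId, params.getFirst("client_secret"), params);
    }

    /**
     * Loads the client for {@code clientId} via the inherited
     * {@code getValidClient}, turning a missing client or a provider failure into
     * an error response.
     *
     * @param clientId the client id, may be {@code null}
     * @param clientSecret the presented secret, may be {@code null}
     * @param params the token request form parameters
     * @return the client; {@code null} only if the inherited error reporters do
     *         not throw
     * @throws javax.ws.rs.WebApplicationException with status 401 when no client is
     *         found, or 400 (via {@code reportInvalidRequestError}) when the id is
     *         {@code null}
     */
    protected Client getClient(String clientId, String clientSecret, MultivaluedMap<String, String> params) {
        if (clientId == null) {
            reportInvalidRequestError("Client ID is null");
            return null;
        }
        Client client = null;
        try {
            client = getValidClient(clientId, clientSecret, params);
        } catch (OAuthServiceException e) {
            // clientId is caller-supplied and is logged verbatim.
            LOG.warning("No valid client found for clientId: " + clientId);
            if (e.getError() != null) {
                reportInvalidClient(e.getError());
                return null;
            }
        }
        if (client == null) {
            LOG.warning("No valid client found for clientId: " + clientId);
            reportInvalidClient();
        }
        return client;
    }

    /**
     * Reports a generic {@code invalid_client} error.
     *
     * @throws javax.ws.rs.WebApplicationException always, with status 401
     */
    protected void reportInvalidClient() {
        reportInvalidClient(new OAuthError(OAuthConstants.INVALID_CLIENT));
    }

    /**
     * Aborts the request with a 401 whose JSON entity is {@code error}.
     *
     * @param error the error to return to the client
     * @throws javax.ws.rs.WebApplicationException always, with status 401
     */
    protected void reportInvalidClient(OAuthError error) {
        Response response = JAXRSUtils.toResponseBuilder(401)
            .type(MediaType.APPLICATION_JSON_TYPE)
            .entity(error)
            .build();
        throw ExceptionUtils.toNotAuthorizedException(null, response);
    }

    /** @param canSupportPublicClients whether clients without a secret may authenticate */
    public void setCanSupportPublicClients(boolean canSupportPublicClients) {
        this.canSupportPublicClients = canSupportPublicClients;
    }

    /** @return whether clients without a secret may authenticate */
    public boolean isCanSupportPublicClients() {
        return this.canSupportPublicClients;
    }

    /** @param writeCustomErrors whether exception-carried errors are returned verbatim */
    public void setWriteCustomErrors(boolean writeCustomErrors) {
        this.writeCustomErrors = writeCustomErrors;
    }

    /** @param clientIdProvider fallback source of the client id, may be {@code null} */
    public void setClientIdProvider(ClientIdProvider clientIdProvider) {
        this.clientIdProvider = clientIdProvider;
    }

    /** @param clientSecretVerifier pluggable secret check, may be {@code null} */
    public void setClientSecretVerifier(ClientSecretVerifier clientSecretVerifier) {
        this.clientSecretVerifier = clientSecretVerifier;
    }
}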
