package org.apereo.cas.support.oauth.authenticator;

import java.io.Serializable;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.credential.UsernamePasswordCredential;
import org.apereo.cas.authentication.principal.Principal;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.ticket.code.OAuth20Code;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.profile.CommonProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/oauth/authenticator/OAuth20ClientIdClientSecretAuthenticator.class */
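/**
 * pac4j {@link Authenticator} that authenticates an OAuth client from a
 * {@code client_id} / {@code client_secret} pair carried as username / password.
 * <p>
 * Flow in {@link #validate}: look the client up by {@code client_id}; decide via
 * {@link #canAuthenticate} whether secret-based client authentication applies to this
 * request at all; enforce the registered service's access strategy; verify the secret;
 * then resolve a principal and attach a {@link CommonProfile} to the credentials.
 * <p>
 * NOTE(review): an unknown {@code client_id} returns silently (no profile, no exception),
 * while a known {@code client_id} with a wrong secret throws {@link CredentialsException}
 * naming the registered service. Depending on how the surrounding pac4j client surfaces
 * these two outcomes, a caller may be able to tell registered client ids from unknown
 * ones; confirm against the error handling in the token endpoint.
 * <p>
 * This listing appears to be decompiled (lombok {@code @Generated} members, synthetic
 * lambda names); the decompiler artefacts have been repaired here without changing
 * the executed logic.
 */
public class OAuth20ClientIdClientSecretAuthenticator implements Authenticator<UsernamePasswordCredentials> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20ClientIdClientSecretAuthenticator.class);

    /** Registry of registered services; the client is looked up by its {@code client_id}. */
    private final ServicesManager servicesManager;

    /** Builds the {@link WebApplicationService} that the access strategy is evaluated against. */
    private final ServiceFactory<WebApplicationService> webApplicationServiceServiceFactory;

    /** Audited enforcement of the registered service's access strategy. */
    private final AuditableExecution registeredServiceAccessStrategyEnforcer;

    /** Cipher handed to {@link OAuth20Utils#checkClientSecret}; presumably decrypts stored secrets. */
    private final CipherExecutor<Serializable, String> registeredServiceCipherExecutor;

    /** Used only to inspect the OAuth code named by the {@code code} request parameter. */
    private final TicketRegistry ticketRegistry;

    /** Resolves the principal (and its attributes) that becomes the authenticated profile. */
    private final PrincipalResolver principalResolver;

    /**
     * Authenticates the client identified by the credentials' username ({@code client_id})
     * using the credentials' password ({@code client_secret}).
     * <p>
     * On success a {@link CommonProfile} whose id is the {@code client_id} and whose
     * attributes are copied from the resolved principal is set on the credentials.
     * Nothing is set when the client is unknown or when {@link #canAuthenticate} decides
     * this request is handled by a different authentication mechanism.
     *
     * @param usernamePasswordCredentials client_id / client_secret as username / password
     * @param webContext                  the current request, consulted for grant type and code
     * @throws CredentialsException if the secret does not match, or if the registered service's
     *                              access strategy rejects the request (propagated from the enforcer)
     */
    public void validate(final UsernamePasswordCredentials usernamePasswordCredentials, final WebContext webContext)
        throws CredentialsException {
        // NOTE(review): logs the whole credential object; this relies on
        // UsernamePasswordCredentials#toString masking the password — confirm for the pac4j version in use.
        LOGGER.debug("Authenticating credential [{}]", usernamePasswordCredentials);

        final String clientId = usernamePasswordCredentials.getUsername();
        final OAuthRegisteredService registeredService =
            OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager, clientId);
        if (registeredService == null) {
            // Unknown client: leave the credentials unauthenticated and let the caller decide.
            LOGGER.debug("Unable to locate registered service for [{}]", clientId);
            return;
        }
        if (!canAuthenticate(webContext)) {
            // Another mechanism (password grant, refresh token, PKCE) is responsible for this request.
            return;
        }

        // Access strategy is enforced before the secret is verified; a denial surfaces as an exception.
        final AuditableContext auditContext = AuditableContext.builder()
            .service(this.webApplicationServiceServiceFactory.createService(registeredService.getServiceId()))
            .registeredService(registeredService)
            .build();
        this.registeredServiceAccessStrategyEnforcer.execute(auditContext).throwExceptionIfNeeded();

        validateCredentials(usernamePasswordCredentials, registeredService, webContext);

        // The client secret is passed to the resolver as the credential password.
        final Principal principal = this.principalResolver.resolve(
            new UsernamePasswordCredential(usernamePasswordCredentials.getUsername(), usernamePasswordCredentials.getPassword()));
        final CommonProfile profile = new CommonProfile();
        profile.setId(clientId);
        // Copy every principal attribute onto the profile (the original compiled to a
        // bound method reference, which is why javac emitted Objects.requireNonNull here).
        principal.getAttributes().forEach(profile::addAttribute);
        usernamePasswordCredentials.setUserProfile(profile);
        LOGGER.debug("Authenticated user profile [{}]", profile);
    }

    /**
     * Verifies the presented client secret against the registered service.
     * <p>
     * NOTE(review): the actual comparison (and any decryption via the cipher executor) lives in
     * {@link OAuth20Utils#checkClientSecret}; whether it is constant-time cannot be confirmed here.
     *
     * @param usernamePasswordCredentials credentials whose password is the presented secret
     * @param oAuthRegisteredService      the registered client the secret is checked against
     * @param webContext                  the current request (unused here; available to overrides)
     * @throws CredentialsException if the secret does not match
     */
    protected void validateCredentials(final UsernamePasswordCredentials usernamePasswordCredentials,
                                       final OAuthRegisteredService oAuthRegisteredService,
                                       final WebContext webContext) {
        final boolean secretMatches = OAuth20Utils.checkClientSecret(
            oAuthRegisteredService, usernamePasswordCredentials.getPassword(), this.registeredServiceCipherExecutor);
        if (!secretMatches) {
            throw new CredentialsException("Client Credentials provided is not valid for registered service: " + oAuthRegisteredService.getName());
        }
    }

    /**
     * Decides whether client-secret authentication should be performed for this request.
     * <p>
     * Returns {@code false} (skip) when:
     * <ul>
     *   <li>the grant type is {@code password};</li>
     *   <li>the grant type is {@code refresh_token}, a {@code client_id} is present and no
     *       {@code client_secret} is sent;</li>
     *   <li>a {@code code} parameter names an existing {@link OAuth20Code} that carries a
     *       code challenge (PKCE).</li>
     * </ul>
     * Otherwise returns {@code true}.
     * <p>
     * NOTE(review): the refresh-token branch skips secret verification for any client that
     * simply omits {@code client_secret}. That is expected for public clients; for confidential
     * clients it relies on the refresh-token grant path binding the token to the client, or on
     * another authenticator in the chain enforcing the secret — neither is visible in this class.
     * Likewise the PKCE branch relies on a separate authenticator verifying {@code code_verifier}
     * against the stored challenge. Confirm both against the token endpoint's authenticator chain.
     *
     * @param webContext the current request
     * @return {@code true} if the client secret must be verified by this authenticator
     */
    protected boolean canAuthenticate(final WebContext webContext) {
        final Optional<String> grantType = webContext.getRequestParameter(OAuth20Constants.GRANT_TYPE);

        if (grantType.isPresent() && OAuth20Utils.isGrantType(grantType.get(), OAuth20GrantTypes.PASSWORD)) {
            LOGGER.debug("Skipping Client credential authentication to use password authentication");
            return false;
        }

        // Evaluation order preserved: client_id / client_secret are only read for refresh_token grants.
        final boolean refreshTokenWithoutSecret = grantType.isPresent()
            && OAuth20Utils.isGrantType(grantType.get(), OAuth20GrantTypes.REFRESH_TOKEN)
            && webContext.getRequestParameter("client_id").isPresent()
            && !webContext.getRequestParameter(OAuth20Constants.CLIENT_SECRET).isPresent();
        if (refreshTokenWithoutSecret) {
            LOGGER.debug("Skipping client credential authentication to use refresh token authentication");
            return false;
        }

        final Optional<String> code = webContext.getRequestParameter(OAuth20Constants.CODE);
        if (!code.isPresent()) {
            return true;
        }

        LOGGER.debug("Checking if the OAuth code issued contains code challenge");
        // Lookup only: the code is not consumed here. An unknown code or one without a
        // challenge falls back to requiring the client secret.
        final OAuth20Code ticket = this.ticketRegistry.getTicket(code.get(), OAuth20Code.class);
        if (ticket == null || StringUtils.isEmpty(ticket.getCodeChallenge())) {
            return true;
        }
        LOGGER.debug("The OAuth code [{}] issued contains code challenge which requires PKCE Authentication", code.get());
        return false;
    }

    /**
     * Creates the authenticator with all of its collaborators.
     *
     * @param servicesManager     registry of registered services
     * @param serviceFactory      factory for the {@link WebApplicationService} used in access checks
     * @param auditableExecution  access-strategy enforcer
     * @param cipherExecutor      cipher used when checking the client secret
     * @param ticketRegistry      ticket registry used to inspect OAuth codes
     * @param principalResolver   resolver producing the authenticated principal
     */
    @Generated
    public OAuth20ClientIdClientSecretAuthenticator(final ServicesManager servicesManager,
                                                    final ServiceFactory<WebApplicationService> serviceFactory,
                                                    final AuditableExecution auditableExecution,
                                                    final CipherExecutor<Serializable, String> cipherExecutor,
                                                    final TicketRegistry ticketRegistry,
                                                    final PrincipalResolver principalResolver) {
        this.servicesManager = servicesManager;
        this.webApplicationServiceServiceFactory = serviceFactory;
        this.registeredServiceAccessStrategyEnforcer = auditableExecution;
        this.registeredServiceCipherExecutor = cipherExecutor;
        this.ticketRegistry = ticketRegistry;
        this.principalResolver = principalResolver;
    }

    /** @return the services manager used for client lookups */
    @Generated
    public ServicesManager getServicesManager() {
        return this.servicesManager;
    }

    /** @return the cipher executor passed to the client-secret check */
    @Generated
    public CipherExecutor<Serializable, String> getRegisteredServiceCipherExecutor() {
        return this.registeredServiceCipherExecutor;
    }

    /** @return the ticket registry used to inspect OAuth codes */
    @Generated
    public TicketRegistry getTicketRegistry() {
        return this.ticketRegistry;
    }
}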
