package org.apereo.cas.support.oauth.authenticator;

import java.io.Serializable;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.authentication.principal.PrincipalResolver;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.ticket.code.OAuth20Code;
import org.apereo.cas.ticket.registry.TicketRegistry;
import org.apereo.cas.util.DigestUtils;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.UsernamePasswordCredentials;
import org.pac4j.core.exception.CredentialsException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/oauth/authenticator/OAuth20ProofKeyCodeExchangeAuthenticator.class */
public class OAuth20ProofKeyCodeExchangeAuthenticator extends OAuth20ClientIdClientSecretAuthenticator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20ProofKeyCodeExchangeAuthenticator.class);

    public OAuth20ProofKeyCodeExchangeAuthenticator(ServicesManager servicesManager, ServiceFactory serviceFactory, AuditableExecution auditableExecution, TicketRegistry ticketRegistry, CipherExecutor<Serializable, String> cipherExecutor, PrincipalResolver principalResolver) {
        super(servicesManager, serviceFactory, auditableExecution, cipherExecutor, ticketRegistry, principalResolver);
    }

    @Override // org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator
    protected boolean canAuthenticate(WebContext webContext) {
        return webContext.getRequestParameter(OAuth20Constants.CODE_VERIFIER).isPresent();
    }

    @Override // org.apereo.cas.support.oauth.authenticator.OAuth20ClientIdClientSecretAuthenticator
    protected void validateCredentials(UsernamePasswordCredentials usernamePasswordCredentials, OAuthRegisteredService oAuthRegisteredService, WebContext webContext, SessionStore sessionStore) {
        if (!OAuth20Utils.checkClientSecret(oAuthRegisteredService, (String) OAuth20Utils.getClientIdAndClientSecret(webContext, sessionStore).getRight(), getRegisteredServiceCipherExecutor())) {
            throw new CredentialsException("Client Credentials provided is not valid for service: " + oAuthRegisteredService.getName());
        }
        String str = (String) webContext.getRequestParameter(OAuth20Constants.CODE_VERIFIER).map((v0) -> {
            return String.valueOf(v0);
        }).orElse("");
        String str2 = (String) webContext.getRequestParameter(OAuth20Constants.CODE).map((v0) -> {
            return String.valueOf(v0);
        }).orElse("");
        OAuth20Code ticket = getTicketRegistry().getTicket(str2, OAuth20Code.class);
        if (ticket == null || ticket.isExpired()) {
            LOGGER.error("Provided code [{}] is either not found in the ticket registry or has expired", str2);
            throw new CredentialsException("Invalid token: " + str2);
        }
        String str3 = (String) StringUtils.defaultIfEmpty(ticket.getCodeChallengeMethod(), "plain");
        String calculateCodeVerifierHash = calculateCodeVerifierHash(str3, str);
        if (calculateCodeVerifierHash.equalsIgnoreCase(ticket.getCodeChallenge())) {
            LOGGER.debug("Validated code verifier using verification method [{}]", str3);
        } else {
            LOGGER.error("Code verifier [{}] does not match the challenge [{}]", calculateCodeVerifierHash, ticket.getCodeChallenge());
            throw new CredentialsException("Code verification does not match the challenge assigned to: " + ticket.getId());
        }
    }

    private static String calculateCodeVerifierHash(String str, String str2) {
        if ("plain".equalsIgnoreCase(str)) {
            return str2;
        }
        if ("S256".equalsIgnoreCase(str)) {
            return EncodingUtils.encodeUrlSafeBase64(DigestUtils.rawDigestSha256(str2));
        }
        throw new CredentialsException("Code verification method is unrecognized: " + str);
    }
}
