package org.apereo.cas.support.oauth.validator;

import java.io.Serializable;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/oauth/validator/DefaultOAuth20ClientSecretValidator.class */
public class DefaultOAuth20ClientSecretValidator implements OAuth20ClientSecretValidator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultOAuth20ClientSecretValidator.class);
    private final CipherExecutor<Serializable, String> cipherExecutor;

    public boolean validate(OAuthRegisteredService oAuthRegisteredService, String str) {
        if (isClientSecretUndefined(oAuthRegisteredService)) {
            LOGGER.debug("The client secret is not defined for the registered service [{}]", oAuthRegisteredService.getName());
            return true;
        }
        if (StringUtils.equals((String) this.cipherExecutor.decode(oAuthRegisteredService.getClientSecret(), new Object[]{oAuthRegisteredService}), EncodingUtils.urlDecode(str))) {
            return true;
        }
        LOGGER.error("Wrong client secret for service: [{}]. Using PKCE does not require a client secret and requests generally must not specify a client secret to CAS.\nFurthermore, you must make sure no client secret is assigned to this registered service in the CAS service registry.", oAuthRegisteredService.getServiceId());
        return false;
    }

    public boolean isClientSecretExpired(OAuthRegisteredService oAuthRegisteredService) {
        return false;
    }

    protected boolean isClientSecretUndefined(OAuthRegisteredService oAuthRegisteredService) {
        return oAuthRegisteredService != null && StringUtils.isBlank(oAuthRegisteredService.getClientSecret());
    }

    @Generated
    public DefaultOAuth20ClientSecretValidator(CipherExecutor<Serializable, String> cipherExecutor) {
        this.cipherExecutor = cipherExecutor;
    }

    @Generated
    public CipherExecutor<Serializable, String> getCipherExecutor() {
        return this.cipherExecutor;
    }
}
