package org.apereo.cas.support.oauth.validator.token;

import javax.servlet.http.HttpServletRequest;
import lombok.Generated;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext;
import org.apereo.cas.ticket.code.OAuth20Code;
import org.apereo.cas.util.HttpRequestUtils;
import org.pac4j.core.context.JEEContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/support/oauth/validator/token/OAuth20AuthorizationCodeGrantTypeTokenRequestValidator.class */
/**
 * Token request validator for the {@link OAuth20GrantTypes#AUTHORIZATION_CODE} grant.
 *
 * <p>An access-token request is accepted only when the presented authorization code
 * exists, has not expired, and was issued to the same registered service as the one
 * resolved from the authenticated client's id.
 */
public class OAuth20AuthorizationCodeGrantTypeTokenRequestValidator extends BaseOAuth20TokenRequestValidator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20AuthorizationCodeGrantTypeTokenRequestValidator.class);

    /**
     * Creates the validator on top of the shared OAuth configuration context.
     *
     * @param oAuth20ConfigurationContext context handed to the base validator
     */
    public OAuth20AuthorizationCodeGrantTypeTokenRequestValidator(OAuth20ConfigurationContext oAuth20ConfigurationContext) {
        super(oAuth20ConfigurationContext);
    }

    /**
     * Reports the grant type handled by this validator.
     *
     * @return always {@link OAuth20GrantTypes#AUTHORIZATION_CODE}
     */
    @Override
    protected OAuth20GrantTypes getGrantType() {
        return OAuth20GrantTypes.AUTHORIZATION_CODE;
    }

    /**
     * Validates an authorization-code token request.
     *
     * <p>Steps, in order: resolve the registered service for the client id taken from
     * {@code userProfile}; require the redirect-URI and code parameters and check the
     * redirect URI against that service; load the code from the ticket registry and
     * reject it when missing or expired; run the access-strategy enforcer for the
     * service the code was issued to; require both registered services to be equal;
     * finally require the grant type to be supported by the service.
     *
     * @param jEEContext     web context carrying the token request
     * @param str            grant type of the request, as logged and passed to the grant-type check
     * @param profileManager profile manager (not read by this implementation)
     * @param userProfile    authenticated client profile; its id is used as the client id
     * @return {@code true} when every check passes, {@code false} when one is rejected here;
     *         the two access checks may presumably throw instead of returning
     */
    @Override
    protected boolean validateInternal(JEEContext jEEContext, String str, ProfileManager profileManager, UserProfile userProfile) {
        HttpServletRequest request = jEEContext.getNativeRequest();
        String clientId = userProfile.getId();
        String redirectUri = request.getParameter(OAuth20Constants.REDIRECT_URI);

        LOGGER.debug("Locating registered service for client id [{}]", clientId);
        OAuthRegisteredService clientService =
            OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), clientId);
        // The result is not inspected here; presumably this throws when access is denied - confirm.
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(clientService);

        LOGGER.debug("Received grant type [{}] with client id [{}] and redirect URI [{}]", str, clientId, redirectUri);

        // NOTE(review): the redirect URI is only checked against the service definition.
        // Nothing visible here compares it with the redirect URI used when the code was
        // issued (RFC 6749 section 4.1.3) - confirm that binding is enforced elsewhere.
        if (!HttpRequestUtils.doesParameterExist(request, OAuth20Constants.REDIRECT_URI)
                || !HttpRequestUtils.doesParameterExist(request, OAuth20Constants.CODE)
                || !OAuth20Utils.checkCallbackValid(clientService, redirectUri)) {
            LOGGER.warn("Access token request cannot be validated for grant type [{}] and client id [{}] given the redirect URI [{}]", str, clientId, redirectUri);
            return false;
        }

        String code = jEEContext.getRequestParameter(OAuth20Constants.CODE).map(String::valueOf).orElse("");
        OAuth20Code codeTicket = getConfigurationContext().getTicketRegistry().getTicket(code, OAuth20Code.class);
        if (codeTicket == null || codeTicket.isExpired()) {
            LOGGER.warn("Request OAuth code [{}] is not found or has expired", code);
            return false;
        }
        // NOTE(review): no consumption or revocation of the code is visible in this method;
        // single-use enforcement presumably happens where the token is issued - confirm.

        String codeServiceId = codeTicket.getService().getId();
        OAuthRegisteredService codeService =
            OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), codeServiceId);

        // Access strategy is evaluated for the service and authentication recorded on the code.
        AuditableContext auditContext = AuditableContext.builder()
            .service(codeTicket.getService())
            .authentication(codeTicket.getAuthentication())
            .registeredService(codeService)
            .build();
        getConfigurationContext().getRegisteredServiceAccessStrategyEnforcer().execute(auditContext).throwExceptionIfNeeded();

        // Client binding: the code must belong to the service of the authenticated client.
        if (!clientService.equals(codeService)) {
            // NOTE(review): the code logged here passed the existence/expiry check above, so
            // the raw value may still be usable; confirm the logging layer masks it or that
            // the code is revoked on mismatch.
            LOGGER.warn("OAuth code [{}] issued to service [{}] does not match [{}] provided, given the redirect URI [{}]", code, codeServiceId, clientService.getName(), redirectUri);
            return false;
        }

        if (!isGrantTypeSupportedBy(clientService, str)) {
            LOGGER.warn("Requested grant type [{}] is not authorized by service definition [{}]", getGrantType(), clientService.getServiceId());
            return false;
        }
        return true;
    }
}
