package org.nuxeo.ecm.platform.oauth2.request;

import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.text.CharacterPredicate;
import org.apache.commons.text.CharacterPredicates;
import org.apache.commons.text.RandomStringGenerator;
import org.nuxeo.ecm.core.transientstore.api.TransientStoreService;
import org.nuxeo.ecm.platform.oauth2.Constants;
import org.nuxeo.ecm.platform.oauth2.OAuth2Error;
import org.nuxeo.ecm.platform.oauth2.clients.OAuth2Client;
import org.nuxeo.ecm.platform.oauth2.clients.OAuth2ClientService;
import org.nuxeo.runtime.api.Framework;

/* loaded from: input_file:org/nuxeo/ecm/platform/oauth2/request/AuthorizationRequest.class */
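public class AuthorizationRequest extends OAuth2Request {

    private static final Log log = LogFactory.getLog(AuthorizationRequest.class);

    /** Number of alphanumeric characters in a generated authorization code. */
    protected static final int AUTHORIZATION_CODE_LENGTH = 10;

    /** Lifetime of a stored authorization request (10 minutes) after which {@link #isExpired()} is true. */
    public static final long EXPIRATION_DELAY_MS = 10 * 60 * 1000L;

    /**
     * Randomness source for authorization codes. An authorization code is a bearer credential (RFC 6749 §10.10),
     * so it must be unguessable; the {@link RandomStringGenerator.Builder} default provider is not a
     * cryptographically strong generator, hence the explicit {@link SecureRandom}.
     */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    /** Generates letters and digits drawn from the ASCII range 48 ('0') .. 122 ('z'). */
    private static final RandomStringGenerator GENERATOR = new RandomStringGenerator.Builder()
            .filteredBy(CharacterPredicates.LETTERS, CharacterPredicates.DIGITS)
            .withinRange(48, 122)
            .usingRandom(SECURE_RANDOM::nextInt)
            .build();

    public static final String MISSING_REQUIRED_FIELD_MESSAGE = "Missing required field \"%s\".";

    public static final String STORE_NAME = "authorizationRequestStore";

    // Keys used when this request is written to / read from the transient store (see toMap / fromMap).
    protected static final String CLIENT_ID_KEY = "clientId";

    protected static final String REDIRECT_URI_KEY = "redirectURI";

    protected static final String RESPONSE_TYPE_KEY = "responseType";

    protected static final String CREATION_DATE_KEY = "creationDate";

    protected static final String AUTHORIZATION_CODE_KEY = "authorizationCode";

    protected static final String USERNAME_KEY = "username";

    protected static final String CODE_CHALLENGE_KEY = "codeChallenge";

    protected static final String CODE_CHALLENGE_METHOD_KEY = "codeChallengeMethod";

    /** The {@code response_type} request parameter; only {@code "code"} is accepted by {@link #checkError()}. */
    protected String responseType;

    /** The {@code scope} request parameter, stored as sent (not validated here). */
    protected String scope;

    /** When this request was built from the HTTP request; drives {@link #isExpired()}. */
    protected Date creationDate;

    /** Lazily generated by {@link #getAuthorizationCode()}. */
    protected String authorizationCode;

    /** Name of the authenticated principal at the time of the request, or {@code null} if anonymous. */
    protected String username;

    /** PKCE {@code code_challenge} parameter (RFC 7636), or {@code null} when the client did not send one. */
    protected String codeChallenge;

    /** PKCE {@code code_challenge_method} parameter, or {@code null} when the client did not send one. */
    protected String codeChallengeMethod;

    /**
     * Builds an authorization request from the parameters of an incoming HTTP request.
     * <p>
     * All values come from client-controlled input and are not validated here; call {@link #checkError()} before
     * acting on the result.
     *
     * @param httpServletRequest the authorization endpoint request
     * @return the parsed request
     */
    public static AuthorizationRequest fromRequest(HttpServletRequest httpServletRequest) {
        return new AuthorizationRequest(httpServletRequest);
    }

    /**
     * Rebuilds an authorization request previously serialized with {@link #toMap()}.
     *
     * @param map the serialized request
     * @return the deserialized request
     */
    public static AuthorizationRequest fromMap(Map<String, Serializable> map) {
        return new AuthorizationRequest(map);
    }

    /**
     * Saves the given request in the {@value #STORE_NAME} transient store under {@code key}.
     *
     * @param key the store key
     * @param authorizationRequest the request to persist
     */
    public static void store(String key, AuthorizationRequest authorizationRequest) {
        Framework.getService(TransientStoreService.class)
                 .getStore(STORE_NAME)
                 .putParameters(key, authorizationRequest.toMap());
    }

    /**
     * Loads the request stored under {@code key}.
     *
     * @param key the store key
     * @return the stored request, or {@code null} when nothing is stored under that key or the stored request is
     *         {@link #isExpired() expired}
     */
    public static AuthorizationRequest get(String key) {
        Map<String, Serializable> parameters = Framework.getService(TransientStoreService.class)
                                                        .getStore(STORE_NAME)
                                                        .getParameters(key);
        if (parameters == null) {
            return null;
        }
        AuthorizationRequest request = fromMap(parameters);
        // An expired request is reported as absent so callers cannot redeem a stale code.
        return request.isExpired() ? null : request;
    }

    /**
     * Removes the request stored under {@code key}, if any.
     *
     * @param key the store key
     */
    public static void remove(String key) {
        Framework.getService(TransientStoreService.class).getStore(STORE_NAME).remove(key);
    }

    /**
     * Reads the authorization parameters from the HTTP request. The username is taken from the authenticated
     * principal, never from a request parameter.
     *
     * @param httpServletRequest the authorization endpoint request
     */
    protected AuthorizationRequest(HttpServletRequest httpServletRequest) {
        super(httpServletRequest);
        responseType = httpServletRequest.getParameter(Constants.RESPONSE_TYPE_PARAM);
        scope = httpServletRequest.getParameter(Constants.SCOPE_PARAM);
        Principal principal = httpServletRequest.getUserPrincipal();
        if (principal != null) {
            username = principal.getName();
        }
        creationDate = new Date();
        codeChallenge = httpServletRequest.getParameter(Constants.CODE_CHALLENGE_PARAM);
        codeChallengeMethod = httpServletRequest.getParameter(Constants.CODE_CHALLENGE_METHOD_PARAM);
    }

    /**
     * Restores a request from its {@link #toMap()} form.
     *
     * @param map the serialized request; missing keys leave the corresponding field {@code null}
     */
    protected AuthorizationRequest(Map<String, Serializable> map) {
        clientId = (String) map.get(CLIENT_ID_KEY);
        redirectURI = (String) map.get(REDIRECT_URI_KEY);
        responseType = (String) map.get(RESPONSE_TYPE_KEY);
        scope = (String) map.get(Constants.SCOPE_PARAM);
        creationDate = (Date) map.get(CREATION_DATE_KEY);
        authorizationCode = (String) map.get(AUTHORIZATION_CODE_KEY);
        username = (String) map.get(USERNAME_KEY);
        codeChallenge = (String) map.get(CODE_CHALLENGE_KEY);
        codeChallengeMethod = (String) map.get(CODE_CHALLENGE_METHOD_KEY);
    }

    /**
     * Validates this request against the registered OAuth2 client.
     * <p>
     * Checks, in order: presence of {@code client_id} and {@code response_type}; {@code response_type} equal to
     * {@code "code"}; a known and enabled client; at least one configured redirect URI; the requested
     * {@code redirect_uri} (when given) being an exact match of a configured one; the effective redirect URI being
     * acceptable to {@link OAuth2Client#isRedirectURIValid(String)}; and consistent PKCE parameters (both or
     * neither, with a supported method).
     *
     * @return the first error found, or {@code null} when the request is valid
     */
    public OAuth2Error checkError() {
        if (StringUtils.isBlank(clientId)) {
            return OAuth2Error.invalidRequest(String.format(MISSING_REQUIRED_FIELD_MESSAGE, Constants.CLIENT_ID_PARAM));
        }
        if (StringUtils.isBlank(responseType)) {
            return OAuth2Error.invalidRequest(
                    String.format(MISSING_REQUIRED_FIELD_MESSAGE, Constants.RESPONSE_TYPE_PARAM));
        }
        if (!"code".equals(responseType)) {
            return OAuth2Error.unsupportedResponseType(String.format("Unknown %s: got \"%s\", expecting \"%s\".",
                    Constants.RESPONSE_TYPE_PARAM, responseType, "code"));
        }

        OAuth2Client client = Framework.getService(OAuth2ClientService.class).getClient(clientId);
        if (client == null) {
            return OAuth2Error.invalidRequest(String.format("Invalid %s: %s.", Constants.CLIENT_ID_PARAM, clientId));
        }
        if (!client.isEnabled()) {
            return OAuth2Error.accessDenied(String.format("Client %s is disabled.", clientId));
        }
        if (StringUtils.isBlank(client.getName())) {
            // Misconfiguration only: a missing name does not block the flow.
            log.error(String.format(
                    "No name set for OAuth2 client %s. It is a required field, please make sure you update this OAuth2 client.",
                    client));
        }

        OAuth2Error redirectError = checkRedirectURI(client);
        if (redirectError != null) {
            return redirectError;
        }
        return checkPKCE();
    }

    /**
     * Resolves and validates the redirect URI for {@code client}. When the request carries no {@code redirect_uri},
     * the client's first configured URI is used; otherwise the request value must exactly match a configured one
     * (no prefix or pattern matching, which would allow open redirects).
     *
     * @param client the registered client
     * @return an error, or {@code null} when the redirect URI is acceptable
     */
    protected OAuth2Error checkRedirectURI(OAuth2Client client) {
        List<String> redirectURIs = client.getRedirectURIs();
        if (CollectionUtils.isEmpty(redirectURIs)) {
            log.error(String.format(
                    "No redirect URI set for OAuth2 client %s, at least one is required. Please make sure you update this OAuth2 client.",
                    client));
            return OAuth2Error.accessDenied("No redirect URI configured for the app.");
        }

        String effectiveRedirectURI;
        if (StringUtils.isBlank(redirectURI)) {
            effectiveRedirectURI = redirectURIs.get(0);
        } else if (redirectURIs.contains(redirectURI)) {
            effectiveRedirectURI = redirectURI;
        } else {
            return OAuth2Error.invalidRequest(String.format(
                    "Invalid %s parameter: %s. It must exactly match one of the redirect URIs configured for the app.",
                    Constants.REDIRECT_URI_PARAM, redirectURI));
        }

        if (!OAuth2Client.isRedirectURIValid(effectiveRedirectURI)) {
            log.error(String.format(
                    "The redirect URI %s set for OAuth2 client %s is invalid: it must not be empty and start with https for security reasons. Please make sure you update this OAuth2 client.",
                    effectiveRedirectURI, client));
            return OAuth2Error.invalidRequest(String.format(
                    "Invalid redirect URI configured for the app: %s. It must not be empty and start with https for security reasons.",
                    effectiveRedirectURI));
        }
        return null;
    }

    /**
     * Validates the PKCE parameters: {@code code_challenge} and {@code code_challenge_method} must be sent together
     * or not at all, and the method must be one of {@link Constants#CODE_CHALLENGE_METHODS_SUPPORTED}.
     * <p>
     * NOTE(review): the length/charset of {@code code_challenge} itself (RFC 7636 §4.2) is not checked here; the
     * value is only compared against the verifier at token time.
     *
     * @return an error, or {@code null} when the PKCE parameters are consistent
     */
    protected OAuth2Error checkPKCE() {
        boolean onlyOnePresent = (codeChallenge == null) != (codeChallengeMethod == null);
        if (onlyOnePresent) {
            return OAuth2Error.invalidRequest(String.format(
                    "Invalid PKCE parameters: either both %s and %s parameters must be sent or none of them.",
                    Constants.CODE_CHALLENGE_PARAM, Constants.CODE_CHALLENGE_METHOD_PARAM));
        }
        if (codeChallengeMethod != null && !Constants.CODE_CHALLENGE_METHODS_SUPPORTED.contains(codeChallengeMethod)) {
            return OAuth2Error.invalidRequest(String.format(
                    "Invalid %s parameter: transform algorithm %s not supported. The server only supports %s.",
                    Constants.CODE_CHALLENGE_METHOD_PARAM, codeChallengeMethod,
                    Constants.CODE_CHALLENGE_METHODS_SUPPORTED));
        }
        return null;
    }

    /**
     * Tells whether this request is older than {@link #EXPIRATION_DELAY_MS}.
     * <p>
     * A request with no creation date (for instance a store entry missing that key) cannot be aged and is
     * treated as expired, so it can never be redeemed.
     *
     * @return {@code true} when the request must no longer be honored
     */
    public boolean isExpired() {
        if (creationDate == null) {
            return true;
        }
        return System.currentTimeMillis() - creationDate.getTime() > EXPIRATION_DELAY_MS;
    }

    public String getResponseType() {
        return responseType;
    }

    public String getScope() {
        return scope;
    }

    public String getUsername() {
        return username;
    }

    /**
     * Returns the authorization code, generating it with a cryptographically strong generator on first access.
     * <p>
     * NOTE(review): {@value #AUTHORIZATION_CODE_LENGTH} alphanumeric characters gives roughly 59 bits of entropy;
     * RFC 6749 §10.10 suggests at least 128 bits for such credentials — confirm the intended strength before
     * changing the length.
     *
     * @return the (possibly freshly generated) authorization code
     */
    public String getAuthorizationCode() {
        if (StringUtils.isBlank(authorizationCode)) {
            authorizationCode = GENERATOR.generate(AUTHORIZATION_CODE_LENGTH);
        }
        return authorizationCode;
    }

    public String getCodeChallenge() {
        return codeChallenge;
    }

    public String getCodeChallengeMethod() {
        return codeChallengeMethod;
    }

    /**
     * Serializes this request for the transient store. Only non-null fields are written.
     *
     * @return a new mutable map of the request's fields
     */
    public Map<String, Serializable> toMap() {
        Map<String, Serializable> map = new HashMap<>();
        putIfNotNull(map, CLIENT_ID_KEY, clientId);
        putIfNotNull(map, REDIRECT_URI_KEY, redirectURI);
        putIfNotNull(map, RESPONSE_TYPE_KEY, responseType);
        putIfNotNull(map, Constants.SCOPE_PARAM, scope);
        putIfNotNull(map, CREATION_DATE_KEY, creationDate);
        putIfNotNull(map, AUTHORIZATION_CODE_KEY, authorizationCode);
        putIfNotNull(map, USERNAME_KEY, username);
        putIfNotNull(map, CODE_CHALLENGE_KEY, codeChallenge);
        putIfNotNull(map, CODE_CHALLENGE_METHOD_KEY, codeChallengeMethod);
        return map;
    }

    /** Adds {@code value} under {@code key} unless it is {@code null}. */
    private static void putIfNotNull(Map<String, Serializable> map, String key, Serializable value) {
        if (value != null) {
            map.put(key, value);
        }
    }

    /**
     * Checks a PKCE {@code code_verifier} against the stored challenge (RFC 7636 §4.6).
     * <p>
     * For {@code S256} the expected challenge is {@code BASE64URL(SHA256(verifier))} without padding; for
     * {@code plain} it is the verifier itself. The comparison is constant-time so a mismatch position is not
     * observable through timing.
     *
     * @param codeVerifier the verifier presented at the token endpoint; {@code null} never matches
     * @return {@code true} only when a challenge and a supported method are set and the verifier matches
     */
    public boolean isCodeVerifierValid(String codeVerifier) {
        if (codeVerifier == null || codeChallenge == null || codeChallengeMethod == null) {
            return false;
        }
        String expectedChallenge;
        if (Constants.CODE_CHALLENGE_METHOD_S256.equals(codeChallengeMethod)) {
            expectedChallenge = Base64.encodeBase64URLSafeString(DigestUtils.sha256(codeVerifier));
        } else if (Constants.CODE_CHALLENGE_METHOD_PLAIN.equals(codeChallengeMethod)) {
            expectedChallenge = codeVerifier;
        } else {
            return false;
        }
        return MessageDigest.isEqual(codeChallenge.getBytes(StandardCharsets.UTF_8),
                expectedChallenge.getBytes(StandardCharsets.UTF_8));
    }
}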
