package org.apereo.cas.support.oauth.web;

import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.OAuth20ResponseTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationRequestValidator;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenGrantRequestExtractor;
import org.apereo.cas.util.CollectionUtils;
import org.apereo.cas.util.spring.beans.BeanSupplier;
import org.jooq.lambda.Unchecked;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.jee.context.JEEContext;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.web.servlet.AsyncHandlerInterceptor;
import org.springframework.web.servlet.HandlerInterceptor;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-core-api-6.6.0.jar:org/apereo/cas/support/oauth/web/OAuth20HandlerInterceptorAdapter.class */
public class OAuth20HandlerInterceptorAdapter implements AsyncHandlerInterceptor {
    protected final ObjectProvider<HandlerInterceptor> requiresAuthenticationAccessTokenInterceptor;
    protected final ObjectProvider<HandlerInterceptor> requiresAuthenticationAuthorizeInterceptor;
    private final ObjectProvider<List<AccessTokenGrantRequestExtractor>> accessTokenGrantRequestExtractors;
    private final ObjectProvider<ServicesManager> servicesManager;
    private final ObjectProvider<SessionStore> sessionStore;
    private final ObjectProvider<List<OAuth20AuthorizationRequestValidator>> oauthAuthorizationRequestValidators;
    private final ObjectProvider<OAuth20RequestParameterResolver> requestParameterResolver;

    @Override // org.springframework.web.servlet.HandlerInterceptor
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj) throws Exception {
        return requestRequiresAuthentication(httpServletRequest, httpServletResponse) ? this.requiresAuthenticationAccessTokenInterceptor.getObject().preHandle(httpServletRequest, httpServletResponse, obj) : isDeviceTokenRequest(httpServletRequest, httpServletResponse) ? this.requiresAuthenticationAuthorizeInterceptor.getObject().preHandle(httpServletRequest, httpServletResponse, obj) : !isAuthorizationRequest(httpServletRequest, httpServletResponse) || this.requiresAuthenticationAuthorizeInterceptor.getObject().preHandle(httpServletRequest, httpServletResponse, obj);
    }

    protected boolean clientNeedAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        OAuthRegisteredService registeredOAuthServiceByClientId;
        String left = this.requestParameterResolver.getObject().resolveClientIdAndClientSecret(new JEEContext(httpServletRequest, httpServletResponse), this.sessionStore.getObject()).getLeft();
        return left.isEmpty() || (registeredOAuthServiceByClientId = OAuth20Utils.getRegisteredOAuthServiceByClientId(this.servicesManager.getObject(), left)) == null || OAuth20Utils.doesServiceNeedAuthentication(registeredOAuthServiceByClientId);
    }

    protected boolean isRevokeTokenRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return doesUriMatchPattern(httpServletRequest.getRequestURI(), getRevocationUrls());
    }

    protected List<String> getRevocationUrls() {
        return CollectionUtils.wrapList("revoke");
    }

    protected boolean isAccessTokenRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return doesUriMatchPattern(httpServletRequest.getRequestURI(), getAccessTokenUrls());
    }

    protected List<String> getAccessTokenUrls() {
        return CollectionUtils.wrapList(OAuth20Constants.ACCESS_TOKEN_URL, "token");
    }

    protected boolean isDeviceTokenRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return doesUriMatchPattern(httpServletRequest.getRequestURI(), CollectionUtils.wrapList(OAuth20Constants.DEVICE_AUTHZ_URL));
    }

    protected boolean requestRequiresAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        JEEContext jEEContext = new JEEContext(httpServletRequest, httpServletResponse);
        if (isRevokeTokenRequest(httpServletRequest, httpServletResponse)) {
            return clientNeedAuthentication(httpServletRequest, httpServletResponse);
        }
        boolean isAccessTokenRequest = isAccessTokenRequest(httpServletRequest, httpServletResponse);
        Optional<AccessTokenGrantRequestExtractor> extractAccessTokenGrantRequest = extractAccessTokenGrantRequest(jEEContext);
        if (isAccessTokenRequest) {
            return extractAccessTokenGrantRequest.isPresent() && extractAccessTokenGrantRequest.get().getResponseType() != OAuth20ResponseTypes.DEVICE_CODE;
        }
        if (extractAccessTokenGrantRequest.isPresent()) {
            return extractAccessTokenGrantRequest.get().requestMustBeAuthenticated();
        }
        return false;
    }

    protected boolean isAuthorizationRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        return doesUriMatchPattern(httpServletRequest.getRequestURI(), getAuthorizeUrls()) && isValidAuthorizeRequest(new JEEContext(httpServletRequest, httpServletResponse));
    }

    protected List<String> getAuthorizeUrls() {
        return CollectionUtils.wrapList(OAuth20Constants.AUTHORIZE_URL);
    }

    protected boolean doesUriMatchPattern(String str, List<String> list) {
        return list.stream().anyMatch(str2 -> {
            return Pattern.compile("/" + str2 + "(/)*$").matcher(str).find();
        });
    }

    protected boolean isValidAuthorizeRequest(JEEContext jEEContext) throws Exception {
        OAuth20AuthorizationRequestValidator orElse = this.oauthAuthorizationRequestValidators.getObject().stream().filter((v0) -> {
            return BeanSupplier.isNotProxy(v0);
        }).filter(Unchecked.predicate(oAuth20AuthorizationRequestValidator -> {
            return oAuth20AuthorizationRequestValidator.supports(jEEContext);
        })).findFirst().orElse(null);
        return orElse != null && orElse.validate(jEEContext);
    }

    private Optional<AccessTokenGrantRequestExtractor> extractAccessTokenGrantRequest(WebContext webContext) {
        return this.accessTokenGrantRequestExtractors.getObject().stream().filter((v0) -> {
            return BeanSupplier.isNotProxy(v0);
        }).filter(accessTokenGrantRequestExtractor -> {
            return accessTokenGrantRequestExtractor.supports(webContext);
        }).findFirst();
    }

    @Generated
    public OAuth20HandlerInterceptorAdapter(ObjectProvider<HandlerInterceptor> objectProvider, ObjectProvider<HandlerInterceptor> objectProvider2, ObjectProvider<List<AccessTokenGrantRequestExtractor>> objectProvider3, ObjectProvider<ServicesManager> objectProvider4, ObjectProvider<SessionStore> objectProvider5, ObjectProvider<List<OAuth20AuthorizationRequestValidator>> objectProvider6, ObjectProvider<OAuth20RequestParameterResolver> objectProvider7) {
        this.requiresAuthenticationAccessTokenInterceptor = objectProvider;
        this.requiresAuthenticationAuthorizeInterceptor = objectProvider2;
        this.accessTokenGrantRequestExtractors = objectProvider3;
        this.servicesManager = objectProvider4;
        this.sessionStore = objectProvider5;
        this.oauthAuthorizationRequestValidators = objectProvider6;
        this.requestParameterResolver = objectProvider7;
    }
}
