package org.apereo.cas.support.oauth.validator.token;

import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.ObjectUtils;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.support.oauth.OAuth20GrantTypes;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20ConfigurationContext;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.ticket.code.OAuth20Code;
import org.apereo.cas.util.function.FunctionUtils;
import org.jooq.lambda.Unchecked;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oauth-core-api-6.6.0.jar:org/apereo/cas/support/oauth/validator/token/OAuth20AuthorizationCodeGrantTypeTokenRequestValidator.class */
/**
 * Validates access-token requests that use the {@code authorization_code} grant.
 *
 * <p>The checks in {@link #validateInternal} run in this order: the client's registered
 * service must be allowed, the {@code redirect_uri} must be accepted for that service, the
 * presented code must exist and be unexpired, the service that the code was issued to must be
 * the same registered service as the requesting client, and the service must support the
 * requested grant type.
 */
public class OAuth20AuthorizationCodeGrantTypeTokenRequestValidator extends BaseOAuth20TokenRequestValidator {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OAuth20AuthorizationCodeGrantTypeTokenRequestValidator.class);

    /**
     * Creates the validator.
     *
     * @param oAuth20ConfigurationContext shared OAuth configuration context, handed to the base class
     */
    public OAuth20AuthorizationCodeGrantTypeTokenRequestValidator(OAuth20ConfigurationContext oAuth20ConfigurationContext) {
        super(oAuth20ConfigurationContext);
    }

    /**
     * @return always {@link OAuth20GrantTypes#AUTHORIZATION_CODE}
     */
    @Override
    protected OAuth20GrantTypes getGrantType() {
        return OAuth20GrantTypes.AUTHORIZATION_CODE;
    }

    /**
     * Decides whether an authorization-code token request may proceed.
     *
     * @param webContext     request context the {@code redirect_uri} and {@code code} parameters are read from
     * @param str            the grant type received with the request (used in log output and the final support check)
     * @param profileManager not used by this implementation
     * @param userProfile    authenticated client profile; its {@code client_id} attribute, or its id when
     *                       that attribute is null, identifies the client
     * @return {@code true} only when every check passes; {@code false} on a missing parameter, a rejected
     *         redirect URI, an unknown or expired code, a client/code service mismatch, or an unsupported grant type
     */
    /* JADX WARN: Type inference failed for: r0v57, types: [org.apereo.cas.audit.AuditableContext$AuditableContextBuilder] */
    @Override
    protected boolean validateInternal(WebContext webContext, String str, ProfileManager profileManager, UserProfile userProfile) {
        final Optional<String> redirectUri = getConfigurationContext().getRequestParameterResolver().resolveRequestParameter(webContext, "redirect_uri");
        final Optional<String> code = getConfigurationContext().getRequestParameterResolver().resolveRequestParameter(webContext, "code");

        final String clientId = ObjectUtils.defaultIfNull(userProfile.getAttribute("client_id"), userProfile.getId()).toString();
        LOGGER.debug("Locating registered service for client id [{}]", clientId);
        final OAuthRegisteredService clientService = OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), clientId);
        // Presumably throws when the service is missing or disabled, so clientService is usable below;
        // confirm against RegisteredServiceAccessStrategyUtils.
        RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(clientService);
        LOGGER.debug("Received grant type [{}] with client id [{}] and redirect URI [{}]", str, clientId, redirectUri);

        // NOTE(review): the redirect URI is only checked against the registered service here. Whether it is
        // also compared with the redirect URI the code was originally issued for is not visible in this class.
        if (!redirectUri.isPresent() || !code.isPresent() || !OAuth20Utils.checkCallbackValid(clientService, redirectUri.get())) {
            LOGGER.warn("Access token request cannot be validated for grant type [{}] and client id [{}] given the redirect URI [{}]", str, clientId, redirectUri);
            return false;
        }
        final String codeValue = code.get();

        // Expired codes are treated exactly like unknown ones. doAndHandle presumably yields null when the
        // registry lookup throws; confirm against FunctionUtils.
        final OAuth20Code issuedCode = (OAuth20Code) FunctionUtils.doAndHandle(() -> {
            final OAuth20Code candidate = (OAuth20Code) getConfigurationContext().getTicketRegistry().getTicket(codeValue, OAuth20Code.class);
            return candidate != null && !candidate.isExpired() ? candidate : null;
        });

        final boolean revokeRelatedTokens = getConfigurationContext().getCasProperties().getAuthn().getOauth().getCode().isRemoveRelatedAccessTokens();
        if (issuedCode == null || issuedCode.isExpired()) {
            if (revokeRelatedTokens) {
                revokeAccessTokensLinkedTo(codeValue);
            }
            LOGGER.warn("Provided OAuth code [{}] is not found or has expired", codeValue);
            return false;
        }

        final String codeServiceId = issuedCode.getService().getId();
        final OAuthRegisteredService codeService = OAuth20Utils.getRegisteredOAuthServiceByClientId(getConfigurationContext().getServicesManager(), codeServiceId);
        getConfigurationContext().getRegisteredServiceAccessStrategyEnforcer()
            .execute(AuditableContext.builder()
                .service(issuedCode.getService())
                .authentication(issuedCode.getAuthentication())
                .registeredService(codeService)
                .build())
            .throwExceptionIfNeeded();

        // Binding check: the code must have been issued to the same registered service as the caller.
        if (!clientService.equals(codeService)) {
            // NOTE(review): at this point the code was found and is unexpired, and it is written to the
            // log at WARN level; treat these logs as sensitive or mask the value.
            LOGGER.warn("OAuth code [{}] issued to service [{}] does not match [{}] provided, given the redirect URI [{}]", code, codeServiceId, clientService.getName(), redirectUri);
            return false;
        }

        if (!isGrantTypeSupportedBy(clientService, str)) {
            LOGGER.warn("Requested grant type [{}] is not authorized by service definition [{}]", getGrantType(), clientService.getServiceId());
            return false;
        }
        return true;
    }

    /**
     * Deletes every access token in the registry whose {@code getToken()} value equals the given code,
     * ignoring case. Called when an unknown or expired code is presented and the related-token removal
     * setting is enabled.
     *
     * @param codeValue the authorization code received with the request
     */
    private void revokeAccessTokensLinkedTo(final String codeValue) {
        LOGGER.debug("Code [{}] is invalid or expired. Attempting to revoke access tokens issued to the code", codeValue);
        // NOTE(review): assumes OAuth20AccessToken.getToken() holds the originating code; confirm.
        getConfigurationContext().getTicketRegistry().getTickets(ticket -> {
            return (ticket instanceof OAuth20AccessToken) && StringUtils.equalsIgnoreCase(((OAuth20AccessToken) ticket).getToken(), codeValue);
        }).forEach(Unchecked.consumer(accessToken -> {
            LOGGER.debug("Removing access token [{}] issued via expired/unknown code [{}]", accessToken.getId(), codeValue);
            getConfigurationContext().getTicketRegistry().deleteTicket(accessToken);
        }));
    }
}
