package org.forgerock.openam.oauth2;

import com.sun.identity.shared.debug.Debug;
import javax.inject.Inject;
import org.forgerock.oauth2.core.OAuth2Jwt;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.exceptions.ClientAuthenticationFailureFactory;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.openidconnect.Client;
import org.forgerock.openidconnect.OpenIdConnectClientRegistration;
import org.forgerock.openidconnect.OpenIdConnectClientRegistrationStore;
import org.restlet.Request;
import org.restlet.data.ChallengeResponse;

/* loaded from: input_file:org/forgerock/openam/oauth2/ClientCredentialsReader.class */
public class ClientCredentialsReader {

    /** Value of {@code client_assertion_type} that selects JWT-bearer (private_key_jwt) client authentication. */
    private static final String JWT_BEARER_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    private final Debug logger = Debug.getInstance("OAuth2Provider");
    private final OpenIdConnectClientRegistrationStore clientRegistrationStore;
    private final ClientAuthenticationFailureFactory failureFactory;

    /**
     * Creates a reader backed by the given registration store and failure factory.
     *
     * @param openIdConnectClientRegistrationStore Store used to resolve the client registration for a client id.
     * @param clientAuthenticationFailureFactory Factory producing the exception reported on authentication failure.
     */
    @Inject
    public ClientCredentialsReader(OpenIdConnectClientRegistrationStore openIdConnectClientRegistrationStore, ClientAuthenticationFailureFactory clientAuthenticationFailureFactory) {
        this.clientRegistrationStore = openIdConnectClientRegistrationStore;
        this.failureFactory = clientAuthenticationFailureFactory;
    }

    /**
     * Extracts the client's credentials from the request, trying the supported methods in this order:
     * JWT bearer assertion ({@code client_assertion_type} = jwt-bearer), HTTP Basic challenge response,
     * then {@code client_id}/{@code client_secret} form parameters.
     *
     * <p>A client that presents HTTP Basic credentials together with a {@code client_id} parameter or a JWT
     * assertion is rejected as using multiple authentication methods. Once the client id is known, the
     * registration is looked up and, for clients allowed the {@code openid} scope hitting the
     * {@code access_token} endpoint, the method actually used must match the registered
     * token endpoint authentication method.
     *
     * @param oAuth2Request The OAuth2 request.
     * @param str The audience the JWT assertion must be intended for; when {@code null} the audience check is skipped.
     * @return The extracted client credentials.
     * @throws InvalidRequestException If Basic credentials and a {@code client_id} parameter are both present.
     * @throws InvalidClientException If no client id can be determined, the JWT assertion fails verification,
     *         or the authentication method is not permitted for the client.
     * @throws NotFoundException If the client registration cannot be found.
     */
    public ClientCredentials extractCredentials(OAuth2Request oAuth2Request, String str) throws InvalidRequestException, InvalidClientException, NotFoundException {
        final Request request = oAuth2Request.getRequest();
        final ChallengeResponse basicAuth = request.getChallengeResponse();
        final boolean hasBasicAuth = basicAuth != null;

        final ClientCredentials credentials;
        final Client.TokenEndpointAuthMethod usedMethod;
        if (JWT_BEARER_ASSERTION_TYPE.equalsIgnoreCase((String) oAuth2Request.getParameter("client_assertion_type"))) {
            credentials = verifyJwtBearer(oAuth2Request, hasBasicAuth, str);
            usedMethod = Client.TokenEndpointAuthMethod.PRIVATE_KEY_JWT;
        } else {
            credentials = readSecretCredentials(oAuth2Request, basicAuth);
            // Basic credentials, when present, take precedence over the form parameters.
            usedMethod = hasBasicAuth
                    ? Client.TokenEndpointAuthMethod.CLIENT_SECRET_BASIC
                    : Client.TokenEndpointAuthMethod.CLIENT_SECRET_POST;
        }

        final OpenIdConnectClientRegistration registration =
                this.clientRegistrationStore.get(credentials.getClientId(), oAuth2Request);
        // The registered token endpoint auth method is only enforced for openid-capable clients on the
        // access_token endpoint; other scopes/endpoints accept any of the methods above.
        final boolean enforceRegisteredMethod = registration.getAllowedScopes().contains("openid")
                && request.getResourceRef().getLastSegment().equals("access_token");
        if (enforceRegisteredMethod && !registration.getTokenEndpointAuthMethod().equals(usedMethod.getType())) {
            throw this.failureFactory.getException(oAuth2Request, "Invalid authentication method for accessing this endpoint.");
        }
        return credentials;
    }

    /**
     * Reads client_secret_basic or client_secret_post credentials.
     *
     * @param oAuth2Request The OAuth2 request.
     * @param basicAuth The HTTP Basic challenge response, or {@code null} if none was sent.
     * @return Credentials whose secret is {@code null} only when neither a Basic secret nor a
     *         {@code client_secret} parameter was supplied.
     * @throws InvalidRequestException If Basic credentials and a {@code client_id} parameter are both present.
     * @throws InvalidClientException If no non-empty client id is available.
     * @throws NotFoundException Declared for parity with the failure factory's exception.
     */
    private ClientCredentials readSecretCredentials(OAuth2Request oAuth2Request, ChallengeResponse basicAuth)
            throws InvalidRequestException, InvalidClientException, NotFoundException {
        String clientId = (String) oAuth2Request.getParameter("client_id");
        String clientSecret = (String) oAuth2Request.getParameter("client_secret");

        if (basicAuth != null) {
            if (clientId != null) {
                this.logger.error("Client (" + clientId + ") using multiple authentication methods");
                throw new InvalidRequestException("Client authentication failed");
            }
            clientId = basicAuth.getIdentifier();
            // NOTE(review): the Basic secret is materialised as a String here before being turned back
            // into a char[]; an absent/empty Basic secret becomes an empty (not null) secret.
            final char[] basicSecret = basicAuth.getSecret();
            clientSecret = (basicSecret != null && basicSecret.length > 0) ? String.valueOf(basicSecret) : "";
        }

        if (clientId == null || clientId.isEmpty()) {
            this.logger.error("Client Id is not set");
            throw this.failureFactory.getException(oAuth2Request, "Client authentication failed");
        }

        final char[] secret = clientSecret == null ? null : clientSecret.toCharArray();
        return new ClientCredentials(clientId, secret, false, basicAuth != null);
    }

    /**
     * Verifies a JWT-bearer client assertion and derives credentials from its subject.
     *
     * <p>Checks, in order: the assertion is not expired, the registration for the subject verifies the JWT's
     * identity, no HTTP Basic credentials were sent alongside it, and (only when an expected audience is
     * given) the assertion is intended for that audience.
     *
     * @param oAuth2Request The OAuth2 request carrying the {@code client_assertion} parameter.
     * @param hasBasicAuth Whether the request also carried an HTTP Basic challenge response.
     * @param expectedAudience The audience to validate against, or {@code null} to skip the audience check.
     * @return Credentials for the assertion's subject, flagged as authenticated by JWT.
     * @throws InvalidClientException If any of the checks above fails.
     * @throws NotFoundException If no registration exists for the assertion's subject.
     * @throws InvalidRequestException Declared for parity with the failure factory's exception.
     */
    private ClientCredentials verifyJwtBearer(OAuth2Request oAuth2Request, boolean hasBasicAuth, String expectedAudience)
            throws InvalidClientException, InvalidRequestException, NotFoundException {
        final OAuth2Jwt assertion = OAuth2Jwt.create((String) oAuth2Request.getParameter("client_assertion"));
        final String subject = assertion.getSubject();
        // The registration lookup happens before the expiry check, so an unknown subject surfaces as not found.
        final OpenIdConnectClientRegistration registration = this.clientRegistrationStore.get(subject, oAuth2Request);

        if (assertion.isExpired()) {
            throw this.failureFactory.getException(oAuth2Request, "JWT has expired");
        }
        if (!registration.verifyJwtIdentity(assertion)) {
            throw this.failureFactory.getException(oAuth2Request, "JWT is not valid");
        }
        if (hasBasicAuth && subject != null) {
            this.logger.error("Client (" + subject + ") using multiple authentication methods");
            throw this.failureFactory.getException(oAuth2Request, "Client authentication failed");
        }
        // NOTE(review): a null expected audience disables audience validation entirely; callers should pass
        // the token endpoint URI whenever it is known.
        if (expectedAudience != null && !assertion.isIntendedForAudience(expectedAudience)) {
            throw this.failureFactory.getException(oAuth2Request, "Audience validation failed");
        }
        return new ClientCredentials(subject, null, true, false);
    }
}
