package org.forgerock.oauth2.core;

import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.forgerock.http.MutableUri;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.InvalidCodeException;
import org.forgerock.oauth2.core.exceptions.InvalidGrantException;
import org.forgerock.oauth2.core.exceptions.InvalidRequestException;
import org.forgerock.oauth2.core.exceptions.NotFoundException;
import org.forgerock.oauth2.core.exceptions.RedirectUriMismatchException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.oauth2.core.exceptions.UnauthorizedClientException;
import org.forgerock.openam.oauth2.OAuth2UrisFactory;
import org.forgerock.util.encode.Base64url;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

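/**
 * Grant type handler for the OAuth 2.0 authorization code grant (RFC 6749 section 4.1.3).
 *
 * <p>On each token request it runs the configured request validators, loads the authorization
 * code from the {@link TokenStore}, checks that the code is unused, unexpired, bound to the
 * presenting client and redirect URI and (when PKCE is in play) to the supplied
 * {@code code_verifier}, then generates the access token and marks the code as issued.
 *
 * <p>Redemption of a given code is serialised within this JVM via a lock on the interned code
 * string; a code that is presented a second time causes every token derived from it to be
 * revoked.
 */
@Singleton
/* loaded from: input_file:org/forgerock/oauth2/core/AuthorizationCodeGrantTypeHandler.class */
public class AuthorizationCodeGrantTypeHandler extends GrantTypeHandler {
    private final Logger logger;
    // Validators run before any token-store access, in list order.
    private final List<AuthorizationCodeRequestValidator> requestValidators;
    private final TokenStore tokenStore;
    // Used to revoke every token tied to a code that is presented a second time.
    private final TokenInvalidator tokenInvalidator;
    private final GrantTypeAccessTokenGenerator accessTokenGenerator;

    /**
     * Constructs the handler.
     *
     * @param list the request validators to apply to every token request
     * @param clientAuthenticator the client authenticator passed to the base handler
     * @param tokenStore the store that holds authorization codes
     * @param tokenInvalidator revokes tokens when a code is replayed
     * @param oAuth2ProviderSettingsFactory provider settings factory passed to the base handler
     * @param oAuth2UrisFactory URIs factory passed to the base handler
     * @param grantTypeAccessTokenGenerator generates the access token once the code is accepted
     */
    @Inject
    public AuthorizationCodeGrantTypeHandler(List<AuthorizationCodeRequestValidator> list, ClientAuthenticator clientAuthenticator, TokenStore tokenStore, TokenInvalidator tokenInvalidator, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory, OAuth2UrisFactory oAuth2UrisFactory, GrantTypeAccessTokenGenerator grantTypeAccessTokenGenerator) {
        super(oAuth2ProviderSettingsFactory, oAuth2UrisFactory, clientAuthenticator);
        this.logger = LoggerFactory.getLogger("OAuth2Provider");
        this.requestValidators = list;
        this.tokenStore = tokenStore;
        this.tokenInvalidator = tokenInvalidator;
        this.accessTokenGenerator = grantTypeAccessTokenGenerator;
    }

    /**
     * Exchanges an authorization code for an access token.
     *
     * @param oAuth2Request the token request; {@code code} and {@code redirect_uri} are read from it,
     *        plus {@code code_verifier} and {@code grant_type}
     * @param clientRegistration the client that authenticated to the token endpoint
     * @param oAuth2ProviderSettings provider settings for the realm handling the request
     * @return the generated access token, with {@code nonce} and (when non-empty) {@code scope} added
     *         as extra data
     * @throws InvalidRequestException if {@code code} is missing or unknown, {@code code_verifier} is
     *         required but absent, or {@code redirect_uri} is not a valid URI
     * @throws InvalidGrantException if the code was already used, has expired, or was issued to a
     *         different client or redirect URI, or the PKCE verifier does not match
     */
    @Override // org.forgerock.oauth2.core.GrantTypeHandler
    public AccessToken handle(OAuth2Request oAuth2Request, ClientRegistration clientRegistration, OAuth2ProviderSettings oAuth2ProviderSettings) throws RedirectUriMismatchException, InvalidClientException, InvalidRequestException, InvalidCodeException, InvalidGrantException, ServerException, NotFoundException, UnauthorizedClientException {
        for (AuthorizationCodeRequestValidator validator : this.requestValidators) {
            validator.validateRequest(oAuth2Request, clientRegistration);
        }
        final String code = (String) oAuth2Request.getParameter("code");
        final String redirectUri = (String) oAuth2Request.getParameter("redirect_uri");
        final String codeVerifier = (String) oAuth2Request.getParameter("code_verifier");
        if (code == null) {
            // Without this guard a missing "code" reaches code.intern() below and fails with an NPE.
            this.logger.error("Authorization code parameter missing from token request.");
            throw new InvalidRequestException("code parameter required");
        }

        final Set<String> scope;
        final AccessToken accessToken;
        final AuthorizationCode authorizationCode;
        // Serialise redemptions of the same code within this JVM. The store read is done under the
        // lock so that the isIssued() check sees the state written by a competing redemption; reading
        // it before taking the lock left a check-then-act window if the store hands out a fresh copy
        // per read. NOTE(review): this lock is per-JVM only; cross-node replay protection has to come
        // from the token store.
        synchronized (code.intern()) {
            authorizationCode = this.tokenStore.readAuthorizationCode(oAuth2Request, code);
            if (authorizationCode == null) {
                // NOTE(review): the raw code value is written to the log here and below.
                this.logger.error("Authorization code doesn't exist, " + code);
                throw new InvalidRequestException("Authorization code doesn't exist.");
            }
            if (oAuth2ProviderSettings.isCodeVerifierRequired() && codeVerifier == null) {
                throw new InvalidRequestException("code_verifier parameter required");
            }
            if (authorizationCode.isIssued()) {
                // Replay of a used code: revoke everything that was granted from it (RFC 6749 s4.1.2).
                this.tokenInvalidator.invalidateTokens(oAuth2Request, authorizationCode.getClientId(), authorizationCode.getResourceOwnerId(), authorizationCode.getAuthGrantId());
                this.logger.error("Authorization Code has already been issued, " + code);
                throw new InvalidGrantException();
            }
            try {
                // The stored redirect URI is compared without its query and fragment.
                // NOTE(review): the comparison is case-insensitive, which is more lenient than the
                // exact match RFC 6749 s3.1.2 calls for on the path component.
                final MutableUri expectedUri = MutableUri.uri(authorizationCode.getRedirectUri());
                if (expectedUri.getRawQuery() != null) {
                    expectedUri.setQuery((String) null);
                }
                if (expectedUri.getRawFragment() != null) {
                    expectedUri.setRawFragment((String) null);
                }
                if (!expectedUri.toString().equalsIgnoreCase(redirectUri)) {
                    this.logger.error("Authorization code was issued with a different redirect URI, " + code + ". Expected, " + authorizationCode.getRedirectUri() + ", actual, " + redirectUri);
                    throw new InvalidGrantException();
                }
                if (!authorizationCode.getClientId().equalsIgnoreCase(clientRegistration.getClientId())) {
                    this.logger.error("Authorization Code was issued to a different client, " + code + ". Expected, " + authorizationCode.getClientId() + ", actual, " + clientRegistration.getClientId());
                    throw new InvalidGrantException();
                }
                if (authorizationCode.isExpired()) {
                    this.logger.error("Authorization code has expired, " + code);
                    throw new InvalidGrantException("Authorization code expired.");
                }
                if (codeVerifier != null) {
                    checkCodeVerifier(authorizationCode, codeVerifier);
                } else if (authorizationCode.getCodeChallenge() != null) {
                    // RFC 7636 s4.6: a code that was bound to a code_challenge may only be redeemed with
                    // its verifier, even when the provider does not require PKCE globally. Previously a
                    // client could simply omit code_verifier and bypass the challenge.
                    this.logger.error("Authorization code was issued with a code challenge but no code_verifier was supplied, " + code);
                    throw new InvalidRequestException("code_verifier parameter required");
                }
                final String grantType = (String) oAuth2Request.getParameter("grant_type");
                scope = authorizationCode.getScope();
                accessToken = this.accessTokenGenerator.generateAccessToken(oAuth2ProviderSettings, grantType, clientRegistration.getClientId(), authorizationCode.getResourceOwnerId(), redirectUri, scope, oAuth2ProviderSettings.validateRequestedClaims(authorizationCode.getClaims()), code, authorizationCode.getNonce(), oAuth2Request);
                // Mark the code as consumed only after the token was generated successfully.
                authorizationCode.setIssued();
                this.tokenStore.updateAuthorizationCode(oAuth2Request, authorizationCode);
            } catch (URISyntaxException e) {
                throw new InvalidRequestException("Invalid parameter: redirect_uri");
            }
        }

        accessToken.addExtraData("nonce", authorizationCode.getNonce());
        // The session id is exposed to the provider hook only, then cleared so it is never returned
        // to the client in the token response.
        accessToken.addExtraData("ssoTokenId", authorizationCode.getSessionId());
        oAuth2ProviderSettings.additionalDataToReturnFromTokenEndpoint(accessToken, oAuth2Request);
        accessToken.addExtraData("ssoTokenId", null);
        if (scope != null && !scope.isEmpty()) {
            accessToken.addExtraData("scope", Utils.joinScope(scope));
        }
        return accessToken;
    }

    /**
     * Verifies a PKCE {@code code_verifier} against the challenge stored with the code.
     *
     * @param authorizationCode the code being redeemed; supplies the challenge and its method
     * @param codeVerifier the verifier presented by the client (never null here)
     * @throws InvalidGrantException if the verifier does not match, or SHA-256 is unavailable
     * @throws InvalidRequestException if the stored challenge method is neither {@code plain} nor
     *         {@code S256}
     */
    private void checkCodeVerifier(AuthorizationCode authorizationCode, String codeVerifier) throws InvalidGrantException, InvalidRequestException {
        final String codeChallenge = authorizationCode.getCodeChallenge();
        final String codeChallengeMethod = authorizationCode.getCodeChallengeMethod();
        if ("plain".equals(codeChallengeMethod)) {
            checkCodeChallenge(codeChallenge, codeVerifier);
        } else if ("S256".equals(codeChallengeMethod)) {
            try {
                // RFC 7636 s4.2: BASE64URL(SHA256(ASCII(code_verifier))); the verifier alphabet is ASCII-only.
                final byte[] digest = MessageDigest.getInstance("SHA-256").digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
                checkCodeChallenge(codeChallenge, Base64url.encode(digest));
            } catch (NoSuchAlgorithmException e) {
                this.logger.error("Error encoding code verifier.", e);
                throw new InvalidGrantException();
            }
        } else {
            throw new InvalidRequestException("Invalid code challenge method specified.");
        }
    }

    /**
     * Compares the stored challenge with the one derived from the presented verifier in constant time.
     *
     * @param codeChallenge the challenge stored with the authorization code; may be null if the code
     *        was issued without PKCE
     * @param derivedChallenge the value derived from the client's verifier (never null)
     * @throws InvalidGrantException if there is no stored challenge or the values differ
     */
    private void checkCodeChallenge(String codeChallenge, String derivedChallenge) throws InvalidGrantException {
        // A null stored challenge used to surface as an NPE; treat it as a failed verification instead.
        // An explicit charset avoids depending on the platform default for the byte comparison.
        if (codeChallenge == null
                || !MessageDigest.isEqual(derivedChallenge.getBytes(StandardCharsets.UTF_8), codeChallenge.getBytes(StandardCharsets.UTF_8))) {
            this.logger.error("Incorrect Code Verifier,");
            throw new InvalidGrantException();
        }
    }
}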
