package pl.edu.icm.unity.oauth.as.token;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.nimbusds.oauth2.sdk.AccessTokenResponse;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.client.ClientType;
import com.nimbusds.oauth2.sdk.pkce.CodeChallenge;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import java.util.Date;
import javax.ws.rs.core.Response;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.token.Token;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.token.TokensManagement;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;
import pl.edu.icm.unity.oauth.as.OAuthProcessor;
import pl.edu.icm.unity.oauth.as.OAuthToken;
import pl.edu.icm.unity.oauth.as.OAuthTokenRepository;
import pl.edu.icm.unity.store.api.tx.TransactionalRunner;
import pl.edu.icm.unity.types.basic.EntityParam;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/token/AuthzCodeHandler.class */
class AuthzCodeHandler {
    private static final Logger log = Log.getLogger("unity.server.oauth", AuthzCodeHandler.class);
    private TokensManagement tokensManagement;
    private OAuthASProperties config;
    private TransactionalRunner tx;
    private AccessTokenFactory accessTokenFactory;
    private OAuthTokenRepository oauthTokenDAO;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:pl/edu/icm/unity/oauth/as/token/AuthzCodeHandler$TokensPair.class */
    public static class TokensPair {
        Token codeToken;
        OAuthToken parsedAuthzCodeToken;

        public TokensPair(Token token, OAuthToken oAuthToken) {
            this.codeToken = token;
            this.parsedAuthzCodeToken = oAuthToken;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AuthzCodeHandler(TokensManagement tokensManagement, OAuthTokenRepository oAuthTokenRepository, OAuthASProperties oAuthASProperties, TransactionalRunner transactionalRunner, AccessTokenFactory accessTokenFactory) {
        this.tokensManagement = tokensManagement;
        this.oauthTokenDAO = oAuthTokenRepository;
        this.config = oAuthASProperties;
        this.tx = transactionalRunner;
        this.accessTokenFactory = accessTokenFactory;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Response handleAuthzCodeFlow(String str, String str2, String str3, String str4) throws EngineException, JsonProcessingException {
        try {
            TokensPair loadAndRemoveAuthzCodeToken = loadAndRemoveAuthzCodeToken(str);
            Token token = loadAndRemoveAuthzCodeToken.codeToken;
            OAuthToken oAuthToken = loadAndRemoveAuthzCodeToken.parsedAuthzCodeToken;
            try {
                verifyPKCE(oAuthToken.getPkcsInfo(), oAuthToken.getClientType(), str3);
                if (oAuthToken.getRedirectUri() != null) {
                    if (str2 == null) {
                        return BaseOAuthResource.makeError(OAuth2Error.INVALID_GRANT, "redirect_uri is required");
                    }
                    if (!str2.equals(oAuthToken.getRedirectUri())) {
                        return BaseOAuthResource.makeError(OAuth2Error.INVALID_GRANT, "redirect_uri is wrong");
                    }
                }
                OAuthToken oAuthToken2 = new OAuthToken(oAuthToken);
                Date date = new Date();
                AccessToken create = this.accessTokenFactory.create(oAuthToken2, date, str4);
                oAuthToken2.setAccessToken(create.getValue());
                RefreshToken addRefreshToken = TokenUtils.addRefreshToken(this.config, this.tokensManagement, date, oAuthToken2, token.getOwner());
                Date accessTokenExpiration = TokenUtils.getAccessTokenExpiration(this.config, date);
                AccessTokenResponse accessTokenResponse = TokenUtils.getAccessTokenResponse(oAuthToken2, create, addRefreshToken, null);
                log.debug("Authz code grant: issuing new access token {}, valid until {}", BaseOAuthResource.tokenToLog(create.getValue()), accessTokenExpiration);
                this.oauthTokenDAO.storeAccessToken(create, oAuthToken2, new EntityParam(token.getOwner()), date, accessTokenExpiration);
                return BaseOAuthResource.toResponse(Response.ok(BaseOAuthResource.getResponseContent(accessTokenResponse)));
            } catch (OAuthErrorException e) {
                return e.response;
            }
        } catch (OAuthErrorException e2) {
            return e2.response;
        }
    }

    private void verifyPKCE(OAuthToken.PKCSInfo pKCSInfo, ClientType clientType, String str) throws OAuthErrorException {
        if (pKCSInfo.getCodeChallenge() == null && clientType == ClientType.PUBLIC) {
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_GRANT, "missing mandatory PKCE"));
        }
        if (pKCSInfo.getCodeChallenge() != null && str == null) {
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_GRANT, "missing PKCE"));
        }
        if (pKCSInfo.getCodeChallenge() == null && str != null) {
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_GRANT, "unexpected PKCE"));
        }
        if (pKCSInfo.getCodeChallenge() == null) {
            return;
        }
        String codeChallengeMethod = pKCSInfo.getCodeChallengeMethod();
        if (codeChallengeMethod == null) {
            codeChallengeMethod = CodeChallengeMethod.PLAIN.getValue();
        }
        verifyPKCEChallenge(pKCSInfo.getCodeChallenge(), str, codeChallengeMethod);
    }

    private void verifyPKCEChallenge(String str, String str2, String str3) throws OAuthErrorException {
        if (!CodeChallenge.compute(CodeChallengeMethod.parse(str3), new CodeVerifier(str2)).getValue().equals(str)) {
            throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_GRANT, "PKCE verification error"));
        }
    }

    private TokensPair loadAndRemoveAuthzCodeToken(String str) throws OAuthErrorException, EngineException {
        return (TokensPair) this.tx.runInTransactionRetThrowing(() -> {
            try {
                Token tokenById = this.tokensManagement.getTokenById(OAuthProcessor.INTERNAL_CODE_TOKEN, str);
                OAuthToken parseInternalToken = BaseOAuthResource.parseInternalToken(tokenById);
                long entityId = InvocationContext.getCurrent().getLoginSession().getEntityId();
                if (parseInternalToken.getClientId() != entityId) {
                    log.warn("Client with id " + entityId + " presented authorization code issued for client " + parseInternalToken.getClientId());
                    throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_GRANT, "wrong code"));
                }
                this.tokensManagement.removeToken(OAuthProcessor.INTERNAL_CODE_TOKEN, str);
                return new TokensPair(tokenById, parseInternalToken);
            } catch (IllegalArgumentException e) {
                throw new OAuthErrorException(BaseOAuthResource.makeError(OAuth2Error.INVALID_GRANT, "wrong code"));
            }
        });
    }
}
