package org.springframework.security.oauth2.server.authorization.authentication;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientMetadataClaimNames;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationValidator.class */
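/**
 * Default validator for an OAuth 2.0 authorization code request ({@code response_type=code}).
 *
 * <p>The instance-level {@link #accept(OAuth2AuthorizationCodeRequestAuthenticationContext)}
 * runs only the redirect URI and scope validators; the grant type, PKCE and prompt
 * validators are exposed as separate {@link Consumer} constants and are not part of the
 * default chain built in this class.
 *
 * <p>Every failed check ends in {@link #throwError}, which raises an
 * {@link OAuth2AuthorizationCodeRequestAuthenticationException}. When the failure concerns
 * the {@code redirect_uri} itself, the token attached to the exception carries no redirect
 * URI, in line with RFC 6749 section 4.1.2.1 (the server must not redirect to an invalid
 * or mismatching redirection URI).
 *
 * <p>Thread-safety: the class holds only immutable, stateless function references.
 */
public final class OAuth2AuthorizationCodeRequestAuthenticationValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {
    /** Error URI for authorization-request errors (RFC 6749 section 4.1.2.1). */
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1";
    /** Error URI for PKCE errors (RFC 7636 section 4.4.1). */
    private static final String PKCE_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1";
    private static final Log LOGGER = LogFactory.getLog(OAuth2AuthorizationCodeRequestAuthenticationValidator.class);
    /** Rejects clients that are not registered for the {@code authorization_code} grant. */
    static final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> DEFAULT_AUTHORIZATION_GRANT_TYPE_VALIDATOR = OAuth2AuthorizationCodeRequestAuthenticationValidator::validateAuthorizationGrantType;
    /** Enforces PKCE: {@code code_challenge} when the client requires it, and {@code S256} only. */
    static final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> DEFAULT_CODE_CHALLENGE_VALIDATOR = OAuth2AuthorizationCodeRequestAuthenticationValidator::validateCodeChallenge;
    /** Rejects OpenID Connect {@code prompt} values that combine {@code none} with another value. */
    static final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> DEFAULT_PROMPT_VALIDATOR = OAuth2AuthorizationCodeRequestAuthenticationValidator::validatePrompt;
    /** Validates {@code redirect_uri} against the client's registered redirect URIs. */
    public static final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> DEFAULT_REDIRECT_URI_VALIDATOR = OAuth2AuthorizationCodeRequestAuthenticationValidator::validateRedirectUri;
    /** Validates that every requested scope is registered for the client. */
    public static final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> DEFAULT_SCOPE_VALIDATOR = OAuth2AuthorizationCodeRequestAuthenticationValidator::validateScope;
    /** The default chain: redirect URI first, then scope. */
    private final Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator = DEFAULT_REDIRECT_URI_VALIDATOR.andThen(DEFAULT_SCOPE_VALIDATOR);

    /**
     * Runs the default validator chain against the given context.
     *
     * @param authenticationContext the authorization code request context to validate
     * @throws OAuth2AuthorizationCodeRequestAuthenticationException if any default check fails
     */
    @Override
    public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        this.authenticationValidator.accept(authenticationContext);
    }

    /**
     * Rejects the request with {@code unauthorized_client} unless the registered client is
     * allowed to use the {@code authorization_code} grant.
     *
     * @param authenticationContext the context holding the request token and registered client
     */
    private static void validateAuthorizationGrantType(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authentication = authenticationContext.getAuthentication();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.AUTHORIZATION_CODE)) {
            return;
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug(LogMessage.format("Invalid request: requested grant_type is not allowed for registered client '%s'", registeredClient.getId()));
        }
        throwError("unauthorized_client", OidcClientMetadataClaimNames.CLIENT_ID, authentication, registeredClient);
    }

    /**
     * Validates the requested {@code redirect_uri}.
     *
     * <p>Rules applied, in order:
     * <ul>
     *   <li>No {@code redirect_uri}: allowed only for non-OpenID requests when the client has
     *       exactly one registered redirect URI (otherwise the parameter is required).</li>
     *   <li>The value must parse and must not carry a fragment component.</li>
     *   <li>Non-loopback hosts require an exact string match against a registered URI.</li>
     *   <li>Loopback hosts (see {@link #isLoopbackAddress}) may use any port, so the comparison
     *       is made with the registered URI's port replaced by the requested one (RFC 8252
     *       section 7.3).</li>
     * </ul>
     *
     * @param authenticationContext the context holding the request token and registered client
     */
    private static void validateRedirectUri(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authentication = authenticationContext.getAuthentication();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        String requestedRedirectUri = authentication.getRedirectUri();

        if (!StringUtils.hasText(requestedRedirectUri)) {
            // redirect_uri is required for OpenID Connect, and whenever there is not exactly
            // one registered URI to fall back to.
            if (authentication.getScopes().contains("openid") || registeredClient.getRedirectUris().size() != 1) {
                throwError("invalid_request", "redirect_uri", authentication, registeredClient);
            }
            return;
        }

        UriComponents requestedRedirect = parseRedirectUri(requestedRedirectUri);
        if (requestedRedirect == null || requestedRedirect.getFragment() != null) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug(LogMessage.format("Invalid request: redirect_uri is missing or contains a fragment for registered client '%s'", registeredClient.getId()));
            }
            throwError("invalid_request", "redirect_uri", authentication, registeredClient);
            return; // throwError never returns; the explicit return keeps the null-check obvious
        }

        boolean matchesRegisteredUri = isLoopbackAddress(requestedRedirect.getHost())
                ? matchesRegisteredLoopbackUri(requestedRedirect, registeredClient)
                // Exact string matching is required for non-loopback redirect URIs.
                : registeredClient.getRedirectUris().contains(requestedRedirectUri);
        if (matchesRegisteredUri) {
            return;
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug(LogMessage.format("Invalid request: redirect_uri does not match for registered client '%s'", registeredClient.getId()));
        }
        throwError("invalid_request", "redirect_uri", authentication, registeredClient);
    }

    /**
     * Parses a redirect URI, returning {@code null} when it cannot be parsed.
     *
     * @param redirectUri the raw {@code redirect_uri} value
     * @return the parsed components, or {@code null} if parsing failed
     */
    private static UriComponents parseRedirectUri(String redirectUri) {
        try {
            return UriComponentsBuilder.fromUriString(redirectUri).build();
        } catch (Exception ignored) {
            // Best-effort parse: an unparseable value is reported as invalid_request by the caller.
            return null;
        }
    }

    /**
     * Compares a loopback redirect URI against the registered URIs, ignoring the port.
     *
     * <p>Each registered URI is rebuilt with the requested port before the string comparison,
     * so the port is the only component permitted to differ.
     *
     * @param requestedRedirect the parsed, loopback-hosted redirect URI from the request
     * @param registeredClient the client whose registered redirect URIs are consulted
     * @return {@code true} if some registered URI matches apart from its port
     */
    private static boolean matchesRegisteredLoopbackUri(UriComponents requestedRedirect, RegisteredClient registeredClient) {
        for (String registeredRedirectUri : registeredClient.getRedirectUris()) {
            UriComponentsBuilder registeredRedirect = UriComponentsBuilder.fromUriString(registeredRedirectUri);
            registeredRedirect.port(requestedRedirect.getPort());
            if (registeredRedirect.build().toString().equals(requestedRedirect.toString())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Rejects the request with {@code invalid_scope} if any requested scope is not registered
     * for the client. An empty scope request is always accepted.
     *
     * @param authenticationContext the context holding the request token and registered client
     */
    private static void validateScope(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authentication = authenticationContext.getAuthentication();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        Set<String> requestedScopes = authentication.getScopes();
        Set<String> allowedScopes = registeredClient.getScopes();
        if (requestedScopes.isEmpty() || allowedScopes.containsAll(requestedScopes)) {
            return;
        }
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug(LogMessage.format("Invalid request: requested scope is not allowed for registered client '%s'", registeredClient.getId()));
        }
        throwError("invalid_scope", OidcClientMetadataClaimNames.SCOPE, authentication, registeredClient);
    }

    /**
     * Validates the PKCE parameters.
     *
     * <p>Without a {@code code_challenge} the request is rejected only if the client is
     * configured to require proof key. With a {@code code_challenge}, the
     * {@code code_challenge_method} must be exactly {@code S256}; {@code plain} and a missing
     * method are rejected.
     *
     * @param authenticationContext the context holding the request token and registered client
     */
    private static void validateCodeChallenge(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authentication = authenticationContext.getAuthentication();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        Map<String, Object> additionalParameters = authentication.getAdditionalParameters();

        String codeChallenge = (String) additionalParameters.get("code_challenge");
        if (!StringUtils.hasText(codeChallenge)) {
            if (registeredClient.getClientSettings().isRequireProofKey()) {
                throwError("invalid_request", "code_challenge", PKCE_ERROR_URI, authentication, registeredClient);
            }
            return;
        }

        // Only S256 is accepted; "S256".equals(...) already implies the value is non-blank.
        String codeChallengeMethod = (String) additionalParameters.get("code_challenge_method");
        if (!"S256".equals(codeChallengeMethod)) {
            throwError("invalid_request", "code_challenge_method", PKCE_ERROR_URI, authentication, registeredClient);
        }
    }

    /**
     * For OpenID Connect requests, rejects a {@code prompt} parameter that combines
     * {@code none} with {@code login}, {@code consent} or {@code select_account}.
     *
     * @param authenticationContext the context holding the request token and registered client
     */
    private static void validatePrompt(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authentication = authenticationContext.getAuthentication();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        if (!authentication.getScopes().contains("openid")) {
            return;
        }
        String prompt = (String) authentication.getAdditionalParameters().get("prompt");
        if (!StringUtils.hasText(prompt)) {
            return;
        }
        // prompt is a space-delimited list of values.
        Set<String> promptValues = new HashSet<>(Arrays.asList(StringUtils.delimitedListToStringArray(prompt, " ")));
        boolean combinedWithNone = promptValues.contains("none")
                && (promptValues.contains("login") || promptValues.contains("consent") || promptValues.contains("select_account"));
        if (combinedWithNone) {
            throwError("invalid_request", "prompt", authentication, registeredClient);
        }
    }

    /**
     * Returns whether the given URI host is a loopback address.
     *
     * <p>Recognised forms are the IPv6 literals {@code [::1]} and {@code [0:0:0:0:0:0:0:1]}, and
     * dotted-quad IPv4 addresses in {@code 127.0.0.0/8} whose last octet is 1..255. The host
     * name {@code localhost} is intentionally not treated as loopback.
     *
     * @param host the host component of a URI, possibly {@code null} or blank
     * @return {@code true} if the host is a recognised loopback literal
     */
    private static boolean isLoopbackAddress(String host) {
        if (!StringUtils.hasText(host)) {
            return false;
        }
        if ("[0:0:0:0:0:0:0:1]".equals(host) || "[::1]".equals(host)) {
            return true;
        }
        String[] octets = host.split("\\.");
        if (octets.length != 4) {
            return false;
        }
        try {
            int[] values = new int[octets.length];
            for (int i = 0; i < octets.length; i++) {
                values[i] = Integer.parseInt(octets[i]);
            }
            return values[0] == 127
                    && values[1] >= 0 && values[1] <= 255
                    && values[2] >= 0 && values[2] <= 255
                    && values[3] >= 1 && values[3] <= 255;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Raises an authorization-request error using the RFC 6749 error URI.
     *
     * @param errorCode the OAuth 2.0 error code
     * @param parameterName the offending request parameter
     * @param authentication the request token being rejected
     * @param registeredClient the client the request was made for
     */
    private static void throwError(String errorCode, String parameterName, OAuth2AuthorizationCodeRequestAuthenticationToken authentication, RegisteredClient registeredClient) {
        throwError(errorCode, parameterName, ERROR_URI, authentication, registeredClient);
    }

    /**
     * Raises an authorization-request error with an explicit error URI.
     *
     * @param errorCode the OAuth 2.0 error code
     * @param parameterName the offending request parameter
     * @param errorUri the URI documenting the error
     * @param authentication the request token being rejected
     * @param registeredClient the client the request was made for
     */
    private static void throwError(String errorCode, String parameterName, String errorUri, OAuth2AuthorizationCodeRequestAuthenticationToken authentication, RegisteredClient registeredClient) {
        throwError(new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName, errorUri), parameterName, authentication, registeredClient);
    }

    /**
     * Throws an {@link OAuth2AuthorizationCodeRequestAuthenticationException} carrying a copy of
     * the request token marked as authenticated.
     *
     * <p>The copied token's redirect URI is the requested one, or the client's first registered
     * redirect URI when none was requested. When the error is an {@code invalid_request} about
     * {@code redirect_uri}, the redirect URI is deliberately left {@code null} so that the error
     * is not delivered to an unvalidated location (RFC 6749 section 4.1.2.1).
     *
     * <p>A registered client with no redirect URIs yields a {@code null} redirect URI instead of
     * a {@link java.util.NoSuchElementException}.
     *
     * @param error the error to report
     * @param parameterName the offending request parameter
     * @param authentication the request token being rejected
     * @param registeredClient the client the request was made for
     */
    private static void throwError(OAuth2Error error, String parameterName, OAuth2AuthorizationCodeRequestAuthenticationToken authentication, RegisteredClient registeredClient) {
        boolean redirectUriIsInvalid = "invalid_request".equals(error.getErrorCode()) && "redirect_uri".equals(parameterName);
        String redirectUri = null;
        if (!redirectUriIsInvalid) {
            redirectUri = StringUtils.hasText(authentication.getRedirectUri())
                    ? authentication.getRedirectUri()
                    : registeredClient.getRedirectUris().stream().findFirst().orElse(null);
        }
        OAuth2AuthorizationCodeRequestAuthenticationToken rejectedAuthentication = new OAuth2AuthorizationCodeRequestAuthenticationToken(
                authentication.getAuthorizationUri(),
                authentication.getClientId(),
                (Authentication) authentication.getPrincipal(),
                redirectUri,
                authentication.getState(),
                (Set<String>) authentication.getScopes(),
                (Map<String, Object>) authentication.getAdditionalParameters());
        rejectedAuthentication.setAuthenticated(true);
        throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, rejectedAuthentication);
    }
}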
