package org.springframework.security.oauth2.server.authorization.authentication;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/CodeVerifierAuthenticator.class */
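/**
 * Validates the PKCE {@code code_verifier} presented by a client at the token endpoint
 * against the {@code code_challenge} recorded with the original authorization request.
 *
 * <p>The check only applies to {@code grant_type=authorization_code} requests that carry a
 * {@code code}. The authorization is looked up by that code, the stored
 * {@code code_challenge}/{@code code_challenge_method} are read from the saved
 * {@link OAuth2AuthorizationRequest}, and the verifier is accepted only when the method is
 * {@code S256} and {@code base64url(sha256(code_verifier))} equals the challenge. Any failure
 * surfaces as an {@link OAuth2AuthenticationException} with error code {@code invalid_grant}.
 *
 * <p>This class does not consume or invalidate the authorization code; that is presumably done
 * by the grant handler that calls it (not visible here).
 *
 * <p>Note: this listing is decompiled. The constructor and the two entry points were
 * package-private in the original; they are kept {@code public} here so existing callers are
 * unaffected (the class itself is package-private, so the effective reach is the same).
 */
final class CodeVerifierAuthenticator {

    private static final OAuth2TokenType AUTHORIZATION_CODE_TOKEN_TYPE = new OAuth2TokenType("code");

    /** The only accepted transformation; a {@code plain} challenge never validates. */
    private static final String S256_CHALLENGE_METHOD = "S256";

    private static final String CODE_CHALLENGE = "code_challenge";

    private static final String CODE_CHALLENGE_METHOD = "code_challenge_method";

    private static final String CODE_VERIFIER = "code_verifier";

    private final Log logger = LogFactory.getLog(getClass());

    private final OAuth2AuthorizationService authorizationService;

    /**
     * Creates an authenticator that resolves authorization codes through the given service.
     *
     * @param oAuth2AuthorizationService the store used to look up the authorization by code
     * @throws IllegalArgumentException if the service is {@code null}
     */
    public CodeVerifierAuthenticator(OAuth2AuthorizationService oAuth2AuthorizationService) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        this.authorizationService = oAuth2AuthorizationService;
    }

    /**
     * Validates the code verifier and fails if it was not validated for any reason, including
     * the request not being an authorization-code grant with PKCE parameters.
     *
     * @param oAuth2ClientAuthenticationToken the client authentication carrying the token
     *        request parameters
     * @param registeredClient the client the request is attributed to
     * @throws OAuth2AuthenticationException ({@code invalid_grant}) if the verifier is absent
     *         or does not match
     */
    public void authenticateRequired(OAuth2ClientAuthenticationToken oAuth2ClientAuthenticationToken,
            RegisteredClient registeredClient) {
        if (!authenticate(oAuth2ClientAuthenticationToken, registeredClient)) {
            throw invalidGrant(CODE_VERIFIER);
        }
    }

    /**
     * Validates the code verifier when PKCE parameters are present, and silently succeeds when
     * PKCE was not used for an authorization that does not require it.
     *
     * @param oAuth2ClientAuthenticationToken the client authentication carrying the token
     *        request parameters
     * @param registeredClient the client the request is attributed to
     * @throws OAuth2AuthenticationException ({@code invalid_grant}) if PKCE parameters are
     *         present or required but do not validate
     */
    public void authenticateIfAvailable(OAuth2ClientAuthenticationToken oAuth2ClientAuthenticationToken,
            RegisteredClient registeredClient) {
        authenticate(oAuth2ClientAuthenticationToken, registeredClient);
    }

    /**
     * Core check shared by both entry points.
     *
     * @return {@code true} when the verifier matched the stored challenge; {@code false} when the
     *         request is not an authorization-code grant, or when no challenge was stored and
     *         neither the client settings nor the request call for one
     * @throws OAuth2AuthenticationException ({@code invalid_grant}) when the code is unknown,
     *         when a challenge is required but missing, or when the verifier does not match
     */
    private boolean authenticate(OAuth2ClientAuthenticationToken oAuth2ClientAuthenticationToken,
            RegisteredClient registeredClient) {
        Map<String, Object> parameters = oAuth2ClientAuthenticationToken.getAdditionalParameters();
        if (!authorizationCodeGrant(parameters)) {
            return false;
        }

        String code = (String) parameters.get("code");
        OAuth2Authorization authorization = this.authorizationService.findByToken(code,
                AUTHORIZATION_CODE_TOKEN_TYPE);
        if (authorization == null) {
            // Unknown (or already removed) code: the generic invalid_grant error deliberately
            // does not say whether the code ever existed.
            throw invalidGrant("code");
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Retrieved authorization with authorization code");
        }

        // NOTE(review): the attribute is dereferenced unconditionally, as in the original; an
        // authorization stored without the request attribute would NPE here rather than fail
        // with invalid_grant — confirm the grant handler guarantees it is present.
        OAuth2AuthorizationRequest authorizationRequest = (OAuth2AuthorizationRequest) authorization
                .getAttribute(OAuth2AuthorizationRequest.class.getName());
        String codeChallenge = (String) authorizationRequest.getAdditionalParameters().get(CODE_CHALLENGE);
        String codeVerifier = (String) parameters.get(CODE_VERIFIER);

        if (!StringUtils.hasText(codeChallenge)) {
            // No challenge was bound to the code. Reject if the client must use PKCE, or if the
            // caller nevertheless sent a verifier (a verifier without a challenge cannot be
            // validated and must not pass by default).
            if (registeredClient.getClientSettings().isRequireProofKey() || StringUtils.hasText(codeVerifier)) {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug(LogMessage.format(
                            "Invalid request: code_challenge is required for registered client '%s'",
                            registeredClient.getId()));
                }
                throw invalidGrant(CODE_CHALLENGE);
            }
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Did not authenticate code verifier since requireProofKey=false");
            }
            return false;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Validated code verifier parameters");
        }

        String codeChallengeMethod = (String) authorizationRequest.getAdditionalParameters()
                .get(CODE_CHALLENGE_METHOD);
        if (!codeVerifierValid(codeVerifier, codeChallenge, codeChallengeMethod)) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(LogMessage.format(
                        "Invalid request: code_verifier is missing or invalid for registered client '%s'",
                        registeredClient.getId()));
            }
            throw invalidGrant(CODE_VERIFIER);
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Authenticated code verifier");
        }
        return true;
    }

    /**
     * Reports whether the request is an authorization-code grant.
     *
     * @return {@code true} for {@code grant_type=authorization_code} with a non-blank
     *         {@code code}; {@code false} for every other grant type
     * @throws OAuth2AuthenticationException ({@code invalid_grant}) for an authorization-code
     *         grant whose {@code code} is missing or blank
     */
    private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
        if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(parameters.get("grant_type"))) {
            return false;
        }
        if (!StringUtils.hasText((String) parameters.get("code"))) {
            throw invalidGrant("code");
        }
        return true;
    }

    /**
     * Checks {@code base64url(sha256(codeVerifier)) == codeChallenge} for the {@code S256}
     * method. The verifier is hashed over its US-ASCII bytes and encoded without padding.
     *
     * @return {@code false} when the verifier is blank, the challenge is {@code null}, the
     *         method is anything other than {@code S256}, or the digests differ
     * @throws OAuth2AuthenticationException ({@code server_error}) if SHA-256 is unavailable
     */
    private static boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) {
        if (!StringUtils.hasText(codeVerifier) || codeChallenge == null
                || !S256_CHALLENGE_METHOD.equals(codeChallengeMethod)) {
            return false;
        }
        byte[] digest;
        try {
            digest = MessageDigest.getInstance("SHA-256").digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
        }
        catch (NoSuchAlgorithmException ex) {
            // SHA-256 is mandatory in every JRE; keep the cause so a broken provider setup
            // is diagnosable from the logs.
            throw new OAuth2AuthenticationException(new OAuth2Error("server_error"), ex);
        }
        String encodedVerifier = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        // Constant-time comparison so the position of the first mismatch is not observable
        // through timing. Encoding the challenge as US-ASCII maps any non-ASCII character to
        // '?', which is outside the base64url alphabet and therefore cannot produce a match
        // that String.equals would not — the outcome is identical, only the timing differs.
        return MessageDigest.isEqual(encodedVerifier.getBytes(StandardCharsets.US_ASCII),
                codeChallenge.getBytes(StandardCharsets.US_ASCII));
    }

    /**
     * Builds the {@code invalid_grant} failure for the named parameter. Returned rather than
     * thrown so call sites can {@code throw} it and the compiler sees the flow ends there.
     *
     * @param parameterName the request parameter that failed validation
     */
    private static OAuth2AuthenticationException invalidGrant(String parameterName) {
        return new OAuth2AuthenticationException(
                new OAuth2Error("invalid_grant", "Client authentication failed: " + parameterName, null));
    }
}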
