package io.jans.as.server.token.ws.rs;

import io.jans.as.common.model.common.User;
import io.jans.as.common.model.registration.Client;
import io.jans.as.model.common.GrantType;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.error.ErrorResponseFactory;
import io.jans.as.model.token.TokenErrorResponseType;
import io.jans.as.server.audit.ApplicationAuditLogger;
import io.jans.as.server.model.audit.OAuth2AuditLog;
import io.jans.as.server.model.common.AuthorizationGrant;
import io.jans.as.server.model.common.DeviceAuthorizationCacheControl;
import io.jans.as.server.model.common.RefreshToken;
import io.jans.as.server.util.ServerUtil;
import jakarta.ejb.Stateless;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.util.Arrays;
import java.util.function.Consumer;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;

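/**
 * Request-validation helpers for the OAuth 2.0 token endpoint.
 *
 * <p>Each {@code validate*} method either returns normally or throws a
 * {@link WebApplicationException} whose response carries a JSON OAuth error
 * body built by {@link #error}. Every failure goes through {@link #response},
 * which marks the reply non-cacheable ({@code Cache-Control} plus
 * {@code Pragma: no-cache}, as RFC 6749 §5.2 requires for token-endpoint error
 * responses) and flushes the audit record, so callers never build the failure
 * path themselves.
 *
 * <p>All checks fail closed: a missing client, grant, refresh token or user is
 * rejected, and a mismatch between the authenticated client and the owner of a
 * code, grant or device authorization is reported as {@code invalid_grant}.
 */
@Named
@Stateless
public class TokenRestWebServiceValidator {

    private static final int BAD_REQUEST = Response.Status.BAD_REQUEST.getStatusCode();

    @Inject
    private Logger log;

    @Inject
    private ErrorResponseFactory errorResponseFactory;

    @Inject
    private ApplicationAuditLogger applicationAuditLogger;

    @Inject
    private AppConfiguration appConfiguration;

    /**
     * Checks that the parameters mandatory for the requested grant are present.
     *
     * <p>Only {@code authorization_code} (needs {@code code} and
     * {@code redirect_uri}) and {@code refresh_token} (needs
     * {@code refresh_token}) have per-grant requirements here; any other value
     * of {@code grant_type} passes this method and is judged later by
     * {@link #validateGrantType}.
     *
     * @param grantType      raw {@code grant_type} form value; must be non-empty
     * @param code           {@code code} value; required for {@code authorization_code}
     * @param redirectUri    {@code redirect_uri} value; required for {@code authorization_code}
     * @param refreshToken   {@code refresh_token} value; required for {@code refresh_token}
     * @param oAuth2AuditLog audit record flushed together with any error response
     * @throws WebApplicationException 400 {@code invalid_request} when a required value is missing
     */
    public void validateParams(String grantType, String code, String redirectUri, String refreshToken, OAuth2AuditLog oAuth2AuditLog) {
        this.log.debug("Starting to validate request parameters");
        if (StringUtils.isEmpty(grantType)) {
            this.log.trace("Grant Type is not set.");
            throw reject(BAD_REQUEST, TokenErrorResponseType.INVALID_REQUEST, "Grant Type is not set.", oAuth2AuditLog);
        }
        // NOTE(review): an unrecognised grant_type is assumed to map to null here
        // and is then refused by validateGrantType() — confirm GrantType.fromString
        // does not throw for unknown values.
        GrantType parsed = GrantType.fromString(grantType);
        if (parsed == GrantType.AUTHORIZATION_CODE) {
            if (StringUtils.isBlank(code)) {
                this.log.trace("Code is not set for AUTHORIZATION_CODE.");
                throw reject(BAD_REQUEST, TokenErrorResponseType.INVALID_REQUEST, "Code is not set for AUTHORIZATION_CODE.", oAuth2AuditLog);
            }
            // redirect_uri is always demanded for the code grant; RFC 6749 §4.1.3
            // only requires it when it was sent on the authorization request,
            // so this is intentionally stricter than the minimum.
            if (StringUtils.isBlank(redirectUri)) {
                this.log.trace("redirect_uri is not set for AUTHORIZATION_CODE.");
                throw reject(BAD_REQUEST, TokenErrorResponseType.INVALID_REQUEST, "redirect_uri is not set for AUTHORIZATION_CODE.", oAuth2AuditLog);
            }
        } else if (parsed == GrantType.REFRESH_TOKEN && StringUtils.isBlank(refreshToken)) {
            this.log.trace("Refresh Token is not set for REFRESH_TOKEN.");
            throw reject(BAD_REQUEST, TokenErrorResponseType.INVALID_REQUEST, "Refresh Token is not set for REFRESH_TOKEN.", oAuth2AuditLog);
        }
    }

    /**
     * Presence check for a pair of values that must both be supplied.
     *
     * @param first  first value
     * @param second second value
     * @return {@code true} only when neither value is null, empty or whitespace
     */
    public static boolean validateParams(String first, String second) {
        return StringUtils.isNotBlank(first) && StringUtils.isNotBlank(second);
    }

    /**
     * Checks that the grant type is allowed both by the client's registration
     * and by the server configuration.
     *
     * <p>A client registered with no grant types at all, or a configuration with
     * no supported grant types, is treated as "not allowed" rather than being
     * surfaced as a {@code NullPointerException} (HTTP 500).
     *
     * @param grantType      grant type requested; may be null for an unrecognised value
     * @param client         authenticated client
     * @param oAuth2AuditLog audit record flushed together with any error response
     * @throws WebApplicationException 400 {@code invalid_grant} when the grant type is not permitted
     */
    public void validateGrantType(GrantType grantType, Client client, OAuth2AuditLog oAuth2AuditLog) {
        GrantType[] allowedByClient = client.getGrantTypes();
        if (allowedByClient == null || !Arrays.asList(allowedByClient).contains(grantType)) {
            this.log.trace("GrantType is not allowed by client's grantTypes.");
            throw reject(BAD_REQUEST, TokenErrorResponseType.INVALID_GRANT, "GrantType is not allowed by client's grantTypes.", oAuth2AuditLog);
        }
        if (this.appConfiguration.getGrantTypesSupported() == null
                || !this.appConfiguration.getGrantTypesSupported().contains(grantType)) {
            this.log.trace("GrantType is not allowed by AS configuration");
            throw reject(BAD_REQUEST, TokenErrorResponseType.INVALID_GRANT, "GrantType is not allowed by AS configuration", oAuth2AuditLog);
        }
    }

    /**
     * Builds the exception thrown for every validation failure: an error body of
     * the given type, non-cacheable headers, and the audit record flushed.
     *
     * @param status         HTTP status code
     * @param type           OAuth error code placed in the JSON body
     * @param reason         human-readable {@code error_description}
     * @param oAuth2AuditLog audit record to send before the response is built
     * @return the exception for the caller to throw
     */
    private WebApplicationException reject(int status, TokenErrorResponseType type, String reason, OAuth2AuditLog oAuth2AuditLog) {
        return new WebApplicationException(response(error(status, type, reason), oAuth2AuditLog));
    }

    /**
     * Finalises an error response: forbids caching of the (credential-bearing)
     * token-endpoint reply and emits the audit record.
     *
     * @param responseBuilder partially built response
     * @param oAuth2AuditLog  audit record sent before the response is built
     * @return the built response
     */
    private Response response(Response.ResponseBuilder responseBuilder, OAuth2AuditLog oAuth2AuditLog) {
        responseBuilder.cacheControl(ServerUtil.cacheControl(true, false));
        responseBuilder.header("Pragma", "no-cache");
        this.applicationAuditLogger.sendMessage(oAuth2AuditLog);
        return responseBuilder.build();
    }

    /**
     * Starts a JSON OAuth error response.
     *
     * @param i                      HTTP status code
     * @param tokenErrorResponseType OAuth error code
     * @param str                    {@code error_description}
     * @return builder with status, JSON media type and the error entity set
     */
    public Response.ResponseBuilder error(int i, TokenErrorResponseType tokenErrorResponseType, String str) {
        return Response.status(i).type(MediaType.APPLICATION_JSON_TYPE).entity(this.errorResponseFactory.errorAsJson(tokenErrorResponseType, str));
    }

    /**
     * Checks that a client was resolved and is enabled.
     *
     * <p>NOTE(review): an unresolved client is reported as 401 {@code invalid_grant};
     * RFC 6749 §5.2 names {@code invalid_client} for a failed client
     * authentication. Changing the error code is an API-visible change and is
     * left as is here.
     *
     * @param client         resolved client, or null when lookup failed
     * @param oAuth2AuditLog audit record flushed together with any error response
     * @return the same client, never null
     * @throws WebApplicationException 401 when the client is null, 403 {@code disabled_client} when it is disabled
     */
    @NotNull
    public Client validateClient(Client client, OAuth2AuditLog oAuth2AuditLog) {
        if (client == null) {
            throw reject(Response.Status.UNAUTHORIZED.getStatusCode(), TokenErrorResponseType.INVALID_GRANT, "Unable to find client.", oAuth2AuditLog);
        }
        this.log.debug("Get client from session: '{}'", client.getClientId());
        if (client.isDisabled()) {
            throw reject(Response.Status.FORBIDDEN.getStatusCode(), TokenErrorResponseType.DISABLED_CLIENT, "Client is disabled.", oAuth2AuditLog);
        }
        return client;
    }

    /**
     * Checks that a device-authorization entry exists and belongs to the
     * authenticated client.
     *
     * <p>A cache entry with no client, or a client without an id, is rejected
     * rather than raising a {@code NullPointerException}, so a malformed entry
     * can never let one client redeem another client's {@code device_code}.
     *
     * @param client                          authenticated client
     * @param str                             device code, used for logging only
     * @param deviceAuthorizationCacheControl cached authorization, or null when expired/unknown
     * @param oAuth2AuditLog                  audit record flushed together with any error response
     * @throws WebApplicationException 400 {@code expired_token} when no entry exists,
     *                                 400 {@code invalid_grant} when it belongs to a different client
     */
    public void validateDeviceAuthorization(Client client, String str, DeviceAuthorizationCacheControl deviceAuthorizationCacheControl, OAuth2AuditLog oAuth2AuditLog) {
        if (deviceAuthorizationCacheControl == null) {
            // NOTE(review): this writes the device_code value into the debug log;
            // the code is expired or unknown at this point, but it is still a
            // credential-shaped value — consider logging a prefix or hash.
            this.log.debug("The authentication request has expired for deviceCode: '{}'", str);
            throw reject(BAD_REQUEST, TokenErrorResponseType.EXPIRED_TOKEN, "The authentication request has expired.", oAuth2AuditLog);
        }
        Client owner = deviceAuthorizationCacheControl.getClient();
        if (owner == null || owner.getClientId() == null || !owner.getClientId().equals(client.getClientId())) {
            throw reject(BAD_REQUEST, TokenErrorResponseType.INVALID_GRANT, "The client is not authorized.", oAuth2AuditLog);
        }
    }

    /**
     * Checks that a grant was found and belongs to the authenticated client,
     * without a callback.
     *
     * @see #validateGrant(AuthorizationGrant, Client, Object, OAuth2AuditLog, Consumer)
     */
    public void validateGrant(AuthorizationGrant authorizationGrant, Client client, Object obj, OAuth2AuditLog oAuth2AuditLog) {
        validateGrant(authorizationGrant, client, obj, oAuth2AuditLog, null);
    }

    /**
     * Checks that a grant was found and belongs to the authenticated client.
     *
     * <p>On either failure the optional {@code consumer} is invoked before the
     * exception is thrown; in the not-found case it receives {@code null}, so
     * implementations must tolerate that.
     *
     * <p>The client-id comparison deliberately rejects a null id on the
     * authenticated client instead of treating two nulls as equal.
     *
     * @param authorizationGrant grant looked up for the request, or null when none was found
     * @param client             authenticated client
     * @param obj                identifier (code or similar) used for logging only
     * @param oAuth2AuditLog     audit record flushed together with any error response
     * @param consumer           optional hook run before rejecting; may be null
     * @throws WebApplicationException 400 {@code invalid_grant} when the grant is missing or owned by another client
     */
    public void validateGrant(AuthorizationGrant authorizationGrant, Client client, Object obj, OAuth2AuditLog oAuth2AuditLog, Consumer<AuthorizationGrant> consumer) {
        if (authorizationGrant == null) {
            this.log.debug("AuthorizationGrant not found by clientId: '{}', identifier: '{}'", client.getClientId(), obj);
            if (consumer != null) {
                consumer.accept(null);
            }
            throw reject(BAD_REQUEST, TokenErrorResponseType.INVALID_GRANT, "Unable to find grant object for given code.", oAuth2AuditLog);
        }
        String clientId = client.getClientId();
        if (clientId != null && clientId.equals(authorizationGrant.getClientId())) {
            return;
        }
        this.log.debug("AuthorizationGrant is found but belongs to another client. Grant's clientId: '{}', identifier: '{}'", authorizationGrant.getClientId(), obj);
        if (consumer != null) {
            consumer.accept(authorizationGrant);
        }
        throw reject(BAD_REQUEST, TokenErrorResponseType.INVALID_GRANT, "Client mismatch.", oAuth2AuditLog);
    }

    /**
     * Checks that a refresh token was found and is still valid.
     *
     * @param refreshToken   resolved token, or null when lookup failed
     * @param oAuth2AuditLog audit record flushed together with any error response
     * @throws WebApplicationException 400 {@code invalid_grant} when the token is missing or invalid
     */
    public void validateRefreshToken(RefreshToken refreshToken, OAuth2AuditLog oAuth2AuditLog) {
        if (refreshToken == null || !refreshToken.isValid()) {
            this.log.trace("Invalid refresh token.");
            throw reject(BAD_REQUEST, TokenErrorResponseType.INVALID_GRANT, "Unable to find refresh token or otherwise token type or client does not match.", oAuth2AuditLog);
        }
    }

    /**
     * Checks that a user was resolved for the request.
     *
     * @param user           resolved user, or null
     * @param oAuth2AuditLog audit record flushed together with any error response
     * @throws WebApplicationException 401 {@code invalid_client} when the user is null
     */
    public void validateUser(User user, OAuth2AuditLog oAuth2AuditLog) {
        if (user == null) {
            // The throwaway exception only serves to capture a stack trace in the debug log.
            this.log.debug("Invalid user", new RuntimeException("User is empty"));
            throw reject(Response.Status.UNAUTHORIZED.getStatusCode(), TokenErrorResponseType.INVALID_CLIENT, "Invalid user.", oAuth2AuditLog);
        }
    }
}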
