package com.stormpath.sdk.servlet.filter.oauth;

import com.stormpath.sdk.http.HttpMethod;
import com.stormpath.sdk.lang.Assert;
import com.stormpath.sdk.lang.Strings;
import com.stormpath.sdk.servlet.authz.RequestAuthorizer;
import com.stormpath.sdk.servlet.http.Resolver;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/stormpath/sdk/servlet/filter/oauth/DefaultAccessTokenRequestAuthorizer.class */
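/**
 * {@link RequestAuthorizer} for OAuth 2 access token requests.
 *
 * <p>A request is accepted only when it is an HTTP POST, declares the
 * {@value #FORM_MEDIA_TYPE} media type, carries a non-empty
 * {@value #GRANT_TYPE_PARAM_NAME} parameter, satisfies the configured transport
 * security policy and is accepted by the delegate origin authorizer. Every
 * rejection made by this class is an {@link OAuthException} with
 * {@link OAuthErrorCode#INVALID_REQUEST}.
 */
public class DefaultAccessTokenRequestAuthorizer implements RequestAuthorizer {
    /** Media type a token request must declare in its Content-Type header. */
    public static final String FORM_MEDIA_TYPE = "application/x-www-form-urlencoded";
    /** Name of the request parameter that carries the OAuth 2 grant type. */
    public static final String GRANT_TYPE_PARAM_NAME = "grant_type";

    private static final Logger log = LoggerFactory.getLogger(DefaultAccessTokenRequestAuthorizer.class);

    // Decides, per request, whether a non-HTTPS token request must be rejected.
    private final Resolver<Boolean> secureConnectionRequired;
    // Delegate that performs the origin check after the format and transport checks pass.
    private final RequestAuthorizer originAuthorizer;
    // Set once the insecure-configuration warning has been logged, so it is not repeated.
    // NOTE(review): plain (non-volatile) field; if one instance serves concurrent
    // requests the warning may be logged more than once. No other effect is visible here.
    private boolean secureWarned;

    /**
     * Creates the authorizer.
     *
     * @param resolver          resolves whether a secure connection is required for a request; not null
     * @param requestAuthorizer delegate used for the origin check; not null
     */
    public DefaultAccessTokenRequestAuthorizer(Resolver<Boolean> resolver, RequestAuthorizer requestAuthorizer) {
        Assert.notNull(resolver, "secure resolver cannot be null.");
        Assert.notNull(requestAuthorizer, "origin RequestAuthorizer cannot be null.");
        this.secureConnectionRequired = resolver;
        this.originAuthorizer = requestAuthorizer;
    }

    /**
     * @return the resolver that decides whether HTTPS is mandatory for a request
     */
    public Resolver<Boolean> getSecureConnectionRequired() {
        return this.secureConnectionRequired;
    }

    /**
     * @return the delegate authorizer used for the origin check
     */
    public RequestAuthorizer getOriginAuthorizer() {
        return this.originAuthorizer;
    }

    /**
     * Validates the shape of a token request, then its transport security and origin.
     *
     * <p>The format checks run first, so a malformed request sent over plain HTTP is
     * rejected with the format error rather than the HTTPS error.
     *
     * @param httpServletRequest  the incoming token request
     * @param httpServletResponse the response associated with the request
     * @throws OAuthException if the method is not POST, the Content-Type is not the form
     *                        media type, {@code grant_type} is missing or blank, a required
     *                        secure connection is absent, or the origin authorizer rejects
     *                        the request
     */
    @Override
    public void assertAuthorized(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAuthException {
        if (!HttpMethod.POST.name().equalsIgnoreCase(httpServletRequest.getMethod())) {
            throw new OAuthException(OAuthErrorCode.INVALID_REQUEST, "HTTP POST is required.", (Exception) null);
        }

        // Media type names are case-insensitive, so compare the prefix without regard to
        // case; a header such as "Application/X-WWW-Form-Urlencoded; charset=UTF-8" is a
        // valid form submission. regionMatches returns false when the header is shorter
        // than the expected media type.
        String contentType = Strings.clean(httpServletRequest.getContentType());
        boolean isForm = contentType != null
                && contentType.regionMatches(true, 0, FORM_MEDIA_TYPE, 0, FORM_MEDIA_TYPE.length());
        if (!isForm) {
            throw new OAuthException(OAuthErrorCode.INVALID_REQUEST, "Content-Type must be application/x-www-form-urlencoded", (Exception) null);
        }

        // NOTE(review): getParameter() also returns query-string values, so a grant_type
        // supplied in the URL satisfies this check — confirm that is acceptable downstream.
        if (Strings.clean(httpServletRequest.getParameter(GRANT_TYPE_PARAM_NAME)) == null) {
            throw new OAuthException(OAuthErrorCode.INVALID_REQUEST, "Missing grant_type value.", (Exception) null);
        }

        assertSecure(httpServletRequest, httpServletResponse);
        assertOriginAuthorized(httpServletRequest, httpServletResponse);
    }

    /**
     * Enforces the transport security policy for a token request.
     *
     * <p>A request the container reports as secure always passes. An insecure request is
     * rejected when the resolver requires a secure connection; otherwise a warning is
     * logged the first time and the request is allowed.
     *
     * @param httpServletRequest  the incoming token request
     * @param httpServletResponse the response associated with the request
     * @throws OAuthException if the request is not secure and a secure connection is required
     */
    protected void assertSecure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAuthException {
        // isSecure() reports the connection as the servlet container sees it.
        // NOTE(review): behind a TLS-terminating proxy this is presumably false unless the
        // container is configured to trust the proxy's scheme information — confirm per deployment.
        boolean isSecure = httpServletRequest.isSecure();
        boolean isSecureConnectionRequired = isSecureConnectionRequired(httpServletRequest, httpServletResponse);
        if (isSecure) {
            return;
        }
        if (isSecureConnectionRequired) {
            throw new OAuthException(OAuthErrorCode.INVALID_REQUEST, "A secure HTTPS connection is required for token requests - this is a requirement of the OAuth 2 specification.", (Exception) null);
        }
        // Insecure request tolerated by configuration: warn once, then stay quiet.
        if (this.secureWarned) {
            return;
        }
        this.secureWarned = true;
        log.warn("The OAuth 2 specification requires secure HTTPS connections during token requests, but the current configuration allows insecure requests.  The Stormpath SDK default configuration allows insecure requests for convenience during localhost development, but CAUTION: it will automatically throw an OAuthException in production instead of logging this warning (where production is defined as !localhost by default). When you deploy your application to staging and production environments, ensure that HTTPS is always enabled otherwise token requests are not likely to function correctly.");
    }

    /**
     * Asks the configured resolver whether this request must arrive over a secure connection.
     *
     * <p>Fails closed: only an explicit {@code false} from the resolver permits an
     * insecure request. A {@code null} result is treated as "required" instead of
     * surfacing as a {@link NullPointerException} from unboxing.
     *
     * @param httpServletRequest  the incoming token request
     * @param httpServletResponse the response associated with the request
     * @return {@code true} unless the resolver explicitly returns {@code false}
     */
    protected boolean isSecureConnectionRequired(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Boolean required = getSecureConnectionRequired().get(httpServletRequest, httpServletResponse);
        return !Boolean.FALSE.equals(required);
    }

    /**
     * Delegates the origin check to the configured origin authorizer.
     *
     * @param httpServletRequest  the incoming token request
     * @param httpServletResponse the response associated with the request
     * @throws OAuthException if the origin authorizer rejects the request
     */
    protected void assertOriginAuthorized(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAuthException {
        getOriginAuthorizer().assertAuthorized(httpServletRequest, httpServletResponse);
    }
}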
