package org.wso2.carbon.identity.oauth2.client.authentication;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.ClientAuthenticationMethodModel;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/client/authentication/OAuthClientAuthnService.class */
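/**
 * Runs the registered {@link OAuthClientAuthenticator}s against an incoming request and records
 * the outcome in an {@link OAuthClientAuthnContext}.
 *
 * <p>The candidate authenticators are narrowed per application: the token endpoint auth method
 * configured for the client id is used when present, FAPI-conformant applications are further
 * restricted to the methods listed under {@code FAPI_CLIENT_AUTH_METHOD_CONFIGURATION}, and all
 * registered authenticators are tried only when the application configures no method and is not
 * FAPI conformant.
 *
 * <p>Failures are never thrown to the caller of {@link #authenticateClient(HttpServletRequest, Map)};
 * they are written to the context as an error code and message, so callers have to inspect the
 * returned context rather than rely on an exception.
 */
public class OAuthClientAuthnService {
    private static final Log log = LogFactory.getLog(OAuthClientAuthnService.class);
    private static final String FAPI_CLIENT_AUTH_METHOD_CONFIGURATION = "OAuth.OpenIDConnect.FAPI.AllowedClientAuthenticationMethods.AllowedClientAuthenticationMethod";

    /**
     * Returns the client authenticators registered with the OAuth2 service component.
     *
     * @return the list handed out by {@code OAuth2ServiceComponentHolder.getAuthenticationHandlers()}
     */
    public List<OAuthClientAuthenticator> getClientAuthenticators() {
        if (log.isDebugEnabled()) {
            log.debug("Retrieving registered OAuth client authenticator list.");
        }
        return OAuth2ServiceComponentHolder.getAuthenticationHandlers();
    }

    /**
     * Authenticates the OAuth client that sent the request.
     *
     * <p>NOTE(review): when no authenticator reports that it can handle the request, this method
     * sets neither an error nor a success on the context, so the result is whatever a fresh
     * {@link OAuthClientAuthnContext} defaults to. Callers should treat only an explicitly
     * authenticated context as success; confirm against the context class.
     *
     * @param httpServletRequest the incoming request
     * @param map                the parsed body parameters of the request
     * @return a new context holding the client id, the engaged authenticators and the result
     */
    public OAuthClientAuthnContext authenticateClient(HttpServletRequest httpServletRequest, Map<String, List> map) {
        OAuthClientAuthnContext authnContext = new OAuthClientAuthnContext();
        executeClientAuthenticators(httpServletRequest, authnContext, map);
        // Runs after all authenticators so that a second engaged method overrides an earlier success.
        failOnMultipleAuthenticators(authnContext);
        return authnContext;
    }

    /**
     * Evaluates a single authenticator against the request.
     *
     * <p>Disabled authenticators and authenticators that cannot handle the request are skipped.
     * Every authenticator that can handle the request is recorded on the context, but only the
     * first one actually authenticates; later ones are recorded so that
     * {@link #failOnMultipleAuthenticators(OAuthClientAuthnContext)} can reject the request.
     */
    private void executeAuthenticator(OAuthClientAuthenticator oAuthClientAuthenticator, OAuthClientAuthnContext oAuthClientAuthnContext, HttpServletRequest httpServletRequest, Map<String, List> map) {
        if (isAuthenticatorDisabled(oAuthClientAuthenticator)) {
            if (log.isDebugEnabled()) {
                log.debug("Authenticator " + oAuthClientAuthenticator.getName() + " is disabled. Hence not evaluating");
            }
            return;
        }
        if (!canAuthenticate(oAuthClientAuthenticator, oAuthClientAuthnContext, httpServletRequest, map)) {
            if (log.isDebugEnabled()) {
                log.debug(oAuthClientAuthenticator.getName() + " authenticator cannot handle this request.");
            }
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug(oAuthClientAuthenticator.getName() + " authenticator can handle incoming request.");
        }

        // Read the flag before this authenticator is added to the context.
        boolean alreadyEngaged = oAuthClientAuthnContext.isPreviousAuthenticatorEngaged();
        if (alreadyEngaged && log.isDebugEnabled()) {
            log.debug("Previously an authenticator is evaluated. Hence authenticator " + oAuthClientAuthenticator.getName() + " is not evaluating");
        }
        addAuthenticatorToContext(oAuthClientAuthenticator, oAuthClientAuthnContext);
        if (alreadyEngaged) {
            return;
        }
        try {
            oAuthClientAuthnContext.setClientId(oAuthClientAuthenticator.getClientId(httpServletRequest, map, oAuthClientAuthnContext));
            authenticateClient(oAuthClientAuthenticator, oAuthClientAuthnContext, httpServletRequest, map);
        } catch (OAuthClientAuthnException e) {
            handleClientAuthnException(oAuthClientAuthenticator, oAuthClientAuthnContext, e);
        }
    }

    /**
     * Marks the context as failed with {@code invalid_request} when more than one authenticator
     * was engaged for the request.
     */
    private void failOnMultipleAuthenticators(OAuthClientAuthnContext oAuthClientAuthnContext) {
        if (!oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug(oAuthClientAuthnContext.getExecutedAuthenticators().size() + " Authenticators were executed previously. Hence failing client authentication");
        }
        // The message is kept exactly as shipped; it stops at "in each" and presumably was
        // meant to end with "request" (RFC 6749, section 2.3). TODO confirm before changing it.
        setErrorToContext("invalid_request", "The client MUST NOT use more than one authentication method in each", oAuthClientAuthnContext);
    }

    /**
     * Resolves the authenticators allowed for the requesting application and runs each of them.
     *
     * <p>Any {@link IdentityOAuth2Exception} raised on the way, including the exceptions re-thrown
     * from the inner block, is logged and reported on the context as {@code invalid_client}; the
     * {@code server_error} code attached to the inner exception is therefore not what the context
     * ends up carrying.
     */
    private void executeClientAuthenticators(HttpServletRequest httpServletRequest, OAuthClientAuthnContext oAuthClientAuthnContext, Map<String, List> map) {
        if (log.isDebugEnabled()) {
            log.debug("Executing OAuth client authenticators.");
        }
        try {
            String clientId = extractClientId(httpServletRequest, map);
            if (StringUtils.isBlank(clientId)) {
                setErrorToContext("invalid_client", "Client ID not found in the request.", oAuthClientAuthnContext);
                return;
            }
            try {
                List<OAuthClientAuthenticator> configured = getConfiguredClientAuthMethods(clientId);
                List<OAuthClientAuthenticator> candidates;
                if (OAuth2Util.isFapiConformantApp(clientId)) {
                    // FAPI apps never fall back to the full authenticator list.
                    candidates = filterClientAuthenticatorsForFapi(configured);
                } else if (configured.isEmpty()) {
                    candidates = getClientAuthenticators();
                } else {
                    candidates = configured;
                }
                if (candidates.isEmpty()) {
                    setErrorToContext("invalid_request", "No valid authenticators found for the application.", oAuthClientAuthnContext);
                    return;
                }
                for (OAuthClientAuthenticator candidate : candidates) {
                    executeAuthenticator(candidate, oAuthClientAuthnContext, httpServletRequest, map);
                }
            } catch (IdentityOAuth2Exception e) {
                // Keep the cause so the error log below shows where the lookup actually failed.
                throw new OAuthClientAuthnException("Error while obtaining the service provider for client_id: " + clientId, "server_error", e);
            } catch (InvalidOAuthClientException e) {
                throw new OAuthClientAuthnException("Could not find an existing app for client_id: " + clientId, "invalid_client", e);
            }
        } catch (IdentityOAuth2Exception e) {
            // NOTE(review): the exception message can embed the request-supplied client_id;
            // confirm the log layout neutralises CR/LF so a crafted id cannot forge log lines.
            log.error("Error occurred while processing the request to validate the client authentication method.", e);
            setErrorToContext("invalid_client", "Error occurred while validating the request auth method with the configured token endpoint auth methods.", oAuthClientAuthnContext);
        }
    }

    /**
     * Records a failed authentication on the context.
     *
     * @param str                      the OAuth error code
     * @param str2                     the error message
     * @param oAuthClientAuthnContext  the context to update
     */
    private void setErrorToContext(String str, String str2, OAuthClientAuthnContext oAuthClientAuthnContext) {
        if (log.isDebugEnabled()) {
            log.debug("Setting error to client authentication context : Error code : " + str + ", Error message : " + str2);
        }
        oAuthClientAuthnContext.setAuthenticated(false);
        oAuthClientAuthnContext.setErrorCode(str);
        oAuthClientAuthnContext.setErrorMessage(str2);
    }

    /** Returns {@code true} when the authenticator reports itself as not enabled. */
    private boolean isAuthenticatorDisabled(OAuthClientAuthenticator oAuthClientAuthenticator) {
        return !oAuthClientAuthenticator.isEnabled();
    }

    /**
     * Copies the error code and message of an authenticator failure onto the context.
     *
     * <p>NOTE(review): the exception message is stored verbatim as the context error message and
     * is presumably returned to the client; verify that authenticators keep internal detail out
     * of their exception messages.
     */
    private void handleClientAuthnException(OAuthClientAuthenticator oAuthClientAuthenticator, OAuthClientAuthnContext oAuthClientAuthnContext, OAuthClientAuthnException oAuthClientAuthnException) {
        if (log.isDebugEnabled()) {
            log.debug("Error while evaluating client authenticator : " + oAuthClientAuthenticator.getName(), oAuthClientAuthnException);
        }
        setErrorToContext(oAuthClientAuthnException.getErrorCode(), oAuthClientAuthnException.getMessage(), oAuthClientAuthnContext);
    }

    /**
     * Asks the authenticator to authenticate the client and stores the result on the context,
     * setting {@code invalid_client} when the authenticator rejects the credentials.
     *
     * @throws OAuthClientAuthnException if the authenticator fails while evaluating the request
     */
    private void authenticateClient(OAuthClientAuthenticator oAuthClientAuthenticator, OAuthClientAuthnContext oAuthClientAuthnContext, HttpServletRequest httpServletRequest, Map<String, List> map) throws OAuthClientAuthnException {
        boolean authenticated = oAuthClientAuthenticator.authenticateClient(httpServletRequest, map, oAuthClientAuthnContext);
        if (log.isDebugEnabled()) {
            log.debug("Authentication result from OAuth client authenticator " + oAuthClientAuthenticator.getName() + " is : " + authenticated);
        }
        oAuthClientAuthnContext.setAuthenticated(authenticated);
        if (!authenticated) {
            setErrorToContext("invalid_client", "Client credentials are invalid.", oAuthClientAuthnContext);
        }
    }

    /** Records the authenticator's name on the context as one that was engaged for this request. */
    private void addAuthenticatorToContext(OAuthClientAuthenticator oAuthClientAuthenticator, OAuthClientAuthnContext oAuthClientAuthnContext) {
        if (log.isDebugEnabled()) {
            log.debug("Authenticator " + oAuthClientAuthenticator.getName() + " can authenticate the client request.  Hence trying to evaluate authentication");
        }
        oAuthClientAuthnContext.addAuthenticator(oAuthClientAuthenticator.getName());
    }

    /** Delegates to the authenticator's own {@code canAuthenticate} check, with a debug trace. */
    private boolean canAuthenticate(OAuthClientAuthenticator oAuthClientAuthenticator, OAuthClientAuthnContext oAuthClientAuthnContext, HttpServletRequest httpServletRequest, Map<String, List> map) {
        if (log.isDebugEnabled()) {
            log.debug("Evaluating canAuthenticate of authenticator : " + oAuthClientAuthenticator.getName());
        }
        return oAuthClientAuthenticator.canAuthenticate(httpServletRequest, map, oAuthClientAuthnContext);
    }

    /**
     * Returns the registered authenticators that support the token endpoint auth method
     * configured for the application, or an empty list when the application configures none.
     *
     * @param str the client id of the application
     * @throws OAuthClientAuthnException with code {@code invalid_request} if the application
     *                                   information cannot be retrieved
     */
    private List<OAuthClientAuthenticator> getConfiguredClientAuthMethods(String str) throws OAuthClientAuthnException {
        String tenantDomain = IdentityTenantUtil.resolveTenantDomain();
        try {
            String configuredMethod = OAuth2Util.getAppInformationByClientId(str, tenantDomain).getTokenEndpointAuthMethod();
            if (StringUtils.isBlank(configuredMethod)) {
                return Collections.emptyList();
            }
            return getApplicableClientAuthenticators(Collections.singletonList(configuredMethod));
        } catch (IdentityOAuth2Exception | InvalidOAuthClientException e) {
            throw new OAuthClientAuthnException("Error occurred while retrieving app information for client id: " + str + " of tenantDomain: " + tenantDomain, "invalid_request", e);
        }
    }

    /**
     * Returns the first non-blank client id that any registered authenticator can read from the
     * request, or {@code null} (or a blank value) when none can.
     *
     * <p>Each authenticator is given a fresh context, and an authenticator that fails is only
     * traced at debug level. The enabled flag is not consulted here, so a disabled authenticator
     * can still supply the client id that selects the application configuration.
     * NOTE(review): confirm that this is intended.
     *
     * @param httpServletRequest the incoming request
     * @param map                the parsed body parameters of the request
     * @return the extracted client id, possibly {@code null}
     * @throws OAuthClientAuthnException declared for callers; failures of individual
     *                                   authenticators are caught inside the loop
     */
    public String extractClientId(HttpServletRequest httpServletRequest, Map<String, List> map) throws OAuthClientAuthnException {
        String clientId = null;
        for (OAuthClientAuthenticator authenticator : getClientAuthenticators()) {
            try {
                clientId = authenticator.getClientId(httpServletRequest, map, new OAuthClientAuthnContext());
            } catch (OAuthClientAuthnException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Client ID cannot be extracted using the " + authenticator.getName(), e);
                }
            }
            if (StringUtils.isNotBlank(clientId)) {
                break;
            }
        }
        return clientId;
    }

    /**
     * Restricts the authenticators of a FAPI-conformant application to those supporting at least
     * one method allowed by {@code FAPI_CLIENT_AUTH_METHOD_CONFIGURATION}.
     *
     * @param list the authenticators configured for the application; when empty, the registered
     *             authenticators are filtered instead
     * @return the permitted authenticators, possibly empty
     */
    private List<OAuthClientAuthenticator> filterClientAuthenticatorsForFapi(List<OAuthClientAuthenticator> list) {
        List<String> fapiAllowedMethods = IdentityUtil.getPropertyAsList(FAPI_CLIENT_AUTH_METHOD_CONFIGURATION);
        if (list.isEmpty()) {
            return getApplicableClientAuthenticators(fapiAllowedMethods);
        }
        List<OAuthClientAuthenticator> permitted = new ArrayList<>();
        for (OAuthClientAuthenticator authenticator : list) {
            if (supportsAnyMethod(authenticator, fapiAllowedMethods)) {
                permitted.add(authenticator);
            }
        }
        return permitted;
    }

    /**
     * Returns the registered authenticators that support at least one of the given method names.
     *
     * @param list the client authentication method names to match
     * @return the matching authenticators, possibly empty
     */
    private List<OAuthClientAuthenticator> getApplicableClientAuthenticators(List<String> list) {
        List<OAuthClientAuthenticator> applicable = new ArrayList<>();
        for (OAuthClientAuthenticator authenticator : getClientAuthenticators()) {
            if (supportsAnyMethod(authenticator, list)) {
                applicable.add(authenticator);
            }
        }
        return applicable;
    }

    /** Returns {@code true} when the authenticator supports at least one of the named methods. */
    private boolean supportsAnyMethod(OAuthClientAuthenticator authenticator, List<String> methodNames) {
        List<String> supportedNames = new ArrayList<>();
        for (ClientAuthenticationMethodModel method : authenticator.getSupportedClientAuthenticationMethods()) {
            supportedNames.add(method.getName());
        }
        return methodNames.stream().anyMatch(supportedNames::contains);
    }
}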
