package org.wso2.carbon.identity.oauth2.client.authentication;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.axiom.util.base64.Base64Utils;
import org.apache.commons.io.Charsets;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
import org.wso2.carbon.identity.oauth2.device.constants.Constants;
import org.wso2.carbon.identity.oauth2.model.ClientAuthenticationMethodModel;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/client/authentication/BasicAuthClientAuthenticator.class */
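/**
 * OAuth2 client authenticator for the {@code client_secret_basic} and {@code client_secret_post}
 * methods: the client id and secret arrive either in an HTTP Basic {@code Authorization} header or
 * as {@code client_id}/{@code client_secret} body parameters. Supplying both at once is rejected
 * with {@code invalid_request}. The actual secret check is delegated to
 * {@link OAuth2Util#authenticateClient(String, String)}; this class only locates and parses the
 * credentials. The client secret is never written to the log.
 */
public class BasicAuthClientAuthenticator extends AbstractOAuthClientAuthenticator {
    private static final Log log = LogFactory.getLog(BasicAuthClientAuthenticator.class);
    private static final String CREDENTIAL_SEPARATOR = ":";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String SIMPLE_CASE_AUTHORIZATION_HEADER = "authorization";
    private static final String BASIC_PREFIX = "Basic";
    private static final int CREDENTIAL_LENGTH = 2;
    private static final String CLIENT_ID = "client_id";
    private static final String CLIENT_SECRET = "client_secret";
    private static final String CLIENT_SECRET_BASIC = "client_secret_basic";
    private static final String CLIENT_SECRET_POST = "client_secret_post";
    private static final String CLIENT_SECRET_BASIC_DISPLAY_NAME = "Client Secret Basic";
    private static final String CLIENT_SECRET_POST_DISPLAY_NAME = "Client Secret Post";

    /**
     * Returns the ordering priority of this authenticator among the registered client authenticators.
     *
     * @return the fixed priority {@code 100}
     */
    public int getPriority() {
        return 100;
    }

    /**
     * Authenticates the client using the id/secret pair found in the request.
     *
     * <p>First rejects requests that carry credentials in both the header and the body, then resolves
     * the client id (if the context does not already hold one) and finally verifies the secret via
     * {@link OAuth2Util#authenticateClient(String, String)}.
     *
     * @param httpServletRequest    the incoming token request
     * @param map                   the request body parameters (parameter name to list of values)
     * @param oAuthClientAuthnContext the authentication context that receives the client id and secret
     * @return {@code true} if the secret matches the registered client, {@code false} otherwise
     * @throws OAuthClientAuthnException with error code {@code invalid_request} when credentials are
     *                                   duplicated, or {@code invalid_client} when the header is
     *                                   malformed or the client cannot be authenticated
     */
    @Override // org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthenticator
    public boolean authenticateClient(HttpServletRequest httpServletRequest, Map<String, List> map,
                                      OAuthClientAuthnContext oAuthClientAuthnContext) throws OAuthClientAuthnException {
        validateAuthenticationInfo(httpServletRequest, map);
        if (StringUtils.isEmpty(oAuthClientAuthnContext.getClientId())) {
            oAuthClientAuthnContext.setClientId(getClientId(httpServletRequest, map, oAuthClientAuthnContext));
        }
        String clientId = oAuthClientAuthnContext.getClientId();
        try {
            // Only the client id is logged; the secret must never reach the log.
            if (log.isDebugEnabled()) {
                log.debug("Authenticating client : " + clientId + " with client secret.");
            }
            return OAuth2Util.authenticateClient(clientId, (String) oAuthClientAuthnContext.getParameter(CLIENT_SECRET));
        } catch (InvalidOAuthClientException | IdentityOAuth2Exception e) {
            throw new OAuthClientAuthnException("Invalid Client : " + clientId, "invalid_client", e);
        } catch (IdentityOAuthAdminException e2) {
            throw new OAuthClientAuthnException("Error while authenticating client", "invalid_client", e2);
        }
    }

    /**
     * Rejects requests that present Basic credentials in the header and also carry a client id and
     * secret in the body.
     *
     * @param httpServletRequest the incoming request
     * @param map                the request body parameters
     * @throws OAuthClientAuthnException with {@code invalid_request} if credentials are duplicated
     */
    private void validateAuthenticationInfo(HttpServletRequest httpServletRequest, Map<String, List> map)
            throws OAuthClientAuthnException {
        if (isBasicAuthorizationHeaderExists(httpServletRequest)) {
            // The guard must match the level being logged; the original checked isErrorEnabled() here.
            if (log.isDebugEnabled()) {
                log.debug("Authorization header exists. Hence validating whether body params also present");
            }
            validateDuplicatedBasicAuthInfo(httpServletRequest, map);
        }
    }

    /**
     * Reports whether this authenticator can handle the request, i.e. whether a Basic
     * {@code Authorization} header or a {@code client_id}/{@code client_secret} body pair is present.
     *
     * @param httpServletRequest    the incoming request
     * @param map                   the request body parameters
     * @param oAuthClientAuthnContext the authentication context (not consulted here)
     * @return {@code true} if Basic credentials are present in the header or the body
     */
    @Override // org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthenticator
    public boolean canAuthenticate(HttpServletRequest httpServletRequest, Map<String, List> map,
                                   OAuthClientAuthnContext oAuthClientAuthnContext) {
        if (isBasicAuthorizationHeaderExists(httpServletRequest)) {
            if (log.isDebugEnabled()) {
                log.debug("Basic auth credentials exists as Authorization header. Hence returning true.");
            }
            return true;
        }
        if (isClientCredentialsExistsAsParams(map)) {
            if (log.isDebugEnabled()) {
                log.debug("Basic auth credentials present as body params. Hence returning true");
            }
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("Client id and secret neither present as Authorization header nor as body params. Hence returning false");
        }
        return false;
    }

    /**
     * Returns the registered name of this authenticator.
     *
     * @return {@code "BasicOAuthClientCredAuthenticator"}
     */
    public String getName() {
        return "BasicOAuthClientCredAuthenticator";
    }

    /**
     * Extracts the client id (and, as a side effect, the client secret) from the request and stores
     * both in the context. The header takes precedence; body parameters are used only when no Basic
     * header is present.
     *
     * @param httpServletRequest    the incoming request
     * @param map                   the request body parameters
     * @param oAuthClientAuthnContext the context that receives the client id and the
     *                              {@code client_secret} parameter
     * @return the client id now held by the context (may be {@code null} if absent from the body)
     * @throws OAuthClientAuthnException with {@code invalid_request} if credentials are duplicated or
     *                                   {@code invalid_client} if the header cannot be parsed
     */
    @Override // org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthenticator
    public String getClientId(HttpServletRequest httpServletRequest, Map<String, List> map,
                              OAuthClientAuthnContext oAuthClientAuthnContext) throws OAuthClientAuthnException {
        if (isBasicAuthorizationHeaderExists(httpServletRequest)) {
            validateDuplicatedBasicAuthInfo(httpServletRequest, map);
            String[] credentials = extractCredentialsFromAuthzHeader(getAuthorizationHeader(httpServletRequest),
                    oAuthClientAuthnContext);
            oAuthClientAuthnContext.setClientId(credentials[0]);
            oAuthClientAuthnContext.addParameter(CLIENT_SECRET, credentials[1]);
        } else {
            setClientCredentialsFromParam(map, oAuthClientAuthnContext);
        }
        return oAuthClientAuthnContext.getClientId();
    }

    /**
     * Throws if the body also carries a client id and secret while a Basic header is being processed.
     *
     * @param httpServletRequest the incoming request (unused; kept for subclass compatibility)
     * @param map                the request body parameters
     * @throws OAuthClientAuthnException with error code {@code invalid_request}
     */
    protected void validateDuplicatedBasicAuthInfo(HttpServletRequest httpServletRequest, Map<String, List> map)
            throws OAuthClientAuthnException {
        if (isClientCredentialsExistsAsParams(map)) {
            if (log.isDebugEnabled()) {
                log.debug("Client Id and Client Secret found in request body and Authorization header. Credentials should be sent in either request body or Authorization header, not both");
            }
            throw new OAuthClientAuthnException("Request body and headers contain authorization information", "invalid_request");
        }
    }

    /**
     * Checks whether the request carries a non-empty {@code Authorization} header whose value starts
     * with {@code Basic}, compared case-insensitively and independent of the default locale.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if a Basic authorization header is present
     */
    protected boolean isBasicAuthorizationHeaderExists(HttpServletRequest httpServletRequest) {
        String authorizationHeader = getAuthorizationHeader(httpServletRequest);
        // regionMatches(ignoreCase=true) avoids the locale-sensitive toUpperCase() comparison.
        boolean hasBasicPrefix = StringUtils.isNotEmpty(authorizationHeader)
                && authorizationHeader.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length());
        if (!hasBasicPrefix && log.isDebugEnabled()) {
            log.debug("Basic authorization does not exist");
        }
        return hasBasicPrefix;
    }

    /**
     * Reads the {@code Authorization} header, falling back to the all-lowercase header name.
     *
     * @param httpServletRequest the incoming request
     * @return the raw header value, or {@code null}/empty if absent
     */
    protected String getAuthorizationHeader(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        if (StringUtils.isEmpty(header)) {
            header = httpServletRequest.getHeader(SIMPLE_CASE_AUTHORIZATION_HEADER);
        }
        if (StringUtils.isBlank(header) && log.isDebugEnabled()) {
            log.debug("Authorization header is empty");
        }
        return header;
    }

    /**
     * Checks whether both {@code client_id} and {@code client_secret} are present and non-empty in the
     * body parameters.
     *
     * @param map the request body parameters
     * @return {@code true} if both body parameters are non-empty
     */
    protected boolean isClientCredentialsExistsAsParams(Map<String, List> map) {
        Map<String, String> bodyParameters = getBodyParameters(map);
        return StringUtils.isNotEmpty(bodyParameters.get(CLIENT_ID))
                && StringUtils.isNotEmpty(bodyParameters.get(CLIENT_SECRET));
    }

    /**
     * Parses a {@code Basic <base64>} header value into {@code [clientId, clientSecret]}.
     *
     * <p>The decoded value is split at the first {@code ':'} only: per RFC 7617 the user-id (client
     * id) cannot contain a colon, but the password (client secret) may, so splitting on every colon
     * would wrongly reject such secrets. Both parts must be non-empty.
     *
     * @param str                   the full {@code Authorization} header value
     * @param oAuthClientAuthnContext the authentication context (not used by this implementation)
     * @return a two-element array: client id at index 0, client secret at index 1
     * @throws OAuthClientAuthnException with {@code invalid_client} if the header is not of the form
     *                                   {@code <authMethod> <base64>} or the decoded value is not a
     *                                   non-empty {@code id:secret} pair
     */
    protected static String[] extractCredentialsFromAuthzHeader(String str, OAuthClientAuthnContext oAuthClientAuthnContext)
            throws OAuthClientAuthnException {
        String[] schemeAndToken = str.trim().split(Constants.SEPARATED_WITH_SPACE);
        if (schemeAndToken.length == CREDENTIAL_LENGTH) {
            // NOTE(review): Base64Utils.decode's handling of malformed input is not visible here; confirm it
            // cannot throw an unchecked exception that would escape instead of the invalid_client error below.
            String decoded = new String(Base64Utils.decode(schemeAndToken[1].trim()), StandardCharsets.UTF_8);
            String[] credentials = decoded.split(CREDENTIAL_SEPARATOR, CREDENTIAL_LENGTH);
            if (credentials.length == CREDENTIAL_LENGTH
                    && StringUtils.isNotEmpty(credentials[0])
                    && StringUtils.isNotEmpty(credentials[1])) {
                return credentials;
            }
        }
        throw new OAuthClientAuthnException("Error decoding authorization header. Space delimited \"<authMethod> <base64Hash>\" format violated.", "invalid_client");
    }

    /**
     * Copies {@code client_id} and {@code client_secret} from the body parameters into the context.
     *
     * @param map                   the request body parameters
     * @param oAuthClientAuthnContext the context to populate
     */
    protected void setClientCredentialsFromParam(Map<String, List> map, OAuthClientAuthnContext oAuthClientAuthnContext) {
        Map<String, String> bodyParameters = getBodyParameters(map);
        oAuthClientAuthnContext.setClientId(bodyParameters.get(CLIENT_ID));
        oAuthClientAuthnContext.addParameter(CLIENT_SECRET, bodyParameters.get(CLIENT_SECRET));
    }

    /**
     * Lists the client authentication methods this authenticator implements.
     *
     * @return a new mutable list containing {@code client_secret_basic} and {@code client_secret_post}
     */
    @Override // org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthenticator
    public List<ClientAuthenticationMethodModel> getSupportedClientAuthenticationMethods() {
        List<ClientAuthenticationMethodModel> methods = new ArrayList<>();
        methods.add(new ClientAuthenticationMethodModel(CLIENT_SECRET_BASIC, CLIENT_SECRET_BASIC_DISPLAY_NAME));
        methods.add(new ClientAuthenticationMethodModel(CLIENT_SECRET_POST, CLIENT_SECRET_POST_DISPLAY_NAME));
        return methods;
    }
}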
