package org.wso2.carbon.identity.oauth2.authz.validators;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.owasp.encoder.Encode;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthRequestException;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.device.errorcodes.DeviceErrorCodes;
import org.wso2.carbon.identity.oauth2.dto.OAuth2ClientValidationResponseDTO;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.openidconnect.model.Constants;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/authz/validators/AbstractResponseTypeRequestValidator.class */
/**
 * Base class for {@code response_type}-specific authorization request validators.
 *
 * <p>Subclasses add the names of the request parameters they require to
 * {@link #parametersToValidate}; the only name consulted in this class is
 * {@code "redirect_uri"}, which toggles both the presence check in
 * {@link #validateInputParameters} and the callback comparison in
 * {@link #validateClientInfo}.
 *
 * <p>Note: this listing is decompiler output (raw {@code ArrayList}/{@code HashMap}
 * types, generic local names); the comments below describe what the visible code
 * does, not the original sources.
 */
public abstract class AbstractResponseTypeRequestValidator implements ResponseTypeRequestValidator {
    private static final Log log = LogFactory.getLog(AbstractResponseTypeRequestValidator.class);
    // OAuthAppDO.getState() value that allows the app to be used; compared case-insensitively.
    private static final String APP_STATE_ACTIVE = "ACTIVE";
    // Parameter names a subclass wants enforced. Only "redirect_uri" is read in this class.
    protected final List<String> parametersToValidate = new ArrayList();

    /**
     * Checks that the mandatory request parameters are present.
     *
     * <p>{@code client_id} is always required. {@code redirect_uri} is required only when a
     * subclass listed it in {@link #parametersToValidate} AND the request carries neither
     * {@code Constants.REQUEST_URI} nor {@code redirect_uri} (presumably a pushed/JAR
     * request reference makes the inline {@code redirect_uri} optional -- confirm against
     * {@code Constants.REQUEST_URI}'s definition).
     *
     * @param httpServletRequest the incoming authorization request
     * @throws InvalidOAuthRequestException with error code {@code invalid_request} when a
     *         required parameter is blank; the third constructor argument
     *         ({@code "invalid_client"} / {@code "invalid_redirect_uri"}) is passed through
     *         as-is -- its meaning is defined by the exception type, not here
     */
    @Override // org.wso2.carbon.identity.oauth2.authz.validators.ResponseTypeRequestValidator
    public void validateInputParameters(HttpServletRequest httpServletRequest) throws InvalidOAuthRequestException {
        if (StringUtils.isBlank(httpServletRequest.getParameter("client_id"))) {
            if (log.isDebugEnabled()) {
                log.debug("Client Id is not present in the authorization request");
            }
            // Diagnostic event is emitted unconditionally here (no isDiagnosticLogsEnabled() guard),
            // unlike the guarded calls in validateClientInfo/validateCallBack.
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "client_id is not present in the authorization request", "validate-input-parameters", (Map) null);
            throw new InvalidOAuthRequestException("Client Id is not present in the authorization request", "invalid_request", "invalid_client");
        }
        // redirect_uri is only mandatory for validators that opted in, and only when no
        // request_uri is supplied either.
        if (this.parametersToValidate.contains("redirect_uri") && StringUtils.isBlank(httpServletRequest.getParameter(Constants.REQUEST_URI)) && StringUtils.isBlank(httpServletRequest.getParameter("redirect_uri"))) {
            if (log.isDebugEnabled()) {
                log.debug("Redirect URI is not present in the authorization request");
            }
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "redirect_uri is not present in the authorization request", "validate-input-parameters", (Map) null);
            throw new InvalidOAuthRequestException("Redirect URI is not present in the authorization request", "invalid_request", "invalid_redirect_uri");
        }
    }

    /**
     * Resolves the OAuth application for the request's {@code client_id}, checks that it is
     * in the {@code ACTIVE} state and, via {@link #validateCallBack}, that the requested
     * {@code redirect_uri} is acceptable.
     *
     * <p>Never throws for the expected failure modes: every error path is converted into a
     * {@link OAuth2ClientValidationResponseDTO} with {@code validClient == false} and an
     * error code of {@code invalid_client} (client-side problem) or {@code server_error}
     * (lookup failure). Because the {@code InvalidOAuthClientException} message is copied
     * verbatim into the DTO's error message (and may therefore reach the end user), the only
     * message that embeds request input HTML-encodes it first.
     *
     * @param httpServletRequest the incoming authorization request; {@code client_id} and
     *        {@code redirect_uri} are read from it
     * @return the validation outcome; on success {@code validClient} is {@code true}
     */
    @Override // org.wso2.carbon.identity.oauth2.authz.validators.ResponseTypeRequestValidator
    public OAuth2ClientValidationResponseDTO validateClientInfo(HttpServletRequest httpServletRequest) {
        String parameter = httpServletRequest.getParameter("client_id");
        String parameter2 = httpServletRequest.getParameter("redirect_uri");
        if (log.isDebugEnabled()) {
            // NOTE(review): raw request values are written to the debug log here (no encoding);
            // acceptable only if the log sink neutralises control characters -- confirm.
            log.debug("Validate Client information request for client_id : " + parameter + " , callback_uri " + parameter2);
        }
        try {
            // Tenant-domain check runs before the blank check, so a blank client_id reaches
            // getTenantDomainOfOauthApp first; whatever that helper does with a blank id is
            // handled by the catch blocks below.
            OAuth2Util.validateRequestTenantDomain(OAuth2Util.getTenantDomainOfOauthApp(parameter));
            if (StringUtils.isBlank(parameter)) {
                if (LoggerUtils.isDiagnosticLogsEnabled()) {
                    LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "client_id cannot be empty.", "validate-input-parameters", (Map) null);
                }
                throw new InvalidOAuthClientException("Invalid client_id. No OAuth application has been registered with the given client_id");
            }
            OAuthAppDO appInformationByClientId = OAuth2Util.getAppInformationByClientId(parameter);
            String state = appInformationByClientId.getState();
            if (StringUtils.isEmpty(state)) {
                if (log.isDebugEnabled()) {
                    log.debug("A valid OAuth client could not be found for client_id: " + parameter);
                }
                if (LoggerUtils.isDiagnosticLogsEnabled()) {
                    HashMap hashMap = new HashMap();
                    hashMap.put("clientId", parameter);
                    LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap, "FAILED", "A valid OAuth application could not be found for given client_id.", "validate-input-parameters", (Map) null);
                }
                // Encoded because this message is surfaced through the DTO (see catch below).
                throw new InvalidOAuthClientException("A valid OAuth client could not be found for client_id: " + Encode.forHtml(parameter));
            }
            if (state.equalsIgnoreCase(APP_STATE_ACTIVE)) {
                return validateCallBack(parameter, parameter2, appInformationByClientId);
            }
            if (log.isDebugEnabled()) {
                log.debug("App is not in active state in client ID: " + parameter + ". App state is: " + state);
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap2 = new HashMap();
                hashMap2.put("clientId", parameter);
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap2, "FAILED", "OAuth application is not in active state.", "validate-input-parameters", (Map) null);
            }
            throw new InvalidOAuthClientException("Oauth application is not in active state.");
        } catch (InvalidOAuthClientException e) {
            // Client-attributable failure: the exception message becomes the DTO error message.
            if (log.isDebugEnabled()) {
                log.debug("Error while retrieving the Application Information", e);
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap3 = new HashMap();
                hashMap3.put("clientId", parameter);
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap3, "FAILED", "Cannot find an application associated with the given client_id", "validate-oauth-client", (Map) null);
            }
            OAuth2ClientValidationResponseDTO oAuth2ClientValidationResponseDTO = new OAuth2ClientValidationResponseDTO();
            oAuth2ClientValidationResponseDTO.setValidClient(false);
            oAuth2ClientValidationResponseDTO.setErrorCode("invalid_client");
            oAuth2ClientValidationResponseDTO.setErrorMsg(e.getMessage());
            return oAuth2ClientValidationResponseDTO;
        } catch (IdentityOAuth2Exception e2) {
            // Server-side failure: full cause goes to the server log, a fixed generic
            // message goes back to the caller so internal details are not exposed.
            log.error("Error when reading the Application Information.", e2);
            LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", (Map) null, "FAILED", "Server error occurred.", "validate-input-parameters", (Map) null);
            OAuth2ClientValidationResponseDTO oAuth2ClientValidationResponseDTO2 = new OAuth2ClientValidationResponseDTO();
            oAuth2ClientValidationResponseDTO2.setValidClient(false);
            oAuth2ClientValidationResponseDTO2.setErrorCode("server_error");
            oAuth2ClientValidationResponseDTO2.setErrorMsg("Error when processing the authorization request.");
            return oAuth2ClientValidationResponseDTO2;
        }
    }

    /**
     * Decides whether the requested redirect URI is acceptable for an active application.
     *
     * <p>Outcomes, in order:
     * <ol>
     *   <li>{@code "redirect_uri"} not in {@link #parametersToValidate}: valid, no callback
     *       checked and no callback URL set on the DTO.</li>
     *   <li>App has no grant types or no registered callback: invalid,
     *       {@code DeviceErrorCodes.UNAUTHORIZED_CLIENT}.</li>
     *   <li>Request carried no {@code redirect_uri} ({@code str2 == null}; note this is a
     *       null check, not a blank check, so {@code redirect_uri=} with an empty value
     *       falls through to the comparison): valid, the registered callback is returned.</li>
     *   <li>Otherwise valid only if {@link #validateCallbackURI} accepts the value; on
     *       mismatch the error code is {@code invalid_callback}.</li>
     * </ol>
     *
     * <p>Side effect: once the app passes the grant-type/callback presence check, the client
     * tenant id is set from the app owner's tenant domain via
     * {@code OAuth2Util.setClientTenatId}, regardless of the later outcome.
     *
     * @param str the {@code client_id}, used for logging only
     * @param str2 the requested {@code redirect_uri}, may be {@code null}
     * @param oAuthAppDO the registered application
     * @return a DTO describing the outcome
     */
    private OAuth2ClientValidationResponseDTO validateCallBack(String str, String str2, OAuthAppDO oAuthAppDO) {
        if (!this.parametersToValidate.contains("redirect_uri")) {
            OAuth2ClientValidationResponseDTO oAuth2ClientValidationResponseDTO = new OAuth2ClientValidationResponseDTO();
            oAuth2ClientValidationResponseDTO.setValidClient(true);
            return oAuth2ClientValidationResponseDTO;
        }
        OAuth2ClientValidationResponseDTO oAuth2ClientValidationResponseDTO2 = new OAuth2ClientValidationResponseDTO();
        if (StringUtils.isEmpty(oAuthAppDO.getGrantTypes()) || StringUtils.isEmpty(oAuthAppDO.getCallbackUrl())) {
            if (log.isDebugEnabled()) {
                log.debug("Registered App found for the given Client Id : " + str + " ,App Name : " + oAuthAppDO.getApplicationName() + ", does not support the requested grant type.");
            }
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap = new HashMap();
                hashMap.put("clientId", str);
                HashMap hashMap2 = new HashMap();
                hashMap2.put("callbackUrl", oAuthAppDO.getCallbackUrl());
                hashMap2.put("supportedGrantTypes", oAuthAppDO.getGrantTypes());
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap, "FAILED", "The OAuth client is not authorized to use the requested grant type.", "validate-input-parameters", hashMap2);
            }
            oAuth2ClientValidationResponseDTO2.setValidClient(false);
            oAuth2ClientValidationResponseDTO2.setErrorCode(DeviceErrorCodes.UNAUTHORIZED_CLIENT);
            oAuth2ClientValidationResponseDTO2.setErrorMsg("The authenticated client is not authorized to use this authorization grant type");
            return oAuth2ClientValidationResponseDTO2;
        }
        // Side effect independent of the callback outcome below.
        OAuth2Util.setClientTenatId(IdentityTenantUtil.getTenantId(oAuthAppDO.getAppOwner().getTenantDomain()));
        if (str2 == null) {
            // No redirect_uri in the request: fall back to the registered value.
            // NOTE(review): if the registered value is a "regexp=" pattern (see
            // validateCallbackURI), that literal pattern string is what ends up here -- confirm
            // the caller handles it.
            oAuth2ClientValidationResponseDTO2.setValidClient(true);
            oAuth2ClientValidationResponseDTO2.setCallbackURL(oAuthAppDO.getCallbackUrl());
            return oAuth2ClientValidationResponseDTO2;
        }
        if (log.isDebugEnabled()) {
            log.debug("Registered App found for the given Client Id : " + str + " ,App Name : " + oAuthAppDO.getApplicationName() + ", Callback URL : " + oAuthAppDO.getCallbackUrl());
        }
        if (validateCallbackURI(str2, oAuthAppDO)) {
            // The caller-supplied value (not the registered one) is returned on success.
            oAuth2ClientValidationResponseDTO2.setValidClient(true);
            oAuth2ClientValidationResponseDTO2.setCallbackURL(str2);
        } else {
            log.warn("Provided Callback URL does not match with the registered one.");
            if (LoggerUtils.isDiagnosticLogsEnabled()) {
                HashMap hashMap3 = new HashMap();
                hashMap3.put("clientId", str);
                hashMap3.put("redirectUri", str2);
                HashMap hashMap4 = new HashMap();
                // NOTE(review): the "redirectUri" key in the configuration map carries the
                // application name, not the registered callback URL -- looks unintended; confirm.
                hashMap4.put("redirectUri", oAuthAppDO.getApplicationName());
                LoggerUtils.triggerDiagnosticLogEvent("oauth-inbound-service", hashMap3, "FAILED", "redirect_uri in request does not match with the registered one.", "validate-input-parameters", hashMap4);
            }
            oAuth2ClientValidationResponseDTO2.setValidClient(false);
            oAuth2ClientValidationResponseDTO2.setErrorCode("invalid_callback");
            oAuth2ClientValidationResponseDTO2.setErrorMsg("callback.not.match");
        }
        return oAuth2ClientValidationResponseDTO2;
    }

    /**
     * Compares the requested redirect URI with the application's registered callback.
     *
     * <p>Two registration forms are supported: a literal URL, matched with exact string
     * equality, and a pattern registered as {@code regexp=<java-regex>}, matched with
     * {@link String#matches} (i.e. the whole URI must match the pattern).
     *
     * <p>Loopback handling: when the requested URI contains {@code 127.0.0.1} or {@code [::1]}
     * anywhere in the string, the first {@code :port} suffix immediately following that
     * literal is removed from the requested URI, and the same removal is applied to the
     * registered literal (or, in regex mode, to the pattern text) before comparing.
     * Presumably this is to honour the variable-port loopback redirect used by native apps
     * (RFC 8252 section 7.3) -- confirm. NOTE(review): the trigger is a substring test, not a
     * check on the URI's host component, so a loopback literal in a path or query also
     * activates the port stripping; exact equality still has to hold afterwards.
     *
     * <p>In regex mode with a loopback URI, only the port-stripped pattern is tried; if it
     * does not match, the method returns {@code false} without trying the original pattern.
     *
     * @param str the requested redirect URI (non-null; caller checks this)
     * @param oAuthAppDO the registered application; {@code getCallbackUrl()} is non-empty
     *        (guaranteed by validateCallBack before calling here)
     * @return {@code true} if the URI is accepted
     */
    private boolean validateCallbackURI(String str, OAuthAppDO oAuthAppDO) {
        // Non-null only when the registered callback is a "regexp=" pattern.
        String str2 = null;
        String callbackUrl = oAuthAppDO.getCallbackUrl();
        if (callbackUrl.startsWith("regexp=")) {
            str2 = callbackUrl.substring("regexp=".length());
        }
        if (log.isDebugEnabled()) {
            log.debug("Comparing provided callback URL: " + str + " with configured callback: " + callbackUrl);
        }
        if (str.matches("(.*127\\.0\\.0\\.1.*|.*\\[::1].*)")) {
            // Drop the port that directly follows the loopback literal (lookbehind keeps the literal).
            str = str.replaceFirst("(?<=127\\.0\\.0\\.1|\\[::1])(:[0-9]{1,5})", "");
            if (str2 != null) {
                // Regex mode: strip the same port shape from the pattern text itself, then match.
                if (str.matches(str2.replaceAll("(?<=127\\.0\\.0\\.1|\\[::1])(:[0-9]{1,5})", ""))) {
                    return true;
                }
                log.debug("Regex might contain port number capture group/groups for loopback ip address");
                return false;
            }
            // Literal mode: strip the port from the registered value so ports need not agree.
            callbackUrl = callbackUrl.replaceFirst("(?<=127\\.0\\.0\\.1|\\[::1])(:[0-9]{1,5})", "");
        }
        // Full-string regex match (String.matches is anchored) or exact literal equality.
        return (str2 != null && str.matches(str2)) || callbackUrl.equals(str);
    }
}
