package org.springframework.security.oauth2.server.authorization.authentication;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationProvider.class */
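/**
 * {@link AuthenticationProvider} that authenticates an OAuth 2.0 client at the token endpoint.
 *
 * <p>A client is accepted when it is registered, uses one of its registered client
 * authentication methods and then proves itself in one of two ways:
 * <ul>
 *   <li>it presented credentials (a client secret) that match the stored secret via the
 *       configured {@link PasswordEncoder}; or</li>
 *   <li>it presented no credentials and the request is an {@code authorization_code} grant
 *       whose {@code code_verifier} matches the {@code code_challenge} recorded with the
 *       authorization code (PKCE, RFC 7636).</li>
 * </ul>
 *
 * <p>Every rejection is reported as {@link OAuth2AuthenticationException} with error code
 * {@code invalid_client}; unknown client, wrong secret and bad verifier are deliberately
 * not distinguished so the response does not leak which check failed.
 *
 * <p>NOTE(review): the PKCE path looks the authorization up by code only and does not check
 * that the authorization was issued to the client being authenticated here. That binding is
 * presumably enforced by the authorization-code grant provider that runs next — confirm.
 * NOTE(review): the {@code code_verifier} length/alphabet constraints of RFC 7636 §4.1 are
 * not validated here either.
 */
public final class OAuth2ClientAuthenticationProvider implements AuthenticationProvider {
    private static final OAuth2TokenType AUTHORIZATION_CODE_TOKEN_TYPE = new OAuth2TokenType("code");

    // Token-request / authorization-request parameter names (RFC 6749 / RFC 7636).
    private static final String GRANT_TYPE = "grant_type";
    private static final String CODE = "code";
    private static final String CODE_VERIFIER = "code_verifier";
    private static final String CODE_CHALLENGE = "code_challenge";
    private static final String CODE_CHALLENGE_METHOD = "code_challenge_method";
    private static final String METHOD_PLAIN = "plain";
    private static final String METHOD_S256 = "S256";

    private final RegisteredClientRepository registeredClientRepository;
    private final OAuth2AuthorizationService authorizationService;
    private PasswordEncoder passwordEncoder;

    /**
     * @param registeredClientRepository source of {@link RegisteredClient}s, looked up by client id
     * @param oAuth2AuthorizationService source of issued authorizations, looked up by authorization code
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public OAuth2ClientAuthenticationProvider(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        this.registeredClientRepository = registeredClientRepository;
        this.authorizationService = oAuth2AuthorizationService;
        // Default encoder understands the "{id}hash" prefix format, so stored secrets can be
        // bcrypt/scrypt/etc.; {noop} secrets also match, which is a deployment concern.
        this.passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    /**
     * Replaces the encoder used to compare presented client secrets with stored ones.
     *
     * @param passwordEncoder the encoder; must not be {@code null}
     */
    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
        this.passwordEncoder = passwordEncoder;
    }

    /**
     * Authenticates the client described by an {@link OAuth2ClientAuthenticationToken}.
     *
     * @param authentication an {@link OAuth2ClientAuthenticationToken} (guaranteed by {@link #supports})
     * @return an authenticated token carrying the resolved {@link RegisteredClient}
     * @throws OAuth2AuthenticationException with error {@code invalid_client} on any failure,
     *         or {@code server_error} if the stored {@code code_challenge_method} is unsupported
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2ClientAuthenticationToken clientAuthentication = (OAuth2ClientAuthenticationToken) authentication;

        String clientId = clientAuthentication.getPrincipal().toString();
        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
        if (registeredClient == null) {
            throw invalidClient();
        }

        // The client may only use an authentication method it was registered with, e.g. a
        // public client registered with "none" cannot switch to presenting a secret.
        if (!registeredClient.getClientAuthenticationMethods().contains(clientAuthentication.getClientAuthenticationMethod())) {
            throw invalidClient();
        }

        boolean secretVerified = false;
        if (clientAuthentication.getCredentials() != null) {
            String presentedSecret = clientAuthentication.getCredentials().toString();
            // The encoder performs the (hash-format aware) comparison; a null stored secret
            // simply never matches.
            if (!this.passwordEncoder.matches(presentedSecret, registeredClient.getClientSecret())) {
                throw invalidClient();
            }
            secretVerified = true;
        }

        // Without a secret the only accepted proof is a valid PKCE code_verifier for the
        // authorization code being redeemed.
        if (!secretVerified && !authenticatePkceIfAvailable(clientAuthentication, registeredClient)) {
            throw invalidClient();
        }

        return new OAuth2ClientAuthenticationToken(registeredClient, clientAuthentication.getClientAuthenticationMethod(), clientAuthentication.getCredentials());
    }

    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2ClientAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Attempts PKCE-based authentication.
     *
     * @return {@code false} if the request is not an {@code authorization_code} grant carrying a
     *         code (nothing to verify); {@code true} if the verifier matches the stored challenge
     * @throws OAuth2AuthenticationException ({@code invalid_client}) if the code is unknown, the
     *         client requires PKCE but no challenge was recorded, or the verifier does not match
     */
    private boolean authenticatePkceIfAvailable(OAuth2ClientAuthenticationToken clientAuthentication, RegisteredClient registeredClient) {
        Map<String, Object> parameters = clientAuthentication.getAdditionalParameters();
        if (CollectionUtils.isEmpty(parameters) || !authorizationCodeGrant(parameters)) {
            return false;
        }

        OAuth2Authorization authorization = this.authorizationService.findByToken(
                (String) parameters.get(CODE), AUTHORIZATION_CODE_TOKEN_TYPE);
        if (authorization == null) {
            throw invalidClient();
        }

        OAuth2AuthorizationRequest authorizationRequest =
                (OAuth2AuthorizationRequest) authorization.getAttribute(OAuth2AuthorizationRequest.class.getName());
        if (authorizationRequest == null) {
            // An authorization with no recorded request cannot be verified; fail closed with the
            // same error as every other rejection rather than NPE-ing into a 500.
            throw invalidClient();
        }

        String codeChallenge = (String) authorizationRequest.getAdditionalParameters().get(CODE_CHALLENGE);
        if (!StringUtils.hasText(codeChallenge) && registeredClient.getClientSettings().isRequireProofKey()) {
            throw invalidClient();
        }

        // If no challenge was recorded (and PKCE is not required) the comparison below still
        // fails, so a public client can never authenticate without a matching challenge.
        String codeVerifier = (String) parameters.get(CODE_VERIFIER);
        String codeChallengeMethod = (String) authorizationRequest.getAdditionalParameters().get(CODE_CHALLENGE_METHOD);
        if (!codeVerifierValid(codeVerifier, codeChallenge, codeChallengeMethod)) {
            throw invalidClient();
        }
        return true;
    }

    /** True when the token request is an {@code authorization_code} grant that carries a code. */
    private static boolean authorizationCodeGrant(Map<String, Object> parameters) {
        return AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(parameters.get(GRANT_TYPE))
                && parameters.get(CODE) != null;
    }

    /**
     * Verifies a PKCE {@code code_verifier} against the recorded {@code code_challenge}.
     *
     * @param codeVerifier        the verifier presented at the token endpoint
     * @param codeChallenge       the challenge recorded at the authorization endpoint (may be {@code null})
     * @param codeChallengeMethod the recorded method; absent means {@code plain} (RFC 7636 §4.3)
     * @return {@code true} only when the verifier is present and matches
     * @throws OAuth2AuthenticationException ({@code server_error}) if the recorded method is not
     *         {@code plain} or {@code S256}, or SHA-256 is unavailable
     */
    private static boolean codeVerifierValid(String codeVerifier, String codeChallenge, String codeChallengeMethod) {
        if (!StringUtils.hasText(codeVerifier)) {
            return false;
        }
        if (!StringUtils.hasText(codeChallengeMethod) || METHOD_PLAIN.equals(codeChallengeMethod)) {
            return constantTimeEquals(codeVerifier, codeChallenge);
        }
        if (METHOD_S256.equals(codeChallengeMethod)) {
            // RFC 7636 §4.6: code_challenge == BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding.
            try {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
                String computedChallenge = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
                return constantTimeEquals(computedChallenge, codeChallenge);
            } catch (NoSuchAlgorithmException ignored) {
                // SHA-256 is mandatory in every JRE; if it is missing the platform is broken,
                // which the server_error below reports.
            }
        }
        throw new OAuth2AuthenticationException("server_error");
    }

    /**
     * Constant-time string comparison so verifier/challenge mismatches do not leak the position
     * of the first differing character through response timing. {@code null} never matches.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual.getBytes(StandardCharsets.UTF_8));
    }

    /** The single, uninformative rejection used for every client-side failure. */
    private static OAuth2AuthenticationException invalidClient() {
        return new OAuth2AuthenticationException("invalid_client");
    }
}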
