package com.appiancorp.oauth.inbound.credentials.verification;

import com.appiancorp.access.ServiceAccountMembershipCheck;
import com.appiancorp.oauth.inbound.authserver.exceptions.OAuthInvalidServiceAccountException;
import com.appiancorp.oauth.inbound.crypto.OAuthClientSecretService;
import com.appiancorp.oauth.inbound.exceptions.OAuthException;
import com.appiancorp.oauth.inbound.exceptions.shared.OAuthInvalidClientException;
import com.appiancorp.oauth.inbound.persistence.OAuthConfigDaoService;
import com.appiancorp.oauth.inbound.persistence.OAuthConfigEntity;
import com.appiancorp.security.auth.ServiceAccountStatus;
import com.nimbusds.oauth2.sdk.auth.verifier.InvalidClientException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/appiancorp/oauth/inbound/credentials/verification/OAuthClientCredentialsVerifierImpl.class */
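/**
 * Verifies the credentials of an inbound OAuth client and checks that the
 * service account bound to that client is still usable.
 *
 * <p>Verification is strictly ordered: the client configuration is looked up,
 * the presented secret is checked, and only then is the service account status
 * consulted. A caller therefore learns about a service account problem only
 * after presenting a secret that verified.
 */
public class OAuthClientCredentialsVerifierImpl implements OAuthClientCredentialsVerifier {
    private final OAuthConfigDaoService oAuthConfigDaoService;
    private final OAuthClientSecretService oAuthClientSecretService;
    private final ServiceAccountMembershipCheck serviceAccountMembershipCheck;
    private static final Logger LOG = LoggerFactory.getLogger(OAuthClientCredentialsVerifierImpl.class);

    /**
     * Creates a verifier backed by the given collaborators.
     *
     * @param oAuthConfigDaoService used to look up the active configuration for a client id
     * @param oAuthClientSecretService used to check the presented secret
     * @param serviceAccountMembershipCheck used to read the status of the bound service account
     */
    public OAuthClientCredentialsVerifierImpl(OAuthConfigDaoService oAuthConfigDaoService, OAuthClientSecretService oAuthClientSecretService, ServiceAccountMembershipCheck serviceAccountMembershipCheck) {
        this.oAuthConfigDaoService = oAuthConfigDaoService;
        this.oAuthClientSecretService = oAuthClientSecretService;
        this.serviceAccountMembershipCheck = serviceAccountMembershipCheck;
    }

    /**
     * Verifies a client id / secret pair and returns the matching active configuration.
     *
     * @param str the client id; used for the configuration lookup and as part of the
     *     value handed to the secret service
     * @param str2 the value checked by {@link OAuthClientSecretService}; presumably the
     *     secret presented by the client (a failed check raises {@code BAD_SECRET})
     * @return the active configuration for {@code str} once the secret verified and the
     *     bound service account reported {@link ServiceAccountStatus#VALID}
     * @throws OAuthInvalidClientException if no configuration is available for the client id,
     *     the secret check fails, or a collaborator raises {@link InvalidClientException}
     * @throws OAuthInvalidServiceAccountException if the configuration has no service account
     *     or its status is anything other than {@code VALID}
     * @throws OAuthException declared by the method signature for other OAuth failures
     */
    public OAuthConfigEntity verify(String str, String str2) throws OAuthException {
        try {
            OAuthConfigEntity activeConfigByClientId = this.oAuthConfigDaoService.getActiveConfigByClientId(str);
            // The DAO's behaviour for an unknown or inactive client id is not visible here.
            // If it can return null, fail closed as an invalid client instead of letting a
            // NullPointerException escape from the getSalt() call below, which would reach
            // the caller as a different failure than a wrong secret does.
            if (activeConfigByClientId == null) {
                throw InvalidClientException.BAD_ID;
            }
            // The secret service receives the client id concatenated with the per-config salt
            // plus the presented value.
            // NOTE(review): whether the comparison inside OAuthClientSecretService.verify is
            // constant-time cannot be determined from this class; confirm there.
            if (!this.oAuthClientSecretService.verify(str + activeConfigByClientId.getSalt(), str2)) {
                throw InvalidClientException.BAD_SECRET;
            }
            // Only reached after the secret verified. A missing service account id is treated
            // the same as a non-VALID status: the request is rejected.
            Long serviceAccountId = activeConfigByClientId.getServiceAccountId();
            if (serviceAccountId != null && this.serviceAccountMembershipCheck.getServiceAccountStatus(serviceAccountId) == ServiceAccountStatus.VALID) {
                return activeConfigByClientId;
            }
            // The client id is caller-supplied; it is passed as a log parameter, never
            // concatenated into the message template.
            LOG.debug("Service Account {} associated with client id {} is no longer in the Service Account group or has been deactivated", serviceAccountId, str);
            throw new OAuthInvalidServiceAccountException();
        } catch (InvalidClientException e) {
            // Translate the Nimbus exception into the project's OAuth exception, keeping the cause.
            throw new OAuthInvalidClientException(e);
        }
    }
}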
