package com.appiancorp.oauth.inbound.authserver.clients;

import com.appiancorp.oauth.inbound.AppianSessionRegistryAdapter;
import com.appiancorp.oauth.inbound.OAuthUserService;
import com.appiancorp.oauth.inbound.authserver.GrantedAuthorization;
import com.appiancorp.oauth.inbound.authserver.clients.pm.ProcessMiningFrontEndClientConfig;
import com.appiancorp.oauth.inbound.authserver.tokens.AuthCodeCheck;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.pkce.CodeChallenge;
import com.nimbusds.oauth2.sdk.pkce.CodeChallengeMethod;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.session.SessionInformation;

/* loaded from: input_file:com/appiancorp/oauth/inbound/authserver/clients/AuthCodeCheckImpl.class */
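public class AuthCodeCheckImpl implements AuthCodeCheck {
    private static final Logger LOG = LoggerFactory.getLogger(AuthCodeCheckImpl.class);
    private final TokenRequest tokenRequest;
    private final UserCheck userCheck;
    private final AppianSessionRegistryAdapter appianSessionRegistry;
    private final ProcessMiningFrontEndClientConfig clientConfig;
    private final OAuthUserService oAuthUserService;

    /**
     * Creates a check bound to one incoming token request.
     *
     * @param tokenRequest the token request that presents the authorization code
     * @param userCheck decides whether the resolved username may obtain a token
     * @param appianSessionRegistryAdapter looks up the session recorded at authorization time
     * @param processMiningFrontEndClientConfig supplies the single client id this server accepts
     * @param oAuthUserService resolves a user uuid to a username
     */
    public AuthCodeCheckImpl(TokenRequest tokenRequest, UserCheck userCheck, AppianSessionRegistryAdapter appianSessionRegistryAdapter, ProcessMiningFrontEndClientConfig processMiningFrontEndClientConfig, OAuthUserService oAuthUserService) {
        this.tokenRequest = tokenRequest;
        this.userCheck = userCheck;
        this.appianSessionRegistry = appianSessionRegistryAdapter;
        this.clientConfig = processMiningFrontEndClientConfig;
        this.oAuthUserService = oAuthUserService;
    }

    /**
     * Decides whether the bound token request may redeem the given authorization.
     *
     * <p>Every check must pass; the first failing one is logged at error level and
     * {@code false} is returned, so no single check can be bypassed by passing another.
     *
     * @param grantedAuthorization the state recorded when the authorization code was issued
     * @return {@code true} only when the session is live, the grant is an authorization-code
     *     grant, the PKCE verifier matches the recorded S256 challenge, the user exists and is
     *     authorized, no scope is requested, and the redirect URI and client id match what was
     *     recorded
     */
    @Override
    public boolean isAuthorized(GrantedAuthorization grantedAuthorization) {
        if (!hasLiveSession(grantedAuthorization)) {
            return false;
        }
        // Check the concrete grant type before casting so that a non-code grant is rejected
        // cleanly instead of failing with a ClassCastException.
        AuthorizationGrant grant = this.tokenRequest.getAuthorizationGrant();
        if (!(grant instanceof AuthorizationCodeGrant)) {
            GrantType type = grant == null ? null : grant.getType();
            LOG.error("Unsupported grant type {}, Expected: {}", type, GrantType.AUTHORIZATION_CODE);
            return false;
        }
        AuthorizationCodeGrant authorizationGrant = (AuthorizationCodeGrant) grant;
        return hasMatchingCodeChallenge(grantedAuthorization, authorizationGrant)
            && hasAuthorizedUser(grantedAuthorization)
            && hasNoScope()
            && hasMatchingRedirectUri(grantedAuthorization, authorizationGrant)
            && hasExpectedClientId();
    }

    /** The session captured at code issuance must still exist in the registry and not be expired. */
    private boolean hasLiveSession(GrantedAuthorization grantedAuthorization) {
        Optional<String> sessionId = grantedAuthorization.getSessionId();
        if (!sessionId.isPresent()) {
            LOG.error("Unexpected error, No session id was set at the time of auth code generation. User uuid: {}", grantedAuthorization.getUserUuid());
            return false;
        }
        SessionInformation sessionInformation = this.appianSessionRegistry.getSessionInformation(sessionId.get());
        if (sessionInformation == null || sessionInformation.isExpired()) {
            LOG.error("Session not found or has expired.");
            return false;
        }
        return true;
    }

    /**
     * Verifies the PKCE code_verifier presented in the token request against the S256
     * challenge recorded when the code was issued. A missing verifier is rejected rather
     * than passed into the challenge computation.
     */
    private boolean hasMatchingCodeChallenge(GrantedAuthorization grantedAuthorization, AuthorizationCodeGrant authorizationGrant) {
        Optional<String> codeChallenge = grantedAuthorization.getCodeChallenge();
        if (!codeChallenge.isPresent()) {
            LOG.error("Code challenge NOT found.");
            return false;
        }
        if (authorizationGrant.getCodeVerifier() == null) {
            LOG.error("Code verifier NOT found in token request.");
            return false;
        }
        CodeChallenge computed = CodeChallenge.compute(CodeChallengeMethod.S256, authorizationGrant.getCodeVerifier());
        // Constant-time comparison so the check does not leak how many leading bytes match.
        byte[] expected = codeChallenge.get().getBytes(StandardCharsets.UTF_8);
        byte[] actual = computed.getValue().getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) {
            LOG.error("Code challenge DO NOT match. Given: {}, Expected: {}", computed.getValue(), codeChallenge.get());
            return false;
        }
        return true;
    }

    /** The recorded user uuid must resolve to a username that the user check accepts. */
    private boolean hasAuthorizedUser(GrantedAuthorization grantedAuthorization) {
        String userUuid = grantedAuthorization.getUserUuid();
        if (userUuid == null) {
            LOG.error("Unexpected, Configured UserUuid when auth code was generated is null.");
            return false;
        }
        String username = this.oAuthUserService.getUsernameFromUuidAsAdmin(userUuid);
        // NOTE(review): the lookup appears to echo the uuid back when no user matches — confirm
        // against OAuthUserService before relying on this as the "not found" signal.
        if (userUuid.equals(username)) {
            LOG.error("Unable to find user uuid {}.", userUuid);
            return false;
        }
        if (!this.userCheck.isUserAuthorized(username)) {
            LOG.error("User with username of {} is not authorized.", username);
            return false;
        }
        return true;
    }

    /** This server issues no scopes; any requested scope is a mismatch. */
    private boolean hasNoScope() {
        Scope scope = this.tokenRequest.getScope();
        if (scope != null && !scope.isEmpty()) {
            LOG.error("Unexpected Scope values; we don't support any scopes. Scopes: {}", scope.toStringList());
            return false;
        }
        return true;
    }

    /** The redirect URI in the token request must equal the one recorded at code issuance. */
    private boolean hasMatchingRedirectUri(GrantedAuthorization grantedAuthorization, AuthorizationCodeGrant authorizationGrant) {
        URI redirectionURI = authorizationGrant.getRedirectionURI();
        if (redirectionURI == null) {
            LOG.error("Redirect URI is null.");
            return false;
        }
        Optional<URI> redirectURI = grantedAuthorization.getRedirectURI();
        if (!redirectURI.isPresent()) {
            LOG.error("Unexpected, No redirect uri was configured during auth code generation.");
            return false;
        }
        if (!redirectURI.get().equals(redirectionURI)) {
            LOG.error("Redirect uri mismatch. Given: {}, Expected: {}", redirectionURI, redirectURI.get());
            return false;
        }
        return true;
    }

    /** The client id in the token request must be the single configured client. */
    private boolean hasExpectedClientId() {
        ClientID clientID = this.tokenRequest.getClientID();
        // The client id may be absent from the request (e.g. when the client authenticated
        // another way); treat that as a mismatch rather than dereferencing null.
        if (clientID == null || !this.clientConfig.getClientId().equals(clientID.getValue())) {
            LOG.error("Invalid client id. Given: {}, Expected: {}", clientID, this.clientConfig.getClientId());
            return false;
        }
        return true;
    }
}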
