package org.apache.cxf.rs.security.oauth2.grants.code;

import jakarta.ws.rs.core.MultivaluedMap;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.AuthorizationRequestFilter;
import org.apache.cxf.rs.security.oauth2.provider.OAuthJoseJwtConsumer;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rt.security.crypto.CryptoUtils;

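/**
 * Authorization request filter that handles the {@code request} and {@code request_uri}
 * parameters of an OAuth2 authorization request.
 *
 * <p>When a JWT request object is available it is passed to the inherited
 * {@code getJwtToken} together with the decryption provider and signature verifier
 * initialised for the client. Its {@code iss}, {@code client_id} and {@code response_type}
 * claims are then checked against the client and the request, and its claims are merged
 * into a copy of the request parameters.
 *
 * <p>NOTE(review): this class itself checks only {@code iss}, {@code client_id} and
 * {@code response_type}. Whether expiry, audience and unsigned tokens are handled depends
 * on the superclass, which is not visible here; confirm before relying on it.
 */
public class JwtRequestCodeFilter extends OAuthJoseJwtConsumer implements AuthorizationRequestFilter {
    protected static final Logger LOG = LogUtils.getL7dLogger(JwtRequestCodeFilter.class);
    private static final String REQUEST_URI_CONTENT_TYPE = "application/oauth-authz-req+jwt";
    private static final String REQUEST_PARAM = "request";
    private static final String REQUEST_URI_PARAM = "request_uri";
    private boolean verifyWithClientCertificates;
    private String issuer;
    private final JsonMapObjectReaderWriter jsonHandler = new JsonMapObjectReaderWriter();

    /**
     * Resolves and validates the JWT request object, then merges its claims into the
     * request parameters.
     *
     * @param multivaluedMap the incoming authorization request parameters
     * @param userSubject the end user; not used by this implementation
     * @param client the registered client making the request
     * @return the original parameters when no request object is available, otherwise a
     *         copy in which every non-null claim replaces any same-named parameter
     * @throws SecurityException if both {@code request} and {@code request_uri} are
     *         supplied, or the issuer, {@code client_id} or {@code response_type} claim
     *         does not match
     */
    @Override
    public MultivaluedMap<String, String> process(MultivaluedMap<String, String> multivaluedMap, UserSubject userSubject, Client client) {
        String requestToken = multivaluedMap.getFirst(REQUEST_PARAM);
        String requestUri = multivaluedMap.getFirst(REQUEST_URI_PARAM);
        if (requestToken == null) {
            // The URI comes straight from the request, so it is dereferenced only when
            // isRequestUriValid() has approved it; otherwise request_uri is ignored.
            if (isRequestUriValid(client, requestUri)) {
                requestToken = WebClient.create(requestUri).accept(REQUEST_URI_CONTENT_TYPE).get(String.class);
            }
        } else if (requestUri != null) {
            LOG.warning("It is not valid to specify both a request and request_uri value");
            throw new SecurityException();
        }
        if (requestToken == null) {
            return multivaluedMap;
        }

        JwtClaims claims = getJwtToken(
            requestToken,
            super.getInitializedDecryptionProvider(client.getClientSecret()),
            getInitializedSigVerifier(client)).getClaims();

        // The issuer must be the configured one or, when none is configured, the client id.
        String expectedIssuer = this.issuer != null ? this.issuer : client.getClientId();
        if (!expectedIssuer.equals(claims.getIssuer())) {
            // Static messages only: claim values are client-supplied and are kept out of the log.
            LOG.warning("The request object issuer does not match the expected issuer");
            throw new SecurityException();
        }

        // client_id is optional in the request object, but if present it must name this client.
        if (claims.getClaim("client_id") != null
            && !claims.getStringProperty("client_id").equals(client.getClientId())) {
            LOG.warning("The request object client_id does not match the requesting client");
            throw new SecurityException();
        }

        // response_type is optional too, but if present it must equal the request parameter.
        String tokenResponseType = (String) claims.getClaim(OAuthConstants.RESPONSE_TYPE);
        if (tokenResponseType != null
            && !tokenResponseType.equals(multivaluedMap.getFirst(OAuthConstants.RESPONSE_TYPE))) {
            LOG.warning("The request object response_type does not match the request parameter");
            throw new SecurityException();
        }

        // Work on a copy; each claim overrides the same-named request parameter.
        MetadataMap<String, String> mergedParams = new MetadataMap<>(multivaluedMap);
        for (Map.Entry<String, Object> entry : claims.asMap().entrySet()) {
            Object value = entry.getValue();
            if (value == null) {
                // A null claim has no string form; skip it rather than fail on toString().
                continue;
            }
            if (value instanceof Map) {
                Map<String, Object> nestedMap = CastUtils.cast((Map<?, ?>) value);
                value = this.jsonHandler.toJson(nestedMap);
            } else if (value instanceof List) {
                List<Object> nestedList = CastUtils.cast((List<?>) value);
                value = this.jsonHandler.toJson(nestedList);
            }
            mergedParams.putSingle(entry.getKey(), value.toString());
        }
        return mergedParams;
    }

    /**
     * Decides whether the {@code request_uri} value may be fetched by this server.
     *
     * <p>Returns {@code false} by default, so {@code request_uri} is never dereferenced.
     * An override that returns {@code true} causes {@link #process} to issue an outbound
     * GET to a URI taken from the request, so it should accept only URIs that were
     * registered for the client in advance.
     *
     * @param client the registered client making the request
     * @param str the {@code request_uri} parameter value; may be {@code null}
     * @return {@code true} if the URI may be fetched
     */
    protected boolean isRequestUriValid(Client client, String str) {
        return false;
    }

    /**
     * Builds the signature verifier used for the client's request object.
     *
     * <p>With certificate verification enabled, the first registered application
     * certificate of the client is decoded and used with {@code RS256}. Otherwise the
     * verifier is obtained from the superclass using the client secret.
     *
     * @param client the registered client making the request
     * @return the signature verifier to apply to the request object
     * @throws SecurityException if certificate verification is enabled but the client has
     *         no registered certificate
     */
    protected JwsSignatureVerifier getInitializedSigVerifier(Client client) {
        if (!this.verifyWithClientCertificates) {
            return super.getInitializedSignatureVerifier(client.getClientSecret());
        }
        List<String> certificates = client.getApplicationCertificates();
        if (certificates == null || certificates.isEmpty()) {
            // Reject explicitly instead of failing with an index or null pointer error.
            LOG.warning("Certificate verification is enabled but the client has no registered certificate");
            throw new SecurityException();
        }
        X509Certificate certificate = (X509Certificate) CryptoUtils.decodeCertificate(certificates.get(0));
        return JwsUtils.getPublicKeySignatureVerifier(certificate, SignatureAlgorithm.RS256);
    }

    /**
     * Sets the issuer the request object must carry; when unset, the client id is expected.
     *
     * @param str the expected {@code iss} claim value
     */
    public void setIssuer(String str) {
        this.issuer = str;
    }

    /**
     * Selects whether request objects are verified with the client's registered certificate
     * instead of the client secret.
     *
     * @param z {@code true} to verify with the client's certificate
     */
    public void setVerifyWithClientCertificates(boolean z) {
        this.verifyWithClientCertificates = z;
    }
}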
