package org.apereo.cas.oidc.web;

import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.validator.authorization.OAuth20AuthorizationRequestValidator;
import org.apereo.cas.support.oauth.web.OAuth20HandlerInterceptorAdapter;
import org.apereo.cas.support.oauth.web.OAuth20RequestParameterResolver;
import org.apereo.cas.support.oauth.web.response.accesstoken.ext.AccessTokenGrantRequestExtractor;
import org.apereo.cas.util.CollectionUtils;
import org.pac4j.core.context.session.SessionStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.ObjectProvider;
import org.springframework.http.HttpMethod;
import org.springframework.web.servlet.HandlerInterceptor;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/web/OidcHandlerInterceptorAdapter.class */
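/**
 * OpenID Connect request interceptor layered on top of the OAuth 2.0 interceptor.
 *
 * <p>In addition to the checks inherited from {@link OAuth20HandlerInterceptorAdapter}, it gates
 * three OIDC endpoints: the pushed authorization request (PAR) endpoint, the client configuration
 * endpoint and the dynamic client registration endpoint. Each is handed to a dedicated
 * authentication interceptor before the request reaches its controller.
 *
 * <p>URI matching is done by {@code doesUriMatchPattern}, which is inherited and not visible in
 * this file; its exact matching semantics should be checked in the superclass.
 */
public class OidcHandlerInterceptorAdapter extends OAuth20HandlerInterceptorAdapter {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcHandlerInterceptorAdapter.class);

    /** Authenticates callers of the dynamic client registration endpoint when registration is protected. */
    private final ObjectProvider<HandlerInterceptor> requiresAuthenticationDynamicRegistrationInterceptor;

    /** Authenticates callers of the client configuration endpoint. */
    private final ObjectProvider<HandlerInterceptor> requiresAuthenticationClientConfigurationInterceptor;

    /** CAS settings; read here for the PAR requirement and the dynamic registration mode. */
    private final CasConfigurationProperties casProperties;

    /**
     * Creates the interceptor. Parameter names are decompiler-generated; the mapping below is
     * taken from how each argument is used in this constructor.
     *
     * @param objectProvider first interceptor forwarded to the superclass (role not visible here)
     * @param objectProvider2 second interceptor forwarded to the superclass (role not visible here)
     * @param objectProvider3 interceptor protecting dynamic client registration
     * @param objectProvider4 interceptor protecting the client configuration endpoint
     * @param casConfigurationProperties CAS configuration
     * @param objectProvider5 access token grant request extractors, forwarded to the superclass
     * @param objectProvider6 services manager, forwarded to the superclass
     * @param objectProvider7 session store, forwarded to the superclass
     * @param objectProvider8 authorization request validators, forwarded to the superclass
     * @param objectProvider9 request parameter resolver, forwarded to the superclass
     */
    public OidcHandlerInterceptorAdapter(ObjectProvider<HandlerInterceptor> objectProvider, ObjectProvider<HandlerInterceptor> objectProvider2, ObjectProvider<HandlerInterceptor> objectProvider3, ObjectProvider<HandlerInterceptor> objectProvider4, CasConfigurationProperties casConfigurationProperties, ObjectProvider<List<AccessTokenGrantRequestExtractor>> objectProvider5, ObjectProvider<ServicesManager> objectProvider6, ObjectProvider<SessionStore> objectProvider7, ObjectProvider<List<OAuth20AuthorizationRequestValidator>> objectProvider8, ObjectProvider<OAuth20RequestParameterResolver> objectProvider9) {
        super(objectProvider, objectProvider2, objectProvider5, objectProvider6, objectProvider7, objectProvider8, objectProvider9);
        this.requiresAuthenticationDynamicRegistrationInterceptor = objectProvider3;
        this.casProperties = casConfigurationProperties;
        this.requiresAuthenticationClientConfigurationInterceptor = objectProvider4;
    }

    /**
     * Decides whether an OIDC request may proceed to its handler.
     *
     * <p>Checks run in this order, and the first one that applies decides the outcome:
     * <ol>
     *   <li>When pushed authorization requests are required, a non-POST authorization request
     *       without a {@code request_uri} parameter is rejected with 403.</li>
     *   <li>A request to the PAR endpoint is delegated to the access token interceptor.</li>
     *   <li>The inherited OAuth 2.0 checks run; a failure stops the request.</li>
     *   <li>A client configuration request is delegated to its interceptor.</li>
     *   <li>A dynamic client registration request is delegated to its interceptor, but only when
     *       the configured registration mode is protected.</li>
     * </ol>
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response, whose status is set to 403 on a PAR rejection
     * @param obj the handler chosen for the request, passed through to delegated interceptors
     * @return {@code true} to continue processing, {@code false} when the request was rejected
     * @throws Exception if a delegated interceptor or the superclass fails
     */
    @Override // org.apereo.cas.support.oauth.web.OAuth20HandlerInterceptorAdapter, org.springframework.web.servlet.HandlerInterceptor
    public boolean preHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object obj) throws Exception {
        final String requestUri = httpServletRequest.getRequestURI();
        LOGGER.trace("Attempting to pre-handle OIDC request at [{}] with parameters [{}]", requestUri, httpServletRequest.getParameterMap().keySet());

        // HttpMethod.POST.matches(...) is used instead of HttpMethod.valueOf(...): where HttpMethod
        // is an enum, valueOf throws IllegalArgumentException for a non-standard method token, which
        // would surface as a server error instead of the intended 403 for this policy check.
        // NOTE(review): the guard exempts every POST, so on its own it does not establish that a
        // POST to the authorize endpoint carries a request_uri; confirm that the authorize endpoint
        // enforces this downstream when PAR is mandatory.
        if (this.casProperties.getAuthn().getOidc().getDiscovery().isRequirePushedAuthorizationRequests()
                && !HttpMethod.POST.matches(httpServletRequest.getMethod())
                && StringUtils.isBlank(httpServletRequest.getParameter(OidcConstants.REQUEST_URI))
                && isAuthorizationRequest(httpServletRequest, httpServletResponse)) {
            LOGGER.warn("CAS is configured to only accept pushed authorization requests and this is not a POST");
            httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return false;
        }

        // The PAR endpoint is handled before the inherited checks and relies solely on the
        // access token interceptor for authentication.
        if (isPushedAuthorizationRequest(requestUri)) {
            LOGGER.trace("OIDC pushed authorization request is protected at [{}]", requestUri);
            return this.requiresAuthenticationAccessTokenInterceptor.getObject().preHandle(httpServletRequest, httpServletResponse, obj);
        }

        if (!super.preHandle(httpServletRequest, httpServletResponse, obj)) {
            LOGGER.trace("Unable to pre-handle OIDC request at [{}]", requestUri);
            return false;
        }

        if (isClientConfigurationRequest(requestUri)) {
            LOGGER.trace("OIDC client configuration is protected at [{}]", requestUri);
            return this.requiresAuthenticationClientConfigurationInterceptor.getObject().preHandle(httpServletRequest, httpServletResponse, obj);
        }

        if (!isDynamicClientRegistrationRequest(requestUri)) {
            return true;
        }
        LOGGER.trace("OIDC request at [{}] is one of dynamic client registration", requestUri);

        // When the registration mode is not protected, no authentication interceptor runs here and
        // the registration request continues unauthenticated as far as this class is concerned.
        if (!isDynamicClientRegistrationRequestProtected()) {
            return true;
        }
        LOGGER.trace("OIDC dynamic client registration is protected at [{}]", requestUri);
        return this.requiresAuthenticationDynamicRegistrationInterceptor.getObject().preHandle(httpServletRequest, httpServletResponse, obj);
    }

    /**
     * Tells whether the URI addresses the dynamic client registration endpoint.
     *
     * @param str the request URI
     * @return {@code true} when the URI matches the {@code register} pattern
     */
    protected boolean isDynamicClientRegistrationRequest(String str) {
        return doesUriMatchPattern(str, CollectionUtils.wrapList("register"));
    }

    /**
     * Tells whether the URI addresses the client configuration endpoint.
     *
     * @param str the request URI
     * @return {@code true} when the URI matches {@link OidcConstants#CLIENT_CONFIGURATION_URL}
     */
    protected boolean isClientConfigurationRequest(String str) {
        return doesUriMatchPattern(str, CollectionUtils.wrapList(OidcConstants.CLIENT_CONFIGURATION_URL));
    }

    /**
     * Tells whether the URI addresses the pushed authorization request endpoint.
     *
     * @param str the request URI
     * @return {@code true} when the URI matches {@link OidcConstants#PUSHED_AUTHORIZE_URL}
     */
    protected boolean isPushedAuthorizationRequest(String str) {
        return doesUriMatchPattern(str, CollectionUtils.wrapList(OidcConstants.PUSHED_AUTHORIZE_URL));
    }

    /**
     * Returns the inherited revocation URL patterns plus the OIDC {@code revoke} pattern.
     *
     * <p>The entry is appended to the list returned by the superclass, so this presumably relies
     * on that list being mutable and freshly created per call; verify in the superclass.
     *
     * @return the revocation URL patterns
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apereo.cas.support.oauth.web.OAuth20HandlerInterceptorAdapter
    public List<String> getRevocationUrls() {
        List<String> revocationUrls = super.getRevocationUrls();
        revocationUrls.add("revoke");
        return revocationUrls;
    }

    /**
     * Returns the inherited access token URL patterns plus the two OIDC token endpoint patterns.
     *
     * <p>The entries are appended to the list returned by the superclass, so this presumably
     * relies on that list being mutable and freshly created per call; verify in the superclass.
     *
     * @return the access token URL patterns
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apereo.cas.support.oauth.web.OAuth20HandlerInterceptorAdapter
    public List<String> getAccessTokenUrls() {
        List<String> accessTokenUrls = super.getAccessTokenUrls();
        accessTokenUrls.add(OidcConstants.ACCESS_TOKEN_URL);
        accessTokenUrls.add(OidcConstants.TOKEN_URL);
        return accessTokenUrls;
    }

    /**
     * Returns the inherited authorize URL patterns plus the OIDC authorize pattern.
     *
     * <p>The entry is appended to the list returned by the superclass, so this presumably relies
     * on that list being mutable and freshly created per call; verify in the superclass.
     *
     * @return the authorize URL patterns
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apereo.cas.support.oauth.web.OAuth20HandlerInterceptorAdapter
    public List<String> getAuthorizeUrls() {
        List<String> authorizeUrls = super.getAuthorizeUrls();
        authorizeUrls.add(OidcConstants.AUTHORIZE_URL);
        return authorizeUrls;
    }

    /**
     * Reads the configured dynamic client registration mode.
     *
     * @return {@code true} when the mode requires registration requests to be authenticated
     */
    private boolean isDynamicClientRegistrationRequestProtected() {
        return this.casProperties.getAuthn().getOidc().getRegistration().getDynamicClientRegistrationMode().isProtected();
    }
}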
