package cn.herodotus.engine.oauth2.authentication.provider;

import cn.herodotus.engine.oauth2.authentication.utils.OAuth2AuthenticationProviderUtils;
import java.security.Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:cn/herodotus/engine/oauth2/authentication/provider/OAuth2AuthorizationCodeAuthenticationProvider.class */
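/**
 * Handles the OAuth 2.0 Authorization Code grant: validates a presented authorization
 * code against the stored {@link OAuth2Authorization}, issues the access / refresh / ID
 * tokens for it and marks the code as used.
 *
 * <p>Validation order, each failure answered with {@code invalid_grant} (RFC 6749 §5.2):
 * <ol>
 *   <li>the code must resolve to a stored authorization;</li>
 *   <li>the authenticated client must be the client the code was issued to — on mismatch
 *       the code is invalidated before the error is returned, so a code leaked to another
 *       client cannot be retried;</li>
 *   <li>if the authorization request carried a {@code redirect_uri}, the token request must
 *       repeat it exactly (RFC 6749 §4.1.3);</li>
 *   <li>the code must still be active (not expired, not already used).</li>
 * </ol>
 *
 * <p>The token-creation helpers ({@code createOAuth2AccessToken}, {@code creatOAuth2RefreshToken},
 * {@code createOidcIdToken}, {@code idTokenAdditionalParameters},
 * {@code createOAuth2AccessTokenAuthenticationToken}) are not defined here; they are presumably
 * inherited from {@link AbstractAuthenticationProvider}.
 *
 * <p>This class holds only two {@code final} collaborators and no mutable state.
 */
public final class OAuth2AuthorizationCodeAuthenticationProvider extends AbstractAuthenticationProvider {

    /** RFC 6749 §5.2 reference, forwarded to the token-creation helpers (presumably as the error URI). */
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";

    /** OAuth 2.0 error code used for every failed grant validation in this provider. */
    private static final String INVALID_GRANT = "invalid_grant";

    /** Token type under which {@link OAuth2AuthorizationService#findByToken} indexes authorization codes. */
    private static final OAuth2TokenType AUTHORIZATION_CODE_TOKEN_TYPE = new OAuth2TokenType("code");

    private static final Logger log = LoggerFactory.getLogger(OAuth2AuthorizationCodeAuthenticationProvider.class);

    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;

    /**
     * Creates a provider backed by the given authorization store and token generator.
     *
     * @param oAuth2AuthorizationService store used to look up, invalidate and persist authorizations
     * @param oAuth2TokenGenerator generator used (via the inherited helpers) to mint the issued tokens
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public OAuth2AuthorizationCodeAuthenticationProvider(OAuth2AuthorizationService oAuth2AuthorizationService,
                                                         OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2TokenGenerator, "tokenGenerator cannot be null");
        this.authorizationService = oAuth2AuthorizationService;
        this.tokenGenerator = oAuth2TokenGenerator;
    }

    /**
     * Exchanges an authorization code for tokens.
     *
     * @param authentication an {@link OAuth2AuthorizationCodeAuthenticationToken} carrying the code,
     *        the token request's {@code redirect_uri} and the (already authenticated) client principal
     * @return an {@link OAuth2AccessTokenAuthenticationToken} holding the issued access token,
     *         refresh token and any ID-token parameters, wrapped by the inherited
     *         {@code createOAuth2AccessTokenAuthenticationToken}
     * @throws OAuth2AuthenticationException with {@code invalid_client} if the client is not
     *         authenticated, or {@code invalid_grant} if any validation step listed on the class fails
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2AuthorizationCodeAuthenticationToken codeAuthentication =
                (OAuth2AuthorizationCodeAuthenticationToken) authentication;

        // Client authentication must already have succeeded; the helper raises invalid_client otherwise.
        OAuth2ClientAuthenticationToken clientPrincipal =
                OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient(codeAuthentication);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();

        OAuth2Authorization authorization =
                this.authorizationService.findByToken(codeAuthentication.getCode(), AUTHORIZATION_CODE_TOKEN_TYPE);
        if (authorization == null) {
            throw new OAuth2AuthenticationException(INVALID_GRANT);
        }

        OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode =
                authorization.getToken(OAuth2AuthorizationCode.class);
        OAuth2AuthorizationRequest authorizationRequest =
                (OAuth2AuthorizationRequest) authorization.getAttribute(OAuth2AuthorizationRequest.class.getName());
        // findByToken matched on the code, so both should be present; a stored authorization that lacks
        // them is treated as an unusable grant instead of surfacing as a NullPointerException.
        if (authorizationCode == null || authorizationRequest == null) {
            throw new OAuth2AuthenticationException(INVALID_GRANT);
        }

        if (!registeredClient.getClientId().equals(authorizationRequest.getClientId())) {
            // A different client is presenting this code: burn it so it cannot be replayed by anyone.
            if (!authorizationCode.isInvalidated()) {
                this.authorizationService.save(
                        OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken()));
            }
            throw new OAuth2AuthenticationException(INVALID_GRANT);
        }

        // RFC 6749 §4.1.3: a redirect_uri sent with the authorization request must be repeated verbatim.
        // A missing redirect_uri on the token request fails equals(null) and is therefore rejected too.
        String requestedRedirectUri = authorizationRequest.getRedirectUri();
        if (StringUtils.hasText(requestedRedirectUri)
                && !requestedRedirectUri.equals(codeAuthentication.getRedirectUri())) {
            throw new OAuth2AuthenticationException(INVALID_GRANT);
        }

        // Expired or already-consumed code.
        if (!authorizationCode.isActive()) {
            throw new OAuth2AuthenticationException(INVALID_GRANT);
        }

        Authentication principal = (Authentication) authorization.getAttribute(Principal.class.getName());
        DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
                .registeredClient(registeredClient)
                .principal(principal)
                .authorizationServerContext(AuthorizationServerContextHolder.getContext())
                .authorization(authorization)
                .authorizedScopes(authorization.getAuthorizedScopes())
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrant(codeAuthentication);
        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization);

        OAuth2AccessToken accessToken =
                createOAuth2AccessToken(tokenContextBuilder, authorizationBuilder, this.tokenGenerator, ERROR_URI);
        OAuth2RefreshToken refreshToken = creatOAuth2RefreshToken(
                tokenContextBuilder, authorizationBuilder, this.tokenGenerator, ERROR_URI, clientPrincipal, registeredClient);
        OidcIdToken idToken = createOidcIdToken(
                tokenContextBuilder, authorizationBuilder, this.tokenGenerator, ERROR_URI, authorizationRequest.getScopes());

        // Codes are single-use: persist the new tokens and the invalidated code in one save.
        this.authorizationService.save(
                OAuth2AuthenticationProviderUtils.invalidate(authorizationBuilder.build(), authorizationCode.getToken()));

        log.debug("[Herodotus] |- Authorization Code returning OAuth2AccessTokenAuthenticationToken.");
        return createOAuth2AccessTokenAuthenticationToken(principal,
                new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken,
                        idTokenAdditionalParameters(idToken)));
    }

    /**
     * @param cls the authentication type offered by the {@code AuthenticationManager}
     * @return {@code true} only for {@link OAuth2AuthorizationCodeAuthenticationToken} (or a subtype)
     */
    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(cls);
    }
}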
