package cn.herodotus.engine.oauth2.server.authorization.granter;

import cn.herodotus.engine.oauth2.server.authorization.utils.JwtUtils;
import cn.herodotus.engine.oauth2.server.authorization.utils.OAuth2EndpointUtils;
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Base64;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.jwt.JoseHeader;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:cn/herodotus/engine/oauth2/server/authorization/granter/OAuth2ResourceOwnerPasswordAuthenticationProvider.class */
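/**
 * {@link AuthenticationProvider} implementing the OAuth 2.0 Resource Owner Password Credentials grant
 * (RFC 6749 section 4.3) on top of Spring Authorization Server.
 *
 * <p>Processing order, with the OAuth 2.0 error code raised on failure:
 * <ol>
 *   <li>the request must carry an already-authenticated {@link OAuth2ClientAuthenticationToken} as its
 *       principal ({@code invalid_client}) and that client must be registered for the {@code password}
 *       grant ({@code unauthorized_client});</li>
 *   <li>the {@code username} and {@code password} request parameters must both be present
 *       ({@code invalid_request}) and are verified through the configured {@link AuthenticationManager}
 *       ({@code invalid_grant} on failure);</li>
 *   <li>requested scopes must be a subset of the client's registered scopes ({@code invalid_scope});
 *       when no scope is requested, every registered scope of the client is granted;</li>
 *   <li>a JWT access token is encoded (after the {@link OAuth2TokenCustomizer} ran), a refresh token is
 *       generated when the client is registered for {@code refresh_token}, and the resulting
 *       {@link OAuth2Authorization} is persisted through the {@link OAuth2AuthorizationService}.</li>
 * </ol>
 *
 * <p>Security notes. With this grant the client handles the resource owner's password directly;
 * RFC 6749 section 4.3 limits it to highly trusted clients and the OAuth 2.1 draft drops it, so it should
 * only be enabled for clients that explicitly need it. This class performs no throttling or lockout of its
 * own: brute-force protection must come from the {@link AuthenticationManager} (e.g. account status
 * handling) or from the layer in front of the token endpoint. Every JWT claim except {@code scope},
 * {@code iat}, {@code exp} and {@code nbf} is additionally echoed as a top-level parameter of the token
 * response, so customizers should not put claims there that the client must not see in clear.
 *
 * <p>Thread-safety: the setters are meant to be called during wiring only; {@link #authenticate} itself
 * keeps no mutable state.
 */
public class OAuth2ResourceOwnerPasswordAuthenticationProvider implements AuthenticationProvider {

    private static final Logger log = LoggerFactory.getLogger(OAuth2ResourceOwnerPasswordAuthenticationProvider.class);

    /**
     * Refresh-token values are 96 random bytes (Spring's secure-random backed key generator), rendered as
     * URL-safe Base64 without padding; they are opaque handles, not JWTs.
     */
    private static final StringKeyGenerator DEFAULT_REFRESH_TOKEN_GENERATOR =
            new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);

    /** Error URI attached to {@code invalid_request}/{@code invalid_grant} errors raised here. */
    private static final String ERROR_URI = OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI;

    private final AuthenticationManager authenticationManager;
    private final OAuth2AuthorizationService authorizationService;
    private final JwtEncoder jwtEncoder;
    private final Supplier<String> refreshTokenGenerator;
    /** No-op by default; replaced through {@link #setJwtCustomizer}. */
    private OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer = jwtEncodingContext -> {
    };
    /** Optional; when absent the access token is issued without an {@code iss} value. */
    private ProviderSettings providerSettings;

    /**
     * Creates a provider.
     *
     * @param authenticationManager verifies the resource owner's username/password
     * @param oAuth2AuthorizationService persists the issued {@link OAuth2Authorization}
     * @param jwtEncoder signs/encodes the access token
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    public OAuth2ResourceOwnerPasswordAuthenticationProvider(AuthenticationManager authenticationManager, OAuth2AuthorizationService oAuth2AuthorizationService, JwtEncoder jwtEncoder) {
        // Fail at wiring time rather than on the first token request.
        Assert.notNull(authenticationManager, "authenticationManager cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(jwtEncoder, "jwtEncoder cannot be null");
        this.authenticationManager = authenticationManager;
        this.authorizationService = oAuth2AuthorizationService;
        this.jwtEncoder = jwtEncoder;
        this.refreshTokenGenerator = DEFAULT_REFRESH_TOKEN_GENERATOR::generateKey;
    }

    /**
     * Sets the customizer invoked on the {@link JwtEncodingContext} before the access token is encoded.
     *
     * @param oAuth2TokenCustomizer the customizer, never {@code null}
     * @throws IllegalArgumentException if the customizer is {@code null}
     */
    public void setJwtCustomizer(OAuth2TokenCustomizer<JwtEncodingContext> oAuth2TokenCustomizer) {
        Assert.notNull(oAuth2TokenCustomizer, "jwtCustomizer cannot be null");
        this.jwtCustomizer = oAuth2TokenCustomizer;
    }

    /**
     * Sets the provider settings whose issuer is placed in the access token; optional.
     *
     * @param providerSettings the settings, may be {@code null}
     */
    @Autowired(required = false)
    public void setProviderSettings(ProviderSettings providerSettings) {
        this.providerSettings = providerSettings;
    }

    /**
     * Handles one {@code grant_type=password} token request.
     *
     * @param authentication an {@link OAuth2ResourceOwnerPasswordAuthenticationToken}
     * @return an {@link OAuth2AccessTokenAuthenticationToken} carrying the issued tokens and the
     *         non-temporal JWT claims as additional parameters
     * @throws OAuth2AuthenticationException with {@code invalid_client}, {@code unauthorized_client},
     *         {@code invalid_request}, {@code invalid_grant} or {@code invalid_scope} as described on the class
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2ResourceOwnerPasswordAuthenticationToken passwordAuthentication =
                (OAuth2ResourceOwnerPasswordAuthenticationToken) authentication;

        // Client authentication is a precondition; a client that is not allowed to use this grant is
        // rejected before any resource-owner credential is touched.
        OAuth2ClientAuthenticationToken clientPrincipal = getAuthenticatedClientElseThrowInvalidClient(passwordAuthentication);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
        if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.PASSWORD)) {
            throw new OAuth2AuthenticationException(new OAuth2Error("unauthorized_client"));
        }

        Authentication resourceOwner = authenticateResourceOwner(passwordAuthentication.getAdditionalParameters());
        Set<String> authorizedScopes = resolveAuthorizedScopes(registeredClient, passwordAuthentication.getScopes());

        // Build the access-token JWT; the customizer may add/replace claims before encoding.
        String issuer = this.providerSettings != null ? this.providerSettings.getIssuer() : null;
        JwtEncodingContext context = JwtEncodingContext
                .with(JwtUtils.headers(), JwtUtils.accessTokenClaims(registeredClient, issuer, resourceOwner.getName(), authorizedScopes))
                .registeredClient(registeredClient)
                .principal(resourceOwner)
                .authorizedScopes(authorizedScopes)
                .tokenType(OAuth2TokenType.ACCESS_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                .authorizationGrant(passwordAuthentication)
                .build();
        this.jwtCustomizer.customize(context);
        JoseHeader headers = context.getHeaders().build();
        JwtClaimsSet claims = context.getClaims().build();
        Jwt jwt = this.jwtEncoder.encode(headers, claims);

        // The scopes recorded on the token are the ones that ended up in the "scope" claim, which the
        // customizer may have narrowed; they may also be null if it removed the claim altogether.
        Set<String> tokenScopes = claims.getClaim("scope");
        OAuth2AccessToken accessToken = new OAuth2AccessToken(
                OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), tokenScopes);

        OAuth2RefreshToken refreshToken = null;
        if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
            refreshToken = generateRefreshToken(registeredClient.getTokenSettings().getRefreshTokenTimeToLive());
        }

        // NOTE(review): the resource-owner Authentication is persisted as an attribute of the authorization;
        // this relies on the AuthenticationManager having erased the credentials (ProviderManager does so by
        // default) — confirm for custom managers so the password never reaches the authorization store.
        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
                .principalName(resourceOwner.getName())
                .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                .token(accessToken, metadata -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwt.getClaims()))
                .attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, tokenScopes)
                .attribute(Principal.class.getName(), resourceOwner);
        if (refreshToken != null) {
            authorizationBuilder.refreshToken(refreshToken);
        }
        this.authorizationService.save(authorizationBuilder.build());
        log.debug("[Herodotus] |- Resource Owner Password OAuth2Authorization saved successfully.");

        // Everything except the scope/time claims is exposed to the client as extra response parameters.
        Map<String, Object> additionalParameters = new HashMap<>();
        claims.getClaims().forEach((name, value) -> {
            if (!isTokenOnlyClaim(name)) {
                additionalParameters.put(name, value);
            }
        });
        log.debug("[Herodotus] |- Resource Owner Password returning OAuth2AccessTokenAuthenticationToken.");
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken, additionalParameters);
    }

    /**
     * Reports whether this provider handles the given authentication type.
     *
     * @param cls the {@link Authentication} class being offered
     * @return {@code true} for {@link OAuth2ResourceOwnerPasswordAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> cls) {
        boolean supported = OAuth2ResourceOwnerPasswordAuthenticationToken.class.isAssignableFrom(cls);
        // Log the outcome rather than an unconditional "supported" line: this is called for every
        // provider on every request, whatever the grant type.
        log.debug("[Herodotus] |- Resource Owner Password Authentication supports {}: {}", cls.getName(), supported);
        return supported;
    }

    /**
     * Verifies the resource owner's credentials taken from the request parameters.
     *
     * @param additionalParameters the grant's extra request parameters; must hold {@code username} and
     *        {@code password} as strings
     * @return the authenticated resource owner, never {@code null}
     * @throws OAuth2AuthenticationException {@code invalid_request} when a parameter is missing or not a
     *         string, {@code invalid_grant} when authentication fails
     */
    private Authentication authenticateResourceOwner(Map<String, Object> additionalParameters) {
        Object username = CollectionUtils.isEmpty(additionalParameters) ? null : additionalParameters.get("username");
        Object password = CollectionUtils.isEmpty(additionalParameters) ? null : additionalParameters.get("password");
        // RFC 6749 section 5.2: a missing or malformed required parameter is invalid_request, not a
        // credential failure (and the blind String cast used to surface as a ClassCastException).
        if (!(username instanceof String) || !(password instanceof String)) {
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("invalid_request", "username and password are required", ERROR_URI));
        }

        Authentication resourceOwner = null;
        try {
            resourceOwner = this.authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            // Only the principal name is logged; the Authentication object may carry details/authorities
            // (or, with a custom manager, un-erased credentials) that do not belong in logs.
            log.debug("[Herodotus] |- Resource Owner Password username and password authenticate success ：[{}]",
                    resourceOwner != null ? resourceOwner.getName() : null);
        } catch (AccountStatusException | BadCredentialsException e) {
            // NOTE(review): e.getMessage() becomes error_description, so an AccountStatusException text
            // ("locked", "disabled", ...) tells the caller the username exists while BadCredentials does
            // not — consider a fixed description if username enumeration is a concern.
            OAuth2EndpointUtils.throwError("invalid_grant", e.getMessage(), ERROR_URI);
        }
        // Fail closed: AuthenticationManager may return null (no provider could decide) and throwError is
        // a project helper we cannot assume to always throw; neither case must mint a token.
        if (resourceOwner == null || !resourceOwner.isAuthenticated()) {
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("invalid_grant", "resource owner authentication failed", ERROR_URI));
        }
        return resourceOwner;
    }

    /**
     * Determines the scopes to authorize.
     *
     * @param registeredClient the authenticated client
     * @param requestedScopes scopes named in the request; may be {@code null} or empty
     * @return the client's registered scopes when none were requested, otherwise the requested ones in
     *         request order
     * @throws OAuth2AuthenticationException {@code invalid_scope} if any requested scope is not registered
     *         for the client
     */
    private static Set<String> resolveAuthorizedScopes(RegisteredClient registeredClient, Collection<String> requestedScopes) {
        Set<String> clientScopes = registeredClient.getScopes();
        if (CollectionUtils.isEmpty(requestedScopes)) {
            return clientScopes;
        }
        // A client may only narrow, never widen, what it was registered for.
        if (!clientScopes.containsAll(requestedScopes)) {
            throw new OAuth2AuthenticationException("invalid_scope");
        }
        return new LinkedHashSet<>(requestedScopes);
    }

    /**
     * Claims that are represented by dedicated token-response fields and therefore not echoed as
     * additional parameters.
     */
    private static boolean isTokenOnlyClaim(String claimName) {
        return "scope".equals(claimName)
                || "iat".equals(claimName)
                || "exp".equals(claimName)
                || "nbf".equals(claimName);
    }

    /**
     * Extracts the authenticated client from the grant's principal.
     *
     * @param authentication the grant request
     * @return the client token, guaranteed authenticated
     * @throws OAuth2AuthenticationException {@code invalid_client} if the principal is missing, of another
     *         type, or not authenticated
     */
    private static OAuth2ClientAuthenticationToken getAuthenticatedClientElseThrowInvalidClient(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        // instanceof also covers a null principal, which the previous getClass() call turned into an NPE.
        if (principal instanceof OAuth2ClientAuthenticationToken) {
            OAuth2ClientAuthenticationToken clientPrincipal = (OAuth2ClientAuthenticationToken) principal;
            if (clientPrincipal.isAuthenticated()) {
                return clientPrincipal;
            }
        }
        throw new OAuth2AuthenticationException("invalid_client");
    }

    /**
     * Creates an opaque refresh token valid from now for the given duration.
     *
     * @param duration the refresh token time-to-live from the client's token settings
     * @return the new refresh token
     */
    private OAuth2RefreshToken generateRefreshToken(Duration duration) {
        Instant issuedAt = Instant.now();
        return new OAuth2RefreshToken(this.refreshTokenGenerator.get(), issuedAt, issuedAt.plus(duration));
    }
}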
