package cn.herodotus.engine.oauth2.authorization.authentication;

import cn.herodotus.engine.assistant.core.domain.AccessPrincipal;
import cn.herodotus.engine.oauth2.authorization.constants.OAuth2SocialParameterNames;
import cn.herodotus.engine.oauth2.authorization.exception.SocialCredentialsParameterBindingFailedException;
import cn.herodotus.engine.oauth2.authorization.utils.OAuth2AuthenticationProviderUtils;
import cn.herodotus.engine.oauth2.core.definition.HerodotusGrantType;
import cn.herodotus.engine.oauth2.core.properties.OAuth2ComplianceProperties;
import cn.hutool.core.bean.BeanUtil;
import java.security.Principal;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.context.ProviderContextHolder;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.web.bind.support.WebRequestDataBinder;

/* loaded from: input_file:cn/herodotus/engine/oauth2/authorization/authentication/OAuth2SocialCredentialsAuthenticationProvider.class */
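/**
 * {@link org.springframework.security.authentication.AuthenticationProvider} for the custom
 * {@code social} grant ({@link HerodotusGrantType#SOCIAL}).
 *
 * <p>Flow implemented by {@link #authenticate(Authentication)}:
 * <ol>
 *   <li>resolve the authenticated client and reject it unless the {@code social} grant is registered for it;</li>
 *   <li>resolve the resource owner through the parent class (which ends up in {@link #retrieveUser(Map)});</li>
 *   <li>validate requested scopes against the client's registered scopes;</li>
 *   <li>generate an access token (and a refresh token for confidential clients that allow it);</li>
 *   <li>persist the {@link OAuth2Authorization} and return an {@link OAuth2AccessTokenAuthenticationToken}.</li>
 * </ol>
 *
 * <p>No password/credential check is performed here: {@link #additionalAuthenticationChecks(UserDetails, Map)}
 * is intentionally a no-op, so the trust decision rests entirely on {@code loadUserBySocial}.
 */
public class OAuth2SocialCredentialsAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
    private static final Logger log = LoggerFactory.getLogger(OAuth2SocialCredentialsAuthenticationProvider.class);
    /** Error URI attached to {@code server_error} responses (RFC 6749 §5.2). */
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;

    /**
     * Creates the provider.
     *
     * @param oAuth2AuthorizationService store for issued authorizations (passed to the parent as well)
     * @param oAuth2TokenGenerator       generator for access/refresh tokens; must not be {@code null}
     * @param userDetailsService         service used to resolve the social principal into a {@link UserDetails}
     * @param oAuth2ComplianceProperties compliance settings consumed by the parent class
     * @throws IllegalArgumentException if {@code oAuth2TokenGenerator} is {@code null}
     */
    public OAuth2SocialCredentialsAuthenticationProvider(OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator, UserDetailsService userDetailsService, OAuth2ComplianceProperties oAuth2ComplianceProperties) {
        super(oAuth2AuthorizationService, userDetailsService, oAuth2ComplianceProperties);
        Assert.notNull(oAuth2TokenGenerator, "tokenGenerator cannot be null");
        this.authorizationService = oAuth2AuthorizationService;
        this.tokenGenerator = oAuth2TokenGenerator;
    }

    /**
     * Intentionally empty: a social login carries no password to verify, the external identity
     * has already been established by the caller of {@code loadUserBySocial}.
     *
     * @param userDetails the resolved user
     * @param map         the grant's additional request parameters
     */
    @Override // cn.herodotus.engine.oauth2.authorization.authentication.AbstractUserDetailsAuthenticationProvider
    protected void additionalAuthenticationChecks(UserDetails userDetails, Map<String, Object> map) throws AuthenticationException {
    }

    /**
     * Resolves the user for a social login.
     *
     * <p>Reads the social provider name from {@link OAuth2SocialParameterNames#SOURCE}, binds the
     * remaining request parameters into an {@link AccessPrincipal} and asks the user details service
     * for the matching user.
     *
     * @param map the grant's additional request parameters
     * @return the resolved user, never {@code null}
     * @throws UsernameNotFoundException              propagated from the user details service (logged first)
     * @throws InternalAuthenticationServiceException if the service returns {@code null} (contract violation)
     *                                                or any other non-authentication exception is raised
     */
    @Override // cn.herodotus.engine.oauth2.authorization.authentication.AbstractUserDetailsAuthenticationProvider
    protected UserDetails retrieveUser(Map<String, Object> map) throws AuthenticationException {
        String source = (String) map.get(OAuth2SocialParameterNames.SOURCE);
        try {
            UserDetails loadedUser = getUserDetailsService().loadUserBySocial(source, parameterBinder(map));
            if (loadedUser == null) {
                throw new InternalAuthenticationServiceException("UserDetailsService returned null, which is an interface contract violation");
            }
            return loadedUser;
        } catch (UsernameNotFoundException e) {
            // Must be caught before the broader handlers below, otherwise it would be wrapped as an
            // internal error (and the clause would not even compile after catch (Exception)).
            log.error("[Herodotus] |- User name can not found for：[{}]", source);
            throw e;
        } catch (InternalAuthenticationServiceException e) {
            throw e;
        } catch (Exception e) {
            throw new InternalAuthenticationServiceException(e.getMessage(), e);
        }
    }

    /**
     * Performs the {@code social} grant and issues tokens.
     *
     * @param authentication an {@link OAuth2SocialCredentialsAuthenticationToken} (guaranteed by {@link #supports(Class)})
     * @return an {@link OAuth2AccessTokenAuthenticationToken} holding the issued access (and optional refresh) token
     * @throws OAuth2AuthenticationException with {@code invalid_client}, {@code unauthorized_client},
     *                                       {@code invalid_scope} or {@code server_error} as appropriate
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2SocialCredentialsAuthenticationToken socialToken = (OAuth2SocialCredentialsAuthenticationToken) authentication;
        OAuth2ClientAuthenticationToken clientPrincipal = OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient(socialToken);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();

        // The client must be explicitly registered for the social grant.
        if (!registeredClient.getAuthorizationGrantTypes().contains(HerodotusGrantType.SOCIAL)) {
            throw new OAuth2AuthenticationException("unauthorized_client");
        }

        Authentication resourceOwner = getUsernamePasswordAuthentication(socialToken.getAdditionalParameters(), registeredClient.getId());

        // Default to the client's full scope set; narrow to the requested scopes once they are
        // all confirmed to be registered for the client.
        Set<String> authorizedScopes = registeredClient.getScopes();
        Set<String> requestedScopes = socialToken.getScopes();
        if (!CollectionUtils.isEmpty(requestedScopes)) {
            for (String requestedScope : requestedScopes) {
                if (!authorizedScopes.contains(requestedScope)) {
                    throw new OAuth2AuthenticationException("invalid_scope");
                }
            }
            authorizedScopes = new LinkedHashSet<>(requestedScopes);
        }

        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
                .principalName(resourceOwner.getName())
                .authorizationGrantType(HerodotusGrantType.SOCIAL)
                .attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizedScopes)
                .attribute(Principal.class.getName(), resourceOwner);

        DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
                .registeredClient(registeredClient)
                .principal(resourceOwner)
                .providerContext(ProviderContextHolder.getProviderContext())
                .authorizedScopes(authorizedScopes)
                .tokenType(OAuth2TokenType.ACCESS_TOKEN)
                .authorizationGrantType(HerodotusGrantType.SOCIAL)
                .authorizationGrant(socialToken);

        // ----- access token -----
        DefaultOAuth2TokenContext accessTokenContext = tokenContextBuilder.build();
        OAuth2Token generatedAccessToken = this.tokenGenerator.generate(accessTokenContext);
        if (generatedAccessToken == null) {
            throw new OAuth2AuthenticationException(new OAuth2Error("server_error", "The token generator failed to generate the access token.", ERROR_URI));
        }
        OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, generatedAccessToken.getTokenValue(), generatedAccessToken.getIssuedAt(), generatedAccessToken.getExpiresAt(), accessTokenContext.getAuthorizedScopes());
        if (generatedAccessToken instanceof ClaimAccessor) {
            // Self-contained (JWT) tokens: keep the claims alongside the stored token.
            authorizationBuilder.token(accessToken, metadata ->
                    metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, ((ClaimAccessor) generatedAccessToken).getClaims()));
        } else {
            authorizationBuilder.accessToken(accessToken);
        }

        // ----- refresh token -----
        // Only issued when the client is registered for refresh_token AND authenticated itself
        // (public clients using client_authentication_method=none never get one).
        OAuth2RefreshToken refreshToken = null;
        boolean refreshAllowed = registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)
                && !clientPrincipal.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.NONE);
        if (refreshAllowed) {
            OAuth2Token generatedRefreshToken = this.tokenGenerator.generate(tokenContextBuilder.tokenType(OAuth2TokenType.REFRESH_TOKEN).build());
            if (!(generatedRefreshToken instanceof OAuth2RefreshToken)) {
                throw new OAuth2AuthenticationException(new OAuth2Error("server_error", "The token generator failed to generate the refresh token.", ERROR_URI));
            }
            refreshToken = (OAuth2RefreshToken) generatedRefreshToken;
            authorizationBuilder.refreshToken(refreshToken);
        }

        this.authorizationService.save(authorizationBuilder.build());
        log.debug("[Herodotus] |- Social Credential returning OAuth2AccessTokenAuthenticationToken.");
        return getOAuth2AccessTokenAuthenticationToken(resourceOwner, new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken));
    }

    /**
     * @param cls the authentication type offered by the {@code ProviderManager}
     * @return {@code true} only for {@link OAuth2SocialCredentialsAuthenticationToken} (and subclasses)
     */
    public boolean supports(Class<?> cls) {
        boolean supported = OAuth2SocialCredentialsAuthenticationToken.class.isAssignableFrom(cls);
        log.trace("[Herodotus] |- Social Credentials Authentication is supports! [{}]", supported);
        return supported;
    }

    /**
     * Binds the grant's request parameters onto a fresh {@link AccessPrincipal}.
     *
     * <p>NOTE(review): the binder is created without {@code setAllowedFields(...)}, so every writable
     * property of {@link AccessPrincipal} can be set from request parameters. That is acceptable only
     * if {@link AccessPrincipal} is a plain parameter holder with no sensitive or nested properties —
     * confirm against its definition, and restrict the allowed fields if it ever grows beyond that.
     *
     * @param map the grant's additional request parameters
     * @return the populated principal
     * @throws SocialCredentialsParameterBindingFailedException if nothing was bound (empty bean)
     */
    private AccessPrincipal parameterBinder(Map<String, Object> map) throws SocialCredentialsParameterBindingFailedException {
        AccessPrincipal accessPrincipal = new AccessPrincipal();
        new WebRequestDataBinder(accessPrincipal).bind(new MutablePropertyValues(map));
        if (BeanUtil.isNotEmpty(accessPrincipal, new String[0])) {
            return accessPrincipal;
        }
        throw new SocialCredentialsParameterBindingFailedException("Internet authentication parameter bindng is not correct!");
    }
}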
