package cn.herodotus.engine.oauth2.authorization.authentication;

import cn.herodotus.engine.oauth2.authorization.utils.OAuth2AuthenticationProviderUtils;
import cn.herodotus.engine.oauth2.core.definition.service.ClientDetailsService;
import cn.hutool.core.util.ReflectUtil;
import java.util.Set;
import org.apache.commons.collections4.CollectionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;

/* loaded from: input_file:cn/herodotus/engine/oauth2/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.class */
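/**
 * Authentication provider for the OAuth 2.0 {@code client_credentials} grant.
 *
 * <p>For an already-authenticated client it checks that the registered client is allowed to use
 * the grant, validates the requested scopes, loads the client's authorities from
 * {@link ClientDetailsService}, issues the tokens through the inherited helper methods and
 * persists the resulting {@link OAuth2Authorization}.
 */
public class OAuth2ClientCredentialsAuthenticationProvider extends AbstractAuthenticationProvider {
    private static final Logger log = LoggerFactory.getLogger(OAuth2ClientCredentialsAuthenticationProvider.class);
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;
    private final ClientDetailsService clientDetailsService;

    /**
     * Creates the provider.
     *
     * @param oAuth2AuthorizationService store the issued authorization is saved to; must not be null
     * @param oAuth2TokenGenerator generator handed to the inherited token-creation helpers; must not be null
     * @param clientDetailsService source of the authorities assigned to the client; must not be null
     * @throws IllegalArgumentException if any argument is null
     */
    public OAuth2ClientCredentialsAuthenticationProvider(OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator, ClientDetailsService clientDetailsService) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2TokenGenerator, "tokenGenerator cannot be null");
        // authenticate() dereferences this service unconditionally, so reject null here like the
        // other two collaborators instead of failing with a NullPointerException on the first
        // token request.
        Assert.notNull(clientDetailsService, "clientDetailsService cannot be null");
        this.authorizationService = oAuth2AuthorizationService;
        this.tokenGenerator = oAuth2TokenGenerator;
        this.clientDetailsService = clientDetailsService;
    }

    /**
     * Handles a client-credentials token request.
     *
     * @param authentication the request; cast to {@link OAuth2ClientCredentialsAuthenticationToken},
     *     which is the only type {@link #supports(Class)} accepts
     * @return an {@link OAuth2AccessTokenAuthenticationToken} carrying the access token and
     *     whatever the inherited refresh-token helper returned
     * @throws AuthenticationException with error code {@code unauthorized_client} when the
     *     registered client does not list the {@code client_credentials} grant; the inherited
     *     helpers may raise further errors that are not visible in this class
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2ClientCredentialsAuthenticationToken grantRequest = (OAuth2ClientCredentialsAuthenticationToken) authentication;
        OAuth2ClientAuthenticationToken clientPrincipal = OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient(grantRequest);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();

        // The grant must be enabled explicitly on the client registration.
        if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.CLIENT_CREDENTIALS)) {
            throw new OAuth2AuthenticationException("unauthorized_client");
        }

        Set<String> authorizedScopes = validateScopes(grantRequest.getScopes(), registeredClient);

        // SECURITY: the authorities stored for this client id are written straight into the
        // private "authorities" field of the authenticated token by reflection, bypassing the
        // token's constructor. The token is then used as the principal of the token context
        // below, so whatever ClientDetailsService returns here is what the issued token is
        // generated against. Keep write access to that store tightly controlled.
        // NOTE(review): this is coupled to the field name inside Spring Security's token class;
        // re-check the assignment after a framework upgrade.
        Set<?> clientAuthorities = this.clientDetailsService.findAuthoritiesById(registeredClient.getClientId());
        if (CollectionUtils.isNotEmpty(clientAuthorities)) {
            ReflectUtil.setFieldValue(clientPrincipal, "authorities", clientAuthorities);
            log.debug("[Herodotus] |- Assign authorities to OAuth2ClientAuthenticationToken.");
        }

        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
                .principalName(clientPrincipal.getName())
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .authorizedScopes(authorizedScopes);

        DefaultOAuth2TokenContext.Builder tokenContextBuilder = (DefaultOAuth2TokenContext.Builder) DefaultOAuth2TokenContext.builder()
                .registeredClient(registeredClient)
                .principal(clientPrincipal)
                .authorizationServerContext(AuthorizationServerContextHolder.getContext())
                .authorizedScopes(authorizedScopes)
                .tokenType(OAuth2TokenType.ACCESS_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .authorizationGrant(grantRequest);

        OAuth2AccessToken accessToken = createOAuth2AccessToken(tokenContextBuilder, authorizationBuilder, this.tokenGenerator, ERROR_URI);

        // NOTE(review): RFC 6749 section 4.4.3 says a refresh token SHOULD NOT be included in a
        // client-credentials response. Whether one is issued is decided inside the inherited
        // helper, which is not visible here; confirm it returns null for this grant unless the
        // deployment deliberately enables refresh tokens for confidential clients.
        OAuth2RefreshToken refreshToken = creatOAuth2RefreshToken(tokenContextBuilder, authorizationBuilder, this.tokenGenerator, ERROR_URI, clientPrincipal, registeredClient);

        this.authorizationService.save(authorizationBuilder.build());
        log.debug("[Herodotus] |- Client Credentials returning OAuth2AccessTokenAuthenticationToken.");
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken);
    }

    /**
     * Reports whether this provider can process the given authentication type.
     *
     * @param cls the authentication class to test
     * @return {@code true} when {@code cls} is {@link OAuth2ClientCredentialsAuthenticationToken}
     *     or a subclass of it
     */
    public boolean supports(Class<?> cls) {
        return OAuth2ClientCredentialsAuthenticationToken.class.isAssignableFrom(cls);
    }
}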
