package cn.herodotus.engine.oauth2.authentication.provider;

import cn.herodotus.engine.oauth2.authentication.utils.OAuth2AuthenticationProviderUtils;
import cn.herodotus.engine.oauth2.core.definition.service.ClientDetailsService;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.dromara.hutool.core.reflect.FieldUtil;
import org.jetbrains.annotations.NotNull;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:cn/herodotus/engine/oauth2/authentication/provider/OAuth2ClientCredentialsAuthenticationProvider.class */
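/**
 * Authenticates an OAuth2 {@code client_credentials} token request and issues an access token.
 *
 * <p>Processing order, as implemented in {@link #authenticate(Authentication)}:
 * <ol>
 *   <li>require an already-authenticated client (otherwise {@code invalid_client});</li>
 *   <li>require that the registered client is allowed the {@code client_credentials} grant
 *       (otherwise {@code unauthorized_client});</li>
 *   <li>require that every requested scope is one the client registered
 *       (otherwise {@code invalid_scope});</li>
 *   <li>load the client's authorities through {@link ClientDetailsService} and, when non-empty,
 *       write them into the client authentication token by reflection;</li>
 *   <li>generate the access token via the inherited {@code createOAuth2AccessToken} helper,
 *       persist the {@link OAuth2Authorization} and return the access-token authentication.</li>
 * </ol>
 *
 * <p>Trust boundary note: whatever {@code findAuthoritiesById} returns becomes the authorities of
 * the principal the access token is issued for, so that service is fully trusted here. The
 * reflective write targets a field named {@code "authorities"} on the Spring client token
 * (presumably the private field of {@code AbstractAuthenticationToken}); it depends on that field
 * name and on reflective access being permitted, so it should be re-checked on Spring Security
 * upgrades.
 *
 * <p>Stateless apart from the injected collaborators; thread-safety is theirs.
 */
public class OAuth2ClientCredentialsAuthenticationProvider extends AbstractAuthenticationProvider {

    /** RFC 6749 error URI handed to the inherited access-token helper for error reporting. */
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";

    private final Log logger = LogFactory.getLog(getClass());
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;
    private final ClientDetailsService clientDetailsService;

    /**
     * Creates the provider.
     *
     * @param oAuth2AuthorizationService store the issued {@link OAuth2Authorization} is saved to
     * @param oAuth2TokenGenerator       generator used by the inherited access-token helper
     * @param clientDetailsService       source of the authorities assigned to the client principal
     * @throws IllegalArgumentException if any collaborator is {@code null}
     */
    public OAuth2ClientCredentialsAuthenticationProvider(OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator, ClientDetailsService clientDetailsService) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2TokenGenerator, "tokenGenerator cannot be null");
        // Dereferenced unconditionally in authenticate(); fail at construction rather than on the first token request.
        Assert.notNull(clientDetailsService, "clientDetailsService cannot be null");
        this.authorizationService = oAuth2AuthorizationService;
        this.tokenGenerator = oAuth2TokenGenerator;
        this.clientDetailsService = clientDetailsService;
    }

    /**
     * Validates the requested scopes against the client's registered scopes.
     *
     * @param clientCredentialsAuthentication the incoming token request
     * @param registeredClient                the authenticated client's registration
     * @return the requested scopes in request order, or an empty set when none were requested
     * @throws OAuth2AuthenticationException with error code {@code invalid_scope} if any requested
     *                                       scope is not registered for the client
     */
    @NotNull
    private static Set<String> getScopes(OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication, RegisteredClient registeredClient) {
        Set<String> requestedScopes = clientCredentialsAuthentication.getScopes();
        if (CollectionUtils.isEmpty(requestedScopes)) {
            return Collections.emptySet();
        }
        // Exact string match against the registration; a single unknown scope rejects the whole request.
        for (String scope : requestedScopes) {
            if (!registeredClient.getScopes().contains(scope)) {
                throw new OAuth2AuthenticationException("invalid_scope");
            }
        }
        return new LinkedHashSet<>(requestedScopes);
    }

    /**
     * Handles a {@code client_credentials} token request.
     *
     * @param authentication an {@link OAuth2ClientCredentialsAuthenticationToken}
     * @return an {@link OAuth2AccessTokenAuthenticationToken} carrying the issued access token
     * @throws OAuth2AuthenticationException with {@code invalid_client}, {@code unauthorized_client}
     *                                       or {@code invalid_scope} as described on the class
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication = (OAuth2ClientCredentialsAuthenticationToken) authentication;

        // The grant is only available to a client that already authenticated; otherwise invalid_client.
        OAuth2ClientAuthenticationToken clientPrincipal = OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient(clientCredentialsAuthentication);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Retrieved registered client");
        }

        if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.CLIENT_CREDENTIALS)) {
            throw new OAuth2AuthenticationException("unauthorized_client");
        }

        Set<String> authorizedScopes = getScopes(clientCredentialsAuthentication, registeredClient);
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Validated token request parameters");
        }

        // Authorities are looked up by client id and attached to the principal the token is issued for.
        // An empty/null result leaves the token's authorities untouched.
        Set<?> authorities = this.clientDetailsService.findAuthoritiesById(registeredClient.getClientId());
        if (!CollectionUtils.isEmpty(authorities)) {
            // Reflective write: the Spring token exposes no setter for its "authorities" field.
            FieldUtil.setFieldValue(clientPrincipal, "authorities", authorities);
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("[Herodotus] |- Assign authorities to OAuth2ClientAuthenticationToken.");
            }
        }

        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
                .principalName(clientPrincipal.getName())
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .authorizedScopes(authorizedScopes);

        DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
                .registeredClient(registeredClient)
                .principal(clientPrincipal)
                .authorizationServerContext(AuthorizationServerContextHolder.getContext())
                .authorizedScopes(authorizedScopes)
                .tokenType(OAuth2TokenType.ACCESS_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .authorizationGrant(clientCredentialsAuthentication);

        // Inherited from AbstractAuthenticationProvider (not shown here); also records the token on authorizationBuilder.
        OAuth2AccessToken accessToken = createOAuth2AccessToken(tokenContextBuilder, authorizationBuilder, this.tokenGenerator, ERROR_URI);

        this.authorizationService.save(authorizationBuilder.build());
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Saved authorization");
            this.logger.trace("Authenticated token request");
        }

        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken);
    }

    /**
     * @return {@code true} for {@link OAuth2ClientCredentialsAuthenticationToken} and its subtypes
     */
    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2ClientCredentialsAuthenticationToken.class.isAssignableFrom(cls);
    }
}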
