package cn.herodotus.engine.oauth2.authentication.provider;

import cn.herodotus.engine.oauth2.core.definition.domain.HerodotusUser;
import cn.herodotus.engine.oauth2.core.utils.PrincipalUtils;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:cn/herodotus/engine/oauth2/authentication/provider/AbstractAuthenticationProvider.class */
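/**
 * Shared plumbing for the custom {@link AuthenticationProvider}s in this package: asks an
 * {@link OAuth2TokenGenerator} for access, refresh and ID tokens, records each one on an
 * {@link OAuth2Authorization.Builder}, validates requested scopes against the client
 * registration, and attaches principal details to the resulting
 * {@link OAuth2AccessTokenAuthenticationToken}.
 *
 * <p>This listing was recovered from bytecode. The decompiler reports the token helpers were
 * declared {@code protected}; they are left {@code public} here so existing callers keep
 * compiling. Two decompiler artifacts that did not type-check (an {@code OAuth2Token} assigned
 * to a {@code Jwt} local, and {@code getClaims()} called on an {@code OAuth2Token}-typed local)
 * are corrected below without changing behaviour.
 */
public abstract class AbstractAuthenticationProvider implements AuthenticationProvider {

    private final Log logger = LogFactory.getLog(getClass());

    /** Token type requested from the generator for an OIDC ID token. */
    private static final OAuth2TokenType ID_TOKEN_TOKEN_TYPE = new OAuth2TokenType("id_token");

    /** Scope whose presence triggers ID-token issuance. */
    private static final String OPENID_SCOPE = "openid";

    /**
     * Returns the unpadded base64url encoding of the SHA-256 digest of {@code str}.
     *
     * <p>Used so that only a one-way digest of the container session id, never the raw id,
     * is handed to the token generator. The input is encoded as US-ASCII (session ids are
     * expected to be ASCII; any other character would be substituted before hashing).
     *
     * @param str the value to digest, must not be {@code null}
     * @return the base64url digest without padding
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable (not expected on a compliant JRE)
     */
    private static String createHash(String str) throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] digest = sha256.digest(str.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    /**
     * Generates a bearer access token and records it on {@code builder2}.
     *
     * <p>If the generated token exposes claims (a JWT), they are stored as token metadata under
     * {@link OAuth2Authorization.Token#CLAIMS_METADATA_NAME}; otherwise the opaque token is
     * registered via {@link OAuth2Authorization.Builder#accessToken(OAuth2AccessToken)}.
     *
     * @param builder              token-context builder; its token type is set to access_token here
     * @param builder2             authorization builder that receives the token
     * @param oAuth2TokenGenerator generator that produces the token
     * @param str                  error URI placed on the {@link OAuth2Error} if generation fails
     * @return the access token that was recorded
     * @throws OAuth2AuthenticationException with {@code server_error} if the generator returns {@code null}
     */
    public OAuth2AccessToken createOAuth2AccessToken(DefaultOAuth2TokenContext.Builder builder, OAuth2Authorization.Builder builder2, OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator, String str) {
        DefaultOAuth2TokenContext tokenContext = builder.tokenType(OAuth2TokenType.ACCESS_TOKEN).build();
        OAuth2Token generated = oAuth2TokenGenerator.generate(tokenContext);
        if (generated == null) {
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("server_error", "The token generator failed to generate the access token.", str));
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Generated access token");
        }
        OAuth2AccessToken accessToken = new OAuth2AccessToken(
                OAuth2AccessToken.TokenType.BEARER,
                generated.getTokenValue(),
                generated.getIssuedAt(),
                generated.getExpiresAt(),
                tokenContext.getAuthorizedScopes());
        if (generated instanceof ClaimAccessor) {
            // Keep the signed claims next to the token so later lookups do not need to re-parse it.
            builder2.token(accessToken, metadata ->
                    metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, ((ClaimAccessor) generated).getClaims()));
        } else {
            builder2.accessToken(accessToken);
        }
        return accessToken;
    }

    /**
     * Generates a refresh token when the client registration lists the {@code refresh_token}
     * grant, records it on {@code builder2}, and returns it; returns {@code null} otherwise.
     *
     * <p>NOTE(review): {@code oAuth2ClientAuthenticationToken} is accepted but never consulted,
     * so a refresh token is minted for any client whose registration lists the grant, including
     * public clients (no client authentication). Spring Authorization Server's built-in
     * providers withhold refresh tokens from public clients; confirm whether issuing them here
     * is intentional before exposing this path to browser or mobile clients. The check is not
     * added here because it would change behaviour for existing deployments.
     *
     * @param builder                        token-context builder; its token type is set to refresh_token here
     * @param builder2                       authorization builder that receives the token
     * @param oAuth2TokenGenerator           generator that produces the token
     * @param str                            error URI placed on the {@link OAuth2Error} if generation fails
     * @param oAuth2ClientAuthenticationToken the authenticated client principal (currently unused, see note)
     * @param registeredClient               client registration whose grant types are consulted
     * @return the recorded refresh token, or {@code null} if the client may not use the grant
     * @throws OAuth2AuthenticationException with {@code server_error} if the generator does not
     *                                       return an {@link OAuth2RefreshToken}
     */
    public OAuth2RefreshToken creatOAuth2RefreshToken(DefaultOAuth2TokenContext.Builder builder, OAuth2Authorization.Builder builder2, OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator, String str, OAuth2ClientAuthenticationToken oAuth2ClientAuthenticationToken, RegisteredClient registeredClient) {
        if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
            return null;
        }
        OAuth2Token generated = oAuth2TokenGenerator.generate(builder.tokenType(OAuth2TokenType.REFRESH_TOKEN).build());
        if (!(generated instanceof OAuth2RefreshToken)) {
            // Covers both a null result and a generator that produced some other token type.
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("server_error", "The token generator failed to generate the refresh token.", str));
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Generated refresh token");
        }
        OAuth2RefreshToken refreshToken = (OAuth2RefreshToken) generated;
        builder2.refreshToken(refreshToken);
        return refreshToken;
    }

    /**
     * Generates an OIDC ID token when {@code set} contains the {@code openid} scope, records it
     * on {@code builder2} with its claims as metadata, and returns it; returns {@code null}
     * when the scope is absent (or {@code set} is {@code null}).
     *
     * <p>If a session registry is available and the principal has a live session, a copy of
     * that {@link SessionInformation} whose session id is replaced by its SHA-256 digest is
     * put into the token context, so the generator never sees the raw session id. The
     * authorization is snapshotted via {@code builder2.build()} at this point, so anything the
     * caller has already recorded on {@code builder2} (e.g. the access token) is visible to the
     * generator.
     *
     * @param authentication       the end-user authentication whose principal keys the session lookup
     * @param sessionRegistry      registry of active sessions, may be {@code null}
     * @param builder              token-context builder; its token type is set to id_token here
     * @param builder2             authorization builder that receives the token
     * @param oAuth2TokenGenerator generator that produces the token
     * @param str                  error URI placed on the {@link OAuth2Error} if generation fails
     * @param set                  the authorized scopes
     * @return the recorded ID token, or {@code null} if {@code openid} was not requested
     * @throws OAuth2AuthenticationException with {@code server_error} if SHA-256 is unavailable
     *                                       or the generator does not return a {@link Jwt}
     */
    public OidcIdToken createOidcIdToken(Authentication authentication, SessionRegistry sessionRegistry, DefaultOAuth2TokenContext.Builder builder, OAuth2Authorization.Builder builder2, OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator, String str, Set<String> set) {
        if (set == null || !set.contains(OPENID_SCOPE)) {
            return null;
        }
        SessionInformation sessionInformation = getSessionInformation(authentication, sessionRegistry);
        if (sessionInformation != null) {
            try {
                SessionInformation hashed = new SessionInformation(
                        sessionInformation.getPrincipal(),
                        createHash(sessionInformation.getSessionId()),
                        sessionInformation.getLastRequest());
                builder.put(SessionInformation.class, hashed);
            } catch (NoSuchAlgorithmException e) {
                // Preserve the cause so the failure is diagnosable from the exception chain.
                throw new OAuth2AuthenticationException(
                        new OAuth2Error("server_error", "Failed to compute hash for Session ID.", str), e);
            }
        }
        OAuth2Token generated = oAuth2TokenGenerator.generate(
                builder.tokenType(ID_TOKEN_TOKEN_TYPE).authorization(builder2.build()).build());
        if (!(generated instanceof Jwt)) {
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("server_error", "The token generator failed to generate the ID token.", str));
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Generated id token");
        }
        Jwt jwt = (Jwt) generated;
        OidcIdToken idToken = new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());
        builder2.token(idToken, metadata ->
                metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
        return idToken;
    }

    /**
     * Looks up the principal's most recently active, non-expired session.
     *
     * @return the session with the latest {@code lastRequest}, or {@code null} if there is no
     *         registry or no live session for the principal
     */
    private SessionInformation getSessionInformation(Authentication authentication, SessionRegistry sessionRegistry) {
        if (sessionRegistry == null) {
            return null;
        }
        // Second argument false: expired sessions are excluded from the lookup.
        List<SessionInformation> sessions = sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
        if (CollectionUtils.isEmpty(sessions)) {
            return null;
        }
        if (sessions.size() == 1) {
            return sessions.get(0);
        }
        // Several concurrent sessions: sort ascending by last request and take the last entry.
        // On equal timestamps the later-listed session wins (stable sort), as in the original.
        List<SessionInformation> byLastRequest = new ArrayList<>(sessions);
        byLastRequest.sort(Comparator.comparing(SessionInformation::getLastRequest));
        return byLastRequest.get(byLastRequest.size() - 1);
    }

    /**
     * Builds the additional token-response parameters carrying the ID token.
     *
     * @param oidcIdToken the ID token, may be {@code null}
     * @return a mutable map with a single {@code id_token} entry, or an immutable empty map when
     *         no ID token was issued
     */
    public Map<String, Object> idTokenAdditionalParameters(OidcIdToken oidcIdToken) {
        if (oidcIdToken == null) {
            return Collections.emptyMap();
        }
        Map<String, Object> parameters = new HashMap<>();
        parameters.put("id_token", oidcIdToken.getTokenValue());
        return parameters;
    }

    /**
     * Verifies every requested scope is permitted by the client registration.
     *
     * @param set              the requested scopes, may be {@code null} or empty
     * @param registeredClient the client whose registered scopes are authoritative
     * @return an insertion-ordered copy of the requested scopes, or an immutable empty set when
     *         nothing was requested
     * @throws OAuth2AuthenticationException with {@code invalid_scope} on the first scope the
     *                                       client is not registered for
     */
    public Set<String> validateScopes(Set<String> set, RegisteredClient registeredClient) {
        if (CollectionUtils.isEmpty(set)) {
            return Collections.emptySet();
        }
        Set<String> allowed = registeredClient.getScopes();
        for (String requested : set) {
            if (!allowed.contains(requested)) {
                throw new OAuth2AuthenticationException("invalid_scope");
            }
        }
        return new LinkedHashSet<>(set);
    }

    /**
     * Attaches principal details to the token response when the end-user authentication is a
     * {@link UsernamePasswordAuthenticationToken} whose principal is a {@link HerodotusUser}.
     * Any other authentication leaves the token untouched.
     *
     * @param authentication                    the end-user authentication
     * @param oAuth2AccessTokenAuthenticationToken the token to decorate
     * @return the same token instance, possibly with details set
     */
    public OAuth2AccessTokenAuthenticationToken createOAuth2AccessTokenAuthenticationToken(Authentication authentication, OAuth2AccessTokenAuthenticationToken oAuth2AccessTokenAuthenticationToken) {
        if (!(authentication instanceof UsernamePasswordAuthenticationToken)) {
            return oAuth2AccessTokenAuthenticationToken;
        }
        Object principal = authentication.getPrincipal();
        if (principal instanceof HerodotusUser) {
            oAuth2AccessTokenAuthenticationToken.setDetails(PrincipalUtils.toPrincipalDetails((HerodotusUser) principal));
        }
        return oAuth2AccessTokenAuthenticationToken;
    }
}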
