package pl.edu.icm.unity.oauth.rp.local;

import com.google.common.collect.Sets;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.authn.AuthenticatedEntity;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.LocalAuthenticationResult;
import pl.edu.icm.unity.oauth.as.OAuthTokenRepository;
import pl.edu.icm.unity.oauth.rp.verificator.InternalTokenVerificator;
import pl.edu.icm.unity.oauth.rp.verificator.TokenStatus;

/* loaded from: input_file:pl/edu/icm/unity/oauth/rp/local/LocalBearerTokenVerificator.class */
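/**
 * Validates a bearer access token with an {@link InternalTokenVerificator} and then enforces the
 * scopes listed under the {@code requiredScopes.} property prefix.
 *
 * <p>The raw token value is a credential. It must never be written to logs or exception messages
 * by this class.
 */
class LocalBearerTokenVerificator {
    private static final Logger log = Log.getLogger("unity.server.oauth", LocalBearerTokenVerificator.class);
    private final InternalTokenVerificator tokenChecker;
    private final LocalOAuthRPProperties verificatorProperties;

    /**
     * @param oAuthTokenRepository repository handed to the internal token verificator
     * @param localOAuthRPProperties configuration from which the required scopes are read
     */
    public LocalBearerTokenVerificator(OAuthTokenRepository oAuthTokenRepository, LocalOAuthRPProperties localOAuthRPProperties) {
        this.tokenChecker = new InternalTokenVerificator(oAuthTokenRepository);
        this.verificatorProperties = localOAuthRPProperties;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Checks the token and converts every unexpected failure into an {@link AuthenticationException}.
     *
     * @param bearerAccessToken token presented by the client
     * @return authentication result paired with the token status obtained during verification
     * @throws AuthenticationException rethrown unchanged when raised by the verification itself,
     *         or wrapping any other exception as its cause
     */
    public AuthenticationResultWithTokenStatus checkToken(BearerAccessToken bearerAccessToken) throws AuthenticationException {
        try {
            return checkTokenInterruptible(bearerAccessToken);
        } catch (AuthenticationException e) {
            // The more specific type has to be caught first; after the generic handler it is unreachable.
            throw e;
        } catch (Exception e) {
            throw new AuthenticationException("Authentication error ocurred", e);
        }
    }

    /**
     * Verifies the token and, when it is valid, requires all configured mandatory scopes.
     *
     * @param bearerAccessToken token presented by the client
     * @return a failed result when the token is invalid or lacks a required scope, otherwise a
     *         successful result built from the token's owner id and subject
     * @throws Exception whatever the underlying verification throws
     */
    AuthenticationResultWithTokenStatus checkTokenInterruptible(BearerAccessToken bearerAccessToken) throws Exception {
        TokenStatus status = this.tokenChecker.checkToken(bearerAccessToken);
        if (!status.isValid()) {
            return new AuthenticationResultWithTokenStatus(LocalAuthenticationResult.failed(), status);
        }
        if (!areMandatoryScopesPresent(status)) {
            // Deliberately omit the token value: a bearer token is a credential, and anyone able to
            // read the debug log could replay it. The missing scopes are logged by the scope check.
            log.debug("Bearer access token has no mandatory scopes");
            return new AuthenticationResultWithTokenStatus(LocalAuthenticationResult.failed(), status);
        }
        // NOTE(review): getOwnerId().get() assumes a valid token always carries an owner id; if it
        // does not, the resulting exception is wrapped by checkToken() - confirm this is intended.
        AuthenticatedEntity entity = new AuthenticatedEntity(status.getOwnerId().get(), status.getSubject(), (String) null);
        return new AuthenticationResultWithTokenStatus(LocalAuthenticationResult.successful(entity), status);
    }

    /**
     * Tells whether the token carries every scope configured under {@code requiredScopes.}.
     *
     * @param tokenStatus status of an already validated token
     * @return {@code true} when no scope is required or all required scopes are present
     */
    private boolean areMandatoryScopesPresent(TokenStatus tokenStatus) {
        Set<String> requiredScopes = this.verificatorProperties.getListOfValues("requiredScopes.").stream()
                .collect(Collectors.toSet());
        if (requiredScopes.isEmpty()) {
            // Nothing is required, so a token without any scope must not be dereferenced below.
            return true;
        }
        if (tokenStatus.getScope() == null) {
            log.debug("The token validation didn't provide any scope, but there are required scopes");
            return false;
        }
        Set<String> grantedScopes = tokenStatus.getScope().toStringList().stream().collect(Collectors.toSet());
        if (grantedScopes.containsAll(requiredScopes)) {
            return true;
        }
        log.debug("The following required scopes are not present in token: "
                + Sets.difference(requiredScopes, grantedScopes).toString());
        return false;
    }
}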
