package org.nentangso.core.security.oauth2;

import java.net.URI;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.HashMap;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.client.RestTemplate;

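/**
 * Resolves the {@code Authorization} header value to forward on outbound requests made on
 * behalf of the currently authenticated user.
 *
 * <p>Two authentication shapes are supported: an {@link OAuth2AuthenticationToken} (login
 * flow), whose stored authorized client's access token is used and refreshed at the
 * provider's token endpoint when it is about to expire, and a {@link JwtAuthenticationToken}
 * (resource-server flow), whose bearer token is forwarded unchanged. Token values are never
 * written to the log.
 */
@Component
public class AuthorizationHeaderUtil {

    /** Refresh this long before the recorded expiry to absorb clock skew and request latency. */
    private static final Duration EXPIRY_SKEW = Duration.ofMinutes(1L);

    /** Separator of the space-delimited {@code scope} response parameter (RFC 6749 section 3.3). */
    private static final Pattern SCOPE_SEPARATOR = Pattern.compile("\\s");

    private static final String ACCESS_DENIED = "access_denied";

    private final OAuth2AuthorizedClientService clientService;
    private final RestTemplateBuilder restTemplateBuilder;
    private final Logger log = LoggerFactory.getLogger(AuthorizationHeaderUtil.class);

    public AuthorizationHeaderUtil(OAuth2AuthorizedClientService oAuth2AuthorizedClientService, RestTemplateBuilder restTemplateBuilder) {
        this.clientService = oAuth2AuthorizedClientService;
        this.restTemplateBuilder = restTemplateBuilder;
    }

    /**
     * Returns the header value ({@code "<type> <token>"}) for the current authentication, or
     * empty when no supported authentication (or no access token) is present.
     *
     * @return the header value, or empty
     * @throws OAuth2AuthorizationException with error {@code access_denied} when the
     *         authorized client is no longer stored, or when its access token is expired and
     *         could not be refreshed; in the latter case the security context is cleared first
     *         so the caller is forced to re-authenticate
     */
    public Optional<String> getAuthorizationHeader() {
        // getAuthentication() returns the Authentication interface; narrow it per branch below
        // rather than assigning it to a concrete token type.
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof OAuth2AuthenticationToken) {
            return headerForAuthorizedClient((OAuth2AuthenticationToken) authentication);
        }
        if (authentication instanceof JwtAuthenticationToken) {
            String jwt = ((JwtAuthenticationToken) authentication).getToken().getTokenValue();
            return Optional.of(String.format("%s %s", OAuth2AccessToken.TokenType.BEARER.getValue(), jwt));
        }
        return Optional.empty();
    }

    /**
     * Header for the login flow: uses the stored access token, refreshing it first when it is
     * within {@link #EXPIRY_SKEW} of expiry.
     */
    private Optional<String> headerForAuthorizedClient(OAuth2AuthenticationToken oAuth2AuthenticationToken) {
        OAuth2AuthorizedClient authorizedClient = this.clientService.loadAuthorizedClient(
            oAuth2AuthenticationToken.getAuthorizedClientRegistrationId(),
            oAuth2AuthenticationToken.getName());
        if (authorizedClient == null) {
            throw accessDenied("The token is expired");
        }
        OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
        if (accessToken == null) {
            return Optional.empty();
        }
        String tokenType = accessToken.getTokenType().getValue();
        String tokenValue = accessToken.getTokenValue();
        if (isExpired(accessToken)) {
            this.log.info("AccessToken expired, refreshing automatically");
            tokenValue = refreshToken(authorizedClient, oAuth2AuthenticationToken);
            if (tokenValue == null) {
                // Refresh failed: drop the stale authentication so the user is sent to log in again
                // instead of continuing with a token we know is unusable.
                SecurityContextHolder.getContext().setAuthentication(null);
                throw accessDenied("The token is expired");
            }
        }
        return Optional.of(String.format("%s %s", tokenType, tokenValue));
    }

    /** Builds the {@code access_denied} exception thrown when no usable token is available. */
    private static OAuth2AuthorizationException accessDenied(String description) {
        return new OAuth2AuthorizationException(new OAuth2Error(ACCESS_DENIED, description, null));
    }

    /**
     * Refreshes the access token at the provider's token endpoint and persists the updated
     * authorized client.
     *
     * @return the new access token value, or {@code null} when there is no refresh token or the
     *         provider returned no access token (the caller treats {@code null} as a failed refresh)
     * @throws OAuth2AuthenticationException when the provider answered with an OAuth error response
     */
    private String refreshToken(OAuth2AuthorizedClient authorizedClient, OAuth2AuthenticationToken oAuth2AuthenticationToken) {
        OAuth2AccessTokenResponse response = refreshTokenClient(authorizedClient);
        if (response == null || response.getAccessToken() == null) {
            this.log.info("Failed to refresh token for user");
            return null;
        }
        // Providers may rotate the refresh token; keep the previous one only when none was issued.
        OAuth2AuthorizedClient refreshed = new OAuth2AuthorizedClient(
            authorizedClient.getClientRegistration(),
            authorizedClient.getPrincipalName(),
            response.getAccessToken(),
            response.getRefreshToken() != null ? response.getRefreshToken() : authorizedClient.getRefreshToken());
        this.clientService.saveAuthorizedClient(refreshed, oAuth2AuthenticationToken);
        return response.getAccessToken().getTokenValue();
    }

    /**
     * Performs the {@code refresh_token} grant against the registration's token URI.
     *
     * @return the parsed token response, or {@code null} when the client holds no refresh token
     *         or the provider returned an empty body
     * @throws OAuth2AuthenticationException when the provider answered with an OAuth error response
     */
    private OAuth2AccessTokenResponse refreshTokenClient(OAuth2AuthorizedClient authorizedClient) {
        if (authorizedClient.getRefreshToken() == null) {
            // Nothing to refresh with; reported as a failed refresh so the caller forces re-login.
            this.log.info("No refresh token available for user");
            return null;
        }
        LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", AuthorizationGrantType.REFRESH_TOKEN.getValue());
        form.add("refresh_token", authorizedClient.getRefreshToken().getTokenValue());
        form.add("client_id", authorizedClient.getClientRegistration().getClientId());
        RequestEntity<LinkedMultiValueMap<String, String>> request = RequestEntity
            .post(URI.create(authorizedClient.getClientRegistration().getProviderDetails().getTokenUri()))
            .contentType(MediaType.APPLICATION_FORM_URLENCODED)
            .body(form);
        try {
            // The client secret travels only in the HTTP Basic header built by restTemplate().
            OAuthIdpTokenResponseDTO dto = restTemplate(
                    authorizedClient.getClientRegistration().getClientId(),
                    authorizedClient.getClientRegistration().getClientSecret())
                .exchange(request, OAuthIdpTokenResponseDTO.class)
                .getBody();
            if (dto == null) {
                this.log.info("Token endpoint returned an empty response body");
                return null;
            }
            return toOAuth2AccessTokenResponse(dto);
        } catch (OAuth2AuthorizationException e) {
            this.log.error("Unable to refresh token", e);
            throw new OAuth2AuthenticationException(e.getError(), e);
        }
    }

    /**
     * Maps the provider's raw token response into Spring's {@link OAuth2AccessTokenResponse}.
     * Provider-specific fields without a dedicated slot are carried as additional parameters.
     */
    private OAuth2AccessTokenResponse toOAuth2AccessTokenResponse(OAuthIdpTokenResponseDTO dto) {
        HashMap<String, Object> additionalParameters = new HashMap<>();
        additionalParameters.put("id_token", dto.getIdToken());
        additionalParameters.put("not-before-policy", dto.getNotBefore());
        additionalParameters.put("refresh_expires_in", dto.getRefreshExpiresIn());
        additionalParameters.put("session_state", dto.getSessionState());
        // scope is optional in a refresh response; empty fragments from repeated whitespace are dropped.
        String scope = dto.getScope() == null ? "" : dto.getScope();
        Set<String> scopes = SCOPE_SEPARATOR.splitAsStream(scope)
            .filter(s -> !s.isEmpty())
            .collect(Collectors.toSet());
        OAuth2AccessTokenResponse.Builder builder = OAuth2AccessTokenResponse.withToken(dto.getAccessToken())
            .refreshToken(dto.getRefreshToken())
            .scopes(scopes)
            .tokenType(OAuth2AccessToken.TokenType.BEARER)
            .additionalParameters(additionalParameters);
        // expires_in is only recommended by RFC 6749; when absent, leave the builder's own default
        // expiry in place instead of dereferencing null.
        if (dto.getExpiresIn() != null) {
            builder.expiresIn(dto.getExpiresIn().longValue());
        }
        return builder.build();
    }

    /**
     * Builds a client for the token endpoint that authenticates with the registration's client
     * credentials via HTTP Basic and maps OAuth error responses to
     * {@link OAuth2AuthorizationException}.
     */
    private RestTemplate restTemplate(String clientId, String clientSecret) {
        return this.restTemplateBuilder
            .additionalMessageConverters(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter())
            .errorHandler(new OAuth2ErrorResponseErrorHandler())
            .basicAuthentication(clientId, clientSecret)
            .build();
    }

    /**
     * True when the token expires within {@link #EXPIRY_SKEW} of now. A token carrying no expiry
     * timestamp is treated as expired so it gets refreshed rather than trusted indefinitely.
     */
    private boolean isExpired(OAuth2AccessToken accessToken) {
        Instant expiresAt = accessToken.getExpiresAt();
        if (expiresAt == null) {
            return true;
        }
        return Instant.now().isAfter(expiresAt.minus(EXPIRY_SKEW));
    }
}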
