package team.sailboat.ms.ac.oauth2server;

import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;
import java.util.function.Function;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwsHeader;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;
import team.sailboat.commons.fan.excep.ExceptionAssist;
import team.sailboat.commons.fan.http.ISigner;
import team.sailboat.commons.fan.lang.JCommon;
import team.sailboat.commons.fan.text.XString;

/* loaded from: input_file:team/sailboat/ms/ac/oauth2server/CorsTokenAuthenticationProvider.class */
public class CorsTokenAuthenticationProvider implements AuthenticationProvider {
    static final Logger sLogger = LoggerFactory.getLogger(CorsTokenAuthenticationProvider.class);
    static final OAuth2TokenType AUTHORIZATION_CODE_TOKEN_TYPE = new OAuth2TokenType("code");
    static final StringKeyGenerator TOKEN_GENERATOR = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
    final OAuth2AuthorizationService mAuthorizationService;
    final RegisteredClientRepository mRegisteredClientRepository;
    final Function<String, String> mClientSecretPvd;
    OAuth2TokenGenerator<OAuth2AccessToken> mAccessTokenGenerator = null;

    public CorsTokenAuthenticationProvider(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService, Function<String, String> function) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        this.mRegisteredClientRepository = registeredClientRepository;
        this.mAuthorizationService = oAuth2AuthorizationService;
        this.mClientSecretPvd = function;
    }

    public final void setAccessTokenGenerator(OAuth2TokenGenerator<OAuth2AccessToken> oAuth2TokenGenerator) {
        Assert.notNull(oAuth2TokenGenerator, "OAuth2AccessTokenGenrator为null!");
        this.mAccessTokenGenerator = oAuth2TokenGenerator;
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        CorsToken corsToken = (CorsToken) authentication;
        OAuth2ClientAuthenticationToken authenticatedClientElseThrowInvalidClient = getAuthenticatedClientElseThrowInvalidClient(corsToken);
        RegisteredClient registeredClient = authenticatedClientElseThrowInvalidClient.getRegisteredClient();
        OAuth2Authorization findByToken = this.mAuthorizationService.findByToken(corsToken.getToken(), AUTHORIZATION_CODE_TOKEN_TYPE);
        if (findByToken == null) {
            throw new OAuth2AuthenticationException(new OAuth2Error("invalid_grant", "无法通过token找到认证信息", (String) null));
        }
        if (!findByToken.getToken(OAuth2AuthorizationCode.class).isActive()) {
            throw new OAuth2AuthenticationException(new OAuth2Error("invalid_grant", "认证信息已经失效", (String) null));
        }
        if (XString.isNotEmpty(corsToken.getSignature())) {
            try {
                if (JCommon.unequals(corsToken.getSignature(), ISigner.signForUrlNoPadding(corsToken.getSignText(), "HmacSHA256", this.mClientSecretPvd.apply(this.mRegisteredClientRepository.findById(findByToken.getRegisteredClientId()).getId())))) {
                    sLogger.error("签名验证不通过！");
                    throw new OAuth2AuthenticationException(new OAuth2Error("invalid_grant"));
                }
            } catch (UnsupportedEncodingException | IllegalStateException | InvalidKeyException | NoSuchAlgorithmException e) {
                sLogger.info(ExceptionAssist.getClearMessage(getClass(), e));
            }
        }
        Set authorizedScopes = findByToken.getAuthorizedScopes();
        OAuth2AccessToken generate = this.mAccessTokenGenerator.generate(JwtEncodingContext.with(headers(), accessTokenClaims(registeredClient, "sailboat.org", findByToken.getPrincipalName(), authorizedScopes)).registeredClient(registeredClient).principal((Authentication) findByToken.getAttribute(Principal.class.getName())).authorization(findByToken).authorizedScopes(authorizedScopes).tokenType(OAuth2TokenType.ACCESS_TOKEN).authorizationGrantType(CorsToken.sGrantType_CorsToken).authorizationGrant(corsToken).build());
        OAuth2RefreshToken oAuth2RefreshToken = null;
        if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
            oAuth2RefreshToken = generateRefreshToken(registeredClient.getTokenSettings().getRefreshTokenTimeToLive());
        }
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, authenticatedClientElseThrowInvalidClient, generate, oAuth2RefreshToken);
    }

    public boolean supports(Class<?> cls) {
        return CorsToken.class.isAssignableFrom(cls);
    }

    static OAuth2ClientAuthenticationToken getAuthenticatedClientElseThrowInvalidClient(Authentication authentication) {
        OAuth2ClientAuthenticationToken oAuth2ClientAuthenticationToken = null;
        if (OAuth2ClientAuthenticationToken.class.isAssignableFrom(authentication.getPrincipal().getClass())) {
            oAuth2ClientAuthenticationToken = (OAuth2ClientAuthenticationToken) authentication.getPrincipal();
        }
        if (oAuth2ClientAuthenticationToken == null || !oAuth2ClientAuthenticationToken.isAuthenticated()) {
            throw new OAuth2AuthenticationException(new OAuth2Error("invalid_client"));
        }
        return oAuth2ClientAuthenticationToken;
    }

    static OAuth2RefreshToken generateRefreshToken(Duration duration) {
        Instant now = Instant.now();
        return new OAuth2RefreshToken(TOKEN_GENERATOR.generateKey(), now, now.plus((TemporalAmount) duration));
    }

    static JwsHeader.Builder headers() {
        return JwsHeader.with(SignatureAlgorithm.RS256);
    }

    static JwtClaimsSet.Builder accessTokenClaims(RegisteredClient registeredClient, String str, String str2, Set<String> set) {
        Instant now = Instant.now();
        Instant plus = now.plus((TemporalAmount) registeredClient.getTokenSettings().getAccessTokenTimeToLive());
        JwtClaimsSet.Builder builder = JwtClaimsSet.builder();
        if (StringUtils.hasText(str)) {
            builder.issuer(str);
        }
        builder.subject(str2).audience(Collections.singletonList(registeredClient.getClientId())).issuedAt(now).expiresAt(plus).notBefore(now);
        if (!CollectionUtils.isEmpty(set)) {
            builder.claim("scope", set);
        }
        return builder;
    }
}
