package org.springframework.security.oauth2.server.authorization.authentication;

import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Collections;
import java.util.Set;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.jose.JoseHeader;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationAttributeNames;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.class */
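/**
 * {@link AuthenticationProvider} for the OAuth 2.0 Authorization Code Grant at the token endpoint.
 *
 * <p>Given an {@link OAuth2AuthorizationCodeAuthenticationToken} whose principal is an already
 * authenticated {@link OAuth2ClientAuthenticationToken}, it looks up the {@link OAuth2Authorization}
 * the code belongs to, checks that the code was issued to the presenting client and that the
 * {@code redirect_uri} matches the one from the original authorization request, mints a signed
 * JWT access token, stores it on the authorization and returns an
 * {@link OAuth2AccessTokenAuthenticationToken}.
 *
 * <p>Every failed check is reported as an {@link OAuth2AuthenticationException} carrying the
 * matching OAuth 2.0 error code ({@code invalid_client} or {@code invalid_grant}).
 */
public class OAuth2AuthorizationCodeAuthenticationProvider implements AuthenticationProvider {
    private static final String INVALID_CLIENT = "invalid_client";
    private static final String INVALID_GRANT = "invalid_grant";
    private static final String SCOPE_CLAIM = "scope";

    /** Value placed in the {@code iss} claim of every access token minted by this provider. */
    private static final URL ISSUER = toUrl("https://oauth2.provider.com");
    /** Signing algorithm requested from the {@link JwtEncoder}. */
    private static final SignatureAlgorithm ACCESS_TOKEN_ALGORITHM = SignatureAlgorithm.RS256;
    /** Lifetime of a minted access token ({@code exp} - {@code iat}), in hours. */
    private static final long ACCESS_TOKEN_TIME_TO_LIVE_HOURS = 1L;

    private final RegisteredClientRepository registeredClientRepository;
    private final OAuth2AuthorizationService authorizationService;
    private final JwtEncoder jwtEncoder;

    /**
     * Creates a provider.
     *
     * @param registeredClientRepository the repository of registered clients (currently retained only)
     * @param oAuth2AuthorizationService the service used to look up and persist authorizations
     * @param jwtEncoder the encoder used to sign the access token
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    public OAuth2AuthorizationCodeAuthenticationProvider(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService, JwtEncoder jwtEncoder) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(jwtEncoder, "jwtEncoder cannot be null");
        this.registeredClientRepository = registeredClientRepository;
        this.authorizationService = oAuth2AuthorizationService;
        this.jwtEncoder = jwtEncoder;
    }

    /**
     * Exchanges an authorization code for an access token.
     *
     * @param authentication an {@link OAuth2AuthorizationCodeAuthenticationToken}
     * @return an {@link OAuth2AccessTokenAuthenticationToken} holding the minted access token
     * @throws OAuth2AuthenticationException with {@code invalid_client} if the principal is not an
     *         authenticated client, or {@code invalid_grant} if the code is unknown, was issued to a
     *         different client, has no authorization request attached, or the {@code redirect_uri}
     *         does not match the one from the authorization request
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication =
                (OAuth2AuthorizationCodeAuthenticationToken) authentication;

        // The token endpoint only serves clients that already passed client authentication.
        // instanceof also covers a null principal, which would otherwise NPE on getClass().
        OAuth2ClientAuthenticationToken clientPrincipal = null;
        if (authorizationCodeAuthentication.getPrincipal() instanceof OAuth2ClientAuthenticationToken) {
            clientPrincipal = (OAuth2ClientAuthenticationToken) authorizationCodeAuthentication.getPrincipal();
        }
        if (clientPrincipal == null || !clientPrincipal.isAuthenticated()) {
            throw error(INVALID_CLIENT);
        }

        OAuth2Authorization authorization = this.authorizationService.findByToken(
                authorizationCodeAuthentication.getCode(), TokenType.AUTHORIZATION_CODE);
        if (authorization == null) {
            throw error(INVALID_GRANT);
        }
        // The code must be redeemed by the client it was issued to (RFC 6749 section 4.1.3).
        if (!clientPrincipal.getRegisteredClient().getId().equals(authorization.getRegisteredClientId())) {
            throw error(INVALID_GRANT);
        }

        OAuth2AuthorizationRequest authorizationRequest = (OAuth2AuthorizationRequest)
                authorization.getAttribute(OAuth2AuthorizationAttributeNames.AUTHORIZATION_REQUEST);
        if (authorizationRequest == null) {
            // An authorization found by code but lacking its request is inconsistent state;
            // report it as a grant problem rather than failing with a NullPointerException.
            throw error(INVALID_GRANT);
        }
        // If redirect_uri was sent on the authorization request, the token request must carry
        // the identical value (RFC 6749 section 4.1.3).
        String expectedRedirectUri = authorizationRequest.getRedirectUri();
        if (StringUtils.hasText(expectedRedirectUri)
                && !expectedRedirectUri.equals(authorizationCodeAuthentication.getRedirectUri())) {
            throw error(INVALID_GRANT);
        }

        Instant issuedAt = Instant.now();
        JoseHeader headers = JoseHeader.withAlgorithm(ACCESS_TOKEN_ALGORITHM).build();
        // NOTE(review): the scope claim is the set from the original authorization request;
        // if a consent step can narrow the granted scopes, the narrowed set belongs here — confirm.
        JwtClaimsSet claims = JwtClaimsSet.withClaims()
                .issuer(ISSUER)
                .subject(authorization.getPrincipalName())
                .audience(Collections.singletonList(clientPrincipal.getRegisteredClient().getClientId()))
                .issuedAt(issuedAt)
                .expiresAt(issuedAt.plus(ACCESS_TOKEN_TIME_TO_LIVE_HOURS, ChronoUnit.HOURS))
                .notBefore(issuedAt)
                .claim(SCOPE_CLAIM, authorizationRequest.getScopes())
                .build();
        Jwt jwt = this.jwtEncoder.encode(headers, claims);

        // The scopes are read back from the encoded JWT so the access token mirrors the claim
        // actually signed, not merely the value we asked for.
        @SuppressWarnings("unchecked")
        Set<String> scopes = (Set<String>) jwt.getClaim(SCOPE_CLAIM);
        OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
                jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), scopes);

        // NOTE(review): nothing here marks the authorization code as used; until the authorization
        // is removed, findByToken() would accept the same code again. RFC 6749 section 4.1.2
        // requires codes to be single-use — confirm this is enforced by the service or a later layer.
        this.authorizationService.save(OAuth2Authorization.from(authorization)
                .attribute(OAuth2AuthorizationAttributeNames.ACCESS_TOKEN_ATTRIBUTES, jwt)
                .accessToken(accessToken)
                .build());

        return new OAuth2AccessTokenAuthenticationToken(
                clientPrincipal.getRegisteredClient(), clientPrincipal, accessToken);
    }

    /**
     * Reports whether this provider handles the given authentication type.
     *
     * @param cls the {@link Authentication} class to test
     * @return {@code true} for {@link OAuth2AuthorizationCodeAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(cls);
    }

    /** Builds the exception for an OAuth 2.0 error code; the error is deliberately minimal. */
    private static OAuth2AuthenticationException error(String errorCode) {
        return new OAuth2AuthenticationException(new OAuth2Error(errorCode));
    }

    /**
     * Parses a compile-time constant URL.
     *
     * <p>The previous code swallowed {@link MalformedURLException} and carried on with a
     * {@code null} issuer; a malformed constant is a programming error and is now failed loudly
     * at class initialization instead.
     */
    private static URL toUrl(String value) {
        try {
            return URI.create(value).toURL();
        } catch (MalformedURLException ex) {
            throw new IllegalStateException("Invalid issuer URL: " + value, ex);
        }
    }
}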
