package org.springframework.security.oauth2.server.authorization.authentication;

import java.security.Principal;
import java.util.Base64;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2UserCode;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.4.1.jar:org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.class */
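/**
 * {@link AuthenticationProvider} that handles the device verification request, i.e. the step in
 * which an end user submits the user code shown on a device.
 *
 * <p>The provider looks up the pending {@link OAuth2Authorization} by user code, binds it to the
 * authenticated principal and then either completes the verification (consent already covers the
 * requested scopes) or hands back a consent token carrying a freshly generated {@code state}.
 *
 * <p>Trace messages emitted here never include the user code value.
 */
public final class OAuth2DeviceVerificationAuthenticationProvider implements AuthenticationProvider {
    static final OAuth2TokenType USER_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.USER_CODE);
    // Generates the per-request "state" value that ties the consent page to this authorization.
    private static final StringKeyGenerator DEFAULT_STATE_GENERATOR = new Base64StringKeyGenerator(Base64.getUrlEncoder());
    private final Log logger = LogFactory.getLog(getClass());
    private final RegisteredClientRepository registeredClientRepository;
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2AuthorizationConsentService authorizationConsentService;

    /**
     * Creates the provider.
     *
     * @param registeredClientRepository repository used to resolve the client that started the flow
     * @param oAuth2AuthorizationService service used to look up and persist the pending authorization
     * @param oAuth2AuthorizationConsentService service used to look up previously granted consent
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    public OAuth2DeviceVerificationAuthenticationProvider(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2AuthorizationConsentService oAuth2AuthorizationConsentService) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2AuthorizationConsentService, "authorizationConsentService cannot be null");
        this.registeredClientRepository = registeredClientRepository;
        this.authorizationService = oAuth2AuthorizationService;
        this.authorizationConsentService = oAuth2AuthorizationConsentService;
    }

    /**
     * Processes a device verification request.
     *
     * @param authentication an {@link OAuth2DeviceVerificationAuthenticationToken}
     * @return the unchanged request token when the principal is not authenticated yet; an
     * {@link OAuth2DeviceVerificationAuthenticationToken} when verification completed without a
     * consent step; otherwise an {@link OAuth2DeviceAuthorizationConsentAuthenticationToken}
     * @throws OAuth2AuthenticationException with {@code invalid_grant} when no authorization
     * matches the user code, or when the user code is no longer active
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2DeviceVerificationAuthenticationToken deviceVerification = (OAuth2DeviceVerificationAuthenticationToken) authentication;
        OAuth2Authorization authorization = this.authorizationService.findByToken(deviceVerification.getUserCode(), USER_CODE_TOKEN_TYPE);
        if (authorization == null) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Retrieved authorization with user code");
        }

        // A user code is single-use and time-limited. The lookup above matches on the token value
        // only, so a code that has expired or was already invalidated by an earlier verification
        // must be rejected here; otherwise the stored authorization could be re-bound to another
        // principal after the fact.
        OAuth2Authorization.Token<OAuth2UserCode> userCode = authorization.getToken(OAuth2UserCode.class);
        if (userCode == null || !userCode.isActive()) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
        }

        Authentication principal = (Authentication) deviceVerification.getPrincipal();
        if (!isPrincipalAuthenticated(principal)) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Did not authenticate device verification request since principal not authenticated");
            }
            // Returned as-is (not authenticated) so the caller can send the user through login first.
            return deviceVerification;
        }

        // NOTE(review): findById may return null if the client registration was removed while the
        // authorization was pending; that would surface as a NullPointerException below. Confirm
        // whether the repository guarantees presence or whether an explicit rejection is wanted.
        RegisteredClient registeredClient = this.registeredClientRepository.findById(authorization.getRegisteredClientId());
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Retrieved registered client");
        }

        Set<String> requestedScopes = authorization.getAttribute(OAuth2ParameterNames.SCOPE);
        OAuth2AuthorizationConsent currentConsent = this.authorizationConsentService.findById(registeredClient.getId(), principal.getName());

        if (!requiresAuthorizationConsent(requestedScopes, currentConsent)) {
            // Existing consent covers every requested scope: bind the principal, record the
            // authorized scopes, invalidate the user code and drop the pending "scope" attribute.
            OAuth2Authorization verified = OAuth2Authorization.from(authorization)
                    .principalName(principal.getName())
                    .authorizedScopes(requestedScopes)
                    .invalidate(userCode.getToken())
                    .attribute(Principal.class.getName(), principal)
                    .attributes(attrs -> attrs.remove(OAuth2ParameterNames.SCOPE))
                    .build();
            this.authorizationService.save(verified);
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Saved authorization with authorized scopes");
                this.logger.trace("Authenticated device verification request");
            }
            return new OAuth2DeviceVerificationAuthenticationToken(principal, deviceVerification.getUserCode(), registeredClient.getClientId());
        }

        // Consent is still needed: store a fresh state value with the authorization so the
        // follow-up consent submission can be matched to this verification.
        String state = DEFAULT_STATE_GENERATOR.generateKey();
        OAuth2Authorization pendingConsent = OAuth2Authorization.from(authorization)
                .principalName(principal.getName())
                .attribute(Principal.class.getName(), principal)
                .attribute(OAuth2ParameterNames.STATE, state)
                .build();
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Generated device authorization consent state");
        }
        this.authorizationService.save(pendingConsent);
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Saved authorization");
        }

        String verificationUri = AuthorizationServerContextHolder.getContext().getAuthorizationServerSettings().getDeviceVerificationEndpoint();
        Set<String> previouslyAuthorizedScopes = currentConsent != null ? currentConsent.getScopes() : null;
        return new OAuth2DeviceAuthorizationConsentAuthenticationToken(verificationUri, registeredClient.getClientId(), principal, deviceVerification.getUserCode(), state, requestedScopes, previouslyAuthorizedScopes);
    }

    /**
     * Reports whether this provider handles the given authentication type.
     *
     * @param cls the authentication class to test
     * @return {@code true} for {@link OAuth2DeviceVerificationAuthenticationToken} and its subtypes
     */
    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2DeviceVerificationAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Consent is required when none is stored, or when the stored consent does not contain every
     * requested scope.
     */
    private static boolean requiresAuthorizationConsent(Set<String> requestedScopes, OAuth2AuthorizationConsent currentConsent) {
        return currentConsent == null || !currentConsent.getScopes().containsAll(requestedScopes);
    }

    /**
     * A principal counts as authenticated only when it is present, is not an
     * {@link AnonymousAuthenticationToken} and reports {@code isAuthenticated()}.
     */
    private static boolean isPrincipalAuthenticated(Authentication principal) {
        return principal != null
                && !AnonymousAuthenticationToken.class.isAssignableFrom(principal.getClass())
                && principal.isAuthenticated();
    }
}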
