package org.springframework.security.oauth2.server.authorization.authentication;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.4.1.jar:org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationProvider.class */
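/**
 * An {@link AuthenticationProvider} for the OAuth 2.0 Token Exchange grant
 * ({@link AuthorizationGrantType#TOKEN_EXCHANGE}).
 *
 * <p>The provider validates an {@link OAuth2TokenExchangeAuthenticationToken} and, on success,
 * issues a new access token bound to the subject token's principal (optionally wrapped in an
 * {@link OAuth2TokenExchangeCompositeAuthenticationToken} that records the actor chain). The
 * checks performed, in order, are:
 * <ol>
 *   <li>the client is authenticated and registered for the token-exchange grant;</li>
 *   <li>a requested JWT token type is only honoured for clients whose access tokens are
 *       self-contained;</li>
 *   <li>the subject token resolves to a stored, active access token of the declared token type
 *       whose authorization carries a {@link Principal} attribute;</li>
 *   <li>if an actor token is supplied it resolves the same way, and when the subject token
 *       carries a {@code may_act} claim its {@code iss}/{@code sub} must match the actor token's
 *       claims; a {@code may_act} claim without an actor token is rejected;</li>
 *   <li>requested scopes (or, failing that, the subject authorization's scopes) must all be
 *       registered for the client.</li>
 * </ol>
 * No refresh token is issued for this grant.
 *
 * <p>This class is immutable after construction; thread-safety follows from that of the injected
 * {@link OAuth2AuthorizationService} and {@link OAuth2TokenGenerator}.
 */
public final class OAuth2TokenExchangeAuthenticationProvider implements AuthenticationProvider {
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
    private static final String JWT_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:jwt";
    private static final String ACCESS_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:access_token";
    /** Name of the claim that names the party allowed to act on behalf of the subject. */
    private static final String MAY_ACT = "may_act";
    private final Log logger = LogFactory.getLog(getClass());
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;

    /**
     * Creates a provider backed by the given authorization store and token generator.
     *
     * @param oAuth2AuthorizationService the store used to look up subject/actor tokens and to
     *                                   persist the issued authorization
     * @param oAuth2TokenGenerator       the generator used to mint the new access token
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public OAuth2TokenExchangeAuthenticationProvider(OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2TokenGenerator, "tokenGenerator cannot be null");
        this.authorizationService = oAuth2AuthorizationService;
        this.tokenGenerator = oAuth2TokenGenerator;
    }

    /**
     * Validates a token-exchange request and issues a new access token.
     *
     * @param authentication an {@link OAuth2TokenExchangeAuthenticationToken}
     * @return an {@link OAuth2AccessTokenAuthenticationToken} carrying the issued access token and
     *         the {@code issued_token_type} additional parameter
     * @throws OAuth2AuthenticationException with {@code unauthorized_client} if the client is not
     *         registered for this grant, {@code invalid_request} for a token-type mismatch,
     *         {@code invalid_grant} for an unknown, inactive or unbound subject/actor token,
     *         {@code invalid_scope} for an unregistered scope, and {@code server_error} if the
     *         generator produced no token
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2TokenExchangeAuthenticationToken tokenExchangeAuthentication = (OAuth2TokenExchangeAuthenticationToken) authentication;
        OAuth2ClientAuthenticationToken clientPrincipal = OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient(tokenExchangeAuthentication);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
        trace("Retrieved registered client");

        if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.TOKEN_EXCHANGE)) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
        }
        // A JWT can only be issued when the client's access tokens are self-contained.
        if (JWT_TOKEN_TYPE_VALUE.equals(tokenExchangeAuthentication.getRequestedTokenType())
                && !OAuth2TokenFormat.SELF_CONTAINED.equals(registeredClient.getTokenSettings().getAccessTokenFormat())) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
        }

        // Subject token: must be a known, active access token bound to a principal.
        String subjectTokenValue = tokenExchangeAuthentication.getSubjectToken();
        OAuth2Authorization subjectAuthorization = findAuthorizationElseThrow(subjectTokenValue, "Retrieved authorization with subject token");
        OAuth2Authorization.Token<OAuth2Token> subjectToken = subjectAuthorization.getToken(subjectTokenValue);
        validateActiveAndOfType(subjectToken, tokenExchangeAuthentication.getSubjectTokenType());
        if (subjectAuthorization.getAttribute(Principal.class.getName()) == null) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
        }

        Map<String, Object> mayActClaim = getMayActClaim(subjectToken);

        // Actor token (optional): validated like the subject token, then bound to may_act if present.
        OAuth2Authorization actorAuthorization = null;
        String actorTokenValue = tokenExchangeAuthentication.getActorToken();
        if (StringUtils.hasText(actorTokenValue)) {
            actorAuthorization = findAuthorizationElseThrow(actorTokenValue, "Retrieved authorization with actor token");
            OAuth2Authorization.Token<OAuth2Token> actorToken = actorAuthorization.getToken(actorTokenValue);
            validateActiveAndOfType(actorToken, tokenExchangeAuthentication.getActorTokenType());
            if (mayActClaim != null) {
                validateClaims(mayActClaim, actorToken.getClaims(), "iss", "sub");
            }
        } else if (mayActClaim != null) {
            // The subject token restricts who may act on its behalf, but no actor was presented.
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
        }

        Set<String> authorizedScopes = resolveAuthorizedScopes(registeredClient,
                tokenExchangeAuthentication.getScopes(), subjectAuthorization.getAuthorizedScopes());
        trace("Validated token request parameters");

        Authentication principal = getPrincipal(subjectAuthorization, actorAuthorization);
        DefaultOAuth2TokenContext tokenContext = DefaultOAuth2TokenContext.builder()
                .registeredClient(registeredClient)
                .authorization(subjectAuthorization)
                .principal(principal)
                .authorizationServerContext(AuthorizationServerContextHolder.getContext())
                .authorizedScopes(authorizedScopes)
                .tokenType(OAuth2TokenType.ACCESS_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.TOKEN_EXCHANGE)
                .authorizationGrant(tokenExchangeAuthentication)
                .build();
        OAuth2Token generatedAccessToken = this.tokenGenerator.generate(tokenContext);
        if (generatedAccessToken == null) {
            throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.SERVER_ERROR,
                    "The token generator failed to generate the access token.", ERROR_URI));
        }
        trace("Generated access token");

        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
                .principalName(subjectAuthorization.getPrincipalName())
                .authorizationGrantType(AuthorizationGrantType.TOKEN_EXCHANGE)
                .authorizedScopes(authorizedScopes)
                .attribute(Principal.class.getName(), principal);
        OAuth2AccessToken accessToken = OAuth2AuthenticationProviderUtils.accessToken(authorizationBuilder, generatedAccessToken, tokenContext);
        this.authorizationService.save(authorizationBuilder.build());
        trace("Saved authorization");

        Map<String, Object> additionalParameters = new HashMap<>();
        additionalParameters.put(OAuth2ParameterNames.ISSUED_TOKEN_TYPE, tokenExchangeAuthentication.getRequestedTokenType());
        trace("Authenticated token request");
        // No refresh token is issued for the token-exchange grant.
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, null, additionalParameters);
    }

    /** Logs {@code message} at TRACE level when that level is enabled. */
    private void trace(String message) {
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(message);
        }
    }

    /**
     * Looks up the authorization holding {@code tokenValue} as an access token.
     *
     * @throws OAuth2AuthenticationException with {@code invalid_grant} if no authorization is found
     */
    private OAuth2Authorization findAuthorizationElseThrow(String tokenValue, String traceMessage) {
        OAuth2Authorization authorization = this.authorizationService.findByToken(tokenValue, OAuth2TokenType.ACCESS_TOKEN);
        if (authorization == null) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
        }
        trace(traceMessage);
        return authorization;
    }

    /**
     * Rejects a token that is not active ({@code invalid_grant}) or whose declared token type does
     * not match what is stored ({@code invalid_request}).
     */
    private static void validateActiveAndOfType(OAuth2Authorization.Token<OAuth2Token> token, String declaredTokenType) {
        if (!token.isActive()) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
        }
        if (!isValidTokenType(declaredTokenType, token)) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
        }
    }

    /**
     * Returns the {@code may_act} claim of {@code token} when present and shaped as a JSON object,
     * otherwise {@code null}.
     */
    private static Map<String, Object> getMayActClaim(OAuth2Authorization.Token<OAuth2Token> token) {
        Map<String, Object> claims = token.getClaims();
        if (claims == null || !claims.containsKey(MAY_ACT)) {
            return null;
        }
        Object mayAct = claims.get(MAY_ACT);
        if (!(mayAct instanceof Map)) {
            return null;
        }
        // Unchecked by necessity: the nested map's type arguments are erased; values are only
        // read back through Map.get(String) and compared with Objects.equals.
        @SuppressWarnings("unchecked")
        Map<String, Object> mayActClaim = (Map<String, Object>) mayAct;
        return mayActClaim;
    }

    /**
     * Picks the scopes for the new token: the explicitly requested scopes, else the scopes already
     * granted to the subject authorization, else none. Whichever set is used must be registered
     * for the client.
     */
    private static Set<String> resolveAuthorizedScopes(RegisteredClient registeredClient, Set<String> requestedScopes, Set<String> subjectAuthorizedScopes) {
        if (!CollectionUtils.isEmpty(requestedScopes)) {
            return validateRequestedScopes(registeredClient, requestedScopes);
        }
        if (!CollectionUtils.isEmpty(subjectAuthorizedScopes)) {
            return validateRequestedScopes(registeredClient, subjectAuthorizedScopes);
        }
        return Collections.emptySet();
    }

    /**
     * Returns whether {@code declaredTokenType} is acceptable for {@code token}: the generic
     * access-token type always is; the JWT type only when the stored token format is self-contained.
     */
    private static boolean isValidTokenType(String declaredTokenType, OAuth2Authorization.Token<OAuth2Token> token) {
        if (ACCESS_TOKEN_TYPE_VALUE.equals(declaredTokenType)) {
            return true;
        }
        if (!JWT_TOKEN_TYPE_VALUE.equals(declaredTokenType)) {
            return false;
        }
        String storedFormat = token.getMetadata(OAuth2TokenFormat.class.getName());
        return OAuth2TokenFormat.SELF_CONTAINED.getValue().equals(storedFormat);
    }

    /**
     * Ensures every requested scope is registered for the client.
     *
     * @return a copy of {@code requestedScopes} preserving iteration order
     * @throws OAuth2AuthenticationException with {@code invalid_scope} on the first unregistered scope
     */
    private static Set<String> validateRequestedScopes(RegisteredClient registeredClient, Set<String> requestedScopes) {
        Set<String> clientScopes = registeredClient.getScopes();
        for (String scope : requestedScopes) {
            if (!clientScopes.contains(scope)) {
                throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_SCOPE);
            }
        }
        return new LinkedHashSet<>(requestedScopes);
    }

    /**
     * Requires {@code expectedClaims} and {@code actualClaims} to agree on each of {@code claimNames}.
     * Note that a claim absent from both maps compares equal ({@code Objects.equals(null, null)}).
     *
     * @throws OAuth2AuthenticationException with {@code invalid_grant} if {@code actualClaims} is
     *         {@code null} or any named claim differs
     */
    private static void validateClaims(Map<String, Object> expectedClaims, Map<String, Object> actualClaims, String... claimNames) {
        if (actualClaims == null) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
        }
        for (String claimName : claimNames) {
            if (!Objects.equals(expectedClaims.get(claimName), actualClaims.get(claimName))) {
                throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
            }
        }
    }

    /**
     * Builds the principal for the new authorization. Without an actor the subject authorization's
     * principal is returned (unwrapped if it is already a composite). With an actor, a composite is
     * returned whose actor list starts with the new actor followed by any actors already recorded
     * on the subject principal.
     */
    private static Authentication getPrincipal(OAuth2Authorization subjectAuthorization, OAuth2Authorization actorAuthorization) {
        Authentication subject = subjectAuthorization.getAttribute(Principal.class.getName());
        if (actorAuthorization == null) {
            if (subject instanceof OAuth2TokenExchangeCompositeAuthenticationToken) {
                return ((OAuth2TokenExchangeCompositeAuthenticationToken) subject).getSubject();
            }
            return subject;
        }
        List<OAuth2TokenExchangeActor> actors = new ArrayList<>();
        actors.add(new OAuth2TokenExchangeActor(actorAuthorization.getAccessToken().getClaims()));
        if (subject instanceof OAuth2TokenExchangeCompositeAuthenticationToken) {
            OAuth2TokenExchangeCompositeAuthenticationToken composite = (OAuth2TokenExchangeCompositeAuthenticationToken) subject;
            subject = composite.getSubject();
            actors.addAll(composite.getActors());
        }
        return new OAuth2TokenExchangeCompositeAuthenticationToken(subject, actors);
    }

    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2TokenExchangeAuthenticationToken.class.isAssignableFrom(cls);
    }
}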
