package com.fuhouyu.framework.security.core.provider.oidc;

import com.fuhouyu.framework.common.utils.LoggerUtil;
import com.fuhouyu.framework.security.core.ExtensionUserDetailsService;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:com/fuhouyu/framework/security/core/provider/oidc/OidcAuthenticationProvider.class */
public class OidcAuthenticationProvider implements AuthenticationProvider {
    public static final String ACCOUNT_TYPE = "OIDC";
    private static final String INVALID_TOKEN_RESPONSE_ERROR_CODE = "invalid_token_response";
    private static final String INVALID_ID_TOKEN_ERROR_CODE = "invalid_id_token";
    private static final String INVALID_NONCE_ERROR_CODE = "invalid_nonce";
    private final ExtensionUserDetailsService userDetailsService;
    private final OAuth2UserService<OAuth2UserRequest, OAuth2User> userService;
    private final ClientRegistrationRepository clientRegistrationRepository;
    private final RestOperations restOperations;

    @Generated
    private static final Logger log = LoggerFactory.getLogger(OidcAuthenticationProvider.class);
    private static final MediaType APPLICATION_FORM_URLENCODED_UTF8 = new MediaType(MediaType.APPLICATION_FORM_URLENCODED, StandardCharsets.UTF_8);
    private final GrantedAuthoritiesMapper authoritiesMapper = collection -> {
        return collection;
    };
    private final JwtDecoderFactory<ClientRegistration> jwtDecoderFactory = new OidcIdTokenDecoderFactory();

    public OidcAuthenticationProvider(OAuth2UserService<OAuth2UserRequest, OAuth2User> oAuth2UserService, ExtensionUserDetailsService extensionUserDetailsService, ClientRegistrationRepository clientRegistrationRepository) {
        this.userService = oAuth2UserService;
        this.userDetailsService = extensionUserDetailsService;
        this.clientRegistrationRepository = clientRegistrationRepository;
        RestTemplate restTemplate = new RestTemplate(Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));
        restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
        this.restOperations = restTemplate;
    }

    static String createHash(String str) throws NoSuchAlgorithmException {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(MessageDigest.getInstance("SHA-256").digest(str.getBytes(StandardCharsets.US_ASCII)));
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OidcAuthenticationToken oidcAuthenticationToken = (OidcAuthenticationToken) authentication;
        ClientRegistration findByRegistrationId = this.clientRegistrationRepository.findByRegistrationId(oidcAuthenticationToken.getClientId());
        if (Objects.isNull(findByRegistrationId)) {
            throw new IllegalArgumentException("invalid client id " + oidcAuthenticationToken.getClientId());
        }
        OAuth2AccessTokenResponse response = getResponse(createRequestEntity(findByRegistrationId, oidcAuthenticationToken));
        Map<String, Object> additionalParameters = getAdditionalParameters(response, findByRegistrationId);
        OidcIdToken createOidcToken = createOidcToken(findByRegistrationId, response);
        validateNonce(oidcAuthenticationToken.getNonce(), createOidcToken);
        OAuth2User loadUser = this.userService.loadUser(new OidcUserRequest(findByRegistrationId, response.getAccessToken(), createOidcToken, additionalParameters));
        UserDetails loadUserByUsername = this.userDetailsService.loadUserByUsername(loadUser.getName(), ACCOUNT_TYPE);
        OidcAuthenticationToken oidcAuthenticationToken2 = new OidcAuthenticationToken(oidcAuthenticationToken.getCode(), oidcAuthenticationToken.getState(), findByRegistrationId.getClientId(), loadUser, this.authoritiesMapper.mapAuthorities(loadUser.getAuthorities()), response.getAccessToken(), response.getRefreshToken());
        oidcAuthenticationToken2.setDetails(loadUserByUsername);
        return oidcAuthenticationToken2;
    }

    private Map<String, Object> getAdditionalParameters(OAuth2AccessTokenResponse oAuth2AccessTokenResponse, ClientRegistration clientRegistration) {
        Map<String, Object> additionalParameters = oAuth2AccessTokenResponse.getAdditionalParameters();
        if (additionalParameters.containsKey("id_token")) {
            return additionalParameters;
        }
        OAuth2Error oAuth2Error = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE, "Missing (required) ID Token in Token Response for Client Registration: " + clientRegistration.getRegistrationId(), (String) null);
        throw new OAuth2AuthenticationException(oAuth2Error, oAuth2Error.toString());
    }

    private OidcIdToken createOidcToken(ClientRegistration clientRegistration, OAuth2AccessTokenResponse oAuth2AccessTokenResponse) {
        Jwt jwt = getJwt(oAuth2AccessTokenResponse, this.jwtDecoderFactory.createDecoder(clientRegistration));
        return new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());
    }

    private Jwt getJwt(OAuth2AccessTokenResponse oAuth2AccessTokenResponse, JwtDecoder jwtDecoder) {
        try {
            return jwtDecoder.decode((String) oAuth2AccessTokenResponse.getAdditionalParameters().get("id_token"));
        } catch (JwtException e) {
            OAuth2Error oAuth2Error = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE, e.getMessage(), (String) null);
            throw new OAuth2AuthenticationException(oAuth2Error, oAuth2Error.toString(), e);
        }
    }

    private void validateNonce(String str, OidcIdToken oidcIdToken) {
        if (str == null) {
            return;
        }
        String nonceHash = getNonceHash(str);
        String nonce = oidcIdToken.getNonce();
        if (nonce == null || !nonce.equals(nonceHash)) {
            OAuth2Error oAuth2Error = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
            throw new OAuth2AuthenticationException(oAuth2Error, oAuth2Error.toString());
        }
    }

    private String getNonceHash(String str) {
        try {
            return createHash(str);
        } catch (NoSuchAlgorithmException e) {
            OAuth2Error oAuth2Error = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
            throw new OAuth2AuthenticationException(oAuth2Error, oAuth2Error.toString());
        }
    }

    private OAuth2AccessTokenResponse getResponse(RequestEntity<?> requestEntity) {
        try {
            ResponseEntity exchange = this.restOperations.exchange(requestEntity, OAuth2AccessTokenResponse.class);
            Assert.notNull(exchange, "The authorization server responded to this Authorization Code grant request with an empty body; as such, it cannot be materialized into an OAuth2AccessTokenResponse instance. Please check the HTTP response code in your server logs for more details.");
            OAuth2AccessTokenResponse oAuth2AccessTokenResponse = (OAuth2AccessTokenResponse) exchange.getBody();
            Assert.notNull(oAuth2AccessTokenResponse, "Response Body is null");
            return oAuth2AccessTokenResponse;
        } catch (OAuth2AuthorizationException e) {
            LoggerUtil.error(log, "第三方平台使用失败，entity:{} , 失败原因:{}", new Object[]{requestEntity, e.getError()});
            throw new IllegalArgumentException("第三方平台登录失败");
        } catch (RestClientException e2) {
            throw new OAuth2AuthorizationException(new OAuth2Error(INVALID_TOKEN_RESPONSE_ERROR_CODE, "An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: " + e2.getMessage(), (String) null), e2);
        }
    }

    private RequestEntity<?> createRequestEntity(ClientRegistration clientRegistration, OidcAuthenticationToken oidcAuthenticationToken) {
        return new RequestEntity<>(createParameters(clientRegistration, oidcAuthenticationToken), createHttpHeaders(clientRegistration), HttpMethod.POST, UriComponentsBuilder.fromUriString(clientRegistration.getProviderDetails().getTokenUri()).build().toUri());
    }

    private HttpHeaders createHttpHeaders(ClientRegistration clientRegistration) {
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.setAccept(List.of(MediaType.APPLICATION_JSON));
        httpHeaders.setContentType(APPLICATION_FORM_URLENCODED_UTF8);
        if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
            httpHeaders.setBasicAuth(URLEncoder.encode(clientRegistration.getClientId(), StandardCharsets.UTF_8), URLEncoder.encode(clientRegistration.getClientSecret(), StandardCharsets.UTF_8));
        }
        return httpHeaders;
    }

    private MultiValueMap<String, String> createParameters(ClientRegistration clientRegistration, OidcAuthenticationToken oidcAuthenticationToken) {
        LinkedMultiValueMap linkedMultiValueMap = new LinkedMultiValueMap();
        linkedMultiValueMap.set("grant_type", AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
        linkedMultiValueMap.set("code", oidcAuthenticationToken.getCode());
        if (!ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
            linkedMultiValueMap.set("client_id", clientRegistration.getClientId());
        }
        if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())) {
            linkedMultiValueMap.set("client_secret", clientRegistration.getClientSecret());
        }
        String redirectUri = clientRegistration.getRedirectUri();
        if (redirectUri != null) {
            linkedMultiValueMap.add("redirect_uri", redirectUri);
        }
        return linkedMultiValueMap;
    }

    public boolean supports(Class<?> cls) {
        return OidcAuthenticationToken.class.isAssignableFrom(cls);
    }
}
