package org.springframework.security.oauth2.server.authorization.authentication;

import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken2;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.oauth2.server.authorization.config.TokenSettings;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/OAuth2RefreshTokenAuthenticationProvider.class */
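/**
 * {@link AuthenticationProvider} for the OAuth 2.0 Refresh Token Grant.
 *
 * <p>Given an {@link OAuth2RefreshTokenAuthenticationToken} from an already
 * authenticated client, it looks up the stored {@link OAuth2Authorization} for the
 * presented refresh token, checks that the token belongs to that client, is still
 * active and that any requested scopes were originally granted, then issues a new
 * JWT access token (and, when {@code openid} was granted, an ID token), optionally
 * rotates the refresh token and persists the updated authorization.
 *
 * <p>Note: this listing is decompiler output (see the JADX markers); error codes are
 * inlined as string literals and some local names were regenerated.
 */
public class OAuth2RefreshTokenAuthenticationProvider implements AuthenticationProvider {
    private static final OAuth2TokenType ID_TOKEN_TOKEN_TYPE = new OAuth2TokenType("id_token");
    // New refresh token values: 96 random bytes, URL-safe Base64 without padding.
    private static final StringKeyGenerator TOKEN_GENERATOR =
            new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
    private final OAuth2AuthorizationService authorizationService;
    private final JwtEncoder jwtEncoder;
    // No-op by default; replaced via setJwtCustomizer().
    private OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer = context -> {
    };
    // Optional (see setProviderSettings); only used to derive the issuer claim.
    private ProviderSettings providerSettings;

    /**
     * Creates a provider backed by the given authorization store and JWT encoder.
     *
     * @param oAuth2AuthorizationService the store used to find and save authorizations
     * @param jwtEncoder the encoder used to sign access and ID tokens
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public OAuth2RefreshTokenAuthenticationProvider(OAuth2AuthorizationService oAuth2AuthorizationService, JwtEncoder jwtEncoder) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(jwtEncoder, "jwtEncoder cannot be null");
        this.authorizationService = oAuth2AuthorizationService;
        this.jwtEncoder = jwtEncoder;
    }

    /**
     * Sets the customizer applied to every {@link JwtEncodingContext} (access and ID
     * token) before it is encoded.
     *
     * @param oAuth2TokenCustomizer the customizer, never {@code null}
     * @throws IllegalArgumentException if the customizer is {@code null}
     */
    public final void setJwtCustomizer(OAuth2TokenCustomizer<JwtEncodingContext> oAuth2TokenCustomizer) {
        Assert.notNull(oAuth2TokenCustomizer, "jwtCustomizer cannot be null");
        this.jwtCustomizer = oAuth2TokenCustomizer;
    }

    /**
     * Injects the provider settings, if a bean is available. When absent the issuer
     * passed to the claim builders is {@code null}.
     *
     * @param providerSettings the provider settings, may be {@code null}
     */
    @Autowired(required = false)
    protected void setProviderSettings(ProviderSettings providerSettings) {
        this.providerSettings = providerSettings;
    }

    /**
     * Validates the refresh token grant and issues new tokens.
     *
     * @param authentication an {@link OAuth2RefreshTokenAuthenticationToken}
     * @return an {@link OAuth2AccessTokenAuthenticationToken} carrying the new access
     *         token, the (possibly rotated) refresh token and, when issued, the ID token
     *         under the {@code id_token} additional parameter
     * @throws OAuth2AuthenticationException with {@code invalid_grant} if the refresh token
     *         is unknown, inactive, or its stored authorization has no authorized-scope
     *         attribute; {@code invalid_client} if it belongs to another client;
     *         {@code unauthorized_client} if the client may not use this grant;
     *         {@code invalid_scope} if a requested scope was not originally granted
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2RefreshTokenAuthenticationToken refreshTokenAuthentication =
                (OAuth2RefreshTokenAuthenticationToken) authentication;

        // The client must already be authenticated; the helper rejects it otherwise.
        OAuth2ClientAuthenticationToken clientPrincipal =
                OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient(refreshTokenAuthentication);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();

        OAuth2Authorization authorization = this.authorizationService.findByToken(
                refreshTokenAuthentication.getRefreshToken(), OAuth2TokenType.REFRESH_TOKEN);
        if (authorization == null) {
            throw error("invalid_grant");
        }
        // The presented refresh token must have been issued to the authenticated client.
        if (!registeredClient.getId().equals(authorization.getRegisteredClientId())) {
            throw error("invalid_client");
        }
        if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
            throw error("unauthorized_client");
        }
        OAuth2Authorization.Token<OAuth2RefreshToken> refreshToken = authorization.getRefreshToken();
        if (!refreshToken.isActive()) {
            // Expired or invalidated tokens are rejected with the same code as unknown ones.
            throw error("invalid_grant");
        }

        Set<String> authorizedScopes = authorization.getAttribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME);
        if (authorizedScopes == null) {
            // Defensive: a stored authorization without the granted-scope attribute cannot
            // be used to bound the requested scopes, so reject rather than fail with an NPE.
            throw error("invalid_grant");
        }
        Set<String> scopes = resolveScopes(refreshTokenAuthentication.getScopes(), authorizedScopes);

        String issuer = this.providerSettings != null ? this.providerSettings.issuer() : null;
        Authentication principal = authorization.getAttribute(Principal.class.getName());

        JwtEncodingContext accessTokenContext = JwtEncodingContext.with(JwtUtils.headers(),
                        JwtUtils.accessTokenClaims(registeredClient, issuer, authorization.getPrincipalName(), scopes))
                .registeredClient(registeredClient)
                .principal(principal)
                .authorization(authorization)
                .authorizedScopes(authorizedScopes)
                .tokenType(OAuth2TokenType.ACCESS_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .authorizationGrant(refreshTokenAuthentication)
                .build();
        Jwt jwtAccessToken = customizeAndEncode(accessTokenContext);
        OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
                jwtAccessToken.getTokenValue(), jwtAccessToken.getIssuedAt(), jwtAccessToken.getExpiresAt(), scopes);

        // Refresh token rotation: unless the client is configured to reuse refresh tokens,
        // a fresh one replaces the presented token in the saved authorization below.
        TokenSettings tokenSettings = registeredClient.getTokenSettings();
        OAuth2RefreshToken currentRefreshToken = refreshToken.getToken();
        if (!tokenSettings.reuseRefreshTokens()) {
            currentRefreshToken = generateRefreshToken(tokenSettings.refreshTokenTimeToLive());
        }

        // An ID token is issued only when "openid" was among the originally granted scopes.
        OidcIdToken idToken = authorizedScopes.contains("openid")
                ? generateIdToken(registeredClient, issuer, principal, authorization, authorizedScopes, refreshTokenAuthentication)
                : null;

        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization)
                .token(accessToken, metadata ->
                        metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, jwtAccessToken.getClaims()))
                .refreshToken(currentRefreshToken);
        if (idToken != null) {
            authorizationBuilder.token(idToken, metadata ->
                    metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
        }
        this.authorizationService.save(authorizationBuilder.build());

        Map<String, Object> additionalParameters = Collections.emptyMap();
        if (idToken != null) {
            additionalParameters = new HashMap<>();
            additionalParameters.put("id_token", idToken.getTokenValue());
        }
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken,
                currentRefreshToken, additionalParameters);
    }

    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2RefreshTokenAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Creates a new opaque refresh token valid from now for the given duration.
     *
     * <p>JADX reports this was package-private in the compiled class; it is kept
     * {@code public} here so existing callers of the decompiled API still compile.
     *
     * @param duration the time-to-live of the new token
     * @return a refresh token with a freshly generated random value
     */
    public static OAuth2RefreshToken generateRefreshToken(Duration duration) {
        Instant issuedAt = Instant.now();
        return new OAuth2RefreshToken2(TOKEN_GENERATOR.generateKey(), issuedAt, issuedAt.plus(duration));
    }

    /**
     * Bounds the requested scopes by the originally granted ones.
     *
     * @param requestedScopes scopes named in the refresh request (may be empty)
     * @param authorizedScopes scopes originally granted by the resource owner
     * @return the requested scopes, or the authorized scopes when none were requested
     * @throws OAuth2AuthenticationException {@code invalid_scope} if any requested scope
     *         is not among the authorized ones
     */
    private static Set<String> resolveScopes(Set<String> requestedScopes, Set<String> authorizedScopes) {
        if (!authorizedScopes.containsAll(requestedScopes)) {
            throw error("invalid_scope");
        }
        // An omitted scope parameter means "everything originally granted".
        return requestedScopes.isEmpty() ? authorizedScopes : requestedScopes;
    }

    /** Runs the configured customizer over the context, then signs it. */
    private Jwt customizeAndEncode(JwtEncodingContext context) {
        this.jwtCustomizer.customize(context);
        return this.jwtEncoder.encode(context.getHeaders().build(), context.getClaims().build());
    }

    /** Builds, customizes and signs the ID token for a refresh-token grant. */
    private OidcIdToken generateIdToken(RegisteredClient registeredClient, String issuer, Authentication principal,
            OAuth2Authorization authorization, Set<String> authorizedScopes,
            OAuth2RefreshTokenAuthenticationToken refreshTokenAuthentication) {
        // The last argument to idTokenClaims is null here: there is no authorization
        // request (and so no nonce) to bind this ID token to.
        JwtEncodingContext idTokenContext = JwtEncodingContext.with(JwtUtils.headers(),
                        JwtUtils.idTokenClaims(registeredClient, issuer, authorization.getPrincipalName(), null))
                .registeredClient(registeredClient)
                .principal(principal)
                .authorization(authorization)
                .authorizedScopes(authorizedScopes)
                .tokenType(ID_TOKEN_TOKEN_TYPE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .authorizationGrant(refreshTokenAuthentication)
                .build();
        Jwt jwtIdToken = customizeAndEncode(idTokenContext);
        return new OidcIdToken(jwtIdToken.getTokenValue(), jwtIdToken.getIssuedAt(), jwtIdToken.getExpiresAt(),
                jwtIdToken.getClaims());
    }

    /** Wraps an OAuth 2.0 error code in the exception type this provider reports. */
    private static OAuth2AuthenticationException error(String errorCode) {
        return new OAuth2AuthenticationException(new OAuth2Error(errorCode));
    }
}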
