package cn.wic4j.seurity.authorization.provider;

import cn.wi4j.security.core.code.SecurityCode;
import cn.wic4j.seurity.authorization.exception.Wic4jOauth2AuthenticationException;
import java.security.Principal;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Map;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.ObjectUtils;

/* loaded from: input_file:cn/wic4j/seurity/authorization/provider/AbstractWic4jAuthenticationProvider.class */
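/**
 * Template for custom OAuth2 grant handlers that issue a bearer access token (and, for
 * confidential clients allowed the refresh grant, a refresh token) after an extension-specific
 * credential check.
 *
 * <p>{@link #authenticate(Authentication)} drives the flow: it requires an already authenticated
 * client, verifies the client is registered for {@link #getAuthorizationGrantType()}, delegates
 * the credential check to the subclass, then generates, stores and returns the tokens.
 */
public abstract class AbstractWic4jAuthenticationProvider implements AuthenticationProvider {
    private static final Logger log;
    /** Store for issued authorizations; may be {@code null}, in which case nothing is persisted. */
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;
    // Decompiler artifact of an `assert` in the original source. It is no longer consulted: the
    // null-client check in authenticate() is now unconditional. Kept so the class's members are
    // unchanged.
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * @param oAuth2AuthorizationService store for issued authorizations; {@code null} is accepted
     *        and disables persistence
     * @param oAuth2TokenGenerator generator used for both the access and the refresh token; must
     *        not be {@code null}
     */
    public AbstractWic4jAuthenticationProvider(OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator) {
        Assert.notNull(oAuth2TokenGenerator, "tokenGenerator not null");
        this.authorizationService = oAuth2AuthorizationService;
        this.tokenGenerator = oAuth2TokenGenerator;
    }

    /** Returns the grant type this provider serves; the client must be registered for it. */
    public abstract AuthorizationGrantType getAuthorizationGrantType();

    /**
     * Grant-specific validation of the client against the request. Called after the grant-type
     * check and before {@link #doAuthenticate}; implementations reject by throwing.
     */
    public abstract void checkedClient(RegisteredClient registeredClient, AbstractAuthenticationToken abstractAuthenticationToken);

    /**
     * Verifies the credentials carried by the request token.
     *
     * @return the authenticated principal; {@code null} is treated as an authentication failure
     */
    public abstract Authentication doAuthenticate(AbstractAuthenticationToken abstractAuthenticationToken);

    /**
     * Builds the context handed to the token generator. Note that it receives the original
     * request token, not the principal returned by {@link #doAuthenticate}.
     */
    public abstract OAuth2TokenContext getOauth2TokenContext(RegisteredClient registeredClient, Authentication authentication);

    /**
     * Runs the grant: client check, credential check, token generation, persistence.
     *
     * @param authentication the grant request; its principal must be an authenticated
     *        {@link OAuth2ClientAuthenticationToken}
     * @return an {@link OAuth2AccessTokenAuthenticationToken} carrying the access token, the
     *         optional refresh token, and the access token's claims as additional parameters
     * @throws Wic4jOauth2AuthenticationException if the client is missing, unauthenticated or not
     *         registered for the grant type, if the credential check fails, or if a token cannot
     *         be generated
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // supports() is left to subclasses; this cast relies on it admitting only
        // AbstractAuthenticationToken subtypes.
        AbstractAuthenticationToken grantRequest = (AbstractAuthenticationToken) authentication;
        OAuth2ClientAuthenticationToken clientPrincipal = getAuthenticatedClientElseThrowInvalidClient(authentication);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
        // Fail closed with CLIENT_INVALID. Previously a missing client was only caught by an
        // `assert`, so with assertions disabled it surfaced as a NullPointerException.
        if (registeredClient == null || ObjectUtils.isEmpty(registeredClient.getAuthorizationGrantTypes())) {
            log.error("认证失败,客户端信息");
            throw new Wic4jOauth2AuthenticationException(SecurityCode.CLIENT_INVALID);
        }
        AuthorizationGrantType authorizationGrantType = getAuthorizationGrantType();
        if (null == authorizationGrantType || !registeredClient.getAuthorizationGrantTypes().contains(authorizationGrantType)) {
            throw new Wic4jOauth2AuthenticationException(SecurityCode.GRANT_TYPE_ERROR);
        }
        checkedClient(registeredClient, grantRequest);
        Authentication authenticatedPrincipal = doAuthenticate(grantRequest);
        if (null == authenticatedPrincipal) {
            throw new Wic4jOauth2AuthenticationException(SecurityCode.AUTHENTICATION_FAIL);
        }

        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient).principalName(authenticatedPrincipal.getName());
        OAuth2TokenContext tokenContext = getOauth2TokenContext(registeredClient, authentication);
        OAuth2Token generatedAccessToken = this.tokenGenerator.generate(tokenContext);
        if (generatedAccessToken == null) {
            throw new Wic4jOauth2AuthenticationException(SecurityCode.GENERATOR_ACCESS_TOKEN_ERROR);
        }
        OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, generatedAccessToken.getTokenValue(), generatedAccessToken.getIssuedAt(), generatedAccessToken.getExpiresAt(), tokenContext.getAuthorizedScopes());
        // NOTE(review): the authorization id is the bearer token value itself, so the secret also
        // lives wherever the store keeps or logs ids — confirm this is intended.
        authorizationBuilder.id(accessToken.getTokenValue());
        if (generatedAccessToken instanceof ClaimAccessor) {
            // Claim-bearing token: keep the claims as token metadata and remember the principal.
            authorizationBuilder.token(accessToken, metadata -> {
                metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, ((ClaimAccessor) generatedAccessToken).getClaims());
            }).attribute(Principal.class.getName(), authenticatedPrincipal);
        } else {
            // NOTE(review): the principal attribute is not stored on this path — confirm whether
            // later lookups of the authorization need it.
            authorizationBuilder.accessToken(accessToken);
        }

        OAuth2RefreshToken refreshToken = null;
        // Refresh tokens only go to clients that may use the refresh grant and that authenticated
        // with a real credential (not ClientAuthenticationMethod.NONE).
        if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN) && !Objects.equals(ClientAuthenticationMethod.NONE, clientPrincipal.getClientAuthenticationMethod())) {
            Instant issuedAt = Instant.now();
            TemporalAmount refreshTokenTtl = tokenContext.getRegisteredClient().getTokenSettings().getRefreshTokenTimeToLive();
            Instant expiresAt = issuedAt.plus(refreshTokenTtl);
            // NOTE(review): the refresh token value comes from the same context that produced
            // the access token. If that context's token type is ACCESS_TOKEN, this value is a
            // second access token stored with the refresh-token lifetime; verify that the
            // subclass context and the generator yield a dedicated refresh token value.
            OAuth2Token generatedRefreshToken = this.tokenGenerator.generate(tokenContext);
            if (generatedRefreshToken == null) {
                throw new Wic4jOauth2AuthenticationException(SecurityCode.GENERATOR_REFRESH_TOKEN_ERROR);
            }
            refreshToken = new OAuth2RefreshToken(generatedRefreshToken.getTokenValue(), issuedAt, expiresAt);
            authorizationBuilder.refreshToken(refreshToken);
        }

        authorizationBuilder.authorizationGrantType(authorizationGrantType);
        OAuth2Authorization authorization = authorizationBuilder.build();
        if (null != this.authorizationService) {
            this.authorizationService.save(authorization);
        }
        // Tokens without claims (the non-ClaimAccessor path) carry no claims metadata. Fall back
        // to an empty map rather than throwing a NullPointerException after the authorization has
        // already been saved.
        // NOTE(review): these claims travel as "additional parameters" of the result — confirm
        // that exposing them alongside the token is intended.
        Map<String, Object> claims = authorization.getAccessToken().getClaims();
        Map<String, Object> additionalParameters = claims != null ? claims : java.util.Collections.<String, Object>emptyMap();
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken, additionalParameters);
    }

    /**
     * Extracts the client from the request's principal and requires it to be authenticated.
     *
     * @throws Wic4jOauth2AuthenticationException with {@code CLIENT_INVALID} when the request or
     *         its principal is missing, is not a client token, or is not authenticated
     */
    private OAuth2ClientAuthenticationToken getAuthenticatedClientElseThrowInvalidClient(Authentication authentication) {
        // instanceof is null-safe, so a missing request or principal ends in CLIENT_INVALID
        // instead of a NullPointerException.
        Object principal = authentication == null ? null : authentication.getPrincipal();
        if (principal instanceof OAuth2ClientAuthenticationToken) {
            OAuth2ClientAuthenticationToken clientPrincipal = (OAuth2ClientAuthenticationToken) principal;
            if (clientPrincipal.isAuthenticated()) {
                return clientPrincipal;
            }
        }
        log.error("获取客户端信息为空,认证失败");
        throw new Wic4jOauth2AuthenticationException(SecurityCode.CLIENT_INVALID);
    }

    static {
        $assertionsDisabled = !AbstractWic4jAuthenticationProvider.class.desiredAssertionStatus();
        log = LoggerFactory.getLogger(AbstractWic4jAuthenticationProvider.class);
    }
}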
