package org.minbox.framework.on.security.authorization.server.oauth2.authentication.support;

import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.minbox.framework.on.security.core.authorization.AbstractOnSecurityAuthenticationProvider;
import org.minbox.framework.on.security.core.authorization.data.region.SecurityRegion;
import org.minbox.framework.on.security.core.authorization.data.region.SecurityRegionJdbcRepository;
import org.minbox.framework.on.security.core.authorization.data.region.SecurityRegionRepository;
import org.minbox.framework.on.security.core.authorization.data.user.SecurityUser;
import org.minbox.framework.on.security.core.authorization.data.user.SecurityUserAuthorizeApplicationJdbcRepository;
import org.minbox.framework.on.security.core.authorization.data.user.SecurityUserAuthorizeApplicationRepository;
import org.minbox.framework.on.security.core.authorization.data.user.SecurityUserJdbcRepository;
import org.minbox.framework.on.security.core.authorization.data.user.SecurityUserRepository;
import org.minbox.framework.on.security.core.authorization.exception.OnSecurityError;
import org.minbox.framework.on.security.core.authorization.exception.OnSecurityErrorCodes;
import org.minbox.framework.on.security.core.authorization.exception.OnSecurityOAuth2AuthenticationException;
import org.minbox.framework.on.security.core.authorization.util.OnSecurityThrowErrorUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.jdbc.core.JdbcOperations;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.ObjectUtils;

/* loaded from: input_file:org/minbox/framework/on/security/authorization/server/oauth2/authentication/support/OnSecurityOAuth2UsernamePasswordAuthenticationProvider.class */
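/**
 * Authentication provider for the OAuth2 "password" grant backed by the on-security user,
 * application-authorization and region tables.
 *
 * <p>Flow (all failures surface as {@link OnSecurityOAuth2AuthenticationException}): the
 * registered client must list the password grant; the user must exist, be enabled and not
 * deleted; the user must have authorized the requesting application; the user's region must
 * be enabled and not deleted; the supplied password must match via the configured
 * {@link PasswordEncoder}. On success an access token, optionally a refresh token (client
 * supports the refresh_token grant and is not a public client) and optionally an ID token
 * (client registered with the {@code openid} scope) are generated, persisted through the
 * {@link OAuth2AuthorizationService} and returned as an {@link OAuth2AccessTokenAuthenticationToken}.
 *
 * <p>NOTE(review): the user / application / region checks run before the password check and
 * each raises a distinct error code, so a caller can tell an unknown or disabled username apart
 * from a wrong password. Also, the authorized scopes are the client's full registered scope set,
 * not the subset requested for this grant. Both behaviours are preserved here because callers
 * may depend on the error codes; they are worth revisiting at the API level.
 *
 * <p>This source was recovered from a compiled class (see the "loaded from" marker above);
 * repository element types that are not imported are kept raw.
 */
public class OnSecurityOAuth2UsernamePasswordAuthenticationProvider extends AbstractOnSecurityAuthenticationProvider {
    /** Token type used to ask the generator for an OIDC ID token (not a constant on {@link OAuth2TokenType}). */
    private static final OAuth2TokenType ID_TOKEN_TOKEN_TYPE = new OAuth2TokenType("id_token");
    /** Scope whose presence on the registered client triggers ID token issuance. */
    private static final String OPENID_SCOPE = "openid";
    /** Error URI attached to every internally raised {@link OnSecurityError}. */
    private static final String ERROR_URI = "https://github.com/On-Security/on-security/issues";

    private final Log logger;
    private final SecurityUserRepository userRepository;
    private final SecurityUserAuthorizeApplicationRepository userAuthorizeClientRepository;
    private final SecurityRegionRepository regionRepository;
    private final OAuth2AuthorizationService authorizationService;
    private final UserDetailsService userDetailsService;
    // Not final: replaceable through setPasswordEncoder(...).
    private PasswordEncoder passwordEncoder;

    /**
     * Creates the provider from the shared-object map handed down by the configurer.
     *
     * @param map shared objects; must contain an {@link ApplicationContext} under
     *            {@code ApplicationContext.class}, from which {@link JdbcOperations},
     *            {@link OAuth2AuthorizationService} and {@link UserDetailsService} beans are resolved
     * @throws IllegalArgumentException if no {@link ApplicationContext} is present in {@code map}
     */
    public OnSecurityOAuth2UsernamePasswordAuthenticationProvider(Map<Class<?>, Object> map) {
        super(map);
        this.logger = LogFactory.getLog(getClass());
        ApplicationContext applicationContext = (ApplicationContext) map.get(ApplicationContext.class);
        Assert.notNull(applicationContext, "ApplicationContext must be present in the shared objects");
        JdbcOperations jdbcOperations = applicationContext.getBean(JdbcOperations.class);
        this.authorizationService = applicationContext.getBean(OAuth2AuthorizationService.class);
        this.userDetailsService = applicationContext.getBean(UserDetailsService.class);
        this.userRepository = new SecurityUserJdbcRepository(jdbcOperations);
        this.userAuthorizeClientRepository = new SecurityUserAuthorizeApplicationJdbcRepository(jdbcOperations);
        this.regionRepository = new SecurityRegionJdbcRepository(jdbcOperations);
        // Default encoder understands {id}-prefixed hashes; overridable via setPasswordEncoder.
        this.passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    /**
     * Authenticates a password-grant request and issues the resulting tokens.
     *
     * @param authentication an {@link OnSecurityOAuth2UsernamePasswordAuthenticationToken}
     * @return an authenticated {@link OAuth2AccessTokenAuthenticationToken} carrying the new tokens
     * @throws OnSecurityOAuth2AuthenticationException on any validation failure, token generation
     *         failure, or unexpected error (the latter is logged and reported as
     *         {@code UNKNOWN_EXCEPTION} without leaking the underlying message)
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        @SuppressWarnings("unchecked") // shared object is registered under the raw generator class
        OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator =
                (OAuth2TokenGenerator<? extends OAuth2Token>) getSharedObject(OAuth2TokenGenerator.class);
        OnSecurityOAuth2UsernamePasswordAuthenticationToken passwordAuthentication =
                (OnSecurityOAuth2UsernamePasswordAuthenticationToken) authentication;
        RegisteredClient registeredClient = passwordAuthentication.getRegisteredClient();
        String clientId = registeredClient.getId();
        String username = passwordAuthentication.getUsername();
        try {
            assertPasswordGrantSupported(registeredClient);
            SecurityUser user = findActiveUser(username);
            assertApplicationAuthorized(user, username, clientId);
            assertRegionValid(user);
            assertPasswordMatches(passwordAuthentication.getPassword(), user, username);

            UserDetails userDetails = this.userDetailsService.loadUserByUsername(user.getUsername());
            passwordAuthentication.setUserDetails(userDetails);
            OAuth2ClientAuthenticationToken clientAuthentication = currentClientAuthentication();
            // Two-arg constructor: the stored principal token is deliberately left unauthenticated,
            // as in the original; presumably only its principal is consumed downstream — confirm.
            UsernamePasswordAuthenticationToken principal = new UsernamePasswordAuthenticationToken(userDetails, (Object) null);

            // One context builder is reused for every token type; tokenType(...) is re-set per call.
            DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
                    .registeredClient(registeredClient)
                    .principal(principal)
                    .authorizationServerContext(AuthorizationServerContextHolder.getContext())
                    .authorizationGrant(clientAuthentication)
                    .authorizedScopes(registeredClient.getScopes())
                    .authorizationGrantType(AuthorizationGrantType.PASSWORD);
            OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
                    .id(UUID.randomUUID().toString())
                    .principalName(username)
                    .authorizedScopes(registeredClient.getScopes())
                    .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                    .attribute(Principal.class.getName(), principal);

            OAuth2AccessToken accessToken = generateAccessToken(tokenGenerator, tokenContextBuilder, authorizationBuilder);
            OAuth2RefreshToken refreshToken = null;
            if (refreshTokenAllowed(registeredClient)) {
                refreshToken = generateRefreshToken(tokenGenerator, tokenContextBuilder, authorizationBuilder);
            }
            if (registeredClient.getScopes().contains(OPENID_SCOPE)) {
                generateIdToken(tokenGenerator, tokenContextBuilder, authorizationBuilder);
            }

            this.authorizationService.save(authorizationBuilder.build());
            trace("Saved authorization");
            trace("Authenticated token request");

            OAuth2AccessTokenAuthenticationToken result = new OAuth2AccessTokenAuthenticationToken(
                    registeredClient, passwordAuthentication, accessToken, refreshToken,
                    clientAuthentication.getAdditionalParameters());
            result.setAuthenticated(clientAuthentication.isAuthenticated());
            return result;
        } catch (OnSecurityOAuth2AuthenticationException e) {
            // Specific catch must precede the general one: domain errors pass through unchanged.
            throw e;
        } catch (Exception e) {
            this.logger.error(e.getMessage(), e);
            throw unknownError("Authentication encountered an unknown exception.");
        }
    }

    /** Rejects clients that are not registered for the password grant. */
    private static void assertPasswordGrantSupported(RegisteredClient registeredClient) {
        Set<AuthorizationGrantType> grantTypes = registeredClient.getAuthorizationGrantTypes();
        if (ObjectUtils.isEmpty(grantTypes) || !grantTypes.contains(AuthorizationGrantType.PASSWORD)) {
            OnSecurityThrowErrorUtils.throwError(OnSecurityErrorCodes.UNSUPPORTED_GRANT_TYPE, "grant_type",
                    "Unauthorized grant_type : " + AuthorizationGrantType.PASSWORD.getValue());
        }
    }

    /**
     * Loads the user by name and requires it to be enabled and not deleted.
     * Relies on {@code throwError} raising; if it ever returned normally this would yield {@code null}.
     */
    private SecurityUser findActiveUser(String username) {
        SecurityUser user = this.userRepository.findByUsername(username);
        if (user == null || !user.isEnabled() || user.isDeleted()) {
            OnSecurityThrowErrorUtils.throwError(OnSecurityErrorCodes.INVALID_USER, "username",
                    "Username: " + username + ", no valid user found.");
        }
        return user;
    }

    /** Requires that the user has authorized the requesting application (client id). */
    private void assertApplicationAuthorized(SecurityUser user, String username, String clientId) {
        // Raw List kept: the element type is not imported in this source; elements expose getApplicationId().
        List authorizedApplications = this.userAuthorizeClientRepository.findByUserId(user.getId());
        if (ObjectUtils.isEmpty(authorizedApplications)) {
            OnSecurityThrowErrorUtils.throwError(OnSecurityErrorCodes.UNAUTHORIZED_APPLICATION, "client_id",
                    "Username: " + username + ", did not authorize application: " + clientId + ".");
        }
        Set authorizedApplicationIds = (Set) authorizedApplications.stream()
                .map(authorized -> authorized.getApplicationId())
                .collect(Collectors.toSet());
        if (!authorizedApplicationIds.contains(clientId)) {
            OnSecurityThrowErrorUtils.throwError(OnSecurityErrorCodes.UNAUTHORIZED_APPLICATION, "client_id",
                    "Username: " + username + ", did not authorize application: " + clientId + ".");
        }
    }

    /** Requires the user's region to exist, be enabled and not deleted. */
    private void assertRegionValid(SecurityUser user) {
        SecurityRegion region = this.regionRepository.findById(user.getRegionId());
        if (region == null || !region.isEnabled() || region.isDeleted()) {
            // Message text (including the full-width punctuation) is preserved verbatim.
            OnSecurityThrowErrorUtils.throwError(OnSecurityErrorCodes.INVALID_REGION, (String) null,
                    "Invalid Region：" + (region == null ? user.getRegionId() : region.getRegionId())
                            + "，Please check data validity.");
        }
    }

    /** Verifies the raw password against the stored (encoded) password. */
    private void assertPasswordMatches(String rawPassword, SecurityUser user, String username) {
        if (!this.passwordEncoder.matches(rawPassword, user.getPassword())) {
            OnSecurityThrowErrorUtils.throwError(OnSecurityErrorCodes.AUTHENTICATION_FAILED, "password",
                    "Username: " + username + ", password authentication failed.");
        }
    }

    /**
     * Returns the client authentication established earlier in the filter chain.
     * The original relied on an implicit cast; a missing or foreign authentication now fails
     * with an explicit message instead of a NullPointerException/ClassCastException (same error code).
     */
    private OAuth2ClientAuthenticationToken currentClientAuthentication() {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (!(current instanceof OAuth2ClientAuthenticationToken)) {
            throw unknownError("No authenticated client found in the security context.");
        }
        return (OAuth2ClientAuthenticationToken) current;
    }

    /** Refresh tokens are issued only to clients with the refresh_token grant that are not public (NONE auth). */
    private static boolean refreshTokenAllowed(RegisteredClient registeredClient) {
        return registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)
                && !registeredClient.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.NONE);
    }

    /** Generates the access token and records it (with claims metadata when available) on the authorization. */
    private OAuth2AccessToken generateAccessToken(OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator,
            DefaultOAuth2TokenContext.Builder tokenContextBuilder, OAuth2Authorization.Builder authorizationBuilder) {
        DefaultOAuth2TokenContext tokenContext = tokenContextBuilder.tokenType(OAuth2TokenType.ACCESS_TOKEN).build();
        OAuth2Token generatedToken = tokenGenerator.generate(tokenContext);
        if (generatedToken == null) {
            throw unknownError("The token generator failed to generate the access token.");
        }
        trace("Generated access token");
        OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
                generatedToken.getTokenValue(), generatedToken.getIssuedAt(), generatedToken.getExpiresAt(),
                tokenContext.getAuthorizedScopes());
        if (generatedToken instanceof ClaimAccessor) {
            Map<String, Object> claims = ((ClaimAccessor) generatedToken).getClaims();
            authorizationBuilder.token(accessToken,
                    metadata -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, claims));
        } else {
            authorizationBuilder.accessToken(accessToken);
        }
        return accessToken;
    }

    /** Generates the refresh token and records it on the authorization. */
    private OAuth2RefreshToken generateRefreshToken(OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator,
            DefaultOAuth2TokenContext.Builder tokenContextBuilder, OAuth2Authorization.Builder authorizationBuilder) {
        OAuth2Token generatedToken = tokenGenerator.generate(
                tokenContextBuilder.tokenType(OAuth2TokenType.REFRESH_TOKEN).build());
        if (!(generatedToken instanceof OAuth2RefreshToken)) {
            throw unknownError("The token generator failed to generate the refresh token.");
        }
        trace("Generated refresh token");
        OAuth2RefreshToken refreshToken = (OAuth2RefreshToken) generatedToken;
        authorizationBuilder.refreshToken(refreshToken);
        return refreshToken;
    }

    /**
     * Generates the OIDC ID token and records it on the authorization.
     * The ID token context sees the authorization as built so far (access/refresh token already attached).
     */
    private void generateIdToken(OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator,
            DefaultOAuth2TokenContext.Builder tokenContextBuilder, OAuth2Authorization.Builder authorizationBuilder) {
        OAuth2Token generatedToken = tokenGenerator.generate(tokenContextBuilder
                .tokenType(ID_TOKEN_TOKEN_TYPE)
                .authorization(authorizationBuilder.build())
                .build());
        if (!(generatedToken instanceof Jwt)) {
            throw unknownError("The token generator failed to generate the ID token.");
        }
        trace("Generated id token");
        Jwt jwt = (Jwt) generatedToken;
        OidcIdToken idToken = new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());
        authorizationBuilder.token(idToken,
                metadata -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
    }

    /** Builds the generic {@code UNKNOWN_EXCEPTION} failure with the given description. */
    private static OnSecurityOAuth2AuthenticationException unknownError(String description) {
        return new OnSecurityOAuth2AuthenticationException(new OnSecurityError(
                OnSecurityErrorCodes.UNKNOWN_EXCEPTION.getValue(), (String) null, description, ERROR_URI));
    }

    /** Trace-level progress logging, guarded to avoid work when trace is off. */
    private void trace(String message) {
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(message);
        }
    }

    /**
     * @param cls the authentication class offered by the authentication manager
     * @return {@code true} only for {@link OnSecurityOAuth2UsernamePasswordAuthenticationToken} (or subclasses)
     */
    @Override
    public boolean supports(Class<?> cls) {
        return OnSecurityOAuth2UsernamePasswordAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Replaces the encoder used to verify passwords.
     *
     * @param passwordEncoder the encoder; must not be {@code null}
     * @throws IllegalArgumentException if {@code passwordEncoder} is {@code null}
     */
    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
        this.passwordEncoder = passwordEncoder;
    }
}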
