package cn.kduck.security.mfa.oauth2;

import cn.kduck.security.mfa.MfaAuthenticationValidationFilter;
import cn.kduck.security.mfa.MfaTokenService;
import cn.kduck.security.mfa.MfaUserDetailsService;
import com.gold.kduck.utils.SpringBeanUtils;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;

/* loaded from: input_file:cn/kduck/security/mfa/oauth2/MfaTokenGranter.class */
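/**
 * Token granter for the custom {@code "mfa"} grant type.
 *
 * <p>The grant exchanges an already-issued access token (sent under
 * {@link MfaAuthenticationValidationFilter#DEFAULT_MFA_PARAMETER_NAME}) together with a one-time
 * {@code mfa_code} for a fresh authentication: the stored authentication behind the presented
 * token is loaded, the code is verified for that user, the user is re-authenticated through the
 * {@link AuthenticationManager}, the requesting client is checked against the client the token was
 * issued to, and the requested scope may only narrow the original scope.
 *
 * <p>This class performs no attempt throttling of its own; any lock-out or rate limiting of MFA
 * code guesses has to come from {@link MfaTokenService} or the surrounding filters (not visible
 * here, so confirm before relying on it).
 *
 * <p>Thread-safety: the two MFA collaborators are resolved lazily from the Spring context without
 * synchronization. Two first callers may look the same bean up twice, which is assumed harmless
 * for a container-managed singleton (TODO confirm).
 */
public class MfaTokenGranter extends AbstractTokenGranter {
    /** Extension grant type handled by this granter; not one of the RFC 6749 standard grants. */
    private static final String GRANT_TYPE = "mfa";
    /** Request parameter that carries the one-time MFA code. */
    private static final String MFA_CODE_PARAMETER_NAME = "mfa_code";

    private final TokenStore tokenStore;
    private final ClientDetailsService clientDetailsService;
    private final AuthenticationManager authenticationManager;
    // Resolved lazily from the Spring context on first use; see the resolve*() helpers.
    private MfaTokenService mfaTokenService;
    private MfaUserDetailsService mfaUserDetailsService;

    /**
     * Creates a granter wired from an authorization-server endpoints configurer.
     *
     * @param authorizationServerEndpointsConfigurer source of token services, client details
     *     service, request factory and token store
     * @param authenticationManager manager used to re-authenticate the user once the MFA code has
     *     been verified
     * @param mfaAuthenticatorService not used by this class; retained so the constructor signature
     *     stays compatible with existing callers
     */
    public MfaTokenGranter(AuthorizationServerEndpointsConfigurer authorizationServerEndpointsConfigurer, AuthenticationManager authenticationManager, MfaAuthenticatorService mfaAuthenticatorService) {
        super(authorizationServerEndpointsConfigurer.getTokenServices(), authorizationServerEndpointsConfigurer.getClientDetailsService(), authorizationServerEndpointsConfigurer.getOAuth2RequestFactory(), GRANT_TYPE);
        this.tokenStore = authorizationServerEndpointsConfigurer.getTokenStore();
        this.clientDetailsService = authorizationServerEndpointsConfigurer.getClientDetailsService();
        this.authenticationManager = authenticationManager;
    }

    /**
     * Creates a granter from explicitly supplied collaborators.
     *
     * @param authorizationServerTokenServices token services passed to the base granter
     * @param clientDetailsService used to confirm the requesting client is still registered
     * @param oAuth2RequestFactory request factory passed to the base granter
     * @param authenticationManager manager used to re-authenticate the user once the MFA code has
     *     been verified
     * @param tokenStore store the presented access token is looked up in
     */
    public MfaTokenGranter(AuthorizationServerTokenServices authorizationServerTokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory oAuth2RequestFactory, AuthenticationManager authenticationManager, TokenStore tokenStore) {
        super(authorizationServerTokenServices, clientDetailsService, oAuth2RequestFactory, GRANT_TYPE);
        this.tokenStore = tokenStore;
        this.clientDetailsService = clientDetailsService;
        this.authenticationManager = authenticationManager;
    }

    /**
     * Builds the authentication for an {@code mfa} token request.
     *
     * <p>The presented access token is resolved before the MFA code is examined, so an unknown or
     * expired token is rejected without the code ever being checked.
     *
     * @param clientDetails the authenticated client (unused here; the client is instead validated
     *     against the client id bound to the presented token)
     * @param tokenRequest the incoming token request
     * @return the re-authenticated, client- and scope-checked authentication
     * @throws InvalidRequestException if the MFA token or the MFA code parameter is missing
     * @throws InvalidTokenException if the presented token is unknown, expired or has no stored
     *     authentication, or the bound client is no longer registered
     * @throws InvalidGrantException if the MFA code does not verify or the requesting client is not
     *     the one the token was issued to
     * @throws InvalidScopeException if the requested scope is not a subset of the original scope
     */
    @Override
    protected OAuth2Authentication getOAuth2Authentication(ClientDetails clientDetails, TokenRequest tokenRequest) {
        Map<String, String> parameters = tokenRequest.getRequestParameters();
        String mfaToken = parameters.get(MfaAuthenticationValidationFilter.DEFAULT_MFA_PARAMETER_NAME);
        if (mfaToken == null) {
            throw new InvalidRequestException("Missing MFA token");
        }
        OAuth2Authentication storedAuthentication = loadAuthentication(mfaToken);
        String username = storedAuthentication.getName();

        // A null check (rather than containsKey) also rejects a parameter that is present with no
        // value, so the validator never receives a null code.
        String mfaCode = parameters.get(MFA_CODE_PARAMETER_NAME);
        if (mfaCode == null) {
            throw new InvalidRequestException("Missing MFA code");
        }

        if (!resolveMfaTokenService().isTokenValid(resolveMfaUserDetailsService().loadUserByUsername(username), mfaCode)) {
            throw new InvalidGrantException("Invalid MFA code");
        }
        return getAuthentication(tokenRequest, storedAuthentication);
    }

    /** Returns the MFA token service, looking it up in the Spring context on first use. */
    private MfaTokenService resolveMfaTokenService() {
        if (this.mfaTokenService == null) {
            this.mfaTokenService = (MfaTokenService) SpringBeanUtils.getBean(MfaTokenService.class);
        }
        return this.mfaTokenService;
    }

    /** Returns the MFA user details service, looking it up in the Spring context on first use. */
    private MfaUserDetailsService resolveMfaUserDetailsService() {
        if (this.mfaUserDetailsService == null) {
            this.mfaUserDetailsService = (MfaUserDetailsService) SpringBeanUtils.getBean(MfaUserDetailsService.class);
        }
        return this.mfaUserDetailsService;
    }

    /**
     * Resolves the stored authentication behind an access-token value.
     *
     * <p>Follows the same lookup sequence as Spring's {@code DefaultTokenServices}: an unknown
     * token is rejected, an expired token is removed from the store and rejected, and a token with
     * no stored authentication is rejected as well.
     *
     * @param tokenValue raw access-token value taken from the request
     * @return the authentication the token was issued for
     * @throws InvalidTokenException if the token is unknown, expired, or has no stored
     *     authentication
     */
    private OAuth2Authentication loadAuthentication(String tokenValue) {
        OAuth2AccessToken accessToken = this.tokenStore.readAccessToken(tokenValue);
        if (accessToken == null) {
            // NOTE(review): the presented token value is echoed into the error message, and from
            // there into whatever logs the error response. Kept to preserve the existing error
            // contract; reconsider if those logs are not treated as sensitive.
            throw new InvalidTokenException("Invalid access token: " + tokenValue);
        }
        if (accessToken.isExpired()) {
            // Evict eagerly so the expired token does not linger in the store.
            this.tokenStore.removeAccessToken(accessToken);
            throw new InvalidTokenException("Access token expired: " + tokenValue);
        }
        OAuth2Authentication authentication = this.tokenStore.readAuthentication(accessToken);
        if (authentication == null) {
            throw new InvalidTokenException("Invalid access token: " + tokenValue);
        }
        return authentication;
    }

    /**
     * Re-authenticates the user behind the stored authentication and checks that the requesting
     * client is the one the original token was bound to.
     *
     * @param tokenRequest current token request
     * @param storedAuthentication authentication loaded from the token store
     * @return the refreshed authentication, see {@link #refreshAuthentication}
     * @throws InvalidGrantException if the stored client id is missing or differs from the
     *     request's client id
     * @throws InvalidTokenException if the bound client is no longer registered
     */
    private OAuth2Authentication getAuthentication(TokenRequest tokenRequest, OAuth2Authentication storedAuthentication) {
        // Run the stored user authentication through the AuthenticationManager again instead of
        // trusting the stored principal as-is; which checks that repeats depends on the configured
        // providers.
        Authentication userAuthentication = this.authenticationManager.authenticate(storedAuthentication.getUserAuthentication());
        OAuth2Authentication reauthenticated = new OAuth2Authentication(storedAuthentication.getOAuth2Request(), userAuthentication);
        reauthenticated.setDetails(storedAuthentication.getDetails());

        // The MFA token is bound to the client it was issued to; a different client must not be
        // able to finish the flow with it.
        String clientId = reauthenticated.getOAuth2Request().getClientId();
        if (clientId == null || !clientId.equals(tokenRequest.getClientId())) {
            throw new InvalidGrantException("Client is missing or does not correspond to the MFA token");
        }
        if (this.clientDetailsService != null) {
            try {
                this.clientDetailsService.loadClientByClientId(clientId);
            } catch (ClientRegistrationException e) {
                throw new InvalidTokenException("Client not valid: " + clientId, e);
            }
        }
        return refreshAuthentication(reauthenticated, tokenRequest);
    }

    /**
     * Applies the token request to the original OAuth2 request and narrows the scope if one was
     * requested.
     *
     * @param authentication re-authenticated user together with the original OAuth2 request
     * @param tokenRequest current token request; its scope, when present, must be contained in the
     *     original scope
     * @return a new authentication carrying the (possibly narrowed) request
     * @throws InvalidScopeException if the requested scope is not contained in the original scope
     */
    private OAuth2Authentication refreshAuthentication(OAuth2Authentication authentication, TokenRequest tokenRequest) {
        Set<String> requestedScope = tokenRequest.getScope();
        OAuth2Request refreshed = authentication.getOAuth2Request().refresh(tokenRequest);
        if (requestedScope != null && !requestedScope.isEmpty()) {
            Set<String> originalScope = refreshed.getScope();
            // Only narrowing is permitted: the new authentication may never carry more scope than
            // the original token did.
            if (originalScope == null || !originalScope.containsAll(requestedScope)) {
                throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + requestedScope + ".", originalScope);
            }
            refreshed = refreshed.narrowScope(requestedScope);
        }
        return new OAuth2Authentication(refreshed, authentication.getUserAuthentication());
    }
}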
