package io.gardenerframework.camellia.authentication.server.main.spring.oauth2;

import io.gardenerframework.camellia.authentication.server.common.annotation.AuthenticationServerEngineComponent;
import io.gardenerframework.camellia.authentication.server.main.schema.OAuth2ClientUserAuthenticationToken;
import io.gardenerframework.camellia.authentication.server.main.schema.UserAuthenticatedAuthentication;
import io.gardenerframework.camellia.authentication.server.main.utils.JwtUtils;
import io.gardenerframework.fragrans.log.GenericLoggerStaticAccessor;
import io.gardenerframework.fragrans.log.common.schema.reason.NotFound;
import io.gardenerframework.fragrans.log.schema.content.GenericBasicLogContent;
import io.gardenerframework.fragrans.log.schema.details.Detail;
import java.security.Principal;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.lang.Nullable;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

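/**
 * Issues the OAuth2 token set for a user who has already been authenticated by the
 * authentication server engine: a JWT access token, optionally a refresh token and
 * optionally an OIDC ID token.
 * <p>
 * The resulting {@link OAuth2Authorization} is persisted through the
 * {@link OAuth2AuthorizationService} before the tokens are handed back, and the whole
 * result is packaged as an {@link OAuth2AccessTokenAuthenticationToken}.
 * <p>
 * Every grant step re-validates that the client principal carried by the request is
 * authenticated; an unauthenticated client aborts the grant with an
 * {@link OAuth2AuthenticationException}.
 */
@AuthenticationServerEngineComponent
public class UserAuthenticationOAuth2AccessTokenGranter {
    private static final Logger log = LoggerFactory.getLogger(UserAuthenticationOAuth2AccessTokenGranter.class);
    /**
     * Opaque refresh-token generator: 96 random bytes (Spring's SecureRandom-backed
     * {@link Base64StringKeyGenerator}) rendered as URL-safe Base64 without padding.
     */
    private static final StringKeyGenerator DEFAULT_REFRESH_TOKEN_GENERATOR = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
    /** Scope whose presence triggers issuance of an OIDC ID token. */
    private static final String OPENID_SCOPE = "openid";
    /** Request parameter echoed into the ID token so the client can bind it to its request. */
    private static final String NONCE_PARAMETER_NAME = "nonce";
    /** Name under which the ID token travels in the token response's additional parameters. */
    private static final String ID_TOKEN_PARAMETER_NAME = "id_token";
    /** Token type handed to customizers so they can tell ID-token contexts from access-token ones. */
    private static final OAuth2TokenType ID_TOKEN_TOKEN_TYPE = new OAuth2TokenType(ID_TOKEN_PARAMETER_NAME);

    private final OAuth2AuthorizationService oAuth2AuthorizationService;
    private final JwtEncoder jwtEncoder;
    /** May be {@code null}; the issuer claim is then omitted. */
    private final AuthorizationServerSettings authorizationServerSettings;
    private final OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer;

    /**
     * An {@link OAuth2AccessToken} that also keeps the encoded {@link Jwt} it was built from,
     * so callers can read the signed claims without decoding the token value again.
     */
    public static class JwtOAuth2AccessToken extends OAuth2AccessToken {
        private final Jwt jwtAccessToken;

        /**
         * @param jwt        the encoded JWT backing this token
         * @param tokenType  bearer/other token type
         * @param tokenValue the serialized token string
         * @param issuedAt   issue instant
         * @param expiresAt  expiry instant
         */
        public JwtOAuth2AccessToken(Jwt jwt, OAuth2AccessToken.TokenType tokenType, String tokenValue, Instant issuedAt, Instant expiresAt) {
            super(tokenType, tokenValue, issuedAt, expiresAt);
            this.jwtAccessToken = jwt;
        }

        /**
         * @param jwt        the encoded JWT backing this token
         * @param tokenType  bearer/other token type
         * @param tokenValue the serialized token string
         * @param issuedAt   issue instant
         * @param expiresAt  expiry instant
         * @param scopes     scopes granted to the token
         */
        public JwtOAuth2AccessToken(Jwt jwt, OAuth2AccessToken.TokenType tokenType, String tokenValue, Instant issuedAt, Instant expiresAt, Set<String> scopes) {
            super(tokenType, tokenValue, issuedAt, expiresAt, scopes);
            this.jwtAccessToken = jwt;
        }

        /**
         * @return the encoded JWT this access token wraps
         */
        public Jwt getJwtAccessToken() {
            return this.jwtAccessToken;
        }
    }

    /**
     * Creates a granter.
     *
     * @param oAuth2AuthorizationService store the issued authorization is saved to
     * @param jwtEncoder                 encoder used to sign access and ID tokens
     * @param authorizationServerSettings server settings; only the issuer is read, may be {@code null}
     * @param oAuth2TokenCustomizer      customizer applied to every JWT encoding context before encoding
     */
    public UserAuthenticationOAuth2AccessTokenGranter(OAuth2AuthorizationService oAuth2AuthorizationService, JwtEncoder jwtEncoder, AuthorizationServerSettings authorizationServerSettings, OAuth2TokenCustomizer<JwtEncodingContext> oAuth2TokenCustomizer) {
        this.oAuth2AuthorizationService = oAuth2AuthorizationService;
        this.jwtEncoder = jwtEncoder;
        this.authorizationServerSettings = authorizationServerSettings;
        this.tokenCustomizer = oAuth2TokenCustomizer;
    }

    /**
     * Grants the full token set for an authenticated user and persists the authorization.
     *
     * @param oAuth2ClientUserAuthenticationToken the grant request, carrying the authenticated client principal,
     *                                            the requested scopes and additional parameters
     * @param userAuthenticatedAuthentication     the already-authenticated user
     * @return access token, refresh token (if the client is eligible) and, when {@code openid}
     *         was requested, the ID token under {@code id_token} in the additional parameters
     * @throws OAuth2AuthenticationException if the client principal is missing or not authenticated
     * @throws NullPointerException          if the client principal has no registered client
     */
    public OAuth2AccessTokenAuthenticationToken createOAuth2AccessTokenAuthenticationToken(OAuth2ClientUserAuthenticationToken oAuth2ClientUserAuthenticationToken, UserAuthenticatedAuthentication userAuthenticatedAuthentication) {
        OAuth2ClientAuthenticationToken client = getAuthenticatedClientElseThrowInvalidClient(oAuth2ClientUserAuthenticationToken);
        RegisteredClient registeredClient = requireRegisteredClient(client);
        JwtOAuth2AccessToken accessToken = grantAccessToken(oAuth2ClientUserAuthenticationToken, userAuthenticatedAuthentication);
        OAuth2RefreshToken refreshToken = grantRefreshToken(oAuth2ClientUserAuthenticationToken);
        OidcIdToken idToken = grantIdToken(oAuth2ClientUserAuthenticationToken, userAuthenticatedAuthentication);
        // Persist before answering so the issued tokens are known to the server (revocation,
        // introspection, refresh) from the moment the client receives them.
        this.oAuth2AuthorizationService.save(createAuthorization(oAuth2ClientUserAuthenticationToken, userAuthenticatedAuthentication, accessToken, refreshToken, idToken));
        Map<String, Object> additionalParameters = Collections.emptyMap();
        if (idToken != null) {
            additionalParameters = new HashMap<>();
            additionalParameters.put(ID_TOKEN_PARAMETER_NAME, idToken.getTokenValue());
        }
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, oAuth2ClientUserAuthenticationToken, accessToken, refreshToken, additionalParameters);
    }

    /**
     * Returns the client principal of the grant request if it is present and authenticated;
     * otherwise logs the missing/unauthenticated client and aborts the grant.
     * <p>
     * NOTE(review): despite the method name, the error code raised is {@code unauthorized_client},
     * not {@code invalid_client}. It is kept as-is here because the code is visible to clients on
     * the wire; change it deliberately, not as a cleanup.
     *
     * @param grant the grant request
     * @return the authenticated client principal
     * @throws OAuth2AuthenticationException when the principal is {@code null} or not authenticated
     */
    private OAuth2ClientAuthenticationToken getAuthenticatedClientElseThrowInvalidClient(OAuth2ClientUserAuthenticationToken grant) {
        final OAuth2ClientAuthenticationToken principal = grant.m16getPrincipal();
        if (principal != null && principal.isAuthenticated()) {
            return principal;
        }
        // The anonymous Detail exposes the (possibly null) client as a field named "client";
        // the field name is what the log content picks up, so it must stay.
        Detail detail = new Detail() {
            private final OAuth2ClientAuthenticationToken client = principal;
        };
        GenericLoggerStaticAccessor.basicLogger().info(log, GenericBasicLogContent.builder().what(OAuth2ClientAuthenticationToken.class).how(new NotFound()).detail(detail).build(), (Throwable) null);
        throw new OAuth2AuthenticationException("unauthorized_client");
    }

    /**
     * Builds, customizes and signs the JWT access token for the user.
     *
     * @param grant the grant request (scopes, grant type)
     * @param user  the authenticated user; its id becomes the token subject via {@link JwtUtils}
     * @return the signed access token together with its JWT
     */
    private JwtOAuth2AccessToken grantAccessToken(OAuth2ClientUserAuthenticationToken grant, UserAuthenticatedAuthentication user) {
        OAuth2ClientAuthenticationToken client = getAuthenticatedClientElseThrowInvalidClient(grant);
        RegisteredClient registeredClient = requireRegisteredClient(client);
        Set<String> scopes = grant.getScopes();
        JwtEncodingContext context = JwtEncodingContext
                .with(JwtUtils.headers(), JwtUtils.accessTokenClaims(registeredClient, issuer(), user.getUser().getId(), scopes))
                .registeredClient(registeredClient)
                .principal(user)
                .authorizedScopes(scopes)
                .tokenType(OAuth2TokenType.ACCESS_TOKEN)
                .authorizationGrantType(grant.getGrantType())
                .authorizationGrant(grant)
                .build();
        Jwt jwt = customizeAndEncode(context);
        return new JwtOAuth2AccessToken(jwt, OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), scopes);
    }

    /**
     * Issues a refresh token only to clients that are registered for the
     * {@code refresh_token} grant <em>and</em> authenticate themselves. Public clients
     * (client authentication method {@code none}) never receive one, since a stolen
     * refresh token could otherwise be replayed without any client credential.
     *
     * @param grant the grant request
     * @return a refresh token with the client's configured time-to-live, or {@code null}
     *         when the client is not eligible
     */
    @Nullable
    private OAuth2RefreshToken grantRefreshToken(OAuth2ClientUserAuthenticationToken grant) {
        OAuth2ClientAuthenticationToken client = getAuthenticatedClientElseThrowInvalidClient(grant);
        RegisteredClient registeredClient = requireRegisteredClient(client);
        boolean refreshGrantRegistered = registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN);
        ClientAuthenticationMethod method = client.getClientAuthenticationMethod();
        boolean publicClient = method.equals(ClientAuthenticationMethod.NONE);
        if (!refreshGrantRegistered || publicClient) {
            return null;
        }
        return generateRefreshToken(registeredClient.getTokenSettings().getRefreshTokenTimeToLive());
    }

    /**
     * Builds, customizes and signs an OIDC ID token when the {@code openid} scope was requested.
     *
     * @param grant the grant request; its {@code nonce} additional parameter is echoed into the claims
     * @param user  the authenticated user
     * @return the ID token, or {@code null} when {@code openid} was not requested (a {@code null}
     *         scope set counts as not requested) or the encoder produced no JWT
     */
    @Nullable
    private OidcIdToken grantIdToken(OAuth2ClientUserAuthenticationToken grant, UserAuthenticatedAuthentication user) {
        OAuth2ClientAuthenticationToken client = getAuthenticatedClientElseThrowInvalidClient(grant);
        Set<String> scopes = grant.getScopes();
        if (scopes == null || !scopes.contains(OPENID_SCOPE)) {
            return null;
        }
        RegisteredClient registeredClient = requireRegisteredClient(client);
        // NOTE(review): assumes the additional-parameter map stores the nonce as a String
        // (anything else fails with ClassCastException here) — confirm against the request parser.
        String nonce = (String) grant.getAdditionalParameters().get(NONCE_PARAMETER_NAME);
        JwtEncodingContext context = JwtEncodingContext
                .with(JwtUtils.headers(), JwtUtils.idTokenClaims(registeredClient, issuer(), user.getUser().getId(), nonce))
                .registeredClient(registeredClient)
                .principal(user)
                .authorizedScopes(scopes)
                .tokenType(ID_TOKEN_TOKEN_TYPE)
                .authorizationGrantType(grant.getGrantType())
                .authorizationGrant(grant)
                .build();
        Jwt jwt = customizeAndEncode(context);
        if (jwt == null) {
            // Defensive: a custom JwtEncoder returning null yields "no ID token" rather than an NPE.
            return null;
        }
        return new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());
    }

    /**
     * Assembles the {@link OAuth2Authorization} record to persist for this grant.
     * <p>
     * The access token is stored as a plain {@link OAuth2AccessToken} (not the JWT-bearing
     * subtype) and its claims are attached as token metadata; presumably this keeps the
     * persisted form free of the subtype for the authorization service — confirm if the
     * store is changed.
     *
     * @param grant        the grant request
     * @param user         the authenticated user; stored as the {@link Principal} attribute
     * @param accessToken  the issued access token
     * @param refreshToken the issued refresh token, or {@code null}
     * @param idToken      the issued ID token, or {@code null}
     * @return the built authorization with a fresh random id
     */
    private OAuth2Authorization createAuthorization(OAuth2ClientUserAuthenticationToken grant, UserAuthenticatedAuthentication user, JwtOAuth2AccessToken accessToken, @Nullable OAuth2RefreshToken refreshToken, @Nullable OidcIdToken idToken) {
        RegisteredClient registeredClient = requireRegisteredClient(getAuthenticatedClientElseThrowInvalidClient(grant));
        Set<String> scopes = grant.getScopes();
        Set<String> authorizedScopes = scopes != null ? scopes : Collections.<String>emptySet();
        OAuth2AccessToken storedAccessToken = new OAuth2AccessToken(accessToken.getTokenType(), accessToken.getTokenValue(), accessToken.getIssuedAt(), accessToken.getExpiresAt(), accessToken.getScopes());
        OAuth2Authorization.Builder builder = OAuth2Authorization.withRegisteredClient(registeredClient)
                .principalName(user.getUser().getId())
                .authorizationGrantType(grant.getGrantType())
                .attribute(Principal.class.getName(), user)
                .authorizedScopes(authorizedScopes)
                .id(UUID.randomUUID().toString())
                .token(storedAccessToken, metadata -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, accessToken.getJwtAccessToken().getClaims()));
        if (refreshToken != null) {
            builder.refreshToken(refreshToken);
        }
        if (idToken != null) {
            builder.token(idToken, metadata -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, idToken.getClaims()));
        }
        return builder.build();
    }

    /**
     * Creates an opaque refresh token valid from now for the given duration.
     *
     * @param timeToLive lifetime taken from the client's token settings
     * @return the refresh token
     */
    private OAuth2RefreshToken generateRefreshToken(Duration timeToLive) {
        Instant issuedAt = Instant.now();
        return new OAuth2RefreshToken(DEFAULT_REFRESH_TOKEN_GENERATOR.generateKey(), issuedAt, issuedAt.plus(timeToLive));
    }

    /**
     * Runs the configured customizer over the context, then signs it.
     *
     * @param context a fully built encoding context (access or ID token)
     * @return the encoded JWT as returned by the encoder
     */
    private Jwt customizeAndEncode(JwtEncodingContext context) {
        this.tokenCustomizer.customize(context);
        return this.jwtEncoder.encode(JwtEncoderParameters.from(context.getJwsHeader().build(), context.getClaims().build()));
    }

    /**
     * @return the configured issuer, or {@code null} when no server settings were supplied
     */
    @Nullable
    private String issuer() {
        return this.authorizationServerSettings != null ? this.authorizationServerSettings.getIssuer() : null;
    }

    /**
     * Resolves the registered client behind an authenticated client principal, failing fast
     * (rather than at some later dereference) if it is absent.
     *
     * @param client the authenticated client principal
     * @return the non-null registered client
     * @throws NullPointerException if the principal carries no registered client
     */
    private static RegisteredClient requireRegisteredClient(OAuth2ClientAuthenticationToken client) {
        return Objects.requireNonNull(client.getRegisteredClient(), "authenticated client has no registered client");
    }
}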
