package org.springframework.security.oauth2.server.authorization.authentication;

import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2DeviceCode;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2UserCode;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientMetadataClaimNames;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.class */
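/**
 * {@link AuthenticationProvider} that processes the resource owner's consent decision in the
 * OAuth 2.0 Device Authorization Grant (the step after the user code has been verified).
 *
 * <p>Security checks performed, in order, before any state is modified:
 * <ol>
 *   <li>the submitted {@code state} must resolve to a stored {@link OAuth2Authorization}
 *       (the state is the only link between the consent form and the pending device authorization);</li>
 *   <li>the principal submitting consent must be authenticated (not anonymous) and must be the
 *       same principal the pending authorization was created for;</li>
 *   <li>the submitted {@code client_id} must resolve to a {@link RegisteredClient} whose id matches
 *       the pending authorization's registered client;</li>
 *   <li>the approved scopes must be a subset of the scopes the device originally requested
 *       (stored as the authorization's {@code scope} attribute) — this blocks scope escalation
 *       through a tampered consent form.</li>
 * </ol>
 *
 * <p>Outcome: if no authorities remain on the consent (i.e. the user denied), any existing consent
 * is removed, both the device code and the user code are invalidated and {@code access_denied} is
 * raised. Otherwise the (possibly merged) consent is persisted, the authorization is saved with its
 * authorized scopes, only the user code is invalidated (the device code stays valid for the
 * device's token request) and an {@link OAuth2DeviceVerificationAuthenticationToken} is returned.
 *
 * <p>NOTE(review): this listing is decompiled; the scope/client_id parameter names are referenced via
 * {@link OidcClientMetadataClaimNames} constants, which carry the same string values as the
 * corresponding OAuth 2.0 parameter names.
 */
public final class OAuth2DeviceAuthorizationConsentAuthenticationProvider implements AuthenticationProvider {
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
    private static final String STATE = "state";
    /** Token type under which the consent {@code state} value is stored and looked up. */
    static final OAuth2TokenType STATE_TOKEN_TYPE = new OAuth2TokenType(STATE);
    private final Log logger = LogFactory.getLog(getClass());
    private final RegisteredClientRepository registeredClientRepository;
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2AuthorizationConsentService authorizationConsentService;
    private Consumer<OAuth2AuthorizationConsentAuthenticationContext> authorizationConsentCustomizer;

    /**
     * Creates a provider backed by the given repositories/services.
     *
     * @param registeredClientRepository        used to resolve the submitted {@code client_id}
     * @param oAuth2AuthorizationService        used to resolve the pending authorization by state and to persist the result
     * @param oAuth2AuthorizationConsentService used to read, persist or remove the resource owner's consent
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    public OAuth2DeviceAuthorizationConsentAuthenticationProvider(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2AuthorizationConsentService oAuth2AuthorizationConsentService) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2AuthorizationConsentService, "authorizationConsentService cannot be null");
        this.registeredClientRepository = registeredClientRepository;
        this.authorizationService = oAuth2AuthorizationService;
        this.authorizationConsentService = oAuth2AuthorizationConsentService;
    }

    /**
     * Validates and applies a device authorization consent decision.
     *
     * @param authentication an {@link OAuth2DeviceAuthorizationConsentAuthenticationToken}
     * @return an {@link OAuth2DeviceVerificationAuthenticationToken} for the approving principal
     * @throws OAuth2AuthenticationException with {@code invalid_request} (bad state, principal mismatch,
     *         unknown/mismatched client), {@code invalid_scope} (scope not part of the original request)
     *         or {@code access_denied} (consent denied)
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2DeviceAuthorizationConsentAuthenticationToken consentAuthentication =
                (OAuth2DeviceAuthorizationConsentAuthenticationToken) authentication;

        // 1. The state must resolve to a pending authorization; an unknown state is rejected outright.
        OAuth2Authorization authorization =
                this.authorizationService.findByToken(consentAuthentication.getState(), STATE_TOKEN_TYPE);
        if (authorization == null) {
            throwError("invalid_request", STATE);
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Retrieved authorization with device authorization consent state");
        }

        // 2. Only the authenticated principal the authorization was created for may consent to it.
        Authentication principal = (Authentication) consentAuthentication.getPrincipal();
        if (!isPrincipalAuthenticated(principal) || !principal.getName().equals(authorization.getPrincipalName())) {
            throwError("invalid_request", STATE);
        }

        // 3. The submitted client_id must be a known client and the one bound to the authorization.
        RegisteredClient registeredClient =
                this.registeredClientRepository.findByClientId(consentAuthentication.getClientId());
        if (registeredClient == null || !registeredClient.getId().equals(authorization.getRegisteredClientId())) {
            throwError("invalid_request", OidcClientMetadataClaimNames.CLIENT_ID);
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Retrieved registered client");
        }

        // 4. Approved scopes may never exceed what the device originally requested.
        // A missing scope attribute is treated as "nothing was requested", so any approved scope
        // fails closed with invalid_scope instead of surfacing as an unhandled NullPointerException.
        Set<String> requestedScopes = (Set<String>) authorization.getAttribute(OidcClientMetadataClaimNames.SCOPE);
        if (requestedScopes == null) {
            requestedScopes = Collections.emptySet();
        }
        Set<String> authorizedScopes = new HashSet<>(consentAuthentication.getScopes());
        if (!requestedScopes.containsAll(authorizedScopes)) {
            throwError("invalid_scope", OidcClientMetadataClaimNames.SCOPE);
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Validated device authorization consent request parameters");
        }

        // Consent is cumulative: scopes this principal already granted to this client are carried
        // forward when they are part of the current request, even if not re-ticked on the form.
        OAuth2AuthorizationConsent currentConsent =
                this.authorizationConsentService.findById(authorization.getRegisteredClientId(), principal.getName());
        Set<String> previouslyAuthorizedScopes =
                currentConsent != null ? currentConsent.getScopes() : Collections.emptySet();
        for (String scope : requestedScopes) {
            if (previouslyAuthorizedScopes.contains(scope)) {
                authorizedScopes.add(scope);
            }
        }

        OAuth2AuthorizationConsent.Builder consentBuilder;
        if (currentConsent != null) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Retrieved existing authorization consent");
            }
            consentBuilder = OAuth2AuthorizationConsent.from(currentConsent);
        } else {
            consentBuilder = OAuth2AuthorizationConsent.withId(authorization.getRegisteredClientId(), principal.getName());
        }
        authorizedScopes.forEach(consentBuilder::scope);

        // An optional customizer may add or remove authorities on the consent before it is evaluated.
        if (this.authorizationConsentCustomizer != null) {
            OAuth2AuthorizationConsentAuthenticationContext context =
                    OAuth2AuthorizationConsentAuthenticationContext.with(consentAuthentication)
                            .authorizationConsent(consentBuilder)
                            .registeredClient(registeredClient)
                            .authorization(authorization)
                            .build();
            this.authorizationConsentCustomizer.accept(context);
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Customized authorization consent");
            }
        }

        // Snapshot the authorities currently on the builder; an empty set means consent was denied.
        Set<GrantedAuthority> authorities = new HashSet<>();
        consentBuilder.authorities(authorities::addAll);

        // Both codes are expected to be present on a device authorization awaiting consent.
        OAuth2Authorization.Token<OAuth2DeviceCode> deviceCode = authorization.getToken(OAuth2DeviceCode.class);
        OAuth2Authorization.Token<OAuth2UserCode> userCode = authorization.getToken(OAuth2UserCode.class);

        if (authorities.isEmpty()) {
            // Denied: drop any prior consent and burn both codes so neither the device poll nor a
            // replayed user code can make progress; the state is removed so the consent cannot be resubmitted.
            if (currentConsent != null) {
                this.authorizationConsentService.remove(currentConsent);
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("Revoked authorization consent");
                }
            }
            OAuth2Authorization deniedAuthorization = OAuth2Authorization.from(authorization)
                    .invalidate(deviceCode.getToken())
                    .invalidate(userCode.getToken())
                    .attributes(attributes -> attributes.remove(STATE))
                    .build();
            this.authorizationService.save(deniedAuthorization);
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Invalidated device code and user code because authorization consent was denied");
            }
            throwError("access_denied", OidcClientMetadataClaimNames.CLIENT_ID);
        }

        // Approved: persist the consent only if it actually changed.
        OAuth2AuthorizationConsent authorizationConsent = consentBuilder.build();
        if (!authorizationConsent.equals(currentConsent)) {
            this.authorizationConsentService.save(authorizationConsent);
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Saved authorization consent");
            }
        }

        // The user code is single-use and is invalidated here; the device code is left intact so the
        // device's pending token request can complete. State and requested-scope attributes are
        // consumed and removed.
        OAuth2Authorization approvedAuthorization = OAuth2Authorization.from(authorization)
                .authorizedScopes(authorizedScopes)
                .invalidate(userCode.getToken())
                .attributes(attributes -> {
                    attributes.remove(STATE);
                    attributes.remove(OidcClientMetadataClaimNames.SCOPE);
                })
                .build();
        this.authorizationService.save(approvedAuthorization);
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Saved authorization with authorized scopes");
            this.logger.trace("Authenticated device authorization consent request");
        }
        return new OAuth2DeviceVerificationAuthenticationToken(principal, consentAuthentication.getUserCode(), registeredClient.getClientId());
    }

    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2DeviceAuthorizationConsentAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Sets a customizer that is invoked with the consent builder (plus client, authorization and the
     * incoming token) before the consent decision is evaluated.
     *
     * @param consumer the customizer
     * @throws IllegalArgumentException if {@code consumer} is {@code null}
     */
    public void setAuthorizationConsentCustomizer(Consumer<OAuth2AuthorizationConsentAuthenticationContext> consumer) {
        Assert.notNull(consumer, "authorizationConsentCustomizer cannot be null");
        this.authorizationConsentCustomizer = consumer;
    }

    /** True only for a non-null, non-anonymous, authenticated principal. */
    private static boolean isPrincipalAuthenticated(Authentication authentication) {
        if (authentication == null) {
            return false;
        }
        if (AnonymousAuthenticationToken.class.isAssignableFrom(authentication.getClass())) {
            return false;
        }
        return authentication.isAuthenticated();
    }

    /** Raises an {@link OAuth2AuthenticationException} naming the offending OAuth 2.0 parameter. */
    private static void throwError(String errorCode, String parameterName) {
        throw new OAuth2AuthenticationException(new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName, ERROR_URI));
    }
}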
