package com.geoway.landteam.gas.oauth2.server.password;

import com.geoway.landteam.gas.servface.user.GasUserDetails;
import com.geoway.landteam.gas.servface.user.GasUserDetailsService;
import com.geoway.landteam.gas.servface.util.TimeMaskUtil;
import com.gw.base.Gw;
import com.gw.base.log.GiLoger;
import com.gw.base.log.GwLoger;
import com.gw.base.util.GutilStr;
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.context.ProviderContextHolder;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:com/geoway/landteam/gas/oauth2/server/password/PasswordAuthenticationProvider.class */
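/**
 * {@link AuthenticationProvider} for the (deprecated, RFC 6749 §4.3) resource-owner-password grant.
 * <p>
 * Flow for one token request:
 * <ol>
 *   <li>the calling client must already be authenticated and registered for the {@code password} grant;</li>
 *   <li>the resource owner's credentials are verified either by the {@code password_type}-aware
 *       {@link PasswordTypeUserDetailsService} (when a {@code password_type} parameter is present) or by a
 *       username/phone lookup plus {@link PasswordEncoder} comparison;</li>
 *   <li>requested scopes are checked against the client registration (an unregistered scope is rejected);</li>
 *   <li>an access token and, for confidential clients registered for it, a refresh token are generated,
 *       persisted as an {@link OAuth2Authorization}, and returned.</li>
 * </ol>
 * Security-relevant points of this implementation:
 * <ul>
 *   <li>Every credential failure is reported as RFC 6749 §5.2 {@code invalid_grant} with the same description,
 *       regardless of whether the account exists (the lookup-vs-encoder timing difference remains, see
 *       {@link #getUsernamePasswordAuthentication}).</li>
 *   <li>The principal stored in the authorization carries the grant's additional parameters with the
 *       {@code password} entry removed, so the raw credential is not written to the authorization store.</li>
 *   <li>The refresh token is attached to the persisted authorization; without that the refresh-token grant has
 *       nothing to look up.</li>
 * </ul>
 * The {@code authenticationManager} constructor argument is retained for interface compatibility but is not
 * used by this class.
 */
public class PasswordAuthenticationProvider implements AuthenticationProvider {
    private static final GiLoger logger = GwLoger.getLoger(PasswordAuthenticationProvider.class);
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
    private static final String PASSWORD_TYPE = "password_type";
    private static final String USERNAME_TYPE = "username_type";
    private static final String USERNAME_PARAM = "username";
    private static final String PASSWORD_PARAM = "password";
    /** {@code username_type} value that selects lookup by phone number instead of username. */
    private static final String PHONE_USERNAME_TYPE = "phone";
    /** Description used for every credential failure so the response does not reveal which part was wrong. */
    private static final String BAD_CREDENTIALS_DESCRIPTION = "账户或密码不正确";

    private final AuthenticationManager authenticationManager;
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;
    private final PasswordTypeUserDetailsService passwordTypeUserDetailsService;
    // Delegating encoder: the stored hash must carry an {id} prefix (e.g. {bcrypt}) or matching fails/throws.
    private PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    /**
     * @param authenticationManager        kept for compatibility; not consulted by this provider
     * @param oAuth2AuthorizationService   store for issued authorizations (must not be null)
     * @param oAuth2TokenGenerator         generator for access and refresh tokens (must not be null)
     * @param passwordTypeUserDetailsService verifier for {@code password_type}-qualified credentials
     */
    public PasswordAuthenticationProvider(AuthenticationManager authenticationManager, OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator, PasswordTypeUserDetailsService passwordTypeUserDetailsService) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2TokenGenerator, "tokenGenerator cannot be null");
        this.authenticationManager = authenticationManager;
        this.authorizationService = oAuth2AuthorizationService;
        this.tokenGenerator = oAuth2TokenGenerator;
        this.passwordTypeUserDetailsService = passwordTypeUserDetailsService;
    }

    /**
     * Processes one password-grant token request.
     *
     * @param authentication an {@link Oauth2PasswordAuthenticationToken} whose principal is the authenticated client
     * @return an {@link OAuth2AccessTokenAuthenticationToken} carrying the issued tokens
     * @throws OAuth2AuthenticationException with {@code invalid_client}, {@code unauthorized_client},
     *         {@code invalid_grant}, {@code invalid_scope} or {@code server_error} as defined by RFC 6749 §5.2
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Oauth2PasswordAuthenticationToken passwordGrant = (Oauth2PasswordAuthenticationToken) authentication;

        // 1. Client authentication and grant-type authorization.
        OAuth2ClientAuthenticationToken clientPrincipal = getAuthenticatedClientElseThrowInvalidClient(passwordGrant);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
        if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.PASSWORD)) {
            throw new OAuth2AuthenticationException("unauthorized_client");
        }

        // 2. Resource-owner credential verification (any failure -> invalid_grant).
        Authentication resourceOwner = authenticateResourceOwner(passwordGrant);

        // 3. Scope resolution against the client registration.
        Set<String> authorizedScopes = resolveAuthorizedScopes(registeredClient, passwordGrant.getScopes());

        // 4. Token generation. The builder is reused for the refresh token, only tokenType changes.
        DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
                .registeredClient(registeredClient)
                .principal(resourceOwner)
                .providerContext(ProviderContextHolder.getProviderContext())
                .authorizedScopes(authorizedScopes)
                .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                .authorizationGrant(passwordGrant);

        DefaultOAuth2TokenContext accessTokenContext = tokenContextBuilder.tokenType(OAuth2TokenType.ACCESS_TOKEN).build();
        OAuth2Token generatedAccessToken = this.tokenGenerator.generate(accessTokenContext);
        if (generatedAccessToken == null) {
            throw serverError("The token generator failed to generate the access token.");
        }
        OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
                generatedAccessToken.getTokenValue(), generatedAccessToken.getIssuedAt(),
                generatedAccessToken.getExpiresAt(), accessTokenContext.getAuthorizedScopes());

        // Refresh tokens only for clients registered for the refresh_token grant and that actually
        // authenticated (public clients, ClientAuthenticationMethod.NONE, never get one).
        OAuth2RefreshToken refreshToken = null;
        if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)
                && !ClientAuthenticationMethod.NONE.equals(clientPrincipal.getClientAuthenticationMethod())) {
            OAuth2Token generatedRefreshToken = this.tokenGenerator.generate(
                    tokenContextBuilder.tokenType(OAuth2TokenType.REFRESH_TOKEN).build());
            if (!(generatedRefreshToken instanceof OAuth2RefreshToken)) {
                throw serverError("The token generator failed to generate the refresh token.");
            }
            refreshToken = (OAuth2RefreshToken) generatedRefreshToken;
        }

        // 5. Persist the authorization. The resourceOwner principal is stored as-is, which is why the
        // password was stripped from its additional parameters when it was built.
        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
                .principalName(resourceOwner.getName())
                .authorizationGrantType(AuthorizationGrantType.PASSWORD)
                .attribute(OAuth2Authorization.AUTHORIZED_SCOPE_ATTRIBUTE_NAME, authorizedScopes)
                .attribute(Principal.class.getName(), resourceOwner);
        if (generatedAccessToken instanceof ClaimAccessor) {
            Map<String, Object> claims = ((ClaimAccessor) generatedAccessToken).getClaims();
            authorizationBuilder.token(accessToken,
                    metadata -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, claims));
        } else {
            authorizationBuilder.accessToken(accessToken);
        }
        if (refreshToken != null) {
            // Previously the refresh token was returned to the client but never saved, so a later
            // refresh_token grant could not find it (lookup is by token value in the authorization store).
            authorizationBuilder.refreshToken(refreshToken);
        }
        this.authorizationService.save(authorizationBuilder.build());
        logger.debug("OAuth2Authorization saved successfully", new Object[0]);
        logger.debug("returning OAuth2AccessTokenAuthenticationToken", new Object[0]);
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken, Collections.emptyMap());
    }

    @Override
    public boolean supports(Class<?> cls) {
        boolean supported = Oauth2PasswordAuthenticationToken.class.isAssignableFrom(cls);
        logger.debug("supports authentication=" + cls + " returning " + supported, new Object[0]);
        return supported;
    }

    /**
     * Verifies the resource owner's credentials, choosing the {@code password_type} path when that parameter
     * is present and the plain username/password path otherwise.
     * <p>
     * Both paths end in {@code invalid_grant} on failure. The {@code password_type} path used to return
     * {@code null} from {@code authenticate}, which tells the ProviderManager "not my request" rather than
     * "bad credentials" and surfaces as a provider-not-found failure instead of an OAuth2 error response.
     *
     * @throws OAuth2AuthenticationException {@code invalid_grant} when the credentials are not accepted
     */
    private Authentication authenticateResourceOwner(Oauth2PasswordAuthenticationToken passwordGrant) {
        String passwordType = (String) passwordGrant.getAdditionalParameters().get(PASSWORD_TYPE);
        Authentication resourceOwner = StringUtils.hasText(passwordType)
                ? getUsernamePasswordTypeAuthentication(passwordGrant, passwordType)
                : getUsernamePasswordAuthentication(passwordGrant);
        if (resourceOwner == null || !resourceOwner.isAuthenticated()) {
            throw invalidGrant("用户名或密码错误");
        }
        return resourceOwner;
    }

    /**
     * Resolves the scopes to authorize: the client's registered scopes when none were requested, otherwise
     * the requested set, which must be a subset of the registered scopes.
     *
     * @throws OAuth2AuthenticationException {@code invalid_scope} if any requested scope is not registered
     */
    private static Set<String> resolveAuthorizedScopes(RegisteredClient registeredClient, Set<String> requestedScopes) {
        if (CollectionUtils.isEmpty(requestedScopes)) {
            return registeredClient.getScopes();
        }
        if (!registeredClient.getScopes().containsAll(requestedScopes)) {
            throw new OAuth2AuthenticationException("invalid_scope");
        }
        return new LinkedHashSet<>(requestedScopes);
    }

    /**
     * Plain username (or phone, when {@code username_type=phone}) + password verification against the
     * {@link GasUserDetailsService} looked up from the application context.
     *
     * @return an authenticated principal token for the user's id; never {@code null}
     * @throws OAuth2AuthenticationException {@code invalid_request} if username or password is missing,
     *         {@code invalid_grant} if the account is unknown or the password does not match
     */
    private Authentication getUsernamePasswordAuthentication(Oauth2PasswordAuthenticationToken passwordGrant) {
        Map<String, Object> additionalParameters = passwordGrant.getAdditionalParameters();
        String username = (String) additionalParameters.get(USERNAME_PARAM);
        String maskedPassword = (String) additionalParameters.get(PASSWORD_PARAM);
        String usernameType = (String) additionalParameters.get(USERNAME_TYPE);
        if (!StringUtils.hasText(username) || !StringUtils.hasText(maskedPassword)) {
            // Reject up front rather than handing null into the user lookup / TimeMaskUtil.decode.
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("invalid_request", "username and password are required", ERROR_URI));
        }

        GasUserDetailsService userDetailsService = (GasUserDetailsService) Gw.beans.getBean(GasUserDetailsService.class);
        GasUserDetails user = GutilStr.equalsIgnoreCase(usernameType, PHONE_USERNAME_TYPE)
                ? userDetailsService.loadUserByPhone(username)
                : userDetailsService.loadUserByUsername(username);

        // NOTE(review): an unknown account fails here without running the password encoder, while a wrong
        // password pays the full hash cost, so response timing can distinguish the two (account enumeration).
        // Closing that gap needs a dummy hash to compare against; none is available in this class.
        if (user == null) {
            throw invalidGrant(BAD_CREDENTIALS_DESCRIPTION);
        }
        // TimeMaskUtil.decode is a project utility; presumably it reverses a client-side masking of the
        // password before the hash comparison — confirm it is not being relied on as a security control.
        if (!this.passwordEncoder.matches(TimeMaskUtil.decode(maskedPassword), user.getPassword())) {
            throw invalidGrant(BAD_CREDENTIALS_DESCRIPTION);
        }
        return new Oauth2PasswordAuthenticationToken(user.getUserId(), passwordGrant.getScopes(),
                withoutPassword(additionalParameters));
    }

    /**
     * Credential verification delegated to {@link PasswordTypeUserDetailsService} for a non-empty
     * {@code password_type} (the meaning of the type and of the "password" value is up to that service).
     *
     * @return a principal token for the user's id, or {@code null} if the service rejected the credentials
     */
    private Authentication getUsernamePasswordTypeAuthentication(Oauth2PasswordAuthenticationToken passwordGrant, String passwordType) {
        Map<String, Object> additionalParameters = passwordGrant.getAdditionalParameters();
        GasUserDetails user = this.passwordTypeUserDetailsService.loadUser(
                (String) additionalParameters.get(USERNAME_PARAM),
                (String) additionalParameters.get(PASSWORD_PARAM),
                passwordType);
        if (user == null) {
            return null;
        }
        return new Oauth2PasswordAuthenticationToken(user.getUserId(), passwordGrant.getScopes(),
                withoutPassword(additionalParameters));
    }

    /**
     * Copy of the grant's additional parameters without the {@code password} entry. The principal token
     * built from this map is stored in the {@link OAuth2Authorization}; persisting the raw credential
     * there would expose it to anyone who can read the authorization store.
     */
    private static Map<String, Object> withoutPassword(Map<String, Object> additionalParameters) {
        Map<String, Object> sanitized = new LinkedHashMap<>(additionalParameters);
        sanitized.remove(PASSWORD_PARAM);
        return sanitized;
    }

    /**
     * Extracts the authenticated client from the grant's principal.
     *
     * @throws OAuth2AuthenticationException {@code invalid_client} if the principal is missing, of another
     *         type, or not authenticated
     */
    private static OAuth2ClientAuthenticationToken getAuthenticatedClientElseThrowInvalidClient(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        if (principal instanceof OAuth2ClientAuthenticationToken) {
            OAuth2ClientAuthenticationToken clientPrincipal = (OAuth2ClientAuthenticationToken) principal;
            if (clientPrincipal.isAuthenticated()) {
                return clientPrincipal;
            }
        }
        throw new OAuth2AuthenticationException("invalid_client");
    }

    /** RFC 6749 §5.2 {@code invalid_grant}: the resource-owner credentials were not accepted. */
    private static OAuth2AuthenticationException invalidGrant(String description) {
        return new OAuth2AuthenticationException(new OAuth2Error("invalid_grant", description, ERROR_URI));
    }

    /** RFC 6749 §5.2 {@code server_error}: token generation failed on our side. */
    private static OAuth2AuthenticationException serverError(String description) {
        return new OAuth2AuthenticationException(new OAuth2Error("server_error", description, ERROR_URI));
    }
}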
