package org.mitre.oauth2.token;

import com.google.common.collect.Sets;
import java.util.HashSet;
import java.util.Set;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
import org.springframework.stereotype.Component;

@Component("chainedTokenGranter")
/* loaded from: input_file:org/mitre/oauth2/token/ChainedTokenGranter.class */
public class ChainedTokenGranter extends AbstractTokenGranter {
    private static final String grantType = "urn:ietf:params:oauth:grant_type:redelegate";
    private OAuth2TokenEntityService tokenServices;

    @Autowired
    public ChainedTokenGranter(OAuth2TokenEntityService oAuth2TokenEntityService, ClientDetailsEntityService clientDetailsEntityService, OAuth2RequestFactory oAuth2RequestFactory) {
        super(oAuth2TokenEntityService, clientDetailsEntityService, oAuth2RequestFactory, grantType);
        this.tokenServices = oAuth2TokenEntityService;
    }

    protected OAuth2Authentication getOAuth2Authentication(ClientDetails clientDetails, TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
        OAuth2AccessTokenEntity readAccessToken = this.tokenServices.readAccessToken((String) tokenRequest.getRequestParameters().get("token"));
        Set scope = readAccessToken.getScope();
        Set scope2 = tokenRequest.getScope();
        if (scope2 == null) {
            scope2 = new HashSet();
        }
        if (clientDetails.getScope().equals(scope2)) {
            scope2 = new HashSet();
        }
        if (!scope.containsAll(scope2)) {
            throw new InvalidScopeException("Invalid scope requested in chained request", scope);
        }
        if (scope2.isEmpty()) {
            tokenRequest.setScope(scope);
        } else {
            tokenRequest.setScope(Sets.intersection(scope2, scope));
        }
        return new OAuth2Authentication(getRequestFactory().createOAuth2Request(clientDetails, tokenRequest), readAccessToken.getAuthenticationHolder().getAuthentication().getUserAuthentication());
    }
}
