package org.springframework.cloud.common.security.support;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.FixedAuthoritiesExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.FixedPrincipalExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.PrincipalExtractor;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.DefaultResponseErrorHandler;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:org/springframework/cloud/common/security/support/TokenValidatingUserInfoTokenServices.class */
public class TokenValidatingUserInfoTokenServices extends DefaultTokenServices {
    private TokenStore tokenStore;
    private ClientDetailsService clientDetailsService;
    private final String userInfoEndpointUrl;
    private final String tokenInfoUri;
    private final String clientId;
    private final String clientSecret;
    private OAuth2RestOperations restTemplate;
    private RestOperations remoteTokenRestTemplate;
    protected final Log logger = LogFactory.getLog(getClass());
    private String tokenName = "token";
    private AuthoritiesExtractor authoritiesExtractor = new FixedAuthoritiesExtractor();
    private PrincipalExtractor principalExtractor = new FixedPrincipalExtractor();
    private AccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();

    public TokenValidatingUserInfoTokenServices(String str, String str2, String str3, String str4) {
        Assert.hasText(str, "The userInfoEndpointUrl must be set.");
        Assert.hasText(str2, "The tokenInfoUri must be set.");
        Assert.hasText(str3, "The clientId must be set.");
        Assert.hasText(str4, "The clientSecret must be set.");
        this.userInfoEndpointUrl = str;
        this.tokenInfoUri = str2;
        this.clientId = str3;
        this.clientSecret = str4;
        ObjectMapper objectMapper = new ObjectMapper();
        objectMapper.configure(DeserializationFeature.USE_LONG_FOR_INTS, true);
        RestTemplate restTemplate = new RestTemplate();
        MappingJackson2HttpMessageConverter mappingJackson2HttpMessageConverter = new MappingJackson2HttpMessageConverter();
        mappingJackson2HttpMessageConverter.setPrettyPrint(false);
        mappingJackson2HttpMessageConverter.setObjectMapper(objectMapper);
        restTemplate.getMessageConverters().removeIf(httpMessageConverter -> {
            return httpMessageConverter.getClass().getName().equals(MappingJackson2HttpMessageConverter.class.getName());
        });
        restTemplate.getMessageConverters().add(mappingJackson2HttpMessageConverter);
        restTemplate.setErrorHandler(new DefaultResponseErrorHandler() { // from class: org.springframework.cloud.common.security.support.TokenValidatingUserInfoTokenServices.1
            public void handleError(ClientHttpResponse clientHttpResponse) throws IOException {
                if (clientHttpResponse.getRawStatusCode() != 400) {
                    super.handleError(clientHttpResponse);
                }
            }
        });
        this.remoteTokenRestTemplate = restTemplate;
    }

    public void setRestTemplate(OAuth2RestOperations oAuth2RestOperations) {
        this.restTemplate = oAuth2RestOperations;
    }

    public void setAuthoritiesExtractor(AuthoritiesExtractor authoritiesExtractor) {
        Assert.notNull(authoritiesExtractor, "AuthoritiesExtractor must not be null");
        this.authoritiesExtractor = authoritiesExtractor;
    }

    public void setPrincipalExtractor(PrincipalExtractor principalExtractor) {
        Assert.notNull(principalExtractor, "PrincipalExtractor must not be null");
        this.principalExtractor = principalExtractor;
    }

    public OAuth2Authentication loadAuthentication(String str) throws AuthenticationException, InvalidTokenException {
        OAuth2Authentication oAuth2Authentication;
        boolean z = false;
        OAuth2AccessToken readAccessToken = this.tokenStore.readAccessToken(str);
        if (readAccessToken == null) {
            z = true;
        } else if (readAccessToken.isExpired()) {
            this.tokenStore.removeAccessToken(readAccessToken);
            throw new InvalidTokenException("Access token expired: " + str);
        }
        if (z) {
            oAuth2Authentication = retrieveOAuth2AuthenticationFromOAuthServer(str);
        } else {
            OAuth2Authentication readAuthentication = this.tokenStore.readAuthentication(readAccessToken);
            if (readAuthentication == null) {
                throw new InvalidTokenException("Invalid access token: " + str);
            }
            if (this.clientDetailsService != null) {
                String clientId = readAuthentication.getOAuth2Request().getClientId();
                try {
                    this.clientDetailsService.loadClientByClientId(clientId);
                } catch (ClientRegistrationException e) {
                    throw new InvalidTokenException("Client not valid: " + clientId, e);
                }
            }
            oAuth2Authentication = readAuthentication;
        }
        return oAuth2Authentication;
    }

    private OAuth2Authentication retrieveOAuth2AuthenticationFromOAuthServer(String str) {
        OAuth2AccessToken retrieveAccessTokenFromOAuthServer = retrieveAccessTokenFromOAuthServer(str);
        this.restTemplate.getOAuth2ClientContext().setAccessToken(retrieveAccessTokenFromOAuthServer);
        Map<String, Object> userInfoMap = getUserInfoMap(this.userInfoEndpointUrl);
        if (userInfoMap.containsKey("error")) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("userinfo returned error: " + userInfoMap.get("error"));
            }
            throw new InvalidTokenException(str);
        }
        OAuth2Authentication extractAuthentication = extractAuthentication(userInfoMap);
        this.tokenStore.storeAccessToken(retrieveAccessTokenFromOAuthServer, extractAuthentication);
        return extractAuthentication;
    }

    private OAuth2Authentication extractAuthentication(Map<String, Object> map) {
        Object principal = getPrincipal(map);
        List extractAuthorities = this.authoritiesExtractor.extractAuthorities(map);
        OAuth2Request oAuth2Request = new OAuth2Request((Map) null, this.clientId, (Collection) null, true, (Set) null, (Set) null, (String) null, (Set) null, (Map) null);
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(principal, "N/A", extractAuthorities);
        usernamePasswordAuthenticationToken.setDetails(map);
        return new OAuth2Authentication(oAuth2Request, usernamePasswordAuthenticationToken);
    }

    protected Object getPrincipal(Map<String, Object> map) {
        Object extractPrincipal = this.principalExtractor.extractPrincipal(map);
        return extractPrincipal == null ? "unknown" : extractPrincipal;
    }

    public OAuth2AccessToken readAccessToken(String str) {
        throw new UnsupportedOperationException("Not supported: read access token");
    }

    private Map<String, Object> getUserInfoMap(String str) {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Getting user info from: " + str);
        }
        try {
            return (Map) this.restTemplate.getForEntity(str, Map.class, new Object[0]).getBody();
        } catch (Exception e) {
            this.logger.warn("Could not fetch user details: " + e.getClass() + ", " + e.getMessage());
            return Collections.singletonMap("error", "Could not fetch user details");
        }
    }

    protected OAuth2AccessToken retrieveAccessTokenFromOAuthServer(String str) {
        Assert.hasText(str, "accessToken must not be null or empty.");
        LinkedMultiValueMap linkedMultiValueMap = new LinkedMultiValueMap();
        linkedMultiValueMap.add(this.tokenName, str);
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.set("Authorization", getAuthorizationHeader(this.clientId, this.clientSecret));
        Map<String, Object> postForMap = postForMap(this.tokenInfoUri, linkedMultiValueMap, httpHeaders);
        if (!postForMap.containsKey("error")) {
            return this.tokenConverter.extractAccessToken(str, postForMap);
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("userinfo returned error: " + postForMap.get("error"));
        }
        throw new InvalidTokenException(str);
    }

    protected String getAuthorizationHeader(String str, String str2) {
        if (str == null || str2 == null) {
            this.logger.warn("Null Client ID or Client Secret detected. Endpoint that requires authentication will reject request with 401 error.");
        }
        try {
            return "Basic " + new String(Base64.getEncoder().encode(String.format("%s:%s", str, str2).getBytes("UTF-8")));
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("Could not convert String");
        }
    }

    protected Map<String, Object> postForMap(String str, MultiValueMap<String, String> multiValueMap, HttpHeaders httpHeaders) {
        if (httpHeaders.getContentType() == null) {
            httpHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        }
        return (Map) this.remoteTokenRestTemplate.exchange(str, HttpMethod.POST, new HttpEntity(multiValueMap, httpHeaders), Map.class, new Object[0]).getBody();
    }

    public void setTokenStore(TokenStore tokenStore) {
        Assert.notNull(tokenStore, "tokenStore cannot be null.");
        super.setTokenStore(tokenStore);
        this.tokenStore = tokenStore;
    }

    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        Assert.notNull(clientDetailsService, "clientDetailsService cannot be null.");
        super.setClientDetailsService(clientDetailsService);
        this.clientDetailsService = clientDetailsService;
    }

    public void setTokenName(String str) {
        Assert.hasText(str, "tokenName cannot be null nor empty.");
        this.tokenName = str;
    }
}
