package org.springframework.security.oauth2.server.authorization.oidc.authentication;

import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientMetadataClaimNames;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientRegistration;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientConfigurationAuthenticationProvider.class */
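/**
 * {@link AuthenticationProvider} for an OpenID Connect client configuration (read) request.
 *
 * <p>The request is authenticated with a bearer access token presented as the principal of the
 * incoming {@link OidcClientRegistrationAuthenticationToken}. The provider:
 * <ol>
 *   <li>requires the principal to be an already-authenticated {@link AbstractOAuth2TokenAuthenticationToken},</li>
 *   <li>looks up the {@link OAuth2Authorization} that issued the access token and checks the token is still active,</li>
 *   <li>requires the token's {@code scope} claim to be exactly {@value #DEFAULT_CLIENT_CONFIGURATION_AUTHORIZED_SCOPE},</li>
 *   <li>requires the {@code client_id} of the request to name the same registered client the token was issued to.</li>
 * </ol>
 * Any failure is reported as an {@link OAuth2AuthenticationException}; no partial result is returned.
 *
 * <p>This class is immutable after construction; the injected repository and service are assumed to be
 * thread-safe as Spring components usually are (not verifiable from this file).
 */
public final class OidcClientConfigurationAuthenticationProvider implements AuthenticationProvider {
    /** The single scope a registration access token must carry to read a client configuration. */
    static final String DEFAULT_CLIENT_CONFIGURATION_AUTHORIZED_SCOPE = "client.read";
    private final Log logger = LogFactory.getLog(getClass());
    private final RegisteredClientRepository registeredClientRepository;
    private final OAuth2AuthorizationService authorizationService;
    private final Converter<RegisteredClient, OidcClientRegistration> clientRegistrationConverter;

    /**
     * Creates a provider backed by the given client repository and authorization service.
     *
     * @param registeredClientRepository the repository used to resolve the requested {@code client_id}
     * @param oAuth2AuthorizationService the service used to resolve the authorization behind the access token
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public OidcClientConfigurationAuthenticationProvider(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        this.registeredClientRepository = registeredClientRepository;
        this.authorizationService = oAuth2AuthorizationService;
        this.clientRegistrationConverter = new RegisteredClientOidcClientRegistrationConverter();
    }

    /**
     * Authenticates a client configuration (read) request.
     *
     * @param authentication an {@link OidcClientRegistrationAuthenticationToken}; callers are expected to
     *     have consulted {@link #supports(Class)} first, as the argument is cast unchecked
     * @return an authenticated {@link OidcClientRegistrationAuthenticationToken} carrying the client's
     *     registration, or {@code null} when the token has no {@code client_id} (the request is not a
     *     read request and another provider should handle it)
     * @throws OAuth2AuthenticationException with {@code invalid_token} when the principal is not an
     *     authenticated bearer token, the token is unknown or no longer active, or the token carries
     *     scopes beyond the required one; {@code insufficient_scope} when the required scope is
     *     missing; {@code invalid_client} when the {@code client_id} is unknown or belongs to a
     *     different client than the one the token was issued to
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OidcClientRegistrationAuthenticationToken clientRegistrationAuthentication = (OidcClientRegistrationAuthenticationToken) authentication;
        if (!StringUtils.hasText(clientRegistrationAuthentication.getClientId())) {
            // Not a read request: leave it to another provider in the chain.
            return null;
        }

        // The principal must be the (already authenticated) bearer-token Authentication; instanceof is
        // null-safe where the former getPrincipal().getClass() call would have thrown on a null principal.
        Object principal = clientRegistrationAuthentication.getPrincipal();
        AbstractOAuth2TokenAuthenticationToken<?> accessTokenAuthentication = null;
        if (principal instanceof AbstractOAuth2TokenAuthenticationToken) {
            accessTokenAuthentication = (AbstractOAuth2TokenAuthenticationToken<?>) principal;
        }
        if (accessTokenAuthentication == null || !accessTokenAuthentication.isAuthenticated()) {
            throw new OAuth2AuthenticationException("invalid_token");
        }

        // The token must have been issued by this server and still be on record.
        String accessTokenValue = accessTokenAuthentication.getToken().getTokenValue();
        OAuth2Authorization authorization = this.authorizationService.findByToken(accessTokenValue, OAuth2TokenType.ACCESS_TOKEN);
        if (authorization == null) {
            throw new OAuth2AuthenticationException("invalid_token");
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Retrieved authorization with access token");
        }

        // Reject expired/invalidated tokens even though they are still on record.
        OAuth2Authorization.Token<OAuth2AccessToken> authorizedAccessToken = authorization.getAccessToken();
        if (!authorizedAccessToken.isActive()) {
            throw new OAuth2AuthenticationException("invalid_token");
        }

        checkScope(authorizedAccessToken, Collections.singleton(DEFAULT_CLIENT_CONFIGURATION_AUTHORIZED_SCOPE));
        return findRegistration(clientRegistrationAuthentication, authorization);
    }

    /**
     * @return {@code true} for {@link OidcClientRegistrationAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> authentication) {
        return OidcClientRegistrationAuthenticationToken.class.isAssignableFrom(authentication);
    }

    /**
     * Resolves the registered client named by the request and binds it to the presented token.
     *
     * <p>The {@code client_id} must identify the very client the access token was issued to; this is what
     * stops a registration access token of one client from being used to read another client's
     * configuration.
     *
     * @param clientRegistrationAuthentication the incoming request token (supplies {@code client_id} and principal)
     * @param authorization the authorization the access token was resolved from
     * @return an authenticated token carrying the client's {@link OidcClientRegistration}
     * @throws OAuth2AuthenticationException {@code invalid_client} when the client is unknown or does not
     *     match the authorization's registered client
     */
    private OidcClientRegistrationAuthenticationToken findRegistration(OidcClientRegistrationAuthenticationToken clientRegistrationAuthentication, OAuth2Authorization authorization) {
        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientRegistrationAuthentication.getClientId());
        if (registeredClient == null) {
            throw new OAuth2AuthenticationException("invalid_client");
        }
        if (!registeredClient.getId().equals(authorization.getRegisteredClientId())) {
            throw new OAuth2AuthenticationException("invalid_client");
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Validated client configuration request parameters");
        }
        OidcClientRegistration clientRegistration = this.clientRegistrationConverter.convert(registeredClient);
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Authenticated client configuration request");
        }
        return new OidcClientRegistrationAuthenticationToken((Authentication) clientRegistrationAuthentication.getPrincipal(), clientRegistration);
    }

    /**
     * Ensures the access token's {@code scope} claim grants exactly {@code requiredScope}: every required
     * scope must be present, and nothing else may be present, so a broadly scoped token cannot double as
     * a registration access token.
     *
     * <p>The decompiled form of this method assigned a {@code Collection} to a raw {@code Set} variable,
     * which does not compile; it is rewritten against {@code Collection<?>}, which also removes the
     * unchecked cast. A missing or malformed (non-collection) claim is treated as an empty scope set and
     * therefore fails closed with {@code insufficient_scope} instead of a {@code ClassCastException}.
     *
     * @param authorizedAccessToken the access token whose claims are inspected
     * @param requiredScope the scopes the token must carry, and only those
     * @throws OAuth2AuthenticationException {@code insufficient_scope} when a required scope is missing,
     *     {@code invalid_token} when the token carries additional scopes
     */
    private static void checkScope(OAuth2Authorization.Token<OAuth2AccessToken> authorizedAccessToken, Set<String> requiredScope) {
        Object scopeClaim = authorizedAccessToken.getClaims().get(OidcClientMetadataClaimNames.SCOPE);
        Collection<?> authorizedScope = (scopeClaim instanceof Collection)
                ? (Collection<?>) scopeClaim
                : Collections.emptySet();
        if (!authorizedScope.containsAll(requiredScope)) {
            throw new OAuth2AuthenticationException("insufficient_scope");
        }
        if (authorizedScope.size() != requiredScope.size()) {
            // Extra scopes present: the token is not narrowly scoped to the configuration endpoint.
            throw new OAuth2AuthenticationException("invalid_token");
        }
    }
}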
