package com.sap.cloud.security.adapter.spring;

import com.sap.cloud.security.config.Environments;
import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.token.AccessToken;
import com.sap.cloud.security.token.GrantType;
import com.sap.cloud.security.token.ScopeConverter;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.XsuaaScopeConverter;
import com.sap.cloud.security.token.XsuaaToken;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.token.validation.validators.JwtValidatorBuilder;
import com.sap.cloud.security.xsuaa.Assertions;
import com.sap.cloud.security.xsuaa.client.SpringOAuth2TokenKeyService;
import com.sap.cloud.security.xsuaa.client.SpringOidcConfigurationService;
import java.util.Collection;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:com/sap/cloud/security/adapter/spring/SAPOfflineTokenServicesCloud.class */
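/**
 * {@link ResourceServerTokenServices} implementation that validates an encoded access token
 * locally with a {@link Validator} built from a {@link JwtValidatorBuilder} and turns it into
 * an {@link OAuth2Authentication}.
 *
 * <p>Lifecycle: {@link #afterPropertiesSet()} builds the validator and must run before
 * {@link #loadAuthentication(String)} is called. Spring does this for managed beans; an
 * instance created by hand has to call it explicitly.
 *
 * <p>Which checks (signature, audience, expiry, ...) are applied is decided entirely by the
 * validators the builder produces; none of them are visible in this class.
 */
public class SAPOfflineTokenServicesCloud implements ResourceServerTokenServices, InitializingBean {
    private static final Logger LOGGER = LoggerFactory.getLogger(SAPOfflineTokenServicesCloud.class);

    private final OAuth2ServiceConfiguration serviceConfiguration;
    private final JwtValidatorBuilder jwtValidatorBuilder;
    // Null when the service configuration carries no "xsappname" property.
    private final ScopeConverter xsuaaScopeConverter;
    // Built in afterPropertiesSet(); null until then.
    private Validator<Token> tokenValidator;
    private boolean useLocalScopeAsAuthorities;

    /**
     * User part of the {@link OAuth2Authentication}: principal and name are the token's
     * {@code user_name} claim, the details object is the token itself.
     *
     * <p>The constructor marks the instance as authenticated unconditionally, so it must only
     * be created for a token that has already passed validation. (The decompiler reports that
     * this type was originally {@code private}.)
     */
    public static class UserAuthenticationToken extends AbstractAuthenticationToken {
        private final String username;

        /**
         * @param token validated token that supplies the {@code user_name} claim
         * @param set scope names that become the granted authorities
         */
        public UserAuthenticationToken(Token token, Set<String> set) {
            super(SAPOfflineTokenServicesCloud.createAuthorities(set));
            this.username = token.getClaimAsString("user_name");
            setAuthenticated(true);
            setDetails(token);
        }

        /** @return the {@code user_name} claim of the token */
        public String getName() {
            return this.username;
        }

        /** @return the fixed placeholder {@code "N/A"}; no credential is kept */
        public Object getCredentials() {
            return "N/A";
        }

        /** @return the {@code user_name} claim of the token */
        public Object getPrincipal() {
            return this.username;
        }
    }

    /** Creates an instance from the XSUAA configuration of the current environment. */
    public SAPOfflineTokenServicesCloud() {
        this(Environments.getCurrent().getXsuaaConfiguration());
    }

    /**
     * Creates an instance that talks to the identity service through a default
     * {@link RestTemplate}.
     *
     * @param oAuth2ServiceConfiguration service configuration, must not be null
     * @deprecated presumably in favour of the overload that takes {@link RestOperations}, so
     *     that the caller supplies a configured HTTP client; confirm against the library docs
     */
    @Deprecated
    public SAPOfflineTokenServicesCloud(OAuth2ServiceConfiguration oAuth2ServiceConfiguration) {
        this(oAuth2ServiceConfiguration, new RestTemplate());
    }

    /**
     * Creates an instance whose token-key and OIDC-configuration lookups use the given client.
     *
     * @param oAuth2ServiceConfiguration service configuration, must not be null
     * @param restOperations HTTP client handed to the key and OIDC configuration services
     */
    public SAPOfflineTokenServicesCloud(OAuth2ServiceConfiguration oAuth2ServiceConfiguration, RestOperations restOperations) {
        this(
                oAuth2ServiceConfiguration,
                JwtValidatorBuilder.getInstance(oAuth2ServiceConfiguration)
                        .withOAuth2TokenKeyService(new SpringOAuth2TokenKeyService(restOperations))
                        .withOidcConfigurationService(new SpringOidcConfigurationService(restOperations)));
    }

    /**
     * Creates an instance with an explicit validator builder.
     *
     * @param oAuth2ServiceConfiguration service configuration, must not be null
     * @param jwtValidatorBuilder builder used by {@link #afterPropertiesSet()}, must not be null
     */
    SAPOfflineTokenServicesCloud(OAuth2ServiceConfiguration oAuth2ServiceConfiguration, JwtValidatorBuilder jwtValidatorBuilder) {
        Assertions.assertNotNull(oAuth2ServiceConfiguration, "serviceConfiguration is required.");
        Assertions.assertNotNull(jwtValidatorBuilder, "jwtValidatorBuilder is required.");
        this.serviceConfiguration = oAuth2ServiceConfiguration;
        this.jwtValidatorBuilder = jwtValidatorBuilder;
        // A scope converter can only be derived when the application name is configured.
        this.xsuaaScopeConverter = oAuth2ServiceConfiguration.hasProperty("xsappname")
                ? new XsuaaScopeConverter(oAuth2ServiceConfiguration.getProperty("xsappname"))
                : null;
    }

    /**
     * Registers a further service configuration with the validator builder.
     *
     * <p>The validator is only built in {@link #afterPropertiesSet()}, so a call made after
     * that point does not change the validator already in use.
     *
     * @param oAuth2ServiceConfiguration additional service configuration
     * @return this instance
     */
    public SAPOfflineTokenServicesCloud withAnotherServiceConfiguration(OAuth2ServiceConfiguration oAuth2ServiceConfiguration) {
        this.jwtValidatorBuilder.configureAnotherServiceInstance(oAuth2ServiceConfiguration);
        return this;
    }

    /**
     * Parses and validates the encoded token and builds the authentication for it.
     *
     * <p>On success the token is also stored in {@link SecurityContext}. The client id of the
     * returned authentication comes from the token, not from the service configuration; a
     * mismatch is only logged here, so rejecting foreign clients is left to the configured
     * validators.
     *
     * @param str encoded access token
     * @return authentication carrying the token's client id and scopes
     * @throws InvalidTokenException if the token cannot be parsed or fails validation; the
     *     validator's error description is used as the message
     * @throws IllegalStateException if {@link #afterPropertiesSet()} has not been called, or
     *     local scopes were requested without a configured {@code xsappname}
     */
    public OAuth2Authentication loadAuthentication(@Nonnull String str) throws AuthenticationException, InvalidTokenException {
        Token token = checkAndCreateToken(str);
        if (this.tokenValidator == null) {
            // Fail with a clear message instead of a NullPointerException below.
            throw new IllegalStateException("tokenValidator is not initialized; call afterPropertiesSet() first.");
        }
        ValidationResult result = this.tokenValidator.validate(token);
        if (result.isErroneous()) {
            throw new InvalidTokenException(result.getErrorDescription());
        }
        // Resolve the authorities first so a configuration error cannot leave a token behind
        // in the SecurityContext for a request that is about to fail.
        Set<String> scopes = getScopes(token);
        SecurityContext.setToken(token);
        String tokenClientId = token.getClientId();
        String configuredClientId = this.serviceConfiguration.getClientId();
        // Compare by value: a reference comparison reports a difference for equal ids.
        if (LOGGER.isInfoEnabled() && !Objects.equals(tokenClientId, configuredClientId)) {
            LOGGER.info("Creates OAuth2Authentication with token clientId {} which differs from oauth client id {}.", tokenClientId, configuredClientId);
        }
        return createOAuth2Authentication(tokenClientId, scopes, token);
    }

    /**
     * Builds an approved {@link OAuth2Authentication} for the given client and scopes.
     *
     * @param str client id placed into the authorization request
     * @param set scope names, also used as the request's authorities
     * @param token token used to derive the optional user authentication
     * @return authentication whose user part is null for client-only tokens
     */
    static OAuth2Authentication createOAuth2Authentication(String str, Set<String> set, Token token) {
        UserAuthenticationToken userAuthentication = getUserAuthentication(token, set);
        AuthorizationRequest request = new AuthorizationRequest(str, set);
        request.setAuthorities(createAuthorities(set));
        request.setApproved(true);
        return new OAuth2Authentication(request.createOAuth2Request(), userAuthentication);
    }

    /**
     * Returns the user authentication for the token, or null when the token was issued for a
     * client-credentials or client-x509 grant or has no {@code user_name} claim.
     */
    @Nullable
    private static UserAuthenticationToken getUserAuthentication(Token token, Set<String> set) {
        GrantType grantType = token instanceof AccessToken ? ((AccessToken) token).getGrantType() : null;
        boolean clientOnly = grantType == GrantType.CLIENT_CREDENTIALS || grantType == GrantType.CLIENT_X509;
        if (clientOnly || token.getClaimAsString("user_name") == null) {
            return null;
        }
        return new UserAuthenticationToken(token, set);
    }

    /**
     * Returns the token's scopes, converted with the scope converter when local scopes were
     * requested. Tokens that are not an {@link AccessToken} yield an empty set.
     *
     * @throws IllegalStateException if local scopes were requested but no converter exists
     *     because the configuration has no {@code xsappname} property
     */
    private Set<String> getScopes(Token token) {
        Set<String> scopes = token instanceof AccessToken ? ((AccessToken) token).getScopes() : Collections.emptySet();
        if (!this.useLocalScopeAsAuthorities) {
            return scopes;
        }
        if (this.xsuaaScopeConverter == null) {
            // Previously a NullPointerException; keep failing closed, but say why.
            throw new IllegalStateException("Local scopes requested, but the service configuration has no 'xsappname' property.");
        }
        return this.xsuaaScopeConverter.convert(scopes);
    }

    /** Builds the token validator from the configured builder. */
    public void afterPropertiesSet() {
        this.tokenValidator = this.jwtValidatorBuilder.build();
    }

    /**
     * Not supported by this implementation.
     *
     * @throws UnsupportedOperationException always
     */
    public OAuth2AccessToken readAccessToken(String str) {
        throw new UnsupportedOperationException("Not supported: readAccessToken()");
    }

    /**
     * Selects whether authorities are the converted (local) scope names.
     *
     * <p>Enabling this requires an {@code xsappname} property in the service configuration;
     * without it {@link #loadAuthentication(String)} fails with an
     * {@link IllegalStateException}.
     *
     * @param z true to convert scopes before using them as authorities
     * @return this instance
     */
    public SAPOfflineTokenServicesCloud setLocalScopeAsAuthorities(boolean z) {
        this.useLocalScopeAsAuthorities = z;
        return this;
    }

    /**
     * Maps each scope name to a {@link SimpleGrantedAuthority}. (The decompiler reports that
     * this method was originally {@code private}.)
     *
     * @param collection scope names
     * @return one authority per distinct scope name
     */
    public static Set<GrantedAuthority> createAuthorities(Collection<String> collection) {
        // The explicit type argument replaces the raw (Set) cast of the decompiled code.
        return collection.stream()
                .<GrantedAuthority>map(SimpleGrantedAuthority::new)
                .collect(Collectors.toSet());
    }

    /**
     * Parses the encoded token for the configured service. Only {@link Service#XSUAA} is
     * supported.
     *
     * @throws InvalidTokenException if the service is not supported or parsing fails; the
     *     underlying exception is kept as the cause
     */
    private Token checkAndCreateToken(@Nonnull String str) {
        try {
            Service service = this.serviceConfiguration.getService();
            if (service != Service.XSUAA) {
                throw new InvalidTokenException("AccessToken of service " + service + " is not supported.");
            }
            return new XsuaaToken(str).withScopeConverter(this.xsuaaScopeConverter);
        } catch (InvalidTokenException e) {
            // Already the type callers expect; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            // Keep the cause so the parsing failure stays diagnosable in server logs.
            throw new InvalidTokenException(e.getMessage(), e);
        }
    }
}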
