package org.mitre.oauth2.token;

import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Date;
import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.OAuth2AccessTokenEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.service.OAuth2TokenEntityService;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
import org.springframework.stereotype.Component;

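/**
 * Token granter for the {@code urn:ietf:params:oauth:grant-type:jwt-bearer} grant type.
 *
 * <p>The {@code assertion} request parameter is looked up in the token store. When the stored
 * token carries the {@code id-token} scope, a replacement ID token is signed with a fresh issue
 * time (and expiration, when the client configures one), attached to the access token returned by
 * {@code getAccessTokenForIdToken}, and the presented token is revoked.
 */
@Component("jwtAssertionTokenGranter")
/* loaded from: input_file:org/mitre/oauth2/token/JWTAssertionTokenGranter.class */
public class JWTAssertionTokenGranter extends AbstractTokenGranter {
    private static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
    private static final String ASSERTION_PARAMETER = "assertion";
    private static final String ID_TOKEN_SCOPE = "id-token";

    private final OAuth2TokenEntityService tokenServices;

    @Autowired
    private JWTSigningAndValidationService jwtService;

    @Autowired
    private ConfigurationPropertiesBean config;

    /**
     * Registers this granter for the JWT-bearer grant type and keeps a typed reference to the
     * token service, which is needed for the ID-token specific lookups below.
     */
    @Autowired
    public JWTAssertionTokenGranter(OAuth2TokenEntityService oAuth2TokenEntityService, ClientDetailsEntityService clientDetailsEntityService, OAuth2RequestFactory oAuth2RequestFactory) {
        super(oAuth2TokenEntityService, clientDetailsEntityService, oAuth2RequestFactory, GRANT_TYPE);
        this.tokenServices = oAuth2TokenEntityService;
    }

    /**
     * Exchanges a presented ID token for a newly signed one.
     *
     * @param clientDetails the client the request is being processed for
     * @param tokenRequest the token request; its {@code assertion} parameter holds the token value
     * @return the saved replacement ID token, or {@code null} when the presented token lacks the
     *     {@code id-token} scope, has no access token associated with it, or cannot be parsed
     * @throws InvalidClientException if the client id of {@code clientDetails} differs from the
     *     client id on the request
     * @throws BadCredentialsException if {@code clientDetails} is not a {@link ClientDetailsEntity}
     */
    protected OAuth2AccessToken getAccessToken(ClientDetails clientDetails, TokenRequest tokenRequest) throws AuthenticationException, InvalidTokenException {
        // Client-supplied value: it is both the token-store lookup key and the JWT parsed below.
        String assertion = (String) tokenRequest.getRequestParameters().get(ASSERTION_PARAMETER);
        OAuth2AccessTokenEntity incomingToken = this.tokenServices.readAccessToken(assertion);
        if (!incomingToken.getScope().contains(ID_TOKEN_SCOPE)) {
            return null;
        }
        // NOTE(review): this compares clientDetails with the client id on the same request, not
        // with the client the stored token belongs to (incomingToken.getClient(), copied onto the
        // new token below). Confirm that a token issued to a different client cannot be exchanged
        // through this path.
        if (!clientDetails.getClientId().equals(tokenRequest.getClientId())) {
            throw new InvalidClientException("Not the right client for this token");
        }
        try {
            JWT incomingJwt = JWTParser.parse(assertion);
            OAuth2AccessTokenEntity accessToken = this.tokenServices.getAccessTokenForIdToken(incomingToken);
            if (accessToken == null) {
                return null;
            }
            OAuth2AccessTokenEntity newIdTokenEntity = new OAuth2AccessTokenEntity();
            JWTClaimsSet claims = new JWTClaimsSet(incomingJwt.getJWTClaimsSet());
            if (!(clientDetails instanceof ClientDetailsEntity)) {
                this.logger.fatal("SEVERE: Client is not an instance of ClientDetailsEntity.");
                throw new BadCredentialsException("SEVERE: Client is not an instance of ClientDetailsEntity; JwtAssertionTokenGranter cannot process this request.");
            }
            ClientDetailsEntity clientEntity = (ClientDetailsEntity) clientDetails;
            // NOTE(review): when no validity is configured, no expiration is set here, so the new
            // token entity has none and the claims keep whatever the copy above carried over.
            if (clientEntity.getIdTokenValiditySeconds() != null) {
                // Multiply as long: int arithmetic overflows once the lifetime exceeds ~24.8 days,
                // which would yield an expiration in the past.
                long lifetimeMillis = clientEntity.getIdTokenValiditySeconds().longValue() * 1000L;
                Date expiration = new Date(System.currentTimeMillis() + lifetimeMillis);
                claims.setExpirationTime(expiration);
                newIdTokenEntity.setExpiration(expiration);
            }
            claims.setIssueTime(new Date());
            // NOTE(review): the header of the new token is taken from the presented assertion;
            // confirm that signJwt chooses the algorithm and key itself rather than honouring
            // values from that header.
            SignedJWT newIdToken = new SignedJWT(incomingJwt.getHeader(), claims);
            this.jwtService.signJwt(newIdToken);
            newIdTokenEntity.setJwt(newIdToken);
            newIdTokenEntity.setAuthenticationHolder(incomingToken.getAuthenticationHolder());
            newIdTokenEntity.setScope(incomingToken.getScope());
            newIdTokenEntity.setClient(incomingToken.getClient());
            // Persist the new ID token first so the access token can reference the saved entity,
            // then retire the presented token.
            OAuth2AccessTokenEntity savedIdToken = this.tokenServices.saveAccessToken(newIdTokenEntity);
            accessToken.setIdToken(savedIdToken);
            this.tokenServices.saveAccessToken(accessToken);
            this.tokenServices.revokeAccessToken(incomingToken);
            return savedIdToken;
        } catch (ParseException e) {
            this.logger.warn("Couldn't parse id token", e);
            return null;
        }
    }
}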
