package org.springframework.security.oauth2.client.token;

import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-2.3.3.RELEASE.jar:org/springframework/security/oauth2/client/token/AccessTokenProviderChain.class */
/**
 * An {@link AccessTokenProvider} that delegates to an ordered list of other providers and,
 * when a {@link ClientTokenServices} is configured, reuses and persists tokens through it.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>An anonymous authentication is rejected unless the resource is client-only.</li>
 * <li>Tokens are read from and written to the token store only when the resource is
 * client-only or the current authentication is non-null and authenticated.</li>
 * <li>An expired stored token is removed from the store before any refresh is attempted.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiled from the spring-security-oauth2 jar named in the
 * loader comment above the class. The legacy Spring Security OAuth project is, to the reviewer's
 * knowledge, end-of-life upstream; confirm the deployed version against current advisories.
 */
public class AccessTokenProviderChain extends OAuth2AccessTokenSupport implements AccessTokenProvider {
    // Ordered delegates; the first one that reports support for a resource is used.
    private final List<AccessTokenProvider> chain;
    // Optional token store; every use below is guarded by a null check.
    private ClientTokenServices clientTokenServices;

    /**
     * Creates a chain over the given providers.
     *
     * <p>A {@code null} argument yields an empty chain. A non-null list is wrapped in a
     * read-only view, not copied, so later changes the caller makes to the list it passed in
     * remain visible through this chain.
     *
     * @param list the delegate providers in priority order, or {@code null}
     */
    public AccessTokenProviderChain(List<? extends AccessTokenProvider> list) {
        if (list == null) {
            this.chain = Collections.emptyList();
        } else {
            this.chain = Collections.unmodifiableList(list);
        }
    }

    /**
     * Sets the store used to look up, remove and save access tokens.
     *
     * @param clientTokenServices the token store; {@code null} disables token persistence
     */
    public void setClientTokenServices(ClientTokenServices clientTokenServices) {
        this.clientTokenServices = clientTokenServices;
    }

    /**
     * Reports whether at least one delegate can obtain a token for the resource.
     *
     * @param oAuth2ProtectedResourceDetails the resource to check
     * @return {@code true} if any provider in the chain supports the resource
     */
    @Override
    public boolean supportsResource(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails) {
        for (AccessTokenProvider candidate : this.chain) {
            if (candidate.supportsResource(oAuth2ProtectedResourceDetails)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether at least one delegate can refresh a token for the resource.
     *
     * @param oAuth2ProtectedResourceDetails the resource to check
     * @return {@code true} if any provider in the chain supports refresh for the resource
     */
    @Override
    public boolean supportsRefresh(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails) {
        for (AccessTokenProvider candidate : this.chain) {
            if (candidate.supportsRefresh(oAuth2ProtectedResourceDetails)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns an access token for the resource, preferring a still-valid existing token, then a
     * refresh of an expired one, and finally a newly obtained token.
     *
     * <p>The token store is consulted and updated only when the resource is client-only or the
     * current authentication is non-null and authenticated. For a client-only resource the
     * authentication handed to the store can therefore be {@code null} or anonymous.
     * NOTE(review): confirm the configured {@link ClientTokenServices} keys client-only tokens
     * in a way that does not depend on the authentication.
     *
     * @param oAuth2ProtectedResourceDetails the resource a token is needed for
     * @param accessTokenRequest the current request, possibly carrying an existing token
     * @return a non-null access token
     * @throws InsufficientAuthenticationException if the current authentication is anonymous
     *         and the resource is not client-only
     * @throws IllegalStateException if the chain returned {@code null} instead of a token
     */
    @Override
    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails, AccessTokenRequest accessTokenRequest) throws UserRedirectRequiredException, AccessDeniedException {
        Authentication currentAuth = SecurityContextHolder.getContext().getAuthentication();
        if (currentAuth instanceof AnonymousAuthenticationToken) {
            // Anonymous callers may only use grants that need no user (client-only resources).
            if (!oAuth2ProtectedResourceDetails.isClientOnly()) {
                throw new InsufficientAuthenticationException("Authentication is required to obtain an access token (anonymous not allowed)");
            }
        }

        OAuth2AccessToken token = null;
        if (oAuth2ProtectedResourceDetails.isClientOnly() || (currentAuth != null && currentAuth.isAuthenticated())) {
            token = reuseOrRefreshExistingToken(oAuth2ProtectedResourceDetails, accessTokenRequest, currentAuth);
        }

        if (token == null) {
            // Nothing reusable: ask the chain for a new token. This path is also reached for
            // unauthenticated callers, where a delegate may throw to trigger a redirect.
            token = obtainNewAccessTokenInternal(oAuth2ProtectedResourceDetails, accessTokenRequest);
            if (token == null) {
                throw new IllegalStateException("An OAuth 2 access token must be obtained or an exception thrown.");
            }
        }

        if (this.clientTokenServices != null) {
            // Same eligibility rule as for the lookup, re-evaluated at save time.
            if (oAuth2ProtectedResourceDetails.isClientOnly() || (currentAuth != null && currentAuth.isAuthenticated())) {
                this.clientTokenServices.saveAccessToken(oAuth2ProtectedResourceDetails, currentAuth, token);
            }
        }
        return token;
    }

    /**
     * Looks for a token on the request, then in the token store, and returns it if it is still
     * valid or can be refreshed.
     *
     * <p>An expired token is removed from the store before the refresh call, so if the refresh
     * throws, the store no longer holds the expired entry.
     *
     * @return the reusable or refreshed token, or {@code null} if a new one must be obtained
     */
    private OAuth2AccessToken reuseOrRefreshExistingToken(OAuth2ProtectedResourceDetails resource, AccessTokenRequest request, Authentication currentAuth) throws UserRedirectRequiredException {
        OAuth2AccessToken known = request.getExistingToken();
        if (known == null && this.clientTokenServices != null) {
            known = this.clientTokenServices.getAccessToken(resource, currentAuth);
        }
        if (known == null) {
            return null;
        }
        if (!known.isExpired()) {
            return known;
        }

        if (this.clientTokenServices != null) {
            this.clientTokenServices.removeAccessToken(resource, currentAuth);
        }
        OAuth2RefreshToken refreshToken = known.getRefreshToken();
        // Client-only resources never refresh; they fall through to a new token request.
        if (refreshToken == null || resource.isClientOnly()) {
            return null;
        }
        return refreshAccessToken(resource, refreshToken, request);
    }

    /**
     * Obtains a new token from the first delegate that supports the resource.
     *
     * <p>If the request is flagged as an error, an {@link OAuth2Exception} is built from the
     * request's parameters and thrown before any delegate is consulted.
     * NOTE(review): those parameters presumably come from the authorization response and so are
     * externally controlled; confirm they are encoded before being rendered or logged.
     *
     * @param oAuth2ProtectedResourceDetails the resource a token is needed for
     * @param accessTokenRequest the current request
     * @return whatever the selected delegate returns
     * @throws OAuth2AccessDeniedException if no delegate supports the resource
     */
    protected OAuth2AccessToken obtainNewAccessTokenInternal(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails, AccessTokenRequest accessTokenRequest) throws UserRedirectRequiredException, AccessDeniedException {
        if (accessTokenRequest.isError()) {
            throw OAuth2Exception.valueOf(accessTokenRequest.toSingleValueMap());
        }
        for (AccessTokenProvider candidate : this.chain) {
            if (!candidate.supportsResource(oAuth2ProtectedResourceDetails)) {
                continue;
            }
            return candidate.obtainAccessToken(oAuth2ProtectedResourceDetails, accessTokenRequest);
        }
        throw new OAuth2AccessDeniedException("Unable to obtain a new access token for resource '" + oAuth2ProtectedResourceDetails.getId() + "'. The provider manager is not configured to support it.", oAuth2ProtectedResourceDetails);
    }

    /**
     * Refreshes a token through the first delegate that supports refresh for the resource.
     *
     * <p>The delegate's result is copied into a {@link DefaultOAuth2AccessToken}. When that
     * result carries no refresh token, the refresh token that was presented is attached to it,
     * so the same refresh token stays in use for later refreshes.
     *
     * @param oAuth2ProtectedResourceDetails the resource the token belongs to
     * @param oAuth2RefreshToken the refresh token to present
     * @param accessTokenRequest the current request
     * @return the refreshed access token
     * @throws OAuth2AccessDeniedException if no delegate supports refresh for the resource
     */
    @Override
    public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails, OAuth2RefreshToken oAuth2RefreshToken, AccessTokenRequest accessTokenRequest) throws UserRedirectRequiredException {
        for (AccessTokenProvider candidate : this.chain) {
            if (!candidate.supportsRefresh(oAuth2ProtectedResourceDetails)) {
                continue;
            }
            OAuth2AccessToken fromProvider = candidate.refreshAccessToken(oAuth2ProtectedResourceDetails, oAuth2RefreshToken, accessTokenRequest);
            DefaultOAuth2AccessToken refreshed = new DefaultOAuth2AccessToken(fromProvider);
            if (refreshed.getRefreshToken() == null) {
                refreshed.setRefreshToken(oAuth2RefreshToken);
            }
            return refreshed;
        }
        throw new OAuth2AccessDeniedException("Unable to obtain a new access token for resource '" + oAuth2ProtectedResourceDetails.getId() + "'. The provider manager is not configured to support it.", oAuth2ProtectedResourceDetails);
    }
}
