package org.alfresco.repo.security.authentication.identityservice;

import java.time.Instant;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.alfresco.repo.forms.processor.node.FormFieldConstants;
import org.alfresco.repo.security.authentication.identityservice.IdentityServiceFacade;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.oauth2.client.endpoint.AbstractOAuth2AuthorizationGrantRequest;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.DefaultPasswordTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.DefaultRefreshTokenTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:org/alfresco/repo/security/authentication/identityservice/SpringBasedIdentityServiceFacade.class */
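/**
 * {@link IdentityServiceFacade} implementation backed by Spring Security's OAuth2 client classes.
 *
 * <p>Token requests are delegated to one {@link OAuth2AccessTokenResponseClient} per supported grant
 * type (authorization code, refresh token, password); bearer tokens are decoded by the injected
 * {@link JwtDecoder}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This class performs no token validation of its own. Signature, issuer, audience and expiry
 *       checks are whatever the injected {@code JwtDecoder} is configured to do.</li>
 *   <li>The authorization-code path only redeems a code. No {@code state} or PKCE parameter is set or
 *       checked here, so the caller must have validated the authorization response beforehand.</li>
 * </ul>
 */
class SpringBasedIdentityServiceFacade implements IdentityServiceFacade {
    private static final Log LOGGER = LogFactory.getLog(SpringBasedIdentityServiceFacade.class);

    /** Arbitrary issue time for the placeholder access token built for refresh-token requests. */
    private static final Instant SOME_INSIGNIFICANT_DATE_IN_THE_PAST = Instant.MIN.plusSeconds(12345);

    // Raw OAuth2AccessTokenResponseClient on purpose: each entry handles a different request subtype and
    // the lookup in getClient() is keyed by the request's own grant type.
    private final Map<AuthorizationGrantType, OAuth2AccessTokenResponseClient> clients;
    private final ClientRegistration clientRegistration;
    private final JwtDecoder jwtDecoder;

    /** Adapts any Spring OAuth2 token to the facade's {@link IdentityServiceFacade.AccessToken} view. */
    private static class SpringAccessToken implements IdentityServiceFacade.AccessToken {
        private final AbstractOAuth2Token token;

        /**
         * @param token the Spring token to wrap
         * @throws NullPointerException if {@code token} is null
         */
        private SpringAccessToken(AbstractOAuth2Token token) {
            this.token = Objects.requireNonNull(token);
        }

        /** @return the raw token value; treat it as a secret and keep it out of logs */
        @Override
        public String getTokenValue() {
            return this.token.getTokenValue();
        }

        /** @return the expiry instant reported by the wrapped token */
        @Override
        public Instant getExpiresAt() {
            return this.token.getExpiresAt();
        }
    }

    /** Adapts a Spring token response to {@link IdentityServiceFacade.AccessTokenAuthorization}. */
    private static class SpringAccessTokenAuthorization implements IdentityServiceFacade.AccessTokenAuthorization {
        private final OAuth2AccessTokenResponse tokenResponse;

        /**
         * @param tokenResponse the token endpoint response to wrap
         * @throws NullPointerException if {@code tokenResponse} is null
         */
        private SpringAccessTokenAuthorization(OAuth2AccessTokenResponse tokenResponse) {
            this.tokenResponse = Objects.requireNonNull(tokenResponse);
        }

        /** @return a new wrapper around the response's access token on every call */
        @Override
        public IdentityServiceFacade.AccessToken getAccessToken() {
            return new SpringAccessToken(this.tokenResponse.getAccessToken());
        }

        /** @return the refresh token value, or {@code null} when the response carried no refresh token */
        @Override
        public String getRefreshTokenValue() {
            return Optional.of(this.tokenResponse)
                    .map(OAuth2AccessTokenResponse::getRefreshToken)
                    .map(OAuth2RefreshToken::getTokenValue)
                    .orElse(null);
        }
    }

    /** Access token wrapper that additionally exposes the claims of the decoded {@link Jwt}. */
    private static class SpringDecodedAccessToken extends SpringAccessToken implements IdentityServiceFacade.DecodedAccessToken {
        private final Jwt jwt;

        /**
         * @param jwt the decoded token
         * @throws NullPointerException if {@code jwt} is null
         */
        private SpringDecodedAccessToken(Jwt jwt) {
            super(jwt);
            this.jwt = jwt;
        }

        /**
         * @param claim the claim name
         * @return the claim value as returned by {@link Jwt#getClaim(String)}
         */
        @Override
        public Object getClaim(String claim) {
            return this.jwt.getClaim(claim);
        }
    }

    /**
     * Builds the facade and one token client per supported grant type, all sharing {@code restOperations}.
     *
     * <p>The decompiler reports that this constructor was package-private in the original source.
     *
     * @param restOperations HTTP client used for every token endpoint call
     * @param clientRegistration OAuth2 client registration (client id, scopes, provider endpoints)
     * @param jwtDecoder decoder used by {@link #decodeToken(String)}
     * @throws NullPointerException if any argument is null
     */
    public SpringBasedIdentityServiceFacade(RestOperations restOperations, ClientRegistration clientRegistration, JwtDecoder jwtDecoder) {
        Objects.requireNonNull(restOperations);
        this.clientRegistration = Objects.requireNonNull(clientRegistration);
        this.jwtDecoder = Objects.requireNonNull(jwtDecoder);
        // Map.of yields an unmodifiable map, so the supported grant types are fixed at construction.
        this.clients = Map.of(
                AuthorizationGrantType.AUTHORIZATION_CODE, createAuthorizationCodeClient(restOperations),
                AuthorizationGrantType.REFRESH_TOKEN, createRefreshTokenClient(restOperations),
                AuthorizationGrantType.PASSWORD, createPasswordClient(restOperations));
    }

    /**
     * Exchanges the given grant for an access token at the authorization server.
     *
     * @param authorizationGrant the grant (password, refresh token or authorization code)
     * @return the token response wrapped as an {@link IdentityServiceFacade.AccessTokenAuthorization}
     * @throws NullPointerException if {@code authorizationGrant} is null
     * @throws UnsupportedOperationException if the grant is none of the three supported kinds
     * @throws IdentityServiceFacade.AuthorizationException if the token request fails for any reason
     */
    @Override
    public IdentityServiceFacade.AccessTokenAuthorization authorize(IdentityServiceFacade.AuthorizationGrant authorizationGrant) {
        // Fail with a named message instead of an anonymous NPE from inside createRequest().
        Objects.requireNonNull(authorizationGrant, "authorizationGrant");
        final AbstractOAuth2AuthorizationGrantRequest request = createRequest(authorizationGrant);
        try {
            return new SpringAccessTokenAuthorization(getClient(request).getTokenResponse(request));
        } catch (OAuth2AuthorizationException e) {
            // Rejections by the authorization server (e.g. bad credentials) are expected traffic, hence
            // debug level. The guard avoids building the message when debug is off, matching decodeToken().
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Failed to authorize against Authorization Server. Reason: " + e.getError() + FormFieldConstants.DOT_CHARACTER);
            }
            // NOTE(review): the exception message embeds the server-supplied OAuth2 error; confirm that
            // callers do not echo it verbatim to unauthenticated clients.
            throw new IdentityServiceFacade.AuthorizationException("Failed to obtain access token. " + e.getError(), e);
        } catch (RuntimeException e) {
            // Anything else (transport failure, unexpected response, unsupported grant type raised by
            // getClient) is unexpected and logged at warn; the cause is kept on the rethrown exception.
            LOGGER.warn("Failed to authorize against Authorization Server. Reason: " + e.getMessage());
            throw new IdentityServiceFacade.AuthorizationException("Failed to obtain access token.", e);
        }
    }

    /**
     * Decodes a bearer token with the injected {@link JwtDecoder}.
     *
     * <p>All validation is delegated to the decoder; this method adds none.
     *
     * @param token the serialized token
     * @return the decoded token with claim access
     * @throws IdentityServiceFacade.TokenDecodingException if the decoder throws any runtime exception
     */
    @Override
    public IdentityServiceFacade.DecodedAccessToken decodeToken(String token) {
        try {
            final Jwt decoded = this.jwtDecoder.decode(token);
            if (LOGGER.isDebugEnabled()) {
                // NOTE(review): this writes the complete claim set to the log. Depending on the identity
                // provider's claim mapping it may contain personal data (user name, e-mail, group
                // membership). Keep debug logging for this class off in production or restrict log access.
                LOGGER.debug("Bearer token outcome: " + decoded.getClaims());
            }
            return new SpringDecodedAccessToken(decoded);
        } catch (RuntimeException e) {
            throw new IdentityServiceFacade.TokenDecodingException("Failed to decode token. " + e.getMessage(), e);
        }
    }

    /**
     * Translates a facade grant into the matching Spring grant request.
     *
     * <p>The grant kinds are tested in the order password, refresh token, authorization code.
     *
     * @param authorizationGrant the grant to translate
     * @return the Spring request for the grant
     * @throws UnsupportedOperationException if the grant is none of the three kinds
     */
    private AbstractOAuth2AuthorizationGrantRequest createRequest(IdentityServiceFacade.AuthorizationGrant authorizationGrant) {
        if (authorizationGrant.isPassword()) {
            // Resource-owner password grant: the user's credentials pass through this service to the
            // token endpoint. Later Spring Security releases mark this grant's classes as deprecated.
            return new OAuth2PasswordGrantRequest(this.clientRegistration, authorizationGrant.getUsername(), authorizationGrant.getPassword());
        }
        if (authorizationGrant.isRefreshToken()) {
            // Spring's refresh request type demands an access token object; only the refresh token
            // matters here, so a fixed placeholder with dummy timestamps is supplied.
            // NOTE(review): presumably the placeholder value is never sent to the server; confirm against
            // the Spring version in use.
            final OAuth2AccessToken placeholder = new OAuth2AccessToken(
                    OAuth2AccessToken.TokenType.BEARER,
                    "JUST_FOR_FULFILLING_THE_SPRING_API",
                    SOME_INSIGNIFICANT_DATE_IN_THE_PAST,
                    SOME_INSIGNIFICANT_DATE_IN_THE_PAST.plusSeconds(1L));
            final OAuth2RefreshToken refreshToken = new OAuth2RefreshToken(authorizationGrant.getRefreshToken(), (Instant) null);
            return new OAuth2RefreshTokenGrantRequest(this.clientRegistration, placeholder, refreshToken, this.clientRegistration.getScopes());
        }
        if (!authorizationGrant.isAuthorizationCode()) {
            throw new UnsupportedOperationException("Unsupported grant type.");
        }
        // The authorization request/response pair is rebuilt only so the code can be redeemed. The same
        // redirect URI is placed on both sides and no state value is set, so nothing is cross-checked
        // here: validating the original authorization response is the caller's responsibility.
        final OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
                .clientId(this.clientRegistration.getClientId())
                .authorizationUri(this.clientRegistration.getProviderDetails().getAuthorizationUri())
                .redirectUri(authorizationGrant.getRedirectUri())
                .scopes(this.clientRegistration.getScopes())
                .build();
        final OAuth2AuthorizationResponse authorizationResponse = OAuth2AuthorizationResponse.success(authorizationGrant.getAuthorizationCode())
                .redirectUri(authorizationGrant.getRedirectUri())
                .build();
        return new OAuth2AuthorizationCodeGrantRequest(this.clientRegistration, new OAuth2AuthorizationExchange(authorizationRequest, authorizationResponse));
    }

    /**
     * Looks up the token client registered for the request's grant type.
     *
     * @param request the grant request about to be sent
     * @return the client for {@code request.getGrantType()}
     * @throws UnsupportedOperationException if no client is registered for that grant type
     */
    private OAuth2AccessTokenResponseClient getClient(AbstractOAuth2AuthorizationGrantRequest request) {
        final AuthorizationGrantType grantType = request.getGrantType();
        final OAuth2AccessTokenResponseClient client = this.clients.get(grantType);
        if (client == null) {
            throw new UnsupportedOperationException("Unsupported grant type `" + grantType + "`.");
        }
        return client;
    }

    /** Creates the authorization-code token client bound to {@code restOperations}. */
    private static OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> createAuthorizationCodeClient(RestOperations restOperations) {
        final DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRestOperations(restOperations);
        return client;
    }

    /** Creates the refresh-token token client bound to {@code restOperations}. */
    private static OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> createRefreshTokenClient(RestOperations restOperations) {
        final DefaultRefreshTokenTokenResponseClient client = new DefaultRefreshTokenTokenResponseClient();
        client.setRestOperations(restOperations);
        return client;
    }

    /** Creates the password-grant token client bound to {@code restOperations}. */
    private static OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> createPasswordClient(RestOperations restOperations) {
        final DefaultPasswordTokenResponseClient client = new DefaultPasswordTokenResponseClient();
        client.setRestOperations(restOperations);
        return client;
    }
}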
