package org.springframework.security.oauth2.server.authorization.authentication;

import java.security.Principal;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.log.LogMessage;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2DeviceCode;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.OAuth2UserCode;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationProvider.class */
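/**
 * {@link AuthenticationProvider} that handles the token request of the OAuth 2.0 device
 * authorization grant: it exchanges a device code for an access token and, when the client
 * is allowed the refresh-token grant, a refresh token.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The device code is bound to the client it was issued to. If a different
 *       authenticated client presents it, the code is invalidated and the request fails
 *       with {@code invalid_grant}.</li>
 *   <li>An expired device code is invalidated and answered with {@code expired_token}.</li>
 *   <li>The device code is invalidated in the same authorization that stores the issued
 *       tokens, so a second exchange of the same code is answered with
 *       {@code access_denied}.</li>
 * </ul>
 *
 * <p>NOTE(review): the lookup, the state checks and the final save are separate calls on
 * the {@link OAuth2AuthorizationService}. Whether two concurrent requests carrying the same
 * device code can both pass the checks depends on that service's implementation; confirm
 * for the store in use.
 */
public final class OAuth2DeviceCodeAuthenticationProvider implements AuthenticationProvider {
    private static final String DEFAULT_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
    private static final String DEVICE_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc8628#section-3.5";
    static final OAuth2TokenType DEVICE_CODE_TOKEN_TYPE = new OAuth2TokenType("device_code");
    static final String EXPIRED_TOKEN = "expired_token";
    static final String AUTHORIZATION_PENDING = "authorization_pending";
    private final Log logger = LogFactory.getLog(getClass());
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;

    /**
     * Creates the provider.
     *
     * @param oAuth2AuthorizationService store used to look up and persist authorizations; must not be null
     * @param oAuth2TokenGenerator generator used for the access token and the refresh token; must not be null
     * @throws IllegalArgumentException if either argument is null
     */
    public OAuth2DeviceCodeAuthenticationProvider(OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2TokenGenerator, "tokenGenerator cannot be null");
        this.authorizationService = oAuth2AuthorizationService;
        this.tokenGenerator = oAuth2TokenGenerator;
    }

    /**
     * Validates a device-code token request and issues the tokens.
     *
     * @param authentication the request; cast to {@code OAuth2DeviceCodeAuthenticationToken}
     * @return an {@code OAuth2AccessTokenAuthenticationToken} carrying the access token and,
     *         if one was generated, the refresh token
     * @throws OAuth2AuthenticationException with {@code invalid_grant} when the device code is
     *         unknown or belongs to another client, {@code expired_token} when it has expired,
     *         {@code authorization_pending} while the user code has not been invalidated,
     *         {@code access_denied} when the device code is already invalidated, and
     *         {@code server_error} when token generation fails
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // Typed as the concrete token so getDeviceCode() is reachable without a second cast.
        OAuth2DeviceCodeAuthenticationToken deviceCodeAuthentication = (OAuth2DeviceCodeAuthenticationToken) authentication;
        OAuth2ClientAuthenticationToken clientPrincipal = OAuth2AuthenticationProviderUtils.getAuthenticatedClientElseThrowInvalidClient(deviceCodeAuthentication);
        RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Retrieved registered client");
        }

        OAuth2Authorization authorization = this.authorizationService.findByToken(deviceCodeAuthentication.getDeviceCode(), DEVICE_CODE_TOKEN_TYPE);
        if (authorization == null) {
            throw new OAuth2AuthenticationException("invalid_grant");
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Retrieved authorization with device code");
        }

        OAuth2Authorization.Token<OAuth2UserCode> userCode = authorization.getToken(OAuth2UserCode.class);
        OAuth2Authorization.Token<OAuth2DeviceCode> deviceCode = authorization.getToken(OAuth2DeviceCode.class);

        // Client binding: a device code presented by a client other than the one recorded on
        // the authorization is revoked before the request is rejected, so the code cannot be
        // redeemed afterwards by either party.
        if (!registeredClient.getId().equals(authorization.getRegisteredClientId())) {
            invalidateDeviceCode(authorization, deviceCode);
            throw new OAuth2AuthenticationException("invalid_grant");
        }

        if (deviceCode.isExpired()) {
            invalidateDeviceCode(authorization, deviceCode);
            throw new OAuth2AuthenticationException(new OAuth2Error(EXPIRED_TOKEN, null, DEVICE_ERROR_URI));
        }

        // The user code still being valid is treated as "user has not finished yet".
        // NOTE(review): presumably the user code is invalidated by the verification/consent
        // step elsewhere; that code is not visible here, confirm.
        if (!userCode.isInvalidated()) {
            throw new OAuth2AuthenticationException(new OAuth2Error(AUTHORIZATION_PENDING, null, DEVICE_ERROR_URI));
        }

        // Reached only once the user code is invalidated. An invalidated device code at this
        // point covers every earlier invalidation, including a previous successful exchange
        // by this method, so a replayed device code ends here.
        if (deviceCode.isInvalidated()) {
            throw new OAuth2AuthenticationException(new OAuth2Error("access_denied", null, DEVICE_ERROR_URI));
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Validated device token request parameters");
        }

        DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
                .registeredClient(registeredClient)
                .principal((Authentication) authorization.getAttribute(Principal.class.getName()))
                .authorizationServerContext(AuthorizationServerContextHolder.getContext())
                .authorization(authorization)
                .authorizedScopes(authorization.getAuthorizedScopes())
                .authorizationGrantType(AuthorizationGrantType.DEVICE_CODE)
                .authorizationGrant(deviceCodeAuthentication);

        // Single use: the invalidation is part of the same builder that receives the issued
        // tokens, so both are persisted by the one save() call below.
        OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization).invalidate(deviceCode.getToken());

        DefaultOAuth2TokenContext accessTokenContext = tokenContextBuilder.tokenType(OAuth2TokenType.ACCESS_TOKEN).build();
        OAuth2Token generatedAccessToken = this.tokenGenerator.generate(accessTokenContext);
        if (generatedAccessToken == null) {
            throw new OAuth2AuthenticationException(new OAuth2Error("server_error", "The token generator failed to generate the access token.", DEFAULT_ERROR_URI));
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Generated access token");
        }
        OAuth2AccessToken accessToken = OAuth2AuthenticationProviderUtils.accessToken(authorizationBuilder, generatedAccessToken, accessTokenContext);

        // A refresh token is issued only when the client registration lists the refresh_token grant.
        OAuth2RefreshToken refreshToken = null;
        if (registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.REFRESH_TOKEN)) {
            OAuth2Token generatedRefreshToken = this.tokenGenerator.generate(tokenContextBuilder.tokenType(OAuth2TokenType.REFRESH_TOKEN).build());
            // instanceof also rejects null, so a generator that returns nothing fails here.
            if (!(generatedRefreshToken instanceof OAuth2RefreshToken)) {
                throw new OAuth2AuthenticationException(new OAuth2Error("server_error", "The token generator failed to generate the refresh token.", DEFAULT_ERROR_URI));
            }
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Generated refresh token");
            }
            refreshToken = (OAuth2RefreshToken) generatedRefreshToken;
            authorizationBuilder.refreshToken(refreshToken);
        }

        this.authorizationService.save(authorizationBuilder.build());
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Saved authorization");
            this.logger.trace("Authenticated device token request");
        }
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken);
    }

    /**
     * Reports whether this provider handles the given authentication type.
     *
     * @param cls the authentication class being offered
     * @return true when {@code cls} is {@code OAuth2DeviceCodeAuthenticationToken} or a subtype
     */
    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2DeviceCodeAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Marks the device code as invalidated and persists the authorization, unless the code
     * is already invalidated.
     *
     * <p>The warning logs the client id stored on the authorization, i.e. the client the
     * device code belongs to. In the client-mismatch case that is not the client that
     * presented the code. NOTE(review): if the presenting client should be traceable from
     * this log line, it has to be added by the caller; confirm what detection relies on.
     */
    private void invalidateDeviceCode(OAuth2Authorization authorization, OAuth2Authorization.Token<OAuth2DeviceCode> deviceCode) {
        if (deviceCode.isInvalidated()) {
            return;
        }
        OAuth2Authorization invalidated = OAuth2Authorization.from(authorization).invalidate(deviceCode.getToken()).build();
        this.authorizationService.save(invalidated);
        if (this.logger.isWarnEnabled()) {
            this.logger.warn(LogMessage.format("Invalidated device code used by registered client '%s'", invalidated.getRegisteredClientId()));
        }
    }
}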
