package com.azure.spring.cloud.autoconfigure.aad.implementation.webapp;

import com.azure.spring.cloud.autoconfigure.aad.AadClientRegistrationRepository;
import com.azure.spring.cloud.autoconfigure.aad.properties.AadAuthorizationGrantType;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.time.temporal.TemporalUnit;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.util.Assert;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:com/azure/spring/cloud/autoconfigure/aad/implementation/webapp/AadAzureDelegatedOAuth2AuthorizedClientProvider.class */
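/**
 * {@link OAuth2AuthorizedClientProvider} for client registrations that use the
 * {@code AZURE_DELEGATED} grant type.
 *
 * <p>Such a registration never performs its own authorization-code flow. Instead, when its
 * access token is missing or (almost) expired, this provider loads the already-authorized
 * "azure" client for the same principal, takes that client's refresh token and asks the
 * wrapped {@link RefreshTokenOAuth2AuthorizedClientProvider} to redeem it for a token scoped to
 * the delegated registration's scopes. The access token on the "azure" client is never reused
 * directly: a deliberately expired placeholder token is handed to the refresh provider so that
 * it always performs the refresh.
 *
 * <p>Thread-safety: all fields are {@code final} and immutable, so instances can be shared.
 */
public class AadAzureDelegatedOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {

    /** Placeholder access-token value; it is only ever seen by the refresh provider, which discards it. */
    private static final String PLACEHOLDER_TOKEN_VALUE = "non-access-token";
    /** How far in the past the placeholder token's expiry is placed, so it is unambiguously expired. */
    private static final long PLACEHOLDER_TOKEN_AGE_DAYS = 100L;

    private final Clock clock = Clock.systemUTC();
    /**
     * A token is treated as expired this long before its real expiry, so a request issued with a
     * token that is about to lapse does not fail because of clock drift between this host and Azure AD.
     */
    private final Duration clockSkew = Duration.ofSeconds(60);
    private final OAuth2AuthorizedClientProvider provider;
    private final OAuth2AuthorizedClientRepository authorizedClientRepository;

    /**
     * @param refreshTokenOAuth2AuthorizedClientProvider the provider that performs the actual refresh-token grant
     * @param oAuth2AuthorizedClientRepository           where the "azure" authorized client is looked up
     */
    public AadAzureDelegatedOAuth2AuthorizedClientProvider(RefreshTokenOAuth2AuthorizedClientProvider refreshTokenOAuth2AuthorizedClientProvider, OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository) {
        this.provider = refreshTokenOAuth2AuthorizedClientProvider;
        this.authorizedClientRepository = oAuth2AuthorizedClientRepository;
    }

    /**
     * Obtains an authorized client for an {@code AZURE_DELEGATED} registration.
     *
     * @param oAuth2AuthorizationContext the authorization context; must not be null
     * @return a freshly refreshed client, or {@code null} when this provider does not apply
     *         (different grant type) or the context's client still holds a valid access token
     * @throws ClientAuthorizationRequiredException when no "azure" client is stored for the
     *         principal, or the stored one carries no refresh token, so that the user has to
     *         run through the "azure" authorization flow again
     */
    @Override
    public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext oAuth2AuthorizationContext) {
        Assert.notNull(oAuth2AuthorizationContext, "context cannot be null");
        ClientRegistration clientRegistration = oAuth2AuthorizationContext.getClientRegistration();
        // Only registrations configured with the azure_delegated grant are handled here; everything
        // else is left to the other providers in the delegating chain.
        if (!AadAuthorizationGrantType.AZURE_DELEGATED.isSameGrantType(clientRegistration.getAuthorizationGrantType())) {
            return null;
        }
        // Nothing to do while the current access token is still usable.
        OAuth2AuthorizedClient currentClient = oAuth2AuthorizationContext.getAuthorizedClient();
        if (currentClient != null && tokenNotExpired(currentClient.getAccessToken())) {
            return null;
        }
        Authentication principal = oAuth2AuthorizationContext.getPrincipal();
        OAuth2AuthorizedClient azureClient = this.authorizedClientRepository.loadAuthorizedClient(
            AadClientRegistrationRepository.AZURE_CLIENT_REGISTRATION_ID,
            principal,
            getHttpServletRequestOrDefault(oAuth2AuthorizationContext));
        // Without the "azure" client, or without a refresh token on it, no delegated token can be
        // minted. Signal that re-authorization is required in both cases. (Previously a client without
        // a refresh token was passed on to the refresh provider, which returns null when the refresh
        // token is absent, leaving the caller with no usable client and no redirect to fix it.)
        if (azureClient == null || azureClient.getRefreshToken() == null) {
            throw new ClientAuthorizationRequiredException(AadClientRegistrationRepository.AZURE_CLIENT_REGISTRATION_ID);
        }
        OAuth2AuthorizedClient clientToRefresh = createClientWithExpiredToken(azureClient, clientRegistration, principal);
        // The refresh is requested with the delegated registration's scopes, not the "azure" client's.
        String[] requestedScopes = clientRegistration.getScopes().toArray(new String[0]);
        OAuth2AuthorizationContext refreshContext = OAuth2AuthorizationContext
            .withAuthorizedClient(clientToRefresh)
            .principal(principal)
            .attributes(attributes -> attributes.put(OAuth2AuthorizationContext.REQUEST_SCOPE_ATTRIBUTE_NAME, requestedScopes))
            .build();
        return this.provider.authorize(refreshContext);
    }

    /**
     * @return {@code true} only if the token has an expiry and {@code now} is still before
     *         {@code expiresAt - clockSkew}; a null token or a token without an expiry counts as expired
     */
    private boolean tokenNotExpired(OAuth2Token oAuth2Token) {
        if (oAuth2Token == null || oAuth2Token.getExpiresAt() == null) {
            return false;
        }
        Instant effectiveExpiry = oAuth2Token.getExpiresAt().minus(this.clockSkew);
        return this.clock.instant().isBefore(effectiveExpiry);
    }

    /**
     * Builds the client that is handed to the refresh provider: the delegated registration and the
     * principal's name, the "azure" client's refresh token, and a placeholder access token whose
     * expiry lies far in the past so the refresh provider always performs a refresh.
     *
     * @throws IllegalArgumentException if either the azure client or the registration is null
     */
    private OAuth2AuthorizedClient createClientWithExpiredToken(OAuth2AuthorizedClient oAuth2AuthorizedClient, ClientRegistration clientRegistration, Authentication authentication) {
        Assert.notNull(oAuth2AuthorizedClient, "azureClient cannot be null");
        Assert.notNull(clientRegistration, "clientRegistration cannot be null");
        Instant placeholderExpiry = this.clock.instant().minus(PLACEHOLDER_TOKEN_AGE_DAYS, ChronoUnit.DAYS);
        OAuth2AccessToken expiredPlaceholder = new OAuth2AccessToken(
            OAuth2AccessToken.TokenType.BEARER, PLACEHOLDER_TOKEN_VALUE, Instant.MIN, placeholderExpiry);
        return new OAuth2AuthorizedClient(clientRegistration, authentication.getName(), expiredPlaceholder, oAuth2AuthorizedClient.getRefreshToken());
    }

    /**
     * Resolves the servlet request to look the "azure" client up with: the one stored in the
     * context attributes under {@code HttpServletRequest.class.getName()}, else the request bound
     * to the current thread, else {@code null}.
     *
     * <p>NOTE(review): when this yields {@code null} (e.g. called outside a web request), a
     * session-backed authorized-client repository is expected to reject the lookup; callers
     * invoking this provider off-request should supply the request via the context attributes.
     */
    private static HttpServletRequest getHttpServletRequestOrDefault(OAuth2AuthorizationContext oAuth2AuthorizationContext) {
        if (oAuth2AuthorizationContext != null && oAuth2AuthorizationContext.getAttributes() != null) {
            HttpServletRequest fromContext = (HttpServletRequest) oAuth2AuthorizationContext.getAttributes().get(HttpServletRequest.class.getName());
            if (fromContext != null) {
                return fromContext;
            }
        }
        return getDefaultHttpServletRequest();
    }

    /** @return the request bound to the current thread by Spring MVC, or {@code null} if there is none */
    private static HttpServletRequest getDefaultHttpServletRequest() {
        return Optional.ofNullable(RequestContextHolder.getRequestAttributes())
            .filter(ServletRequestAttributes.class::isInstance)
            .map(ServletRequestAttributes.class::cast)
            .map(ServletRequestAttributes::getRequest)
            .orElse(null);
    }
}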
