package io.gitee.mingbaobaba.security.oauth2.service;

import io.gitee.mingbaobaba.security.core.context.SecurityContext;
import io.gitee.mingbaobaba.security.core.domain.SecurityLoginParams;
import io.gitee.mingbaobaba.security.core.domain.SecuritySession;
import io.gitee.mingbaobaba.security.core.domain.SecurityToken;
import io.gitee.mingbaobaba.security.core.domain.SecurityUserDetails;
import io.gitee.mingbaobaba.security.core.exception.SecurityBusinessException;
import io.gitee.mingbaobaba.security.core.factory.SecurityFactory;
import io.gitee.mingbaobaba.security.core.request.SecurityRequest;
import io.gitee.mingbaobaba.security.core.service.SecurityService;
import io.gitee.mingbaobaba.security.core.service.SecurityUserDetailsService;
import io.gitee.mingbaobaba.security.core.utils.CommonUtil;
import io.gitee.mingbaobaba.security.core.utils.SecurityUtil;
import io.gitee.mingbaobaba.security.oauth2.SecurityOauth2Manager;
import io.gitee.mingbaobaba.security.oauth2.constants.SecurityOauth2CommonConstant;
import io.gitee.mingbaobaba.security.oauth2.constants.SecurityOauth2ErrorCodeConstant;
import io.gitee.mingbaobaba.security.oauth2.constants.SecurityOauth2ParamConstant;
import io.gitee.mingbaobaba.security.oauth2.domain.SecurityOauth2AccessToken;
import io.gitee.mingbaobaba.security.oauth2.domain.SecurityOauth2Application;
import io.gitee.mingbaobaba.security.oauth2.domain.SecurityOauth2Client;
import io.gitee.mingbaobaba.security.oauth2.domain.SecurityOauth2RefreshToken;
import io.gitee.mingbaobaba.security.oauth2.enums.GrantType;
import io.gitee.mingbaobaba.security.oauth2.exception.SecurityOauth2Exception;
import io.gitee.mingbaobaba.security.oauth2.repository.SecurityOauth2ApplicationRepository;
import io.gitee.mingbaobaba.security.oauth2.repository.SecurityOauth2Repository;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.Objects;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:io/gitee/mingbaobaba/security/oauth2/service/SecurityOauth2ServiceImpl.class */
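public class SecurityOauth2ServiceImpl implements SecurityOauth2Service {

    /** Lifetime, in seconds, of an authorization code issued by {@link #generateAuthorizationCode()}. */
    private static final long AUTHORIZATION_CODE_TIMEOUT_SECONDS = 600L;

    /** Scheme prefix an HTTP Basic credential may carry: {@code Basic base64(clientId:clientSecret)}. */
    private static final String BASIC_SCHEME_PREFIX = "Basic ";

    /** Separator between client id and client secret inside a decoded Basic credential. */
    private static final String BASIC_CREDENTIAL_SEPARATOR = ":";

    /** Separator of the comma-separated allow lists (scope, grant type, redirect URI) on the application record. */
    private static final String LIST_SEPARATOR = ",";

    /**
     * Authenticates the calling OAuth2 client and validates the request against its registration.
     *
     * <p>Client credentials are taken from the Basic header named by
     * {@code SecurityOauth2CommonConstant.HEADER_NAME_BASIC} when it is present, otherwise from the
     * {@code CLIENT_ID} / {@code CLIENT_SECRET} request parameters. The client must exist, its secret
     * must match, and the requested scope, response type, grant type and (for redirect-based grants)
     * redirect URI must all be on the application's allow lists.
     *
     * @param grantType the grant the caller is attempting
     * @return the validated client model, including the request's {@code STATE} parameter
     * @throws SecurityOauth2Exception if the client is unknown, the secret is wrong, or any of the
     *     requested scope / response type / grant type / redirect URI is not registered
     */
    @Override
    public SecurityOauth2Client buildLoginModel(GrantType grantType) {
        SecurityRequest securityRequest = (SecurityRequest) SecurityFactory.getSecurityRequest.get();
        SecurityOauth2ApplicationRepository applicationRepository = SecurityOauth2Manager.getSecurityOauth2ApplicationRepository();
        String basicHeader = securityRequest.getHeader(SecurityOauth2CommonConstant.HEADER_NAME_BASIC);
        String clientId = SecurityOauth2CommonConstant.EMPTY_STR;
        String clientSecret = SecurityOauth2CommonConstant.EMPTY_STR;
        if (StringUtils.isNoneBlank(basicHeader)) {
            // A malformed header leaves both values empty, so the lookup below fails as "unauthorized"
            // rather than surfacing a decoding exception.
            String[] credentials = decodeBasicCredentials(basicHeader);
            if (credentials.length == 2) {
                clientId = credentials[0];
                clientSecret = credentials[1];
            }
        } else {
            clientId = securityRequest.getParameterNonNull(SecurityOauth2ParamConstant.CLIENT_ID);
            clientSecret = securityRequest.getParameterNonNull(SecurityOauth2ParamConstant.CLIENT_SECRET);
        }
        SecurityOauth2Application application = applicationRepository.getOauth2ApplicationByClientId(clientId);
        if (Objects.isNull(application)) {
            throw new SecurityOauth2Exception(SecurityOauth2ErrorCodeConstant.OAUTH2_CODE_CLIENT_NO_AUTH, "客户端未授权");
        }
        if (!secretsMatch(clientSecret, application.getClientSecret())) {
            throw new SecurityOauth2Exception(SecurityOauth2ErrorCodeConstant.OAUTH2_CODE_CLIENT_SECRET_ERR, "客户端密钥错误");
        }
        String scope = validScope(securityRequest, application);
        String responseType = validResponseType(securityRequest);
        validGrantType(grantType, application);
        String redirectUri = validRedirectUri(securityRequest, grantType, application);
        return SecurityOauth2Client.builder()
                .clientId(clientId)
                .clientName(StringUtils.defaultString(application.getClientName(), clientId))
                .clientSecret(clientSecret)
                .responseType(responseType)
                .scope(scope)
                .redirectUri(redirectUri)
                .state(securityRequest.getParameter(SecurityOauth2ParamConstant.STATE))
                .build();
    }

    /**
     * Decodes an HTTP Basic credential into {@code [clientId, clientSecret]}.
     *
     * <p>An optional, case-insensitive {@code "Basic "} scheme prefix is stripped first. The decoded
     * text is split at the first colon only, so a secret may itself contain colons. Invalid Base64
     * or a missing separator yields an empty array.
     *
     * @param header the raw header value
     * @return a two-element array, or an empty array when the credential cannot be parsed
     */
    private static String[] decodeBasicCredentials(String header) {
        String encoded = header.trim();
        if (StringUtils.startsWithIgnoreCase(encoded, BASIC_SCHEME_PREFIX)) {
            encoded = encoded.substring(BASIC_SCHEME_PREFIX.length()).trim();
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(encoded);
        } catch (IllegalArgumentException ignored) {
            // Not valid Base64: treat as "no credential presented"; the caller rejects the client.
            return new String[0];
        }
        String[] parts = new String(decoded, StandardCharsets.UTF_8).split(BASIC_CREDENTIAL_SEPARATOR, 2);
        return parts.length == 2 ? parts : new String[0];
    }

    /**
     * Compares a presented secret with the stored one in constant time, so response timing does not
     * reveal how many leading characters matched. A {@code null} on either side never matches.
     *
     * @param presented the value supplied by the caller
     * @param stored the expected value
     * @return {@code true} only if both are non-null and byte-for-byte equal
     */
    private static boolean secretsMatch(String presented, String stored) {
        if (presented == null || stored == null) {
            return false;
        }
        return MessageDigest.isEqual(presented.getBytes(StandardCharsets.UTF_8), stored.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Tests whether {@code value} is one of the entries of a comma-separated allow list.
     *
     * @param allowList the application's registered values, possibly {@code null}
     * @param value the requested value
     * @return {@code true} if the list is non-null and contains an exactly equal entry
     */
    private static boolean isRegisteredValue(String allowList, String value) {
        if (Objects.isNull(allowList)) {
            return false;
        }
        return Stream.of(allowList.split(LIST_SEPARATOR)).anyMatch(candidate -> candidate.equals(value));
    }

    /**
     * Returns the requested {@code SCOPE} parameter if it is registered for the application.
     *
     * @throws SecurityOauth2Exception if the scope is not on the application's scope list
     */
    private static String validScope(SecurityRequest securityRequest, SecurityOauth2Application application) {
        String requestedScope = securityRequest.getParameterNonNull(SecurityOauth2ParamConstant.SCOPE);
        if (!isRegisteredValue(application.getScope(), requestedScope)) {
            throw new SecurityOauth2Exception(SecurityOauth2ErrorCodeConstant.OAUTH2_CODE_CLIENT_SCOPE_ERR, "客户端授权范围错误");
        }
        return requestedScope;
    }

    /**
     * Returns the response type from the {@code RESPONSE_TYPE} parameter, falling back to the request
     * attribute of the same name when the parameter is blank.
     *
     * @throws SecurityOauth2Exception if the value is neither {@code "code"} nor
     *     {@code SecurityOauth2CommonConstant.RESPONSE_TYPE_TOKEN}
     */
    private static String validResponseType(SecurityRequest securityRequest) {
        String responseType = securityRequest.getParameter(SecurityOauth2ParamConstant.RESPONSE_TYPE);
        if (StringUtils.isBlank(responseType)) {
            responseType = (String) securityRequest.getAttribute(SecurityOauth2ParamConstant.RESPONSE_TYPE);
        }
        boolean supported = "code".equals(responseType)
                || SecurityOauth2CommonConstant.RESPONSE_TYPE_TOKEN.equals(responseType);
        if (!supported) {
            throw new SecurityOauth2Exception(SecurityOauth2ErrorCodeConstant.OAUTH2_CODE_CLIENT_RESPONSE_TYPE_ERR, "客户端请求返回类型错误");
        }
        return responseType;
    }

    /**
     * Verifies that the application is registered for {@code grantType}.
     *
     * @throws SecurityOauth2Exception if the grant type is not on the application's grant-type list
     */
    private static void validGrantType(GrantType grantType, SecurityOauth2Application application) {
        if (!isRegisteredValue(application.getGrantType(), grantType.getCode())) {
            // NOTE(review): this reuses the response-type error code; no grant-type specific
            // constant is visible in this file — confirm whether one exists.
            throw new SecurityOauth2Exception(SecurityOauth2ErrorCodeConstant.OAUTH2_CODE_CLIENT_RESPONSE_TYPE_ERR, "不支持此授权类型");
        }
    }

    /**
     * Returns the validated {@code REDIRECT_URI} parameter for redirect-based grants.
     *
     * <p>Password and client-credentials grants carry no redirect, so {@code null} is returned without
     * reading the parameter. For every other grant the URI must exactly equal one of the application's
     * registered redirect URIs; exact matching (no prefix or pattern match) is what prevents the
     * endpoint from being used as an open redirector.
     *
     * @throws SecurityOauth2Exception if the redirect URI is not registered
     */
    private static String validRedirectUri(SecurityRequest securityRequest, GrantType grantType, SecurityOauth2Application application) {
        String grantCode = grantType.getCode();
        if (GrantType.PASSWORD.getCode().equals(grantCode) || GrantType.CLIENT_CREDENTIALS.getCode().equals(grantCode)) {
            return null;
        }
        String redirectUri = securityRequest.getParameterNonNull(SecurityOauth2ParamConstant.REDIRECT_URI);
        if (!isRegisteredValue(application.getRedirectUri(), redirectUri)) {
            throw new SecurityOauth2Exception(SecurityOauth2ErrorCodeConstant.OAUTH2_CODE_CLIENT_REDIRECT_URI_ERR, "客户端回调地址未授权");
        }
        return redirectUri;
    }

    /**
     * Looks up the resource owner by username and requires a usable record.
     *
     * @throws SecurityOauth2Exception if no user is found or the user has no login id
     */
    private static SecurityUserDetails requireExistingUser(SecurityUserDetailsService userDetailsService, String username) {
        SecurityUserDetails user = userDetailsService.findSecurityUserDetailsByUsername(username);
        if (Objects.isNull(user) || StringUtils.isBlank(user.getLoginId())) {
            throw new SecurityOauth2Exception("1019", "获取登录用户不存在");
        }
        return user;
    }

    /**
     * Checks the presented password against the stored one after applying the service's password policy.
     *
     * @return {@code true} if the stored password is non-blank and equals the policy-transformed input
     */
    private static boolean passwordMatches(SecurityUserDetailsService userDetailsService, SecurityUserDetails user,
            String presentedPassword, SecurityContext securityContext) {
        if (StringUtils.isBlank(user.getPassword())) {
            return false;
        }
        String transformed = userDetailsService.passwordPolicy(presentedPassword, user, securityContext);
        return secretsMatch(transformed, user.getPassword());
    }

    /**
     * Authenticates the resource owner from the {@code USERNAME} / {@code PASSWORD} parameters and
     * issues a short-lived authorization code for the calling client.
     *
     * <p>The code is bound to the client model, which also carries the resource owner's username and
     * password so that {@link #grantAuthorizationLogin} can re-verify them when the code is exchanged.
     *
     * @return the newly generated authorization code
     * @throws SecurityOauth2Exception if the user does not exist, login is refused by
     *     {@code preHandle}, the password is wrong, or client validation fails
     */
    @Override
    public String generateAuthorizationCode() {
        SecurityRequest securityRequest = (SecurityRequest) SecurityFactory.getSecurityRequest.get();
        String username = securityRequest.getParameterNonNull(SecurityOauth2ParamConstant.USERNAME);
        String password = securityRequest.getParameterNonNull(SecurityOauth2ParamConstant.PASSWORD);
        SecurityUserDetailsService userDetailsService = (SecurityUserDetailsService) SecurityFactory.getSecurityUserDetailsService.get();
        SecurityContext securityContext = (SecurityContext) SecurityFactory.getSecurityContext.get();
        SecurityLoginParams loginParams = new SecurityLoginParams();
        SecurityUserDetails user = requireExistingUser(userDetailsService, username);
        if (!userDetailsService.preHandle(username, loginParams, securityContext)) {
            throw new SecurityOauth2Exception("1022", "登录操作被限制");
        }
        if (!passwordMatches(userDetailsService, user, password, securityContext)) {
            throw new SecurityOauth2Exception("1020", "密码错误");
        }
        SecurityOauth2Client client = buildLoginModel(GrantType.AUTHORIZATION_CODE);
        client.setUsername(username);
        // NOTE(review): the plaintext password is persisted with the code for its whole lifetime so
        // the exchange step can re-check it; confirm the repository backing store is acceptable for that.
        client.setPassword(password);
        String authorizationCode = (String) CommonUtil.generateToken.get();
        SecurityOauth2Manager.getSecurityOauth2Repository().saveAuthorizationCode(authorizationCode, client, AUTHORIZATION_CODE_TIMEOUT_SECONDS);
        return authorizationCode;
    }

    /**
     * Builds the redirect URI that delivers an authorization code back to the client.
     *
     * @param str the authorization code
     * @return the client's registered redirect URI with {@code code} and {@code state} query parameters
     * @throws SecurityOauth2Exception if the code is unknown or expired
     */
    @Override
    public String buildAuthorizationCodeUri(String str) {
        SecurityOauth2Client client = SecurityOauth2Manager.getSecurityOauth2Repository().getClientModelByAuthorizationCode(str);
        if (null == client) {
            throw new SecurityOauth2Exception(SecurityOauth2ErrorCodeConstant.OAUTH2_CODE_INVALID_AUTHORIZATION_CODE, "授权码已失效");
        }
        String query = "code=" + urlEncode(str)
                + "&state=" + urlEncode(StringUtils.defaultIfBlank(client.getState(), SecurityOauth2CommonConstant.EMPTY_STR));
        return appendQuery(client.getRedirectUri(), query);
    }

    /**
     * Appends a query string to a URI, using {@code &} when the URI already has a query and {@code ?} otherwise.
     */
    private static String appendQuery(String uri, String query) {
        return uri + (uri.contains("?") ? "&" : "?") + query;
    }

    /**
     * Percent-encodes a query-parameter value. Values such as {@code state} are echoed from the request,
     * so encoding keeps them from injecting extra parameters or breaking the redirect URI.
     */
    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(String.valueOf(value), StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM, so this cannot happen in practice.
            throw new IllegalStateException("UTF-8 encoding is not supported", e);
        }
    }

    /**
     * Exchanges an authorization code for an access token.
     *
     * <p>The code is removed before the grant is performed so it is single-use even if the grant fails.
     *
     * @param str the authorization code
     * @throws SecurityOauth2Exception if the code is unknown or expired
     */
    @Override
    public SecurityOauth2AccessToken getAccessTokenByAuthorizationCode(String str) {
        SecurityOauth2Repository oauth2Repository = SecurityOauth2Manager.getSecurityOauth2Repository();
        SecurityOauth2Client client = oauth2Repository.getClientModelByAuthorizationCode(str);
        if (Objects.isNull(client)) {
            throw new SecurityOauth2Exception(SecurityOauth2ErrorCodeConstant.OAUTH2_CODE_INVALID_AUTHORIZATION_CODE, "无效的授权码");
        }
        oauth2Repository.removeAuthorizationCode(str);
        return grantAuthorizationLogin(client, GrantType.AUTHORIZATION_CODE);
    }

    /**
     * Invalidates an authorization code so it can no longer be exchanged.
     *
     * @param str the authorization code
     */
    @Override
    public void revokeAuthorization(String str) {
        SecurityOauth2Manager.getSecurityOauth2Repository().removeAuthorizationCode(str);
    }

    /**
     * Logs the principal in for the given grant and issues an access token.
     *
     * <p>Client-credentials grants log in under the client id. All other grants authenticate the
     * resource owner (username/password from the client model, falling back to the request
     * parameters). The session's {@code timeout} is the configured refresh-token timeout and its
     * {@code activityTimeout} the configured access-token timeout. A refresh token is issued only
     * for authorization-code and password grants.
     *
     * @param securityOauth2Client the validated client model
     * @param grantType the grant being performed
     * @return the issued access token (with refresh token where applicable)
     * @throws SecurityOauth2Exception if the user does not exist, the password is wrong, or the
     *     token pair cannot be stored
     * @throws SecurityBusinessException if {@code preHandle} refuses the login
     */
    @Override
    public SecurityOauth2AccessToken grantAuthorizationLogin(SecurityOauth2Client securityOauth2Client, GrantType grantType) {
        SecurityRequest securityRequest = (SecurityRequest) SecurityFactory.getSecurityRequest.get();
        SecurityContext securityContext = (SecurityContext) SecurityFactory.getSecurityContext.get();
        SecurityLoginParams loginParams = new SecurityLoginParams();
        loginParams.setTokenAttribute(SecurityOauth2ParamConstant.CLIENT_ID, securityOauth2Client.getClientId())
                .setTokenAttribute(SecurityOauth2ParamConstant.GRANT_TYPE, grantType.getCode())
                .setTokenAttribute(SecurityOauth2ParamConstant.SCOPE, securityOauth2Client.getScope())
                .setTokenAttribute(SecurityOauth2ParamConstant.STATE, securityOauth2Client.getState())
                .setTimeout(SecurityOauth2Manager.getConfig().getRefreshTokenTimeout())
                .setActivityTimeout(SecurityOauth2Manager.getConfig().getAccessTokenTimeout());
        SecurityOauth2Repository oauth2Repository = SecurityOauth2Manager.getSecurityOauth2Repository();
        String grantCode = grantType.getCode();
        if (GrantType.CLIENT_CREDENTIALS.getCode().equals(grantCode)) {
            SecurityUtil.doLogin(securityOauth2Client.getClientId(), loginParams);
        } else {
            loginResourceOwner(securityOauth2Client, loginParams, securityRequest, securityContext);
        }
        SecuritySession session = SecurityUtil.getCurrentSecuritySession();
        SecurityToken token = session.getCurrentSecurityToken();
        SecurityOauth2AccessToken accessToken = new SecurityOauth2AccessToken();
        accessToken.setAccessToken(token.getToken());
        accessToken.setExpiresIn(token.getActivityTimeout());
        accessToken.setIssuedAt(session.getCreateTime());
        boolean refreshable = GrantType.AUTHORIZATION_CODE.getCode().equals(grantCode)
                || GrantType.PASSWORD.getCode().equals(grantCode);
        if (refreshable) {
            accessToken.setRefreshToken((String) CommonUtil.generateToken.get());
            accessToken.setRefreshExpiresIn(token.getTimeout());
            boolean saved = oauth2Repository.saveAccessAndRefreshToken(
                    accessToken.getAccessToken(), accessToken.getRefreshToken(), accessToken.getRefreshExpiresIn());
            if (!saved) {
                throw new SecurityOauth2Exception(SecurityOauth2ErrorCodeConstant.OAUTH2_CODE_SAVE_ACCESS_CODE_ERR, "保存Oauth2AccessToken异常");
            }
        }
        return accessToken;
    }

    /**
     * Authenticates the resource owner carried by the client model and logs them in.
     *
     * <p>Blank username/password on the client are filled from the request parameters first. The
     * login-refused case throws {@link SecurityBusinessException} here (kept for callers that catch
     * it), whereas {@link #generateAuthorizationCode()} throws {@link SecurityOauth2Exception} for
     * the same code {@code "1022"}.
     */
    private static void loginResourceOwner(SecurityOauth2Client client, SecurityLoginParams loginParams,
            SecurityRequest securityRequest, SecurityContext securityContext) {
        SecurityUserDetailsService userDetailsService = (SecurityUserDetailsService) SecurityFactory.getSecurityUserDetailsService.get();
        if (StringUtils.isBlank(client.getUsername())) {
            client.setUsername(securityRequest.getParameterNonNull(SecurityOauth2ParamConstant.USERNAME));
        }
        SecurityUserDetails user = requireExistingUser(userDetailsService, client.getUsername());
        if (!userDetailsService.preHandle(client.getUsername(), loginParams, securityContext)) {
            throw new SecurityBusinessException("1022", "登录操作被限制");
        }
        if (StringUtils.isBlank(client.getPassword())) {
            client.setPassword(securityRequest.getParameterNonNull(SecurityOauth2ParamConstant.PASSWORD));
        }
        if (!passwordMatches(userDetailsService, user, client.getPassword(), securityContext)) {
            throw new SecurityOauth2Exception("1020", "密码错误");
        }
        SecurityUtil.doLogin(user.getLoginId(), loginParams);
        userDetailsService.afterCompletion();
    }

    /**
     * Performs the implicit grant and builds the redirect URI carrying the access token.
     *
     * <p>The token parameters are placed in the query string. RFC 6749 §4.2.2 specifies the URI
     * fragment for the implicit grant; the query form is kept here because existing clients consume
     * it, but it means the token is sent to the redirect target's server and may land in its logs.
     *
     * @return the client's redirect URI with {@code accessToken}, {@code expiresIn}, {@code tokenType}
     *     and {@code state} parameters appended
     */
    @Override
    public String buildImplicitGrantUri() {
        SecurityOauth2Client client = buildLoginModel(GrantType.IMPLICIT);
        SecurityOauth2AccessToken accessToken = grantAuthorizationLogin(client, GrantType.IMPLICIT);
        String query = "accessToken=" + urlEncode(accessToken.getAccessToken())
                + "&expiresIn=" + accessToken.getExpiresIn()
                + "&tokenType=" + urlEncode(accessToken.getTokenType())
                + "&state=" + urlEncode(StringUtils.defaultIfBlank(client.getState(), SecurityOauth2CommonConstant.EMPTY_STR));
        return appendQuery(client.getRedirectUri(), query);
    }

    /**
     * Renews the access token bound to the {@code REFRESH_TOKEN} request parameter.
     *
     * <p>The access token itself is extended by the configured access-token timeout; the refresh
     * token is returned unchanged (no rotation) with its remaining lifetime.
     *
     * @return the renewed access token together with the same refresh token
     * @throws SecurityOauth2Exception if the refresh token is unknown or the session it points to no
     *     longer exists
     */
    @Override
    public SecurityOauth2RefreshToken refreshToken() {
        String refreshToken = ((SecurityRequest) SecurityFactory.getSecurityRequest.get()).getParameterNonNull(SecurityOauth2ParamConstant.REFRESH_TOKEN);
        SecurityOauth2Repository oauth2Repository = SecurityOauth2Manager.getSecurityOauth2Repository();
        String accessToken = oauth2Repository.accessTokenByRefreshToken(refreshToken);
        if (StringUtils.isBlank(accessToken)) {
            throw new SecurityOauth2Exception(SecurityOauth2ErrorCodeConstant.OAUTH2_CODE_INVALID_REFRESH_TOKEN, "refreshToken已失效");
        }
        SecurityService securityService = (SecurityService) SecurityFactory.getSecurityService.get();
        SecuritySession session = securityService.getSecuritySessionByToken(accessToken);
        if (Objects.isNull(session) || Objects.isNull(session.getCurrentSecurityToken())) {
            throw new SecurityOauth2Exception("1007", "续约用户信息已失效");
        }
        session.renewalToken(accessToken, SecurityOauth2Manager.getConfig().getAccessTokenTimeout());
        SecurityOauth2RefreshToken result = new SecurityOauth2RefreshToken();
        result.setAccessToken(accessToken);
        result.setExpiresIn(securityService.tokenTimeout(accessToken));
        result.setRefreshToken(refreshToken);
        result.setRefreshExpiresIn(oauth2Repository.refreshTokenTimeOut(refreshToken));
        return result;
    }
}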
