package pl.sparkbit.security.login.social;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.jackson2.JacksonFactory;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.util.Assert;
import pl.sparkbit.security.login.LoginPrincipal;
import pl.sparkbit.security.login.social.resolver.GoogleResolver;

/* loaded from: input_file:pl/sparkbit/security/login/social/GoogleAuthenticationProvider.class */
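/**
 * Spring Security {@link AuthenticationProvider} that authenticates a
 * {@link GoogleAuthenticationToken} by verifying the Google ID token it carries and then
 * loading the matching local account through the configured {@link UserDetailsService}.
 *
 * <p>A login is accepted only when all of the following hold:
 * <ul>
 *   <li>the ID token passes {@link GoogleIdTokenVerifier} verification against the client IDs
 *       returned by the {@link GoogleResolver} for this login;</li>
 *   <li>the token's email claim is marked verified and equals the {@code email} authentication
 *       attribute supplied with the login request;</li>
 *   <li>the local account exists and passes {@link AccountStatusUserDetailsChecker}.</li>
 * </ul>
 *
 * <p>NOTE(review): a new {@link GoogleIdTokenVerifier} is built for every login, so Google's
 * signing keys are presumably not cached between requests. Sharing a key manager across
 * verifiers would avoid a remote fetch per login - confirm against the client library version
 * in use.
 */
public class GoogleAuthenticationProvider implements AuthenticationProvider {
    private static final Logger log = LoggerFactory.getLogger(GoogleAuthenticationProvider.class);
    private final UserDetailsService userDetailsService;
    private final GoogleResolver resolver;
    private final UserDetailsChecker authenticationChecks = new AccountStatusUserDetailsChecker();
    private final HttpTransport transport = GoogleNetHttpTransport.newTrustedTransport();
    private final JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();

    /**
     * Creates the provider.
     *
     * @param googleResolver resolves the Google client IDs accepted as token audience
     * @param userDetailsService loads the local account for a verified Google login
     * @throws GeneralSecurityException if the trusted HTTP transport cannot be created
     * @throws IOException if the trusted HTTP transport cannot be created
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public GoogleAuthenticationProvider(GoogleResolver googleResolver, UserDetailsService userDetailsService) throws GeneralSecurityException, IOException {
        // Fail at wiring time instead of with a NullPointerException on the first login.
        Assert.notNull(googleResolver, "googleResolver must not be null");
        Assert.notNull(userDetailsService, "userDetailsService must not be null");
        this.resolver = googleResolver;
        this.userDetailsService = userDetailsService;
    }

    /**
     * Verifies the Google ID token and returns an authenticated token for the local account.
     *
     * @param authentication the login request; must be a {@link GoogleAuthenticationToken}
     * @return a {@link GoogleAuthenticationToken} carrying the loaded {@link UserDetails} and
     *     its authorities
     * @throws AuthenticationException if the token is invalid, the email does not match, the
     *     account is unknown, or the account status check fails
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Assert.isInstanceOf(GoogleAuthenticationToken.class, authentication, "Only GoogleAuthenticationToken supported");
        GoogleAuthenticationToken request = (GoogleAuthenticationToken) authentication;
        try {
            UserDetails user = verify(request);
            Assert.notNull(user, "verify returned null - a violation of the interface contract");
            this.authenticationChecks.check(user);
            return new GoogleAuthenticationToken(request.getIdToken(), user, user.getAuthorities());
        } catch (UsernameNotFoundException e) {
            // The caller gets the same generic failure as for a bad token so that the response
            // does not reveal whether a local account exists; the reason is kept in the log only.
            log.debug("Google login rejected: no local account for the verified identity");
            throw new BadCredentialsException("Bad credentials");
        }
    }

    /**
     * Verifies the ID token carried by the request and loads the matching local account.
     *
     * @param googleAuthenticationToken the unauthenticated login request
     * @return the local account returned by the {@link UserDetailsService}
     * @throws AuthenticationException if the request is malformed, the token fails verification,
     *     or the verified email does not match the email supplied with the request
     */
    private UserDetails verify(GoogleAuthenticationToken googleAuthenticationToken) throws AuthenticationException {
        // Reject malformed requests as authentication failures rather than letting a
        // ClassCastException or NullPointerException escape.
        Object principal = googleAuthenticationToken.getPrincipal();
        if (!(principal instanceof LoginPrincipal)) {
            throw new BadCredentialsException("Google Id Token is invalid");
        }
        LoginPrincipal loginPrincipal = (LoginPrincipal) principal;
        Object credentials = googleAuthenticationToken.getCredentials();
        if (!(credentials instanceof String)) {
            throw new BadCredentialsException("Google Id Token is invalid");
        }
        try {
            Collection<String> audience = this.resolver.resolve(loginPrincipal.getAuthnAttributes()).getGoogleClientIds();
            // A null audience makes the verifier skip the audience check, which would accept
            // ID tokens issued to any Google client. Fail closed when nothing is configured.
            if (audience == null || audience.isEmpty()) {
                log.warn("Google login rejected: no Google client ID resolved for this login");
                throw new BadCredentialsException("Google Id Token is invalid");
            }
            GoogleIdToken idToken = new GoogleIdTokenVerifier.Builder(this.transport, this.jsonFactory).setAudience(audience).build().verify((String) credentials);
            if (idToken == null) {
                throw new BadCredentialsException("Google Id Token is invalid");
            }
            String email = loginPrincipal.getAuthnAttributes().get("email");
            if (email == null) {
                throw new BadCredentialsException("No email given");
            }
            if (!email.equals(idToken.getPayload().getEmail())) {
                throw new BadCredentialsException("ID token does not match the given email");
            }
            // The email claim identifies the account here, so it must be one Google has
            // verified; an absent claim is treated as unverified.
            if (!Boolean.TRUE.equals(idToken.getPayload().getEmailVerified())) {
                throw new BadCredentialsException("Google account email is not verified");
            }
            return this.userDetailsService.loadUserByUsername(googleAuthenticationToken.getName());
        } catch (IOException | IllegalArgumentException | GeneralSecurityException e) {
            throw new BadCredentialsException("Google Id Token is invalid", e);
        }
    }

    /**
     * Reports whether this provider can process the given authentication type.
     *
     * @param cls the authentication class offered by the authentication manager
     * @return {@code true} for {@link GoogleAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> cls) {
        return GoogleAuthenticationToken.class.isAssignableFrom(cls);
    }
}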
