package org.cloudfoundry.identity.uaa.oauth.token;

import org.cloudfoundry.identity.uaa.oauth.UaaOauth2Authentication;
import org.cloudfoundry.identity.uaa.zone.ClientServicesExtension;
import org.cloudfoundry.identity.uaa.zone.IdentityZoneHolder;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.AbstractTokenGranter;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.6.0.jar:org/cloudfoundry/identity/uaa/oauth/token/UserTokenGranter.class */
/**
 * Token granter registered for {@link TokenConstants#GRANT_TYPE_USER_TOKEN}.
 *
 * <p>What the code in this class does, end to end:
 * <ol>
 *   <li>{@link #grant} rebuilds the token request so that its client id is the value of the
 *       {@link TokenConstants#USER_TOKEN_REQUESTING_CLIENT_ID} request parameter.</li>
 *   <li>{@link #validateRequest} requires an authenticated {@link UaaOauth2Authentication}
 *       carrying an authenticated user, and runs the grant-type checks for two clients.</li>
 *   <li>{@link #getAccessToken} issues the token for the client named by the
 *       {@code client_id} request parameter, then {@link #prepareForSerialization} blanks the
 *       access-token value and deletes that access token from the token store.</li>
 * </ol>
 *
 * <p>NOTE(review): every client-related decision here is driven by request parameters
 * ({@code client_id} and the requesting-client parameter). Nothing in this class compares
 * either value with the client inside the current authentication, so confirm that the
 * endpoint/filter in front of this granter sets the requesting-client parameter from the
 * authenticated token rather than accepting it from the caller.
 */
public class UserTokenGranter extends AbstractTokenGranter {
    // Used to look up clients by id within the current identity zone.
    private ClientServicesExtension clientDetailsService;
    // Used to delete the freshly issued access token (see prepareForSerialization).
    private RevocableTokenProvisioning tokenStore;

    /**
     * Creates the granter and binds it to {@link TokenConstants#GRANT_TYPE_USER_TOKEN}.
     *
     * @param authorizationServerTokenServices token services handed to the superclass
     * @param clientServicesExtension client lookup service; passed to the superclass and also
     *        kept locally for zone-aware lookups
     * @param oAuth2RequestFactory request factory handed to the superclass
     * @param revocableTokenProvisioning store from which issued access tokens are deleted
     */
    public UserTokenGranter(AuthorizationServerTokenServices authorizationServerTokenServices, ClientServicesExtension clientServicesExtension, OAuth2RequestFactory oAuth2RequestFactory, RevocableTokenProvisioning revocableTokenProvisioning) {
        super(authorizationServerTokenServices, clientServicesExtension, oAuth2RequestFactory, TokenConstants.GRANT_TYPE_USER_TOKEN);
        this.tokenStore = revocableTokenProvisioning;
        this.clientDetailsService = clientServicesExtension;
    }

    /**
     * Delegates to the superclass with a copy of the request whose client id is replaced by the
     * {@link TokenConstants#USER_TOKEN_REQUESTING_CLIENT_ID} request parameter.
     *
     * <p>The parameter is not checked for presence here; the null check lives in
     * {@link #validateRequest}, which only runs later if the superclass reaches
     * {@link #getOAuth2Authentication}.
     *
     * @param str grant type passed through to the superclass unchanged
     * @param tokenRequest incoming token request; its parameters, scope and grant type are reused
     * @return whatever the superclass {@code grant} returns for the rebuilt request
     */
    @Override
    public OAuth2AccessToken grant(String str, TokenRequest tokenRequest) {
        String requestingClientId = (String) tokenRequest.getRequestParameters().get(TokenConstants.USER_TOKEN_REQUESTING_CLIENT_ID);
        TokenRequest rebuiltRequest = new TokenRequest(
                tokenRequest.getRequestParameters(),
                requestingClientId,
                tokenRequest.getScope(),
                tokenRequest.getGrantType());
        return super.grant(str, rebuiltRequest);
    }

    /**
     * Intentionally empty: this override performs no grant-type check of its own.
     *
     * <p>The checks are made explicitly in {@link #validateRequest} through
     * {@code super.validateGrantType(...)}. Anyone changing {@code validateRequest} must keep
     * those calls, because this hook will not reject anything.
     *
     * <p>Decompiler note (JADX): access modifier was changed from {@code protected}.
     */
    @Override
    public void validateGrantType(String str, ClientDetails clientDetails) {
        // No-op by design; see validateRequest.
    }

    /**
     * Validates the caller's authentication and the request, and returns the user authentication
     * that the issued token will represent.
     *
     * <p>Checks, in this order (the order decides which exception a bad request produces):
     * <ol>
     *   <li>the security context holds an authenticated {@link UaaOauth2Authentication};</li>
     *   <li>that authentication contains an authenticated user authentication;</li>
     *   <li>the {@link TokenConstants#USER_TOKEN_REQUESTING_CLIENT_ID} parameter is present;</li>
     *   <li>the request's grant type equals {@link TokenConstants#GRANT_TYPE_USER_TOKEN};</li>
     *   <li>the client named by the requesting-client parameter passes the superclass grant-type
     *       check for {@link TokenConstants#GRANT_TYPE_USER_TOKEN};</li>
     *   <li>the client named by the {@code client_id} parameter passes the superclass grant-type
     *       check for {@code refresh_token}.</li>
     * </ol>
     *
     * @param tokenRequest request being granted
     * @return the user authentication taken from the current {@link UaaOauth2Authentication}
     * @throws InsufficientAuthenticationException if checks 1 or 2 fail
     * @throws InvalidGrantException if checks 3 or 4 fail
     */
    protected Authentication validateRequest(TokenRequest tokenRequest) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        boolean acceptable = current != null
                && current.isAuthenticated()
                && current instanceof UaaOauth2Authentication;
        if (!acceptable) {
            // NOTE(review): the message embeds current.toString(); confirm this text is not
            // echoed to the caller or logged in a way that exposes authentication details.
            throw new InsufficientAuthenticationException("Invalid authentication object:" + current);
        }

        Authentication userAuthentication = ((UaaOauth2Authentication) current).getUserAuthentication();
        if (userAuthentication == null || !userAuthentication.isAuthenticated()) {
            throw new InsufficientAuthenticationException("Authentication containing a user is required");
        }

        boolean requestingClientMissing = tokenRequest.getRequestParameters() == null
                || tokenRequest.getRequestParameters().get(TokenConstants.USER_TOKEN_REQUESTING_CLIENT_ID) == null;
        if (requestingClientMissing) {
            throw new InvalidGrantException("Parameter requesting_client_id is required.");
        }

        if (!TokenConstants.GRANT_TYPE_USER_TOKEN.equals(tokenRequest.getGrantType())) {
            throw new InvalidGrantException("Invalid grant type");
        }

        String zoneId = IdentityZoneHolder.get().getId();

        // The two lookups stay interleaved with their checks so a failure on the first client
        // is reported before the second client is loaded.
        String requestingClientId = (String) tokenRequest.getRequestParameters().get(TokenConstants.USER_TOKEN_REQUESTING_CLIENT_ID);
        ClientDetails requestingClient = this.clientDetailsService.loadClientByClientId(requestingClientId, zoneId);
        super.validateGrantType(TokenConstants.GRANT_TYPE_USER_TOKEN, requestingClient);

        // "client_id" is not null-checked in this method; a missing value is passed straight to
        // the client lookup.
        String clientIdParameter = (String) tokenRequest.getRequestParameters().get("client_id");
        ClientDetails clientIdClient = this.clientDetailsService.loadClientByClientId(clientIdParameter, zoneId);
        super.validateGrantType("refresh_token", clientIdClient);

        return userAuthentication;
    }

    /**
     * Builds the OAuth2 authentication for the token: the stored request comes from the request
     * factory, the user part from {@link #validateRequest}.
     *
     * @param clientDetails client passed in by the superclass
     * @param tokenRequest request being granted
     * @return authentication combining the created OAuth2 request and the validated user
     */
    @Override
    protected OAuth2Authentication getOAuth2Authentication(ClientDetails clientDetails, TokenRequest tokenRequest) {
        // Argument order is kept: the OAuth2 request is created before validateRequest runs.
        return new OAuth2Authentication(
                getRequestFactory().createOAuth2Request(clientDetails, tokenRequest),
                validateRequest(tokenRequest));
    }

    /**
     * Strips the access token out of the response and removes it from the token store.
     *
     * <p>After this call the returned object has a {@code null} value, its {@code jti}
     * additional-information entry holds the refresh token's value, and the access token that
     * was just issued has been deleted from {@code tokenStore} for the current zone.
     *
     * <p>Requires a non-null refresh token and a mutable additional-information map on the
     * argument; neither is checked here.
     *
     * @param defaultOAuth2AccessToken token just issued by the superclass; modified in place
     * @return the same instance
     */
    protected DefaultOAuth2AccessToken prepareForSerialization(DefaultOAuth2AccessToken defaultOAuth2AccessToken) {
        String issuedAccessToken = defaultOAuth2AccessToken.getValue();
        defaultOAuth2AccessToken.setValue(null);

        String refreshTokenValue = defaultOAuth2AccessToken.getRefreshToken().getValue();
        defaultOAuth2AccessToken.getAdditionalInformation().put("jti", refreshTokenValue);

        // The original access-token value is the id handed to the store for deletion.
        // NOTE(review): the literal 0 is presumably a version argument; confirm against
        // RevocableTokenProvisioning.
        String zoneId = IdentityZoneHolder.get().getId();
        this.tokenStore.delete(issuedAccessToken, 0, zoneId);
        return defaultOAuth2AccessToken;
    }

    /**
     * Issues the token through the superclass and post-processes it with
     * {@link #prepareForSerialization}.
     *
     * <p>The {@code clientDetails} argument is ignored: the client is reloaded from the
     * {@code client_id} request parameter in the current identity zone, so the token is issued
     * with that client's details even though {@link #grant} put the requesting client id on the
     * token request.
     *
     * <p>Decompiler note (JADX): access modifier was changed from {@code protected}.
     *
     * @param clientDetails client resolved by the superclass; not used
     * @param tokenRequest request being granted
     * @return the issued token with its access-token value cleared
     */
    @Override
    public OAuth2AccessToken getAccessToken(ClientDetails clientDetails, TokenRequest tokenRequest) {
        String clientIdParameter = (String) tokenRequest.getRequestParameters().get("client_id");
        ClientDetails clientIdClient = this.clientDetailsService.loadClientByClientId(clientIdParameter, IdentityZoneHolder.get().getId());
        OAuth2AccessToken issued = super.getAccessToken(clientIdClient, tokenRequest);
        return prepareForSerialization((DefaultOAuth2AccessToken) issued);
    }
}
