package com.mulesoft.modules.oauth2.provider.internal.token;

import com.mulesoft.modules.oauth2.provider.api.token.AccessTokenStoreHolder;
import com.mulesoft.modules.oauth2.provider.api.token.Token;
import com.mulesoft.modules.oauth2.provider.internal.OAuth2ProviderSecurityException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.mule.runtime.api.security.Authentication;
import org.mule.runtime.api.security.SecurityException;
import org.mule.runtime.core.api.security.AbstractSecurityProvider;

/* loaded from: input_file:com/mulesoft/modules/oauth2/provider/internal/token/TokenSecurityProvider.class */
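/**
 * Security provider that authenticates {@link TokenAuthentication} requests against the access
 * tokens held by a {@link TokenManager}.
 *
 * <p>A request is accepted only when the presented token resolves to a non-expired
 * {@link AccessTokenStoreHolder}, any requested resource-owner roles and scopes overlap with the
 * ones granted to that token, the stored token value equals the presented one, and the token
 * manager does not report the token as expired.
 */
public class TokenSecurityProvider extends AbstractSecurityProvider {
    public static final String NAME = "tokenSecurityProvider";
    private final TokenManager tokenManager;

    /**
     * @param str prefix for the provider name; the registered name is {@code str + "." + NAME}
     * @param tokenManager store used to look up and validate access tokens
     */
    public TokenSecurityProvider(String str, TokenManager tokenManager) {
        super(str + "." + NAME);
        this.tokenManager = tokenManager;
    }

    /**
     * @param cls authentication class to check
     * @return {@code true} when {@code cls} is {@link TokenAuthentication} or a subtype of it
     */
    @Override
    public boolean supports(Class<?> cls) {
        return TokenAuthentication.class.isAssignableFrom(cls);
    }

    /**
     * Validates a token-based authentication request.
     *
     * @param authentication the incoming request; must be a {@link TokenAuthentication}
     * @return a copy of the request carrying the resolved {@link AccessTokenStoreHolder}
     * @throws OAuth2ProviderSecurityException if the authentication is null or not a
     *     {@link TokenAuthentication}
     * @throws UnauthorizedSecurityException if the token is unknown, expired, does not match the
     *     stored value, or none of the requested resource-owner roles were granted
     * @throws ForbiddenSecurityException if none of the requested scopes were granted
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws SecurityException {
        // A null request is treated as unsupported rather than surfacing as a NullPointerException.
        if (authentication == null || !supports(authentication.getClass())) {
            throw new OAuth2ProviderSecurityException("Provider can't authenticate token class");
        }
        TokenAuthentication tokenAuthentication = (TokenAuthentication) authentication;
        String token = tokenAuthentication.getToken();
        AccessTokenStoreHolder holder = this.tokenManager.getNonExpiredAccessTokenHolder(token);
        if (holder == null) {
            // The presented token is deliberately not echoed: the message can reach logs or a
            // client response, and a bearer token is a credential.
            throw new UnauthorizedSecurityException("The token received is not valid");
        }

        // Roles and scopes are only enforced when the request asks for some; an empty request
        // set means "no restriction", and a single overlapping element is enough.
        Set<String> requestedRoles = tokenAuthentication.getResourceOwnerRoles();
        if (isNotEmpty(requestedRoles)) {
            Collection<?> grantedRoles = holder.getResourceOwnerAuthentication() == null
                    ? Collections.emptySet()
                    : holder.getResourceOwnerAuthentication().getRoles();
            if (Collections.disjoint(requestedRoles, grantedRoles)) {
                throw new UnauthorizedSecurityException("Resource owner roles do not match");
            }
        }
        Set<String> requestedScopes = tokenAuthentication.getScopes();
        if (isNotEmpty(requestedScopes)
                && Collections.disjoint(requestedScopes, holder.getAccessToken().getScopes())) {
            throw new ForbiddenSecurityException("Scopes do not match");
        }

        Token accessToken = holder.getAccessToken();
        if (!constantTimeEquals(token, accessToken.getAccessToken())) {
            throw new UnauthorizedSecurityException("Tokens do not match");
        }
        // Re-check expiry against the manager even though the holder lookup was "non-expired":
        // the token may have expired between the lookup and this point.
        if (this.tokenManager.isTokenExpired(accessToken.getAccessToken())) {
            throw new UnauthorizedSecurityException("The token is expired");
        }
        return TokenAuthentication.builder(tokenAuthentication).withTokenHolder(holder).build();
    }

    /** Null-safe "has at least one element" check. */
    private static boolean isNotEmpty(Collection<?> c) {
        return c != null && !c.isEmpty();
    }

    /**
     * Compares a presented token with the stored one without short-circuiting on the first
     * differing byte, so that response timing does not reveal how much of the token matched.
     *
     * @param presented token supplied by the caller; {@code null} never matches
     * @param stored token value held in the store; {@code null} never matches
     * @return {@code true} only when both are non-null and byte-for-byte equal as UTF-8
     */
    private static boolean constantTimeEquals(String presented, String stored) {
        if (presented == null || stored == null) {
            return false;
        }
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8), stored.getBytes(StandardCharsets.UTF_8));
    }
}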
