package com.evolveum.midpoint.authentication.impl.provider;

import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.module.authentication.HttpModuleAuthentication;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:com/evolveum/midpoint/authentication/impl/provider/OidcResourceServerProvider.class */
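/**
 * Authentication provider for the OIDC "resource server" module: validates a bearer JWT with
 * Spring Security's {@link JwtAuthenticationProvider} and then maps the resulting subject name
 * onto a midPoint principal via the inherited {@code getPreAuthenticationToken(...)}.
 *
 * <p>Every failure is audited as a login failure before the exception is propagated; a failure
 * during the midPoint-side lookup additionally records the bearer token on the processing
 * {@link HttpModuleAuthentication} so the module sees which authentication was attempted.
 */
public class OidcResourceServerProvider extends RemoteModuleProvider {
    private static final Trace LOGGER = TraceManager.getTrace((Class<?>) OidcResourceServerProvider.class);
    private final JwtAuthenticationProvider oidcProvider;

    /**
     * @param jwtDecoder decoder that verifies the JWT signature/claims
     * @param jwtAuthenticationConverter converter producing the Spring authentication from a decoded JWT
     */
    public OidcResourceServerProvider(JwtDecoder jwtDecoder, JwtAuthenticationConverter jwtAuthenticationConverter) {
        this.oidcProvider = new JwtAuthenticationProvider(jwtDecoder);
        this.oidcProvider.setJwtAuthenticationConverter(jwtAuthenticationConverter);
    }

    /**
     * Authenticates a {@link BearerTokenAuthenticationToken}.
     *
     * @param authentication the incoming bearer-token authentication; anything else is rejected
     * @param list passed through to {@code getPreAuthenticationToken}
     * @param authenticationChannel passed through to {@code getPreAuthenticationToken}
     * @param cls passed through to {@code getPreAuthenticationToken}
     * @return the pre-authenticated midPoint token for the JWT subject
     * @throws AuthenticationException when the token is of the wrong type, fails JWT validation,
     *         carries no subject name, or the midPoint principal cannot be resolved
     */
    @Override // com.evolveum.midpoint.authentication.impl.provider.MidPointAbstractAuthenticationProvider
    protected Authentication internalAuthentication(Authentication authentication, List list, AuthenticationChannel authenticationChannel, Class cls) throws AuthenticationException {
        if (!(authentication instanceof BearerTokenAuthenticationToken)) {
            LOGGER.error("Unsupported authentication {}", authentication);
            throw new AuthenticationServiceException("web.security.provider.unavailable");
        }
        BearerTokenAuthenticationToken bearerTokenAuthenticationToken = (BearerTokenAuthenticationToken) authentication;
        try {
            // Signature/claim validation happens here; a bad token surfaces as an AuthenticationException
            // and is audited by the outer catch. The result is used only through the Authentication
            // interface, so a converter that returns a non-JwtAuthenticationToken subtype cannot cause
            // a ClassCastException (which would not be audited).
            Authentication jwtAuthentication = this.oidcProvider.authenticate(bearerTokenAuthenticationToken);
            HttpModuleAuthentication httpModuleAuthentication = (HttpModuleAuthentication) AuthUtil.getProcessingModule();
            try {
                String name = jwtAuthentication.getName();
                if (StringUtils.isEmpty(name)) {
                    LOGGER.error("Username from jwt token don't contains value");
                    throw new AuthenticationServiceException("web.security.provider.invalid");
                }
                PreAuthenticatedAuthenticationToken preAuthenticationToken = getPreAuthenticationToken(name, cls, list, authenticationChannel);
                // Log the resolved subject name, not authentication.getPrincipal(): for a
                // BearerTokenAuthenticationToken the principal is the raw bearer token itself,
                // which must never end up in the log.
                LOGGER.debug("User '{}' authenticated ({}), authorities: {}", name, authentication.getClass().getSimpleName(), ((MidPointPrincipal) preAuthenticationToken.getPrincipal()).getAuthorities());
                return preAuthenticationToken;
            } catch (AuthenticationException e) {
                // Remember the attempted bearer authentication on the module before propagating.
                httpModuleAuthentication.setAuthentication(bearerTokenAuthenticationToken);
                LOGGER.info("Authentication with oidc module failed: {}", e.getMessage());
                throw e;
            }
        } catch (AuthenticationException e2) {
            getAuditProvider().auditLoginFailure(null, null, createConnectEnvironment(getChannel()), e2.getMessage());
            throw e2;
        }
    }

    /** Delegates to the wrapped {@link JwtAuthenticationProvider} (bearer-token authentications only). */
    @Override // org.springframework.security.authentication.AuthenticationProvider
    public boolean supports(Class cls) {
        return this.oidcProvider.supports(cls);
    }
}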
