package pl.touk.widerest.security.oauth2;

import java.util.Set;
import javax.annotation.Resource;
import org.broadleafcommerce.openadmin.server.security.service.AdminUserDetails;
import org.broadleafcommerce.profile.core.domain.Customer;
import org.broadleafcommerce.profile.core.service.CustomerService;
import org.broadleafcommerce.profile.core.service.CustomerUserDetails;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.oauth2.common.exceptions.InvalidScopeException;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestValidator;
import org.springframework.stereotype.Service;

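/**
 * Extends the default OAuth2 request validation with a check that the currently
 * authenticated principal is of the kind the requested scopes demand: customer scopes
 * require a {@link CustomerUserDetails} principal (registered-customer scopes additionally
 * require the backing customer record to be registered), and staff scopes require an
 * {@link AdminUserDetails} principal. A mismatch is reported as
 * {@link InsufficientAuthenticationException} so the caller is forced to re-authenticate
 * instead of obtaining a token whose scope its principal cannot back.
 */
@Service
public class PrincipalMatchOAuth2RequestValidator extends DefaultOAuth2RequestValidator {

    @Resource
    private CustomerService customerService;

    /**
     * Validates the requested scopes against the client (default behaviour) and then
     * against the principal held in the current {@link SecurityContextHolder}.
     *
     * @param authorizationRequest the authorization request whose scopes are checked
     * @param clientDetails the client making the request
     * @throws InvalidScopeException when the default validation rejects the scopes
     * @throws InsufficientAuthenticationException when no authenticated {@link User}
     *         principal is available, or the principal does not satisfy the requested scopes
     */
    @Override
    public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails clientDetails) throws InvalidScopeException {
        super.validateScope(authorizationRequest, clientDetails);
        final Object principal = currentPrincipal();
        // A missing authentication or a non-User principal (such as an anonymous principal)
        // is an authentication problem and must be reported as one, rather than escaping as a
        // NullPointerException or ClassCastException from the cast below.
        if (!(principal instanceof User)) {
            throw new InsufficientAuthenticationException("No authenticated user principal available for the requested scope");
        }
        forceNewAuthenticationIfPrincipalIsNotValidForScope((User) principal, authorizationRequest.getScope());
    }

    /**
     * Checks that {@code user} is allowed to hold every scope in {@code set}.
     *
     * @param user the authenticated principal
     * @param set the requested scopes; {@code null} or empty means there is nothing to match
     * @throws InsufficientAuthenticationException when a customer scope is requested by a
     *         non-customer principal, a registered-customer scope by a customer that is not
     *         registered (or whose record cannot be found), or a staff scope by a non-admin
     *         principal
     */
    protected void forceNewAuthenticationIfPrincipalIsNotValidForScope(User user, Set<String> set) {
        if (set == null || set.isEmpty()) {
            return; // nothing requested, nothing to match
        }
        for (String scope : set) {
            if (Scope.CUSTOMER.matches(scope)) {
                if (!(user instanceof CustomerUserDetails)) {
                    throw new InsufficientAuthenticationException("Not logged in as a customer");
                }
                // The customer record is only needed for the registered-customer check, so the
                // lookup is skipped for plain customer scopes.
                if (Scope.CUSTOMER_REGISTERED.matches(scope) && !isRegisteredCustomer((CustomerUserDetails) user)) {
                    throw new InsufficientAuthenticationException("Not logged in as a registered customer");
                }
            } else if (Scope.STAFF.matches(scope) && !(user instanceof AdminUserDetails)) {
                throw new InsufficientAuthenticationException("Not logged in as an admin user");
            }
        }
    }

    /**
     * Looks up the customer behind {@code customerUser} and reports whether it is registered.
     * A principal whose customer record cannot be found is treated as not registered rather
     * than dereferencing a {@code null} result.
     */
    private boolean isRegisteredCustomer(CustomerUserDetails customerUser) {
        final Customer customer = this.customerService.readCustomerById(customerUser.getId());
        return customer != null && customer.isRegistered();
    }

    /**
     * Returns the principal of the current security context, or {@code null} when no
     * authentication is present.
     */
    private static Object currentPrincipal() {
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            return null;
        }
        return SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    }

    /**
     * Applies only the default scope validation to token requests.
     *
     * @param tokenRequest the token request whose scopes are checked
     * @param clientDetails the client making the request
     * @throws InvalidScopeException when the default validation rejects the scopes
     */
    @Override
    public void validateScope(TokenRequest tokenRequest, ClientDetails clientDetails) throws InvalidScopeException {
        // NOTE(review): the principal/scope match is not repeated for token requests here;
        // confirm that this is intended for every grant type the server enables.
        super.validateScope(tokenRequest, clientDetails);
    }
}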
