package org.springframework.security.oauth2.server.authorization.web;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import org.springframework.core.log.LogMessage;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientMetadataClaimNames;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeRequestAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationConsentAuthenticationConverter;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.DelegatingAuthenticationConverter;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.util.RedirectUrlBuilder;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.class */
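/**
 * Servlet filter that processes requests sent to the OAuth 2.0 authorization endpoint.
 *
 * <p>For a matching request the filter converts the request into an {@link Authentication},
 * hands it to the {@link AuthenticationManager}, and then does one of the following:
 * <ul>
 *   <li>continues the filter chain when the result is not authenticated,</li>
 *   <li>sends the user agent to a consent page when the result is an
 *       {@link OAuth2AuthorizationConsentAuthenticationToken},</li>
 *   <li>invokes the success handler (by default a redirect carrying {@code code} and
 *       {@code state}),</li>
 *   <li>invokes the failure handler when an {@link OAuth2AuthenticationException} is thrown.</li>
 * </ul>
 *
 * <p>Security note: this filter does not itself validate {@code redirect_uri}, {@code client_id}
 * or {@code scope}. Every redirect target it uses is read from the token returned (or carried by
 * the exception thrown) by the {@link AuthenticationManager}, so those checks must live in the
 * configured authentication providers.
 */
public final class OAuth2AuthorizationEndpointFilter extends OncePerRequestFilter {
    private static final String DEFAULT_AUTHORIZATION_ENDPOINT_URI = "/oauth2/authorize";
    private final AuthenticationManager authenticationManager;
    private final RequestMatcher authorizationEndpointMatcher;
    private final RedirectStrategy redirectStrategy;
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;
    private AuthenticationConverter authenticationConverter;
    private AuthenticationSuccessHandler authenticationSuccessHandler;
    private AuthenticationFailureHandler authenticationFailureHandler;
    private SessionAuthenticationStrategy sessionAuthenticationStrategy;
    // Optional custom consent page; when blank the generated consent screen is used.
    private String consentPage;

    /**
     * Creates the filter for the default endpoint URI {@code /oauth2/authorize}.
     *
     * @param authenticationManager the manager that authenticates authorization requests
     */
    public OAuth2AuthorizationEndpointFilter(AuthenticationManager authenticationManager) {
        this(authenticationManager, DEFAULT_AUTHORIZATION_ENDPOINT_URI);
    }

    /**
     * Creates the filter for a specific endpoint URI.
     *
     * @param authenticationManager the manager that authenticates authorization requests
     * @param authorizationEndpointUri the path pattern of the authorization endpoint
     * @throws IllegalArgumentException if the manager is {@code null} or the URI has no text
     */
    public OAuth2AuthorizationEndpointFilter(AuthenticationManager authenticationManager, String authorizationEndpointUri) {
        Assert.notNull(authenticationManager, "authenticationManager cannot be null");
        Assert.hasText(authorizationEndpointUri, "authorizationEndpointUri cannot be empty");
        this.authenticationManager = authenticationManager;
        this.authorizationEndpointMatcher = createDefaultRequestMatcher(authorizationEndpointUri);
        this.redirectStrategy = new DefaultRedirectStrategy();
        this.authenticationDetailsSource = new WebAuthenticationDetailsSource();
        this.authenticationConverter = new DelegatingAuthenticationConverter(Arrays.asList(
                new OAuth2AuthorizationCodeRequestAuthenticationConverter(),
                new OAuth2AuthorizationConsentAuthenticationConverter()));
        this.authenticationSuccessHandler = this::sendAuthorizationResponse;
        this.authenticationFailureHandler = this::sendErrorResponse;
        // Default session strategy is a no-op; replace it through the setter when needed.
        this.sessionAuthenticationStrategy = (authentication, request, response) -> {
        };
    }

    /**
     * Builds the matcher deciding which requests this filter handles.
     *
     * <p>The result accepts GET requests on the endpoint, POST requests carrying a
     * {@code response_type} parameter, and POST requests without one (presumably the consent
     * form submission, given the consent converter registered by default).
     */
    private static RequestMatcher createDefaultRequestMatcher(String authorizationEndpointUri) {
        RequestMatcher getMatcher = new AntPathRequestMatcher(authorizationEndpointUri, HttpMethod.GET.name());
        RequestMatcher postMatcher = new AntPathRequestMatcher(authorizationEndpointUri, HttpMethod.POST.name());
        RequestMatcher hasResponseType = request -> request.getParameter("response_type") != null;

        RequestMatcher authorizationRequestMatcher =
                new OrRequestMatcher(getMatcher, new AndRequestMatcher(postMatcher, hasResponseType));
        RequestMatcher authorizationConsentMatcher =
                new AndRequestMatcher(postMatcher, new NegatedRequestMatcher(hasResponseType));
        return new OrRequestMatcher(authorizationRequestMatcher, authorizationConsentMatcher);
    }

    /**
     * Handles one request: authenticates it and dispatches to consent, success or failure
     * handling. Requests that do not match the endpoint are passed down the chain untouched.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
        if (!this.authorizationEndpointMatcher.matches(request)) {
            filterChain.doFilter(request, response);
            return;
        }
        try {
            // The converter is declared to return Authentication, so the variable has that type;
            // details are attached only when the concrete token supports setDetails().
            // The converter result is handed to the manager as-is, without a null check.
            Authentication authentication = this.authenticationConverter.convert(request);
            if (authentication instanceof AbstractAuthenticationToken) {
                ((AbstractAuthenticationToken) authentication)
                        .setDetails(this.authenticationDetailsSource.buildDetails(request));
            }
            Authentication authenticationResult = this.authenticationManager.authenticate(authentication);
            if (!authenticationResult.isAuthenticated()) {
                // Not authenticated: let the rest of the chain deal with the request
                // (presumably so the resource owner can be asked to log in; confirm).
                filterChain.doFilter(request, response);
                return;
            }
            if (authenticationResult instanceof OAuth2AuthorizationConsentAuthenticationToken) {
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("Authorization consent is required");
                }
                // NOTE(review): assumes the converted request is an authorization code request
                // token; a custom converter returning another type fails this cast.
                sendAuthorizationConsent(request, response,
                        (OAuth2AuthorizationCodeRequestAuthenticationToken) authentication,
                        (OAuth2AuthorizationConsentAuthenticationToken) authenticationResult);
                return;
            }
            this.sessionAuthenticationStrategy.onAuthentication(authenticationResult, request, response);
            this.authenticationSuccessHandler.onAuthenticationSuccess(request, response, authenticationResult);
        } catch (OAuth2AuthenticationException ex) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(LogMessage.format("Authorization request failed: %s", ex.getError()), ex);
            }
            this.authenticationFailureHandler.onAuthenticationFailure(request, response, ex);
        }
    }

    /**
     * Sets the source of the details object attached to the converted authentication request.
     *
     * @param authenticationDetailsSource the details source, never {@code null}
     */
    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource cannot be null");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    /**
     * Sets the converter that turns the HTTP request into an {@link Authentication}.
     *
     * @param authenticationConverter the converter, never {@code null}
     */
    public void setAuthenticationConverter(AuthenticationConverter authenticationConverter) {
        Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
        this.authenticationConverter = authenticationConverter;
    }

    /**
     * Sets the handler invoked after a successful, non-consent authentication result.
     *
     * @param authenticationSuccessHandler the handler, never {@code null}
     */
    public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
        Assert.notNull(authenticationSuccessHandler, "authenticationSuccessHandler cannot be null");
        this.authenticationSuccessHandler = authenticationSuccessHandler;
    }

    /**
     * Sets the handler invoked when an {@link OAuth2AuthenticationException} is caught.
     *
     * @param authenticationFailureHandler the handler, never {@code null}
     */
    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        Assert.notNull(authenticationFailureHandler, "authenticationFailureHandler cannot be null");
        this.authenticationFailureHandler = authenticationFailureHandler;
    }

    /**
     * Sets the strategy invoked before the success handler for a non-consent result.
     *
     * @param sessionAuthenticationStrategy the strategy, never {@code null}
     */
    public void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthenticationStrategy) {
        Assert.notNull(sessionAuthenticationStrategy, "sessionAuthenticationStrategy cannot be null");
        this.sessionAuthenticationStrategy = sessionAuthenticationStrategy;
    }

    /**
     * Sets a custom consent page. The value may be an absolute URL or a path; a blank or
     * {@code null} value selects the generated consent screen.
     *
     * <p>The user agent is redirected to this location with {@code scope}, {@code client_id}
     * and {@code state} in the query string, so the value should come from trusted
     * configuration only.
     *
     * @param consentPage the consent page location, may be {@code null}
     */
    public void setConsentPage(String consentPage) {
        this.consentPage = consentPage;
    }

    /**
     * Asks the resource owner for consent, either by redirecting to the configured consent
     * page or by rendering the generated one.
     */
    private void sendAuthorizationConsent(HttpServletRequest request, HttpServletResponse response, OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication, OAuth2AuthorizationConsentAuthenticationToken authorizationConsentAuthentication) throws IOException {
        String clientId = authorizationConsentAuthentication.getClientId();
        Authentication principal = (Authentication) authorizationConsentAuthentication.getPrincipal();
        Set<String> requestedScopes = authorizationCodeRequestAuthentication.getScopes();
        Set<String> authorizedScopes = authorizationConsentAuthentication.getScopes();
        String state = authorizationConsentAuthentication.getState();

        if (hasConsentUri()) {
            // Parameter names are taken from OidcClientMetadataClaimNames, as in this listing.
            String redirectUri = UriComponentsBuilder.fromUriString(resolveConsentUri(request))
                    .queryParam(OidcClientMetadataClaimNames.SCOPE, String.join(" ", requestedScopes))
                    .queryParam(OidcClientMetadataClaimNames.CLIENT_ID, clientId)
                    .queryParam("state", state)
                    .toUriString();
            this.redirectStrategy.sendRedirect(request, response, redirectUri);
            return;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Displaying generated consent screen");
        }
        DefaultConsentPage.displayConsent(request, response, clientId, principal, requestedScopes, authorizedScopes, state, Collections.emptyMap());
    }

    /** Returns whether a custom consent page has been configured. */
    private boolean hasConsentUri() {
        return StringUtils.hasText(this.consentPage);
    }

    /**
     * Resolves the configured consent page to an absolute URL.
     *
     * <p>An absolute value is returned unchanged. A relative value is completed with the
     * scheme, server name, port and context path of the current request.
     * NOTE(review): those values are derived from the incoming request, so the resulting
     * redirect is only as trustworthy as the Host / forwarded-header handling in front of
     * this application; confirm that it is restricted at the proxy or container.
     */
    private String resolveConsentUri(HttpServletRequest request) {
        if (UrlUtils.isAbsoluteUrl(this.consentPage)) {
            return this.consentPage;
        }
        RedirectUrlBuilder urlBuilder = new RedirectUrlBuilder();
        urlBuilder.setScheme(request.getScheme());
        urlBuilder.setServerName(request.getServerName());
        urlBuilder.setPort(request.getServerPort());
        urlBuilder.setContextPath(request.getContextPath());
        urlBuilder.setPathInfo(this.consentPage);
        return urlBuilder.getUrl();
    }

    /**
     * Default success handler: redirects to the token's redirect URI with the authorization
     * code and, when present, the {@code state} value.
     *
     * <p>The redirect URI is used exactly as returned by the token; this method performs no
     * validation of it. {@code state} is percent-encoded here and the URI is built with
     * {@code build(true)}, i.e. as already encoded; the code value is appended without
     * encoding and is presumably URI-safe by construction (confirm against the token generator).
     */
    private void sendAuthorizationResponse(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException {
        OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
                (OAuth2AuthorizationCodeRequestAuthenticationToken) authentication;
        UriComponentsBuilder uriBuilder = UriComponentsBuilder
                .fromUriString(authorizationCodeRequestAuthentication.getRedirectUri())
                .queryParam("code", authorizationCodeRequestAuthentication.getAuthorizationCode().getTokenValue());
        if (StringUtils.hasText(authorizationCodeRequestAuthentication.getState())) {
            uriBuilder.queryParam("state",
                    UriUtils.encode(authorizationCodeRequestAuthentication.getState(), StandardCharsets.UTF_8));
        }
        this.redirectStrategy.sendRedirect(request, response, uriBuilder.build(true).toUriString());
    }

    /**
     * Default failure handler: reports the error to the client through its redirect URI, or
     * with a 400 response when no redirect URI is available.
     *
     * <p>The redirect is sent only when the exception carries a request token with a
     * non-blank redirect URI; otherwise the error goes straight to the user agent
     * (presumably the provider leaves the redirect URI unset when it could not be
     * validated; confirm). NOTE(review): the handler casts to
     * {@link OAuth2AuthorizationCodeRequestAuthenticationException}; any other exception type
     * reaching it fails with a {@link ClassCastException}. The 400 message is
     * {@code OAuth2Error#toString()}, so check how the container's error page renders it.
     */
    private void sendErrorResponse(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException {
        OAuth2AuthorizationCodeRequestAuthenticationException authorizationCodeRequestAuthenticationException =
                (OAuth2AuthorizationCodeRequestAuthenticationException) exception;
        OAuth2Error error = authorizationCodeRequestAuthenticationException.getError();
        OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
                authorizationCodeRequestAuthenticationException.getAuthorizationCodeRequestAuthentication();

        if (authorizationCodeRequestAuthentication == null
                || !StringUtils.hasText(authorizationCodeRequestAuthentication.getRedirectUri())) {
            response.sendError(HttpStatus.BAD_REQUEST.value(), error.toString());
            return;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Redirecting to client with error");
        }
        UriComponentsBuilder uriBuilder = UriComponentsBuilder
                .fromUriString(authorizationCodeRequestAuthentication.getRedirectUri())
                .queryParam("error", error.getErrorCode());
        if (StringUtils.hasText(error.getDescription())) {
            uriBuilder.queryParam("error_description", UriUtils.encode(error.getDescription(), StandardCharsets.UTF_8));
        }
        if (StringUtils.hasText(error.getUri())) {
            uriBuilder.queryParam("error_uri", UriUtils.encode(error.getUri(), StandardCharsets.UTF_8));
        }
        if (StringUtils.hasText(authorizationCodeRequestAuthentication.getState())) {
            uriBuilder.queryParam("state",
                    UriUtils.encode(authorizationCodeRequestAuthentication.getState(), StandardCharsets.UTF_8));
        }
        this.redirectStrategy.sendRedirect(request, response, uriBuilder.build(true).toUriString());
    }
}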
