package org.springframework.security.oauth2.provider.endpoint;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.Principal;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.exceptions.UnapprovedClientAuthenticationException;
import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException;
import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.AuthorizationRequestHolder;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.stereotype.Controller;
import org.springframework.util.Assert;
import org.springframework.web.HttpSessionRequiredException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.SessionStatus;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.view.RedirectView;

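/**
 * Endpoint for the OAuth2 authorization step. It validates the incoming
 * authorization request, sends the user to an approval page when the
 * {@link UserApprovalHandler} has not already approved the client, and on
 * approval redirects back to the client with either an authorization code
 * ({@code response_type=code}, delivered in the query string) or an access
 * token ({@code response_type=token}, delivered in the URI fragment).
 * <p>
 * The pending {@link AuthorizationRequest} is kept as a session attribute
 * between {@link #authorize} and {@link #approveOrDeny}; every path that
 * leaves the approval flow calls {@link SessionStatus#setComplete()} so the
 * attribute does not outlive the flow. A POST to {@link #approveOrDeny}
 * without that attribute fails with {@link HttpSessionRequiredException},
 * which {@link #handleException} turns into a 403.
 * <p>
 * All values appended to a client redirect URI (code, state, token fields,
 * error code and description, additional error information) are URL-encoded,
 * since several of them originate from the request or from exception messages
 * and must not be able to smuggle extra parameters into the redirect.
 * <p>
 * Listing reconstructed from a decompiled class file (JADX); the original
 * source-level names of locals and parameters are not preserved.
 */
@RequestMapping({"/oauth/authorize"})
@SessionAttributes(types = {AuthorizationRequest.class})
@Controller
public class AuthorizationEndpoint extends AbstractEndpoint implements InitializingBean {
    /** Name of the form parameter carrying the user's approve/deny decision. */
    public static final String USER_OAUTH_APPROVAL = "user_oauth_approval";

    /** Required; used to look up the client's registered redirect URIs. */
    private ClientDetailsService clientDetailsService;
    /** Issues authorization codes; the in-memory default is replaced via the setter. */
    private AuthorizationCodeServices authorizationCodeServices = new InMemoryAuthorizationCodeServices();
    /** Validates the requested redirect URI against the client's registration. */
    private RedirectResolver redirectResolver = new DefaultRedirectResolver();
    /** Decides whether a request is already approved and may skip the approval page. */
    private UserApprovalHandler userApprovalHandler = new DefaultUserApprovalHandler();
    /** View name shown when user approval is required. */
    private String userApprovalPage = "forward:/oauth/confirm_access";

    /**
     * Fails fast at startup when no {@link ClientDetailsService} was wired in,
     * since every request needs it to resolve the client's redirect URI.
     *
     * @throws Exception propagated from {@link AbstractEndpoint#afterPropertiesSet()}
     */
    @Override // org.springframework.security.oauth2.provider.endpoint.AbstractEndpoint
    public void afterPropertiesSet() throws Exception {
        super.afterPropertiesSet();
        Assert.state(this.clientDetailsService != null, "ClientDetailsService must be provided");
    }

    /**
     * Handles the initial authorization request (any request to
     * {@code /oauth/authorize} that carries a {@code response_type} parameter).
     * <p>
     * If the {@link UserApprovalHandler} has not pre-approved the request, the
     * resolved request is stored in the model under {@code "authorizationRequest"}
     * (and thereby in the session, see {@code @SessionAttributes}) and the
     * approval page is returned; the session attribute is deliberately left in
     * place on that path so that {@link #approveOrDeny} can pick it up. On every
     * other exit the session attribute is completed.
     *
     * @param model the Spring MVC model
     * @param responseType the raw {@code response_type} parameter (space-separated list)
     * @param parameters all request parameters, used to build the {@link AuthorizationRequest}
     * @param sessionStatus used to drop the session attribute when the flow ends
     * @param principal the current user; must be an authenticated {@link Authentication}
     * @return the approval page, or a redirect to the client carrying the code or token
     * @throws InvalidClientException if no {@code client_id} was supplied
     * @throws InsufficientAuthenticationException if there is no authenticated user
     * @throws UnsupportedGrantTypeException if {@code response_type} is neither {@code code} nor {@code token}
     */
    @RequestMapping(params = {"response_type"})
    public ModelAndView authorize(Map<String, Object> model, @RequestParam("response_type") String responseType,
            @RequestParam Map<String, String> parameters, SessionStatus sessionStatus, Principal principal) {
        AuthorizationRequest authorizationRequest = new AuthorizationRequest(parameters);
        if (authorizationRequest.getClientId() == null) {
            sessionStatus.setComplete();
            throw new InvalidClientException("A client_id must be supplied.");
        }
        if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
            sessionStatus.setComplete();
            throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorization can be completed.");
        }
        Authentication user = (Authentication) principal;
        Set<String> responseTypes = OAuth2Utils.parseParameterList(responseType);
        try {
            AuthorizationRequest resolved = resolveRedirectUri(authorizationRequest);
            if (!this.userApprovalHandler.isApproved(resolved, user)) {
                // Not pre-approved: park the resolved request in the session and ask the user.
                // No setComplete() here -- approveOrDeny() needs the attribute and completes it.
                model.put("authorizationRequest", resolved);
                return getUserApprovalPageResponse(model, resolved);
            }
            if (responseTypes.contains("token")) {
                return getImplicitGrantResponse(resolved.approved(true));
            }
            if (responseTypes.contains("code")) {
                return new ModelAndView(getAuthorizationCodeResponse(resolved.approved(true), user));
            }
            throw new UnsupportedGrantTypeException("Unsupported response type: " + responseTypes);
        } catch (RuntimeException e) {
            // Any failure ends the flow; do not leave a half-built request in the session.
            sessionStatus.setComplete();
            throw e;
        }
    }

    /**
     * Handles the approval form submitted from the user approval page.
     * <p>
     * The user's decision is honoured for both response types: a denial of an
     * implicit ({@code token}) request is answered with an {@code access_denied}
     * error redirect instead of a token, and a denial of a {@code code} request is
     * turned into the same error by {@link #generateCode}. The session attribute is
     * completed on every exit, including exceptions.
     * <p>
     * NOTE(review): {@code @ModelAttribute} also data-binds request parameters onto
     * the session-scoped request object before this method runs; confirm that
     * {@link AuthorizationRequest} exposes no setters a form could overwrite
     * (scope, redirect URI) between the approval page and this handler.
     *
     * @param approved the user's decision from the {@value #USER_OAUTH_APPROVAL} form field
     * @param authorizationRequest the pending request stored in the session by {@link #authorize}
     * @param sessionStatus used to drop the session attribute when this method returns
     * @param principal the current user; must be an authenticated {@link Authentication}
     * @return a redirect to the client carrying the code, the token, or an error
     * @throws InvalidClientException if the stored request has no {@code client_id}
     * @throws InsufficientAuthenticationException if there is no authenticated user
     */
    @RequestMapping(method = {RequestMethod.POST})
    public View approveOrDeny(@RequestParam(USER_OAUTH_APPROVAL) boolean approved,
            @ModelAttribute AuthorizationRequest authorizationRequest, SessionStatus sessionStatus,
            Principal principal) {
        if (authorizationRequest.getClientId() == null) {
            sessionStatus.setComplete();
            throw new InvalidClientException("A client_id must be supplied.");
        }
        // Same check as authorize(): a bare Principal or an unauthenticated token must not
        // be able to complete the approval step.
        if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
            sessionStatus.setComplete();
            throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorizing an access token.");
        }
        Authentication user = (Authentication) principal;
        try {
            Set<String> responseTypes = authorizationRequest.getResponseTypes();
            AuthorizationRequest resolved = resolveRedirectUri(authorizationRequest);
            if (responseTypes.contains("token")) {
                if (!approved) {
                    // A denied implicit request must not be answered with a token.
                    UserDeniedAuthorizationException denied = new UserDeniedAuthorizationException(
                            "User denied authorization of the implicit grant.");
                    if (resolved.getState() != null) {
                        denied.addAdditionalInformation("state", resolved.getState());
                    }
                    return new RedirectView(getUnsuccessfulRedirect(resolved, denied), false);
                }
                return getImplicitGrantResponse(resolved.approved(true)).getView();
            }
            return getAuthorizationCodeResponse(resolved.approved(approved), user);
        } finally {
            // The approval flow is over either way; drop the session attribute.
            sessionStatus.setComplete();
        }
    }

    /**
     * Replaces the request's redirect URI with the one the {@link RedirectResolver}
     * accepts for the registered client.
     *
     * @throws OAuth2Exception if the client is unknown or the redirect URI is not acceptable
     */
    private AuthorizationRequest resolveRedirectUri(AuthorizationRequest authorizationRequest) throws OAuth2Exception {
        String requested = authorizationRequest.getRedirectUri();
        String accepted = this.redirectResolver.resolveRedirect(requested,
                this.clientDetailsService.loadClientByClientId(authorizationRequest.getClientId()));
        return authorizationRequest.resolveRedirectUri(accepted);
    }

    /** Builds the approval page view, exposing the request parameters in the model. */
    private ModelAndView getUserApprovalPageResponse(Map<String, Object> model, AuthorizationRequest authorizationRequest) {
        this.logger.debug("Loading user approval page: " + this.userApprovalPage);
        model.putAll(authorizationRequest.getParameters());
        return new ModelAndView(this.userApprovalPage, model);
    }

    /**
     * Obtains an access token through the {@code implicit} granter and redirects to the
     * client with the token in the URI fragment; on an {@link OAuth2Exception} the client
     * is redirected with an error instead.
     */
    private ModelAndView getImplicitGrantResponse(AuthorizationRequest authorizationRequest) {
        try {
            OAuth2AccessToken token = getTokenGranter().grant("implicit", authorizationRequest.getParameters(),
                    authorizationRequest.getClientId(), authorizationRequest.getScope());
            if (token == null) {
                throw new UnsupportedGrantTypeException("Unsupported grant type: implicit");
            }
            return new ModelAndView(new RedirectView(appendAccessToken(authorizationRequest, token), false));
        } catch (OAuth2Exception e) {
            return new ModelAndView(new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e), false));
        }
    }

    /**
     * Issues an authorization code and redirects to the client with it; on an
     * {@link OAuth2Exception} (including denial) the client is redirected with an error.
     */
    private View getAuthorizationCodeResponse(AuthorizationRequest authorizationRequest, Authentication authentication) {
        try {
            String code = generateCode(authorizationRequest, authentication);
            return new RedirectView(getSuccessfulRedirect(authorizationRequest, code), false);
        } catch (OAuth2Exception e) {
            return new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e), false);
        }
    }

    /**
     * Appends the implicit-grant token fields to the redirect URI's fragment
     * ({@code access_token}, {@code token_type} and, when the token expires,
     * {@code expires_in} in seconds from now).
     *
     * @throws InvalidGrantException if no token was issued
     */
    private String appendAccessToken(AuthorizationRequest authorizationRequest, OAuth2AccessToken accessToken) {
        String redirectUri = authorizationRequest.getRedirectUri();
        if (accessToken == null) {
            throw new InvalidGrantException("An implicit grant could not be made");
        }
        StringBuilder url = new StringBuilder(redirectUri);
        // Token goes in the fragment; join onto an existing fragment if the URI has one.
        url.append(redirectUri.contains("#") ? '&' : '#');
        url.append("access_token=").append(encode(accessToken.getValue()));
        url.append("&token_type=").append(encode(accessToken.getTokenType()));
        Date expiration = accessToken.getExpiration();
        if (expiration != null) {
            long expiresInSeconds = (expiration.getTime() - System.currentTimeMillis()) / 1000;
            url.append("&expires_in=").append(expiresInSeconds);
        }
        return url.toString();
    }

    /**
     * Creates an authorization code for an approved request.
     * <p>
     * Any {@link OAuth2Exception} raised here is decorated with the request's
     * {@code state} (when present) so the error redirect echoes it to the client.
     *
     * @throws UserDeniedAuthorizationException if the user denied the request
     * @throws UnapprovedClientAuthenticationException if the approval handler does not consider it approved
     */
    private String generateCode(AuthorizationRequest authorizationRequest, Authentication authentication) throws AuthenticationException {
        try {
            if (authorizationRequest.isDenied()) {
                throw new UserDeniedAuthorizationException("User denied authorization of the authorization code.");
            }
            if (!this.userApprovalHandler.isApproved(authorizationRequest, authentication)) {
                throw new UnapprovedClientAuthenticationException("The authorization hasn't been approved by the current user.");
            }
            return this.authorizationCodeServices.createAuthorizationCode(
                    new AuthorizationRequestHolder(authorizationRequest, authentication));
        } catch (OAuth2Exception e) {
            if (authorizationRequest.getState() != null) {
                e.addAdditionalInformation("state", authorizationRequest.getState());
            }
            throw e;
        }
    }

    /**
     * Builds the success redirect: the client's redirect URI with {@code code} and,
     * when present, {@code state} appended to the query string.
     *
     * @throws IllegalStateException if no code was generated
     */
    private String getSuccessfulRedirect(AuthorizationRequest authorizationRequest, String authorizationCode) {
        if (authorizationCode == null) {
            throw new IllegalStateException("No authorization code found in the current request scope.");
        }
        String redirectUri = authorizationRequest.getRedirectUri();
        String state = authorizationRequest.getState();
        StringBuilder url = new StringBuilder(redirectUri);
        url.append(redirectUri.indexOf('?') < 0 ? '?' : '&');
        url.append("code=").append(encode(authorizationCode));
        if (state != null) {
            // state is client-supplied; encode it so it cannot add parameters of its own
            url.append("&state=").append(encode(state));
        }
        return url.toString();
    }

    /**
     * Builds the error redirect: the client's redirect URI with {@code error},
     * {@code error_description} and any additional information (e.g. {@code state})
     * appended to the query string.
     *
     * @throws UnapprovedClientAuthenticationException if there is no redirect URI to send the error to
     */
    private String getUnsuccessfulRedirect(AuthorizationRequest authorizationRequest, OAuth2Exception failure) {
        if (authorizationRequest == null || authorizationRequest.getRedirectUri() == null) {
            throw new UnapprovedClientAuthenticationException("Authorization failure, and no redirect URI.", failure);
        }
        String redirectUri = authorizationRequest.getRedirectUri();
        StringBuilder url = new StringBuilder(redirectUri);
        url.append(redirectUri.indexOf('?') < 0 ? '?' : '&');
        url.append("error=").append(encode(failure.getOAuth2ErrorCode()));
        // The message may embed request-derived text; encode it rather than splice it raw.
        url.append("&error_description=").append(encode(failure.getMessage()));
        Map<String, String> additional = failure.getAdditionalInformation();
        if (additional != null) {
            for (Map.Entry<String, String> entry : additional.entrySet()) {
                url.append('&').append(encode(entry.getKey())).append('=').append(encode(entry.getValue()));
            }
        }
        return url.toString();
    }

    /**
     * URL-encodes one parameter value as UTF-8 for use in a query string or fragment.
     * A {@code null} value encodes to the empty string.
     */
    private static String encode(String value) {
        if (value == null) {
            return "";
        }
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is mandatory for every JVM; reaching this would be a platform defect.
            throw new IllegalStateException("UTF-8 encoding is not supported", e);
        }
    }

    /** Sets the view name used for the user approval page. */
    public void setUserApprovalPage(String userApprovalPage) {
        this.userApprovalPage = userApprovalPage;
    }

    /** Sets the (required) service used to load client registrations. */
    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /** Replaces the default in-memory authorization code store. */
    public void setAuthorizationCodeServices(AuthorizationCodeServices authorizationCodeServices) {
        this.authorizationCodeServices = authorizationCodeServices;
    }

    /** Replaces the default redirect URI validation strategy. */
    public void setRedirectResolver(RedirectResolver redirectResolver) {
        this.redirectResolver = redirectResolver;
    }

    /** Replaces the default approval strategy. */
    public void setUserApprovalHandler(UserApprovalHandler userApprovalHandler) {
        this.userApprovalHandler = userApprovalHandler;
    }

    /**
     * Answers a POST that arrives without the session-scoped {@link AuthorizationRequest}
     * (expired or never started flow) with a plain 403 instead of a stack trace.
     */
    @ExceptionHandler({HttpSessionRequiredException.class})
    public HttpEntity<String> handleException(HttpSessionRequiredException httpSessionRequiredException,
            ServletWebRequest servletWebRequest) throws Exception {
        return new ResponseEntity<String>("Invalid state", HttpStatus.FORBIDDEN);
    }
}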
