package org.springframework.security.oauth2.client.web;

import java.io.IOException;
import java.util.Collection;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationException;
import org.springframework.security.oauth2.client.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.client.authentication.OAuth2UserAuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationIdentifierStrategy;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.converter.AuthorizationResponseConverter;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.AuthorizationResponse;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.oidc.client.authentication.OidcClientAuthenticationToken;
import org.springframework.security.oauth2.oidc.client.authentication.OidcUserAuthenticationToken;
import org.springframework.security.oauth2.oidc.core.user.OidcUser;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/client/web/AuthorizationCodeAuthenticationFilter.class */
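/**
 * Processes the OAuth 2.0 authorization response (the redirect back from the provider)
 * for the authorization code grant.
 *
 * <p>The filter engages on any request that carries {@code state} together with either
 * {@code code} or {@code error}. The default matcher looks only at those parameters, not at
 * the request path. On the success path the callback is tied back to the saved
 * {@link AuthorizationRequest} by comparing {@code state} and the request URL.
 *
 * <p>The {@link ClientRegistrationRepository} has no default: the constructor does not
 * initialise it, so {@link #setClientRegistrationRepository} must be called before the filter
 * handles a request.
 */
public class AuthorizationCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    /** Default base URI for the authorization response; not referenced elsewhere in this class. */
    public static final String DEFAULT_AUTHORIZATION_RESPONSE_BASE_URI = "/oauth2/authorize/code";
    private static final String AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE = "authorization_request_not_found";
    private static final String CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE = "client_registration_not_found";
    private static final String INVALID_STATE_PARAMETER_ERROR_CODE = "invalid_state_parameter";
    private static final String INVALID_REDIRECT_URI_PARAMETER_ERROR_CODE = "invalid_redirect_uri_parameter";
    private final AuthorizationResponseConverter authorizationResponseConverter;
    private ClientRegistrationRepository clientRegistrationRepository;
    private RequestMatcher authorizationResponseMatcher;
    private AuthorizationRequestRepository authorizationRequestRepository;
    private final ClientRegistrationIdentifierStrategy<String> providerIdentifierStrategy;

    /**
     * Matches a request that looks like an authorization response: {@code state} plus either
     * {@code code} (success) or {@code error} (failure). No path or method check is made here.
     */
    private static class AuthorizationResponseMatcher implements RequestMatcher {
        private AuthorizationResponseMatcher() {
        }

        public boolean matches(HttpServletRequest httpServletRequest) {
            return successResponse(httpServletRequest) || errorResponse(httpServletRequest);
        }

        private boolean successResponse(HttpServletRequest request) {
            return hasParameter(request, "code") && hasParameter(request, "state");
        }

        private boolean errorResponse(HttpServletRequest request) {
            return hasParameter(request, "error") && hasParameter(request, "state");
        }

        private static boolean hasParameter(HttpServletRequest request, String name) {
            return StringUtils.hasText(request.getParameter(name));
        }
    }

    /**
     * Identifies a provider by its endpoints: the authorization URI, token URI and user-info
     * URI, each wrapped in square brackets and concatenated.
     */
    private static class ProviderIdentifierStrategy implements ClientRegistrationIdentifierStrategy<String> {
        private ProviderIdentifierStrategy() {
        }

        @Override
        public String getIdentifier(ClientRegistration clientRegistration) {
            // NOTE(review): getUserInfoEndpoint() is dereferenced unconditionally; a registration
            // without a user-info endpoint would fail here if that getter can return null.
            StringBuilder sb = new StringBuilder();
            sb.append("[").append(clientRegistration.getProviderDetails().getAuthorizationUri()).append("]");
            sb.append("[").append(clientRegistration.getProviderDetails().getTokenUri()).append("]");
            sb.append("[").append(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUri()).append("]");
            return sb.toString();
        }
    }

    /**
     * Creates the filter with the parameter-based response matcher, an
     * {@link HttpSessionAuthorizationRequestRepository} and the endpoint-based provider
     * identifier. The client registration repository is left unset.
     */
    public AuthorizationCodeAuthenticationFilter() {
        super(new AuthorizationResponseMatcher());
        this.authorizationResponseConverter = new AuthorizationResponseConverter();
        this.authorizationResponseMatcher = new AuthorizationResponseMatcher();
        this.authorizationRequestRepository = new HttpSessionAuthorizationRequestRepository();
        this.providerIdentifierStrategy = new ProviderIdentifierStrategy();
    }

    /**
     * Completes the authorization code flow for the current callback request.
     *
     * <p>Steps: convert the request into an {@link AuthorizationResponse}; on an error response
     * discard the saved request and fail; otherwise load and validate the saved
     * {@link AuthorizationRequest}, look up the client registration named by its
     * {@code registration_id} additional parameter, and authenticate an
     * {@link AuthorizationCodeAuthenticationToken} through the authentication manager.
     *
     * <p>If the current security context already holds an authenticated
     * {@link OAuth2UserAuthenticationToken} for the same provider, the existing principal and
     * authorities are reused with the new client authentication; otherwise a new user
     * authentication is submitted to the authentication manager.
     *
     * @param httpServletRequest the callback request
     * @param httpServletResponse the response (unused here)
     * @return the resulting user authentication
     * @throws AuthenticationException an {@link OAuth2AuthenticationException} when the provider
     *         reported an error, no saved request exists, the client registration cannot be
     *         found, or {@code state} / the request URL do not match the saved request
     */
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        AuthorizationResponse authorizationResponse = this.authorizationResponseConverter.apply(httpServletRequest);
        if (authorizationResponse.statusError()) {
            // NOTE(review): this branch runs before `state` is compared with the saved request,
            // so the saved request is discarded for any callback that carries `error`.
            // Consider validating `state` first. The error fields presumably come from request
            // parameters (confirm in the converter); treat the message as untrusted when it is
            // logged or rendered.
            getAuthorizationRequestRepository().removeAuthorizationRequest(httpServletRequest);
            throw new OAuth2AuthenticationException(authorizationResponse.getError(), authorizationResponse.getError().toString());
        }

        AuthorizationRequest savedRequest = resolveAuthorizationRequest(httpServletRequest);

        // The registration id is read from the saved (server-side) request, not from the callback.
        String registrationId = (String) savedRequest.getAdditionalParameters().get("registration_id");
        ClientRegistration registeredClient = getClientRegistrationRepository().findByRegistrationId(registrationId);
        if (registeredClient == null) {
            // Report an unknown registration as an authentication failure instead of letting a
            // null reach the builder.
            OAuth2Error notFound = new OAuth2Error(CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE);
            throw new OAuth2AuthenticationException(notFound, notFound.toString());
        }

        // Use the redirect URI that was actually sent in the authorization request, so the token
        // exchange presents the same value.
        ClientRegistration clientRegistration = new ClientRegistration.Builder(registeredClient)
                .redirectUri(savedRequest.getRedirectUri())
                .build();

        AuthorizationCodeAuthenticationToken codeAuthentication =
                new AuthorizationCodeAuthenticationToken(authorizationResponse.getCode(), clientRegistration, savedRequest);
        codeAuthentication.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));

        OAuth2ClientAuthenticationToken clientAuthentication =
                (OAuth2ClientAuthenticationToken) getAuthenticationManager().authenticate(codeAuthentication);

        if (authenticated() && authenticatedSameProviderAs(clientAuthentication)) {
            // NOTE(review): "same provider" is decided by endpoint URIs only. Nothing visible here
            // checks that the new tokens belong to the same end user as the current principal.
            // Confirm that is intended.
            OAuth2UserAuthenticationToken currentAuthentication =
                    (OAuth2UserAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
            return createUserAuthentication(currentAuthentication, clientAuthentication);
        }
        return getAuthenticationManager().authenticate(createUserAuthentication(clientAuthentication));
    }

    /** @return the matcher that decides which requests are treated as authorization responses */
    public RequestMatcher getAuthorizationResponseMatcher() {
        return this.authorizationResponseMatcher;
    }

    /**
     * Replaces the response matcher and registers it as the filter's
     * requires-authentication matcher.
     *
     * @param t the matcher; must not be null
     */
    public final <T extends RequestMatcher> void setAuthorizationResponseMatcher(T t) {
        Assert.notNull(t, "authorizationResponseMatcher cannot be null");
        this.authorizationResponseMatcher = t;
        setRequiresAuthenticationRequestMatcher(t);
    }

    /** @return the configured repository, or null if none has been set */
    protected ClientRegistrationRepository getClientRegistrationRepository() {
        return this.clientRegistrationRepository;
    }

    /** @param clientRegistrationRepository the repository used to look up registrations; must not be null */
    public final void setClientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository) {
        Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    /** @return the repository holding in-flight authorization requests */
    protected AuthorizationRequestRepository getAuthorizationRequestRepository() {
        return this.authorizationRequestRepository;
    }

    /** @param authorizationRequestRepository the repository for in-flight authorization requests; must not be null */
    public final void setAuthorizationRequestRepository(AuthorizationRequestRepository authorizationRequestRepository) {
        Assert.notNull(authorizationRequestRepository, "authorizationRequestRepository cannot be null");
        this.authorizationRequestRepository = authorizationRequestRepository;
    }

    /**
     * Loads the saved authorization request for this callback, removes it from the repository,
     * and validates the callback against it.
     *
     * @throws OAuth2AuthenticationException if no saved request exists or validation fails
     */
    private AuthorizationRequest resolveAuthorizationRequest(HttpServletRequest request) {
        AuthorizationRequest savedRequest = getAuthorizationRequestRepository().loadAuthorizationRequest(request);
        if (savedRequest == null) {
            OAuth2Error notFound = new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
            throw new OAuth2AuthenticationException(notFound, notFound.toString());
        }
        // Removed before validation: a callback that fails the checks below still consumes the
        // saved request, so each saved state value can be tried once.
        getAuthorizationRequestRepository().removeAuthorizationRequest(request);
        assertMatchingAuthorizationRequest(request, savedRequest);
        return savedRequest;
    }

    /**
     * Verifies that the callback belongs to the saved authorization request: the {@code state}
     * parameter must equal the saved state, and the request URL must equal the saved redirect URI.
     *
     * @throws OAuth2AuthenticationException with {@code invalid_state_parameter} or
     *         {@code invalid_redirect_uri_parameter}
     */
    private void assertMatchingAuthorizationRequest(HttpServletRequest request, AuthorizationRequest authorizationRequest) {
        // Fail closed when the saved request carries no state instead of dereferencing null.
        String expectedState = authorizationRequest.getState();
        if (expectedState == null || !expectedState.equals(request.getParameter("state"))) {
            OAuth2Error invalidState = new OAuth2Error(INVALID_STATE_PARAMETER_ERROR_CODE);
            throw new OAuth2AuthenticationException(invalidState, invalidState.toString());
        }
        // getRequestURL() excludes the query string and is rebuilt from the request's scheme,
        // host and port. Behind a reverse proxy those must reflect the external URL or this
        // comparison will reject legitimate callbacks.
        String callbackUrl = request.getRequestURL().toString();
        if (!callbackUrl.equals(authorizationRequest.getRedirectUri())) {
            OAuth2Error invalidRedirectUri = new OAuth2Error(INVALID_REDIRECT_URI_PARAMETER_ERROR_CODE);
            throw new OAuth2AuthenticationException(invalidRedirectUri, invalidRedirectUri.toString());
        }
    }

    /** Tells whether the security context holds an authenticated {@link OAuth2UserAuthenticationToken}. */
    private boolean authenticated() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return authentication != null && (authentication instanceof OAuth2UserAuthenticationToken) && authentication.isAuthenticated();
    }

    /**
     * Compares the provider of the current authentication with the provider of the given client
     * authentication, using the provider identifier strategy. Callers must have checked
     * {@link #authenticated()} first; the cast below relies on it.
     */
    private boolean authenticatedSameProviderAs(OAuth2ClientAuthenticationToken clientAuthentication) {
        // getClientAuthentication() is not declared on Authentication, so the current
        // authentication has to be narrowed to the OAuth2 user token before the call.
        OAuth2UserAuthenticationToken currentAuthentication =
                (OAuth2UserAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
        String currentProvider = this.providerIdentifierStrategy.getIdentifier(
                currentAuthentication.getClientAuthentication().getClientRegistration());
        String callbackProvider = this.providerIdentifierStrategy.getIdentifier(
                clientAuthentication.getClientRegistration());
        return currentProvider.equals(callbackProvider);
    }

    /**
     * Wraps a client authentication in an unauthenticated user token, choosing the OIDC variant
     * when the client authentication is an {@link OidcClientAuthenticationToken}.
     */
    private OAuth2UserAuthenticationToken createUserAuthentication(OAuth2ClientAuthenticationToken clientAuthentication) {
        if (OidcClientAuthenticationToken.class.isAssignableFrom(clientAuthentication.getClass())) {
            return new OidcUserAuthenticationToken((OidcClientAuthenticationToken) clientAuthentication);
        }
        return new OAuth2UserAuthenticationToken(clientAuthentication);
    }

    /**
     * Builds a user token that keeps the principal and authorities of the existing user
     * authentication and attaches the new client authentication, choosing the OIDC variant when
     * the existing token is an {@link OidcUserAuthenticationToken}.
     */
    private OAuth2UserAuthenticationToken createUserAuthentication(OAuth2UserAuthenticationToken userAuthentication, OAuth2ClientAuthenticationToken clientAuthentication) {
        if (OidcUserAuthenticationToken.class.isAssignableFrom(userAuthentication.getClass())) {
            return new OidcUserAuthenticationToken((OidcUser) userAuthentication.getPrincipal(), (Collection<? extends GrantedAuthority>) userAuthentication.getAuthorities(), clientAuthentication);
        }
        return new OAuth2UserAuthenticationToken((OAuth2User) userAuthentication.getPrincipal(), userAuthentication.getAuthorities(), clientAuthentication);
    }
}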
