package org.mitre.openid.connect.assertion;

import com.google.common.base.Strings;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import java.io.IOException;
import java.text.ParseException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.exceptions.BadClientCredentialsException;
import org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.util.matcher.RequestMatcher;

/* loaded from: input_file:org/mitre/openid/connect/assertion/JWTBearerClientAssertionTokenEndpointFilter.class */
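/**
 * Servlet filter that authenticates an OAuth2 client from a JWT bearer client assertion
 * ({@code client_assertion} + {@code client_assertion_type} request parameters).
 *
 * <p>This filter only parses the assertion and hands it to the configured
 * {@code AuthenticationManager}. Nothing in this class verifies the JWT's signature, issuer,
 * audience or expiry; those checks have to be enforced by the authentication provider behind
 * the manager (not shown in this file).
 */
public class JWTBearerClientAssertionTokenEndpointFilter extends AbstractAuthenticationProcessingFilter {
    private static final String PARAM_ASSERTION_TYPE = "client_assertion_type";
    private static final String PARAM_ASSERTION = "client_assertion";
    private static final String JWT_BEARER_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /** Renders authentication failures raised by this filter. */
    private final AuthenticationEntryPoint authenticationEntryPoint;

    /**
     * Matches requests that carry a non-empty JWT-bearer client assertion and that also satisfy
     * the caller-supplied matcher.
     */
    private static class ClientAssertionRequestMatcher implements RequestMatcher {
        private final RequestMatcher additionalMatcher;

        public ClientAssertionRequestMatcher(RequestMatcher requestMatcher) {
            this.additionalMatcher = requestMatcher;
        }

        /**
         * @return {@code true} only when both assertion parameters are present and non-empty, the
         *     assertion type is exactly the JWT-bearer URN, and the additional matcher accepts
         *     the request
         */
        public boolean matches(HttpServletRequest httpServletRequest) {
            String assertionType = httpServletRequest.getParameter(PARAM_ASSERTION_TYPE);
            String assertion = httpServletRequest.getParameter(PARAM_ASSERTION);
            if (Strings.isNullOrEmpty(assertionType) || Strings.isNullOrEmpty(assertion)) {
                return false;
            }
            if (!JWT_BEARER_ASSERTION_TYPE.equals(assertionType)) {
                return false;
            }
            return this.additionalMatcher.matches(httpServletRequest);
        }
    }

    /**
     * @param requestMatcher extra condition (typically the token endpoint path) that a request
     *     must meet, in addition to carrying a JWT-bearer client assertion, to be handled here
     */
    public JWTBearerClientAssertionTokenEndpointFilter(RequestMatcher requestMatcher) {
        super(new ClientAssertionRequestMatcher(requestMatcher));
        // setTypeName is declared on the OAuth2 entry point, not on the AuthenticationEntryPoint
        // interface, so configure it through the concrete type before storing it.
        OAuth2AuthenticationEntryPoint entryPoint = new OAuth2AuthenticationEntryPoint();
        entryPoint.setTypeName("Form");
        this.authenticationEntryPoint = entryPoint;
    }

    /** Installs the failure and success handlers used by this filter. */
    public void afterPropertiesSet() {
        super.afterPropertiesSet();
        setAuthenticationFailureHandler(new AuthenticationFailureHandler() {
            public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
                AuthenticationException reported = authenticationException;
                if (authenticationException instanceof BadCredentialsException) {
                    // Re-wrap with a BadClientCredentialsException cause; presumably the OAuth2
                    // entry point uses the cause to render a client-credentials error - confirm.
                    reported = new BadCredentialsException(authenticationException.getMessage(), new BadClientCredentialsException());
                }
                JWTBearerClientAssertionTokenEndpointFilter.this.authenticationEntryPoint.commence(httpServletRequest, httpServletResponse, reported);
            }
        });
        setAuthenticationSuccessHandler(new AuthenticationSuccessHandler() {
            public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
                // Intentionally empty: the response is left untouched on success, and
                // successfulAuthentication() continues the filter chain instead.
            }
        });
    }

    /**
     * Parses the {@code client_assertion} parameter and submits it for authentication.
     *
     * @return the result of the authentication manager for the parsed assertion
     * @throws BadCredentialsException if the assertion is not a parseable JWT or exposes no
     *     claims set
     */
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        String assertion = httpServletRequest.getParameter(PARAM_ASSERTION);
        try {
            JWT jwt = JWTParser.parse(assertion);
            // Reading the claims set forces the payload to be parsed, so a malformed payload is
            // rejected here rather than later. A null result is treated as invalid as well
            // (presumably possible for a JWT whose payload is not available, e.g. an encrypted
            // one - confirm against the Nimbus version in use) instead of surfacing as an NPE.
            if (jwt.getJWTClaimsSet() == null) {
                throw new BadCredentialsException("Invalid JWT credential");
            }
            return getAuthenticationManager().authenticate(new JWTBearerAssertionAuthenticationToken(jwt));
        } catch (ParseException e) {
            // Do not echo the submitted assertion: the exception message is passed on to the
            // failure handler and entry point, and may be logged, so it must not contain the
            // client's credential or other raw request input.
            throw new BadCredentialsException("Invalid JWT credential", e);
        }
    }

    /**
     * Runs the superclass success handling and then continues the filter chain, so the request
     * still reaches the endpoint it was addressed to after the client has been authenticated.
     */
    protected void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, Authentication authentication) throws IOException, ServletException {
        super.successfulAuthentication(httpServletRequest, httpServletResponse, filterChain, authentication);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }
}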
