package org.springframework.security.oauth2.server.resource.web.access.server;

import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/springframework/security/oauth2/server/resource/web/access/server/BearerTokenServerAccessDeniedHandler.class */
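/**
 * Reactive {@link ServerAccessDeniedHandler} that answers an access-denied condition with
 * {@code 403 Forbidden} and a {@code WWW-Authenticate: Bearer ...} challenge.
 *
 * <p>When the current principal is an {@link AbstractOAuth2TokenAuthenticationToken}, the
 * challenge carries {@code error}, {@code error_description} and {@code error_uri}, plus the
 * token's scope when one is present. For any other principal, or none, only the optional
 * {@code realm} is sent.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The {@link AccessDeniedException} passed to {@link #handle} is never inspected, so every
 *       denial for a token principal is reported with
 *       {@link BearerTokenErrorCodes#INSUFFICIENT_SCOPE}, whatever the real cause.</li>
 *   <li>The scope granted to the token is echoed in both {@code error_description} and the
 *       scope parameter of the challenge.</li>
 *   <li>Parameter values are wrapped in double quotes without escaping; see
 *       {@link #computeWWWAuthenticateHeaderValue(Map)}.</li>
 * </ul>
 */
public class BearerTokenServerAccessDeniedHandler implements ServerAccessDeniedHandler {
    /** Token attribute names probed, in this order, when looking for the granted scope. */
    private static final Collection<String> WELL_KNOWN_SCOPE_ATTRIBUTE_NAMES = Arrays.asList(OAuth2IntrospectionClaimNames.SCOPE, "scp");

    /** Optional realm advertised in the challenge; omitted while {@code null}. */
    private String realmName;

    /**
     * Writes the {@code 403} response and Bearer challenge for a denied request.
     *
     * @param exchange the current exchange; its principal decides which parameters are sent
     * @param denied the denial that triggered this handler (not used when building the response)
     * @return a {@link Mono} that completes once the response has been completed
     */
    @Override
    public Mono<Void> handle(ServerWebExchange exchange, AccessDeniedException denied) {
        // LinkedHashMap keeps "realm" first and the remaining parameters in insertion order.
        Map<String, String> parameters = new LinkedHashMap<>();
        if (this.realmName != null) {
            parameters.put("realm", this.realmName);
        }
        // The decompiled source referenced an undefined variable ("r1") in the filter and left a
        // stray Class#getClass() call behind; both stood for this method reference.
        return exchange.getPrincipal()
                .filter(AbstractOAuth2TokenAuthenticationToken.class::isInstance)
                .cast(AbstractOAuth2TokenAuthenticationToken.class)
                .map(token -> errorMessageParameters(token, parameters))
                // No token principal: fall back to the realm-only parameter map.
                .switchIfEmpty(Mono.just(parameters))
                .flatMap(challenge -> respond(exchange, challenge));
    }

    /**
     * Sets the realm advertised in the {@code WWW-Authenticate} challenge.
     *
     * @param realmName the realm value, or {@code null} to omit the {@code realm} parameter
     */
    public final void setRealmName(String realmName) {
        this.realmName = realmName;
    }

    /**
     * Adds the insufficient-scope error parameters for {@code token} to {@code parameters}.
     *
     * <p>The decompiler output marks this method as originally {@code private}; the widened
     * visibility is kept here so the class's visible interface does not change.
     *
     * @param token the authenticated token whose scope is reported
     * @param parameters the mutable parameter map to extend
     * @return the same {@code parameters} instance, for chaining
     */
    public static Map<String, String> errorMessageParameters(AbstractOAuth2TokenAuthenticationToken token, Map<String, String> parameters) {
        String scope = getScope(token);
        parameters.put("error", BearerTokenErrorCodes.INSUFFICIENT_SCOPE);
        parameters.put("error_description", String.format("The token provided has insufficient scope [%s] for this request", scope));
        parameters.put("error_uri", "https://tools.ietf.org/html/rfc6750#section-3.1");
        // The scope parameter is only emitted when the token actually carries one.
        if (StringUtils.hasText(scope)) {
            parameters.put(OAuth2IntrospectionClaimNames.SCOPE, scope);
        }
        return parameters;
    }

    /**
     * Sets {@code 403 Forbidden} and the {@code WWW-Authenticate} header, then completes the
     * response without a body.
     *
     * <p>The decompiler output marks this method as originally {@code private}; the widened
     * visibility is kept here so the class's visible interface does not change.
     *
     * @param exchange the exchange whose response is written
     * @param parameters the challenge parameters to render into the header
     * @return a {@link Mono} that completes once the response has been completed
     */
    public static Mono<Void> respond(ServerWebExchange exchange, Map<String, String> parameters) {
        String wwwAuthenticate = computeWWWAuthenticateHeaderValue(parameters);
        exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
        exchange.getResponse().getHeaders().set("WWW-Authenticate", wwwAuthenticate);
        return exchange.getResponse().setComplete();
    }

    /**
     * Returns the token's scope as a single space-delimited string.
     *
     * <p>The first well-known attribute holding a {@link String} or a {@link Collection} wins;
     * collection elements are stringified with {@link String#valueOf(Object)}. Attributes of any
     * other type are skipped.
     *
     * @param token the authenticated token to inspect
     * @return the scope string, or {@code ""} when no usable scope attribute is found
     */
    private static String getScope(AbstractOAuth2TokenAuthenticationToken token) {
        Map<String, Object> attributes = token.getTokenAttributes();
        for (String attributeName : WELL_KNOWN_SCOPE_ATTRIBUTE_NAMES) {
            Object value = attributes.get(attributeName);
            if (value instanceof String) {
                return (String) value;
            }
            if (value instanceof Collection) {
                return ((Collection<?>) value).stream().map(String::valueOf).collect(Collectors.joining(" "));
            }
        }
        return "";
    }

    /**
     * Renders the challenge as {@code Bearer key="value", key="value"}, or plain {@code Bearer}
     * when there are no parameters.
     *
     * @param parameters the challenge parameters, rendered in iteration order
     * @return the {@code WWW-Authenticate} header value
     */
    private static String computeWWWAuthenticateHeaderValue(Map<String, String> parameters) {
        if (parameters.isEmpty()) {
            return "Bearer";
        }
        // NOTE(review): values are quoted verbatim. A realm or scope value containing '"' or '\'
        // would yield a malformed challenge, so this relies on the configured realm and on the
        // scope attributes of the validated token never carrying those characters - confirm
        // against the token source in use.
        return parameters.entrySet().stream()
                .map(entry -> entry.getKey() + "=\"" + entry.getValue() + "\"")
                .collect(Collectors.joining(", ", "Bearer ", ""));
    }
}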
