package org.springframework.security.oauth2.server.authorization.authentication;

import java.security.Principal;
import java.util.Base64;
import java.util.Set;
import java.util.function.Consumer;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientMetadataClaimNames;
import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.class */
/**
 * {@link AuthenticationProvider} for the OAuth 2.0 Authorization Code Grant request
 * received at the authorization endpoint.
 *
 * <p>Processing order (all of it visible in {@link #authenticate(Authentication)}):
 * <ol>
 *   <li>resolve the {@link RegisteredClient} by {@code client_id}; an unknown client is
 *       reported as {@code invalid_request} <em>without</em> a redirect URI;</li>
 *   <li>run the configurable {@code authenticationValidator} (the default implementation is not
 *       visible here; it is presumably where {@code redirect_uri} and {@code scope} are checked
 *       against the registration);</li>
 *   <li>require the {@code authorization_code} grant type on the registration;</li>
 *   <li>PKCE: when a {@code code_challenge} is present only {@code S256} is accepted as the
 *       method; when it is absent the request is rejected if the client requires proof keys;</li>
 *   <li>if the resource owner is not yet authenticated, hand the token back unchanged so the
 *       caller can authenticate the user first;</li>
 *   <li>either redirect into the consent flow (issuing a freshly generated consent state) or
 *       generate and persist an authorization code.</li>
 * </ol>
 *
 * <p>Security notes grounded in this file: the consent state comes from a
 * {@link Base64StringKeyGenerator} using the URL-safe alphabet (assumed SecureRandom-backed —
 * confirm in that class); error responses for a bad {@code client_id} or {@code state} deliberately
 * drop the redirect URI (see {@code throwError}); when the request carries no
 * {@code redirect_uri} the first registered one is used, which is only safe if the validator
 * guarantees a single registration in that case (not verifiable here).
 */
public final class OAuth2AuthorizationCodeRequestAuthenticationProvider implements AuthenticationProvider {
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1";
    private static final String PKCE_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc7636#section-4.4.1";
    /** Generator for the opaque consent-flow {@code state} value (URL-safe Base64). */
    private static final StringKeyGenerator DEFAULT_STATE_GENERATOR = new Base64StringKeyGenerator(Base64.getUrlEncoder());
    private final RegisteredClientRepository registeredClientRepository;
    private final OAuth2AuthorizationService authorizationService;
    private final OAuth2AuthorizationConsentService authorizationConsentService;
    private final Log logger = LogFactory.getLog(getClass());
    private OAuth2TokenGenerator<OAuth2AuthorizationCode> authorizationCodeGenerator = new OAuth2AuthorizationCodeGenerator();
    private Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator = new OAuth2AuthorizationCodeRequestAuthenticationValidator();

    /**
     * Creates a provider backed by the given collaborators.
     *
     * @param registeredClientRepository lookup of client registrations by {@code client_id}
     * @param oAuth2AuthorizationService persistence for pending and issued authorizations
     * @param oAuth2AuthorizationConsentService persistence for previously granted consents
     * @throws IllegalArgumentException if any collaborator is {@code null}
     */
    public OAuth2AuthorizationCodeRequestAuthenticationProvider(RegisteredClientRepository registeredClientRepository, OAuth2AuthorizationService oAuth2AuthorizationService, OAuth2AuthorizationConsentService oAuth2AuthorizationConsentService) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        Assert.notNull(oAuth2AuthorizationConsentService, "authorizationConsentService cannot be null");
        this.registeredClientRepository = registeredClientRepository;
        this.authorizationService = oAuth2AuthorizationService;
        this.authorizationConsentService = oAuth2AuthorizationConsentService;
    }

    /**
     * Validates an authorization code request and, once the resource owner is authenticated,
     * either starts the consent flow or issues an authorization code.
     *
     * @param authentication an {@link OAuth2AuthorizationCodeRequestAuthenticationToken}
     * @return the unchanged request token when the principal is not yet authenticated, an
     *         {@link OAuth2AuthorizationConsentAuthenticationToken} when consent is required,
     *         otherwise an authenticated request token carrying the generated code
     * @throws OAuth2AuthorizationCodeRequestAuthenticationException on any validation failure
     *         or when the code generator returns {@code null}
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        OAuth2AuthorizationCodeRequestAuthenticationToken codeRequest =
                (OAuth2AuthorizationCodeRequestAuthenticationToken) authentication;

        RegisteredClient client = this.registeredClientRepository.findByClientId(codeRequest.getClientId());
        if (client == null) {
            // Unknown client: the error is surfaced without a redirect (see throwError).
            throwError("invalid_request", OidcClientMetadataClaimNames.CLIENT_ID, codeRequest, null);
        }
        traceIfEnabled("Retrieved registered client");

        // Pluggable request validation runs before the grant-type and PKCE checks below.
        this.authenticationValidator.accept(
                OAuth2AuthorizationCodeRequestAuthenticationContext.with(codeRequest).registeredClient(client).build());

        if (!client.getAuthorizationGrantTypes().contains(AuthorizationGrantType.AUTHORIZATION_CODE)) {
            throwError("unauthorized_client", OidcClientMetadataClaimNames.CLIENT_ID, codeRequest, client);
        }

        validateProofKeyParameters(codeRequest, client);
        traceIfEnabled("Validated authorization code request parameters");

        Authentication resourceOwner = (Authentication) codeRequest.getPrincipal();
        if (!isPrincipalAuthenticated(resourceOwner)) {
            // Nothing is persisted yet; the caller is expected to authenticate the user and retry.
            traceIfEnabled("Did not authenticate authorization code request since principal not authenticated");
            return codeRequest;
        }

        OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
                .authorizationUri(codeRequest.getAuthorizationUri())
                .clientId(client.getClientId())
                .redirectUri(codeRequest.getRedirectUri())
                .scopes(codeRequest.getScopes())
                .state(codeRequest.getState())
                .additionalParameters(codeRequest.getAdditionalParameters())
                .build();

        OAuth2AuthorizationConsent currentConsent =
                this.authorizationConsentService.findById(client.getId(), resourceOwner.getName());
        if (requireAuthorizationConsent(client, authorizationRequest, currentConsent)) {
            return startConsentFlow(client, resourceOwner, authorizationRequest, currentConsent);
        }

        OAuth2AuthorizationCode authorizationCode = this.authorizationCodeGenerator.generate(
                createAuthorizationCodeTokenContext(codeRequest, client, null, authorizationRequest.getScopes()));
        if (authorizationCode == null) {
            throw new OAuth2AuthorizationCodeRequestAuthenticationException(
                    new OAuth2Error("server_error", "The token generator failed to generate the authorization code.", ERROR_URI), null);
        }
        traceIfEnabled("Generated authorization code");

        OAuth2Authorization issuedAuthorization = authorizationBuilder(client, resourceOwner, authorizationRequest)
                .authorizedScopes(authorizationRequest.getScopes())
                .token(authorizationCode)
                .build();
        this.authorizationService.save(issuedAuthorization);
        traceIfEnabled("Saved authorization");

        String redirectUri = authorizationRequest.getRedirectUri();
        if (!StringUtils.hasText(redirectUri)) {
            // Fallback to the first registered URI; assumes the validator already ensured a
            // missing redirect_uri is only accepted when exactly one is registered — confirm.
            redirectUri = client.getRedirectUris().iterator().next();
        }
        traceIfEnabled("Authenticated authorization code request");

        return new OAuth2AuthorizationCodeRequestAuthenticationToken(
                authorizationRequest.getAuthorizationUri(), client.getClientId(), resourceOwner,
                authorizationCode, redirectUri, authorizationRequest.getState(),
                (Set<String>) authorizationRequest.getScopes());
    }

    @Override
    public boolean supports(Class<?> cls) {
        return OAuth2AuthorizationCodeRequestAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Replaces the generator used to mint authorization codes.
     *
     * @param oAuth2TokenGenerator the generator, must not be {@code null}
     */
    public void setAuthorizationCodeGenerator(OAuth2TokenGenerator<OAuth2AuthorizationCode> oAuth2TokenGenerator) {
        Assert.notNull(oAuth2TokenGenerator, "authorizationCodeGenerator cannot be null");
        this.authorizationCodeGenerator = oAuth2TokenGenerator;
    }

    /**
     * Replaces the request validator invoked right after the client lookup. A custom validator
     * takes over whatever checks the default one performs, so callers should make sure
     * {@code redirect_uri} and {@code scope} validation is still covered.
     *
     * @param consumer the validator, must not be {@code null}
     */
    public void setAuthenticationValidator(Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> consumer) {
        Assert.notNull(consumer, "authenticationValidator cannot be null");
        this.authenticationValidator = consumer;
    }

    /** Logs at TRACE level, guarded so the call is free when tracing is off. */
    private void traceIfEnabled(String message) {
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(message);
        }
    }

    /**
     * Enforces the PKCE rules applied at the authorization endpoint: a present
     * {@code code_challenge} must be accompanied by {@code code_challenge_method=S256}
     * ({@code plain} is rejected); an absent challenge is an error for clients whose settings
     * require a proof key.
     */
    private static void validateProofKeyParameters(OAuth2AuthorizationCodeRequestAuthenticationToken codeRequest, RegisteredClient client) {
        String codeChallenge = (String) codeRequest.getAdditionalParameters().get("code_challenge");
        if (StringUtils.hasText(codeChallenge)) {
            String challengeMethod = (String) codeRequest.getAdditionalParameters().get("code_challenge_method");
            // "S256".equals(null) is false, so a missing method is rejected as well.
            if (!"S256".equals(challengeMethod)) {
                throwError("invalid_request", "code_challenge_method", PKCE_ERROR_URI, codeRequest, client, null);
            }
        } else if (client.getClientSettings().isRequireProofKey()) {
            throwError("invalid_request", "code_challenge", PKCE_ERROR_URI, codeRequest, client, null);
        }
    }

    /**
     * Persists a pending authorization keyed by a freshly generated consent {@code state} and
     * returns the token that drives the consent page.
     *
     * @param currentConsent previously stored consent, or {@code null}; its scopes are passed
     *                       along so the consent page can show what was already approved
     */
    private OAuth2AuthorizationConsentAuthenticationToken startConsentFlow(RegisteredClient client, Authentication resourceOwner, OAuth2AuthorizationRequest authorizationRequest, OAuth2AuthorizationConsent currentConsent) {
        String consentState = DEFAULT_STATE_GENERATOR.generateKey();
        OAuth2Authorization pendingAuthorization = authorizationBuilder(client, resourceOwner, authorizationRequest)
                .attribute("state", consentState)
                .build();
        traceIfEnabled("Generated authorization consent state");
        this.authorizationService.save(pendingAuthorization);
        traceIfEnabled("Saved authorization");

        Set<String> previouslyApprovedScopes = (currentConsent != null) ? currentConsent.getScopes() : null;
        return new OAuth2AuthorizationConsentAuthenticationToken(
                authorizationRequest.getAuthorizationUri(), client.getClientId(), resourceOwner,
                consentState, previouslyApprovedScopes, null);
    }

    /**
     * Common builder for the persisted authorization: principal name, grant type, and the
     * principal and original request stored as attributes.
     */
    private static OAuth2Authorization.Builder authorizationBuilder(RegisteredClient registeredClient, Authentication authentication, OAuth2AuthorizationRequest oAuth2AuthorizationRequest) {
        return OAuth2Authorization.withRegisteredClient(registeredClient)
                .principalName(authentication.getName())
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .attribute(Principal.class.getName(), authentication)
                .attribute(OAuth2AuthorizationRequest.class.getName(), oAuth2AuthorizationRequest);
    }

    /**
     * Builds the token context handed to the authorization code generator.
     *
     * @param oAuth2Authorization optional existing authorization; attached only when non-null
     * @param set the scopes the code will be authorized for
     */
    private static OAuth2TokenContext createAuthorizationCodeTokenContext(OAuth2AuthorizationCodeRequestAuthenticationToken oAuth2AuthorizationCodeRequestAuthenticationToken, RegisteredClient registeredClient, OAuth2Authorization oAuth2Authorization, Set<String> set) {
        DefaultOAuth2TokenContext.Builder contextBuilder = DefaultOAuth2TokenContext.builder()
                .registeredClient(registeredClient)
                .principal((Authentication) oAuth2AuthorizationCodeRequestAuthenticationToken.getPrincipal())
                .authorizationServerContext(AuthorizationServerContextHolder.getContext())
                .tokenType(new OAuth2TokenType("code"))
                .authorizedScopes(set)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrant(oAuth2AuthorizationCodeRequestAuthenticationToken);
        if (oAuth2Authorization != null) {
            contextBuilder.authorization(oAuth2Authorization);
        }
        return contextBuilder.build();
    }

    /**
     * Decides whether the consent page must be shown.
     *
     * <p>Consent is never required when the client setting is off, nor when {@code openid} is
     * the sole requested scope. Otherwise it is required unless a stored consent already covers
     * every requested scope.
     */
    private static boolean requireAuthorizationConsent(RegisteredClient registeredClient, OAuth2AuthorizationRequest oAuth2AuthorizationRequest, OAuth2AuthorizationConsent oAuth2AuthorizationConsent) {
        if (!registeredClient.getClientSettings().isRequireAuthorizationConsent()) {
            return false;
        }
        Set<String> requestedScopes = oAuth2AuthorizationRequest.getScopes();
        boolean openidOnly = requestedScopes.size() == 1 && requestedScopes.contains("openid");
        if (openidOnly) {
            return false;
        }
        if (oAuth2AuthorizationConsent == null) {
            return true;
        }
        return !oAuth2AuthorizationConsent.getScopes().containsAll(requestedScopes);
    }

    /** An authenticated, non-anonymous principal is required before anything is persisted. */
    private static boolean isPrincipalAuthenticated(Authentication authentication) {
        if (authentication == null) {
            return false;
        }
        if (authentication instanceof AnonymousAuthenticationToken) {
            return false;
        }
        return authentication.isAuthenticated();
    }

    private static void throwError(String str, String str2, OAuth2AuthorizationCodeRequestAuthenticationToken oAuth2AuthorizationCodeRequestAuthenticationToken, RegisteredClient registeredClient) {
        throwError(str, str2, ERROR_URI, oAuth2AuthorizationCodeRequestAuthenticationToken, registeredClient, null);
    }

    private static void throwError(String str, String str2, String str3, OAuth2AuthorizationCodeRequestAuthenticationToken oAuth2AuthorizationCodeRequestAuthenticationToken, RegisteredClient registeredClient, OAuth2AuthorizationRequest oAuth2AuthorizationRequest) {
        OAuth2Error error = new OAuth2Error(str, "OAuth 2.0 Parameter: " + str2, str3);
        throwError(error, str2, oAuth2AuthorizationCodeRequestAuthenticationToken, registeredClient, oAuth2AuthorizationRequest);
    }

    /**
     * Raises the error wrapped in a token that carries the redirect URI to report back to.
     *
     * <p>For {@code invalid_request} on {@code client_id} or {@code state} the redirect URI is
     * cleared: at that point the request's {@code redirect_uri} has not been matched against a
     * registration, so redirecting there would presumably let an attacker bounce an error
     * response to an arbitrary location.
     */
    private static void throwError(OAuth2Error oAuth2Error, String str, OAuth2AuthorizationCodeRequestAuthenticationToken oAuth2AuthorizationCodeRequestAuthenticationToken, RegisteredClient registeredClient, OAuth2AuthorizationRequest oAuth2AuthorizationRequest) {
        String redirectUri = resolveRedirectUri(oAuth2AuthorizationCodeRequestAuthenticationToken, oAuth2AuthorizationRequest, registeredClient);
        boolean unsafeToRedirect = "invalid_request".equals(oAuth2Error.getErrorCode())
                && (OidcClientMetadataClaimNames.CLIENT_ID.equals(str) || "state".equals(str));
        if (unsafeToRedirect) {
            redirectUri = null;
        }
        OAuth2AuthorizationCodeRequestAuthenticationToken failedRequest = new OAuth2AuthorizationCodeRequestAuthenticationToken(
                oAuth2AuthorizationCodeRequestAuthenticationToken.getAuthorizationUri(),
                oAuth2AuthorizationCodeRequestAuthenticationToken.getClientId(),
                (Authentication) oAuth2AuthorizationCodeRequestAuthenticationToken.getPrincipal(),
                redirectUri,
                oAuth2AuthorizationCodeRequestAuthenticationToken.getState(),
                oAuth2AuthorizationCodeRequestAuthenticationToken.getScopes(),
                oAuth2AuthorizationCodeRequestAuthenticationToken.getAdditionalParameters());
        throw new OAuth2AuthorizationCodeRequestAuthenticationException(oAuth2Error, failedRequest);
    }

    /**
     * Picks the redirect URI for an error response: the request's own, then the built
     * authorization request's, then the client's first registered URI, else {@code null}.
     * Note that the request-supplied value is returned as-is; whether it was validated depends
     * on how far processing got before the error.
     */
    private static String resolveRedirectUri(OAuth2AuthorizationCodeRequestAuthenticationToken oAuth2AuthorizationCodeRequestAuthenticationToken, OAuth2AuthorizationRequest oAuth2AuthorizationRequest, RegisteredClient registeredClient) {
        if (oAuth2AuthorizationCodeRequestAuthenticationToken != null) {
            String fromRequest = oAuth2AuthorizationCodeRequestAuthenticationToken.getRedirectUri();
            if (StringUtils.hasText(fromRequest)) {
                return fromRequest;
            }
        }
        if (oAuth2AuthorizationRequest != null) {
            String fromAuthorizationRequest = oAuth2AuthorizationRequest.getRedirectUri();
            if (StringUtils.hasText(fromAuthorizationRequest)) {
                return fromAuthorizationRequest;
            }
        }
        if (registeredClient == null) {
            return null;
        }
        return registeredClient.getRedirectUris().iterator().next();
    }
}
