package org.springframework.security.oauth2.provider.endpoint;

import com.lowagie.text.html.HtmlTags;
import java.net.URI;
import java.security.Principal;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.BadClientCredentialsException;
import org.springframework.security.oauth2.common.exceptions.ClientAuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.security.oauth2.common.exceptions.UnapprovedClientAuthenticationException;
import org.springframework.security.oauth2.common.exceptions.UnsupportedResponseTypeException;
import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2RequestValidator;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.security.oauth2.provider.implicit.ImplicitGrantService;
import org.springframework.security.oauth2.provider.implicit.ImplicitTokenRequest;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestValidator;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.HttpSessionRequiredException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.DefaultSessionAttributeStore;
import org.springframework.web.bind.support.SessionAttributeStore;
import org.springframework.web.bind.support.SessionStatus;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.view.RedirectView;
import org.springframework.web.util.UriComponentsBuilder;

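/**
 * OAuth 2 authorization endpoint ({@code /oauth/authorize}) serving the authorization-code
 * grant ({@code response_type=code}) and the implicit grant ({@code response_type=token}).
 *
 * <p>Two-step flow as implemented here:
 * <ul>
 * <li>{@link #authorize} validates the incoming request (response type, client id, resolved
 * redirect URI, scope), asks the {@link UserApprovalHandler} whether the grant is already
 * approved and either issues the code/token immediately or stores the request in the HTTP
 * session (see {@code @SessionAttributes}) together with an immutable snapshot, then forwards to
 * the user approval page.</li>
 * <li>{@link #approveOrDeny} handles the approval form POST. Before acting it compares the
 * session-held request against the snapshot taken in {@link #authorize}, so a request cannot be
 * altered between the two steps, and it always clears the session attributes on exit.</li>
 * </ul>
 *
 * <p>Security properties visible in this class:
 * <ul>
 * <li>Every redirect this endpoint issues targets a URI that has passed through
 * {@link RedirectResolver#resolveRedirect} against the registered {@link ClientDetails} — in
 * {@link #authorize} for the success paths and in {@link #handleException} for error paths. When
 * no resolved redirect URI is available, errors are rendered on {@code errorPage} rather than
 * redirected; redirecting to an unvalidated {@code redirect_uri} would be an open redirector that
 * leaks authorization codes or access tokens.</li>
 * <li>Client-authentication failures and redirect mismatches never redirect at all, because the
 * client identity itself is in doubt.</li>
 * <li>Redirect views are created with {@code exposeModelAttributes=false}, so model/session
 * attributes are never appended to the redirect URL.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing was recovered from the compiled 2.3.5.RELEASE jar. The
 * references to {@code SchemaSymbols.ATTVAL_TOKEN}, {@code HtmlTags.CODE} and
 * {@code BeanFactory.FACTORY_BEAN_PREFIX} in the decompiled output were constant-folding
 * artifacts standing for the literals {@code "token"}, {@code "code"} and {@code "&"}. The
 * literals are used below; the xerces/iText imports at the top of the file are no longer
 * referenced and can be removed.
 */
@SessionAttributes({AuthorizationEndpoint.AUTHORIZATION_REQUEST_ATTR_NAME, AuthorizationEndpoint.ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME})
@FrameworkEndpoint
/* loaded from: input_file:WEB-INF/lib/spring-security-oauth2-2.3.5.RELEASE.jar:org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.class */
public class AuthorizationEndpoint extends AbstractEndpoint {
    /** Session attribute holding the pending (mutable) {@link AuthorizationRequest}. */
    static final String AUTHORIZATION_REQUEST_ATTR_NAME = "authorizationRequest";
    /** Session attribute holding the immutable snapshot used to detect tampering. */
    static final String ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME = "org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.ORIGINAL_AUTHORIZATION_REQUEST";

    /** {@code response_type} value for the implicit grant. */
    private static final String RESPONSE_TYPE_TOKEN = "token";
    /** {@code response_type} value for the authorization-code grant. */
    private static final String RESPONSE_TYPE_CODE = "code";
    /** Grant type name handed to the token granter for the implicit flow. */
    private static final String IMPLICIT_GRANT_TYPE = "implicit";

    // NOTE(review): the default code store is in-memory; presumably unsuitable for multi-node
    // deployments — confirm that a shared implementation is injected in such setups.
    private AuthorizationCodeServices authorizationCodeServices = new InMemoryAuthorizationCodeServices();
    private RedirectResolver redirectResolver = new DefaultRedirectResolver();
    private UserApprovalHandler userApprovalHandler = new DefaultUserApprovalHandler();
    private SessionAttributeStore sessionAttributeStore = new DefaultSessionAttributeStore();
    private OAuth2RequestValidator oauth2RequestValidator = new DefaultOAuth2RequestValidator();
    private String userApprovalPage = "forward:/oauth/confirm_access";
    private String errorPage = "forward:/oauth/error";
    /** Serializes implicit token grants; see {@link #getAccessTokenForImplicitGrant}. */
    private final Object implicitLock = new Object();

    public void setSessionAttributeStore(SessionAttributeStore sessionAttributeStore) {
        this.sessionAttributeStore = sessionAttributeStore;
    }

    public void setErrorPage(String errorPage) {
        this.errorPage = errorPage;
    }

    /**
     * Entry point of the authorization flow.
     *
     * @param model          Spring MVC model; the pending request and its snapshot are stored here
     *                       and, via {@code @SessionAttributes}, in the session
     * @param parameters     raw request parameters ({@code response_type}, {@code client_id},
     *                       {@code redirect_uri}, {@code scope}, {@code state}, ...)
     * @param sessionStatus  used to discard session attributes when the request fails
     * @param principal      the resource owner; must be an authenticated {@link Authentication}
     * @return a redirect to the client (grant already approved) or the user approval page
     * @throws UnsupportedResponseTypeException    if neither {@code code} nor {@code token} was requested
     * @throws InvalidClientException              if {@code client_id} is missing
     * @throws InsufficientAuthenticationException if the user is not authenticated
     * @throws RedirectMismatchException           if no redirect URI can be resolved for the client
     */
    @RequestMapping({"/oauth/authorize"})
    public ModelAndView authorize(Map<String, Object> model, @RequestParam Map<String, String> parameters, SessionStatus sessionStatus, Principal principal) {
        AuthorizationRequest authorizationRequest = getOAuth2RequestFactory().createAuthorizationRequest(parameters);
        Set<String> responseTypes = authorizationRequest.getResponseTypes();
        if (!responseTypes.contains(RESPONSE_TYPE_TOKEN) && !responseTypes.contains(RESPONSE_TYPE_CODE)) {
            throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes);
        }
        if (authorizationRequest.getClientId() == null) {
            throw new InvalidClientException("A client id must be provided");
        }
        try {
            if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
                throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorization can be completed.");
            }
            Authentication user = (Authentication) principal;
            ClientDetails client = getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId());
            // The redirect URI is only ever taken from the resolver, never from the raw parameter:
            // this is the check that prevents redirecting codes/tokens to an attacker-chosen host.
            String redirectUriParameter = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
            String resolvedRedirect = this.redirectResolver.resolveRedirect(redirectUriParameter, client);
            if (!StringUtils.hasText(resolvedRedirect)) {
                throw new RedirectMismatchException("A redirectUri must be either supplied or preconfigured in the ClientDetails");
            }
            authorizationRequest.setRedirectUri(resolvedRedirect);
            this.oauth2RequestValidator.validateScope(authorizationRequest, client);
            // The approval handler may hand back a different (e.g. narrowed) request object.
            authorizationRequest = this.userApprovalHandler.checkForPreApproval(authorizationRequest, user);
            boolean approved = this.userApprovalHandler.isApproved(authorizationRequest, user);
            authorizationRequest.setApproved(approved);
            if (approved) {
                if (responseTypes.contains(RESPONSE_TYPE_TOKEN)) {
                    return getImplicitGrantResponse(authorizationRequest);
                }
                if (responseTypes.contains(RESPONSE_TYPE_CODE)) {
                    return new ModelAndView(getAuthorizationCodeResponse(authorizationRequest, user));
                }
            }
            // Not (yet) approved: park the request in the session alongside a frozen copy so
            // approveOrDeny can detect any modification made in between.
            model.put(AUTHORIZATION_REQUEST_ATTR_NAME, authorizationRequest);
            model.put(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME, unmodifiableMap(authorizationRequest));
            return getUserApprovalPageResponse(model, authorizationRequest, user);
        } catch (RuntimeException e) {
            sessionStatus.setComplete();
            throw e;
        }
    }

    /**
     * Takes an immutable snapshot of the security-relevant fields of a request. The snapshot is
     * stored in the session and compared against the live request in {@link #approveOrDeny}.
     */
    Map<String, Object> unmodifiableMap(AuthorizationRequest authorizationRequest) {
        Map<String, Object> snapshot = new HashMap<String, Object>();
        snapshot.put("client_id", authorizationRequest.getClientId());
        snapshot.put("state", authorizationRequest.getState());
        snapshot.put(OAuth2Utils.REDIRECT_URI, authorizationRequest.getRedirectUri());
        if (authorizationRequest.getResponseTypes() != null) {
            snapshot.put(OAuth2Utils.RESPONSE_TYPE, Collections.unmodifiableSet(new HashSet<String>(authorizationRequest.getResponseTypes())));
        }
        if (authorizationRequest.getScope() != null) {
            snapshot.put("scope", Collections.unmodifiableSet(new HashSet<String>(authorizationRequest.getScope())));
        }
        snapshot.put("approved", Boolean.valueOf(authorizationRequest.isApproved()));
        if (authorizationRequest.getResourceIds() != null) {
            snapshot.put("resourceIds", Collections.unmodifiableSet(new HashSet<String>(authorizationRequest.getResourceIds())));
        }
        if (authorizationRequest.getAuthorities() != null) {
            snapshot.put("authorities", Collections.unmodifiableSet(new HashSet<Object>(authorizationRequest.getAuthorities())));
        }
        return Collections.unmodifiableMap(snapshot);
    }

    /**
     * Second step of the flow: the resource owner approved or denied the request on the
     * confirmation page.
     *
     * <p>The session-held request is rejected if it no longer matches the snapshot taken in
     * {@link #authorize}. Whatever the outcome, the session attributes are discarded so the
     * approval cannot be replayed.
     *
     * @param approvalParameters the approval form parameters (must include
     *                           {@link OAuth2Utils#USER_OAUTH_APPROVAL} to reach this handler)
     * @param model              model containing the session attributes stored by {@link #authorize}
     * @param sessionStatus      used to discard the session attributes on every exit path
     * @param principal          the resource owner; must be an authenticated {@link Authentication}
     * @return a redirect carrying the code/token, or an error redirect when denied
     * @throws InsufficientAuthenticationException if the user is not authenticated
     * @throws InvalidRequestException             if there is no pending request, it was modified,
     *                                             or it carries no redirect URI
     */
    @RequestMapping(value = {"/oauth/authorize"}, method = {RequestMethod.POST}, params = {OAuth2Utils.USER_OAUTH_APPROVAL})
    public View approveOrDeny(@RequestParam Map<String, String> approvalParameters, Map<String, ?> model, SessionStatus sessionStatus, Principal principal) {
        // Same authentication requirement as authorize(): a non-authenticated Authentication is rejected too.
        if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
            sessionStatus.setComplete();
            throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorizing an access token.");
        }
        Authentication user = (Authentication) principal;
        AuthorizationRequest authorizationRequest = (AuthorizationRequest) model.get(AUTHORIZATION_REQUEST_ATTR_NAME);
        if (authorizationRequest == null) {
            sessionStatus.setComplete();
            throw new InvalidRequestException("Cannot approve uninitialized authorization request.");
        }
        try {
            @SuppressWarnings("unchecked")
            Map<String, Object> original = (Map<String, Object>) model.get(ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME);
            if (isAuthorizationRequestModified(authorizationRequest, original)) {
                throw new InvalidRequestException("Changes were detected from the original authorization request.");
            }
            Set<String> responseTypes = authorizationRequest.getResponseTypes();
            authorizationRequest.setApprovalParameters(approvalParameters);
            authorizationRequest = this.userApprovalHandler.updateAfterApproval(authorizationRequest, user);
            boolean approved = this.userApprovalHandler.isApproved(authorizationRequest, user);
            authorizationRequest.setApproved(approved);
            if (authorizationRequest.getRedirectUri() == null) {
                throw new InvalidRequestException("Cannot approve request when no redirect URI is provided.");
            }
            if (!approved) {
                boolean useFragment = responseTypes.contains(RESPONSE_TYPE_TOKEN);
                OAuth2Exception denied = new UserDeniedAuthorizationException("User denied access");
                return redirectTo(getUnsuccessfulRedirect(authorizationRequest, denied, useFragment));
            }
            if (responseTypes.contains(RESPONSE_TYPE_TOKEN)) {
                return getImplicitGrantResponse(authorizationRequest).getView();
            }
            return getAuthorizationCodeResponse(authorizationRequest, user);
        } finally {
            // Approval is single-use: drop the session-held request on every exit path,
            // including the tamper-detection failure above.
            sessionStatus.setComplete();
        }
    }

    /**
     * Compares the live request with the snapshot stored by {@link #authorize}.
     *
     * @return {@code true} if any tracked field differs, or if there is no snapshot at all
     *         (fail closed instead of dereferencing {@code null})
     */
    private boolean isAuthorizationRequestModified(AuthorizationRequest authorizationRequest, Map<String, Object> original) {
        if (original == null) {
            return true;
        }
        boolean unchanged = ObjectUtils.nullSafeEquals(authorizationRequest.getClientId(), original.get("client_id"))
                && ObjectUtils.nullSafeEquals(authorizationRequest.getState(), original.get("state"))
                && ObjectUtils.nullSafeEquals(authorizationRequest.getRedirectUri(), original.get(OAuth2Utils.REDIRECT_URI))
                && ObjectUtils.nullSafeEquals(authorizationRequest.getResponseTypes(), original.get(OAuth2Utils.RESPONSE_TYPE))
                && ObjectUtils.nullSafeEquals(authorizationRequest.getScope(), original.get("scope"))
                && ObjectUtils.nullSafeEquals(Boolean.valueOf(authorizationRequest.isApproved()), original.get("approved"))
                && ObjectUtils.nullSafeEquals(authorizationRequest.getResourceIds(), original.get("resourceIds"))
                && ObjectUtils.nullSafeEquals(authorizationRequest.getAuthorities(), original.get("authorities"));
        return !unchanged;
    }

    /** Renders the user approval page, enriched with whatever the approval handler wants shown. */
    private ModelAndView getUserApprovalPageResponse(Map<String, Object> model, AuthorizationRequest authorizationRequest, Authentication principal) {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Loading user approval page: " + this.userApprovalPage);
        }
        model.putAll(this.userApprovalHandler.getUserApprovalRequest(authorizationRequest, principal));
        return new ModelAndView(this.userApprovalPage, (Map<String, ?>) model);
    }

    /**
     * Implicit grant: obtains an access token and redirects with it in the URI fragment. Any
     * {@link OAuth2Exception} is turned into an error redirect (the redirect URI has already been
     * resolved by the caller).
     */
    private ModelAndView getImplicitGrantResponse(AuthorizationRequest authorizationRequest) {
        try {
            TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(authorizationRequest, IMPLICIT_GRANT_TYPE);
            OAuth2Request storedRequest = getOAuth2RequestFactory().createOAuth2Request(authorizationRequest);
            OAuth2AccessToken accessToken = getAccessTokenForImplicitGrant(tokenRequest, storedRequest);
            if (accessToken == null) {
                throw new UnsupportedResponseTypeException("Unsupported response type: token");
            }
            return new ModelAndView(redirectTo(appendAccessToken(authorizationRequest, accessToken)));
        } catch (OAuth2Exception e) {
            return new ModelAndView(redirectTo(getUnsuccessfulRedirect(authorizationRequest, e, true)));
        }
    }

    /**
     * Asks the token granter for an implicit-grant token. Calls are serialized on
     * {@link #implicitLock} as in the original implementation — presumably to avoid racing
     * concurrent implicit grants in the token store; confirm before relaxing.
     */
    private OAuth2AccessToken getAccessTokenForImplicitGrant(TokenRequest tokenRequest, OAuth2Request storedOAuth2Request) {
        synchronized (this.implicitLock) {
            return getTokenGranter().grant(IMPLICIT_GRANT_TYPE, new ImplicitTokenRequest(tokenRequest, storedOAuth2Request));
        }
    }

    /**
     * Authorization-code grant: issues a code and redirects with it in the query string. Any
     * {@link OAuth2Exception} becomes an error redirect to the already-resolved redirect URI.
     */
    private View getAuthorizationCodeResponse(AuthorizationRequest authorizationRequest, Authentication authUser) {
        try {
            String code = generateCode(authorizationRequest, authUser);
            return redirectTo(getSuccessfulRedirect(authorizationRequest, code));
        } catch (OAuth2Exception e) {
            return redirectTo(getUnsuccessfulRedirect(authorizationRequest, e, false));
        }
    }

    /**
     * Builds the implicit-grant success URI: access token, token type, state, remaining lifetime,
     * scope (when it differs from what was requested) and any additional token information, all
     * in the URI fragment.
     */
    private String appendAccessToken(AuthorizationRequest authorizationRequest, OAuth2AccessToken accessToken) {
        if (accessToken == null) {
            throw new InvalidRequestException("An implicit grant could not be made");
        }
        Map<String, Object> vars = new LinkedHashMap<String, Object>();
        Map<String, String> keys = new HashMap<String, String>();
        vars.put(OAuth2AccessToken.ACCESS_TOKEN, accessToken.getValue());
        vars.put(OAuth2AccessToken.TOKEN_TYPE, accessToken.getTokenType());
        String state = authorizationRequest.getState();
        if (state != null) {
            vars.put("state", state);
        }
        Date expiration = accessToken.getExpiration();
        if (expiration != null) {
            long expiresIn = (expiration.getTime() - System.currentTimeMillis()) / 1000;
            vars.put(OAuth2AccessToken.EXPIRES_IN, Long.valueOf(expiresIn));
        }
        // Echo the scope only when none was requested or the granted scope differs from the
        // requested one (RFC 6749 §4.2.2 makes it optional when identical).
        String requestedScope = authorizationRequest.getRequestParameters().get("scope");
        if (requestedScope == null || !OAuth2Utils.parseParameterList(requestedScope).equals(accessToken.getScope())) {
            vars.put("scope", OAuth2Utils.formatParameterList(accessToken.getScope()));
        }
        // Additional token information is emitted under its own key; the template variable is
        // prefixed with "extra_" (presumably to avoid clashing with the standard parameters above).
        Map<String, Object> additionalInformation = accessToken.getAdditionalInformation();
        for (Map.Entry<String, Object> entry : additionalInformation.entrySet()) {
            Object value = entry.getValue();
            if (value != null) {
                String key = entry.getKey();
                keys.put("extra_" + key, key);
                vars.put("extra_" + key, value);
            }
        }
        return append(authorizationRequest.getRedirectUri(), vars, keys, true);
    }

    /**
     * Creates an authorization code bound to the request and the authenticated user. On failure
     * the client's {@code state} is attached to the exception so it can be echoed back.
     */
    private String generateCode(AuthorizationRequest authorizationRequest, Authentication authentication) throws AuthenticationException {
        try {
            OAuth2Request storedOAuth2Request = getOAuth2RequestFactory().createOAuth2Request(authorizationRequest);
            OAuth2Authentication combinedAuth = new OAuth2Authentication(storedOAuth2Request, authentication);
            return this.authorizationCodeServices.createAuthorizationCode(combinedAuth);
        } catch (OAuth2Exception e) {
            if (authorizationRequest.getState() != null) {
                e.addAdditionalInformation("state", authorizationRequest.getState());
            }
            throw e;
        }
    }

    /** Builds the authorization-code success URI ({@code code} and {@code state} in the query). */
    private String getSuccessfulRedirect(AuthorizationRequest authorizationRequest, String authorizationCode) {
        if (authorizationCode == null) {
            throw new IllegalStateException("No authorization code found in the current request scope.");
        }
        Map<String, String> query = new LinkedHashMap<String, String>();
        query.put(RESPONSE_TYPE_CODE, authorizationCode);
        String state = authorizationRequest.getState();
        if (state != null) {
            query.put("state", state);
        }
        return append(authorizationRequest.getRedirectUri(), query, false);
    }

    /**
     * Builds an error redirect ({@code error}, {@code error_description}, {@code state} and any
     * additional information on the exception).
     *
     * <p>This method trusts {@code authorizationRequest.getRedirectUri()} and must only be called
     * with a request whose redirect URI has been resolved against the client registration.
     *
     * @param fragment {@code true} to place the parameters in the URI fragment (implicit grant),
     *                 {@code false} for the query string (authorization-code grant)
     * @throws UnapprovedClientAuthenticationException if there is no redirect URI to send the error to
     */
    private String getUnsuccessfulRedirect(AuthorizationRequest authorizationRequest, OAuth2Exception failure, boolean fragment) {
        if (authorizationRequest == null || authorizationRequest.getRedirectUri() == null) {
            throw new UnapprovedClientAuthenticationException("Authorization failure, and no redirect URI.", failure);
        }
        Map<String, String> query = new LinkedHashMap<String, String>();
        query.put("error", failure.getOAuth2ErrorCode());
        query.put(OAuth2Exception.DESCRIPTION, failure.getMessage());
        if (authorizationRequest.getState() != null) {
            query.put("state", authorizationRequest.getState());
        }
        if (failure.getAdditionalInformation() != null) {
            query.putAll(failure.getAdditionalInformation());
        }
        return append(authorizationRequest.getRedirectUri(), query, fragment);
    }

    private String append(String base, Map<String, ?> query, boolean fragment) {
        return append(base, query, null, fragment);
    }

    /**
     * Appends parameters to a redirect URI, either as query parameters or inside the fragment,
     * preserving whatever query/fragment the registered URI already carries. Values are passed
     * through URI-template expansion and encoded, so request-derived strings (state, error
     * descriptions) cannot break out of their parameter.
     *
     * @param base     the resolved redirect URI
     * @param query    parameter values, keyed by template variable name
     * @param keys     optional mapping from template variable name to the parameter name emitted
     *                 in the URI ({@code null} to emit the variable name itself)
     * @param fragment {@code true} to append to the fragment, {@code false} to the query string
     */
    private String append(String base, Map<String, ?> query, Map<String, String> keys, boolean fragment) {
        UriComponentsBuilder template = UriComponentsBuilder.newInstance();
        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(base);
        URI redirectUri;
        try {
            // First assume the redirect URI is already encoded (build(true) = "components are encoded").
            redirectUri = builder.build(true).toUri();
        } catch (Exception e) {
            // Otherwise encode it ourselves (registered redirect URIs may be stored unencoded).
            redirectUri = builder.build().toUri();
            builder = UriComponentsBuilder.fromUri(redirectUri);
        }
        template.scheme(redirectUri.getScheme()).port(redirectUri.getPort()).host(redirectUri.getHost())
                .userInfo(redirectUri.getUserInfo()).path(redirectUri.getPath());
        if (fragment) {
            StringBuilder values = new StringBuilder();
            if (redirectUri.getFragment() != null) {
                values.append(redirectUri.getFragment());
            }
            for (String key : query.keySet()) {
                if (values.length() > 0) {
                    values.append("&");
                }
                String name = key;
                if (keys != null && keys.containsKey(key)) {
                    name = keys.get(key);
                }
                values.append(name).append("={").append(key).append("}");
            }
            if (values.length() > 0) {
                template.fragment(values.toString());
            }
            builder.fragment(template.build().expand(query).encode().getFragment());
        } else {
            for (String key : query.keySet()) {
                String name = key;
                if (keys != null && keys.containsKey(key)) {
                    name = keys.get(key);
                }
                template.queryParam(name, "{" + key + "}");
            }
            template.fragment(redirectUri.getFragment());
            builder.query(template.build().expand(query).encode().getQuery());
        }
        return builder.build().toUriString();
    }

    /**
     * Creates the redirect view used for every client-facing redirect: absolute URL (not
     * context-relative), HTTP/1.0-compatible status, and — importantly — model attributes are NOT
     * exposed as query parameters, so the session-held request never leaks into the redirect.
     */
    private static RedirectView redirectTo(String url) {
        return new RedirectView(url, false, true, false);
    }

    public void setUserApprovalPage(String userApprovalPage) {
        this.userApprovalPage = userApprovalPage;
    }

    public void setAuthorizationCodeServices(AuthorizationCodeServices authorizationCodeServices) {
        this.authorizationCodeServices = authorizationCodeServices;
    }

    public void setRedirectResolver(RedirectResolver redirectResolver) {
        this.redirectResolver = redirectResolver;
    }

    public void setUserApprovalHandler(UserApprovalHandler userApprovalHandler) {
        this.userApprovalHandler = userApprovalHandler;
    }

    public void setOAuth2RequestValidator(OAuth2RequestValidator oauth2RequestValidator) {
        this.oauth2RequestValidator = oauth2RequestValidator;
    }

    /**
     * No-op retained for configuration compatibility: the implicit grant is obtained from the
     * {@code TokenGranter} (see {@link #getAccessTokenForImplicitGrant}), not from this service.
     */
    @Deprecated
    public void setImplicitGrantService(ImplicitGrantService implicitGrantService) {
    }

    /**
     * Unknown/unregistered client: reported as a bad-client-credentials error, which
     * {@link #handleException} renders on the error page without redirecting.
     */
    @ExceptionHandler({ClientRegistrationException.class})
    public ModelAndView handleClientRegistrationException(Exception e, ServletWebRequest webRequest) throws Exception {
        this.logger.info("Handling ClientRegistrationException error: " + e.getMessage());
        return handleException(new BadClientCredentialsException(), webRequest);
    }

    @ExceptionHandler({OAuth2Exception.class})
    public ModelAndView handleOAuth2Exception(OAuth2Exception e, ServletWebRequest webRequest) throws Exception {
        this.logger.info("Handling OAuth2 error: " + e.getSummary());
        return handleException(e, webRequest);
    }

    /** Approval POST without a pending request in the session (expired or never started). */
    @ExceptionHandler({HttpSessionRequiredException.class})
    public ModelAndView handleHttpSessionRequiredException(HttpSessionRequiredException e, ServletWebRequest webRequest) throws Exception {
        this.logger.info("Handling Session required error: " + e.getMessage());
        return handleException(new AccessDeniedException("Could not obtain authorization request from session", e), webRequest);
    }

    /**
     * Common error rendering. Client-authentication and redirect-mismatch errors are shown on the
     * error page. Other errors are redirected to the client only after the {@code redirect_uri}
     * has been resolved against the client registration; if the request cannot be reconstructed,
     * the client is unknown or the redirect cannot be resolved, the error page is used instead.
     */
    private ModelAndView handleException(Exception e, ServletWebRequest webRequest) throws Exception {
        ResponseEntity<OAuth2Exception> translate = getExceptionTranslator().translate(e);
        webRequest.getResponse().setStatus(translate.getStatusCode().value());
        if (e instanceof ClientAuthenticationException || e instanceof RedirectMismatchException) {
            // The client identity or its redirect is in doubt: never redirect.
            return new ModelAndView(this.errorPage, Collections.singletonMap("error", translate.getBody()));
        }
        try {
            AuthorizationRequest authorizationRequest = getAuthorizationRequestForError(webRequest);
            String requestedRedirectParam = authorizationRequest.getRequestParameters().get(OAuth2Utils.REDIRECT_URI);
            ClientDetails client = getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId());
            authorizationRequest.setRedirectUri(this.redirectResolver.resolveRedirect(requestedRedirectParam, client));
            boolean useFragment = authorizationRequest.getResponseTypes().contains(RESPONSE_TYPE_TOKEN);
            return new ModelAndView(redirectTo(getUnsuccessfulRedirect(authorizationRequest, translate.getBody(), useFragment)));
        } catch (OAuth2Exception | ClientRegistrationException ex) {
            // Also covers errors thrown before the client id was checked (e.g. an unsupported
            // response_type with a missing/unknown client_id), which previously surfaced as a 500.
            return new ModelAndView(this.errorPage, Collections.singletonMap("error", translate.getBody()));
        }
    }

    /**
     * Recovers the request being processed when an error occurred: the session-held request if
     * there is one, otherwise a request rebuilt from the raw parameters (first value of each).
     */
    private AuthorizationRequest getAuthorizationRequestForError(ServletWebRequest webRequest) {
        AuthorizationRequest fromSession = (AuthorizationRequest) this.sessionAttributeStore.retrieveAttribute(webRequest, AUTHORIZATION_REQUEST_ATTR_NAME);
        if (fromSession != null) {
            return fromSession;
        }
        Map<String, String> parameters = new HashMap<String, String>();
        for (Map.Entry<String, String[]> entry : webRequest.getParameterMap().entrySet()) {
            String[] values = entry.getValue();
            if (values != null && values.length > 0) {
                parameters.put(entry.getKey(), values[0]);
            }
        }
        try {
            return getOAuth2RequestFactory().createAuthorizationRequest(parameters);
        } catch (Exception e) {
            // The configured factory may reject the parameters itself; fall back to the default
            // factory so the error can still be reported.
            return getDefaultOAuth2RequestFactory().createAuthorizationRequest(parameters);
        }
    }
}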
