package org.springframework.security.oauth2.server.authorization.oidc.web;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.core.log.LogMessage;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientMetadataClaimNames;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientRegistration;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.oidc.http.converter.OidcClientRegistrationHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.oidc.web.authentication.OidcClientRegistrationAuthenticationConverter;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/oidc/web/OidcClientRegistrationEndpointFilter.class */
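/**
 * Servlet filter for the OpenID Connect 1.0 client registration endpoint.
 *
 * <p>Two kinds of request are handled, both on the configured endpoint URI:
 * a {@code POST} (client registration) and a {@code GET} that carries a non-blank
 * {@code client_id} parameter (client configuration read). Every other request is
 * passed down the filter chain untouched.
 *
 * <p>This filter performs no credential or scope check of its own. It converts the
 * request with the configured {@link AuthenticationConverter} and hands the result to
 * the {@link AuthenticationManager}; whatever that manager returns or throws decides
 * between the success and the failure handler. Replacing the converter or either
 * handler through the setters therefore replaces part of the endpoint's access control
 * and response handling.
 */
public final class OidcClientRegistrationEndpointFilter extends OncePerRequestFilter {
    private static final String DEFAULT_OIDC_CLIENT_REGISTRATION_ENDPOINT_URI = "/connect/register";
    private final AuthenticationManager authenticationManager;
    private final RequestMatcher clientRegistrationEndpointMatcher;
    private final HttpMessageConverter<OidcClientRegistration> clientRegistrationHttpMessageConverter =
            new OidcClientRegistrationHttpMessageConverter();
    private final HttpMessageConverter<OAuth2Error> errorHttpResponseConverter = new OAuth2ErrorHttpMessageConverter();
    private AuthenticationConverter authenticationConverter = new OidcClientRegistrationAuthenticationConverter();
    private AuthenticationSuccessHandler authenticationSuccessHandler = this::sendClientRegistrationResponse;
    private AuthenticationFailureHandler authenticationFailureHandler = this::sendErrorResponse;

    /**
     * Creates the filter on the default endpoint URI {@code /connect/register}.
     *
     * @param authenticationManager the manager that processes registration requests; must not be null
     */
    public OidcClientRegistrationEndpointFilter(AuthenticationManager authenticationManager) {
        this(authenticationManager, DEFAULT_OIDC_CLIENT_REGISTRATION_ENDPOINT_URI);
    }

    /**
     * Creates the filter on a caller-chosen endpoint URI.
     *
     * @param authenticationManager the manager that processes registration requests; must not be null
     * @param clientRegistrationEndpointUri the endpoint path pattern; must contain text
     * @throws IllegalArgumentException if either argument fails its check
     */
    public OidcClientRegistrationEndpointFilter(AuthenticationManager authenticationManager,
            String clientRegistrationEndpointUri) {
        Assert.notNull(authenticationManager, "authenticationManager cannot be null");
        Assert.hasText(clientRegistrationEndpointUri, "clientRegistrationEndpointUri cannot be empty");
        this.authenticationManager = authenticationManager;
        RequestMatcher registrationMatcher =
                new AntPathRequestMatcher(clientRegistrationEndpointUri, HttpMethod.POST.name());
        this.clientRegistrationEndpointMatcher = new OrRequestMatcher(
                new RequestMatcher[]{registrationMatcher, createClientConfigurationMatcher(clientRegistrationEndpointUri)});
    }

    /**
     * Builds the matcher for client configuration reads: a {@code GET} on the endpoint
     * URI that also carries a non-blank {@code client_id} parameter. Only the presence
     * of text is checked here; the value itself is not validated by the matcher.
     */
    private static RequestMatcher createClientConfigurationMatcher(String clientRegistrationEndpointUri) {
        RequestMatcher getOnEndpoint = new AntPathRequestMatcher(clientRegistrationEndpointUri, HttpMethod.GET.name());
        RequestMatcher hasClientId =
                request -> StringUtils.hasText(request.getParameter(OidcClientMetadataClaimNames.CLIENT_ID));
        return new AndRequestMatcher(new RequestMatcher[]{getOnEndpoint, hasClientId});
    }

    /**
     * Processes a registration or configuration request, or delegates to the chain.
     *
     * <p>The endpoint check runs before the {@code try} block so that exceptions raised
     * by downstream filters propagate unchanged instead of being reported as client
     * registration errors, and so that the security context is cleared only for
     * requests this filter actually handled.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            FilterChain filterChain) throws ServletException, IOException {
        if (!this.clientRegistrationEndpointMatcher.matches(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        try {
            Authentication registrationRequest = this.authenticationConverter.convert(httpServletRequest);
            Authentication registrationResult = this.authenticationManager.authenticate(registrationRequest);
            this.authenticationSuccessHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse,
                    registrationResult);
        } catch (OAuth2AuthenticationException ex) {
            // The specific type must be caught before Exception; the reverse order leaves
            // this branch unreachable and does not compile.
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(LogMessage.format("Client registration request failed: %s", ex.getError()), ex);
            }
            this.authenticationFailureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, ex);
        } catch (Exception ex) {
            // NOTE(review): ex.getMessage() is copied into the error description that the
            // failure handler sends to the caller. Confirm that no exception reaching this
            // branch carries internal detail (class names, SQL, file paths) in its message.
            OAuth2Error oAuth2Error = new OAuth2Error("invalid_request",
                    "OpenID Connect 1.0 Client Registration Error: " + ex.getMessage(),
                    "https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationError");
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(oAuth2Error.getDescription(), ex);
            }
            this.authenticationFailureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse,
                    new OAuth2AuthenticationException(oAuth2Error));
        } finally {
            // Do not let the authentication established for this request outlive it.
            SecurityContextHolder.clearContext();
        }
    }

    /**
     * Replaces the converter that turns the HTTP request into an {@link Authentication}.
     *
     * @param authenticationConverter the converter to use; must not be null
     */
    public void setAuthenticationConverter(AuthenticationConverter authenticationConverter) {
        Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
        this.authenticationConverter = authenticationConverter;
    }

    /**
     * Replaces the handler invoked after the manager returns successfully.
     *
     * @param authenticationSuccessHandler the handler to use; must not be null
     */
    public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
        Assert.notNull(authenticationSuccessHandler, "authenticationSuccessHandler cannot be null");
        this.authenticationSuccessHandler = authenticationSuccessHandler;
    }

    /**
     * Replaces the handler invoked when conversion or authentication fails.
     *
     * @param authenticationFailureHandler the handler to use; must not be null
     */
    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        Assert.notNull(authenticationFailureHandler, "authenticationFailureHandler cannot be null");
        this.authenticationFailureHandler = authenticationFailureHandler;
    }

    /**
     * Default success handler: writes the client registration with status 201 for a
     * {@code POST} and 200 otherwise.
     *
     * <p>The cast assumes the manager returned an
     * {@link OidcClientRegistrationAuthenticationToken}; any other type raises a
     * {@link ClassCastException}, which {@code doFilterInternal} reports as
     * {@code invalid_request}.
     */
    private void sendClientRegistrationResponse(HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse, Authentication authentication) throws IOException {
        OidcClientRegistration clientRegistration =
                ((OidcClientRegistrationAuthenticationToken) authentication).getClientRegistration();
        ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(httpServletResponse);
        boolean created = HttpMethod.POST.name().equals(httpServletRequest.getMethod());
        httpResponse.setStatusCode(created ? HttpStatus.CREATED : HttpStatus.OK);
        this.clientRegistrationHttpMessageConverter.write(clientRegistration, (MediaType) null, httpResponse);
    }

    /**
     * Default failure handler: writes the OAuth 2.0 error with a status derived from
     * its error code. {@code invalid_token} and {@code invalid_client} map to 401,
     * {@code insufficient_scope} to 403, and every other code to 400.
     *
     * <p>The cast assumes an {@link OAuth2AuthenticationException}, which is the only
     * type {@code doFilterInternal} passes to the failure handler.
     */
    private void sendErrorResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            AuthenticationException authenticationException) throws IOException {
        OAuth2Error error = ((OAuth2AuthenticationException) authenticationException).getError();
        String errorCode = error.getErrorCode();
        HttpStatus httpStatus;
        if ("invalid_token".equals(errorCode) || "invalid_client".equals(errorCode)) {
            httpStatus = HttpStatus.UNAUTHORIZED;
        } else if ("insufficient_scope".equals(errorCode)) {
            httpStatus = HttpStatus.FORBIDDEN;
        } else {
            httpStatus = HttpStatus.BAD_REQUEST;
        }
        ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(httpServletResponse);
        httpResponse.setStatusCode(httpStatus);
        this.errorHttpResponseConverter.write(error, (MediaType) null, httpResponse);
    }
}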
