package org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers;

import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import java.net.URI;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
import org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.context.SecurityContextHolderFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.class */
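/**
 * Configures the OAuth 2.0 authorization server endpoints on an {@link HttpSecurity} builder.
 *
 * <p>The configurer keeps one {@link AbstractOAuth2Configurer} per protocol endpoint (client
 * authentication, server metadata, authorization, token, introspection, revocation) and drives
 * their {@code init}/{@code configure} lifecycle. OpenID Connect support is opt-in: the
 * {@link OidcConfigurer} is only registered when {@link #oidc(Customizer)} is called, and until
 * then authorization requests carrying the {@code openid} scope are rejected.
 */
public final class OAuth2AuthorizationServerConfigurer extends AbstractHttpConfigurer<OAuth2AuthorizationServerConfigurer, HttpSecurity> {
    // Insertion-ordered so that the endpoint configurers are initialised and configured in a
    // stable order (client authentication first).
    private final Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer> configurers = createConfigurers();

    // Built in init(HttpSecurity); null before that.
    private RequestMatcher endpointsMatcher;

    /**
     * Registers the repository of registered clients as a shared object on the builder.
     *
     * @param registeredClientRepository the client repository, must not be {@code null}
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer registeredClientRepository(RegisteredClientRepository registeredClientRepository) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        getBuilder().setSharedObject(RegisteredClientRepository.class, registeredClientRepository);
        return this;
    }

    /**
     * Registers the authorization service as a shared object on the builder.
     *
     * @param oAuth2AuthorizationService the authorization service, must not be {@code null}
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer authorizationService(OAuth2AuthorizationService oAuth2AuthorizationService) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        getBuilder().setSharedObject(OAuth2AuthorizationService.class, oAuth2AuthorizationService);
        return this;
    }

    /**
     * Registers the authorization consent service as a shared object on the builder.
     *
     * @param oAuth2AuthorizationConsentService the consent service, must not be {@code null}
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer authorizationConsentService(OAuth2AuthorizationConsentService oAuth2AuthorizationConsentService) {
        Assert.notNull(oAuth2AuthorizationConsentService, "authorizationConsentService cannot be null");
        getBuilder().setSharedObject(OAuth2AuthorizationConsentService.class, oAuth2AuthorizationConsentService);
        return this;
    }

    /**
     * Registers the authorization server settings as a shared object on the builder.
     *
     * <p>The issuer in these settings is validated later, in {@link #init(HttpSecurity)}.
     *
     * @param authorizationServerSettings the settings, must not be {@code null}
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer authorizationServerSettings(AuthorizationServerSettings authorizationServerSettings) {
        Assert.notNull(authorizationServerSettings, "authorizationServerSettings cannot be null");
        getBuilder().setSharedObject(AuthorizationServerSettings.class, authorizationServerSettings);
        return this;
    }

    /**
     * Registers the token generator as a shared object on the builder.
     *
     * @param oAuth2TokenGenerator the token generator, must not be {@code null}
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer tokenGenerator(OAuth2TokenGenerator<? extends OAuth2Token> oAuth2TokenGenerator) {
        Assert.notNull(oAuth2TokenGenerator, "tokenGenerator cannot be null");
        getBuilder().setSharedObject(OAuth2TokenGenerator.class, oAuth2TokenGenerator);
        return this;
    }

    /**
     * Applies the customizer to the client authentication configurer.
     *
     * @param customizer the customizer to apply
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer clientAuthentication(Customizer<OAuth2ClientAuthenticationConfigurer> customizer) {
        customizer.customize(getConfigurer(OAuth2ClientAuthenticationConfigurer.class));
        return this;
    }

    /**
     * Applies the customizer to the authorization server metadata endpoint configurer.
     *
     * @param customizer the customizer to apply
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer authorizationServerMetadataEndpoint(Customizer<OAuth2AuthorizationServerMetadataEndpointConfigurer> customizer) {
        customizer.customize(getConfigurer(OAuth2AuthorizationServerMetadataEndpointConfigurer.class));
        return this;
    }

    /**
     * Applies the customizer to the authorization endpoint configurer.
     *
     * @param customizer the customizer to apply
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer authorizationEndpoint(Customizer<OAuth2AuthorizationEndpointConfigurer> customizer) {
        customizer.customize(getConfigurer(OAuth2AuthorizationEndpointConfigurer.class));
        return this;
    }

    /**
     * Applies the customizer to the token endpoint configurer.
     *
     * @param customizer the customizer to apply
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer tokenEndpoint(Customizer<OAuth2TokenEndpointConfigurer> customizer) {
        customizer.customize(getConfigurer(OAuth2TokenEndpointConfigurer.class));
        return this;
    }

    /**
     * Applies the customizer to the token introspection endpoint configurer.
     *
     * @param customizer the customizer to apply
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer tokenIntrospectionEndpoint(Customizer<OAuth2TokenIntrospectionEndpointConfigurer> customizer) {
        customizer.customize(getConfigurer(OAuth2TokenIntrospectionEndpointConfigurer.class));
        return this;
    }

    /**
     * Applies the customizer to the token revocation endpoint configurer.
     *
     * @param customizer the customizer to apply
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer tokenRevocationEndpoint(Customizer<OAuth2TokenRevocationEndpointConfigurer> customizer) {
        customizer.customize(getConfigurer(OAuth2TokenRevocationEndpointConfigurer.class));
        return this;
    }

    /**
     * Enables OpenID Connect support and applies the customizer to its configurer.
     *
     * <p>The {@link OidcConfigurer} is created on first use. Its presence is what
     * {@link #init(HttpSecurity)} checks before deciding whether to reject the {@code openid}
     * scope, so calling this method is what lifts that restriction.
     *
     * @param customizer the customizer to apply
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer oidc(Customizer<OidcConfigurer> customizer) {
        OidcConfigurer oidcConfigurer = getConfigurer(OidcConfigurer.class);
        if (oidcConfigurer == null) {
            addConfigurer(OidcConfigurer.class, new OidcConfigurer(this::postProcess));
            oidcConfigurer = getConfigurer(OidcConfigurer.class);
        }
        customizer.customize(oidcConfigurer);
        return this;
    }

    /**
     * Returns a matcher for the authorization server endpoints.
     *
     * <p>The returned matcher is deferred: it reads {@code endpointsMatcher} on every call, so it
     * can be handed out before {@link #init(HttpSecurity)} has run. Invoking {@code matches} on it
     * before {@code init} has built the underlying matcher fails with a
     * {@link NullPointerException}.
     *
     * @return a matcher delegating to the matcher built in {@code init}
     */
    public RequestMatcher getEndpointsMatcher() {
        return request -> this.endpointsMatcher.matches(request);
    }

    /**
     * Validates the settings, initialises every endpoint configurer and builds the combined
     * endpoints matcher.
     *
     * @param httpSecurity the builder being configured
     * @throws IllegalArgumentException if the configured issuer is not a valid URL or carries a
     *     query or fragment component
     */
    @Override
    public void init(HttpSecurity httpSecurity) {
        AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils.getAuthorizationServerSettings(httpSecurity);
        validateAuthorizationServerSettings(authorizationServerSettings);

        if (getConfigurer(OidcConfigurer.class) == null) {
            // OIDC was not enabled through oidc(Customizer): refuse authorization requests that
            // ask for the "openid" scope instead of silently handling them as plain OAuth 2.0.
            OAuth2AuthorizationEndpointConfigurer authorizationEndpointConfigurer = getConfigurer(OAuth2AuthorizationEndpointConfigurer.class);
            authorizationEndpointConfigurer.addAuthorizationCodeRequestAuthenticationValidator(authenticationContext -> {
                OAuth2AuthorizationCodeRequestAuthenticationToken authentication = authenticationContext.getAuthentication();
                if (authentication.getScopes().contains("openid")) {
                    throw new OAuth2AuthorizationCodeRequestAuthenticationException(new OAuth2Error("invalid_scope", "OpenID Connect 1.0 authentication requests are restricted.", "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1"), authentication);
                }
            });
        }

        ArrayList<RequestMatcher> requestMatchers = new ArrayList<>();
        this.configurers.values().forEach(configurer -> {
            configurer.init(httpSecurity);
            requestMatchers.add(configurer.getRequestMatcher());
        });
        // NOTE(review): the JWK Set endpoint is matched unconditionally here, while
        // configure(HttpSecurity) only installs the filter serving it when a JWKSource is
        // available. Confirm the behaviour of a matched but unserved request is acceptable.
        requestMatchers.add(new AntPathRequestMatcher(authorizationServerSettings.getJwkSetEndpoint(), HttpMethod.GET.name()));
        this.endpointsMatcher = new OrRequestMatcher(requestMatchers);

        ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = httpSecurity.getConfigurer(ExceptionHandlingConfigurer.class);
        if (exceptionHandling != null) {
            // The token, introspection and revocation endpoints get an entry point that answers
            // with a bare 401 status.
            exceptionHandling.defaultAuthenticationEntryPointFor(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED), new OrRequestMatcher(new RequestMatcher[]{getRequestMatcher(OAuth2TokenEndpointConfigurer.class), getRequestMatcher(OAuth2TokenIntrospectionEndpointConfigurer.class), getRequestMatcher(OAuth2TokenRevocationEndpointConfigurer.class)}));
        }
    }

    /**
     * Configures every endpoint configurer and installs the server-level filters.
     *
     * <p>The {@code AuthorizationServerContextFilter} is added after
     * {@link SecurityContextHolderFilter}. The JWK Set endpoint filter is added before
     * {@link AbstractPreAuthenticatedProcessingFilter}, and only when a {@link JWKSource} is
     * available.
     *
     * @param httpSecurity the builder being configured
     */
    @Override
    public void configure(HttpSecurity httpSecurity) {
        this.configurers.values().forEach(configurer -> configurer.configure(httpSecurity));

        AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils.getAuthorizationServerSettings(httpSecurity);
        httpSecurity.addFilterAfter((Filter) postProcess(new AuthorizationServerContextFilter(authorizationServerSettings)), SecurityContextHolderFilter.class);

        JWKSource<SecurityContext> jwkSource = OAuth2ConfigurerUtils.getJwkSource(httpSecurity);
        if (jwkSource != null) {
            httpSecurity.addFilterBefore((Filter) postProcess(new NimbusJwkSetEndpointFilter(jwkSource, authorizationServerSettings.getJwkSetEndpoint())), AbstractPreAuthenticatedProcessingFilter.class);
        }
    }

    /**
     * Creates the default endpoint configurers, keyed by their class, in registration order.
     *
     * <p>{@link OidcConfigurer} is deliberately absent; it is added by {@link #oidc(Customizer)}.
     */
    private Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer> createConfigurers() {
        Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer> defaults = new LinkedHashMap<>();
        defaults.put(OAuth2ClientAuthenticationConfigurer.class, new OAuth2ClientAuthenticationConfigurer(this::postProcess));
        defaults.put(OAuth2AuthorizationServerMetadataEndpointConfigurer.class, new OAuth2AuthorizationServerMetadataEndpointConfigurer(this::postProcess));
        defaults.put(OAuth2AuthorizationEndpointConfigurer.class, new OAuth2AuthorizationEndpointConfigurer(this::postProcess));
        defaults.put(OAuth2TokenEndpointConfigurer.class, new OAuth2TokenEndpointConfigurer(this::postProcess));
        defaults.put(OAuth2TokenIntrospectionEndpointConfigurer.class, new OAuth2TokenIntrospectionEndpointConfigurer(this::postProcess));
        defaults.put(OAuth2TokenRevocationEndpointConfigurer.class, new OAuth2TokenRevocationEndpointConfigurer(this::postProcess));
        return defaults;
    }

    /**
     * Looks up the configurer registered under the given class.
     *
     * @return the configurer, or {@code null} if none is registered for {@code cls}
     */
    @SuppressWarnings("unchecked") // entries are only ever stored under their own class
    private <T> T getConfigurer(Class<T> cls) {
        return (T) this.configurers.get(cls);
    }

    /** Registers a configurer under its class, replacing any previous entry. */
    private <T extends AbstractOAuth2Configurer> void addConfigurer(Class<T> cls, T t) {
        this.configurers.put(cls, t);
    }

    /**
     * Returns the request matcher of the configurer registered under the given class.
     *
     * @return the matcher, or {@code null} if no such configurer is registered
     */
    private <T extends AbstractOAuth2Configurer> RequestMatcher getRequestMatcher(Class<T> cls) {
        T configurer = getConfigurer(cls);
        return (configurer != null) ? configurer.getRequestMatcher() : null;
    }

    /**
     * Checks that the configured issuer, when present, is a valid URL without a query or
     * fragment component (the issuer identifier shape required by RFC 8414, section 2).
     *
     * <p>The component check sits outside the {@code try} block so that its specific message
     * reaches the caller instead of being rewrapped as "issuer must be a valid URL". The scheme
     * is not checked here; a deployment that requires an {@code https} issuer has to enforce
     * that separately.
     *
     * @throws IllegalArgumentException if the issuer is malformed or has a query or fragment
     */
    private static void validateAuthorizationServerSettings(AuthorizationServerSettings authorizationServerSettings) {
        String issuer = authorizationServerSettings.getIssuer();
        if (issuer == null) {
            return;
        }
        URI issuerUri;
        try {
            issuerUri = new URI(issuer);
            issuerUri.toURL();
        } catch (Exception e) {
            throw new IllegalArgumentException("issuer must be a valid URL", e);
        }
        if (issuerUri.getQuery() != null || issuerUri.getFragment() != null) {
            throw new IllegalArgumentException("issuer cannot contain query or fragment component");
        }
    }
}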
