package org.springframework.security.oauth2.client.web.client;

import com.evolveum.midpoint.security.api.AuthorizationConstants;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import org.apache.activemq.artemis.api.config.ActiveMQDefaultConfiguration;
import org.jgroups.protocols.INJECT_VIEW;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.HttpStatusCode;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.lang.Nullable;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.client.ClientAuthorizationException;
import org.springframework.security.oauth2.client.OAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.RemoveAuthorizedClientOAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestClientResponseException;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.5.0.jar:org/springframework/security/oauth2/client/web/client/OAuth2ClientHttpRequestInterceptor.class */
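/**
 * {@link ClientHttpRequestInterceptor} that attaches an OAuth 2.0 bearer token to an outgoing
 * request and reports authorization failures to an {@link OAuth2AuthorizationFailureHandler}.
 *
 * <p>Per request, a {@link ClientRegistrationIdResolver} picks the client registration and a
 * {@link PrincipalResolver} picks the principal (falling back to a fixed anonymous principal).
 * The {@link OAuth2AuthorizedClientManager} is asked for an authorized client and, if one is
 * returned, its access token is set as the {@code Authorization: Bearer} header. When no
 * registration id resolves, or the manager returns {@code null}, the request is sent without a
 * token and no error is raised, so callers must not assume the header is always present.
 *
 * <p>After execution, a 401/403 status or a {@code WWW-Authenticate: Bearer error=...} header is
 * turned into a {@link ClientAuthorizationException} and handed to the failure handler. The
 * default handler is a no-op: failures are propagated to the caller but the cached authorized
 * client is not evicted, so a revoked token keeps being reused until a handler such as
 * {@link #authorizationFailureHandler(OAuth2AuthorizedClientRepository)} or
 * {@link #authorizationFailureHandler(OAuth2AuthorizedClientService)} is configured.
 *
 * <p>Thread-safety: the configured resolvers and handler are read without synchronization; set
 * them during construction/configuration, before the interceptor is shared across threads.
 */
public final class OAuth2ClientHttpRequestInterceptor implements ClientHttpRequestInterceptor {

    /** Status codes that are treated as an OAuth 2.0 error even without a WWW-Authenticate header (RFC 6750 §3.1). */
    private static final Map<HttpStatusCode, String> OAUTH2_ERROR_CODES = Map.of(
            HttpStatus.UNAUTHORIZED, "invalid_token",
            HttpStatus.FORBIDDEN, "insufficient_scope");

    // Principal used when the PrincipalResolver yields nothing. The decompiled listing had resolved
    // the literal "anonymousUser" (and "=" / "\"" below) to equal-valued constants from unrelated
    // libraries on the decompiler's classpath; plain literals keep this class dependent on Spring only.
    private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken(
            "anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

    /** Parameter separator inside a {@code WWW-Authenticate: Bearer} challenge, e.g. {@code error="invalid_token"}. */
    private static final String PARAMETER_SEPARATOR = "=";

    /** Quote character stripped from challenge parameter values. */
    private static final String QUOTE = "\"";

    private final OAuth2AuthorizedClientManager authorizedClientManager;

    private ClientRegistrationIdResolver clientRegistrationIdResolver = new RequestAttributeClientRegistrationIdResolver();

    private PrincipalResolver principalResolver = new SecurityContextHolderPrincipalResolver();

    // Intentional no-op default: nothing is evicted on failure unless the application opts in.
    private OAuth2AuthorizationFailureHandler authorizationFailureHandler = (exception, principal, attributes) -> {
    };

    /**
     * Strategy for resolving the {@code ClientRegistration} id to use for a given request.
     * Returning {@code null} means "do not authorize this request".
     */
    @FunctionalInterface
    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.5.0.jar:org/springframework/security/oauth2/client/web/client/OAuth2ClientHttpRequestInterceptor$ClientRegistrationIdResolver.class */
    public interface ClientRegistrationIdResolver {
        @Nullable
        String resolve(HttpRequest httpRequest);
    }

    /**
     * Strategy for resolving the {@link Authentication} on whose behalf a request is authorized.
     * Returning {@code null} makes the interceptor fall back to an anonymous principal.
     */
    @FunctionalInterface
    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.5.0.jar:org/springframework/security/oauth2/client/web/client/OAuth2ClientHttpRequestInterceptor$PrincipalResolver.class */
    public interface PrincipalResolver {
        @Nullable
        Authentication resolve(HttpRequest httpRequest);
    }

    /**
     * Creates an interceptor backed by the given manager.
     *
     * @param oAuth2AuthorizedClientManager the manager used to obtain (and refresh) authorized clients
     * @throws IllegalArgumentException if the manager is {@code null}
     */
    public OAuth2ClientHttpRequestInterceptor(OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager) {
        Assert.notNull(oAuth2AuthorizedClientManager, "authorizedClientManager cannot be null");
        this.authorizedClientManager = oAuth2AuthorizedClientManager;
    }

    /**
     * Sets the handler invoked when a request fails with an OAuth 2.0 error.
     *
     * @param oAuth2AuthorizationFailureHandler the handler; never {@code null}
     * @throws IllegalArgumentException if the handler is {@code null}
     */
    public void setAuthorizationFailureHandler(OAuth2AuthorizationFailureHandler oAuth2AuthorizationFailureHandler) {
        Assert.notNull(oAuth2AuthorizationFailureHandler, "authorizationFailureHandler cannot be null");
        this.authorizationFailureHandler = oAuth2AuthorizationFailureHandler;
    }

    /**
     * Builds a failure handler that removes the failed authorized client from the given repository.
     *
     * <p>The servlet request/response are taken from the attributes map populated by this interceptor;
     * outside a servlet request context they are absent and the repository receives {@code null}
     * for them, which request-bound repositories may reject.
     *
     * @param oAuth2AuthorizedClientRepository the repository to evict from
     * @return a {@link RemoveAuthorizedClientOAuth2AuthorizationFailureHandler} bound to the repository
     * @throws IllegalArgumentException if the repository is {@code null}
     */
    public static OAuth2AuthorizationFailureHandler authorizationFailureHandler(OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository) {
        Assert.notNull(oAuth2AuthorizedClientRepository, "authorizedClientRepository cannot be null");
        return new RemoveAuthorizedClientOAuth2AuthorizationFailureHandler((clientRegistrationId, principal, attributes) -> {
            HttpServletRequest request = (HttpServletRequest) attributes.get(HttpServletRequest.class.getName());
            HttpServletResponse response = (HttpServletResponse) attributes.get(HttpServletResponse.class.getName());
            oAuth2AuthorizedClientRepository.removeAuthorizedClient(clientRegistrationId, principal, request, response);
        });
    }

    /**
     * Builds a failure handler that removes the failed authorized client from the given service,
     * keyed by client registration id and principal name.
     *
     * @param oAuth2AuthorizedClientService the service to evict from
     * @return a {@link RemoveAuthorizedClientOAuth2AuthorizationFailureHandler} bound to the service
     * @throws IllegalArgumentException if the service is {@code null}
     */
    public static OAuth2AuthorizationFailureHandler authorizationFailureHandler(OAuth2AuthorizedClientService oAuth2AuthorizedClientService) {
        Assert.notNull(oAuth2AuthorizedClientService, "authorizedClientService cannot be null");
        return new RemoveAuthorizedClientOAuth2AuthorizationFailureHandler((clientRegistrationId, principal, attributes) -> {
            oAuth2AuthorizedClientService.removeAuthorizedClient(clientRegistrationId, principal.getName());
        });
    }

    /**
     * Sets the strategy used to pick the client registration for a request.
     *
     * @param clientRegistrationIdResolver the resolver; never {@code null}
     * @throws IllegalArgumentException if the resolver is {@code null}
     */
    public void setClientRegistrationIdResolver(ClientRegistrationIdResolver clientRegistrationIdResolver) {
        Assert.notNull(clientRegistrationIdResolver, "clientRegistrationIdResolver cannot be null");
        this.clientRegistrationIdResolver = clientRegistrationIdResolver;
    }

    /**
     * Sets the strategy used to pick the principal for a request.
     *
     * @param principalResolver the resolver; never {@code null}
     * @throws IllegalArgumentException if the resolver is {@code null}
     */
    public void setPrincipalResolver(PrincipalResolver principalResolver) {
        Assert.notNull(principalResolver, "principalResolver cannot be null");
        this.principalResolver = principalResolver;
    }

    /**
     * Authorizes the request (adding a bearer token when possible), executes it, and routes any
     * OAuth 2.0 failure signalled by an exception or by the response to the failure handler.
     * Exceptions thrown by the execution are always rethrown after the handler has run.
     *
     * @param httpRequest the outgoing request
     * @param bArr the request body
     * @param clientHttpRequestExecution the rest of the interceptor chain
     * @return the response from the chain
     * @throws IOException if the chain fails with an I/O error
     */
    @Override
    public ClientHttpResponse intercept(HttpRequest httpRequest, byte[] bArr, ClientHttpRequestExecution clientHttpRequestExecution) throws IOException {
        Authentication principal = this.principalResolver.resolve(httpRequest);
        if (principal == null) {
            // No caller identity: still attempt authorization, but as the anonymous principal.
            principal = ANONYMOUS_AUTHENTICATION;
        }
        authorizeClient(httpRequest, principal);
        try {
            ClientHttpResponse response = clientHttpRequestExecution.execute(httpRequest, bArr);
            // A returned response can still be a 401/403 if the underlying client does not throw on errors.
            handleAuthorizationFailure(httpRequest, principal, response.getHeaders(), response.getStatusCode());
            return response;
        }
        catch (OAuth2AuthorizationException ex) {
            // Raised by the manager/chain with the error already resolved; forward it unchanged.
            handleAuthorizationFailure(ex, principal);
            throw ex;
        }
        catch (RestClientResponseException ex) {
            handleAuthorizationFailure(httpRequest, principal, ex.getResponseHeaders(), ex.getStatusCode());
            throw ex;
        }
    }

    /**
     * Obtains an authorized client for the resolved registration and sets its access token as the
     * bearer {@code Authorization} header. Does nothing when no registration id resolves or the
     * manager returns no client.
     */
    private void authorizeClient(HttpRequest httpRequest, Authentication principal) {
        String clientRegistrationId = this.clientRegistrationIdResolver.resolve(httpRequest);
        if (clientRegistrationId == null) {
            return;
        }
        OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
                .withClientRegistrationId(clientRegistrationId)
                .principal(principal)
                .build();
        OAuth2AuthorizedClient authorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
        if (authorizedClient != null) {
            httpRequest.getHeaders().setBearerAuth(authorizedClient.getAccessToken().getTokenValue());
        }
    }

    /**
     * Translates a response's headers/status into an OAuth 2.0 error and, when one is found and a
     * registration id resolves for the request, invokes the failure handler with a
     * {@link ClientAuthorizationException}.
     */
    private void handleAuthorizationFailure(HttpRequest httpRequest, Authentication principal,
            @Nullable HttpHeaders httpHeaders, HttpStatusCode httpStatusCode) {
        OAuth2Error error = resolveOAuth2ErrorIfPossible(httpHeaders, httpStatusCode);
        if (error == null) {
            return;
        }
        String clientRegistrationId = this.clientRegistrationIdResolver.resolve(httpRequest);
        if (clientRegistrationId == null) {
            return;
        }
        handleAuthorizationFailure(new ClientAuthorizationException(error, clientRegistrationId), principal);
    }

    /**
     * Resolves an {@link OAuth2Error} from a {@code WWW-Authenticate: Bearer} challenge, falling back
     * to a status-code based error for 401/403. The error code, description and URI in the header
     * come from the remote server verbatim; they are forwarded to the failure handler unvalidated.
     *
     * @param httpHeaders response headers; {@code null} is tolerated because
     *        {@link RestClientResponseException#getResponseHeaders()} may return {@code null}
     * @param httpStatusCode the response status
     * @return the resolved error, or {@code null} if the response does not look like an OAuth 2.0 failure
     */
    @Nullable
    private static OAuth2Error resolveOAuth2ErrorIfPossible(@Nullable HttpHeaders httpHeaders, HttpStatusCode httpStatusCode) {
        String challenge = (httpHeaders != null) ? httpHeaders.getFirst(HttpHeaders.WWW_AUTHENTICATE) : null;
        if (challenge != null) {
            Map<String, String> parameters = parseWwwAuthenticateHeader(challenge);
            if (parameters.containsKey(OAuth2ParameterNames.ERROR)) {
                return new OAuth2Error(parameters.get(OAuth2ParameterNames.ERROR),
                        parameters.get(OAuth2ParameterNames.ERROR_DESCRIPTION),
                        parameters.get(OAuth2ParameterNames.ERROR_URI));
            }
        }
        String errorCode = OAUTH2_ERROR_CODES.get(httpStatusCode);
        if (errorCode == null) {
            return null;
        }
        return new OAuth2Error(errorCode, null, "https://tools.ietf.org/html/rfc6750#section-3.1");
    }

    /**
     * Parses the parameters of a {@code Bearer} challenge into a map.
     *
     * <p>Limitations: parameters are split on {@code ','} without regard to quoting, so a quoted
     * value containing a comma is truncated at that comma (the remainder has no {@code '='} and is
     * skipped). Each parameter is split at its first {@code '='}, so values containing {@code '='}
     * (e.g. URIs with query strings) are kept intact. All double quotes are removed from values.
     *
     * @param wwwAuthenticateHeader the raw header value
     * @return the parsed parameters, or an empty map if the header is empty or not a Bearer challenge
     */
    private static Map<String, String> parseWwwAuthenticateHeader(String wwwAuthenticateHeader) {
        if (!StringUtils.hasLength(wwwAuthenticateHeader)
                || !StringUtils.startsWithIgnoreCase(wwwAuthenticateHeader, "bearer")) {
            return Map.of();
        }
        String parameterList = wwwAuthenticateHeader.substring("bearer".length()).stripLeading();
        Map<String, String> parameters = new HashMap<>();
        for (String pair : StringUtils.delimitedListToStringArray(parameterList, ",")) {
            // StringUtils.split returns null when the delimiter is absent, else exactly two parts.
            String[] keyValue = StringUtils.split(pair, PARAMETER_SEPARATOR);
            if (keyValue == null || keyValue.length <= 1) {
                continue;
            }
            parameters.put(keyValue[0].trim(), keyValue[1].trim().replace(QUOTE, ""));
        }
        return parameters;
    }

    /**
     * Invokes the failure handler, passing the current servlet request/response (when a request
     * context is bound to this thread) as attributes keyed by their class names.
     */
    private void handleAuthorizationFailure(OAuth2AuthorizationException oAuth2AuthorizationException, Authentication principal) {
        ServletRequestAttributes requestAttributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        Map<String, Object> attributes = new HashMap<>();
        if (requestAttributes != null) {
            attributes.put(HttpServletRequest.class.getName(), requestAttributes.getRequest());
            HttpServletResponse response = requestAttributes.getResponse();
            if (response != null) {
                attributes.put(HttpServletResponse.class.getName(), response);
            }
        }
        this.authorizationFailureHandler.onAuthorizationFailure(oAuth2AuthorizationException, principal, attributes);
    }
}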
