package org.springframework.security.oauth2.client.web;

import com.evolveum.midpoint.security.api.AuthorizationConstants;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.LinkedHashSet;
import java.util.Objects;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.3.9.jar:org/springframework/security/oauth2/client/web/OAuth2AuthorizationCodeGrantFilter.class */
/**
 * Servlet filter that handles the callback leg of an OAuth 2.0 authorization-code flow.
 *
 * <p>A request is treated as an authorization response only when its parameters look like
 * one, a pending {@link OAuth2AuthorizationRequest} is stored for it, and its URL matches
 * that request's redirect URI. Every other request is passed down the filter chain
 * untouched.
 *
 * <p>For a matching request the filter consumes the stored authorization request,
 * authenticates through the configured {@link AuthenticationManager}, saves the resulting
 * {@link OAuth2AuthorizedClient} and redirects the browser.
 *
 * <p>NOTE(review): nothing in this class compares the {@code state} parameter or verifies
 * the authorization code itself. Presumably that happens in the provider behind the
 * {@link AuthenticationManager}; confirm before relying on this filter alone.
 */
public class OAuth2AuthorizationCodeGrantFilter extends OncePerRequestFilter {
    private final ClientRegistrationRepository clientRegistrationRepository;
    private final OAuth2AuthorizedClientRepository authorizedClientRepository;
    private final AuthenticationManager authenticationManager;
    private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();
    private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository = new HttpSessionOAuth2AuthorizationRequestRepository();
    private final AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    private RequestCache requestCache = new HttpSessionRequestCache();

    /**
     * Creates the filter with its three mandatory collaborators.
     *
     * @param clientRegistrationRepository used to look up the client registration by id
     * @param oAuth2AuthorizedClientRepository receives the authorized client after a successful exchange
     * @param authenticationManager authenticates the authorization-code token
     * @throws IllegalArgumentException if any argument is {@code null}
     */
    public OAuth2AuthorizationCodeGrantFilter(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository oAuth2AuthorizedClientRepository, AuthenticationManager authenticationManager) {
        Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
        Assert.notNull(oAuth2AuthorizedClientRepository, "authorizedClientRepository cannot be null");
        Assert.notNull(authenticationManager, "authenticationManager cannot be null");
        this.clientRegistrationRepository = clientRegistrationRepository;
        this.authorizedClientRepository = oAuth2AuthorizedClientRepository;
        this.authenticationManager = authenticationManager;
    }

    /**
     * Replaces the repository that holds pending authorization requests.
     *
     * @param authorizationRequestRepository the repository to use, never {@code null}
     */
    public final void setAuthorizationRequestRepository(AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository) {
        Assert.notNull(authorizationRequestRepository, "authorizationRequestRepository cannot be null");
        this.authorizationRequestRepository = authorizationRequestRepository;
    }

    /**
     * Replaces the cache consulted for a saved request to return to after a successful exchange.
     *
     * @param requestCache the cache to use, never {@code null}
     */
    public final void setRequestCache(RequestCache requestCache) {
        Assert.notNull(requestCache, "requestCache cannot be null");
        this.requestCache = requestCache;
    }

    /**
     * Replaces the strategy used to read the current security context.
     *
     * @param securityContextHolderStrategy the strategy to use, never {@code null}
     */
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
        Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
        this.securityContextHolderStrategy = securityContextHolderStrategy;
    }

    /**
     * Handles the request as an authorization response when it matches a pending
     * authorization request; otherwise continues the filter chain.
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!matchesAuthorizationResponse(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        // A matching callback is answered with a redirect; the rest of the chain is not invoked.
        processAuthorizationResponse(httpServletRequest, httpServletResponse);
    }

    /**
     * Decides whether the request is the callback for a pending authorization request.
     *
     * <p>This is a routing check only: it compares the request URL with the stored redirect
     * URI and does not look at the values of {@code code} or {@code state}.
     *
     * @param request the incoming request
     * @return {@code true} when the parameters look like an authorization response, a
     *         pending request is stored, and scheme, user info, host, port, path and the
     *         redirect URI's own query parameters all match
     */
    private boolean matchesAuthorizationResponse(HttpServletRequest request) {
        if (!OAuth2AuthorizationResponseUtils.isAuthorizationResponse(
                OAuth2AuthorizationResponseUtils.toMultiMap(request.getParameterMap()))) {
            return false;
        }
        OAuth2AuthorizationRequest pendingRequest = this.authorizationRequestRepository.loadAuthorizationRequest(request);
        if (pendingRequest == null) {
            return false;
        }

        UriComponents requestUri = UriComponentsBuilder.fromUriString(UrlUtils.buildFullRequestUrl(request)).build();
        UriComponents redirectUri = UriComponentsBuilder.fromUriString(pendingRequest.getRedirectUri()).build();

        // Keep only the request parameters that the redirect URI also carries. The callback
        // adds parameters of its own, so the full query strings are never expected to be equal.
        var sharedParams = new LinkedHashSet<>(requestUri.getQueryParams().entrySet());
        var redirectParams = new LinkedHashSet<>(redirectUri.getQueryParams().entrySet());
        sharedParams.retainAll(redirectParams);

        if (!Objects.equals(requestUri.getScheme(), redirectUri.getScheme())) {
            return false;
        }
        if (!Objects.equals(requestUri.getUserInfo(), redirectUri.getUserInfo())) {
            return false;
        }
        if (!Objects.equals(requestUri.getHost(), redirectUri.getHost())) {
            return false;
        }
        if (requestUri.getPort() != redirectUri.getPort()) {
            return false;
        }
        if (!Objects.equals(requestUri.getPath(), redirectUri.getPath())) {
            return false;
        }
        // The string forms are compared, so the surviving parameters must also appear in the
        // same order as in the redirect URI.
        return Objects.equals(sharedParams.toString(), redirectParams.toString());
    }

    /**
     * Exchanges the authorization response for an authorized client and redirects the browser.
     *
     * <p>The stored authorization request is removed before authentication is attempted, so
     * it is consumed by this callback whether or not authentication succeeds. The result of
     * the removal is used without a null check; it relies on the repository still holding
     * the request that {@link #matchesAuthorizationResponse} loaded.
     *
     * <p>Only {@link OAuth2AuthorizationException} is handled here; any other exception
     * propagates to the caller.
     *
     * @param request the callback request
     * @param response the response used for the redirect
     * @throws IOException if sending the redirect fails
     */
    private void processAuthorizationResponse(HttpServletRequest request, HttpServletResponse response) throws IOException {
        OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestRepository.removeAuthorizationRequest(request, response);
        String registrationId = (String) authorizationRequest.getAttribute(OAuth2ParameterNames.REGISTRATION_ID);
        var clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
        var authorizationResponse = OAuth2AuthorizationResponseUtils.convert(
                OAuth2AuthorizationResponseUtils.toMultiMap(request.getParameterMap()),
                UrlUtils.buildFullRequestUrl(request));
        OAuth2AuthorizationCodeAuthenticationToken authenticationRequest = new OAuth2AuthorizationCodeAuthenticationToken(
                clientRegistration,
                new OAuth2AuthorizationExchange(authorizationRequest, authorizationResponse));
        authenticationRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
        try {
            OAuth2AuthorizationCodeAuthenticationToken authenticationResult =
                    (OAuth2AuthorizationCodeAuthenticationToken) this.authenticationManager.authenticate(authenticationRequest);

            // The authorized client is stored under whoever is authenticated in the current
            // security context, not under the token returned by the code exchange.
            Authentication currentAuthentication = this.securityContextHolderStrategy.getContext().getAuthentication();
            var grantedRegistration = authenticationResult.getClientRegistration();
            String principalName;
            if (currentAuthentication != null) {
                principalName = currentAuthentication.getName();
            } else {
                // NOTE(review): a constant from an unrelated package (midPoint) inside a Spring
                // class looks like a decompiler substitution for an inlined string literal;
                // confirm its value against the upstream source.
                principalName = AuthorizationConstants.ANONYMOUS_USER_PRINCIPAL;
            }
            OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
                    grantedRegistration,
                    principalName,
                    authenticationResult.getAccessToken(),
                    authenticationResult.getRefreshToken());
            this.authorizedClientRepository.saveAuthorizedClient(authorizedClient, currentAuthentication, request, response);

            // The redirect target is either the stored redirect URI or the URL held by the
            // RequestCache; it is never read from a parameter of the callback request.
            String targetUrl = authorizationRequest.getRedirectUri();
            SavedRequest savedRequest = this.requestCache.getRequest(request, response);
            if (savedRequest != null) {
                targetUrl = savedRequest.getRedirectUrl();
                this.requestCache.removeRequest(request, response);
            }
            this.redirectStrategy.sendRedirect(request, response, targetUrl);
        } catch (OAuth2AuthorizationException ex) {
            // Report the failure by redirecting to the stored redirect URI with the error
            // fields as query parameters; build().encode() encodes them for the URL.
            OAuth2Error error = ex.getError();
            UriComponentsBuilder errorRedirect = UriComponentsBuilder
                    .fromUriString(authorizationRequest.getRedirectUri())
                    .queryParam("error", error.getErrorCode());
            String description = error.getDescription();
            if (StringUtils.hasLength(description)) {
                errorRedirect.queryParam(OAuth2ParameterNames.ERROR_DESCRIPTION, description);
            }
            String errorUri = error.getUri();
            if (StringUtils.hasLength(errorUri)) {
                errorRedirect.queryParam(OAuth2ParameterNames.ERROR_URI, errorUri);
            }
            this.redirectStrategy.sendRedirect(request, response, errorRedirect.build().encode().toString());
        }
    }
}
