package org.springframework.security.oauth2.client.web.server;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.function.Consumer;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.3.7.jar:org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.class */
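/**
 * Resolves an {@link OAuth2AuthorizationRequest} for the authorization-code grant from an
 * incoming {@link ServerWebExchange}.
 *
 * <p>The request is matched against {@code /oauth2/authorization/{registrationId}} by default.
 * The {@code registrationId} path variable selects the {@link ClientRegistration}, and the
 * builder is populated with the client id, authorization URI, expanded redirect URI, scopes
 * and a freshly generated {@code state} value.
 *
 * <p>Security-relevant defaults applied here:
 * <ul>
 * <li>{@code state} is generated per request by {@link #DEFAULT_STATE_GENERATOR}.</li>
 * <li>A {@code nonce} is added when the registration requests the {@code openid} scope: the raw
 * value is kept as a request attribute and only its SHA-256 hash is sent to the provider.</li>
 * <li>PKCE is applied when the registration uses {@link ClientAuthenticationMethod#NONE}.</li>
 * </ul>
 * The customizer set through {@link #setAuthorizationRequestCustomizer(Consumer)} runs after
 * these defaults and can therefore replace any of them.
 */
public class DefaultServerOAuth2AuthorizationRequestResolver implements ServerOAuth2AuthorizationRequestResolver {
    /** Name of the URI template variable that carries the client registration id. */
    public static final String DEFAULT_REGISTRATION_ID_URI_VARIABLE_NAME = "registrationId";
    /** Default path pattern that triggers an authorization request. */
    public static final String DEFAULT_AUTHORIZATION_REQUEST_PATTERN = "/oauth2/authorization/{registrationId}";
    private static final char PATH_DELIMITER = '/';
    // Generates the per-request "state" value (URL-safe Base64).
    private static final StringKeyGenerator DEFAULT_STATE_GENERATOR = new Base64StringKeyGenerator(Base64.getUrlEncoder());
    // Generates the OIDC nonce (URL-safe Base64 without padding, key length 96).
    private static final StringKeyGenerator DEFAULT_SECURE_KEY_GENERATOR = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
    private static final Consumer<OAuth2AuthorizationRequest.Builder> DEFAULT_PKCE_APPLIER = OAuth2AuthorizationRequestCustomizers.withPkce();
    private final ServerWebExchangeMatcher authorizationRequestMatcher;
    private final ReactiveClientRegistrationRepository clientRegistrationRepository;
    // No-op until replaced through setAuthorizationRequestCustomizer.
    private Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer = builder -> {
    };

    /**
     * Creates a resolver that matches {@link #DEFAULT_AUTHORIZATION_REQUEST_PATTERN}.
     *
     * @param reactiveClientRegistrationRepository the repository used to look up registrations
     */
    public DefaultServerOAuth2AuthorizationRequestResolver(ReactiveClientRegistrationRepository reactiveClientRegistrationRepository) {
        this(reactiveClientRegistrationRepository, new PathPatternParserServerWebExchangeMatcher(DEFAULT_AUTHORIZATION_REQUEST_PATTERN));
    }

    /**
     * Creates a resolver with a caller-supplied request matcher.
     *
     * @param reactiveClientRegistrationRepository the repository used to look up registrations
     * @param serverWebExchangeMatcher decides which exchanges start an authorization request;
     *        {@link #resolve(ServerWebExchange)} reads the {@code registrationId} variable from
     *        its match result
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public DefaultServerOAuth2AuthorizationRequestResolver(ReactiveClientRegistrationRepository reactiveClientRegistrationRepository, ServerWebExchangeMatcher serverWebExchangeMatcher) {
        Assert.notNull(reactiveClientRegistrationRepository, "clientRegistrationRepository cannot be null");
        Assert.notNull(serverWebExchangeMatcher, "authorizationRequestMatcher cannot be null");
        this.clientRegistrationRepository = reactiveClientRegistrationRepository;
        this.authorizationRequestMatcher = serverWebExchangeMatcher;
    }

    /**
     * Resolves the authorization request for an exchange accepted by the configured matcher.
     *
     * @param serverWebExchange the current exchange
     * @return the authorization request, or an empty {@link Mono} when the matcher does not match
     */
    @Override // org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver
    public Mono<OAuth2AuthorizationRequest> resolve(ServerWebExchange serverWebExchange) {
        return this.authorizationRequestMatcher.matches(serverWebExchange)
                .filter(ServerWebExchangeMatcher.MatchResult::isMatch)
                .map(ServerWebExchangeMatcher.MatchResult::getVariables)
                // The registration id is taken from the request path, i.e. it is caller-controlled;
                // it is only used as a lookup key in the registration repository below.
                .map(variables -> variables.get(DEFAULT_REGISTRATION_ID_URI_VARIABLE_NAME))
                .cast(String.class)
                .flatMap(registrationId -> resolve(serverWebExchange, registrationId));
    }

    /**
     * Resolves the authorization request for an explicit client registration id.
     *
     * @param serverWebExchange the current exchange
     * @param str the client registration id
     * @return the authorization request; the {@link Mono} errors with a
     *         {@link ResponseStatusException} (400) when no registration has that id
     */
    @Override // org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver
    public Mono<OAuth2AuthorizationRequest> resolve(ServerWebExchange serverWebExchange, String str) {
        return findByRegistrationId(serverWebExchange, str)
                .map(clientRegistration -> authorizationRequest(serverWebExchange, clientRegistration));
    }

    /**
     * Sets a customizer that is invoked on the builder after the defaults have been applied.
     *
     * <p>Because it runs last, the customizer can overwrite {@code state}, the nonce and the PKCE
     * parameters set by this class; review customizers with that in mind.
     *
     * @param consumer the customizer, never {@code null}
     * @throws IllegalArgumentException if {@code consumer} is {@code null}
     */
    public final void setAuthorizationRequestCustomizer(Consumer<OAuth2AuthorizationRequest.Builder> consumer) {
        Assert.notNull(consumer, "authorizationRequestCustomizer cannot be null");
        this.authorizationRequestCustomizer = consumer;
    }

    /**
     * Looks up a registration and converts "not found" into a 400 response error.
     * The exchange parameter is not used by this lookup.
     */
    private Mono<ClientRegistration> findByRegistrationId(ServerWebExchange serverWebExchange, String str) {
        return this.clientRegistrationRepository.findByRegistrationId(str)
                .switchIfEmpty(Mono.error(() -> new ResponseStatusException(HttpStatus.BAD_REQUEST, "Invalid client registration id")));
    }

    /**
     * Builds the authorization request for a registration: grant-specific defaults first, then
     * the registration values and a fresh {@code state}, then the configured customizer.
     */
    private OAuth2AuthorizationRequest authorizationRequest(ServerWebExchange serverWebExchange, ClientRegistration clientRegistration) {
        OAuth2AuthorizationRequest.Builder builder = getBuilder(clientRegistration);
        builder.clientId(clientRegistration.getClientId())
                .authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
                .redirectUri(expandRedirectUri(serverWebExchange.getRequest(), clientRegistration))
                .scopes(clientRegistration.getScopes())
                .state(DEFAULT_STATE_GENERATOR.generateKey());
        this.authorizationRequestCustomizer.accept(builder);
        return builder.build();
    }

    /**
     * Creates the builder for an authorization-code request and applies nonce and PKCE defaults.
     *
     * @throws IllegalArgumentException if the registration's grant type is not authorization_code
     */
    private OAuth2AuthorizationRequest.Builder getBuilder(ClientRegistration clientRegistration) {
        if (!AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
            throw new IllegalArgumentException("Invalid Authorization Grant Type (" + clientRegistration.getAuthorizationGrantType().getValue() + ") for Client Registration with Id: " + clientRegistration.getRegistrationId());
        }
        OAuth2AuthorizationRequest.Builder builder = OAuth2AuthorizationRequest.authorizationCode()
                .attributes(attrs -> attrs.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId()));
        // OIDC requests (scope contains "openid") get a nonce.
        if (!CollectionUtils.isEmpty(clientRegistration.getScopes()) && clientRegistration.getScopes().contains(OidcScopes.OPENID)) {
            applyNonce(builder);
        }
        // Clients that do not authenticate to the provider get PKCE.
        if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
            DEFAULT_PKCE_APPLIER.accept(builder);
        }
        return builder;
    }

    /**
     * Expands the registration's redirect URI template with values taken from the current request.
     *
     * <p>Supported variables: {@code registrationId}, {@code baseScheme}, {@code baseHost},
     * {@code basePort}, {@code basePath}, {@code baseUrl} and {@code action}.
     *
     * <p>NOTE(review): every {@code base*} value comes from {@code serverHttpRequest.getURI()}.
     * Whether that scheme and host can be trusted depends on how the deployment handles the
     * Host and forwarded headers, which is not visible in this class. A redirect URI template
     * that uses these variables inherits that trust decision.
     */
    private static String expandRedirectUri(ServerHttpRequest serverHttpRequest, ClientRegistration clientRegistration) {
        HashMap<String, String> uriVariables = new HashMap<>();
        uriVariables.put(DEFAULT_REGISTRATION_ID_URI_VARIABLE_NAME, clientRegistration.getRegistrationId());
        // Reduce the request URI to scheme://host[:port]/contextPath (no query, no fragment).
        UriComponents base = UriComponentsBuilder.fromUri(serverHttpRequest.getURI())
                .replacePath(serverHttpRequest.getPath().contextPath().value())
                .replaceQuery((String) null)
                .fragment((String) null)
                .build();
        String scheme = base.getScheme();
        uriVariables.put("baseScheme", scheme != null ? scheme : "");
        String host = base.getHost();
        uriVariables.put("baseHost", host != null ? host : "");
        int port = base.getPort();
        // -1 means the URI carries no explicit port.
        uriVariables.put("basePort", port == -1 ? "" : ":" + port);
        String path = base.getPath();
        if (StringUtils.hasLength(path) && path.charAt(0) != PATH_DELIMITER) {
            path = PATH_DELIMITER + path;
        }
        uriVariables.put("basePath", path != null ? path : "");
        uriVariables.put("baseUrl", base.toUriString());
        uriVariables.put("action", AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType()) ? "login" : "");
        return UriComponentsBuilder.fromUriString(clientRegistration.getRedirectUri()).buildAndExpand(uriVariables).toUriString();
    }

    /**
     * Adds an OIDC nonce to the request: the raw value is stored under the {@code nonce}
     * attribute, and its SHA-256 hash is sent as the {@code nonce} additional parameter.
     *
     * @throws IllegalStateException if SHA-256 is unavailable. Failing here is deliberate:
     *         silently continuing would send an OIDC request with no nonce at all.
     */
    private static void applyNonce(OAuth2AuthorizationRequest.Builder builder) {
        final String nonce = DEFAULT_SECURE_KEY_GENERATOR.generateKey();
        final String nonceHash;
        try {
            nonceHash = createHash(nonce);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException("SHA-256 is not available; cannot create the nonce hash", ex);
        }
        builder.attributes(attrs -> attrs.put("nonce", nonce));
        builder.additionalParameters(params -> params.put("nonce", nonceHash));
    }

    /**
     * Returns the unpadded URL-safe Base64 encoding of the SHA-256 digest of {@code str}.
     * The input is encoded as US-ASCII before hashing.
     */
    private static String createHash(String str) throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] digest = sha256.digest(str.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }
}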
