package org.springframework.security.config.annotation.web.configurers.oauth2.server.resource;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.activemq.artemis.api.config.ActiveMQDefaultConfiguration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationToken;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.AuthenticationEntryPointFailureHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationFilter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/* loaded from: input_file:BOOT-INF/lib/spring-security-config-6.5.1.jar:org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/DPoPAuthenticationConfigurer.class */
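/**
 * Wires DPoP-bound access token authentication (RFC 9449) into an {@link HttpSecurityBuilder}.
 *
 * <p>{@link #configure} registers a {@link DPoPAuthenticationProvider} and adds an
 * {@link AuthenticationFilter} that only handles requests whose {@code Authorization} header
 * starts with the {@code DPoP} scheme. Each collaborator (matcher, converter, success and
 * failure handler) falls back to the nested default defined below when its field is unset.
 *
 * <p>This listing is decompiler output of spring-security-config-6.5.1. The nested classes were
 * {@code private} in the compiled class and were widened to {@code public} by the decompiler.
 */
final class DPoPAuthenticationConfigurer<B extends HttpSecurityBuilder<B>> extends AbstractHttpConfigurer<DPoPAuthenticationConfigurer<B>, B> {
    private RequestMatcher requestMatcher;
    private AuthenticationConverter authenticationConverter;
    private AuthenticationSuccessHandler authenticationSuccessHandler;
    private AuthenticationFailureHandler authenticationFailureHandler;

    /**
     * Extracts the DPoP access token and the DPoP proof from a request and packages them,
     * together with the HTTP method and request URL, into a {@link DPoPAuthenticationToken}.
     */
    public static final class DPoPAuthenticationConverter implements AuthenticationConverter {
        // Scheme match is case-insensitive; the token itself is limited to the token68
        // alphabet followed by optional '=' padding, so whitespace or a second
        // credential cannot ride along in the same header value.
        private static final Pattern AUTHORIZATION_PATTERN = Pattern.compile("^DPoP (?<token>[a-zA-Z0-9-._~+/]+=*)$", Pattern.CASE_INSENSITIVE);

        private DPoPAuthenticationConverter() {
        }

        /**
         * Converts the request into an unauthenticated DPoP token.
         *
         * @param httpServletRequest the incoming request
         * @return the token, or {@code null} when there is no {@code Authorization} header or
         * its value does not start with the DPoP scheme
         * @throws OAuth2AuthenticationException with {@code invalid_request} when more than one
         * {@code Authorization} header is present or the {@code DPoP} proof header is absent or
         * repeated, and with {@code invalid_token} when the access token is malformed
         */
        @Override // org.springframework.security.web.authentication.AuthenticationConverter
        public Authentication convert(HttpServletRequest httpServletRequest) {
            ArrayList<String> authorizationHeaders = Collections.list(httpServletRequest.getHeaders("Authorization"));
            if (CollectionUtils.isEmpty(authorizationHeaders)) {
                return null;
            }
            // Reject duplicates outright rather than picking one: with several credentials
            // in play it would be ambiguous which of them was actually evaluated.
            if (authorizationHeaders.size() != 1) {
                throw new OAuth2AuthenticationException(new OAuth2Error("invalid_request", "Found multiple Authorization headers.", null));
            }
            String authorization = authorizationHeaders.get(0);
            if (!StringUtils.startsWithIgnoreCase(authorization, OAuth2AccessToken.TokenType.DPOP.getValue())) {
                return null;
            }
            Matcher matcher = AUTHORIZATION_PATTERN.matcher(authorization);
            if (!matcher.matches()) {
                throw new OAuth2AuthenticationException(new OAuth2Error("invalid_token", "DPoP access token is malformed.", null));
            }
            String accessToken = matcher.group("token");
            // Exactly one proof header is required; zero or several are treated alike.
            ArrayList<String> proofHeaders = Collections.list(httpServletRequest.getHeaders(OAuth2AccessToken.TokenType.DPOP.getValue()));
            if (proofHeaders.size() != 1) {
                throw new OAuth2AuthenticationException(new OAuth2Error("invalid_request", "DPoP proof is missing or invalid.", null));
            }
            // NOTE(review): the method and URL are presumably compared with the proof's
            // htm/htu claims downstream — confirm in DPoPAuthenticationProvider. getRequestURL()
            // reflects scheme/host/port as the container sees them, so behind a TLS-terminating
            // or rewriting proxy forwarded-header handling has to be in place or valid proofs
            // will not match.
            String method = httpServletRequest.getMethod();
            String resourceUri = httpServletRequest.getRequestURL().toString();
            return new DPoPAuthenticationToken(accessToken, proofHeaders.get(0), method, resourceUri);
        }
    }

    /**
     * Answers a failed DPoP authentication with {@code 401} and a {@code WWW-Authenticate: DPoP}
     * challenge that carries the OAuth 2.0 error details and the accepted proof algorithms.
     */
    public static final class DPoPAuthenticationEntryPoint implements AuthenticationEntryPoint {
        private DPoPAuthenticationEntryPoint() {
        }

        /**
         * Writes the challenge header and status; no response body is produced.
         *
         * @param httpServletRequest the request that failed authentication (unused)
         * @param httpServletResponse the response to write the challenge to
         * @param authenticationException the failure; error parameters are only emitted when it
         * is an {@link OAuth2AuthenticationException}
         */
        @Override // org.springframework.security.web.AuthenticationEntryPoint
        public void commence(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) {
            Map<String, String> parameters = new LinkedHashMap<>();
            if (authenticationException instanceof OAuth2AuthenticationException) {
                OAuth2Error error = ((OAuth2AuthenticationException) authenticationException).getError();
                parameters.put("error", error.getErrorCode());
                if (StringUtils.hasText(error.getDescription())) {
                    parameters.put(OAuth2ParameterNames.ERROR_DESCRIPTION, error.getDescription());
                }
                if (StringUtils.hasText(error.getUri())) {
                    parameters.put(OAuth2ParameterNames.ERROR_URI, error.getUri());
                }
            }
            // Only asymmetric JWS algorithms are advertised for the proof signature.
            parameters.put("algs", "RS256 RS384 RS512 PS256 PS384 PS512 ES256 ES384 ES512");
            httpServletResponse.addHeader("WWW-Authenticate", toWWWAuthenticateHeader(parameters));
            httpServletResponse.setStatus(HttpStatus.UNAUTHORIZED.value());
        }

        /**
         * Renders {@code DPoP key="value", key="value"} in the map's iteration order.
         *
         * @param map challenge parameters; may be empty, in which case only the scheme is returned
         * @return the header value
         */
        private static String toWWWAuthenticateHeader(Map<String, String> map) {
            StringBuilder header = new StringBuilder();
            header.append(OAuth2AccessToken.TokenType.DPOP.getValue());
            if (!map.isEmpty()) {
                header.append(" ");
                boolean first = true;
                for (Map.Entry<String, String> entry : map.entrySet()) {
                    if (!first) {
                        header.append(", ");
                    }
                    first = false;
                    // The closing quote was rendered by the decompiler as an unrelated
                    // ActiveMQ constant with the same value; a plain literal removes the
                    // dependency on a class this configurer has nothing to do with.
                    // NOTE(review): values are written verbatim. A description or URI that
                    // contains '"' or '\' would yield a malformed quoted-string — confirm
                    // every producer of OAuth2Error keeps those characters out.
                    header.append(entry.getKey()).append("=\"").append(entry.getValue()).append("\"");
                }
            }
            return header.toString();
        }
    }

    /**
     * Selects requests whose {@code Authorization} header starts with the DPoP scheme.
     */
    public static final class DPoPRequestMatcher implements RequestMatcher {
        private DPoPRequestMatcher() {
        }

        /**
         * @param httpServletRequest the incoming request
         * @return {@code true} when the header returned by {@code getHeader("Authorization")}
         * has text and starts, ignoring case, with the DPoP scheme name
         */
        @Override // org.springframework.security.web.util.matcher.RequestMatcher
        public boolean matches(HttpServletRequest httpServletRequest) {
            // getHeader() yields a single value, so only that one decides the match; the
            // duplicate-header rejection lives in the converter, which runs after this.
            String authorization = httpServletRequest.getHeader("Authorization");
            return StringUtils.hasText(authorization)
                    && StringUtils.startsWithIgnoreCase(authorization, OAuth2AccessToken.TokenType.DPOP.getValue());
        }
    }

    /**
     * Registers the DPoP provider and adds the DPoP authentication filter to the builder.
     *
     * @param b the security builder being configured
     */
    @Override // org.springframework.security.config.annotation.SecurityConfigurerAdapter, org.springframework.security.config.annotation.SecurityConfigurer
    public void configure(B b) {
        AuthenticationManager authenticationManager = (AuthenticationManager) b.getSharedObject(AuthenticationManager.class);
        // The provider delegates to the manager that authenticates the access token itself.
        b.authenticationProvider(new DPoPAuthenticationProvider(getTokenAuthenticationManager(b)));
        AuthenticationFilter dPoPFilter = new AuthenticationFilter(authenticationManager, getAuthenticationConverter());
        dPoPFilter.setRequestMatcher(getRequestMatcher());
        dPoPFilter.setSuccessHandler(getAuthenticationSuccessHandler());
        dPoPFilter.setFailureHandler(getAuthenticationFailureHandler());
        // Request-attribute storage keeps the resulting security context scoped to this
        // request instead of an HTTP session.
        dPoPFilter.setSecurityContextRepository(new RequestAttributeSecurityContextRepository());
        b.addFilter((AuthenticationFilter) postProcess(dPoPFilter));
    }

    /**
     * Resolves the manager used to authenticate the access token, taken from the
     * {@link OAuth2ResourceServerConfigurer} registered on the same builder.
     *
     * @param b the security builder being configured
     * @return the configurer's manager, or, when a resolver is configured, a manager that
     * resolves per request at authentication time
     */
    private AuthenticationManager getTokenAuthenticationManager(B b) {
        // NOTE(review): not null-checked — this assumes the resource server configurer has
        // been applied to the builder; confirm against the caller.
        OAuth2ResourceServerConfigurer resourceServerConfigurer = (OAuth2ResourceServerConfigurer) b.getConfigurer(OAuth2ResourceServerConfigurer.class);
        AuthenticationManagerResolver<HttpServletRequest> resolver = resourceServerConfigurer.getAuthenticationManagerResolver();
        if (resolver == null) {
            return resourceServerConfigurer.getAuthenticationManager(b);
        }
        return authentication -> {
            // The current request is looked up from the thread-bound holder; the cast and
            // dereference fail if no servlet request is bound to the calling thread.
            HttpServletRequest currentRequest = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
            return resolver.resolve(currentRequest).authenticate(authentication);
        };
    }

    /** Returns the configured matcher, creating the default {@link DPoPRequestMatcher} on first use. */
    private RequestMatcher getRequestMatcher() {
        if (this.requestMatcher == null) {
            this.requestMatcher = new DPoPRequestMatcher();
        }
        return this.requestMatcher;
    }

    /** Returns the configured converter, creating the default {@link DPoPAuthenticationConverter} on first use. */
    private AuthenticationConverter getAuthenticationConverter() {
        if (this.authenticationConverter == null) {
            this.authenticationConverter = new DPoPAuthenticationConverter();
        }
        return this.authenticationConverter;
    }

    /** Returns the configured success handler; the default does nothing of its own. */
    private AuthenticationSuccessHandler getAuthenticationSuccessHandler() {
        if (this.authenticationSuccessHandler == null) {
            // Deliberately empty: a successful token check should not redirect or write
            // a response.
            this.authenticationSuccessHandler = (request, response, authentication) -> {
            };
        }
        return this.authenticationSuccessHandler;
    }

    /** Returns the configured failure handler; the default issues the DPoP challenge. */
    private AuthenticationFailureHandler getAuthenticationFailureHandler() {
        if (this.authenticationFailureHandler == null) {
            this.authenticationFailureHandler = new AuthenticationEntryPointFailureHandler(new DPoPAuthenticationEntryPoint());
        }
        return this.authenticationFailureHandler;
    }
}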
