package org.springframework.security.oauth2.server.authorization.web;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Set;
import org.springframework.core.log.LogMessage;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2DeviceAuthorizationConsentAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientMetadataClaimNames;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2DeviceAuthorizationConsentAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2DeviceVerificationAuthenticationConverter;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.DelegatingAuthenticationConverter;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.util.RedirectUrlBuilder;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.class */
public final class OAuth2DeviceVerificationEndpointFilter extends OncePerRequestFilter {
    static final String DEFAULT_DEVICE_VERIFICATION_ENDPOINT_URI = "/oauth2/device_verification";
    private final AuthenticationManager authenticationManager;
    private final RequestMatcher deviceVerificationEndpointMatcher;
    private final RedirectStrategy redirectStrategy;
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;
    private AuthenticationConverter authenticationConverter;
    private AuthenticationSuccessHandler authenticationSuccessHandler;
    private AuthenticationFailureHandler authenticationFailureHandler;
    private String consentPage;

    public OAuth2DeviceVerificationEndpointFilter(AuthenticationManager authenticationManager) {
        this(authenticationManager, DEFAULT_DEVICE_VERIFICATION_ENDPOINT_URI);
    }

    public OAuth2DeviceVerificationEndpointFilter(AuthenticationManager authenticationManager, String str) {
        this.redirectStrategy = new DefaultRedirectStrategy();
        this.authenticationDetailsSource = new WebAuthenticationDetailsSource();
        this.authenticationSuccessHandler = new SimpleUrlAuthenticationSuccessHandler("/?success");
        this.authenticationFailureHandler = this::sendErrorResponse;
        Assert.notNull(authenticationManager, "authenticationManager cannot be null");
        Assert.hasText(str, "deviceVerificationEndpointUri cannot be empty");
        this.authenticationManager = authenticationManager;
        this.deviceVerificationEndpointMatcher = createDefaultRequestMatcher(str);
        this.authenticationConverter = new DelegatingAuthenticationConverter(Arrays.asList(new OAuth2DeviceVerificationAuthenticationConverter(), new OAuth2DeviceAuthorizationConsentAuthenticationConverter()));
    }

    private RequestMatcher createDefaultRequestMatcher(String str) {
        return new AndRequestMatcher(new RequestMatcher[]{new OrRequestMatcher(new RequestMatcher[]{new AntPathRequestMatcher(str, HttpMethod.GET.name()), new AntPathRequestMatcher(str, HttpMethod.POST.name())}), httpServletRequest -> {
            return httpServletRequest.getParameter("user_code") != null;
        }});
    }

    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!this.deviceVerificationEndpointMatcher.matches(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        try {
            AbstractAuthenticationToken convert = this.authenticationConverter.convert(httpServletRequest);
            if (convert instanceof AbstractAuthenticationToken) {
                convert.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
            }
            Authentication authenticate = this.authenticationManager.authenticate(convert);
            if (!authenticate.isAuthenticated()) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
            } else {
                if (!(authenticate instanceof OAuth2DeviceAuthorizationConsentAuthenticationToken)) {
                    this.authenticationSuccessHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse, authenticate);
                    return;
                }
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("Device authorization consent is required");
                }
                sendAuthorizationConsent(httpServletRequest, httpServletResponse, authenticate);
            }
        } catch (OAuth2AuthenticationException e) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(LogMessage.format("Device verification request failed: %s", e.getError()), e);
            }
            this.authenticationFailureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, e);
        }
    }

    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource cannot be null");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    public void setAuthenticationConverter(AuthenticationConverter authenticationConverter) {
        Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
        this.authenticationConverter = authenticationConverter;
    }

    public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
        Assert.notNull(authenticationSuccessHandler, "authenticationSuccessHandler cannot be null");
        this.authenticationSuccessHandler = authenticationSuccessHandler;
    }

    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        Assert.notNull(authenticationFailureHandler, "authenticationFailureHandler cannot be null");
        this.authenticationFailureHandler = authenticationFailureHandler;
    }

    public void setConsentPage(String str) {
        this.consentPage = str;
    }

    private void sendAuthorizationConsent(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException {
        OAuth2DeviceAuthorizationConsentAuthenticationToken oAuth2DeviceAuthorizationConsentAuthenticationToken = (OAuth2DeviceAuthorizationConsentAuthenticationToken) authentication;
        String clientId = oAuth2DeviceAuthorizationConsentAuthenticationToken.getClientId();
        Authentication authentication2 = (Authentication) oAuth2DeviceAuthorizationConsentAuthenticationToken.getPrincipal();
        Set<String> requestedScopes = oAuth2DeviceAuthorizationConsentAuthenticationToken.getRequestedScopes();
        Set<String> scopes = oAuth2DeviceAuthorizationConsentAuthenticationToken.getScopes();
        String state = oAuth2DeviceAuthorizationConsentAuthenticationToken.getState();
        String userCode = oAuth2DeviceAuthorizationConsentAuthenticationToken.getUserCode();
        if (hasConsentUri()) {
            this.redirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, UriComponentsBuilder.fromUriString(resolveConsentUri(httpServletRequest)).queryParam(OidcClientMetadataClaimNames.SCOPE, new Object[]{String.join(" ", requestedScopes)}).queryParam(OidcClientMetadataClaimNames.CLIENT_ID, new Object[]{clientId}).queryParam("state", new Object[]{state}).queryParam("user_code", new Object[]{userCode}).toUriString());
            return;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Displaying generated consent screen");
        }
        HashMap hashMap = new HashMap();
        hashMap.put("user_code", userCode);
        DefaultConsentPage.displayConsent(httpServletRequest, httpServletResponse, clientId, authentication2, requestedScopes, scopes, state, hashMap);
    }

    private boolean hasConsentUri() {
        return StringUtils.hasText(this.consentPage);
    }

    private String resolveConsentUri(HttpServletRequest httpServletRequest) {
        if (UrlUtils.isAbsoluteUrl(this.consentPage)) {
            return this.consentPage;
        }
        RedirectUrlBuilder redirectUrlBuilder = new RedirectUrlBuilder();
        redirectUrlBuilder.setScheme(httpServletRequest.getScheme());
        redirectUrlBuilder.setServerName(httpServletRequest.getServerName());
        redirectUrlBuilder.setPort(httpServletRequest.getServerPort());
        redirectUrlBuilder.setContextPath(httpServletRequest.getContextPath());
        redirectUrlBuilder.setPathInfo(this.consentPage);
        return redirectUrlBuilder.getUrl();
    }

    private void sendErrorResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        httpServletResponse.sendError(HttpStatus.BAD_REQUEST.value(), ((OAuth2AuthenticationException) authenticationException).getError().toString());
    }
}
