package org.springframework.security.oauth2.client.web.server;

import java.util.function.Function;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.server.WebFilterExchange;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authentication.ServerAuthenticationFailureHandler;
import org.springframework.security.web.server.authentication.ServerAuthenticationSuccessHandler;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import org.springframework.web.util.UriComponentsBuilder;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-5.2.2.RELEASE.jar:org/springframework/security/oauth2/client/web/server/OAuth2AuthorizationCodeGrantWebFilter.class */
public class OAuth2AuthorizationCodeGrantWebFilter implements WebFilter {
    private final ReactiveAuthenticationManager authenticationManager;
    private final ServerOAuth2AuthorizedClientRepository authorizedClientRepository;
    private ServerAuthenticationSuccessHandler authenticationSuccessHandler;
    private ServerAuthenticationConverter authenticationConverter;
    private boolean defaultAuthenticationConverter;
    private ServerAuthenticationFailureHandler authenticationFailureHandler;
    private ServerWebExchangeMatcher requiresAuthenticationMatcher;
    private ServerAuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository = new WebSessionOAuth2ServerAuthorizationRequestRepository();
    private AnonymousAuthenticationToken anonymousToken = new AnonymousAuthenticationToken("key", "anonymous", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

    public OAuth2AuthorizationCodeGrantWebFilter(ReactiveAuthenticationManager reactiveAuthenticationManager, ReactiveClientRegistrationRepository reactiveClientRegistrationRepository, ServerOAuth2AuthorizedClientRepository serverOAuth2AuthorizedClientRepository) {
        Assert.notNull(reactiveAuthenticationManager, "authenticationManager cannot be null");
        Assert.notNull(reactiveClientRegistrationRepository, "clientRegistrationRepository cannot be null");
        Assert.notNull(serverOAuth2AuthorizedClientRepository, "authorizedClientRepository cannot be null");
        this.authenticationManager = reactiveAuthenticationManager;
        this.authorizedClientRepository = serverOAuth2AuthorizedClientRepository;
        this.requiresAuthenticationMatcher = this::matchesAuthorizationResponse;
        ServerOAuth2AuthorizationCodeAuthenticationTokenConverter serverOAuth2AuthorizationCodeAuthenticationTokenConverter = new ServerOAuth2AuthorizationCodeAuthenticationTokenConverter(reactiveClientRegistrationRepository);
        serverOAuth2AuthorizationCodeAuthenticationTokenConverter.setAuthorizationRequestRepository(this.authorizationRequestRepository);
        this.authenticationConverter = serverOAuth2AuthorizationCodeAuthenticationTokenConverter;
        this.defaultAuthenticationConverter = true;
        this.authenticationSuccessHandler = new RedirectServerAuthenticationSuccessHandler();
        this.authenticationFailureHandler = (webFilterExchange, authenticationException) -> {
            return Mono.error(authenticationException);
        };
    }

    public OAuth2AuthorizationCodeGrantWebFilter(ReactiveAuthenticationManager reactiveAuthenticationManager, ServerAuthenticationConverter serverAuthenticationConverter, ServerOAuth2AuthorizedClientRepository serverOAuth2AuthorizedClientRepository) {
        Assert.notNull(reactiveAuthenticationManager, "authenticationManager cannot be null");
        Assert.notNull(serverAuthenticationConverter, "authenticationConverter cannot be null");
        Assert.notNull(serverOAuth2AuthorizedClientRepository, "authorizedClientRepository cannot be null");
        this.authenticationManager = reactiveAuthenticationManager;
        this.authorizedClientRepository = serverOAuth2AuthorizedClientRepository;
        this.requiresAuthenticationMatcher = this::matchesAuthorizationResponse;
        this.authenticationConverter = serverAuthenticationConverter;
        this.authenticationSuccessHandler = new RedirectServerAuthenticationSuccessHandler();
        this.authenticationFailureHandler = (webFilterExchange, authenticationException) -> {
            return Mono.error(authenticationException);
        };
    }

    public final void setAuthorizationRequestRepository(ServerAuthorizationRequestRepository<OAuth2AuthorizationRequest> serverAuthorizationRequestRepository) {
        Assert.notNull(serverAuthorizationRequestRepository, "authorizationRequestRepository cannot be null");
        this.authorizationRequestRepository = serverAuthorizationRequestRepository;
        updateDefaultAuthenticationConverter();
    }

    private void updateDefaultAuthenticationConverter() {
        if (this.defaultAuthenticationConverter) {
            ((ServerOAuth2AuthorizationCodeAuthenticationTokenConverter) this.authenticationConverter).setAuthorizationRequestRepository(this.authorizationRequestRepository);
        }
    }

    @Override // org.springframework.web.server.WebFilter
    public Mono<Void> filter(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain) {
        return this.requiresAuthenticationMatcher.matches(serverWebExchange).filter(matchResult -> {
            return matchResult.isMatch();
        }).flatMap(matchResult2 -> {
            return this.authenticationConverter.convert(serverWebExchange);
        }).switchIfEmpty(webFilterChain.filter(serverWebExchange).then(Mono.empty())).flatMap(authentication -> {
            return authenticate(serverWebExchange, webFilterChain, authentication);
        });
    }

    private Mono<Void> authenticate(ServerWebExchange serverWebExchange, WebFilterChain webFilterChain, Authentication authentication) {
        WebFilterExchange webFilterExchange = new WebFilterExchange(serverWebExchange, webFilterChain);
        return this.authenticationManager.authenticate(authentication).switchIfEmpty(Mono.defer(() -> {
            return Mono.error(new IllegalStateException("No provider found for " + authentication.getClass()));
        })).flatMap(authentication2 -> {
            return onAuthenticationSuccess(authentication2, webFilterExchange);
        }).onErrorResume(AuthenticationException.class, (Function<? super E, ? extends Mono<? extends R>>) authenticationException -> {
            return this.authenticationFailureHandler.onAuthenticationFailure(webFilterExchange, authenticationException);
        });
    }

    private Mono<Void> onAuthenticationSuccess(Authentication authentication, WebFilterExchange webFilterExchange) {
        OAuth2AuthorizationCodeAuthenticationToken oAuth2AuthorizationCodeAuthenticationToken = (OAuth2AuthorizationCodeAuthenticationToken) authentication;
        OAuth2AuthorizedClient oAuth2AuthorizedClient = new OAuth2AuthorizedClient(oAuth2AuthorizationCodeAuthenticationToken.getClientRegistration(), oAuth2AuthorizationCodeAuthenticationToken.getName(), oAuth2AuthorizationCodeAuthenticationToken.getAccessToken(), oAuth2AuthorizationCodeAuthenticationToken.getRefreshToken());
        return this.authenticationSuccessHandler.onAuthenticationSuccess(webFilterExchange, authentication).then(ReactiveSecurityContextHolder.getContext().map((v0) -> {
            return v0.getAuthentication();
        }).defaultIfEmpty(this.anonymousToken).flatMap(authentication2 -> {
            return this.authorizedClientRepository.saveAuthorizedClient(oAuth2AuthorizedClient, authentication2, webFilterExchange.getExchange());
        }));
    }

    private Mono<ServerWebExchangeMatcher.MatchResult> matchesAuthorizationResponse(ServerWebExchange serverWebExchange) {
        return this.authorizationRequestRepository.loadAuthorizationRequest(serverWebExchange).flatMap(oAuth2AuthorizationRequest -> {
            return (UriComponentsBuilder.fromUri(serverWebExchange.getRequest().getURI()).query((String) null).build().toUriString().equals(oAuth2AuthorizationRequest.getRedirectUri()) && OAuth2AuthorizationResponseUtils.isAuthorizationResponse(serverWebExchange.getRequest().getQueryParams())) ? ServerWebExchangeMatcher.MatchResult.match() : ServerWebExchangeMatcher.MatchResult.notMatch();
        }).filter((v0) -> {
            return v0.isMatch();
        }).switchIfEmpty(ServerWebExchangeMatcher.MatchResult.notMatch());
    }
}
