package org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization;

import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenIntrospectionAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenRevocationAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.oidc.web.OidcClientRegistrationEndpointFilter;
import org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationServerMetadataEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

/* loaded from: input_file:org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationServerConfigurer.class */
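/**
 * Configurer that wires the OAuth 2.0 / OpenID Connect authorization-server
 * endpoints into an {@link HttpSecurityBuilder}.
 *
 * <p>{@link #init} registers the authentication providers and the 401 entry point;
 * {@link #configure} adds the endpoint filters to the chain. The relative order of the
 * {@code addFilterBefore}/{@code addFilterAfter} calls is significant and must be kept.
 *
 * @param <B> the builder type this configurer is applied to
 */
public final class OAuth2AuthorizationServerConfigurer<B extends HttpSecurityBuilder<B>> extends AbstractHttpConfigurer<OAuth2AuthorizationServerConfigurer<B>, B> {
    // Endpoint matchers are assigned in initEndpointMatchers(), i.e. only once init() has run.
    private RequestMatcher tokenIntrospectionEndpointMatcher;
    private RequestMatcher tokenRevocationEndpointMatcher;
    private RequestMatcher jwkSetEndpointMatcher;
    private RequestMatcher oidcProviderConfigurationEndpointMatcher;
    private RequestMatcher authorizationServerMetadataEndpointMatcher;
    private RequestMatcher oidcClientRegistrationEndpointMatcher;
    private final Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer> configurers = createConfigurers();

    // Matches any request aimed at one of the endpoints handled by this configurer.
    // It dereferences the matcher fields above, so evaluating it before init() fails
    // with a NullPointerException.
    private final RequestMatcher endpointsMatcher = request ->
            getRequestMatcher(OAuth2AuthorizationEndpointConfigurer.class).matches(request)
                    || getRequestMatcher(OAuth2TokenEndpointConfigurer.class).matches(request)
                    || this.tokenIntrospectionEndpointMatcher.matches(request)
                    || this.tokenRevocationEndpointMatcher.matches(request)
                    || this.jwkSetEndpointMatcher.matches(request)
                    || this.oidcProviderConfigurationEndpointMatcher.matches(request)
                    || this.authorizationServerMetadataEndpointMatcher.matches(request)
                    || this.oidcClientRegistrationEndpointMatcher.matches(request);

    /**
     * Sets the repository of registered clients as a shared object on the builder.
     *
     * @param registeredClientRepository the repository, must not be {@code null}
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer<B> registeredClientRepository(RegisteredClientRepository registeredClientRepository) {
        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
        getBuilder().setSharedObject(RegisteredClientRepository.class, registeredClientRepository);
        return this;
    }

    /**
     * Sets the authorization service as a shared object on the builder.
     *
     * @param oAuth2AuthorizationService the service, must not be {@code null}
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer<B> authorizationService(OAuth2AuthorizationService oAuth2AuthorizationService) {
        Assert.notNull(oAuth2AuthorizationService, "authorizationService cannot be null");
        getBuilder().setSharedObject(OAuth2AuthorizationService.class, oAuth2AuthorizationService);
        return this;
    }

    /**
     * Sets the authorization consent service as a shared object on the builder.
     *
     * @param oAuth2AuthorizationConsentService the service, must not be {@code null}
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer<B> authorizationConsentService(OAuth2AuthorizationConsentService oAuth2AuthorizationConsentService) {
        Assert.notNull(oAuth2AuthorizationConsentService, "authorizationConsentService cannot be null");
        getBuilder().setSharedObject(OAuth2AuthorizationConsentService.class, oAuth2AuthorizationConsentService);
        return this;
    }

    /**
     * Sets the provider settings (issuer and endpoint paths) as a shared object on the builder.
     *
     * @param providerSettings the settings, must not be {@code null}
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer<B> providerSettings(ProviderSettings providerSettings) {
        Assert.notNull(providerSettings, "providerSettings cannot be null");
        getBuilder().setSharedObject(ProviderSettings.class, providerSettings);
        return this;
    }

    /**
     * Applies a customizer to the authorization endpoint configurer.
     *
     * @param customizer callback that receives the authorization endpoint configurer
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer<B> authorizationEndpoint(Customizer<OAuth2AuthorizationEndpointConfigurer> customizer) {
        customizer.customize(getConfigurer(OAuth2AuthorizationEndpointConfigurer.class));
        return this;
    }

    /**
     * Applies a customizer to the token endpoint configurer.
     *
     * @param customizer callback that receives the token endpoint configurer
     * @return this configurer, for chaining
     */
    public OAuth2AuthorizationServerConfigurer<B> tokenEndpoint(Customizer<OAuth2TokenEndpointConfigurer> customizer) {
        customizer.customize(getConfigurer(OAuth2TokenEndpointConfigurer.class));
        return this;
    }

    /**
     * Returns the matcher covering every endpoint path known to this configurer.
     *
     * <p>The two discovery paths are part of this matcher whether or not an issuer is
     * configured, while {@link #configure} registers their filters only when the issuer is
     * set. Callers that use this matcher to scope other rules (for example request
     * authorization or CSRF exemptions) should take that difference into account.
     *
     * @return the combined endpoint matcher; usable only after {@link #init} has run
     */
    public RequestMatcher getEndpointsMatcher() {
        return this.endpointsMatcher;
    }

    /**
     * Validates the provider settings, builds the endpoint matchers, initializes the
     * nested endpoint configurers and registers the authentication providers.
     *
     * @param b the builder being configured
     * @throws IllegalArgumentException if the configured issuer is not acceptable
     */
    public void init(B b) {
        ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(b);
        validateProviderSettings(providerSettings);
        initEndpointMatchers(providerSettings);
        this.configurers.values().forEach(endpointConfigurer -> endpointConfigurer.init(b));

        OAuth2ClientAuthenticationProvider clientAuthenticationProvider = new OAuth2ClientAuthenticationProvider(
                OAuth2ConfigurerUtils.getRegisteredClientRepository(b),
                OAuth2ConfigurerUtils.getAuthorizationService(b));
        // A PasswordEncoder bean is optional; without one the provider keeps whatever
        // encoder it was constructed with.
        // NOTE(review): confirm that default compares client secrets through an adaptive
        // hash rather than as plain text.
        PasswordEncoder passwordEncoder = (PasswordEncoder) OAuth2ConfigurerUtils.getOptionalBean(b, PasswordEncoder.class);
        if (passwordEncoder != null) {
            clientAuthenticationProvider.setPasswordEncoder(passwordEncoder);
        }
        b.authenticationProvider((AuthenticationProvider) postProcess(clientAuthenticationProvider));
        b.authenticationProvider((AuthenticationProvider) postProcess(new OAuth2TokenIntrospectionAuthenticationProvider(
                OAuth2ConfigurerUtils.getRegisteredClientRepository(b),
                OAuth2ConfigurerUtils.getAuthorizationService(b))));
        b.authenticationProvider((AuthenticationProvider) postProcess(new OAuth2TokenRevocationAuthenticationProvider(
                OAuth2ConfigurerUtils.getAuthorizationService(b))));
        b.authenticationProvider((AuthenticationProvider) postProcess(new OidcClientRegistrationAuthenticationProvider(
                OAuth2ConfigurerUtils.getRegisteredClientRepository(b),
                OAuth2ConfigurerUtils.getAuthorizationService(b))));

        // Unauthenticated calls to the client-authenticated endpoints get a bare 401.
        ExceptionHandlingConfigurer exceptionHandling = b.getConfigurer(ExceptionHandlingConfigurer.class);
        if (exceptionHandling != null) {
            exceptionHandling.defaultAuthenticationEntryPointFor(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED), clientAuthenticatedEndpointsMatcher());
        }
    }

    /**
     * Configures the nested endpoint configurers and adds the endpoint filters to the chain.
     *
     * @param b the builder being configured
     */
    public void configure(B b) {
        this.configurers.values().forEach(endpointConfigurer -> endpointConfigurer.configure(b));
        ProviderSettings providerSettings = OAuth2ConfigurerUtils.getProviderSettings(b);

        // The discovery documents are only served when an issuer is configured.
        if (providerSettings.issuer() != null) {
            b.addFilterBefore((Filter) postProcess(new OidcProviderConfigurationEndpointFilter(providerSettings)), AbstractPreAuthenticatedProcessingFilter.class);
            b.addFilterBefore((Filter) postProcess(new OAuth2AuthorizationServerMetadataEndpointFilter(providerSettings)), AbstractPreAuthenticatedProcessingFilter.class);
        }

        // The JWK set filter sits ahead of the client authentication filter added below.
        // NOTE(review): confirm the JWK source/filter exposes public key material only.
        b.addFilterBefore((Filter) postProcess(new NimbusJwkSetEndpointFilter(OAuth2ConfigurerUtils.getJwkSource(b), providerSettings.jwkSetEndpoint())), AbstractPreAuthenticatedProcessingFilter.class);

        AuthenticationManager authenticationManager = (AuthenticationManager) b.getSharedObject(AuthenticationManager.class);

        // Client authentication applies to the token, introspection and revocation endpoints.
        b.addFilterAfter((Filter) postProcess(new OAuth2ClientAuthenticationFilter(authenticationManager, clientAuthenticatedEndpointsMatcher())), AbstractPreAuthenticatedProcessingFilter.class);

        // Each of the next filters is positioned relative to the one added just before it,
        // so these three calls must stay in this order.
        b.addFilterAfter((Filter) postProcess(new OAuth2TokenIntrospectionEndpointFilter(authenticationManager, providerSettings.tokenIntrospectionEndpoint())), FilterSecurityInterceptor.class);
        b.addFilterAfter((Filter) postProcess(new OAuth2TokenRevocationEndpointFilter(authenticationManager, providerSettings.tokenRevocationEndpoint())), OAuth2TokenIntrospectionEndpointFilter.class);
        // The client registration endpoint is not part of the client authentication matcher.
        // NOTE(review): its caller authentication has to come from elsewhere in the chain;
        // confirm the application configures it.
        b.addFilterAfter((Filter) postProcess(new OidcClientRegistrationEndpointFilter(authenticationManager, providerSettings.oidcClientRegistrationEndpoint())), OAuth2TokenRevocationEndpointFilter.class);
    }

    /**
     * Creates the nested endpoint configurers, keyed by their class, in insertion order.
     */
    private Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer> createConfigurers() {
        Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer> created = new LinkedHashMap<>();
        created.put(OAuth2AuthorizationEndpointConfigurer.class, new OAuth2AuthorizationEndpointConfigurer(this::postProcess));
        created.put(OAuth2TokenEndpointConfigurer.class, new OAuth2TokenEndpointConfigurer(this::postProcess));
        return created;
    }

    /**
     * Looks up a nested configurer by its class.
     *
     * @return the configurer stored under {@code cls}, or {@code null} if there is none
     */
    @SuppressWarnings("unchecked") // entries are stored under their own class in createConfigurers()
    private <T> T getConfigurer(Class<T> cls) {
        return (T) this.configurers.get(cls);
    }

    /**
     * Returns the request matcher of the nested configurer of the given type.
     */
    private <T extends AbstractOAuth2Configurer> RequestMatcher getRequestMatcher(Class<T> cls) {
        return getConfigurer(cls).getRequestMatcher();
    }

    /**
     * Builds the matcher for the endpoints that require client authentication:
     * token, token introspection and token revocation.
     */
    private RequestMatcher clientAuthenticatedEndpointsMatcher() {
        return new OrRequestMatcher(new RequestMatcher[]{
                getRequestMatcher(OAuth2TokenEndpointConfigurer.class),
                this.tokenIntrospectionEndpointMatcher,
                this.tokenRevocationEndpointMatcher});
    }

    /**
     * Creates the method-specific matchers for the endpoints handled directly by this class.
     * The two discovery matchers use the filters' fixed default paths; the others come
     * from the provider settings.
     */
    private void initEndpointMatchers(ProviderSettings providerSettings) {
        this.tokenIntrospectionEndpointMatcher = new AntPathRequestMatcher(providerSettings.tokenIntrospectionEndpoint(), HttpMethod.POST.name());
        this.tokenRevocationEndpointMatcher = new AntPathRequestMatcher(providerSettings.tokenRevocationEndpoint(), HttpMethod.POST.name());
        this.jwkSetEndpointMatcher = new AntPathRequestMatcher(providerSettings.jwkSetEndpoint(), HttpMethod.GET.name());
        this.oidcProviderConfigurationEndpointMatcher = new AntPathRequestMatcher(OidcProviderConfigurationEndpointFilter.DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI, HttpMethod.GET.name());
        this.authorizationServerMetadataEndpointMatcher = new AntPathRequestMatcher(OAuth2AuthorizationServerMetadataEndpointFilter.DEFAULT_OAUTH2_AUTHORIZATION_SERVER_METADATA_ENDPOINT_URI, HttpMethod.GET.name());
        this.oidcClientRegistrationEndpointMatcher = new AntPathRequestMatcher(providerSettings.oidcClientRegistrationEndpoint(), HttpMethod.POST.name());
    }

    /**
     * Fails fast on an unusable issuer. A {@code null} issuer is accepted.
     *
     * <p>The issuer is published in the discovery metadata and compared by clients, so it
     * must be a well-formed URL, and per RFC 8414 section 2 it must carry no query or
     * fragment component. The scheme is not checked here; production deployments are
     * expected to use {@code https}.
     *
     * @throws IllegalArgumentException if the issuer is not a valid URL or carries a
     *         query or fragment component
     */
    private static void validateProviderSettings(ProviderSettings providerSettings) {
        String issuer = providerSettings.issuer();
        if (issuer == null) {
            return;
        }
        URI issuerUri;
        try {
            issuerUri = new URI(issuer);
            // toURL() additionally rejects non-absolute URIs and unknown schemes.
            issuerUri.toURL();
        } catch (Exception e) {
            throw new IllegalArgumentException("issuer must be a valid URL", e);
        }
        if (issuerUri.getQuery() != null || issuerUri.getFragment() != null) {
            throw new IllegalArgumentException("issuer cannot contain query or fragment component");
        }
    }
}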
