package org.springframework.security.oauth2.server.authorization.oidc.web;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.http.converter.OAuth2ErrorHttpMessageConverter;
import org.springframework.security.oauth2.core.oidc.OidcClientRegistration;
import org.springframework.security.oauth2.core.oidc.http.converter.OidcClientRegistrationHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcClientRegistrationAuthenticationToken;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/oidc/web/OidcClientRegistrationEndpointFilter.class */
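/**
 * Servlet filter for the OpenID Connect Dynamic Client Registration endpoint.
 *
 * <p>Only {@code POST} requests whose path matches the configured endpoint URI
 * (default {@value #DEFAULT_OIDC_CLIENT_REGISTRATION_ENDPOINT_URI}) are handled;
 * everything else is passed down the filter chain untouched.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>This filter performs no token or scope check of its own. It hands whatever
 *       {@code Authentication} is currently in the {@link SecurityContextHolder}
 *       (possibly {@code null}) to the {@link AuthenticationManager}, so the decision
 *       whether the caller may register a client rests entirely on the configured
 *       providers and on an upstream filter having authenticated the request.</li>
 *   <li>The security context is cleared after every handled request, on success and on
 *       failure, so the caller's authentication does not outlive the request on a
 *       pooled thread.</li>
 * </ul>
 */
public class OidcClientRegistrationEndpointFilter extends OncePerRequestFilter {
    /** Default path of the client registration endpoint. */
    public static final String DEFAULT_OIDC_CLIENT_REGISTRATION_ENDPOINT_URI = "/connect/register";

    private final AuthenticationManager authenticationManager;
    private final RequestMatcher clientRegistrationEndpointMatcher;
    private final HttpMessageConverter<OidcClientRegistration> clientRegistrationHttpMessageConverter =
            new OidcClientRegistrationHttpMessageConverter();
    private final HttpMessageConverter<OAuth2Error> errorHttpResponseConverter =
            new OAuth2ErrorHttpMessageConverter();

    /**
     * Creates a filter bound to the default endpoint URI.
     *
     * @param authenticationManager manager that validates the registration request; must not be null
     */
    public OidcClientRegistrationEndpointFilter(AuthenticationManager authenticationManager) {
        this(authenticationManager, DEFAULT_OIDC_CLIENT_REGISTRATION_ENDPOINT_URI);
    }

    /**
     * Creates a filter bound to a custom endpoint URI.
     *
     * @param authenticationManager manager that validates the registration request; must not be null
     * @param clientRegistrationEndpointUri Ant-style path of the endpoint; must contain text
     * @throws IllegalArgumentException if either argument fails its precondition
     */
    public OidcClientRegistrationEndpointFilter(AuthenticationManager authenticationManager,
            String clientRegistrationEndpointUri) {
        Assert.notNull(authenticationManager, "authenticationManager cannot be null");
        Assert.hasText(clientRegistrationEndpointUri, "clientRegistrationEndpointUri cannot be empty");
        this.authenticationManager = authenticationManager;
        // Restricting the matcher to POST means other HTTP methods on the same path fall through.
        this.clientRegistrationEndpointMatcher =
                new AntPathRequestMatcher(clientRegistrationEndpointUri, HttpMethod.POST.name());
    }

    /**
     * Passes non-matching requests down the chain and handles matching ones as client
     * registration requests.
     *
     * @throws ServletException propagated from the downstream filter chain
     * @throws IOException if the chain or the response writer fails
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        try {
            if (!this.clientRegistrationEndpointMatcher.matches(httpServletRequest)) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            handleClientRegistration(httpServletRequest, httpServletResponse);
        } catch (Throwable ex) {
            // Anything escaping (including from the pass-through branch) still clears the context.
            SecurityContextHolder.clearContext();
            throw ex;
        }
        // Handled request completed (success or error response written): drop the caller's authentication.
        SecurityContextHolder.clearContext();
    }

    /**
     * Reads the registration request body, authenticates it and writes either the
     * registered client or an OAuth 2.0 error response.
     */
    private void handleClientRegistration(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        try {
            OidcClientRegistration requestedRegistration = this.clientRegistrationHttpMessageConverter.read(
                    OidcClientRegistration.class, new ServletServerHttpRequest(httpServletRequest));

            OidcClientRegistrationAuthenticationToken registrationRequest =
                    new OidcClientRegistrationAuthenticationToken(
                            SecurityContextHolder.getContext().getAuthentication(), requestedRegistration);

            // authenticate() is declared to return Authentication; the registration accessor
            // lives on the concrete token type, so the cast is required.
            OidcClientRegistrationAuthenticationToken registrationResult =
                    (OidcClientRegistrationAuthenticationToken) this.authenticationManager.authenticate(registrationRequest);

            sendClientRegistrationResponse(httpServletResponse, registrationResult.getClientRegistration());
        } catch (OAuth2AuthenticationException ex) {
            // Must precede the generic handler: otherwise the specific error code
            // (e.g. invalid_token / insufficient_scope) is lost and every failure becomes a 400.
            sendErrorResponse(httpServletResponse, ex.getError());
        } catch (Exception ex) {
            // NOTE(review): the raw exception message is echoed to the client. Parser or
            // internal failure text can disclose implementation details to the caller;
            // consider a fixed description here and logging the cause server-side instead.
            // This branch also catches an IOException raised while writing the success
            // response, in which case the response may already be committed.
            sendErrorResponse(httpServletResponse, new OAuth2Error("invalid_request", "OpenID Client Registration Error: " + ex.getMessage(), "https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationError"));
        }
    }

    /**
     * Writes the registered client with status {@code 201 Created}.
     */
    private void sendClientRegistrationResponse(HttpServletResponse httpServletResponse, OidcClientRegistration oidcClientRegistration) throws IOException {
        ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(httpServletResponse);
        httpResponse.setStatusCode(HttpStatus.CREATED);
        // No explicit content type is passed; the converter is left to apply its own default.
        this.clientRegistrationHttpMessageConverter.write(oidcClientRegistration, (MediaType) null, httpResponse);
    }

    /**
     * Writes an OAuth 2.0 error, mapping the error code to an HTTP status:
     * {@code invalid_token} to 401, {@code insufficient_scope} to 403, anything else to 400.
     */
    private void sendErrorResponse(HttpServletResponse httpServletResponse, OAuth2Error oAuth2Error) throws IOException {
        String errorCode = oAuth2Error.getErrorCode();
        HttpStatus httpStatus;
        if ("invalid_token".equals(errorCode)) {
            httpStatus = HttpStatus.UNAUTHORIZED;
        } else if ("insufficient_scope".equals(errorCode)) {
            httpStatus = HttpStatus.FORBIDDEN;
        } else {
            httpStatus = HttpStatus.BAD_REQUEST;
        }
        ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(httpServletResponse);
        httpResponse.setStatusCode(httpStatus);
        this.errorHttpResponseConverter.write(oAuth2Error, (MediaType) null, httpResponse);
    }
}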
