package org.springframework.security.oauth2.client.web;

import java.util.Base64;
import java.util.HashMap;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.server.DefaultServerRedirectStrategy;
import org.springframework.security.web.server.ServerRedirectStrategy;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import org.springframework.web.util.UriComponentsBuilder;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectWebFilter.class */
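/**
 * Reactive {@link WebFilter} that starts an OAuth 2.0 authorization flow by redirecting the
 * user agent to the authorization endpoint of a registered client.
 *
 * <p>A redirect is triggered in two ways, both visible in {@link #filter}:
 * <ul>
 *   <li>the request path matches {@code {authorizationRequestBaseUri}/{registrationId}};</li>
 *   <li>a {@link ClientAuthorizationRequiredException} is raised upstream of the error handler,
 *       which includes the rest of the filter chain for non-matching requests.</li>
 * </ul>
 *
 * <p>Security-relevant behaviour of this class, for reviewers:
 * <ul>
 *   <li>The {@code registrationId} taken from the request path is only used as a lookup key.
 *       The authorization endpoint, client id and scopes all come from the stored
 *       {@link ClientRegistration}, never from request parameters.</li>
 *   <li>A fresh {@code state} value is generated for every authorization request, but the
 *       request (and therefore the {@code state}) is persisted only for the
 *       {@code authorization_code} grant. For the {@code implicit} grant nothing is stored
 *       here, so this class provides no server-side value to compare the returned
 *       {@code state} against. The implicit grant is also discouraged by the OAuth 2.0
 *       Security BCP (RFC 9700).</li>
 *   <li>The request built here carries no PKCE {@code code_challenge} and no OIDC
 *       {@code nonce}; if those protections are required they must be added elsewhere.</li>
 *   <li>The {@code baseUrl} variable of the redirect URI template is derived from the incoming
 *       request, see {@link #expandRedirectUri}.</li>
 * </ul>
 */
public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter {
    /** Default base path; the registration id is appended as a path segment. */
    public static final String DEFAULT_AUTHORIZATION_REQUEST_BASE_URI = "/oauth2/authorization";
    private static final String REGISTRATION_ID_URI_VARIABLE_NAME = "registrationId";
    // Not referenced anywhere in this class; kept as found.
    private static final String AUTHORIZATION_REQUIRED_EXCEPTION_ATTR_NAME = ClientAuthorizationRequiredException.class.getName() + ".AUTHORIZATION_REQUIRED_EXCEPTION";
    private final ServerWebExchangeMatcher authorizationRequestMatcher;
    private final ReactiveClientRegistrationRepository clientRegistrationRepository;
    private final ServerRedirectStrategy authorizationRedirectStrategy = new DefaultServerRedirectStrategy();
    // Source of the OAuth2 "state" value. URL-safe Base64 so it can be placed in a query string.
    // NOTE(review): key length and randomness source are decided inside Base64StringKeyGenerator
    // and are not visible in this file — confirm they meet the entropy you expect for state.
    private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
    // Where the pending authorization request is kept until the callback arrives.
    // NOTE(review): the default is presumably WebSession-backed (judging by its name) — confirm.
    private ReactiveAuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository = new WebSessionOAuth2ReactiveAuthorizationRequestRepository();

    /**
     * Creates the filter with {@link #DEFAULT_AUTHORIZATION_REQUEST_BASE_URI} as base path.
     *
     * @param clientRegistrationRepository repository of known client registrations, not null
     */
    public OAuth2AuthorizationRequestRedirectWebFilter(ReactiveClientRegistrationRepository clientRegistrationRepository) {
        this(clientRegistrationRepository, DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
    }

    /**
     * Creates the filter for a custom base path.
     *
     * @param clientRegistrationRepository repository of known client registrations, not null
     * @param authorizationRequestBaseUri base path; requests to
     *        {@code authorizationRequestBaseUri/{registrationId}} start an authorization flow
     * @throws IllegalArgumentException if the base URI has no text or the repository is null
     *         (raised by {@link Assert})
     */
    public OAuth2AuthorizationRequestRedirectWebFilter(ReactiveClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri) {
        Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty");
        Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
        this.authorizationRequestMatcher = new PathPatternParserServerWebExchangeMatcher(
                authorizationRequestBaseUri + "/{" + REGISTRATION_ID_URI_VARIABLE_NAME + "}");
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    /**
     * Replaces the repository that stores the pending authorization request.
     *
     * <p>The stored request is what later allows the callback to be correlated with this
     * redirect, so a replacement must bind it to the same user agent that was redirected.
     *
     * @param authorizationRequestRepository the repository to use, not null
     */
    public final void setAuthorizationRequestRepository(ReactiveAuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository) {
        Assert.notNull(authorizationRequestRepository, "authorizationRequestRepository cannot be null");
        this.authorizationRequestRepository = authorizationRequestRepository;
    }

    /**
     * Redirects to the authorization endpoint when the request matches the authorization
     * request path, otherwise delegates to the rest of the chain.
     *
     * @param exchange the current exchange
     * @param chain the remaining filter chain
     * @return completion signal of either the redirect or the delegated chain
     */
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        return this.authorizationRequestMatcher.matches(exchange)
                .filter(ServerWebExchangeMatcher.MatchResult::isMatch)
                // No match: run the rest of the chain and emit nothing, so no redirect follows.
                .switchIfEmpty(chain.filter(exchange).then(Mono.empty()))
                .map(ServerWebExchangeMatcher.MatchResult::getVariables)
                .map(variables -> variables.get(REGISTRATION_ID_URI_VARIABLE_NAME))
                .cast(String.class)
                // The chain above is upstream of this operator, so a
                // ClientAuthorizationRequiredException thrown by a later filter or handler is
                // turned into a redirect for the registration id carried by the exception.
                .onErrorResume(ClientAuthorizationRequiredException.class,
                        ex -> Mono.just(ex.getClientRegistrationId()))
                .flatMap(registrationId -> findByRegistrationId(exchange, registrationId))
                .flatMap(clientRegistration -> sendRedirectForAuthorization(exchange, clientRegistration));
    }

    /**
     * Looks up the client registration; an unknown id ends the exchange with 400 Bad Request
     * and yields an empty result, so no redirect is ever issued for an unregistered id.
     */
    private Mono<ClientRegistration> findByRegistrationId(ServerWebExchange exchange, String registrationId) {
        return this.clientRegistrationRepository.findByRegistrationId(registrationId)
                .switchIfEmpty(Mono.defer(() -> {
                    exchange.getResponse().setStatusCode(HttpStatus.BAD_REQUEST);
                    return exchange.getResponse().setComplete().then(Mono.empty());
                }));
    }

    /**
     * Builds the authorization request for the registration, stores it when the grant is
     * {@code authorization_code}, and redirects the user agent to the authorization endpoint.
     *
     * @throws IllegalArgumentException (inside the returned Mono) if the registration uses a
     *         grant type other than {@code authorization_code} or {@code implicit}
     */
    private Mono<Void> sendRedirectForAuthorization(ServerWebExchange exchange, ClientRegistration clientRegistration) {
        return Mono.defer(() -> {
            String redirectUri = expandRedirectUri(exchange.getRequest(), clientRegistration);
            HashMap<String, Object> additionalParameters = new HashMap<>();
            additionalParameters.put("registration_id", clientRegistration.getRegistrationId());

            OAuth2AuthorizationRequest.Builder builder;
            if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
                builder = OAuth2AuthorizationRequest.authorizationCode();
            } else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
                builder = OAuth2AuthorizationRequest.implicit();
            } else {
                throw new IllegalArgumentException("Invalid Authorization Grant Type (" + clientRegistration.getAuthorizationGrantType().getValue() + ") for Client Registration with Id: " + clientRegistration.getRegistrationId());
            }

            OAuth2AuthorizationRequest authorizationRequest = builder
                    .clientId(clientRegistration.getClientId())
                    .authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
                    .redirectUri(redirectUri)
                    .scopes(clientRegistration.getScopes())
                    // One new state value per authorization request.
                    .state(this.stateGenerator.generateKey())
                    .additionalParameters(additionalParameters)
                    .build();

            // Only the authorization_code flow persists the request. For implicit, the state
            // sent to the provider is not recorded here, so it cannot be verified from this
            // class's storage when the response comes back.
            Mono<Void> saveAuthorizationRequest = Mono.empty();
            if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationRequest.getGrantType())) {
                saveAuthorizationRequest = this.authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest, exchange);
            }

            // build(true): the authorization request URI is treated as already encoded, so it
            // is not encoded a second time.
            return saveAuthorizationRequest.then(this.authorizationRedirectStrategy.sendRedirect(exchange,
                    UriComponentsBuilder.fromUriString(authorizationRequest.getAuthorizationRequestUri()).build(true).toUri()));
        });
    }

    /**
     * Expands the registration's redirect URI template with {@code registrationId},
     * {@code baseUrl} and, for the {@code authorization_code} grant, {@code action=login}.
     *
     * <p>{@code baseUrl} is computed from the incoming request (scheme, host, port and context
     * path), so a template that uses it produces a {@code redirect_uri} that reflects what the
     * client sent. NOTE(review): depending on the Spring version,
     * {@code UriComponentsBuilder.fromHttpRequest} may also honour {@code Forwarded} /
     * {@code X-Forwarded-*} headers — confirm for the deployed version. Either way the
     * effective controls are exact redirect URI matching at the authorization server and
     * Host / forwarded header validation at a trusted proxy in front of this application.
     */
    private String expandRedirectUri(ServerHttpRequest request, ClientRegistration clientRegistration) {
        String baseUrl = UriComponentsBuilder.fromHttpRequest(new ServerHttpRequestDecorator(request))
                .replacePath(request.getPath().contextPath().value())
                .replaceQuery((String) null)
                .build()
                .toUriString();

        HashMap<String, String> uriVariables = new HashMap<>();
        uriVariables.put(REGISTRATION_ID_URI_VARIABLE_NAME, clientRegistration.getRegistrationId());
        uriVariables.put("baseUrl", baseUrl);
        if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
            uriVariables.put("action", "login");
        }
        return UriComponentsBuilder.fromUriString(clientRegistration.getRedirectUriTemplate())
                .buildAndExpand(uriVariables)
                .toUriString();
    }
}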
