package org.springframework.security.oauth2.provider.endpoint;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.Principal;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.springframework.beans.factory.BeanFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.BadClientCredentialsException;
import org.springframework.security.oauth2.common.exceptions.ClientAuthenticationException;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.security.oauth2.common.exceptions.UnapprovedClientAuthenticationException;
import org.springframework.security.oauth2.common.exceptions.UnsupportedResponseTypeException;
import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.security.oauth2.provider.AuthorizationRequest;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.DefaultAuthorizationRequest;
import org.springframework.security.oauth2.provider.approval.DefaultUserApprovalHandler;
import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
import org.springframework.security.oauth2.provider.code.AuthorizationRequestHolder;
import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
import org.springframework.util.StringUtils;
import org.springframework.web.HttpSessionRequiredException;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.SessionAttributes;
import org.springframework.web.bind.support.DefaultSessionAttributeStore;
import org.springframework.web.bind.support.SessionAttributeStore;
import org.springframework.web.bind.support.SessionStatus;
import org.springframework.web.context.request.ServletWebRequest;
import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.View;
import org.springframework.web.servlet.view.RedirectView;
import org.springframework.web.util.UriTemplate;

@RequestMapping({"/oauth/authorize"})
@SessionAttributes({"authorizationRequest"})
@FrameworkEndpoint
/* loaded from: input_file:WEB-INF/lib/spring-security-oauth2-1.0.5.RELEASE.jar:org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.class */
public class AuthorizationEndpoint extends AbstractEndpoint implements InitializingBean {
    private static final String ORIGINAL_SCOPE = "original_scope";
    private AuthorizationCodeServices authorizationCodeServices = new InMemoryAuthorizationCodeServices();
    private RedirectResolver redirectResolver = new DefaultRedirectResolver();
    private UserApprovalHandler userApprovalHandler = new DefaultUserApprovalHandler();
    private SessionAttributeStore sessionAttributeStore = new DefaultSessionAttributeStore();
    private String userApprovalPage = "forward:/oauth/confirm_access";
    private String errorPage = "forward:/oauth/error";

    @Override // org.springframework.security.oauth2.provider.endpoint.AbstractEndpoint, org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        super.afterPropertiesSet();
    }

    public void setSessionAttributeStore(SessionAttributeStore sessionAttributeStore) {
        this.sessionAttributeStore = sessionAttributeStore;
    }

    public void setErrorPage(String str) {
        this.errorPage = str;
    }

    @RequestMapping
    public ModelAndView authorize(Map<String, Object> map, @RequestParam(value = "response_type", required = false, defaultValue = "none") String str, @RequestParam Map<String, String> map2, SessionStatus sessionStatus, Principal principal) {
        Set<String> parseParameterList = OAuth2Utils.parseParameterList(str);
        if (!parseParameterList.contains(SchemaSymbols.ATTVAL_TOKEN) && !parseParameterList.contains("code")) {
            throw new UnsupportedResponseTypeException("Unsupported response types: " + parseParameterList);
        }
        try {
            LinkedHashMap linkedHashMap = new LinkedHashMap(map2);
            String str2 = linkedHashMap.get("scope");
            if (str2 != null) {
                linkedHashMap.put(ORIGINAL_SCOPE, str2);
            }
            DefaultAuthorizationRequest defaultAuthorizationRequest = new DefaultAuthorizationRequest(getAuthorizationRequestManager().createAuthorizationRequest(linkedHashMap));
            if (!(principal instanceof Authentication) || !((Authentication) principal).isAuthenticated()) {
                throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorization can be completed.");
            }
            AuthorizationRequest resolveRedirectUriAndCheckApproval = resolveRedirectUriAndCheckApproval(defaultAuthorizationRequest, (Authentication) principal);
            getAuthorizationRequestManager().validateParameters(linkedHashMap, getClientDetailsService().loadClientByClientId(resolveRedirectUriAndCheckApproval.getClientId()));
            if (resolveRedirectUriAndCheckApproval.isApproved()) {
                if (parseParameterList.contains(SchemaSymbols.ATTVAL_TOKEN)) {
                    return getImplicitGrantResponse(resolveRedirectUriAndCheckApproval);
                }
                if (parseParameterList.contains("code")) {
                    return new ModelAndView(getAuthorizationCodeResponse(resolveRedirectUriAndCheckApproval, (Authentication) principal));
                }
            }
            map.put("authorizationRequest", resolveRedirectUriAndCheckApproval);
            return getUserApprovalPageResponse(map, resolveRedirectUriAndCheckApproval);
        } catch (RuntimeException e) {
            sessionStatus.setComplete();
            throw e;
        }
    }

    @RequestMapping(method = {RequestMethod.POST}, params = {AuthorizationRequest.USER_OAUTH_APPROVAL})
    public View approveOrDeny(@RequestParam Map<String, String> map, Map<String, ?> map2, SessionStatus sessionStatus, Principal principal) {
        if (!(principal instanceof Authentication)) {
            sessionStatus.setComplete();
            throw new InsufficientAuthenticationException("User must be authenticated with Spring Security before authorizing an access token.");
        }
        AuthorizationRequest authorizationRequest = (AuthorizationRequest) map2.get("authorizationRequest");
        if (authorizationRequest == null) {
            sessionStatus.setComplete();
            throw new InvalidRequestException("Cannot approve uninitialized authorization request.");
        }
        try {
            Set<String> responseTypes = authorizationRequest.getResponseTypes();
            DefaultAuthorizationRequest defaultAuthorizationRequest = new DefaultAuthorizationRequest(authorizationRequest);
            defaultAuthorizationRequest.setApprovalParameters(map);
            AuthorizationRequest resolveRedirectUriAndCheckApproval = resolveRedirectUriAndCheckApproval(defaultAuthorizationRequest, (Authentication) principal);
            if (!resolveRedirectUriAndCheckApproval.isApproved()) {
                RedirectView redirectView = new RedirectView(getUnsuccessfulRedirect(resolveRedirectUriAndCheckApproval, new UserDeniedAuthorizationException("User denied access"), responseTypes.contains(SchemaSymbols.ATTVAL_TOKEN)), false);
                sessionStatus.setComplete();
                return redirectView;
            }
            if (responseTypes.contains(SchemaSymbols.ATTVAL_TOKEN)) {
                View view = getImplicitGrantResponse(resolveRedirectUriAndCheckApproval).getView();
                sessionStatus.setComplete();
                return view;
            }
            View authorizationCodeResponse = getAuthorizationCodeResponse(resolveRedirectUriAndCheckApproval, (Authentication) principal);
            sessionStatus.setComplete();
            return authorizationCodeResponse;
        } catch (Throwable th) {
            sessionStatus.setComplete();
            throw th;
        }
    }

    private AuthorizationRequest resolveRedirectUriAndCheckApproval(AuthorizationRequest authorizationRequest, Authentication authentication) throws OAuth2Exception {
        String resolveRedirect = this.redirectResolver.resolveRedirect(authorizationRequest.getAuthorizationParameters().get(AuthorizationRequest.REDIRECT_URI), getClientDetailsService().loadClientByClientId(authorizationRequest.getClientId()));
        if (!StringUtils.hasText(resolveRedirect)) {
            throw new RedirectMismatchException("A redirectUri must be either supplied or preconfigured in the ClientDetails");
        }
        DefaultAuthorizationRequest defaultAuthorizationRequest = new DefaultAuthorizationRequest(authorizationRequest);
        defaultAuthorizationRequest.setRedirectUri(resolveRedirect);
        DefaultAuthorizationRequest defaultAuthorizationRequest2 = new DefaultAuthorizationRequest(this.userApprovalHandler.updateBeforeApproval(defaultAuthorizationRequest, authentication));
        if (!authorizationRequest.isApproved()) {
            defaultAuthorizationRequest2.setApproved(this.userApprovalHandler.isApproved(defaultAuthorizationRequest2, authentication));
        }
        return defaultAuthorizationRequest2;
    }

    private ModelAndView getUserApprovalPageResponse(Map<String, Object> map, AuthorizationRequest authorizationRequest) {
        this.logger.debug("Loading user approval page: " + this.userApprovalPage);
        map.putAll(authorizationRequest.getAuthorizationParameters());
        return new ModelAndView(this.userApprovalPage, (Map<String, ?>) map);
    }

    private ModelAndView getImplicitGrantResponse(AuthorizationRequest authorizationRequest) {
        try {
            OAuth2AccessToken grant = getTokenGranter().grant("implicit", authorizationRequest);
            if (grant == null) {
                throw new UnsupportedResponseTypeException("Unsupported response type: token");
            }
            return new ModelAndView(new RedirectView(appendAccessToken(authorizationRequest, grant), false));
        } catch (OAuth2Exception e) {
            return new ModelAndView(new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, true), false));
        }
    }

    private View getAuthorizationCodeResponse(AuthorizationRequest authorizationRequest, Authentication authentication) {
        try {
            return new RedirectView(getSuccessfulRedirect(authorizationRequest, generateCode(authorizationRequest, authentication)), false);
        } catch (OAuth2Exception e) {
            return new RedirectView(getUnsuccessfulRedirect(authorizationRequest, e, false), false);
        }
    }

    private String appendAccessToken(AuthorizationRequest authorizationRequest, OAuth2AccessToken oAuth2AccessToken) {
        HashMap hashMap = new HashMap();
        String redirectUri = authorizationRequest.getRedirectUri();
        if (oAuth2AccessToken == null) {
            throw new InvalidGrantException("An implicit grant could not be made");
        }
        StringBuilder sb = new StringBuilder(redirectUri);
        if (redirectUri.contains("#")) {
            sb.append(BeanFactory.FACTORY_BEAN_PREFIX);
        } else {
            sb.append("#");
        }
        sb.append("access_token={access_token}");
        sb.append("&token_type={token_type}");
        hashMap.put(OAuth2AccessToken.ACCESS_TOKEN, oAuth2AccessToken.getValue());
        hashMap.put(OAuth2AccessToken.TOKEN_TYPE, oAuth2AccessToken.getTokenType());
        String state = authorizationRequest.getState();
        if (state != null) {
            sb.append("&state={state}");
            hashMap.put(AuthorizationRequest.STATE, state);
        }
        Date expiration = oAuth2AccessToken.getExpiration();
        if (expiration != null) {
            long time = (expiration.getTime() - System.currentTimeMillis()) / 1000;
            sb.append("&expires_in={expires_in}");
            hashMap.put(OAuth2AccessToken.EXPIRES_IN, Long.valueOf(time));
        }
        String str = authorizationRequest.getAuthorizationParameters().get(ORIGINAL_SCOPE);
        if (str == null || !OAuth2Utils.parseParameterList(str).equals(oAuth2AccessToken.getScope())) {
            sb.append("&scope={scope}");
            hashMap.put("scope", OAuth2Utils.formatParameterList(oAuth2AccessToken.getScope()));
        }
        Map<String, Object> additionalInformation = oAuth2AccessToken.getAdditionalInformation();
        for (String str2 : additionalInformation.keySet()) {
            Object obj = additionalInformation.get(str2);
            if (obj != null) {
                sb.append(BeanFactory.FACTORY_BEAN_PREFIX + str2 + "={extra_" + str2 + "}");
                hashMap.put("extra_" + str2, obj);
            }
        }
        return new UriTemplate(sb.toString()).expand(hashMap).toString();
    }

    private String generateCode(AuthorizationRequest authorizationRequest, Authentication authentication) throws AuthenticationException {
        try {
            return this.authorizationCodeServices.createAuthorizationCode(new AuthorizationRequestHolder(authorizationRequest, authentication));
        } catch (OAuth2Exception e) {
            if (authorizationRequest.getState() != null) {
                e.addAdditionalInformation(AuthorizationRequest.STATE, authorizationRequest.getState());
            }
            throw e;
        }
    }

    private String getSuccessfulRedirect(AuthorizationRequest authorizationRequest, String str) {
        if (str == null) {
            throw new IllegalStateException("No authorization code found in the current request scope.");
        }
        String redirectUri = authorizationRequest.getRedirectUri();
        String[] split = redirectUri.split("#");
        String state = authorizationRequest.getState();
        StringBuilder sb = new StringBuilder(split[0]);
        if (redirectUri.indexOf(63) < 0) {
            sb.append('?');
        } else {
            sb.append('&');
        }
        sb.append("code=").append(str);
        if (state != null) {
            sb.append("&state=").append(state);
        }
        if (split.length > 1) {
            sb.append("#" + split[1]);
        }
        return sb.toString();
    }

    private String getUnsuccessfulRedirect(AuthorizationRequest authorizationRequest, OAuth2Exception oAuth2Exception, boolean z) {
        if (authorizationRequest == null || authorizationRequest.getRedirectUri() == null) {
            throw new UnapprovedClientAuthenticationException("Authorization failure, and no redirect URI.", oAuth2Exception);
        }
        String redirectUri = authorizationRequest.getRedirectUri();
        String[] split = redirectUri.split("#");
        StringBuilder sb = new StringBuilder(z ? redirectUri : split[0]);
        char c = z ? '#' : '?';
        if (redirectUri.indexOf(c) < 0) {
            sb.append(c);
        } else {
            sb.append('&');
        }
        sb.append("error=").append(oAuth2Exception.getOAuth2ErrorCode());
        try {
            sb.append("&error_description=").append(URLEncoder.encode(oAuth2Exception.getMessage(), "UTF-8"));
            if (authorizationRequest.getState() != null) {
                sb.append('&').append("state=").append(authorizationRequest.getState());
            }
            if (oAuth2Exception.getAdditionalInformation() != null) {
                for (Map.Entry<String, String> entry : oAuth2Exception.getAdditionalInformation().entrySet()) {
                    sb.append('&').append(entry.getKey()).append('=').append(URLEncoder.encode(entry.getValue(), "UTF-8"));
                }
            }
            if (!z && split.length > 1) {
                sb.append("#" + split[1]);
            }
            return sb.toString();
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    public void setUserApprovalPage(String str) {
        this.userApprovalPage = str;
    }

    public void setAuthorizationCodeServices(AuthorizationCodeServices authorizationCodeServices) {
        this.authorizationCodeServices = authorizationCodeServices;
    }

    public void setRedirectResolver(RedirectResolver redirectResolver) {
        this.redirectResolver = redirectResolver;
    }

    public void setUserApprovalHandler(UserApprovalHandler userApprovalHandler) {
        this.userApprovalHandler = userApprovalHandler;
    }

    @ExceptionHandler({ClientRegistrationException.class})
    public ModelAndView handleClientRegistrationException(Exception exc, ServletWebRequest servletWebRequest) throws Exception {
        this.logger.info("Handling ClientRegistrationException error: " + exc.getMessage());
        return handleException(new BadClientCredentialsException(), servletWebRequest);
    }

    @ExceptionHandler({OAuth2Exception.class})
    public ModelAndView handleOAuth2Exception(OAuth2Exception oAuth2Exception, ServletWebRequest servletWebRequest) throws Exception {
        this.logger.info("Handling OAuth2 error: " + oAuth2Exception.getSummary());
        return handleException(oAuth2Exception, servletWebRequest);
    }

    @ExceptionHandler({HttpSessionRequiredException.class})
    public ModelAndView handleHttpSessionRequiredException(HttpSessionRequiredException httpSessionRequiredException, ServletWebRequest servletWebRequest) throws Exception {
        this.logger.info("Handling Session required error: " + httpSessionRequiredException.getMessage());
        return handleException(new AccessDeniedException("Could not obtain authorization request from session", httpSessionRequiredException), servletWebRequest);
    }

    private ModelAndView handleException(Exception exc, ServletWebRequest servletWebRequest) throws Exception {
        ResponseEntity<OAuth2Exception> translate = getExceptionTranslator().translate(exc);
        servletWebRequest.getResponse().setStatus(translate.getStatusCode().value());
        if ((exc instanceof ClientAuthenticationException) || (exc instanceof RedirectMismatchException)) {
            return new ModelAndView(this.errorPage, (Map<String, ?>) Collections.singletonMap("error", translate.getBody()));
        }
        try {
            DefaultAuthorizationRequest defaultAuthorizationRequest = new DefaultAuthorizationRequest(getAuthorizationRequestForError(servletWebRequest));
            defaultAuthorizationRequest.setRedirectUri(this.redirectResolver.resolveRedirect(defaultAuthorizationRequest.getAuthorizationParameters().get(AuthorizationRequest.REDIRECT_URI), getClientDetailsService().loadClientByClientId(defaultAuthorizationRequest.getClientId())));
            return new ModelAndView(new RedirectView(getUnsuccessfulRedirect(defaultAuthorizationRequest, translate.getBody(), defaultAuthorizationRequest.getResponseTypes().contains(SchemaSymbols.ATTVAL_TOKEN)), false));
        } catch (OAuth2Exception e) {
            return new ModelAndView(this.errorPage, (Map<String, ?>) Collections.singletonMap("error", translate.getBody()));
        }
    }

    private AuthorizationRequest getAuthorizationRequestForError(ServletWebRequest servletWebRequest) {
        AuthorizationRequest authorizationRequest = (AuthorizationRequest) this.sessionAttributeStore.retrieveAttribute(servletWebRequest, "authorizationRequest");
        if (authorizationRequest != null) {
            return authorizationRequest;
        }
        HashMap hashMap = new HashMap();
        Map<String, String[]> parameterMap = servletWebRequest.getParameterMap();
        for (String str : parameterMap.keySet()) {
            String[] strArr = parameterMap.get(str);
            if (strArr != null && strArr.length > 0) {
                hashMap.put(str, strArr[0]);
            }
        }
        try {
            return getAuthorizationRequestManager().createAuthorizationRequest(hashMap);
        } catch (Exception e) {
            return getDefaultAuthorizationRequestManager().createAuthorizationRequest(hashMap);
        }
    }
}
