package org.springframework.security.oauth2.client.token.grant.code;

import java.io.IOException;
import java.net.URI;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import org.apache.catalina.realm.Constants;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.oauth2.client.filter.state.DefaultStateKeyGenerator;
import org.springframework.security.oauth2.client.filter.state.StateKeyGenerator;
import org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException;
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.client.resource.UserApprovalRequiredException;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
import org.springframework.security.oauth2.client.token.AccessTokenProvider;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.DefaultRequestEnhancer;
import org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport;
import org.springframework.security.oauth2.client.token.RequestEnhancer;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.util.OAuth2Utils;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.ResponseExtractor;

/* loaded from: input_file:lib/spring-security-oauth2-2.0.10.RELEASE.jar:org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProvider.class */
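/**
 * Access token provider for the OAuth2 {@code authorization_code} grant.
 *
 * <p>The provider first obtains an authorization code, either by signalling that the user must be
 * redirected to the authorization endpoint or by posting to that endpoint directly, and then
 * exchanges the code for a token through {@code retrieveToken}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>The {@code state} key and the "preserved state" stored on the {@link AccessTokenRequest}
 * back the CSRF check in {@code getParametersForTokenRequest} and
 * {@code getParametersForAuthorizeRequest}.</li>
 * <li>Headers and the cookie held by the {@link AccessTokenRequest} are forwarded to the
 * authorization endpoint.</li>
 * </ul>
 *
 * <p>The configuration fields are plain mutable fields with no synchronization, so the setters
 * are expected to be called during set-up only.
 */
public class AuthorizationCodeAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider {
    private StateKeyGenerator stateKeyGenerator = new DefaultStateKeyGenerator();
    private String scopePrefix = OAuth2Utils.SCOPE_PREFIX;
    private RequestEnhancer authorizationRequestEnhancer = new DefaultRequestEnhancer();
    // Defaults to true: a token request without preserved state is rejected as a possible CSRF.
    private boolean stateMandatory = true;

    /**
     * Controls whether preserved state is required on every token request.
     *
     * <p>When {@code true} (the default) a token request with no preserved state is rejected even
     * if the request carries no state key. Setting it to {@code false} narrows that check to
     * requests that already carry a state key, which weakens the CSRF protection.
     *
     * @param z {@code true} to require preserved state on every token request
     */
    public void setStateMandatory(boolean z) {
        this.stateMandatory = z;
    }

    /**
     * Sets the enhancer applied to the form and headers of the authorization request.
     *
     * @param requestEnhancer the enhancer to invoke before the authorization endpoint is called
     */
    public void setAuthorizationRequestEnhancer(RequestEnhancer requestEnhancer) {
        this.authorizationRequestEnhancer = requestEnhancer;
    }

    /**
     * Sets the prefix put in front of each scope name when user approval is posted per scope.
     *
     * @param str the prefix to prepend to every scope name
     */
    public void setScopePrefix(String str) {
        this.scopePrefix = str;
    }

    /**
     * Sets the generator used to create the {@code state} key for an authorization redirect.
     *
     * <p>NOTE(review): the key is what the CSRF check relies on, so a replacement generator
     * should produce unpredictable values; confirm for any custom implementation.
     *
     * @param stateKeyGenerator the generator to use
     */
    public void setStateKeyGenerator(StateKeyGenerator stateKeyGenerator) {
        this.stateKeyGenerator = stateKeyGenerator;
    }

    /**
     * Reports whether the resource is an {@link AuthorizationCodeResourceDetails} whose grant type
     * is {@code authorization_code}.
     */
    @Override // org.springframework.security.oauth2.client.token.AccessTokenProvider
    public boolean supportsResource(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails) {
        if (!(oAuth2ProtectedResourceDetails instanceof AuthorizationCodeResourceDetails)) {
            return false;
        }
        return "authorization_code".equals(oAuth2ProtectedResourceDetails.getGrantType());
    }

    /** Refresh is supported for exactly the resources accepted by {@link #supportsResource}. */
    @Override // org.springframework.security.oauth2.client.token.AccessTokenProvider
    public boolean supportsRefresh(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails) {
        return supportsResource(oAuth2ProtectedResourceDetails);
    }

    /**
     * Posts to the user authorization endpoint and extracts the authorization code from the
     * redirect it answers with.
     *
     * <p>If the request already carries a user approval value, that value is posted for the
     * approval parameter and for every prefixed scope; otherwise the regular authorize parameters
     * are sent. The resulting code is also stored on the request under {@code "code"}.
     *
     * @param oAuth2ProtectedResourceDetails the resource, which must be an
     *        {@link AuthorizationCodeResourceDetails}
     * @param accessTokenRequest the current request; its cookie, state key, preserved state and
     *        code may be updated
     * @return the authorization code taken from the redirect location
     * @throws UserApprovalRequiredException if the endpoint answers with status 200
     * @throws UserRedirectRequiredException if the redirect location carries no code
     * @throws IllegalStateException if a non-200 response carries no {@code Location} header
     */
    public String obtainAuthorizationCode(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails, final AccessTokenRequest accessTokenRequest) throws UserRedirectRequiredException, UserApprovalRequiredException, AccessDeniedException, OAuth2AccessDeniedException {
        AuthorizationCodeResourceDetails resource = (AuthorizationCodeResourceDetails) oAuth2ProtectedResourceDetails;
        HttpHeaders headers = getHeadersForAuthorizationRequest(accessTokenRequest);
        MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
        if (accessTokenRequest.containsKey(OAuth2Utils.USER_OAUTH_APPROVAL)) {
            String approval = accessTokenRequest.getFirst(OAuth2Utils.USER_OAUTH_APPROVAL);
            form.set(OAuth2Utils.USER_OAUTH_APPROVAL, approval);
            // A resource without scopes is tolerated here, as it is when the redirect is built.
            List<String> scopes = oAuth2ProtectedResourceDetails.getScope();
            if (scopes != null) {
                for (String scope : scopes) {
                    form.set(this.scopePrefix + scope, approval);
                }
            }
        } else {
            form.putAll(getParametersForAuthorizeRequest(resource, accessTokenRequest));
        }
        this.authorizationRequestEnhancer.enhance(accessTokenRequest, resource, form, headers);

        final ResponseExtractor<ResponseEntity<Void>> delegate = getAuthorizationResponseExtractor();
        ResponseExtractor<ResponseEntity<Void>> cookieCapturingExtractor = new ResponseExtractor<ResponseEntity<Void>>() {
            @Override // org.springframework.web.client.ResponseExtractor
            public ResponseEntity<Void> extractData(ClientHttpResponse clientHttpResponse) throws IOException {
                HttpHeaders responseHeaders = clientHttpResponse.getHeaders();
                if (responseHeaders.containsKey(HttpHeaders.SET_COOKIE)) {
                    // Only the first Set-Cookie header is kept; it is replayed on the next
                    // authorization request made with this AccessTokenRequest.
                    accessTokenRequest.setCookie(responseHeaders.getFirst(HttpHeaders.SET_COOKIE));
                }
                return delegate.extractData(clientHttpResponse);
            }
        };
        ResponseEntity<Void> response = getRestTemplate().execute(resource.getUserAuthorizationUri(), HttpMethod.POST, getRequestCallback(resource, form, headers), cookieCapturingExtractor, form.toSingleValueMap());

        if (response.getStatusCode() == HttpStatus.OK) {
            // A 200 is treated as the approval page, so the caller has to ask the user.
            throw getUserApprovalSignal(resource, accessTokenRequest);
        }
        URI location = response.getHeaders().getLocation();
        if (location == null) {
            // Fail with a clear message instead of a NullPointerException on getQuery().
            throw new IllegalStateException("Authorization endpoint returned status " + response.getStatusCode() + " without a Location header");
        }
        Map<String, String> redirectParameters = OAuth2Utils.extractMap(location.getQuery());
        if (redirectParameters.containsKey(OAuth2Utils.STATE)) {
            // NOTE(review): the state value from the redirect is stored as received; it is not
            // compared with a previously generated key in this method.
            accessTokenRequest.setStateKey(redirectParameters.get(OAuth2Utils.STATE));
            if (accessTokenRequest.getPreservedState() == null) {
                String redirectUri = resource.getRedirectUri(accessTokenRequest);
                // Without a redirect URI a placeholder object still marks state as preserved.
                accessTokenRequest.setPreservedState(redirectUri != null ? redirectUri : new Object());
            }
        }
        String code = redirectParameters.get("code");
        if (code == null) {
            throw new UserRedirectRequiredException(location.toString(), form.toSingleValueMap());
        }
        accessTokenRequest.set("code", code);
        return code;
    }

    /**
     * Creates the extractor that turns the authorization endpoint response into an entity holding
     * only its headers and status code. Subclasses may override it.
     *
     * @return an extractor that ignores the response body
     */
    protected ResponseExtractor<ResponseEntity<Void>> getAuthorizationResponseExtractor() {
        return new ResponseExtractor<ResponseEntity<Void>>() {
            @Override // org.springframework.web.client.ResponseExtractor
            public ResponseEntity<Void> extractData(ClientHttpResponse clientHttpResponse) throws IOException {
                return new ResponseEntity<Void>(clientHttpResponse.getHeaders(), clientHttpResponse.getStatusCode());
            }
        };
    }

    /**
     * Obtains an access token, fetching an authorization code first when the request has none.
     *
     * @param oAuth2ProtectedResourceDetails the resource, which must be an
     *        {@link AuthorizationCodeResourceDetails}
     * @param accessTokenRequest the current request
     * @return the token returned by {@code retrieveToken}
     * @throws UserRedirectRequiredException if the request has neither a code nor a state key, so
     *         the user has to be sent to the authorization endpoint
     */
    @Override // org.springframework.security.oauth2.client.token.AccessTokenProvider
    public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails, AccessTokenRequest accessTokenRequest) throws UserRedirectRequiredException, UserApprovalRequiredException, AccessDeniedException, OAuth2AccessDeniedException {
        AuthorizationCodeResourceDetails resource = (AuthorizationCodeResourceDetails) oAuth2ProtectedResourceDetails;
        if (accessTokenRequest.getAuthorizationCode() == null) {
            if (accessTokenRequest.getStateKey() == null) {
                throw getRedirectForAuthorization(resource, accessTokenRequest);
            }
            obtainAuthorizationCode(resource, accessTokenRequest);
        }
        MultiValueMap<String, String> form = getParametersForTokenRequest(resource, accessTokenRequest);
        return retrieveToken(accessTokenRequest, resource, form, getHeadersForTokenRequest(accessTokenRequest));
    }

    /**
     * Exchanges a refresh token for a new access token.
     *
     * @param oAuth2ProtectedResourceDetails the resource; it is cast to
     *        {@link AuthorizationCodeResourceDetails} when the refresh is denied
     * @param oAuth2RefreshToken the refresh token whose value is sent to the token endpoint
     * @param accessTokenRequest the current request
     * @return the token returned by {@code retrieveToken}
     * @throws UserRedirectRequiredException if the refresh is denied, so that the user is sent
     *         through authorization again
     */
    @Override // org.springframework.security.oauth2.client.token.AccessTokenProvider
    public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails, OAuth2RefreshToken oAuth2RefreshToken, AccessTokenRequest accessTokenRequest) throws UserRedirectRequiredException, OAuth2AccessDeniedException {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
        form.add("grant_type", OAuth2AccessToken.REFRESH_TOKEN);
        form.add(OAuth2AccessToken.REFRESH_TOKEN, oAuth2RefreshToken.getValue());
        try {
            return retrieveToken(accessTokenRequest, oAuth2ProtectedResourceDetails, form, getHeadersForTokenRequest(accessTokenRequest));
        } catch (OAuth2AccessDeniedException e) {
            // Deliberate fallback: a denied refresh restarts the authorization redirect. The
            // original denial is not attached to the exception that is thrown.
            throw getRedirectForAuthorization((AuthorizationCodeResourceDetails) oAuth2ProtectedResourceDetails, accessTokenRequest);
        }
    }

    /** Returns empty headers; nothing from the request is forwarded to the token endpoint. */
    private HttpHeaders getHeadersForTokenRequest(AccessTokenRequest accessTokenRequest) {
        return new HttpHeaders();
    }

    /**
     * Builds the headers for the authorization request: every header held by the request, plus
     * its cookie when one is set.
     *
     * <p>NOTE(review): all headers on the request are copied through unfiltered, so whatever the
     * caller stored there reaches the authorization endpoint.
     */
    private HttpHeaders getHeadersForAuthorizationRequest(AccessTokenRequest accessTokenRequest) {
        HttpHeaders headers = new HttpHeaders();
        headers.putAll(accessTokenRequest.getHeaders());
        String cookie = accessTokenRequest.getCookie();
        if (cookie != null) {
            headers.set(HttpHeaders.COOKIE, cookie);
        }
        return headers;
    }

    /**
     * Builds the form for exchanging the authorization code at the token endpoint.
     *
     * @throws InvalidRequestException if state is expected (a state key is present or state is
     *         mandatory) but no preserved state exists
     */
    private MultiValueMap<String, String> getParametersForTokenRequest(AuthorizationCodeResourceDetails authorizationCodeResourceDetails, AccessTokenRequest accessTokenRequest) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
        form.set("grant_type", "authorization_code");
        form.set("code", accessTokenRequest.getAuthorizationCode());

        Object preservedState = accessTokenRequest.getPreservedState();
        boolean stateExpected = accessTokenRequest.getStateKey() != null || this.stateMandatory;
        if (stateExpected && preservedState == null) {
            throw new InvalidRequestException("Possible CSRF detected - state parameter was required but no state could be found");
        }

        // A String preserved state is the redirect URI used for the authorization request;
        // any other value falls back to the resource's configured redirect URI.
        String redirectUri;
        if (preservedState instanceof String) {
            redirectUri = String.valueOf(preservedState);
        } else {
            redirectUri = authorizationCodeResourceDetails.getRedirectUri(accessTokenRequest);
        }
        // "NONE" suppresses the redirect_uri parameter. It is written as a literal; the previous
        // listing referenced Tomcat's Constants.NONE_TRANSPORT, which has the same value.
        if (redirectUri != null && !"NONE".equals(redirectUri)) {
            form.set(OAuth2Utils.REDIRECT_URI, redirectUri);
        }
        return form;
    }

    /**
     * Builds the parameters for a direct request to the authorization endpoint.
     *
     * @throws InvalidRequestException if the request carries a state key but no preserved state
     */
    private MultiValueMap<String, String> getParametersForAuthorizeRequest(AuthorizationCodeResourceDetails authorizationCodeResourceDetails, AccessTokenRequest accessTokenRequest) {
        MultiValueMap<String, String> form = new LinkedMultiValueMap<String, String>();
        form.set(OAuth2Utils.RESPONSE_TYPE, "code");
        form.set("client_id", authorizationCodeResourceDetails.getClientId());
        // A scope supplied on the request overrides the scopes configured on the resource.
        if (accessTokenRequest.get("scope") != null) {
            form.set("scope", accessTokenRequest.getFirst("scope"));
        } else {
            form.set("scope", OAuth2Utils.formatParameterList(authorizationCodeResourceDetails.getScope()));
        }

        String preEstablishedRedirectUri = authorizationCodeResourceDetails.getPreEstablishedRedirectUri();
        Object preservedState = accessTokenRequest.getPreservedState();
        String redirectUri;
        if (preEstablishedRedirectUri == null && preservedState != null) {
            // No pre-established URI: reuse the URI that was preserved with the state.
            redirectUri = String.valueOf(preservedState);
        } else {
            redirectUri = accessTokenRequest.getCurrentUri();
        }

        String stateKey = accessTokenRequest.getStateKey();
        if (stateKey != null) {
            form.set(OAuth2Utils.STATE, stateKey);
            if (preservedState == null) {
                throw new InvalidRequestException("Possible CSRF detected - state parameter was present but no state could be found");
            }
        }
        if (redirectUri != null) {
            form.set(OAuth2Utils.REDIRECT_URI, redirectUri);
        }
        return form;
    }

    /**
     * Builds the exception that tells the caller to redirect the user to the authorization
     * endpoint, and records a freshly generated state key and the redirect URI on both the
     * exception and the request.
     */
    private UserRedirectRequiredException getRedirectForAuthorization(AuthorizationCodeResourceDetails authorizationCodeResourceDetails, AccessTokenRequest accessTokenRequest) {
        Map<String, String> requestParameters = new TreeMap<String, String>();
        requestParameters.put(OAuth2Utils.RESPONSE_TYPE, "code");
        requestParameters.put("client_id", authorizationCodeResourceDetails.getClientId());
        String redirectUri = authorizationCodeResourceDetails.getRedirectUri(accessTokenRequest);
        if (redirectUri != null) {
            requestParameters.put(OAuth2Utils.REDIRECT_URI, redirectUri);
        }
        if (authorizationCodeResourceDetails.isScoped()) {
            // Space-separated scope list; a scoped resource with a null list yields "".
            StringBuilder joinedScopes = new StringBuilder();
            List<String> scopes = authorizationCodeResourceDetails.getScope();
            if (scopes != null) {
                String separator = "";
                for (String scope : scopes) {
                    joinedScopes.append(separator).append(scope);
                    separator = " ";
                }
            }
            requestParameters.put("scope", joinedScopes.toString());
        }

        UserRedirectRequiredException redirect = new UserRedirectRequiredException(authorizationCodeResourceDetails.getUserAuthorizationUri(), requestParameters);
        String stateKey = this.stateKeyGenerator.generateKey(authorizationCodeResourceDetails);
        redirect.setStateKey(stateKey);
        accessTokenRequest.setStateKey(stateKey);
        // redirectUri may be null here, in which case the preserved state is null as well.
        redirect.setStateToPreserve(redirectUri);
        accessTokenRequest.setPreservedState(redirectUri);
        return redirect;
    }

    /**
     * Builds the exception that tells the caller to ask the user for approval. The approval
     * message contains the client id and the configured scopes. Subclasses may override it.
     */
    protected UserApprovalRequiredException getUserApprovalSignal(AuthorizationCodeResourceDetails authorizationCodeResourceDetails, AccessTokenRequest accessTokenRequest) {
        String clientId = authorizationCodeResourceDetails.getClientId();
        List<String> scopes = authorizationCodeResourceDetails.getScope();
        String message = String.format("Do you approve the client '%s' to access your resources with scope=%s", clientId, scopes);
        return new UserApprovalRequiredException(authorizationCodeResourceDetails.getUserAuthorizationUri(), Collections.singletonMap(OAuth2Utils.USER_OAUTH_APPROVAL, message), authorizationCodeResourceDetails.getClientId(), authorizationCodeResourceDetails.getScope());
    }
}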
