package org.springframework.security.oauth2.provider.verification;

import com.lowagie.text.html.HtmlTags;
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import java.util.TreeSet;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.fop.render.java2d.Java2DRendererContextConstants;
import org.apache.xerces.impl.xs.SchemaSymbols;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth.provider.DefaultRedirectStrategy;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.exceptions.UnapprovedClientAuthenticationException;
import org.springframework.security.oauth2.common.exceptions.UnsupportedResponseTypeException;
import org.springframework.security.oauth2.common.exceptions.UserDeniedVerificationException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-oauth-1.0.0.M2.jar:org/springframework/security/oauth2/provider/verification/VerificationCodeFilter.class */
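/**
 * Servlet filter for the user-authorization step of the OAuth 2 authorization-code flow.
 *
 * <p>{@link #doFilter} records the incoming client request (client id, scope, state and
 * redirect URI) in the {@link ClientAuthenticationCache}; {@link #attemptAuthentication}
 * later turns that cached request plus the current user's authentication into an
 * {@link OAuth2Authentication} and asks the {@link VerificationCodeServices} for a
 * verification code, which is sent to the client by redirect.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Every value appended to a redirect URL is URL-encoded, so a request-supplied
 *       {@code state} or an exception message cannot add extra query parameters or break
 *       the {@code Location} header.</li>
 *   <li>The redirect target on the failure path is the request-supplied redirect URI and is
 *       not checked against the client's registration in this class; see
 *       {@link #unsuccessfulAuthentication}.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: the constants {@code HtmlTags.CODE},
 * {@code Java2DRendererContextConstants.JAVA2D_STATE} and {@code SchemaSymbols.ATTVAL_TOKEN}
 * look like string literals that the decompiler replaced with unrelated library constants
 * of the same value (presumably {@code "code"}, {@code "state"} and {@code "token"}) —
 * verify before relying on them.
 */
public class VerificationCodeFilter extends AbstractAuthenticationProcessingFilter {
    /** Request attribute under which the freshly created verification code is stored. */
    private static final String VERIFICATION_CODE_ATTRIBUTE = VerificationCodeFilter.class.getName() + "#CODE";
    /** Request attribute under which the client's verification token is stored. */
    private static final String VERIFICATION_TOKEN_ATTRIBUTE = VerificationCodeFilter.class.getName() + "#TOKEN";
    /** URL this filter processes unless configured otherwise. */
    public static final String DEFAULT_PROCESSING_URL = "/oauth/user/authorize";
    private ClientDetailsService clientDetailsService;
    private VerificationCodeServices verificationServices;
    private ClientAuthenticationCache authenticationCache;
    private RedirectResolver redirectResolver;
    private RedirectStrategy redirectStrategy;
    // Becomes true once a caller installs its own AuthenticationFailureHandler.
    private boolean customFailureHandling;
    private UserApprovalHandler userApprovalHandler;
    private AuthenticationFailureHandler unapprovedAuthenticationHandler;

    /**
     * Creates the filter on {@link #DEFAULT_PROCESSING_URL} with default cache, redirect
     * resolver and redirect strategy, and an empty {@link ProviderManager}.
     */
    public VerificationCodeFilter() {
        super(DEFAULT_PROCESSING_URL);
        this.authenticationCache = new DefaultClientAuthenticationCache();
        this.redirectResolver = new DefaultRedirectResolver();
        this.redirectStrategy = new DefaultRedirectStrategy();
        this.customFailureHandling = false;
        setAuthenticationManager(new ProviderManager());
    }

    /**
     * Verifies that every collaborator this filter dereferences has been supplied.
     *
     * @throws IllegalArgumentException if a required collaborator is {@code null}
     */
    @Override
    public void afterPropertiesSet() {
        super.afterPropertiesSet();
        Assert.notNull(this.clientDetailsService, "A client details service must be supplied.");
        Assert.notNull(this.verificationServices, "Verification code services must be supplied.");
        Assert.notNull(this.redirectResolver, "A redirect resolver must be supplied.");
        Assert.notNull(this.authenticationCache, "An authentication cache must be supplied.");
        Assert.notNull(this.redirectStrategy, "A redirect strategy must be supplied.");
        Assert.notNull(this.userApprovalHandler, "A user approval handler must be supplied.");
    }

    /**
     * Captures an authorization-code request before handing over to the standard
     * authentication-processing filter.
     *
     * <p>When {@code response_type} matches the code constant, a
     * {@link VerificationCodeAuthenticationToken} is built from the {@code client_id},
     * {@code scope}, state and {@code redirect_uri} request parameters and saved in the
     * authentication cache. A request without {@code client_id} is reported through
     * {@link #unsuccessfulAuthentication} and processing stops.
     *
     * @throws UnsupportedResponseTypeException for the token and {@code code_and_token}
     *         response types
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String responseType = request.getParameter("response_type");
        // HtmlTags.CODE: decompiler artifact, presumably the literal "code" — verify.
        if (HtmlTags.CODE.equals(responseType)) {
            String clientId = request.getParameter("client_id");
            String redirectUri = request.getParameter("redirect_uri");
            TreeSet<String> scope = new TreeSet<String>();
            String scopeParameter = request.getParameter("scope");
            if (scopeParameter != null) {
                // The pattern is a character class: it splits on a whitespace character, '+' or ','.
                scope.addAll(Arrays.asList(scopeParameter.split("[\\s+,]")));
            }
            // JAVA2D_STATE: decompiler artifact, presumably the literal "state" — verify.
            VerificationCodeAuthenticationToken token = new VerificationCodeAuthenticationToken(clientId, scope, request.getParameter(Java2DRendererContextConstants.JAVA2D_STATE), redirectUri);
            if (clientId == null) {
                // NOTE(review): with no client_id there is no client to validate redirect_uri
                // against, yet the failure path below redirects to the request-supplied URI.
                request.setAttribute(VERIFICATION_TOKEN_ATTRIBUTE, token);
                unsuccessfulAuthentication(request, response, new InvalidClientException("A client_id parameter must be supplied."));
                return;
            }
            getAuthenticationCache().saveAuthentication(token, request, response);
        } else {
            // ATTVAL_TOKEN: decompiler artifact, presumably the literal "token" — verify.
            if (SchemaSymbols.ATTVAL_TOKEN.equals(responseType)) {
                throw new UnsupportedResponseTypeException("Unsupported response type: token.");
            }
            if ("code_and_token".equals(responseType)) {
                throw new UnsupportedResponseTypeException("Unsupported response type: code_and_token.");
            }
        }
        super.doFilter(request, response, filterChain);
    }

    /**
     * Combines the cached client request with the current user's authentication and
     * creates a verification code for it.
     *
     * @return the {@link OAuth2Authentication} pairing the client token with the user
     * @throws InsufficientAuthenticationException if no authenticated user is present or no
     *         client request has been cached
     * @throws OAuth2Exception if the user denied or has not approved the request, the client
     *         id is missing, or no redirect could be resolved; the request's state is
     *         attached to the exception when present
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        Authentication userAuthentication = SecurityContextHolder.getContext().getAuthentication();
        // The security context can be empty; treat that like an unauthenticated user
        // instead of failing with a NullPointerException.
        if (userAuthentication == null || !userAuthentication.isAuthenticated()) {
            throw new InsufficientAuthenticationException("User must be authenticated before authorizing an access token.");
        }
        VerificationCodeAuthenticationToken clientToken = getAuthenticationCache().getAuthentication(httpServletRequest, httpServletResponse);
        if (clientToken == null) {
            throw new InsufficientAuthenticationException("No client authentication request has been issued.");
        }
        // Made available to unsuccessfulAuthentication, which reads it back for the error redirect.
        httpServletRequest.setAttribute(VERIFICATION_TOKEN_ATTRIBUTE, clientToken);
        try {
            if (clientToken.isDenied()) {
                throw new UserDeniedVerificationException("User denied authentication.");
            }
            if (!getUserApprovalHandler().isApproved(clientToken)) {
                throw new UnapprovedClientAuthenticationException("The client authentication hasn't been approved by the current user.");
            }
            String clientId = clientToken.getClientId();
            if (clientId == null) {
                throw new InvalidClientException("Invalid authentication request (no client id).");
            }
            ClientDetails client = getClientDetailsService().loadClientByClientId(clientId);
            // NOTE(review): the resolved redirect is only null-checked and then discarded;
            // successfulAuthentication redirects to the *requested* URI. Whether the resolver
            // rejects a URI that does not match the client's registration is not visible here.
            if (getRedirectResolver().resolveRedirect(clientToken.getRequestedRedirect(), client) == null) {
                throw new OAuth2Exception("A redirect_uri must be supplied.");
            }
            getAuthenticationCache().removeAuthentication(httpServletRequest, httpServletResponse);
            OAuth2Authentication<? extends VerificationCodeAuthenticationToken, ? extends Authentication> oAuth2Authentication = new OAuth2Authentication<>(clientToken, userAuthentication);
            httpServletRequest.setAttribute(VERIFICATION_CODE_ATTRIBUTE, getVerificationServices().createVerificationCode(oAuth2Authentication));
            return oAuth2Authentication;
        } catch (OAuth2Exception e) {
            if (clientToken.getState() != null) {
                e.addAdditionalInformation(Java2DRendererContextConstants.JAVA2D_STATE, clientToken.getState());
            }
            throw e;
        }
    }

    /**
     * Redirects the user agent to the client's requested redirect URI, carrying the
     * verification code and, when present, the client's state.
     *
     * @throws IllegalStateException if the request holds no verification code or the client
     *         token has no requested redirect URI
     */
    @Override
    protected void successfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
        OAuth2Authentication oAuth2Authentication = (OAuth2Authentication) authentication;
        String verificationCode = (String) httpServletRequest.getAttribute(VERIFICATION_CODE_ATTRIBUTE);
        if (verificationCode == null) {
            throw new IllegalStateException("No verification code found in the current request scope.");
        }
        VerificationCodeAuthenticationToken clientToken = (VerificationCodeAuthenticationToken) oAuth2Authentication.getClientAuthentication();
        String requestedRedirect = clientToken.getRequestedRedirect();
        if (requestedRedirect == null) {
            // attemptAuthentication only checks the resolved redirect, so the requested one
            // can still be absent here; fail with a clear message rather than an NPE.
            throw new IllegalStateException("No redirect URI found for the client authentication.");
        }
        String state = clientToken.getState();
        StringBuilder target = beginQuery(requestedRedirect);
        target.append("code=").append(encodeQueryComponent(verificationCode));
        if (state != null) {
            // state is echoed from the request; encode it so it stays a single parameter value.
            target.append("&state=").append(encodeQueryComponent(state));
        }
        getRedirectStrategy().sendRedirect(httpServletRequest, httpServletResponse, target.toString());
    }

    /**
     * Handles a failed authorization attempt.
     *
     * <p>With a custom failure handler installed the superclass handles the failure. An
     * {@link UnapprovedClientAuthenticationException} goes to the unapproved-authentication
     * handler. Any other {@link OAuth2Exception} is reported to the client by redirecting to
     * the requested redirect URI with {@code error}, {@code error_description} and the
     * exception's additional information as query parameters.
     *
     * <p>NOTE(review): the redirect target is the URI supplied with the request. Nothing in
     * this method checks it against the client's registered redirect URIs, and the missing
     * {@code client_id} path in {@link #doFilter} reaches this code with no client at all.
     * Consider redirecting only to a URI the {@link RedirectResolver} has accepted and
     * reporting the error locally otherwise.
     *
     * @throws AccessDeniedException if the request is unapproved and no handler is configured
     * @throws AuthenticationException if the failure is not an OAuth 2 error, or there is no
     *         redirect URI to report it to
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override
    public void unsuccessfulAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException, ServletException {
        if (this.customFailureHandling) {
            super.unsuccessfulAuthentication(httpServletRequest, httpServletResponse, authenticationException);
            return;
        }
        if (authenticationException instanceof UnapprovedClientAuthenticationException) {
            if (this.unapprovedAuthenticationHandler == null) {
                throw new AccessDeniedException("User failed to approve client authentication.");
            }
            this.unapprovedAuthenticationHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, authenticationException);
            return;
        }
        if (!(authenticationException instanceof OAuth2Exception)) {
            throw authenticationException;
        }
        OAuth2Exception oAuth2Exception = (OAuth2Exception) authenticationException;
        VerificationCodeAuthenticationToken clientToken = (VerificationCodeAuthenticationToken) httpServletRequest.getAttribute(VERIFICATION_TOKEN_ATTRIBUTE);
        if (clientToken == null || clientToken.getRequestedRedirect() == null) {
            throw new UnapprovedClientAuthenticationException("Verification failure, and no redirect URI.", authenticationException);
        }
        StringBuilder target = beginQuery(clientToken.getRequestedRedirect());
        target.append("error=").append(encodeQueryComponent(oAuth2Exception.getOAuth2ErrorCode()));
        // Exception messages contain spaces and may echo request data; encode them.
        target.append("&error_description=").append(encodeQueryComponent(oAuth2Exception.getMessage()));
        Map<String, String> additionalInformation = oAuth2Exception.getAdditionalInformation();
        if (additionalInformation != null) {
            for (Map.Entry<String, String> entry : additionalInformation.entrySet()) {
                // Includes the request-supplied state added in attemptAuthentication.
                target.append('&').append(encodeQueryComponent(entry.getKey())).append('=').append(encodeQueryComponent(entry.getValue()));
            }
        }
        getRedirectStrategy().sendRedirect(httpServletRequest, httpServletResponse, target.toString());
    }

    /** Starts a redirect URL from {@code base}, appending '?' or '&' as the query separator. */
    private static StringBuilder beginQuery(String base) {
        StringBuilder builder = new StringBuilder(base);
        builder.append(base.indexOf('?') < 0 ? '?' : '&');
        return builder;
    }

    /** URL-encodes one query-string name or value as UTF-8; {@code null} becomes the empty string. */
    private static String encodeQueryComponent(String value) {
        if (value == null) {
            return "";
        }
        try {
            return java.net.URLEncoder.encode(value, "UTF-8");
        } catch (java.io.UnsupportedEncodingException e) {
            // UTF-8 is a charset every Java platform must support.
            throw new IllegalStateException("UTF-8 encoding is not available.", e);
        }
    }

    /** @return the service used to look up client details by client id */
    public ClientDetailsService getClientDetailsService() {
        return this.clientDetailsService;
    }

    /** @param clientDetailsService the service used to look up client details by client id */
    @Autowired
    public void setClientDetailsService(ClientDetailsService clientDetailsService) {
        this.clientDetailsService = clientDetailsService;
    }

    /** @return the services that create verification codes */
    public VerificationCodeServices getVerificationServices() {
        return this.verificationServices;
    }

    /** @param verificationCodeServices the services that create verification codes */
    @Autowired
    public void setVerificationServices(VerificationCodeServices verificationCodeServices) {
        this.verificationServices = verificationCodeServices;
    }

    /** @return the resolver applied to the requested redirect URI and the client details */
    public RedirectResolver getRedirectResolver() {
        return this.redirectResolver;
    }

    /** @param redirectResolver the resolver applied to the requested redirect URI and the client details */
    public void setRedirectResolver(RedirectResolver redirectResolver) {
        this.redirectResolver = redirectResolver;
    }

    /** @return the cache holding the client request between filter invocations */
    public ClientAuthenticationCache getAuthenticationCache() {
        return this.authenticationCache;
    }

    /** @param clientAuthenticationCache the cache holding the client request between filter invocations */
    public void setAuthenticationCache(ClientAuthenticationCache clientAuthenticationCache) {
        this.authenticationCache = clientAuthenticationCache;
    }

    /** @return the strategy used to send redirects */
    public RedirectStrategy getRedirectStrategy() {
        return this.redirectStrategy;
    }

    /** @param redirectStrategy the strategy used to send redirects */
    public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
        this.redirectStrategy = redirectStrategy;
    }

    /**
     * Installs a custom failure handler and switches {@link #unsuccessfulAuthentication}
     * to delegate every failure to the superclass.
     */
    @Override
    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        super.setAuthenticationFailureHandler(authenticationFailureHandler);
        this.customFailureHandling = true;
    }

    /** @return the handler that decides whether the user approved the client request */
    public UserApprovalHandler getUserApprovalHandler() {
        return this.userApprovalHandler;
    }

    /** @param userApprovalHandler the handler that decides whether the user approved the client request */
    public void setUserApprovalHandler(UserApprovalHandler userApprovalHandler) {
        this.userApprovalHandler = userApprovalHandler;
    }

    /** @return the handler invoked when the user has not approved the client request, or {@code null} */
    public AuthenticationFailureHandler getUnapprovedAuthenticationHandler() {
        return this.unapprovedAuthenticationHandler;
    }

    /** @param authenticationFailureHandler the handler invoked when the user has not approved the client request */
    public void setUnapprovedAuthenticationHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        this.unapprovedAuthenticationHandler = authenticationFailureHandler;
    }
}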
