package org.springframework.security.config.annotation.web.configurers.oauth2.server.resource;

import java.util.function.Supplier;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.ApplicationContext;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.access.BearerTokenAccessDeniedHandler;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;

/* loaded from: input_file:WEB-INF/lib/spring-security-config-5.2.12.RELEASE.jar:org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.class */
/**
 * Wires OAuth 2.0 resource-server (bearer token) authentication into an
 * {@link HttpSecurityBuilder}.
 *
 * <p>Exactly one validation strategy must be chosen before {@link #init} runs: {@link #jwt()},
 * {@link #opaqueToken()}, or a custom {@link #authenticationManagerResolver}. Any other
 * combination is rejected with an {@link IllegalStateException} during {@code init}, so a
 * misconfigured chain fails at start-up rather than at request time.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Requests for which the {@link BearerTokenResolver} yields a token are excluded from CSRF
 *       protection (see {@code registerDefaultCsrfOverride}). That exemption is only sound while
 *       the token travels in something a browser does not attach on its own. Review any custom
 *       resolver that reads the token from a cookie or another ambient credential.</li>
 *   <li>Supplying an explicit {@link AuthenticationManager} on the JWT or opaque-token configurer
 *       means no {@link AuthenticationProvider} is registered here; the supplied manager is then
 *       solely responsible for validating tokens.</li>
 * </ul>
 */
public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<OAuth2ResourceServerConfigurer<H>, H> {
    private final ApplicationContext context;
    private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;
    private BearerTokenResolver bearerTokenResolver;
    private OAuth2ResourceServerConfigurer<H>.JwtConfigurer jwtConfigurer;
    private OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer opaqueTokenConfigurer;
    private AccessDeniedHandler accessDeniedHandler = new BearerTokenAccessDeniedHandler();
    private AuthenticationEntryPoint authenticationEntryPoint = new BearerTokenAuthenticationEntryPoint();
    private BearerTokenRequestMatcher requestMatcher = new BearerTokenRequestMatcher();

    /**
     * Matches requests that carry a bearer token according to the configured resolver.
     *
     * <p>The same matcher instance scopes the access-denied handler, the authentication entry
     * point and the CSRF exemption. The decompiler reports that it widened this class's access
     * modifier; the original declaration was {@code private}.
     */
    public static final class BearerTokenRequestMatcher implements RequestMatcher {
        // Assigned in configure(); the matcher is registered earlier (init) but only consulted per request.
        private BearerTokenResolver bearerTokenResolver;

        private BearerTokenRequestMatcher() {
        }

        /**
         * Reports whether the resolver finds a token on the request.
         *
         * <p>A resolver failure ({@link OAuth2AuthenticationException}) counts as "no match", so
         * such a request keeps CSRF protection and is not routed to the bearer-token handlers
         * by this matcher.
         *
         * @param httpServletRequest the incoming request
         * @return {@code true} only when a non-null token was resolved
         */
        @Override // org.springframework.security.web.util.matcher.RequestMatcher
        public boolean matches(HttpServletRequest httpServletRequest) {
            boolean tokenPresent;
            try {
                tokenPresent = this.bearerTokenResolver.resolve(httpServletRequest) != null;
            } catch (OAuth2AuthenticationException ignored) {
                // The resolver rejected the request outright; treat it as not carrying a token.
                tokenPresent = false;
            }
            return tokenPresent;
        }

        /**
         * Sets the resolver used by {@link #matches}.
         *
         * @param bearerTokenResolver the resolver; must not be {@code null}
         */
        public void setBearerTokenResolver(BearerTokenResolver bearerTokenResolver) {
            Assert.notNull(bearerTokenResolver, "resolver cannot be null");
            this.bearerTokenResolver = bearerTokenResolver;
        }
    }

    /**
     * Fluent configuration for validating bearer tokens as JWTs.
     */
    public class JwtConfigurer {
        private final ApplicationContext context;
        private AuthenticationManager authenticationManager;
        private JwtDecoder decoder;
        private Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter = new JwtAuthenticationConverter();

        JwtConfigurer(ApplicationContext applicationContext) {
            this.context = applicationContext;
        }

        /**
         * Replaces the authentication manager used for JWT bearer tokens.
         *
         * <p>Once set, {@link #getAuthenticationProvider()} returns {@code null}, so the decoder
         * and converter configured on this object are no longer wired in by this class.
         *
         * @param authenticationManager the manager; must not be {@code null}
         * @return this configurer
         */
        public OAuth2ResourceServerConfigurer<H>.JwtConfigurer authenticationManager(AuthenticationManager authenticationManager) {
            Assert.notNull(authenticationManager, "authenticationManager cannot be null");
            this.authenticationManager = authenticationManager;
            return this;
        }

        /**
         * Sets the decoder that parses and verifies incoming JWTs.
         *
         * <p>No null check is made here; a {@code null} value makes {@link #getJwtDecoder()}
         * fall back to the {@link JwtDecoder} bean in the application context.
         *
         * @param jwtDecoder the decoder to use
         * @return this configurer
         */
        public OAuth2ResourceServerConfigurer<H>.JwtConfigurer decoder(JwtDecoder jwtDecoder) {
            this.decoder = jwtDecoder;
            return this;
        }

        /**
         * Builds a {@link NimbusJwtDecoder} that fetches its verification keys from the given
         * JWK Set URI and uses it as the decoder.
         *
         * <p>The keys served at this URI decide which signatures are trusted, so it should be an
         * HTTPS endpoint controlled by the token issuer. This method configures nothing beyond
         * the URI; if issuer or audience checks are required, presumably they have to be set on
         * a decoder passed through {@link #decoder(JwtDecoder)} (confirm against the decoder's
         * defaults).
         *
         * @param str the JWK Set URI
         * @return this configurer
         */
        public OAuth2ResourceServerConfigurer<H>.JwtConfigurer jwkSetUri(String str) {
            this.decoder = NimbusJwtDecoder.withJwkSetUri(str).build();
            return this;
        }

        /**
         * Sets the converter that turns a verified {@link Jwt} into an authentication token,
         * which is where claims are mapped to granted authorities.
         *
         * @param converter the converter to use; not null-checked here
         * @return this configurer
         */
        public OAuth2ResourceServerConfigurer<H>.JwtConfigurer jwtAuthenticationConverter(Converter<Jwt, ? extends AbstractAuthenticationToken> converter) {
            this.jwtAuthenticationConverter = converter;
            return this;
        }

        /**
         * Returns to the enclosing resource-server configurer.
         *
         * @return the enclosing configurer
         */
        public OAuth2ResourceServerConfigurer<H> and() {
            return OAuth2ResourceServerConfigurer.this;
        }

        Converter<Jwt, ? extends AbstractAuthenticationToken> getJwtAuthenticationConverter() {
            return this.jwtAuthenticationConverter;
        }

        /**
         * Returns the explicitly configured decoder, or the {@link JwtDecoder} bean from the
         * application context when none was configured.
         */
        JwtDecoder getJwtDecoder() {
            if (this.decoder != null) {
                return this.decoder;
            }
            return (JwtDecoder) this.context.getBean(JwtDecoder.class);
        }

        /**
         * Creates the post-processed {@link JwtAuthenticationProvider}, or returns {@code null}
         * when a custom authentication manager has taken over validation.
         */
        AuthenticationProvider getAuthenticationProvider() {
            if (this.authenticationManager != null) {
                return null;
            }
            JwtDecoder resolvedDecoder = getJwtDecoder();
            Converter<Jwt, ? extends AbstractAuthenticationToken> tokenConverter = getJwtAuthenticationConverter();
            JwtAuthenticationProvider provider = new JwtAuthenticationProvider(resolvedDecoder);
            provider.setJwtAuthenticationConverter(tokenConverter);
            return (AuthenticationProvider) OAuth2ResourceServerConfigurer.this.postProcess(provider);
        }

        /**
         * Returns the custom manager if one was set, otherwise the builder's shared
         * {@link AuthenticationManager}.
         */
        AuthenticationManager getAuthenticationManager(H h) {
            if (this.authenticationManager != null) {
                return this.authenticationManager;
            }
            return (AuthenticationManager) h.getSharedObject(AuthenticationManager.class);
        }
    }

    /**
     * Fluent configuration for validating opaque bearer tokens through token introspection.
     */
    public class OpaqueTokenConfigurer {
        private final ApplicationContext context;
        private AuthenticationManager authenticationManager;
        private String introspectionUri;
        private String clientId;
        // Held as a plain String for the lifetime of this configurer; keep it out of logs and toString output.
        private String clientSecret;
        private Supplier<OpaqueTokenIntrospector> introspector;

        OpaqueTokenConfigurer(ApplicationContext applicationContext) {
            this.context = applicationContext;
        }

        /**
         * Replaces the authentication manager used for opaque bearer tokens.
         *
         * <p>Once set, {@link #getAuthenticationProvider()} returns {@code null} and the
         * introspector configured on this object is not wired in by this class.
         *
         * @param authenticationManager the manager; must not be {@code null}
         * @return this configurer
         */
        public OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer authenticationManager(AuthenticationManager authenticationManager) {
            Assert.notNull(authenticationManager, "authenticationManager cannot be null");
            this.authenticationManager = authenticationManager;
            return this;
        }

        /**
         * Sets the introspection endpoint and selects the Nimbus-based introspector.
         *
         * <p>The introspector is built lazily from the URI and client credentials held at that
         * moment, so this call and {@link #introspectionClientCredentials} may come in either
         * order. Bearer tokens and the client credentials are handed to an introspector bound to
         * this URI, so it should be an HTTPS endpoint of the authorization server.
         *
         * @param str the introspection URI; must not be {@code null}
         * @return this configurer
         */
        public OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer introspectionUri(String str) {
            Assert.notNull(str, "introspectionUri cannot be null");
            this.introspectionUri = str;
            this.introspector = this::nimbusIntrospector;
            return this;
        }

        /**
         * Sets the client credentials used against the introspection endpoint and selects the
         * Nimbus-based introspector.
         *
         * @param str the client id; must not be {@code null}
         * @param str2 the client secret; must not be {@code null}
         * @return this configurer
         */
        public OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer introspectionClientCredentials(String str, String str2) {
            Assert.notNull(str, "clientId cannot be null");
            Assert.notNull(str2, "clientSecret cannot be null");
            this.clientId = str;
            this.clientSecret = str2;
            this.introspector = this::nimbusIntrospector;
            return this;
        }

        /**
         * Uses the given introspector as-is, replacing any URI/credential based one.
         *
         * @param opaqueTokenIntrospector the introspector; must not be {@code null}
         * @return this configurer
         */
        public OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer introspector(OpaqueTokenIntrospector opaqueTokenIntrospector) {
            Assert.notNull(opaqueTokenIntrospector, "introspector cannot be null");
            this.introspector = () -> opaqueTokenIntrospector;
            return this;
        }

        /**
         * Returns the configured introspector, or the {@link OpaqueTokenIntrospector} bean from
         * the application context when none was configured. A URI/credential based introspector
         * is created anew on each call.
         */
        OpaqueTokenIntrospector getIntrospector() {
            if (this.introspector == null) {
                return (OpaqueTokenIntrospector) this.context.getBean(OpaqueTokenIntrospector.class);
            }
            return this.introspector.get();
        }

        /**
         * Creates the {@link OpaqueTokenAuthenticationProvider}, or returns {@code null} when a
         * custom authentication manager has taken over validation.
         */
        AuthenticationProvider getAuthenticationProvider() {
            return this.authenticationManager == null
                    ? new OpaqueTokenAuthenticationProvider(getIntrospector())
                    : null;
        }

        /**
         * Returns the custom manager if one was set, otherwise the builder's shared
         * {@link AuthenticationManager}.
         */
        AuthenticationManager getAuthenticationManager(H h) {
            if (this.authenticationManager != null) {
                return this.authenticationManager;
            }
            return (AuthenticationManager) h.getSharedObject(AuthenticationManager.class);
        }

        // Reads the fields when invoked, not when the supplier is installed, so later setter calls are honoured.
        private OpaqueTokenIntrospector nimbusIntrospector() {
            return new NimbusOpaqueTokenIntrospector(this.introspectionUri, this.clientId, this.clientSecret);
        }
    }

    /**
     * Creates the configurer.
     *
     * @param applicationContext the context consulted for fallback beans; must not be {@code null}
     */
    public OAuth2ResourceServerConfigurer(ApplicationContext applicationContext) {
        Assert.notNull(applicationContext, "context cannot be null");
        this.context = applicationContext;
    }

    /**
     * Sets the handler invoked when an authenticated bearer request is denied access.
     *
     * @param accessDeniedHandler the handler; must not be {@code null}
     * @return this configurer
     */
    public OAuth2ResourceServerConfigurer<H> accessDeniedHandler(AccessDeniedHandler accessDeniedHandler) {
        Assert.notNull(accessDeniedHandler, "accessDeniedHandler cannot be null");
        this.accessDeniedHandler = accessDeniedHandler;
        return this;
    }

    /**
     * Sets the entry point used by the bearer-token filter and registered as the default entry
     * point for bearer requests.
     *
     * @param authenticationEntryPoint the entry point; must not be {@code null}
     * @return this configurer
     */
    public OAuth2ResourceServerConfigurer<H> authenticationEntryPoint(AuthenticationEntryPoint authenticationEntryPoint) {
        Assert.notNull(authenticationEntryPoint, "entryPoint cannot be null");
        this.authenticationEntryPoint = authenticationEntryPoint;
        return this;
    }

    /**
     * Sets a resolver that picks the {@link AuthenticationManager} per request.
     *
     * <p>This is mutually exclusive with {@link #jwt()} and {@link #opaqueToken()}; combining
     * them makes {@link #init} throw.
     *
     * @param authenticationManagerResolver the resolver; must not be {@code null}
     * @return this configurer
     */
    public OAuth2ResourceServerConfigurer<H> authenticationManagerResolver(AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver) {
        Assert.notNull(authenticationManagerResolver, "authenticationManagerResolver cannot be null");
        this.authenticationManagerResolver = authenticationManagerResolver;
        return this;
    }

    /**
     * Sets how the bearer token is extracted from a request.
     *
     * <p>The same resolver drives the CSRF exemption, so whatever makes it return a token also
     * switches CSRF protection off for that request.
     *
     * @param bearerTokenResolver the resolver; must not be {@code null}
     * @return this configurer
     */
    public OAuth2ResourceServerConfigurer<H> bearerTokenResolver(BearerTokenResolver bearerTokenResolver) {
        Assert.notNull(bearerTokenResolver, "bearerTokenResolver cannot be null");
        this.bearerTokenResolver = bearerTokenResolver;
        return this;
    }

    /**
     * Enables JWT validation and returns its configurer, creating it on first use.
     *
     * @return the JWT configurer
     */
    public OAuth2ResourceServerConfigurer<H>.JwtConfigurer jwt() {
        return ensureJwtConfigurer();
    }

    /**
     * Enables JWT validation and applies the given customizer to its configurer.
     *
     * @param customizer callback that configures JWT support
     * @return this configurer
     */
    public OAuth2ResourceServerConfigurer<H> jwt(Customizer<OAuth2ResourceServerConfigurer<H>.JwtConfigurer> customizer) {
        OAuth2ResourceServerConfigurer<H>.JwtConfigurer target = ensureJwtConfigurer();
        customizer.customize(target);
        return this;
    }

    /**
     * Enables opaque-token validation and returns its configurer, creating it on first use.
     *
     * @return the opaque-token configurer
     */
    public OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer opaqueToken() {
        return ensureOpaqueTokenConfigurer();
    }

    /**
     * Enables opaque-token validation and applies the given customizer to its configurer.
     *
     * @param customizer callback that configures opaque-token support
     * @return this configurer
     */
    public OAuth2ResourceServerConfigurer<H> opaqueToken(Customizer<OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer> customizer) {
        OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer target = ensureOpaqueTokenConfigurer();
        customizer.customize(target);
        return this;
    }

    /**
     * Validates the configuration, registers the bearer-specific exception handling and CSRF
     * exemption, and contributes the token authentication provider when there is one.
     *
     * @throws IllegalStateException if the token-format configuration is missing or conflicting
     */
    @Override // org.springframework.security.config.annotation.SecurityConfigurerAdapter, org.springframework.security.config.annotation.SecurityConfigurer
    public void init(H h) {
        validateConfiguration();
        registerDefaultAccessDeniedHandler(h);
        registerDefaultEntryPoint(h);
        registerDefaultCsrfOverride(h);
        AuthenticationProvider tokenProvider = getAuthenticationProvider();
        if (tokenProvider == null) {
            // A custom manager or manager resolver is in charge; nothing to register here.
            return;
        }
        h.authenticationProvider(tokenProvider);
    }

    /**
     * Builds the {@link BearerTokenAuthenticationFilter} and adds it to the filter chain.
     */
    @Override // org.springframework.security.config.annotation.SecurityConfigurerAdapter, org.springframework.security.config.annotation.SecurityConfigurer
    public void configure(H h) {
        BearerTokenResolver tokenResolver = getBearerTokenResolver();
        // The matcher and the filter share one resolver, so they agree on what a bearer request is.
        this.requestMatcher.setBearerTokenResolver(tokenResolver);
        AuthenticationManagerResolver<HttpServletRequest> managerResolver = this.authenticationManagerResolver;
        if (managerResolver == null) {
            AuthenticationManager fixedManager = getAuthenticationManager(h);
            managerResolver = request -> fixedManager;
        }
        BearerTokenAuthenticationFilter bearerFilter = new BearerTokenAuthenticationFilter(managerResolver);
        bearerFilter.setBearerTokenResolver(tokenResolver);
        bearerFilter.setAuthenticationEntryPoint(this.authenticationEntryPoint);
        BearerTokenAuthenticationFilter processedFilter = (BearerTokenAuthenticationFilter) postProcess(bearerFilter);
        h.addFilter(processedFilter);
    }

    // Fails fast on an ambiguous or empty token-format configuration.
    private void validateConfiguration() {
        boolean jwtEnabled = this.jwtConfigurer != null;
        boolean opaqueEnabled = this.opaqueTokenConfigurer != null;
        if (this.authenticationManagerResolver != null) {
            if (jwtEnabled || opaqueEnabled) {
                throw new IllegalStateException("If an authenticationManagerResolver() is configured, then it takes precedence over any jwt() or opaqueToken() configuration.");
            }
            return;
        }
        if (!jwtEnabled && !opaqueEnabled) {
            throw new IllegalStateException("Jwt and Opaque Token are the only supported formats for bearer tokens in Spring Security and neither was found. Make sure to configure JWT via http.oauth2ResourceServer().jwt() or Opaque Tokens via http.oauth2ResourceServer().opaqueToken().");
        }
        if (jwtEnabled && opaqueEnabled) {
            throw new IllegalStateException("Spring Security only supports JWTs or Opaque Tokens, not both at the same time.");
        }
    }

    // Scopes the access-denied handler to bearer requests, if exception handling is configured.
    private void registerDefaultAccessDeniedHandler(H h) {
        ExceptionHandlingConfigurer exceptionHandling = (ExceptionHandlingConfigurer) h.getConfigurer(ExceptionHandlingConfigurer.class);
        if (exceptionHandling != null) {
            exceptionHandling.defaultAccessDeniedHandlerFor(this.accessDeniedHandler, this.requestMatcher);
        }
    }

    // Scopes the authentication entry point to bearer requests, if exception handling is configured.
    private void registerDefaultEntryPoint(H h) {
        ExceptionHandlingConfigurer exceptionHandling = (ExceptionHandlingConfigurer) h.getConfigurer(ExceptionHandlingConfigurer.class);
        if (exceptionHandling != null) {
            exceptionHandling.defaultAuthenticationEntryPointFor(this.authenticationEntryPoint, this.requestMatcher);
        }
    }

    // Exempts bearer requests from CSRF checks. The exemption follows the resolver: it applies to
    // every request for which the resolver returns a token, wherever that token was read from.
    private void registerDefaultCsrfOverride(H h) {
        CsrfConfigurer csrf = (CsrfConfigurer) h.getConfigurer(CsrfConfigurer.class);
        if (csrf != null) {
            csrf.ignoringRequestMatchers(this.requestMatcher);
        }
    }

    /**
     * Returns the provider of whichever token format is configured (JWT is consulted first), or
     * {@code null} when neither is configured or the chosen one delegates to a custom manager.
     */
    AuthenticationProvider getAuthenticationProvider() {
        AuthenticationProvider provider = null;
        if (this.jwtConfigurer != null) {
            provider = this.jwtConfigurer.getAuthenticationProvider();
        } else if (this.opaqueTokenConfigurer != null) {
            provider = this.opaqueTokenConfigurer.getAuthenticationProvider();
        }
        return provider;
    }

    /**
     * Returns the manager of whichever token format is configured (JWT is consulted first),
     * falling back to the builder's shared {@link AuthenticationManager}.
     */
    AuthenticationManager getAuthenticationManager(H h) {
        if (this.jwtConfigurer != null) {
            return this.jwtConfigurer.getAuthenticationManager(h);
        }
        if (this.opaqueTokenConfigurer != null) {
            return this.opaqueTokenConfigurer.getAuthenticationManager(h);
        }
        return (AuthenticationManager) h.getSharedObject(AuthenticationManager.class);
    }

    /**
     * Returns the bearer token resolver, choosing it on first call: the explicitly configured
     * one, else a {@link BearerTokenResolver} bean from the context, else a
     * {@link DefaultBearerTokenResolver}. The choice is cached in this configurer.
     */
    BearerTokenResolver getBearerTokenResolver() {
        if (this.bearerTokenResolver != null) {
            return this.bearerTokenResolver;
        }
        boolean beanAvailable = this.context.getBeanNamesForType(BearerTokenResolver.class).length > 0;
        if (beanAvailable) {
            this.bearerTokenResolver = (BearerTokenResolver) this.context.getBean(BearerTokenResolver.class);
        } else {
            this.bearerTokenResolver = new DefaultBearerTokenResolver();
        }
        return this.bearerTokenResolver;
    }

    // Lazily creates the JWT configurer so repeated jwt() calls share one instance.
    private OAuth2ResourceServerConfigurer<H>.JwtConfigurer ensureJwtConfigurer() {
        if (this.jwtConfigurer == null) {
            this.jwtConfigurer = new JwtConfigurer(this.context);
        }
        return this.jwtConfigurer;
    }

    // Lazily creates the opaque-token configurer so repeated opaqueToken() calls share one instance.
    private OAuth2ResourceServerConfigurer<H>.OpaqueTokenConfigurer ensureOpaqueTokenConfigurer() {
        if (this.opaqueTokenConfigurer == null) {
            this.opaqueTokenConfigurer = new OpaqueTokenConfigurer(this.context);
        }
        return this.opaqueTokenConfigurer;
    }
}
