package org.springframework.security.oauth2.client.web.reactive.function.client;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.springframework.beans.propertyeditors.StringArrayPropertyEditor;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.Elements;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.oauth2.client.ClientAuthorizationException;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ExchangeFunction;
import org.springframework.web.reactive.function.client.WebClientResponseException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.1.8.jar:org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.class */
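/**
 * {@link ExchangeFilterFunction} that resolves an {@link OAuth2AuthorizedClient} for an outgoing
 * {@code WebClient} request and sends its access token as a Bearer {@code Authorization} header.
 *
 * <p>The authorized client is resolved in this order: an explicit
 * {@link #oauth2AuthorizedClient(OAuth2AuthorizedClient)} request attribute, an explicit
 * {@link #clientRegistrationId(String)} request attribute, the configured default registration id,
 * and finally (only when {@link #setDefaultOAuth2AuthorizedClient(boolean)} is enabled) the
 * registration id of the current {@link OAuth2AuthenticationToken}.
 *
 * <p>Security notes for users of this filter:
 * <ul>
 * <li>The token is attached without inspecting the request URI. The {@code WebClient} this filter
 * is installed on should therefore only be used for the resource servers the token is meant for.</li>
 * <li>When no authorized client can be resolved, the request is still sent, without an
 * {@code Authorization} header.</li>
 * <li>Response headers and status codes come from the remote server and are treated as untrusted
 * input when they are mapped to an {@link OAuth2Error}.</li>
 * </ul>
 */
public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements ExchangeFilterFunction {
    // Request-attribute keys used by the static attribute helpers further down.
    private static final String OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME = OAuth2AuthorizedClient.class.getName();
    private static final String CLIENT_REGISTRATION_ID_ATTR_NAME = OAuth2AuthorizedClient.class.getName().concat(".CLIENT_REGISTRATION_ID");
    private static final String SERVER_WEB_EXCHANGE_ATTR_NAME = ServerWebExchange.class.getName();

    // Principal used when the reactive security context is empty. Elements.ANONYMOUS is a constant
    // reference emitted by the decompiler; the token carries the ROLE_USER authority as written here.
    private static final AnonymousAuthenticationToken ANONYMOUS_USER_TOKEN = new AnonymousAuthenticationToken(Elements.ANONYMOUS, "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_USER"));

    // Current Authentication from the Reactor context, or the anonymous token when there is none.
    private final Mono<Authentication> currentAuthenticationMono = ReactiveSecurityContextHolder.getContext()
            .map((securityContext) -> securityContext.getAuthentication())
            .defaultIfEmpty(ANONYMOUS_USER_TOKEN);

    // Registration id taken from the logged-in OAuth2 user. Stays empty unless the opt-in flag is set;
    // the flag is read at subscription time, so a later setter call is honoured.
    private final Mono<String> clientRegistrationIdMono = this.currentAuthenticationMono
            .filter(authentication -> this.defaultOAuth2AuthorizedClient && (authentication instanceof OAuth2AuthenticationToken))
            .cast(OAuth2AuthenticationToken.class)
            .map((token) -> token.getAuthorizedClientRegistrationId());

    // ServerWebExchange published in the Reactor context, if any.
    private final Mono<ServerWebExchange> currentServerWebExchangeMono = Mono.deferContextual((contextView) -> Mono.just(contextView))
            .filter(contextView -> contextView.hasKey(ServerWebExchange.class))
            .map(contextView -> (ServerWebExchange) contextView.get(ServerWebExchange.class));

    private final ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
    private boolean defaultOAuth2AuthorizedClient;
    private String defaultClientRegistrationId;
    private ClientResponseHandler clientResponseHandler;

    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.1.8.jar:org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction$AuthorizationFailureForwarder.class */
    /**
     * Response handler that turns authorization failures reported by the remote server (a Bearer
     * {@code WWW-Authenticate} error, a 401/403 status, or an {@link OAuth2AuthorizationException}
     * raised downstream) into calls to a {@link ReactiveOAuth2AuthorizationFailureHandler}.
     * The response or the original error is always passed on to the caller afterwards.
     */
    private final class AuthorizationFailureForwarder implements ClientResponseHandler {
        // HTTP status -> OAuth 2.0 error code used when the response carries no usable Bearer error.
        private final Map<Integer, String> httpStatusToOAuth2ErrorCodeMap;
        private final ReactiveOAuth2AuthorizationFailureHandler authorizationFailureHandler;

        private AuthorizationFailureForwarder(ReactiveOAuth2AuthorizationFailureHandler reactiveOAuth2AuthorizationFailureHandler) {
            Assert.notNull(reactiveOAuth2AuthorizationFailureHandler, "authorizationFailureHandler cannot be null");
            this.authorizationFailureHandler = reactiveOAuth2AuthorizationFailureHandler;
            Map<Integer, String> statusToErrorCode = new HashMap<>();
            statusToErrorCode.put(HttpStatus.UNAUTHORIZED.value(), "invalid_token");
            statusToErrorCode.put(HttpStatus.FORBIDDEN.value(), "insufficient_scope");
            this.httpStatusToOAuth2ErrorCodeMap = Collections.unmodifiableMap(statusToErrorCode);
        }

        /**
         * Inspects the exchange result and notifies the failure handler on an authorization failure.
         *
         * @param clientRequest the request that was sent
         * @param mono the response publisher returned by the exchange
         * @return a publisher emitting the unchanged response, or re-signalling the original error
         */
        @Override
        public Mono<ClientResponse> handleResponse(ClientRequest clientRequest, Mono<ClientResponse> mono) {
            // The decompiler output carried a cast to Function<? super E, ...> with undeclared type
            // variables on the first onErrorResume; it is not valid Java and has been dropped.
            return mono
                    .flatMap(clientResponse -> handleResponse(clientRequest, clientResponse).thenReturn(clientResponse))
                    .onErrorResume(WebClientResponseException.class,
                            ex -> handleWebClientResponseException(clientRequest, ex).then(Mono.error(ex)))
                    .onErrorResume(OAuth2AuthorizationException.class,
                            ex -> handleAuthorizationException(clientRequest, ex).then(Mono.error(ex)));
        }

        /** Notifies the failure handler if the response maps to an OAuth 2.0 error; otherwise completes empty. */
        private Mono<Void> handleResponse(ClientRequest clientRequest, ClientResponse clientResponse) {
            return Mono.justOrEmpty(resolveErrorIfPossible(clientResponse)).flatMap(oauth2Error ->
                    Mono.zip(ServerOAuth2AuthorizedClientExchangeFilterFunction.this.currentAuthenticationMono,
                                    ServerOAuth2AuthorizedClientExchangeFilterFunction.this.effectiveServerWebExchange(clientRequest),
                                    ServerOAuth2AuthorizedClientExchangeFilterFunction.this.effectiveClientRegistrationId(clientRequest))
                            .flatMap(zipped -> handleAuthorizationFailure(zipped.getT1(), zipped.getT2(),
                                    new ClientAuthorizationException(oauth2Error, zipped.getT3()))));
        }

        /**
         * Maps a response to an {@link OAuth2Error}, preferring the {@code error} parameter of a Bearer
         * {@code WWW-Authenticate} challenge and falling back to the status-code table.
         *
         * <p>Only the first {@code WWW-Authenticate} header value is inspected, and the parameter name
         * {@code error} is matched case-sensitively.
         *
         * @return the resolved error, or {@code null} when the response is not an authorization failure
         */
        private OAuth2Error resolveErrorIfPossible(ClientResponse clientResponse) {
            if (!clientResponse.headers().header("WWW-Authenticate").isEmpty()) {
                Map<String, String> authParameters = parseAuthParameters(clientResponse.headers().header("WWW-Authenticate").get(0));
                String errorCode = authParameters.get("error");
                // The header is controlled by the remote server. A blank code (for example error="")
                // falls through to the status-code mapping instead of reaching the OAuth2Error
                // constructor, which is expected to reject an empty error code.
                if (StringUtils.hasText(errorCode)) {
                    return new OAuth2Error(errorCode, authParameters.get(OAuth2ParameterNames.ERROR_DESCRIPTION), authParameters.get(OAuth2ParameterNames.ERROR_URI));
                }
            }
            return resolveErrorIfPossible(clientResponse.rawStatusCode());
        }

        /**
         * Maps a raw HTTP status to an {@link OAuth2Error} (401 and 403 only).
         *
         * @return the mapped error, or {@code null} for any other status
         */
        private OAuth2Error resolveErrorIfPossible(int statusCode) {
            String errorCode = this.httpStatusToOAuth2ErrorCodeMap.get(statusCode);
            if (errorCode != null) {
                return new OAuth2Error(errorCode, null, "https://tools.ietf.org/html/rfc6750#section-3.1");
            }
            return null;
        }

        /**
         * Extracts the {@code name=value} parameters of a Bearer {@code WWW-Authenticate} challenge.
         *
         * <p>This is a best-effort parser over untrusted input, not a full header grammar: the value
         * is split on the separator constant first, so a quoted value that itself contains the
         * separator is truncated. It is hardened in two ways: a parameter that appears more than once
         * keeps its first value instead of failing the collector with a duplicate-key
         * {@link IllegalStateException}, and a value containing {@code =} is kept whole.
         *
         * @param header the raw header value, may be {@code null} or empty
         * @return the parsed parameters with double quotes removed; empty when the challenge is not Bearer
         */
        private Map<String, String> parseAuthParameters(String header) {
            String scheme = "bearer";
            // Case-insensitive prefix test without a locale-dependent lower-casing of remote input.
            if (!StringUtils.hasLength(header) || !header.regionMatches(true, 0, scheme, 0, scheme.length())) {
                return Collections.emptyMap();
            }
            // StringArrayPropertyEditor.DEFAULT_SEPARATOR (the comma separator) is a constant
            // reference emitted by the decompiler; it is kept so the listing's imports stay in use.
            return Stream.of(header.substring(scheme.length()).split(StringArrayPropertyEditor.DEFAULT_SEPARATOR))
                    .map(parameter -> parameter.split("=", 2))
                    .filter(nameAndValue -> nameAndValue.length > 1)
                    .collect(Collectors.toMap(
                            nameAndValue -> nameAndValue[0].trim(),
                            nameAndValue -> nameAndValue[1].trim().replace("\"", ""),
                            (first, duplicate) -> first));
        }

        /** Notifies the failure handler when the exception's status maps to an OAuth 2.0 error. */
        private Mono<Void> handleWebClientResponseException(ClientRequest clientRequest, WebClientResponseException webClientResponseException) {
            return Mono.justOrEmpty(resolveErrorIfPossible(webClientResponseException.getRawStatusCode())).flatMap(oauth2Error ->
                    Mono.zip(ServerOAuth2AuthorizedClientExchangeFilterFunction.this.currentAuthenticationMono,
                                    ServerOAuth2AuthorizedClientExchangeFilterFunction.this.effectiveServerWebExchange(clientRequest),
                                    ServerOAuth2AuthorizedClientExchangeFilterFunction.this.effectiveClientRegistrationId(clientRequest))
                            .flatMap(zipped -> handleAuthorizationFailure(zipped.getT1(), zipped.getT2(),
                                    new ClientAuthorizationException(oauth2Error, zipped.getT3(), webClientResponseException))));
        }

        /** Forwards an {@link OAuth2AuthorizationException} raised during the exchange to the failure handler. */
        private Mono<Void> handleAuthorizationException(ClientRequest clientRequest, OAuth2AuthorizationException oAuth2AuthorizationException) {
            return Mono.zip(ServerOAuth2AuthorizedClientExchangeFilterFunction.this.currentAuthenticationMono,
                            ServerOAuth2AuthorizedClientExchangeFilterFunction.this.effectiveServerWebExchange(clientRequest))
                    .flatMap(zipped -> handleAuthorizationFailure(zipped.getT1(), zipped.getT2(), oAuth2AuthorizationException));
        }

        /** Invokes the configured failure handler with the principal and, when present, the exchange. */
        private Mono<Void> handleAuthorizationFailure(Authentication authentication, Optional<ServerWebExchange> optional, OAuth2AuthorizationException oAuth2AuthorizationException) {
            return this.authorizationFailureHandler.onAuthorizationFailure(oAuth2AuthorizationException, authentication, createAttributes(optional.orElse(null)));
        }

        /** Builds the handler attributes: the exchange keyed by its class name, or an empty map. */
        private Map<String, Object> createAttributes(ServerWebExchange serverWebExchange) {
            if (serverWebExchange == null) {
                return Collections.emptyMap();
            }
            return Collections.singletonMap(ServerWebExchange.class.getName(), serverWebExchange);
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.1.8.jar:org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction$ClientResponseHandler.class */
    /** Strategy applied to the response publisher of every exchange performed by this filter. */
    @FunctionalInterface
    private interface ClientResponseHandler {
        Mono<ClientResponse> handleResponse(ClientRequest clientRequest, Mono<ClientResponse> mono);
    }

    /**
     * Creates the filter around a caller-supplied manager.
     *
     * <p>With this constructor responses pass through untouched: no authorization-failure handling
     * takes place unless {@link #setAuthorizationFailureHandler} is called afterwards.
     *
     * @param reactiveOAuth2AuthorizedClientManager the manager used to authorize and re-authorize clients
     */
    public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager reactiveOAuth2AuthorizedClientManager) {
        Assert.notNull(reactiveOAuth2AuthorizedClientManager, "authorizedClientManager cannot be null");
        this.authorizedClientManager = reactiveOAuth2AuthorizedClientManager;
        this.clientResponseHandler = (clientRequest, mono) -> mono;
    }

    /**
     * Creates the filter with a default manager built from the two repositories.
     *
     * <p>A failure handler that removes the authorized client from the repository is installed both
     * on the manager and on the response path of this filter.
     *
     * @param reactiveClientRegistrationRepository the client registration repository
     * @param serverOAuth2AuthorizedClientRepository the authorized client repository
     */
    public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository reactiveClientRegistrationRepository, ServerOAuth2AuthorizedClientRepository serverOAuth2AuthorizedClientRepository) {
        ReactiveOAuth2AuthorizationFailureHandler removeClientOnFailure = new RemoveAuthorizedClientReactiveOAuth2AuthorizationFailureHandler(
                (registrationId, principal, attributes) -> serverOAuth2AuthorizedClientRepository.removeAuthorizedClient(
                        registrationId, principal, (ServerWebExchange) attributes.get(ServerWebExchange.class.getName())));
        this.authorizedClientManager = createDefaultAuthorizedClientManager(reactiveClientRegistrationRepository, serverOAuth2AuthorizedClientRepository, removeClientOnFailure);
        this.clientResponseHandler = new AuthorizationFailureForwarder(removeClientOnFailure);
    }

    /** Builds a {@link DefaultReactiveOAuth2AuthorizedClientManager} that uses the given failure handler. */
    private static ReactiveOAuth2AuthorizedClientManager createDefaultAuthorizedClientManager(ReactiveClientRegistrationRepository reactiveClientRegistrationRepository, ServerOAuth2AuthorizedClientRepository serverOAuth2AuthorizedClientRepository, ReactiveOAuth2AuthorizationFailureHandler reactiveOAuth2AuthorizationFailureHandler) {
        DefaultReactiveOAuth2AuthorizedClientManager manager = new DefaultReactiveOAuth2AuthorizedClientManager(reactiveClientRegistrationRepository, serverOAuth2AuthorizedClientRepository);
        manager.setAuthorizationFailureHandler(reactiveOAuth2AuthorizationFailureHandler);
        return manager;
    }

    /**
     * Returns a request-attribute customizer that pins the authorized client used for the request.
     *
     * @param oAuth2AuthorizedClient the authorized client whose access token should be sent
     * @return a consumer that stores the client in the request attributes
     */
    public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return attributes -> attributes.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, oAuth2AuthorizedClient);
    }

    /** Reads the pinned authorized client from the request attributes; {@code null} when absent. */
    private static OAuth2AuthorizedClient oauth2AuthorizedClient(ClientRequest clientRequest) {
        return (OAuth2AuthorizedClient) clientRequest.attributes().get(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME);
    }

    /**
     * Returns a request-attribute customizer that supplies the {@link ServerWebExchange} explicitly.
     *
     * @param serverWebExchange the exchange to associate with the request
     * @return a consumer that stores the exchange in the request attributes
     */
    public static Consumer<Map<String, Object>> serverWebExchange(ServerWebExchange serverWebExchange) {
        return attributes -> attributes.put(SERVER_WEB_EXCHANGE_ATTR_NAME, serverWebExchange);
    }

    /** Reads the explicitly supplied exchange from the request attributes; {@code null} when absent. */
    private static ServerWebExchange serverWebExchange(ClientRequest clientRequest) {
        return (ServerWebExchange) clientRequest.attributes().get(SERVER_WEB_EXCHANGE_ATTR_NAME);
    }

    /**
     * Returns a request-attribute customizer that selects the client registration for the request.
     *
     * @param str the client registration id
     * @return a consumer that stores the registration id in the request attributes
     */
    public static Consumer<Map<String, Object>> clientRegistrationId(String str) {
        return attributes -> attributes.put(CLIENT_REGISTRATION_ID_ATTR_NAME, str);
    }

    /**
     * Resolves the registration id from the request attributes. A pinned authorized client takes
     * precedence over an explicit registration-id attribute.
     */
    private static String clientRegistrationId(ClientRequest clientRequest) {
        OAuth2AuthorizedClient pinnedClient = oauth2AuthorizedClient(clientRequest);
        if (pinnedClient != null) {
            return pinnedClient.getClientRegistration().getRegistrationId();
        }
        return (String) clientRequest.attributes().get(CLIENT_REGISTRATION_ID_ATTR_NAME);
    }

    /**
     * Enables or disables resolving the client registration from the current
     * {@link OAuth2AuthenticationToken}.
     *
     * <p>When enabled, every request sent through this filter by an OAuth2-logged-in user that has
     * no explicit attributes and no default registration id receives that user's access token.
     * Enable it only on a {@code WebClient} dedicated to the matching resource server.
     *
     * @param z {@code true} to fall back to the current authentication's registration id
     */
    public void setDefaultOAuth2AuthorizedClient(boolean z) {
        this.defaultOAuth2AuthorizedClient = z;
    }

    /**
     * Sets the registration id used when a request carries no explicit attributes.
     *
     * <p>With a default set, every request through this filter without explicit attributes is
     * authorized with that registration.
     *
     * @param str the default client registration id, or {@code null} for none
     */
    public void setDefaultClientRegistrationId(String str) {
        this.defaultClientRegistrationId = str;
    }

    /**
     * Resolves an authorized client, adds its Bearer token to the request and performs the exchange.
     * When no authorized client can be resolved the original request is sent unchanged, that is
     * without an {@code Authorization} header.
     *
     * @param clientRequest the outgoing request
     * @param exchangeFunction the next function in the filter chain
     * @return the response publisher, routed through the configured response handler
     */
    @Override
    public Mono<ClientResponse> filter(ClientRequest clientRequest, ExchangeFunction exchangeFunction) {
        return authorizedClient(clientRequest)
                .map(authorizedClient -> bearer(clientRequest, authorizedClient))
                .flatMap(authorizedRequest -> exchangeAndHandleResponse(authorizedRequest, exchangeFunction))
                .switchIfEmpty(Mono.defer(() -> exchangeAndHandleResponse(clientRequest, exchangeFunction)));
    }

    /** Performs the exchange and passes the response publisher to the response handler. */
    private Mono<ClientResponse> exchangeAndHandleResponse(ClientRequest clientRequest, ExchangeFunction exchangeFunction) {
        return exchangeFunction.exchange(clientRequest)
                .transform(responseMono -> this.clientResponseHandler.handleResponse(clientRequest, responseMono));
    }

    /**
     * Resolves the authorized client for the request: the pinned client if present, otherwise one
     * authorized through the manager. The result is always passed through the manager once more via
     * a re-authorize request built from the resolved client.
     */
    private Mono<OAuth2AuthorizedClient> authorizedClient(ClientRequest clientRequest) {
        return Mono.justOrEmpty(oauth2AuthorizedClient(clientRequest))
                .switchIfEmpty(Mono.defer(() -> authorizeRequest(clientRequest).flatMap(this.authorizedClientManager::authorize)))
                .flatMap(authorizedClient -> reauthorizeRequest(clientRequest, authorizedClient).flatMap(this.authorizedClientManager::authorize));
    }

    /** Builds an authorize request from the effective registration id, principal and exchange. */
    private Mono<OAuth2AuthorizeRequest> authorizeRequest(ClientRequest clientRequest) {
        return Mono.zip(effectiveClientRegistrationId(clientRequest), this.currentAuthenticationMono, effectiveServerWebExchange(clientRequest)).map(zipped -> {
            OAuth2AuthorizeRequest.Builder builder = OAuth2AuthorizeRequest.withClientRegistrationId(zipped.getT1()).principal(zipped.getT2());
            zipped.getT3().ifPresent(exchange -> builder.attribute(ServerWebExchange.class.getName(), exchange));
            return builder.build();
        });
    }

    /**
     * Resolves the registration id: request attributes first, then the configured default, then the
     * current OAuth2 authentication (empty unless that fallback is enabled).
     */
    private Mono<String> effectiveClientRegistrationId(ClientRequest clientRequest) {
        return Mono.justOrEmpty(clientRegistrationId(clientRequest))
                .switchIfEmpty(Mono.justOrEmpty(this.defaultClientRegistrationId))
                .switchIfEmpty(this.clientRegistrationIdMono);
    }

    /**
     * Resolves the exchange from the request attributes or the Reactor context. The result is
     * wrapped in an {@link Optional} so that a missing exchange does not empty a surrounding
     * {@code Mono.zip}.
     */
    private Mono<Optional<ServerWebExchange>> effectiveServerWebExchange(ClientRequest clientRequest) {
        return Mono.justOrEmpty(serverWebExchange(clientRequest))
                .switchIfEmpty(this.currentServerWebExchangeMono)
                .map(Optional::of)
                .defaultIfEmpty(Optional.empty());
    }

    /** Builds an authorize request for an already resolved client, with the current principal and exchange. */
    private Mono<OAuth2AuthorizeRequest> reauthorizeRequest(ClientRequest clientRequest, OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return Mono.zip(this.currentAuthenticationMono, effectiveServerWebExchange(clientRequest)).map(zipped -> {
            OAuth2AuthorizeRequest.Builder builder = OAuth2AuthorizeRequest.withAuthorizedClient(oAuth2AuthorizedClient).principal(zipped.getT1());
            zipped.getT2().ifPresent(exchange -> builder.attribute(ServerWebExchange.class.getName(), exchange));
            return builder.build();
        });
    }

    /**
     * Copies the request and sets the Bearer {@code Authorization} header from the client's access
     * token. The target URI is not checked here.
     */
    private ClientRequest bearer(ClientRequest clientRequest, OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return ClientRequest.from(clientRequest)
                .headers(httpHeaders -> httpHeaders.setBearerAuth(oAuth2AuthorizedClient.getAccessToken().getTokenValue()))
                .build();
    }

    /**
     * Replaces the response handler with one that forwards authorization failures to the given
     * handler. This does not change the failure handler of the authorized client manager.
     *
     * @param reactiveOAuth2AuthorizationFailureHandler the handler to notify, never {@code null}
     */
    public void setAuthorizationFailureHandler(ReactiveOAuth2AuthorizationFailureHandler reactiveOAuth2AuthorizationFailureHandler) {
        Assert.notNull(reactiveOAuth2AuthorizationFailureHandler, "authorizationFailureHandler cannot be null");
        this.clientResponseHandler = new AuthorizationFailureForwarder(reactiveOAuth2AuthorizationFailureHandler);
    }
}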
