package org.springframework.security.oauth2.server.authorization.web.authentication;

import jakarta.servlet.http.HttpServletRequest;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import org.springframework.lang.Nullable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationToken;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.util.CollectionUtils;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.4.1.jar:org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenExchangeAuthenticationConverter.class */
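/**
 * Converts an OAuth 2.0 Token Exchange (RFC 8693) token request into an
 * {@link OAuth2TokenExchangeAuthenticationToken}.
 *
 * <p>Security notes for maintainers and integrators:
 * <ul>
 * <li>This converter performs <em>syntactic</em> request validation only: parameter
 * presence, cardinality, the token-type allow-list and the shape of {@code resource}
 * URIs. Nothing in this class verifies {@code subject_token} or {@code actor_token}
 * themselves; that is presumably done by the authentication provider that consumes the
 * returned token (confirm against the provider).</li>
 * <li>{@code subject_token} and {@code actor_token} are credentials. Error reporting here
 * names the offending parameter but never echoes its value; keep it that way.</li>
 * <li>{@code audience} values and all additional parameters are passed through exactly as
 * the client sent them and must be treated as untrusted by downstream code.</li>
 * </ul>
 */
public final class OAuth2TokenExchangeAuthenticationConverter implements AuthenticationConverter {
    private static final String TOKEN_TYPE_IDENTIFIERS_URI = "https://datatracker.ietf.org/doc/html/rfc8693#section-3";
    private static final String ACCESS_TOKEN_REQUEST_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
    private static final String RESOURCE = "resource";
    private static final String SCOPE = "scope";
    private static final String ACCESS_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:access_token";
    private static final String JWT_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:jwt";
    private static final Set<String> SUPPORTED_TOKEN_TYPES = Set.of(ACCESS_TOKEN_TYPE_VALUE, JWT_TOKEN_TYPE_VALUE);

    // Parameters interpreted by this converter; every other form parameter is forwarded
    // to the token as an "additional parameter".
    private static final Set<String> HANDLED_PARAMETERS = Set.of(
            OAuth2ParameterNames.GRANT_TYPE,
            RESOURCE,
            OAuth2ParameterNames.AUDIENCE,
            OAuth2ParameterNames.REQUESTED_TOKEN_TYPE,
            OAuth2ParameterNames.SUBJECT_TOKEN,
            OAuth2ParameterNames.SUBJECT_TOKEN_TYPE,
            OAuth2ParameterNames.ACTOR_TOKEN,
            OAuth2ParameterNames.ACTOR_TOKEN_TYPE,
            SCOPE);

    /**
     * Builds a token-exchange authentication request from the form parameters of the
     * given HTTP request.
     *
     * @param httpServletRequest the token endpoint request
     * @return the unauthenticated token-exchange token, or {@code null} when the request's
     * {@code grant_type} is not the token-exchange grant
     * @throws OAuth2AuthenticationException if a parameter is missing, repeated, carries
     * an unsupported token type, or a {@code resource} value is not an absolute,
     * fragment-free URI
     */
    @Override // org.springframework.security.web.authentication.AuthenticationConverter
    @Nullable
    public Authentication convert(HttpServletRequest httpServletRequest) {
        MultiValueMap<String, String> formParameters = OAuth2EndpointUtils.getFormParameters(httpServletRequest);

        // grant_type: anything other than token exchange is left to another converter.
        if (!AuthorizationGrantType.TOKEN_EXCHANGE.getValue().equals(formParameters.getFirst(OAuth2ParameterNames.GRANT_TYPE))) {
            return null;
        }

        // The client is expected to have been authenticated earlier in the filter chain;
        // whatever is in the security context is passed on as the client principal.
        Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();

        // resource: may repeat; every value must be an absolute URI without a fragment.
        // The check is syntactic only - scheme and host are not restricted here, so any
        // component that later acts on these URIs needs its own allow-list.
        List<String> resources = formParameters.getOrDefault(RESOURCE, Collections.emptyList());
        if (!CollectionUtils.isEmpty(resources)) {
            for (String resource : resources) {
                if (!isValidUri(resource)) {
                    rejectParameter(RESOURCE);
                }
            }
        }

        // audience: may repeat; values are opaque to this converter and are NOT validated.
        List<String> audiences = formParameters.getOrDefault(OAuth2ParameterNames.AUDIENCE, Collections.emptyList());

        // scope: at most one occurrence, holding a space-delimited list.
        // NOTE(review): here and for the other optional parameters the cardinality check
        // runs only when the first value has text, so a blank first value followed by
        // further values is treated as "absent" rather than rejected.
        String scope = formParameters.getFirst(SCOPE);
        if (StringUtils.hasText(scope) && isRepeated(formParameters, SCOPE)) {
            rejectParameter(SCOPE);
        }
        Set<String> requestedScopes = null;
        if (StringUtils.hasText(scope)) {
            // NOTE(review): splitting on a single space presumably yields empty entries
            // for consecutive spaces - confirm before relying on the set's contents.
            requestedScopes = new HashSet<>(Arrays.asList(StringUtils.delimitedListToStringArray(scope, " ")));
        }

        // requested_token_type: optional, single-valued, defaults to access_token.
        String requestedTokenType = formParameters.getFirst(OAuth2ParameterNames.REQUESTED_TOKEN_TYPE);
        if (StringUtils.hasText(requestedTokenType)) {
            if (isRepeated(formParameters, OAuth2ParameterNames.REQUESTED_TOKEN_TYPE)) {
                rejectParameter(OAuth2ParameterNames.REQUESTED_TOKEN_TYPE);
            }
            validateTokenType(OAuth2ParameterNames.REQUESTED_TOKEN_TYPE, requestedTokenType);
        } else {
            requestedTokenType = ACCESS_TOKEN_TYPE_VALUE;
        }

        // subject_token: required, exactly once. Only presence is checked here.
        String subjectToken = formParameters.getFirst(OAuth2ParameterNames.SUBJECT_TOKEN);
        if (!StringUtils.hasText(subjectToken) || isRepeated(formParameters, OAuth2ParameterNames.SUBJECT_TOKEN)) {
            rejectParameter(OAuth2ParameterNames.SUBJECT_TOKEN);
        }

        // subject_token_type: required, exactly once, and on the allow-list.
        String subjectTokenType = formParameters.getFirst(OAuth2ParameterNames.SUBJECT_TOKEN_TYPE);
        if (StringUtils.hasText(subjectTokenType) && !isRepeated(formParameters, OAuth2ParameterNames.SUBJECT_TOKEN_TYPE)) {
            validateTokenType(OAuth2ParameterNames.SUBJECT_TOKEN_TYPE, subjectTokenType);
        } else {
            rejectParameter(OAuth2ParameterNames.SUBJECT_TOKEN_TYPE);
        }

        // actor_token: optional, at most once.
        String actorToken = formParameters.getFirst(OAuth2ParameterNames.ACTOR_TOKEN);
        if (StringUtils.hasText(actorToken) && isRepeated(formParameters, OAuth2ParameterNames.ACTOR_TOKEN)) {
            rejectParameter(OAuth2ParameterNames.ACTOR_TOKEN);
        }

        // actor_token_type: optional, at most once, and on the allow-list.
        String actorTokenType = formParameters.getFirst(OAuth2ParameterNames.ACTOR_TOKEN_TYPE);
        if (StringUtils.hasText(actorTokenType)) {
            if (isRepeated(formParameters, OAuth2ParameterNames.ACTOR_TOKEN_TYPE)) {
                rejectParameter(OAuth2ParameterNames.ACTOR_TOKEN_TYPE);
            }
            validateTokenType(OAuth2ParameterNames.ACTOR_TOKEN_TYPE, actorTokenType);
        }

        // actor_token and actor_token_type must be supplied together; the error names the
        // parameter that is missing.
        if (!StringUtils.hasText(actorToken) && StringUtils.hasText(actorTokenType)) {
            rejectParameter(OAuth2ParameterNames.ACTOR_TOKEN);
        } else if (StringUtils.hasText(actorToken) && !StringUtils.hasText(actorTokenType)) {
            rejectParameter(OAuth2ParameterNames.ACTOR_TOKEN_TYPE);
        }

        // Everything else is forwarded unmodified: a single value as a String, several as
        // a String[]. These come straight from the request and are untrusted input.
        HashMap<String, Object> additionalParameters = new HashMap<>();
        formParameters.forEach((name, values) -> {
            if (HANDLED_PARAMETERS.contains(name)) {
                return;
            }
            additionalParameters.put(name, values.size() == 1 ? values.get(0) : values.toArray(new String[0]));
        });

        return new OAuth2TokenExchangeAuthenticationToken(requestedTokenType, subjectToken, subjectTokenType,
                clientPrincipal, actorToken, actorTokenType, new LinkedHashSet<>(resources),
                new LinkedHashSet<>(audiences), requestedScopes, additionalParameters);
    }

    /**
     * Reports whether the named parameter does not occur exactly once. Callers must only
     * invoke this after establishing that the parameter is present.
     */
    private static boolean isRepeated(MultiValueMap<String, String> parameters, String name) {
        return parameters.get(name).size() != 1;
    }

    /**
     * Raises an {@code invalid_request} error naming the offending parameter. The
     * parameter's value is deliberately not part of the error.
     */
    private static void rejectParameter(String parameterName) {
        OAuth2EndpointUtils.throwError(OAuth2ErrorCodes.INVALID_REQUEST, parameterName, ACCESS_TOKEN_REQUEST_ERROR_URI);
    }

    /**
     * Rejects any token type identifier that is not on the supported allow-list.
     *
     * @param str the name of the parameter being checked (used in the error only)
     * @param str2 the token type identifier supplied by the client
     * @throws OAuth2AuthenticationException with {@code unsupported_token_type} if the
     * identifier is not supported
     */
    private static void validateTokenType(String str, String str2) {
        if (SUPPORTED_TOKEN_TYPES.contains(str2)) {
            return;
        }
        // Only the parameter name and the supported values are reported; the
        // client-supplied value is not reflected back.
        OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.UNSUPPORTED_TOKEN_TYPE,
                String.format("OAuth 2.0 Token Exchange parameter: %s", str), TOKEN_TYPE_IDENTIFIERS_URI);
        throw new OAuth2AuthenticationException(error, String.format("OAuth 2.0 Token Exchange parameter: %s - The provided value is not supported by this authorization server. Supported values are %s and %s.", str, ACCESS_TOKEN_TYPE_VALUE, JWT_TOKEN_TYPE_VALUE));
    }

    /**
     * Checks that the value parses as a URI that is absolute (has a scheme) and carries
     * no fragment component. No other property of the URI is inspected.
     *
     * @param str the candidate {@code resource} value
     * @return {@code true} if the value is an absolute URI without a fragment
     */
    private static boolean isValidUri(String str) {
        try {
            URI uri = new URI(str);
            return uri.isAbsolute() && uri.getFragment() == null;
        } catch (URISyntaxException e) {
            // Unparseable input is simply "not valid"; the caller raises the OAuth2 error.
            return false;
        }
    }
}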
