package org.springframework.security.config.http;

import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.BeanMetadataElement;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.BeanReference;
import org.springframework.beans.factory.config.RuntimeBeanReference;
import org.springframework.beans.factory.support.AbstractBeanDefinition;
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
import org.springframework.beans.factory.support.RootBeanDefinition;
import org.springframework.beans.factory.xml.BeanDefinitionParser;
import org.springframework.beans.factory.xml.ParserContext;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.Elements;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.access.BearerTokenAccessDeniedHandler;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.util.xml.DomUtils;
import org.w3c.dom.Element;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/spring-security-config-5.7.5.jar:org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParser.class */
/**
 * Turns the resource-server XML element handed to {@link #parse} into a
 * {@link BearerTokenAuthenticationFilter} bean definition.
 *
 * <p>While parsing it also feeds the collections supplied by the caller: authentication
 * providers for the {@code <jwt>} and {@code <opaque-token>} children, and a
 * {@link BearerTokenRequestMatcher} that is used as the key for the entry point and
 * access-denied handler and is appended to the CSRF request-matcher list.
 */
public final class OAuth2ResourceServerBeanDefinitionParser implements BeanDefinitionParser {
    // XML attribute names read from the element.
    static final String AUTHENTICATION_MANAGER_RESOLVER_REF = "authentication-manager-resolver-ref";
    static final String BEARER_TOKEN_RESOLVER_REF = "bearer-token-resolver-ref";
    static final String ENTRY_POINT_REF = "entry-point-ref";
    // Property names set on the BearerTokenAuthenticationFilter bean definition.
    static final String BEARER_TOKEN_RESOLVER = "bearerTokenResolver";
    static final String AUTHENTICATION_ENTRY_POINT = "authenticationEntryPoint";
    private final BeanReference authenticationManager;
    private final List<BeanReference> authenticationProviders;
    private final Map<BeanDefinition, BeanMetadataElement> entryPoints;
    private final Map<BeanDefinition, BeanMetadataElement> deniedHandlers;
    private final List<BeanDefinition> ignoreCsrfRequestMatchers;
    // Defaults used when the element does not reference its own entry point / handler.
    private final BeanDefinition authenticationEntryPoint = new RootBeanDefinition(BearerTokenAuthenticationEntryPoint.class);
    private final BeanDefinition accessDeniedHandler = new RootBeanDefinition(BearerTokenAccessDeniedHandler.class);

    /**
     * Matches a request when the configured {@link BearerTokenResolver} finds a token in it.
     */
    static final class BearerTokenRequestMatcher implements RequestMatcher {
        private final BearerTokenResolver bearerTokenResolver;

        /**
         * @param bearerTokenResolver resolver consulted for every request; must not be null
         */
        BearerTokenRequestMatcher(BearerTokenResolver bearerTokenResolver) {
            Assert.notNull(bearerTokenResolver, "bearerTokenResolver cannot be null");
            this.bearerTokenResolver = bearerTokenResolver;
        }

        /**
         * @param httpServletRequest the request to inspect
         * @return {@code true} only when the resolver returns a non-null token
         */
        @Override
        public boolean matches(HttpServletRequest httpServletRequest) {
            String token;
            try {
                token = this.bearerTokenResolver.resolve(httpServletRequest);
            } catch (OAuth2AuthenticationException ignored) {
                // A resolver failure is treated as "no bearer token here": the request is
                // simply not matched, so nothing keyed on this matcher applies to it.
                return false;
            }
            return token != null;
        }
    }

    /**
     * Builds the {@link JwtAuthenticationProvider} bean definition from the {@code <jwt>} child.
     * The decompiler reports that this class's access modifier was changed from package-private.
     */
    public static final class JwtBeanDefinitionParser implements BeanDefinitionParser {
        static final String DECODER_REF = "decoder-ref";
        static final String JWK_SET_URI = "jwk-set-uri";
        static final String JWT_AUTHENTICATION_CONVERTER_REF = "jwt-authentication-converter-ref";
        static final String JWT_AUTHENTICATION_CONVERTER = "jwtAuthenticationConverter";

        JwtBeanDefinitionParser() {
        }

        /**
         * Validates the element, then wires the decoder as constructor argument and the
         * authentication converter as a property of a {@link JwtAuthenticationProvider}.
         *
         * @param element the {@code <jwt>} element
         * @param parserContext context used to report configuration errors
         * @return the provider bean definition
         */
        @Override
        public BeanDefinition parse(Element element, ParserContext parserContext) {
            validateConfiguration(element, parserContext);
            return BeanDefinitionBuilder.rootBeanDefinition(JwtAuthenticationProvider.class)
                    .addConstructorArgValue(getDecoder(element))
                    .addPropertyValue(JWT_AUTHENTICATION_CONVERTER, getJwtAuthenticationConverter(element))
                    .getBeanDefinition();
        }

        /**
         * Reports an error unless exactly one of {@code decoder-ref} and {@code jwk-set-uri}
         * is present on the element.
         */
        void validateConfiguration(Element element, ParserContext parserContext) {
            boolean hasDecoderRef = element.hasAttribute(DECODER_REF);
            boolean hasJwkSetUri = element.hasAttribute(JWK_SET_URI);
            if (hasDecoderRef != hasJwkSetUri) {
                return;
            }
            // Both present or both absent.
            parserContext.getReaderContext().error("Please specify either decoder-ref or jwk-set-uri.", element);
        }

        /**
         * @return a reference to the bean named by {@code decoder-ref} when that attribute is
         * non-empty, otherwise a factory-bean definition built from {@code jwk-set-uri}
         */
        Object getDecoder(Element element) {
            String decoderRef = element.getAttribute(DECODER_REF);
            if (StringUtils.hasLength(decoderRef)) {
                return new RuntimeBeanReference(decoderRef);
            }
            // NOTE(review): the URI is passed through as written; no scheme or host check
            // happens in this class. The keys fetched from it decide which tokens verify,
            // so it should point at a trusted HTTPS endpoint.
            return BeanDefinitionBuilder.rootBeanDefinition(NimbusJwtDecoderJwkSetUriFactoryBean.class)
                    .addConstructorArgValue(element.getAttribute(JWK_SET_URI))
                    .getBeanDefinition();
        }

        /**
         * @return a reference to the bean named by {@code jwt-authentication-converter-ref}
         * when that attribute is non-empty, otherwise a new {@link JwtAuthenticationConverter}
         */
        Object getJwtAuthenticationConverter(Element element) {
            String converterRef = element.getAttribute(JWT_AUTHENTICATION_CONVERTER_REF);
            if (StringUtils.hasLength(converterRef)) {
                return new RuntimeBeanReference(converterRef);
            }
            return new JwtAuthenticationConverter();
        }
    }

    /**
     * {@link FactoryBean} that creates a {@link JwtDecoder} from a JWK Set URI.
     */
    static final class NimbusJwtDecoderJwkSetUriFactoryBean implements FactoryBean<JwtDecoder> {
        private final String jwkSetUri;

        /**
         * @param str the JWK Set URI, stored without validation
         */
        NimbusJwtDecoderJwkSetUriFactoryBean(String str) {
            this.jwkSetUri = str;
        }

        /**
         * @return a decoder built by {@link NimbusJwtDecoder#withJwkSetUri(String)}
         */
        @Override
        public JwtDecoder getObject() {
            String uri = this.jwkSetUri;
            return NimbusJwtDecoder.withJwkSetUri(uri).build();
        }

        @Override
        public Class<?> getObjectType() {
            return JwtDecoder.class;
        }
    }

    /**
     * Builds the {@link OpaqueTokenAuthenticationProvider} bean definition from the
     * {@code <opaque-token>} child.
     * The decompiler reports that this class's access modifier was changed from package-private.
     */
    public static final class OpaqueTokenBeanDefinitionParser implements BeanDefinitionParser {
        static final String INTROSPECTOR_REF = "introspector-ref";
        static final String INTROSPECTION_URI = "introspection-uri";
        static final String CLIENT_ID = "client-id";
        static final String CLIENT_SECRET = "client-secret";

        OpaqueTokenBeanDefinitionParser() {
        }

        /**
         * Validates the element, then passes the introspector to an
         * {@link OpaqueTokenAuthenticationProvider} as its constructor argument.
         *
         * @param element the {@code <opaque-token>} element
         * @param parserContext context used to report configuration errors
         * @return the provider bean definition
         */
        @Override
        public BeanDefinition parse(Element element, ParserContext parserContext) {
            validateConfiguration(element, parserContext);
            BeanMetadataElement introspector = getIntrospector(element);
            return BeanDefinitionBuilder.rootBeanDefinition(OpaqueTokenAuthenticationProvider.class)
                    .addConstructorArgValue(introspector)
                    .getBeanDefinition();
        }

        /**
         * Accepts either {@code introspector-ref} alone, or the complete set of
         * {@code introspection-uri}, {@code client-id} and {@code client-secret}; every other
         * combination is reported as an error.
         */
        void validateConfiguration(Element element, ParserContext parserContext) {
            boolean usesIntrospectorRef = element.hasAttribute(INTROSPECTOR_REF);
            boolean hasUri = element.hasAttribute(INTROSPECTION_URI);
            boolean hasClientId = element.hasAttribute(CLIENT_ID);
            boolean hasClientSecret = element.hasAttribute(CLIENT_SECRET);
            boolean usesInlineSettings = hasUri || hasClientId || hasClientSecret;
            if (usesIntrospectorRef == usesInlineSettings) {
                // Neither style was chosen, or the two styles were mixed.
                parserContext.getReaderContext().error("Please specify either introspector-ref or all of introspection-uri, client-id, and client-secret.", element);
                return;
            }
            if (usesInlineSettings && !(hasUri && hasClientId && hasClientSecret)) {
                // Inline style chosen but at least one of the three attributes is missing.
                parserContext.getReaderContext().error("Please specify introspection-uri, client-id, and client-secret together", element);
            }
        }

        /**
         * @return a reference to the bean named by {@code introspector-ref} when that attribute
         * is non-empty, otherwise a {@link NimbusOpaqueTokenIntrospector} definition taking the
         * URI, client id and client secret as constructor arguments, in that order
         */
        BeanMetadataElement getIntrospector(Element element) {
            String introspectorRef = element.getAttribute(INTROSPECTOR_REF);
            if (StringUtils.hasLength(introspectorRef)) {
                return new RuntimeBeanReference(introspectorRef);
            }
            String introspectionUri = element.getAttribute(INTROSPECTION_URI);
            String clientId = element.getAttribute(CLIENT_ID);
            String clientSecret = element.getAttribute(CLIENT_SECRET);
            // NOTE(review): the client secret travels as a plain attribute value into the bean
            // definition, so the XML file and any dump of bean definitions expose it; keep the
            // literal out of version control and out of diagnostic output.
            return BeanDefinitionBuilder.rootBeanDefinition(NimbusOpaqueTokenIntrospector.class)
                    .addConstructorArgValue(introspectionUri)
                    .addConstructorArgValue(clientId)
                    .addConstructorArgValue(clientSecret)
                    .getBeanDefinition();
        }
    }

    /**
     * Resolver that hands back the same {@link AuthenticationManager} for every request.
     */
    static final class StaticAuthenticationManagerResolver implements AuthenticationManagerResolver<HttpServletRequest> {
        private final AuthenticationManager authenticationManager;

        /**
         * @param authenticationManager the manager to return from {@link #resolve}; stored as given
         */
        StaticAuthenticationManagerResolver(AuthenticationManager authenticationManager) {
            this.authenticationManager = authenticationManager;
        }

        /**
         * @param httpServletRequest ignored
         * @return the manager given at construction time
         */
        @Override
        public AuthenticationManager resolve(HttpServletRequest httpServletRequest) {
            return this.authenticationManager;
        }
    }

    /**
     * Stores the caller's collections as given; {@link #parse} adds to them.
     *
     * @param beanReference reference to the authentication manager used by the default resolver
     * @param list authentication providers; parsed providers are appended
     * @param map entry points keyed by request-matcher definition
     * @param map2 access-denied handlers keyed by request-matcher definition
     * @param list2 request-matcher definitions for the CSRF configuration
     */
    public OAuth2ResourceServerBeanDefinitionParser(BeanReference beanReference, List<BeanReference> list, Map<BeanDefinition, BeanMetadataElement> map, Map<BeanDefinition, BeanMetadataElement> map2, List<BeanDefinition> list2) {
        this.ignoreCsrfRequestMatchers = list2;
        this.deniedHandlers = map2;
        this.entryPoints = map;
        this.authenticationProviders = list;
        this.authenticationManager = beanReference;
    }

    /**
     * Parses the element and its optional {@code <jwt>} / {@code <opaque-token>} children.
     * Nothing here prevents both children from being configured; each one present
     * contributes its own provider.
     *
     * @param element the resource-server element
     * @param parserContext context used for error reporting and bean registration
     * @return the {@link BearerTokenAuthenticationFilter} bean definition
     */
    @Override
    public BeanDefinition parse(Element element, ParserContext parserContext) {
        Element jwt = DomUtils.getChildElementByTagName(element, Elements.JWT);
        Element opaqueToken = DomUtils.getChildElementByTagName(element, Elements.OPAQUE_TOKEN);
        validateConfiguration(element, jwt, opaqueToken, parserContext);
        if (jwt != null) {
            registerAuthenticationProvider(new JwtBeanDefinitionParser().parse(jwt, parserContext), parserContext);
        }
        if (opaqueToken != null) {
            registerAuthenticationProvider(new OpaqueTokenBeanDefinitionParser().parse(opaqueToken, parserContext), parserContext);
        }

        BeanMetadataElement bearerTokenResolver = getBearerTokenResolver(element);
        AbstractBeanDefinition requestMatcher = BeanDefinitionBuilder.rootBeanDefinition(BearerTokenRequestMatcher.class)
                .addConstructorArgValue(bearerTokenResolver)
                .getBeanDefinition();
        BeanMetadataElement entryPoint = getEntryPoint(element);
        this.entryPoints.put(requestMatcher, entryPoint);
        this.deniedHandlers.put(requestMatcher, this.accessDeniedHandler);
        // NOTE(review): presumably the caller uses this list to skip CSRF checks for requests
        // the matcher accepts - confirm there. That reasoning holds for tokens the client must
        // attach explicitly; a custom bearer-token-resolver-ref that reads the token from a
        // cookie or other ambient credential deserves a second look.
        this.ignoreCsrfRequestMatchers.add(requestMatcher);

        // The filter shares the resolver and entry point used for the matcher above.
        return BeanDefinitionBuilder.rootBeanDefinition(BearerTokenAuthenticationFilter.class)
                .addConstructorArgValue(getAuthenticationManagerResolver(element))
                .addPropertyValue(BEARER_TOKEN_RESOLVER, bearerTokenResolver)
                .addPropertyValue(AUTHENTICATION_ENTRY_POINT, entryPoint)
                .getBeanDefinition();
    }

    /** Registers the provider definition under a generated name and records a reference to it. */
    private void registerAuthenticationProvider(BeanDefinition providerDefinition, ParserContext parserContext) {
        String beanName = parserContext.getReaderContext().registerWithGeneratedName(providerDefinition);
        this.authenticationProviders.add(new RuntimeBeanReference(beanName));
    }

    /**
     * Checks that the element picks one way of authenticating: either
     * {@code authentication-manager-resolver-ref}, or at least one of the two children.
     *
     * @param element the resource-server element
     * @param element2 the {@code <jwt>} child, or null when absent
     * @param element3 the {@code <opaque-token>} child, or null when absent
     * @param parserContext context used to report configuration errors
     */
    void validateConfiguration(Element element, Element element2, Element element3, ParserContext parserContext) {
        // Presence is tested here, while getAuthenticationManagerResolver tests for a non-empty
        // value: an attribute that is present but empty passes this check and then falls back
        // to the static resolver. NOTE(review): confirm the schema rejects empty values.
        boolean hasResolverRef = element.hasAttribute(AUTHENTICATION_MANAGER_RESOLVER_REF);
        if (hasResolverRef) {
            if (element2 != null) {
                parserContext.getReaderContext().error("Found <jwt> as well as authentication-manager-resolver-ref. Please select just one.", element);
            }
            if (element3 != null) {
                parserContext.getReaderContext().error("Found <opaque-token> as well as authentication-manager-resolver-ref. Please select just one.", element);
            }
            return;
        }
        if (element2 == null && element3 == null) {
            parserContext.getReaderContext().error("Didn't find authentication-manager-resolver-ref, <jwt>, or <opaque-token>. Please select one.", element);
        }
    }

    /**
     * @return a reference to the bean named by {@code authentication-manager-resolver-ref}
     * when that attribute is non-empty, otherwise a {@link StaticAuthenticationManagerResolver}
     * definition wrapping the authentication manager given to the constructor
     */
    BeanMetadataElement getAuthenticationManagerResolver(Element element) {
        String resolverRef = element.getAttribute(AUTHENTICATION_MANAGER_RESOLVER_REF);
        if (StringUtils.hasLength(resolverRef)) {
            return new RuntimeBeanReference(resolverRef);
        }
        return BeanDefinitionBuilder.rootBeanDefinition(StaticAuthenticationManagerResolver.class)
                .addConstructorArgValue(this.authenticationManager)
                .getBeanDefinition();
    }

    /**
     * @return a reference to the bean named by {@code bearer-token-resolver-ref} when that
     * attribute is non-empty, otherwise a {@link DefaultBearerTokenResolver} definition
     */
    BeanMetadataElement getBearerTokenResolver(Element element) {
        String resolverRef = element.getAttribute(BEARER_TOKEN_RESOLVER_REF);
        if (StringUtils.hasLength(resolverRef)) {
            return new RuntimeBeanReference(resolverRef);
        }
        return new RootBeanDefinition(DefaultBearerTokenResolver.class);
    }

    /**
     * @return a reference to the bean named by {@code entry-point-ref} when that attribute is
     * non-empty, otherwise the default {@link BearerTokenAuthenticationEntryPoint} definition
     */
    BeanMetadataElement getEntryPoint(Element element) {
        String entryPointRef = element.getAttribute(ENTRY_POINT_REF);
        if (StringUtils.hasLength(entryPointRef)) {
            return new RuntimeBeanReference(entryPointRef);
        }
        return this.authenticationEntryPoint;
    }
}
