package org.springframework.security.oauth2.server.authorization.web.authentication;

import jakarta.servlet.http.HttpServletRequest;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import org.springframework.lang.Nullable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientMetadataClaimNames;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.util.CollectionUtils;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenExchangeAuthenticationConverter.class */
public final class OAuth2TokenExchangeAuthenticationConverter implements AuthenticationConverter {
    private static final String TOKEN_TYPE_IDENTIFIERS_URI = "https://datatracker.ietf.org/doc/html/rfc8693#section-3";
    private static final String ACCESS_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:access_token";
    private static final String JWT_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:jwt";
    private static final Set<String> SUPPORTED_TOKEN_TYPES = Set.of(ACCESS_TOKEN_TYPE_VALUE, JWT_TOKEN_TYPE_VALUE);

    @Nullable
    public Authentication convert(HttpServletRequest httpServletRequest) {
        MultiValueMap<String, String> formParameters = OAuth2EndpointUtils.getFormParameters(httpServletRequest);
        if (!AuthorizationGrantType.TOKEN_EXCHANGE.getValue().equals((String) formParameters.getFirst("grant_type"))) {
            return null;
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        List list = (List) formParameters.getOrDefault("resource", Collections.emptyList());
        if (!CollectionUtils.isEmpty(list)) {
            Iterator it = list.iterator();
            while (it.hasNext()) {
                if (!isValidUri((String) it.next())) {
                    OAuth2EndpointUtils.throwError("invalid_request", "resource", "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2");
                }
            }
        }
        List list2 = (List) formParameters.getOrDefault("audience", Collections.emptyList());
        String str = (String) formParameters.getFirst(OidcClientMetadataClaimNames.SCOPE);
        if (StringUtils.hasText(str) && ((List) formParameters.get(OidcClientMetadataClaimNames.SCOPE)).size() != 1) {
            OAuth2EndpointUtils.throwError("invalid_request", OidcClientMetadataClaimNames.SCOPE, "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2");
        }
        HashSet hashSet = null;
        if (StringUtils.hasText(str)) {
            hashSet = new HashSet(Arrays.asList(StringUtils.delimitedListToStringArray(str, " ")));
        }
        String str2 = (String) formParameters.getFirst("requested_token_type");
        if (StringUtils.hasText(str2)) {
            if (((List) formParameters.get("requested_token_type")).size() != 1) {
                OAuth2EndpointUtils.throwError("invalid_request", "requested_token_type", "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2");
            }
            validateTokenType("requested_token_type", str2);
        } else {
            str2 = ACCESS_TOKEN_TYPE_VALUE;
        }
        String str3 = (String) formParameters.getFirst("subject_token");
        if (!StringUtils.hasText(str3) || ((List) formParameters.get("subject_token")).size() != 1) {
            OAuth2EndpointUtils.throwError("invalid_request", "subject_token", "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2");
        }
        String str4 = (String) formParameters.getFirst("subject_token_type");
        if (StringUtils.hasText(str4) && ((List) formParameters.get("subject_token_type")).size() == 1) {
            validateTokenType("subject_token_type", str4);
        } else {
            OAuth2EndpointUtils.throwError("invalid_request", "subject_token_type", "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2");
        }
        String str5 = (String) formParameters.getFirst("actor_token");
        if (StringUtils.hasText(str5) && ((List) formParameters.get("actor_token")).size() != 1) {
            OAuth2EndpointUtils.throwError("invalid_request", "actor_token", "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2");
        }
        String str6 = (String) formParameters.getFirst("actor_token_type");
        if (StringUtils.hasText(str6)) {
            if (((List) formParameters.get("actor_token_type")).size() != 1) {
                OAuth2EndpointUtils.throwError("invalid_request", "actor_token_type", "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2");
            }
            validateTokenType("actor_token_type", str6);
        }
        if (!StringUtils.hasText(str5) && StringUtils.hasText(str6)) {
            OAuth2EndpointUtils.throwError("invalid_request", "actor_token", "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2");
        } else if (StringUtils.hasText(str5) && !StringUtils.hasText(str6)) {
            OAuth2EndpointUtils.throwError("invalid_request", "actor_token_type", "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2");
        }
        HashMap hashMap = new HashMap();
        formParameters.forEach((str7, list3) -> {
            if (str7.equals("grant_type") || str7.equals("resource") || str7.equals("audience") || str7.equals("requested_token_type") || str7.equals("subject_token") || str7.equals("subject_token_type") || str7.equals("actor_token") || str7.equals("actor_token_type") || str7.equals(OidcClientMetadataClaimNames.SCOPE)) {
                return;
            }
            hashMap.put(str7, list3.size() == 1 ? list3.get(0) : list3.toArray(new String[0]));
        });
        OAuth2EndpointUtils.validateAndAddDPoPParametersIfAvailable(httpServletRequest, hashMap);
        return new OAuth2TokenExchangeAuthenticationToken(str2, str3, str4, authentication, str5, str6, new LinkedHashSet(list), new LinkedHashSet(list2), hashSet, hashMap);
    }

    private static void validateTokenType(String str, String str2) {
        if (!SUPPORTED_TOKEN_TYPES.contains(str2)) {
            throw new OAuth2AuthenticationException(new OAuth2Error("unsupported_token_type", String.format("OAuth 2.0 Token Exchange parameter: %s", str), TOKEN_TYPE_IDENTIFIERS_URI), String.format("OAuth 2.0 Token Exchange parameter: %s - The provided value is not supported by this authorization server. Supported values are %s and %s.", str, ACCESS_TOKEN_TYPE_VALUE, JWT_TOKEN_TYPE_VALUE));
        }
    }

    private static boolean isValidUri(String str) {
        try {
            URI uri = new URI(str);
            if (uri.isAbsolute()) {
                if (uri.getFragment() == null) {
                    return true;
                }
            }
            return false;
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
