package org.springframework.security.oauth2.server.resource.web.access;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/server/resource/web/access/BearerTokenAccessDeniedHandler.class */
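/**
 * Answers an {@link AccessDeniedException} with {@code 403 Forbidden} and a
 * {@code WWW-Authenticate: Bearer} challenge.
 *
 * <p>When the request principal is an {@link AbstractOAuth2TokenAuthenticationToken}, the
 * challenge carries {@code error}, {@code error_description}, {@code error_uri} and, if the
 * token has one, its {@code scope}. Otherwise only the optional {@code realm} is emitted.
 *
 * <p>Every parameter value is written as an HTTP quoted-string. Values derived from token
 * attributes or configuration are escaped first, so a double quote, backslash or control
 * character inside them cannot change the structure of the header.
 */
public final class BearerTokenAccessDeniedHandler implements AccessDeniedHandler {
    /** Token attribute names checked, in this order, for the scope carried by the token. */
    private static final Collection<String> WELL_KNOWN_SCOPE_ATTRIBUTE_NAMES = Arrays.asList("scope", "scp");

    /** Optional realm; when non-null it becomes the first challenge parameter. */
    private String realmName;

    /**
     * Writes the Bearer challenge header and sets the response status to 403.
     *
     * @param httpServletRequest the denied request; its user principal decides whether
     *        token-specific error details are added
     * @param httpServletResponse the response that receives the header and status
     * @param accessDeniedException the denial being handled (not inspected here)
     */
    @Override // org.springframework.security.web.access.AccessDeniedHandler
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException accessDeniedException) throws IOException, ServletException {
        // Insertion order is kept so the header parameters appear in a stable order.
        Map<String, String> parameters = new LinkedHashMap<>();
        if (this.realmName != null) {
            parameters.put("realm", this.realmName);
        }
        // Read the principal once so the type check and the cast see the same object.
        Object principal = httpServletRequest.getUserPrincipal();
        if (principal instanceof AbstractOAuth2TokenAuthenticationToken) {
            String scope = getScope((AbstractOAuth2TokenAuthenticationToken<?>) principal);
            parameters.put("error", BearerTokenErrorCodes.INSUFFICIENT_SCOPE);
            // NOTE(review): the token's scope is echoed back to the caller in the description;
            // confirm that disclosing it is acceptable for tokens the client cannot read itself.
            parameters.put(OAuth2ParameterNames.ERROR_DESCRIPTION, String.format("The token provided has insufficient scope [%s] for this request", scope));
            parameters.put(OAuth2ParameterNames.ERROR_URI, "https://tools.ietf.org/html/rfc6750#section-3.1");
            if (StringUtils.hasText(scope)) {
                parameters.put("scope", scope);
            }
        }
        httpServletResponse.addHeader("WWW-Authenticate", computeWWWAuthenticateHeaderValue(parameters));
        httpServletResponse.setStatus(HttpStatus.FORBIDDEN.value());
    }

    /**
     * Sets the realm advertised in the challenge.
     *
     * @param str the realm name, or {@code null} to omit the {@code realm} parameter
     */
    public final void setRealmName(String str) {
        this.realmName = str;
    }

    /**
     * Returns the scope found under the first well-known attribute name whose value is a
     * {@code String} or a {@code Collection}; collection elements are joined with single spaces.
     *
     * @return the scope string, or {@code ""} when no such attribute is present
     */
    private static String getScope(AbstractOAuth2TokenAuthenticationToken<?> token) {
        Map<String, Object> attributes = token.getTokenAttributes();
        for (String attributeName : WELL_KNOWN_SCOPE_ATTRIBUTE_NAMES) {
            Object value = attributes.get(attributeName);
            if (value instanceof String) {
                return (String) value;
            }
            if (value instanceof Collection) {
                return ((Collection<?>) value).stream().map(String::valueOf).collect(Collectors.joining(" "));
            }
        }
        return "";
    }

    /**
     * Builds the header value: {@code Bearer} alone for an empty map, otherwise {@code Bearer}
     * followed by comma-separated {@code key="value"} pairs in map order.
     */
    private static String computeWWWAuthenticateHeaderValue(Map<String, String> parameters) {
        if (parameters.isEmpty()) {
            return "Bearer";
        }
        return parameters.entrySet().stream()
                .map(entry -> entry.getKey() + "=\"" + escapeQuotedString(entry.getValue()) + "\"")
                .collect(Collectors.joining(", ", "Bearer ", ""));
    }

    /**
     * Makes a value safe to place between double quotes in a header parameter: backslash and
     * double quote are backslash-escaped, and control characters (including CR and LF) are
     * replaced by a space. Values without such characters are returned unchanged.
     */
    private static String escapeQuotedString(String value) {
        // A null value renders as "null", exactly as plain string concatenation would.
        String text = String.valueOf(value);
        StringBuilder escaped = new StringBuilder(text.length());
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c == '"' || c == '\\') {
                escaped.append('\\').append(c);
            } else if (c < 0x20 || c == 0x7f) {
                escaped.append(' ');
            } else {
                escaped.append(c);
            }
        }
        return escaped.toString();
    }
}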
