package org.springframework.security.oauth2.jwt;

import com.nimbusds.jose.Header;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.source.JWKSecurityContextJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWKSecurityContext;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.proc.SingleKeyJWSKeySelector;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTProcessor;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiFunction;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.crypto.SecretKey;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;
import reactor.util.function.Tuple2;
import reactor.util.function.Tuples;

/* loaded from: input_file:WEB-INF/lib/spring-security-oauth2-jose-6.3.4.jar:org/springframework/security/oauth2/jwt/NimbusReactiveJwtDecoder.class */
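/**
 * A {@link ReactiveJwtDecoder} backed by the Nimbus JOSE + JWT library.
 *
 * <p>Signature verification and key selection are delegated to a Nimbus {@link JWTProcessor}
 * wrapped in the {@code jwtProcessor} converter. Claim validation (expiry, issuer, ...) is
 * not done by Nimbus: every builder installs a no-op Nimbus claims-set verifier, and the
 * configured {@link OAuth2TokenValidator} (default {@link JwtValidators#createDefault()}) is
 * applied afterwards in {@link #validateJwt(Jwt)}. Replacing the validator therefore
 * replaces all claim checks.
 *
 * <p>Unsigned ({@link PlainJWT}) tokens are rejected in {@link #decode(String)} before any
 * key lookup takes place.
 *
 * <p>Decompiler artifacts of the original listing (raw types, a bogus {@code (JWT)} cast on
 * the security context, visibility widened by the decompiler) have been restored to the
 * visibility the decompiler itself reported for the compiled class.
 */
public final class NimbusReactiveJwtDecoder implements ReactiveJwtDecoder {

    /** Parses and verifies the signature; returns the Nimbus claims set on success. */
    private final Converter<JWT, Mono<JWTClaimsSet>> jwtProcessor;

    /** Post-verification claim validation; the only claim check applied (see class Javadoc). */
    private OAuth2TokenValidator<Jwt> jwtValidator;

    /** Converts the raw Nimbus claims map into the map exposed on the resulting {@link Jwt}. */
    private Converter<Map<String, Object>, Map<String, Object>> claimSetConverter;

    /**
     * Builds a decoder whose verification keys are fetched from a remote JWK Set URI.
     *
     * <p>The allowed JWS algorithms are taken from {@link #jwsAlgorithm(SignatureAlgorithm)} /
     * {@link #jwsAlgorithms(Consumer)}; when none is configured, {@code defaultAlgorithms}
     * decides (RS256 unless the builder was created through
     * {@link NimbusReactiveJwtDecoder#withIssuerLocation(String)}).
     */
    public static final class JwkSetUriReactiveJwtDecoderBuilder {

        /** Successfully built processors are cached indefinitely; errors and empty results are not cached. */
        private static final Duration FOREVER = Duration.ofMillis(Long.MAX_VALUE);

        private final Function<WebClient, Mono<String>> jwkSetUri;

        private final Function<ReactiveRemoteJWKSource, Mono<Set<JWSAlgorithm>>> defaultAlgorithms;

        private final Set<SignatureAlgorithm> signatureAlgorithms = new HashSet<>();

        private WebClient webClient = WebClient.create();

        private BiFunction<ReactiveRemoteJWKSource, ConfigurableJWTProcessor<JWKSecurityContext>, Mono<ConfigurableJWTProcessor<JWKSecurityContext>>> jwtProcessorCustomizer = (
                jwkSource, processor) -> Mono.just(processor);

        /**
         * Creates a builder for a fixed JWK Set URI.
         * @param jwkSetUri the JWK Set URI
         * @throws IllegalArgumentException if {@code jwkSetUri} is empty
         */
        private JwkSetUriReactiveJwtDecoderBuilder(String jwkSetUri) {
            Assert.hasText(jwkSetUri, "jwkSetUri cannot be empty");
            this.jwkSetUri = (webClient) -> Mono.just(jwkSetUri);
            this.defaultAlgorithms = (jwkSource) -> Mono.just(Set.of(JWSAlgorithm.RS256));
        }

        /**
         * Creates a builder whose JWK Set URI and default algorithms are resolved lazily,
         * typically from provider metadata.
         * @param jwkSetUri resolves the JWK Set URI using the configured {@link WebClient}
         * @param defaultAlgorithms resolves the allowed algorithms when none is configured explicitly
         * @throws IllegalArgumentException if either function is {@code null}
         */
        private JwkSetUriReactiveJwtDecoderBuilder(Function<WebClient, Mono<String>> jwkSetUri,
                Function<ReactiveRemoteJWKSource, Mono<Set<JWSAlgorithm>>> defaultAlgorithms) {
            Assert.notNull(jwkSetUri, "jwkSetUri cannot be null");
            Assert.notNull(defaultAlgorithms, "defaultAlgorithms cannot be null");
            this.jwkSetUri = jwkSetUri;
            this.defaultAlgorithms = defaultAlgorithms;
        }

        /**
         * Adds a signature algorithm to the set the decoder will accept.
         * @param signatureAlgorithm the algorithm to allow
         * @return this builder
         */
        public JwkSetUriReactiveJwtDecoderBuilder jwsAlgorithm(SignatureAlgorithm signatureAlgorithm) {
            Assert.notNull(signatureAlgorithm, "sig cannot be null");
            this.signatureAlgorithms.add(signatureAlgorithm);
            return this;
        }

        /**
         * Gives the caller direct access to the mutable set of accepted signature algorithms.
         * @param consumer receives the live set; additions and removals take effect
         * @return this builder
         */
        public JwkSetUriReactiveJwtDecoderBuilder jwsAlgorithms(Consumer<Set<SignatureAlgorithm>> consumer) {
            Assert.notNull(consumer, "signatureAlgorithmsConsumer cannot be null");
            consumer.accept(this.signatureAlgorithms);
            return this;
        }

        /**
         * Sets the {@link WebClient} used to fetch the JWK Set (and, for issuer-location
         * builders, the provider metadata).
         * @param webClient the client to use
         * @return this builder
         */
        public JwkSetUriReactiveJwtDecoderBuilder webClient(WebClient webClient) {
            Assert.notNull(webClient, "webClient cannot be null");
            this.webClient = webClient;
            return this;
        }

        /**
         * Customizes the Nimbus processor after its key selector has been installed.
         * @param consumer the customizer
         * @return this builder
         */
        public JwkSetUriReactiveJwtDecoderBuilder jwtProcessorCustomizer(
                Consumer<ConfigurableJWTProcessor<JWKSecurityContext>> consumer) {
            Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = (jwkSource, processor) -> {
                consumer.accept(processor);
                return Mono.just(processor);
            };
            return this;
        }

        /**
         * Reactive variant of {@link #jwtProcessorCustomizer(Consumer)} that also receives the
         * remote JWK source. Package-private in the compiled class (the decompiler had widened it).
         * @param jwtProcessorCustomizer the customizer
         * @return this builder
         */
        JwkSetUriReactiveJwtDecoderBuilder jwtProcessorCustomizer(
                BiFunction<ReactiveRemoteJWKSource, ConfigurableJWTProcessor<JWKSecurityContext>, Mono<ConfigurableJWTProcessor<JWKSecurityContext>>> jwtProcessorCustomizer) {
            Assert.notNull(jwtProcessorCustomizer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = jwtProcessorCustomizer;
            return this;
        }

        /**
         * Builds the decoder.
         * @return a new {@link NimbusReactiveJwtDecoder}
         */
        public NimbusReactiveJwtDecoder build() {
            return new NimbusReactiveJwtDecoder(processor());
        }

        /**
         * Creates the key selector that restricts which JWS algorithms are accepted.
         * @param jwkSource the remote JWK source (only consulted for the default algorithms)
         * @return a selector allowing either the explicitly configured algorithms or the defaults
         */
        Mono<JWSKeySelector<JWKSecurityContext>> jwsKeySelector(ReactiveRemoteJWKSource jwkSource) {
            JWKSecurityContextJWKSet jwkSet = new JWKSecurityContextJWKSet();
            if (this.signatureAlgorithms.isEmpty()) {
                return this.defaultAlgorithms.apply(jwkSource)
                        .map((defaults) -> new JWSVerificationKeySelector<JWKSecurityContext>(defaults, jwkSet));
            }
            Set<JWSAlgorithm> algorithms = new HashSet<>();
            for (SignatureAlgorithm algorithm : this.signatureAlgorithms) {
                algorithms.add(JWSAlgorithm.parse(algorithm.getName()));
            }
            JWSKeySelector<JWKSecurityContext> selector = new JWSVerificationKeySelector<>(algorithms, jwkSet);
            return Mono.just(selector);
        }

        /**
         * Builds the converter that verifies a token against keys fetched from the JWK Set URI.
         *
         * <p>Only the configured processor and its algorithm allow-list are cached; the keys
         * themselves are requested from the {@link ReactiveRemoteJWKSource} on every decode,
         * using a selector derived from the token header.
         * @return the verifying converter
         */
        Converter<JWT, Mono<JWTClaimsSet>> processor() {
            DefaultJWTProcessor<JWKSecurityContext> processor = new DefaultJWTProcessor<>();
            // Claims are validated by NimbusReactiveJwtDecoder.jwtValidator, not by Nimbus.
            processor.setJWTClaimsSetVerifier((claims, context) -> {
            });
            ReactiveRemoteJWKSource jwkSource = new ReactiveRemoteJWKSource(this.jwkSetUri.apply(this.webClient));
            jwkSource.setWebClient(this.webClient);
            Mono<Tuple2<ConfigurableJWTProcessor<JWKSecurityContext>, Function<JWSAlgorithm, Boolean>>> cache = jwsKeySelector(
                    jwkSource)
                .flatMap((selector) -> {
                    processor.setJWSKeySelector(selector);
                    return this.jwtProcessorCustomizer.apply(jwkSource, processor);
                })
                .map((customized) -> Tuples.of(customized, getExpectedJwsAlgorithms(customized.getJWSKeySelector())))
                // Success is cached forever; failures and empties are retried on the next decode.
                .cache((tuple) -> FOREVER, (ex) -> Duration.ZERO, () -> Duration.ZERO);
            return (jwt) -> cache.flatMap((tuple) -> {
                JWTProcessor<JWKSecurityContext> jwtProcessor = tuple.getT1();
                return jwkSource.get(createSelector(tuple.getT2(), jwt.getHeader()))
                        .onErrorMap((ex) -> new IllegalStateException("Could not obtain the keys", ex))
                        .map((keys) -> createClaimsSet(jwtProcessor, jwt, new JWKSecurityContext(keys)));
            });
        }

        /**
         * Extracts the algorithm allow-list from the processor's key selector.
         * @param jwsKeySelector the selector installed on the processor (possibly replaced by a customizer)
         * @return a predicate telling whether a header algorithm is accepted
         * @throws IllegalArgumentException if the selector is not a {@link JWSVerificationKeySelector}
         */
        private Function<JWSAlgorithm, Boolean> getExpectedJwsAlgorithms(JWSKeySelector<?> jwsKeySelector) {
            if (!(jwsKeySelector instanceof JWSVerificationKeySelector)) {
                throw new IllegalArgumentException("Unsupported key selector type " + jwsKeySelector.getClass());
            }
            JWSVerificationKeySelector<?> verificationKeySelector = (JWSVerificationKeySelector<?>) jwsKeySelector;
            return verificationKeySelector::isAllowed;
        }

        /**
         * Builds the JWK selector for a token header, after checking the header's {@code alg}
         * against the allow-list. The check happens before any key is matched, so a token
         * cannot steer key selection with an algorithm the decoder was not configured for.
         * @param expectedJwsAlgorithms the allow-list predicate
         * @param header the token header
         * @return a selector matching keys for the header
         * @throws BadJwtException if the header algorithm is not allowed
         */
        private JWKSelector createSelector(Function<JWSAlgorithm, Boolean> expectedJwsAlgorithms, Header header) {
            JWSHeader jwsHeader = (JWSHeader) header;
            if (!expectedJwsAlgorithms.apply(jwsHeader.getAlgorithm())) {
                throw new BadJwtException("Unsupported algorithm of " + header.getAlgorithm());
            }
            return new JWKSelector(JWKMatcher.forJWSHeader(jwsHeader));
        }

    }

    /**
     * Builds a decoder that obtains candidate keys for each token from a caller-supplied
     * {@link Function}, for example one that looks the key up by {@code kid}.
     */
    public static final class JwkSourceReactiveJwtDecoderBuilder {

        private final Function<SignedJWT, Flux<JWK>> jwkSource;

        private JWSAlgorithm jwsAlgorithm = JWSAlgorithm.RS256;

        private Consumer<ConfigurableJWTProcessor<JWKSecurityContext>> jwtProcessorCustomizer = (processor) -> {
        };

        /**
         * @param jwkSource produces the candidate keys for a signed token
         * @throws IllegalArgumentException if {@code jwkSource} is {@code null}
         */
        private JwkSourceReactiveJwtDecoderBuilder(Function<SignedJWT, Flux<JWK>> jwkSource) {
            Assert.notNull(jwkSource, "jwkSource cannot be null");
            this.jwkSource = jwkSource;
        }

        /**
         * Sets the single JWS algorithm the decoder accepts (default RS256).
         * @param jwsAlgorithm the algorithm
         * @return this builder
         */
        public JwkSourceReactiveJwtDecoderBuilder jwsAlgorithm(JwsAlgorithm jwsAlgorithm) {
            Assert.notNull(jwsAlgorithm, "jwsAlgorithm cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(jwsAlgorithm.getName());
            return this;
        }

        /**
         * Customizes the Nimbus processor after its key selector has been installed.
         * @param consumer the customizer
         * @return this builder
         */
        public JwkSourceReactiveJwtDecoderBuilder jwtProcessorCustomizer(
                Consumer<ConfigurableJWTProcessor<JWKSecurityContext>> consumer) {
            Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = consumer;
            return this;
        }

        /**
         * Builds the decoder.
         * @return a new {@link NimbusReactiveJwtDecoder}
         */
        public NimbusReactiveJwtDecoder build() {
            return new NimbusReactiveJwtDecoder(processor());
        }

        /**
         * Builds the converter; non-signed tokens are rejected before the key source is consulted.
         * @return the verifying converter
         */
        Converter<JWT, Mono<JWTClaimsSet>> processor() {
            JWSVerificationKeySelector<JWKSecurityContext> keySelector = new JWSVerificationKeySelector<>(
                    this.jwsAlgorithm, new JWKSecurityContextJWKSet());
            DefaultJWTProcessor<JWKSecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            // Claims are validated by NimbusReactiveJwtDecoder.jwtValidator, not by Nimbus.
            processor.setJWTClaimsSetVerifier((claims, context) -> {
            });
            this.jwtProcessorCustomizer.accept(processor);
            return (jwt) -> {
                if (!(jwt instanceof SignedJWT)) {
                    throw new BadJwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm());
                }
                return this.jwkSource.apply((SignedJWT) jwt)
                        .onErrorMap((ex) -> new IllegalStateException("Could not obtain the keys", ex))
                        .collectList()
                        .map((keys) -> createClaimsSet(processor, jwt, new JWKSecurityContext(keys)));
            };
        }

    }

    /**
     * Builds a decoder that verifies every token with one RSA public key.
     */
    public static final class PublicKeyReactiveJwtDecoderBuilder {

        private final RSAPublicKey key;

        private JWSAlgorithm jwsAlgorithm = JWSAlgorithm.RS256;

        private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer = (processor) -> {
        };

        /**
         * @param key the RSA public key
         * @throws IllegalArgumentException if {@code key} is {@code null}
         */
        private PublicKeyReactiveJwtDecoderBuilder(RSAPublicKey key) {
            Assert.notNull(key, "key cannot be null");
            this.key = key;
        }

        /**
         * Sets the signature algorithm (default RS256); it must be an RSA algorithm, which
         * {@link #processor()} enforces.
         * @param signatureAlgorithm the algorithm
         * @return this builder
         */
        public PublicKeyReactiveJwtDecoderBuilder signatureAlgorithm(SignatureAlgorithm signatureAlgorithm) {
            Assert.notNull(signatureAlgorithm, "signatureAlgorithm cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(signatureAlgorithm.getName());
            return this;
        }

        /**
         * Customizes the Nimbus processor after its key selector has been installed.
         * @param consumer the customizer
         * @return this builder
         */
        public PublicKeyReactiveJwtDecoderBuilder jwtProcessorCustomizer(
                Consumer<ConfigurableJWTProcessor<SecurityContext>> consumer) {
            Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = consumer;
            return this;
        }

        /**
         * Builds the decoder.
         * @return a new {@link NimbusReactiveJwtDecoder}
         */
        public NimbusReactiveJwtDecoder build() {
            return new NimbusReactiveJwtDecoder(processor());
        }

        /**
         * Builds the converter.
         * @return the verifying converter
         * @throws IllegalStateException if the configured algorithm is not in the RSA family
         */
        Converter<JWT, Mono<JWTClaimsSet>> processor() {
            // Refuse a key/algorithm mismatch up front rather than at the first decode.
            Assert.state(JWSAlgorithm.Family.RSA.contains(this.jwsAlgorithm),
                    () -> "The provided key is of type RSA; however the signature algorithm is of some other type: "
                            + this.jwsAlgorithm + ". Please indicate one of RS256, RS384, or RS512.");
            SingleKeyJWSKeySelector<SecurityContext> keySelector = new SingleKeyJWSKeySelector<>(this.jwsAlgorithm,
                    this.key);
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            // Claims are validated by NimbusReactiveJwtDecoder.jwtValidator, not by Nimbus.
            processor.setJWTClaimsSetVerifier((claims, context) -> {
            });
            this.jwtProcessorCustomizer.accept(processor);
            return (jwt) -> Mono.fromCallable(() -> createClaimsSet(processor, jwt, null));
        }

    }

    /**
     * Builds a decoder that verifies every token with one shared secret (HMAC).
     */
    public static final class SecretKeyReactiveJwtDecoderBuilder {

        private final SecretKey secretKey;

        private JWSAlgorithm jwsAlgorithm = JWSAlgorithm.HS256;

        private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer = (processor) -> {
        };

        /**
         * @param secretKey the MAC key
         * @throws IllegalArgumentException if {@code secretKey} is {@code null}
         */
        private SecretKeyReactiveJwtDecoderBuilder(SecretKey secretKey) {
            Assert.notNull(secretKey, "secretKey cannot be null");
            this.secretKey = secretKey;
        }

        /**
         * Sets the MAC algorithm (default HS256). Accepting only a {@link MacAlgorithm} here
         * keeps asymmetric algorithms from ever being paired with the shared secret.
         * @param macAlgorithm the algorithm
         * @return this builder
         */
        public SecretKeyReactiveJwtDecoderBuilder macAlgorithm(MacAlgorithm macAlgorithm) {
            Assert.notNull(macAlgorithm, "macAlgorithm cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(macAlgorithm.getName());
            return this;
        }

        /**
         * Customizes the Nimbus processor after its key selector has been installed.
         * @param consumer the customizer
         * @return this builder
         */
        public SecretKeyReactiveJwtDecoderBuilder jwtProcessorCustomizer(
                Consumer<ConfigurableJWTProcessor<SecurityContext>> consumer) {
            Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = consumer;
            return this;
        }

        /**
         * Builds the decoder.
         * @return a new {@link NimbusReactiveJwtDecoder}
         */
        public NimbusReactiveJwtDecoder build() {
            return new NimbusReactiveJwtDecoder(processor());
        }

        /**
         * Builds the converter.
         * @return the verifying converter
         */
        Converter<JWT, Mono<JWTClaimsSet>> processor() {
            SingleKeyJWSKeySelector<SecurityContext> keySelector = new SingleKeyJWSKeySelector<>(this.jwsAlgorithm,
                    this.secretKey);
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            // Claims are validated by NimbusReactiveJwtDecoder.jwtValidator, not by Nimbus.
            processor.setJWTClaimsSetVerifier((claims, context) -> {
            });
            this.jwtProcessorCustomizer.accept(processor);
            return (jwt) -> Mono.fromCallable(() -> createClaimsSet(processor, jwt, null));
        }

    }

    /**
     * Creates a decoder that fetches keys from the given JWK Set URI, accepting RS256 only.
     * @param jwkSetUrl the JWK Set URI
     */
    public NimbusReactiveJwtDecoder(String jwkSetUrl) {
        this(withJwkSetUri(jwkSetUrl).processor());
    }

    /**
     * Creates a decoder that verifies with the given RSA public key (RS256).
     * @param publicKey the public key
     */
    public NimbusReactiveJwtDecoder(RSAPublicKey publicKey) {
        this(withPublicKey(publicKey).processor());
    }

    /**
     * Creates a decoder around a caller-supplied verifying converter, with the default
     * validator and claim-set converter.
     * @param jwtProcessor parses and verifies the token; see the builders for implementations
     */
    public NimbusReactiveJwtDecoder(Converter<JWT, Mono<JWTClaimsSet>> jwtProcessor) {
        this.jwtValidator = JwtValidators.createDefault();
        this.claimSetConverter = MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());
        this.jwtProcessor = jwtProcessor;
    }

    /**
     * Replaces the claim validator. Because Nimbus claim verification is disabled, this
     * validator is the only claim check the decoder performs.
     * @param jwtValidator the validator
     */
    public void setJwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
        Assert.notNull(jwtValidator, "jwtValidator cannot be null");
        this.jwtValidator = jwtValidator;
    }

    /**
     * Replaces the converter applied to the claims map before the {@link Jwt} is built.
     * @param claimSetConverter the converter
     */
    public void setClaimSetConverter(Converter<Map<String, Object>, Map<String, Object>> claimSetConverter) {
        Assert.notNull(claimSetConverter, "claimSetConverter cannot be null");
        this.claimSetConverter = claimSetConverter;
    }

    /**
     * Parses, verifies and validates a compact-serialized token.
     * @param token the compact serialization
     * @return the decoded {@link Jwt}, or an error signal carrying a {@link BadJwtException}
     * for unparseable or unsigned tokens and a {@link JwtException} for other failures
     */
    @Override
    public Mono<Jwt> decode(String token) {
        try {
            JWT jwt = JWTParser.parse(token);
            if (jwt instanceof PlainJWT) {
                // Unsigned tokens are never accepted, whatever the configured key source.
                return Mono.error(new BadJwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm()));
            }
            return decode(jwt);
        }
        catch (Exception ex) {
            return Mono.error(new BadJwtException(
                    "An error occurred while attempting to decode the Jwt: " + ex.getMessage(), ex));
        }
    }

    /**
     * Verifies and validates an already-parsed token.
     * @param parsedToken the parsed token
     * @return the decoded {@link Jwt}; errors other than {@link IllegalStateException} and
     * {@link JwtException} are wrapped in a {@link JwtException}
     */
    private Mono<Jwt> decode(JWT parsedToken) {
        try {
            return this.jwtProcessor.convert(parsedToken)
                    .map((claimsSet) -> createJwt(parsedToken, claimsSet))
                    .map(this::validateJwt)
                    .onErrorMap((ex) -> !(ex instanceof IllegalStateException) && !(ex instanceof JwtException),
                            (ex) -> new JwtException("An error occurred while attempting to decode the Jwt: ", ex));
        }
        catch (JwtException ex) {
            throw ex;
        }
        catch (RuntimeException ex) {
            throw new JwtException("An error occurred while attempting to decode the Jwt: " + ex.getMessage(), ex);
        }
    }

    /**
     * Assembles the Spring {@link Jwt} from the verified Nimbus token and claims set.
     * @param parsedJwt the parsed token (headers and original string)
     * @param jwtClaimsSet the verified claims
     * @return the {@link Jwt}
     * @throws BadJwtException if header or claim conversion fails
     */
    private Jwt createJwt(JWT parsedJwt, JWTClaimsSet jwtClaimsSet) {
        try {
            Map<String, Object> headers = new LinkedHashMap<>(parsedJwt.getHeader().toJSONObject());
            Map<String, Object> claims = this.claimSetConverter.convert(jwtClaimsSet.getClaims());
            return Jwt.withTokenValue(parsedJwt.getParsedString())
                    .headers((h) -> h.putAll(headers))
                    .claims((c) -> c.putAll(claims))
                    .build();
        }
        catch (Exception ex) {
            throw new BadJwtException("An error occurred while attempting to decode the Jwt: " + ex.getMessage(), ex);
        }
    }

    /**
     * Runs the configured {@link OAuth2TokenValidator}.
     * @param jwt the decoded token
     * @return {@code jwt} when validation passes
     * @throws JwtValidationException carrying every reported {@link OAuth2Error} otherwise
     */
    private Jwt validateJwt(Jwt jwt) {
        OAuth2TokenValidatorResult result = this.jwtValidator.validate(jwt);
        if (!result.hasErrors()) {
            return jwt;
        }
        Collection<OAuth2Error> errors = result.getErrors();
        throw new JwtValidationException(getJwtValidationExceptionMessage(errors), errors);
    }

    /**
     * Picks the first non-empty error description as the exception message.
     * @param errors the validation errors
     * @return the first description, or a generic message when none has one
     */
    private String getJwtValidationExceptionMessage(Collection<OAuth2Error> errors) {
        for (OAuth2Error error : errors) {
            if (StringUtils.hasLength(error.getDescription())) {
                return error.getDescription();
            }
        }
        return "Unable to validate Jwt";
    }

    /**
     * Creates a builder that discovers the JWK Set URI and supported algorithms from the
     * issuer's provider configuration. The metadata's {@code issuer} is checked against
     * {@code issuer} before the {@code jwks_uri} is used.
     * @param issuer the issuer location
     * @return a builder
     */
    public static JwkSetUriReactiveJwtDecoderBuilder withIssuerLocation(String issuer) {
        return new JwkSetUriReactiveJwtDecoderBuilder((webClient) -> ReactiveJwtDecoderProviderConfigurationUtils
            .getConfigurationForIssuerLocation(issuer, webClient)
            .flatMap((configuration) -> {
                try {
                    JwtDecoderProviderConfigurationUtils.validateIssuer(configuration, issuer);
                    // NOTE(review): metadata without "jwks_uri" fails here with a NullPointerException
                    // rather than a descriptive error — consider an explicit check.
                    return Mono.just(configuration.get("jwks_uri").toString());
                }
                catch (IllegalStateException ex) {
                    return Mono.error(ex);
                }
            }), ReactiveJwtDecoderProviderConfigurationUtils::getJWSAlgorithms);
    }

    /**
     * Creates a builder for a fixed JWK Set URI.
     * @param jwkSetUri the JWK Set URI
     * @return a builder
     */
    public static JwkSetUriReactiveJwtDecoderBuilder withJwkSetUri(String jwkSetUri) {
        return new JwkSetUriReactiveJwtDecoderBuilder(jwkSetUri);
    }

    /**
     * Creates a builder for a single RSA public key.
     * @param key the public key
     * @return a builder
     */
    public static PublicKeyReactiveJwtDecoderBuilder withPublicKey(RSAPublicKey key) {
        return new PublicKeyReactiveJwtDecoderBuilder(key);
    }

    /**
     * Creates a builder for a single shared secret.
     * @param secretKey the MAC key
     * @return a builder
     */
    public static SecretKeyReactiveJwtDecoderBuilder withSecretKey(SecretKey secretKey) {
        return new SecretKeyReactiveJwtDecoderBuilder(secretKey);
    }

    /**
     * Creates a builder whose keys are produced per token by {@code source}.
     * @param source produces the candidate keys for a signed token
     * @return a builder
     */
    public static JwkSourceReactiveJwtDecoderBuilder withJwkSource(Function<SignedJWT, Flux<JWK>> source) {
        return new JwkSourceReactiveJwtDecoderBuilder(source);
    }

    /**
     * Runs the Nimbus processor (key selection and signature verification) and translates its
     * checked exceptions. Private in the compiled class; the nested builders reach it as
     * nest members. The decompiled listing cast the context to {@code JWT}, which cannot be
     * right — the context is passed through as-is.
     * @param jwtProcessor the configured processor
     * @param parsedToken the token to verify
     * @param context the security context (may be {@code null} for single-key processors)
     * @param <C> the context type
     * @return the verified claims
     * @throws BadJwtException when Nimbus rejects the token
     * @throws JwtException on other JOSE failures
     */
    private static <C extends SecurityContext> JWTClaimsSet createClaimsSet(JWTProcessor<C> jwtProcessor,
            JWT parsedToken, C context) {
        try {
            return jwtProcessor.process(parsedToken, context);
        }
        catch (JOSEException ex) {
            throw new JwtException("Failed to validate the token", ex);
        }
        catch (BadJOSEException ex) {
            throw new BadJwtException("Failed to validate the token", ex);
        }
    }

}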
