package org.springframework.security.oauth2.jwt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import java.net.URI;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClientResponseException;
import org.springframework.web.util.UriComponentsBuilder;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/spring-security-oauth2-jose-6.3.4.jar:org/springframework/security/oauth2/jwt/ReactiveJwtDecoderProviderConfigurationUtils.class */
public final class ReactiveJwtDecoderProviderConfigurationUtils {
    private static final String OIDC_METADATA_PATH = "/.well-known/openid-configuration";
    private static final String OAUTH_METADATA_PATH = "/.well-known/oauth-authorization-server";
    private static final ParameterizedTypeReference<Map<String, Object>> STRING_OBJECT_MAP = new ParameterizedTypeReference<Map<String, Object>>() { // from class: org.springframework.security.oauth2.jwt.ReactiveJwtDecoderProviderConfigurationUtils.1
    };

    /* JADX INFO: Access modifiers changed from: package-private */
    public static <C extends SecurityContext> Mono<ConfigurableJWTProcessor<C>> addJWSAlgorithms(ReactiveRemoteJWKSource reactiveRemoteJWKSource, ConfigurableJWTProcessor<C> configurableJWTProcessor) {
        JWSKeySelector<C> jWSKeySelector = configurableJWTProcessor.getJWSKeySelector();
        if (!(jWSKeySelector instanceof JWSVerificationKeySelector)) {
            return Mono.just(configurableJWTProcessor);
        }
        JWKSource jWKSource = ((JWSVerificationKeySelector) jWSKeySelector).getJWKSource();
        return getJWSAlgorithms(reactiveRemoteJWKSource).map(set -> {
            return new JWSVerificationKeySelector((Set<JWSAlgorithm>) set, jWKSource);
        }).map(jWSVerificationKeySelector -> {
            configurableJWTProcessor.setJWSKeySelector(jWSVerificationKeySelector);
            return configurableJWTProcessor;
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Mono<Set<JWSAlgorithm>> getJWSAlgorithms(ReactiveRemoteJWKSource reactiveRemoteJWKSource) {
        return reactiveRemoteJWKSource.get(new JWKSelector(new JWKMatcher.Builder().publicOnly(true).keyUses(KeyUse.SIGNATURE, null).keyTypes(KeyType.RSA, KeyType.EC).build())).map(list -> {
            HashSet hashSet = new HashSet();
            Iterator it = list.iterator();
            while (it.hasNext()) {
                JWK jwk = (JWK) it.next();
                if (jwk.getAlgorithm() != null) {
                    hashSet.add(JWSAlgorithm.parse(jwk.getAlgorithm().getName()));
                } else if (jwk.getKeyType() == KeyType.RSA) {
                    hashSet.addAll(JWSAlgorithm.Family.RSA);
                } else if (jwk.getKeyType() == KeyType.EC) {
                    hashSet.addAll(JWSAlgorithm.Family.EC);
                }
            }
            Assert.notEmpty(hashSet, "Failed to find any algorithms from the JWK set");
            return hashSet;
        }).onErrorMap(KeySourceException.class, (v1) -> {
            return new IllegalStateException(v1);
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Mono<Map<String, Object>> getConfigurationForIssuerLocation(String str, WebClient webClient) {
        URI create = URI.create(str);
        return getConfiguration(str, webClient, oidc(create), oidcRfc8414(create), oauth(create));
    }

    private static URI oidc(URI uri) {
        return UriComponentsBuilder.fromUri(uri).replacePath(uri.getPath() + "/.well-known/openid-configuration").build(Collections.emptyMap());
    }

    private static URI oidcRfc8414(URI uri) {
        return UriComponentsBuilder.fromUri(uri).replacePath("/.well-known/openid-configuration" + uri.getPath()).build(Collections.emptyMap());
    }

    private static URI oauth(URI uri) {
        return UriComponentsBuilder.fromUri(uri).replacePath("/.well-known/oauth-authorization-server" + uri.getPath()).build(Collections.emptyMap());
    }

    private static Mono<Map<String, Object>> getConfiguration(String str, WebClient webClient, URI... uriArr) {
        String str2 = "Unable to resolve the Configuration with the provided Issuer of \"" + str + "\"";
        return Flux.just((Object[]) uriArr).concatMap(uri -> {
            return webClient.get().uri(uri).retrieve().bodyToMono(STRING_OBJECT_MAP);
        }).flatMap(map -> {
            return map.get("jwks_uri") == null ? Mono.error((Supplier<? extends Throwable>) () -> {
                return new IllegalArgumentException("The public JWK set URI must not be null");
            }) : Mono.just(map);
        }).onErrorContinue(th -> {
            return (th instanceof WebClientResponseException) && ((WebClientResponseException) th).getStatusCode().is4xxClientError();
        }, (th2, obj) -> {
        }).onErrorMap(RuntimeException.class, runtimeException -> {
            return runtimeException instanceof IllegalArgumentException ? runtimeException : new IllegalArgumentException(str2, runtimeException);
        }).next().switchIfEmpty(Mono.error((Supplier<? extends Throwable>) () -> {
            return new IllegalArgumentException(str2);
        }));
    }

    private ReactiveJwtDecoderProviderConfigurationUtils() {
    }
}
