package org.springframework.boot.autoconfigure.security.oauth2.resource.reactive;

import com.itextpdf.text.pdf.security.SecurityConstants;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.security.oauth2.resource.IssuerUriCondition;
import org.springframework.boot.autoconfigure.security.oauth2.resource.KeyValueCondition;
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.web.server.SecurityWebFilterChain;

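/**
 * Auto-configuration for a reactive OAuth2 resource server that authenticates requests with JWTs.
 *
 * <p>Two nested configurations are contributed: {@link JwtConfiguration} supplies a
 * {@link ReactiveJwtDecoder} (from a JWK Set URI, a configured RSA public key, or an issuer
 * location), and {@link WebSecurityConfiguration} supplies a default
 * {@link SecurityWebFilterChain} that requires authentication on every exchange.
 *
 * <p>Security review notes: nothing in this class configures audience ({@code aud}) validation,
 * and an issuer ({@code iss}) validator is only set explicitly on the JWK Set URI path when
 * {@code issuer-uri} is also configured. Applications that need stricter claim checks can
 * register their own {@link ReactiveJwtDecoder} bean; {@link JwtConfiguration} is conditional
 * on that bean being absent.
 */
@Configuration(proxyBeanMethods = false)
/* loaded from: input_file:WEB-INF/lib/spring-boot-autoconfigure-2.2.1.RELEASE.jar:org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration.class */
class ReactiveOAuth2ResourceServerJwkConfiguration {

    /**
     * Contributes a {@link ReactiveJwtDecoder} unless the application already defines one.
     * Which factory method is active depends on the condition attached to each bean method.
     */
    @ConditionalOnMissingBean({ReactiveJwtDecoder.class})
    @Configuration(proxyBeanMethods = false)
    /* loaded from: input_file:WEB-INF/lib/spring-boot-autoconfigure-2.2.1.RELEASE.jar:org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration$JwtConfiguration.class */
    static class JwtConfiguration {
        // Standard JCA algorithm name, spelled out here so key handling does not rely on a
        // constant borrowed from an unrelated (PDF) library.
        private static final String RSA_ALGORITHM = "RSA";

        // PEM armor lines removed before Base64 decoding. Only the generic "PUBLIC KEY"
        // (X.509 SubjectPublicKeyInfo) label is handled; other PEM labels are not stripped.
        private static final String PEM_HEADER = "-----BEGIN PUBLIC KEY-----";
        private static final String PEM_FOOTER = "-----END PUBLIC KEY-----";

        // The spring.security.oauth2.resourceserver.jwt.* settings.
        private final OAuth2ResourceServerProperties.Jwt properties;

        JwtConfiguration(OAuth2ResourceServerProperties oAuth2ResourceServerProperties) {
            this.properties = oAuth2ResourceServerProperties.getJwt();
        }

        /**
         * Builds a decoder that verifies signatures against the keys published at the configured
         * JWK Set URI.
         *
         * <p>An issuer validator is installed only when {@code issuer-uri} is configured as well.
         * Without it, this method sets no validator and the decoder keeps whatever default it was
         * constructed with, so the {@code iss} claim is not pinned here. Configuring
         * {@code issuer-uri} alongside {@code jwk-set-uri} is the safer deployment.
         *
         * @return the decoder bean
         */
        @ConditionalOnProperty(name = {"spring.security.oauth2.resourceserver.jwt.jwk-set-uri"})
        @Bean
        ReactiveJwtDecoder jwtDecoder() {
            NimbusReactiveJwtDecoder decoder = new NimbusReactiveJwtDecoder(this.properties.getJwkSetUri());
            String issuerUri = this.properties.getIssuerUri();
            if (issuerUri != null) {
                decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri));
            }
            return decoder;
        }

        /**
         * Builds a decoder that verifies signatures against a single, statically configured RSA
         * public key.
         *
         * <p>The key text comes from {@code properties.readPublicKey()} and is expected to be an
         * X.509-encoded RSA public key in PEM form. No validator is configured on this path and
         * {@code issuer-uri} is not consulted, so claim validation is whatever the builder applies
         * by default (NOTE(review): confirm against the Spring Security version in use). A static
         * key also means key rotation requires a configuration change.
         *
         * @return the decoder bean
         * @throws Exception if the key material cannot be read, decoded, or parsed as an RSA key
         */
        @Conditional({KeyValueCondition.class})
        @Bean
        NimbusReactiveJwtDecoder jwtDecoderByPublicKeyValue() throws Exception {
            byte[] encodedKey = getKeySpec(this.properties.readPublicKey());
            KeyFactory keyFactory = KeyFactory.getInstance(RSA_ALGORITHM);
            RSAPublicKey publicKey = (RSAPublicKey) keyFactory.generatePublic(new X509EncodedKeySpec(encodedKey));
            return NimbusReactiveJwtDecoder.withPublicKey(publicKey).build();
        }

        /**
         * Strips the PEM armor from a public key and Base64-decodes the remainder.
         *
         * <p>The MIME decoder is used because it ignores line separators and any other character
         * outside the Base64 alphabet. That tolerance also means stray characters are dropped
         * silently rather than rejected, so a malformed key is reported later, when the bytes are
         * parsed as a key specification, and not here.
         *
         * @param str PEM text of the public key
         * @return the decoded key bytes
         */
        private byte[] getKeySpec(String str) {
            String base64Body = str.replace(PEM_HEADER, "").replace(PEM_FOOTER, "");
            return Base64.getMimeDecoder().decode(base64Body);
        }

        /**
         * Builds a decoder by resolving the configured issuer location.
         *
         * @return the decoder bean
         */
        @Conditional({IssuerUriCondition.class})
        @Bean
        ReactiveJwtDecoder jwtDecoderByIssuerUri() {
            return ReactiveJwtDecoders.fromIssuerLocation(this.properties.getIssuerUri());
        }
    }

    /**
     * Contributes the default security filter chain unless the application defines its own
     * {@link SecurityWebFilterChain}.
     */
    @ConditionalOnMissingBean({SecurityWebFilterChain.class})
    @Configuration(proxyBeanMethods = false)
    /* loaded from: input_file:WEB-INF/lib/spring-boot-autoconfigure-2.2.1.RELEASE.jar:org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration$WebSecurityConfiguration.class */
    static class WebSecurityConfiguration {
        WebSecurityConfiguration() {
        }

        /**
         * Creates a filter chain in which every exchange must be authenticated and bearer tokens
         * are decoded with the supplied {@link ReactiveJwtDecoder}.
         *
         * <p>The rule is authentication only: no per-path, scope, or role authorization is
         * configured here. An application that defines its own {@link SecurityWebFilterChain}
         * replaces this default entirely, including the "authenticated everywhere" rule.
         *
         * @param serverHttpSecurity the security builder to configure
         * @param reactiveJwtDecoder the decoder used to verify incoming JWTs
         * @return the built filter chain
         */
        @ConditionalOnBean({ReactiveJwtDecoder.class})
        @Bean
        SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity serverHttpSecurity, ReactiveJwtDecoder reactiveJwtDecoder) {
            serverHttpSecurity.authorizeExchange(exchanges -> exchanges.anyExchange().authenticated());
            serverHttpSecurity.oauth2ResourceServer(resourceServer -> customDecoder(resourceServer, reactiveJwtDecoder));
            return serverHttpSecurity.build();
        }

        /**
         * Registers the given decoder as the JWT decoder of the resource server.
         *
         * @param oAuth2ResourceServerSpec the resource server spec being configured
         * @param reactiveJwtDecoder the decoder to install
         */
        private void customDecoder(ServerHttpSecurity.OAuth2ResourceServerSpec oAuth2ResourceServerSpec, ReactiveJwtDecoder reactiveJwtDecoder) {
            oAuth2ResourceServerSpec.jwt(jwt -> jwt.jwtDecoder(reactiveJwtDecoder));
        }
    }

    ReactiveOAuth2ResourceServerJwkConfiguration() {
    }
}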
