package com.tongweb.springboot.autoconfigure.security.oauth2.resource.reactive;

import com.nimbusds.jose.Header;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTProcessor;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Function;
import javax.crypto.SecretKey;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidationException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/* loaded from: input_file:com/tongweb/springboot/autoconfigure/security/oauth2/resource/reactive/TongWebNimbusReactiveJwtDecoder.class */
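/**
 * Reactive {@link ReactiveJwtDecoder} that parses a compact-serialised JWT, verifies its JWS
 * signature through a Nimbus {@link JWTProcessor}, converts the claim set and then runs the
 * configured {@link OAuth2TokenValidator}.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>Unsecured tokens ({@link PlainJWT}, i.e. {@code alg: none}) are rejected in
 *       {@link #decode(String)} before any processor runs.</li>
 *   <li>Every builder pins the expected JWS algorithm in its key selector; the algorithm is taken
 *       from builder configuration, not from the token header.</li>
 *   <li>Every builder installs a no-op Nimbus claims verifier, so claim checks (expiry,
 *       not-before, issuer, audience, ...) are performed only by {@code jwtValidator}, unless a
 *       {@code jwtProcessorCustomizer} reinstalls a verifier.</li>
 * </ul>
 *
 * <p>This source was recovered by a decompiler; some access modifiers are wider than the original
 * (see {@link #createClaimsSet}).
 */
public final class TongWebNimbusReactiveJwtDecoder implements ReactiveJwtDecoder {
    // Verifies the signature and yields the raw Nimbus claim set.
    private final Converter<JWT, Mono<JWTClaimsSet>> jwtProcessor;
    // Post-signature checks; the only place claims are validated (see class Javadoc).
    private OAuth2TokenValidator<Jwt> jwtValidator;
    // Normalises claim values before the Jwt is built.
    private Converter<Map<String, Object>, Map<String, Object>> claimSetConverter;

    /**
     * Builder for a decoder whose verification keys are looked up per token from a reactive
     * JWK source. The expected algorithm defaults to {@code RS256}.
     */
    public static final class JwkSourceReactiveJwtDecoderBuilder {
        private final Function<SignedJWT, Flux<JWK>> jwkSource;
        private JWSAlgorithm jwsAlgorithm = JWSAlgorithm.RS256;
        private Consumer<ConfigurableJWTProcessor<TongWebJWKSecurityContext>> jwtProcessorCustomizer;

        private JwkSourceReactiveJwtDecoderBuilder(Function<SignedJWT, Flux<JWK>> function) {
            Assert.notNull(function, "jwkSource cannot be null");
            this.jwkSource = function;
            // Default customizer leaves the processor untouched.
            this.jwtProcessorCustomizer = processor -> {
            };
        }

        /**
         * Sets the single JWS algorithm that tokens must be signed with.
         *
         * @param jwsAlgorithm the expected algorithm, never {@code null}
         * @return this builder
         */
        public JwkSourceReactiveJwtDecoderBuilder jwsAlgorithm(JwsAlgorithm jwsAlgorithm) {
            Assert.notNull(jwsAlgorithm, "jwsAlgorithm cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(jwsAlgorithm.getName());
            return this;
        }

        /**
         * Registers a hook that receives the fully configured processor. The hook runs after the
         * key selector and the no-op claims verifier are set, so it can replace either of them;
         * treat it as trusted configuration code.
         *
         * @param consumer the customizer, never {@code null}
         * @return this builder
         */
        public JwkSourceReactiveJwtDecoderBuilder jwtProcessorCustomizer(Consumer<ConfigurableJWTProcessor<TongWebJWKSecurityContext>> consumer) {
            Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = consumer;
            return this;
        }

        /**
         * @return a decoder backed by {@link #processor()}
         */
        public TongWebNimbusReactiveJwtDecoder build() {
            return new TongWebNimbusReactiveJwtDecoder(processor());
        }

        /**
         * Builds the token-to-claims converter. Only {@link SignedJWT} instances are accepted;
         * anything else is rejected with a {@link JwtException}.
         */
        Converter<JWT, Mono<JWTClaimsSet>> processor() {
            // Left as a raw type: the generic signature of TongWebJWKSecurityContextJWKSet is not
            // visible in this file.
            JWSVerificationKeySelector jWSVerificationKeySelector = new JWSVerificationKeySelector(this.jwsAlgorithm, new TongWebJWKSecurityContextJWKSet());
            ConfigurableJWTProcessor<TongWebJWKSecurityContext> defaultJWTProcessor = new DefaultJWTProcessor<>();
            defaultJWTProcessor.setJWSKeySelector(jWSVerificationKeySelector);
            // Nimbus claim verification is switched off on purpose; jwtValidator does it later.
            defaultJWTProcessor.setJWTClaimsSetVerifier((jWTClaimsSet, tongWebJWKSecurityContext) -> {
            });
            this.jwtProcessorCustomizer.accept(defaultJWTProcessor);
            return jwt -> {
                if (jwt instanceof SignedJWT) {
                    // A key-lookup failure becomes IllegalStateException, which decode(JWT)
                    // deliberately does not re-wrap as JwtException, so it is not reported as a
                    // malformed or invalid token.
                    return this.jwkSource.apply((SignedJWT) jwt)
                            .onErrorMap(th -> new IllegalStateException("Could not obtain the keys", th))
                            .collectList()
                            .map(list -> TongWebNimbusReactiveJwtDecoder.createClaimsSet(defaultJWTProcessor, jwt, new TongWebJWKSecurityContext(list)));
                }
                throw new JwtException("Unsupported algorithm of " + jwt.getHeader().getAlgorithm());
            };
        }
    }

    /**
     * Builder for a decoder that verifies tokens against one fixed RSA public key. The expected
     * algorithm defaults to {@code RS256}.
     */
    public static final class PublicKeyReactiveJwtDecoderBuilder {
        private final RSAPublicKey key;
        private JWSAlgorithm jwsAlgorithm;
        private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer;

        private PublicKeyReactiveJwtDecoderBuilder(RSAPublicKey rSAPublicKey) {
            Assert.notNull(rSAPublicKey, "key cannot be null");
            this.key = rSAPublicKey;
            this.jwsAlgorithm = JWSAlgorithm.RS256;
            // Default customizer leaves the processor untouched.
            this.jwtProcessorCustomizer = processor -> {
            };
        }

        /**
         * Sets the signature algorithm tokens must use. Non-RSA values are rejected later, in
         * {@link #processor()}.
         *
         * @param signatureAlgorithm the expected algorithm, never {@code null}
         * @return this builder
         */
        public PublicKeyReactiveJwtDecoderBuilder signatureAlgorithm(SignatureAlgorithm signatureAlgorithm) {
            Assert.notNull(signatureAlgorithm, "signatureAlgorithm cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(signatureAlgorithm.getName());
            return this;
        }

        /**
         * Registers a hook that receives the fully configured processor. The hook runs after the
         * key selector and the no-op claims verifier are set, so it can replace either of them;
         * treat it as trusted configuration code.
         *
         * @param consumer the customizer, never {@code null}
         * @return this builder
         */
        public PublicKeyReactiveJwtDecoderBuilder jwtProcessorCustomizer(Consumer<ConfigurableJWTProcessor<SecurityContext>> consumer) {
            Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = consumer;
            return this;
        }

        /**
         * @return a decoder backed by {@link #processor()}
         */
        public TongWebNimbusReactiveJwtDecoder build() {
            return new TongWebNimbusReactiveJwtDecoder(processor());
        }

        /**
         * Builds the token-to-claims converter.
         *
         * @throws IllegalStateException if the configured algorithm is not in the RSA family
         */
        Converter<JWT, Mono<JWTClaimsSet>> processor() {
            // Fail at configuration time if the key type and the algorithm family disagree.
            // NOTE(review): Family.RSA may admit more than the three algorithms the message
            // names (e.g. the PS* variants) - confirm against the Nimbus version in use.
            Assert.state(JWSAlgorithm.Family.RSA.contains(this.jwsAlgorithm),
                    () -> "The provided key is of type RSA; however the signature algorithm is of some other type: " + this.jwsAlgorithm + ". Please indicate one of RS256, RS384, or RS512.");
            TongWebSingleKeyJWSKeySelector tongWebSingleKeyJWSKeySelector = new TongWebSingleKeyJWSKeySelector(this.jwsAlgorithm, this.key);
            ConfigurableJWTProcessor<SecurityContext> defaultJWTProcessor = new DefaultJWTProcessor<>();
            defaultJWTProcessor.setJWSKeySelector(tongWebSingleKeyJWSKeySelector);
            // Nimbus claim verification is switched off on purpose; jwtValidator does it later.
            defaultJWTProcessor.setJWTClaimsSetVerifier((jWTClaimsSet, securityContext) -> {
            });
            this.jwtProcessorCustomizer.accept(defaultJWTProcessor);
            // Verification runs eagerly here; a failure is thrown synchronously and handled by
            // the try/catch in decode(JWT).
            return jwt -> Mono.just(TongWebNimbusReactiveJwtDecoder.createClaimsSet(defaultJWTProcessor, jwt, null));
        }
    }

    /**
     * Builder for a decoder that verifies tokens with a shared secret (HMAC). The expected
     * algorithm defaults to {@code HS256}.
     *
     * <p>No key-length check is performed in this class.
     * NOTE(review): confirm whether TongWebSingleKeyJWSKeySelector or the Nimbus verifier enforces
     * a minimum secret size for the chosen algorithm.
     */
    public static final class SecretKeyReactiveJwtDecoderBuilder {
        private final SecretKey secretKey;
        private JWSAlgorithm jwsAlgorithm = JWSAlgorithm.HS256;
        private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer;

        private SecretKeyReactiveJwtDecoderBuilder(SecretKey secretKey) {
            Assert.notNull(secretKey, "secretKey cannot be null");
            this.secretKey = secretKey;
            // Default customizer leaves the processor untouched.
            this.jwtProcessorCustomizer = processor -> {
            };
        }

        /**
         * Sets the MAC algorithm tokens must use.
         *
         * @param macAlgorithm the expected algorithm, never {@code null}
         * @return this builder
         */
        public SecretKeyReactiveJwtDecoderBuilder macAlgorithm(MacAlgorithm macAlgorithm) {
            Assert.notNull(macAlgorithm, "macAlgorithm cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(macAlgorithm.getName());
            return this;
        }

        /**
         * Registers a hook that receives the fully configured processor. The hook runs after the
         * key selector and the no-op claims verifier are set, so it can replace either of them;
         * treat it as trusted configuration code.
         *
         * @param consumer the customizer, never {@code null}
         * @return this builder
         */
        public SecretKeyReactiveJwtDecoderBuilder jwtProcessorCustomizer(Consumer<ConfigurableJWTProcessor<SecurityContext>> consumer) {
            Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = consumer;
            return this;
        }

        /**
         * @return a decoder backed by {@link #processor()}
         */
        public TongWebNimbusReactiveJwtDecoder build() {
            return new TongWebNimbusReactiveJwtDecoder(processor());
        }

        /**
         * Builds the token-to-claims converter for the configured secret and MAC algorithm.
         */
        Converter<JWT, Mono<JWTClaimsSet>> processor() {
            TongWebSingleKeyJWSKeySelector tongWebSingleKeyJWSKeySelector = new TongWebSingleKeyJWSKeySelector(this.jwsAlgorithm, this.secretKey);
            ConfigurableJWTProcessor<SecurityContext> defaultJWTProcessor = new DefaultJWTProcessor<>();
            defaultJWTProcessor.setJWSKeySelector(tongWebSingleKeyJWSKeySelector);
            // Nimbus claim verification is switched off on purpose; jwtValidator does it later.
            defaultJWTProcessor.setJWTClaimsSetVerifier((jWTClaimsSet, securityContext) -> {
            });
            this.jwtProcessorCustomizer.accept(defaultJWTProcessor);
            // Verification runs eagerly here; a failure is thrown synchronously and handled by
            // the try/catch in decode(JWT).
            return jwt -> Mono.just(TongWebNimbusReactiveJwtDecoder.createClaimsSet(defaultJWTProcessor, jwt, null));
        }
    }

    /**
     * Creates a decoder that verifies tokens against the given RSA public key using the
     * {@link PublicKeyReactiveJwtDecoderBuilder} defaults.
     *
     * @param rSAPublicKey the verification key, never {@code null}
     */
    public TongWebNimbusReactiveJwtDecoder(RSAPublicKey rSAPublicKey) {
        this(withPublicKey(rSAPublicKey).processor());
    }

    /**
     * Creates a decoder around an arbitrary token-to-claims converter. The converter is solely
     * responsible for signature verification; this class adds only claim conversion and
     * validation on top of it.
     *
     * @param converter the signature-verifying processor, never {@code null}
     * @throws IllegalArgumentException if {@code converter} is {@code null}
     */
    public TongWebNimbusReactiveJwtDecoder(Converter<JWT, Mono<JWTClaimsSet>> converter) {
        // Fail fast: a null processor would otherwise surface only at decode time, where the
        // resulting NullPointerException is wrapped and reported as a token decoding error.
        Assert.notNull(converter, "jwtProcessor cannot be null");
        this.jwtValidator = JwtValidators.createDefault();
        this.claimSetConverter = MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());
        this.jwtProcessor = converter;
    }

    /**
     * Replaces the validator applied after signature verification. Because the builders in this
     * class disable Nimbus claim verification, the validator set here is the only claim check
     * that runs; a replacement should keep whatever the default covered.
     *
     * <p>NOTE(review): in upstream Spring Security {@code JwtValidators.createDefault()} covers
     * token timestamps but not {@code iss} or {@code aud} - confirm for the version in use and
     * compose issuer/audience validators where the deployment needs them.
     *
     * @param oAuth2TokenValidator the validator, never {@code null}
     */
    public void setJwtValidator(OAuth2TokenValidator<Jwt> oAuth2TokenValidator) {
        Assert.notNull(oAuth2TokenValidator, "jwtValidator cannot be null");
        this.jwtValidator = oAuth2TokenValidator;
    }

    /**
     * Replaces the converter applied to the raw claim map before the {@link Jwt} is built.
     *
     * @param converter the claim converter, never {@code null}
     */
    public void setClaimSetConverter(Converter<Map<String, Object>, Map<String, Object>> converter) {
        Assert.notNull(converter, "claimSetConverter cannot be null");
        this.claimSetConverter = converter;
    }

    /**
     * Parses, verifies and validates a compact-serialised token.
     *
     * @param str the token value
     * @return a {@link Mono} emitting the validated {@link Jwt}
     * @throws JwtException if the token cannot be parsed, is unsecured ({@code alg: none}), or
     *     fails verification synchronously
     */
    @Override
    public Mono<Jwt> decode(String str) throws JwtException {
        JWT parsed = parse(str);
        // Unsecured JWTs are never accepted, whatever the processor is configured to do.
        if (parsed instanceof PlainJWT) {
            throw new JwtException("Unsupported algorithm of " + parsed.getHeader().getAlgorithm());
        }
        return decode(parsed);
    }

    /**
     * Parses the compact serialisation, translating any parser failure into {@link JwtException}.
     * The parser's message is appended to the exception text.
     * NOTE(review): confirm that text is not echoed verbatim to untrusted clients.
     */
    private JWT parse(String str) {
        try {
            return JWTParser.parse(str);
        } catch (Exception e) {
            throw new JwtException("An error occurred while attempting to decode the Jwt: " + e.getMessage(), e);
        }
    }

    /**
     * Runs the processor, builds the {@link Jwt} and validates it.
     *
     * <p>{@link JwtException} and {@link IllegalStateException} raised inside the reactive chain
     * pass through unchanged; every other error is wrapped in a {@link JwtException}.
     */
    private Mono<Jwt> decode(JWT jwt) {
        try {
            return this.jwtProcessor.convert(jwt)
                    .map(claimsSet -> createJwt(jwt, claimsSet))
                    .map(this::validateJwt)
                    .onErrorMap(
                            th -> !(th instanceof IllegalStateException) && !(th instanceof JwtException),
                            th -> new JwtException("An error occurred while attempting to decode the Jwt: ", th));
        } catch (JwtException e) {
            // Must precede the RuntimeException handler: JwtException is itself a
            // RuntimeException, and in the opposite order this clause is unreachable (a compile
            // error) and validation failures would be re-wrapped, hiding the original message.
            throw e;
        } catch (RuntimeException e) {
            throw new JwtException("An error occurred while attempting to decode the Jwt: " + e.getMessage(), e);
        }
    }

    /**
     * Assembles the Spring {@link Jwt} from the parsed header and the converted claims.
     *
     * @throws JwtException if header extraction, claim conversion or building fails
     */
    private Jwt createJwt(JWT jwt, JWTClaimsSet jWTClaimsSet) {
        try {
            Map<String, Object> headers = new LinkedHashMap<>(toJSONObject(jwt.getHeader()));
            Map<String, Object> claims = this.claimSetConverter.convert(jWTClaimsSet.getClaims());
            return withTokenValue(jwt.getParsedString())
                    .headers(target -> target.putAll(headers))
                    .claims(target -> target.putAll(claims))
                    .build();
        } catch (Exception e) {
            throw new JwtException("An error occurred while attempting to decode the Jwt: " + e.getMessage(), e);
        }
    }

    /**
     * @param str the raw token value
     * @return a new {@link TongWebJWTBuilder} for that token value
     */
    public static TongWebJWTBuilder withTokenValue(String str) {
        return new TongWebJWTBuilder(str);
    }

    /**
     * Flattens a JOSE header into a map: custom parameters first, then {@code alg}, and
     * {@code typ}, {@code cty} and {@code crit} when present. Registered names overwrite custom
     * parameters of the same name because they are written afterwards.
     *
     * @param header the parsed JOSE header
     * @return a new mutable map of header parameters
     */
    public Map<String, Object> toJSONObject(Header header) {
        Map<String, Object> params = new HashMap<>(header.getCustomParams());
        params.put("alg", header.getAlgorithm().toString());
        if (header.getType() != null) {
            params.put("typ", header.getType().toString());
        }
        if (header.getContentType() != null) {
            params.put("cty", header.getContentType());
        }
        if (header.getCriticalParams() != null && !header.getCriticalParams().isEmpty()) {
            params.put("crit", new ArrayList<>(header.getCriticalParams()));
        }
        return params;
    }

    /**
     * Applies the configured validator.
     *
     * @return the same {@code jwt} when validation reports no errors
     * @throws JwtValidationException carrying every reported {@link OAuth2Error}
     */
    private Jwt validateJwt(Jwt jwt) {
        OAuth2TokenValidatorResult result = this.jwtValidator.validate(jwt);
        if (!result.hasErrors()) {
            return jwt;
        }
        Collection<OAuth2Error> errors = result.getErrors();
        throw new JwtValidationException(getJwtValidationExceptionMessage(errors), errors);
    }

    /**
     * Picks the first non-empty error description, or a generic message when none has one.
     */
    private String getJwtValidationExceptionMessage(Collection<OAuth2Error> collection) {
        for (OAuth2Error error : collection) {
            // hasLength(x) is the non-deprecated equivalent of !isEmpty(x) for a String.
            if (StringUtils.hasLength(error.getDescription())) {
                return error.getDescription();
            }
        }
        return "Unable to validate Jwt";
    }

    /**
     * @param rSAPublicKey the RSA verification key, never {@code null}
     * @return a builder for a single-public-key decoder
     */
    public static PublicKeyReactiveJwtDecoderBuilder withPublicKey(RSAPublicKey rSAPublicKey) {
        return new PublicKeyReactiveJwtDecoderBuilder(rSAPublicKey);
    }

    /**
     * @param secretKey the shared HMAC secret, never {@code null}
     * @return a builder for a shared-secret decoder
     */
    public static SecretKeyReactiveJwtDecoderBuilder withSecretKey(SecretKey secretKey) {
        return new SecretKeyReactiveJwtDecoderBuilder(secretKey);
    }

    /**
     * @param function resolves the candidate verification keys for a signed token, never
     *     {@code null}
     * @return a builder for a JWK-source-backed decoder
     */
    public static JwkSourceReactiveJwtDecoderBuilder withJwkSource(Function<SignedJWT, Flux<JWK>> function) {
        return new JwkSourceReactiveJwtDecoderBuilder(function);
    }

    /**
     * Runs the Nimbus processor (signature verification) and translates its checked exceptions
     * into {@link JwtException}. The message is deliberately generic; the cause is kept.
     *
     * <p>The decompiler widened this method from private to public; it is kept public here so
     * the recovered interface is unchanged, but it is an internal helper.
     *
     * @param jWTProcessor the configured processor
     * @param jwt the parsed token
     * @param c the security context handed to the processor, may be {@code null}
     * @return the verified claim set
     * @throws JwtException if the processor rejects the token
     */
    public static <C extends SecurityContext> JWTClaimsSet createClaimsSet(JWTProcessor<C> jWTProcessor, JWT jwt, C c) {
        try {
            return jWTProcessor.process(jwt, c);
        } catch (BadJOSEException | JOSEException e) {
            throw new JwtException("Failed to validate the token", e);
        }
    }
}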
