package com.tongweb.springboot.autoconfigure.security.oauth2.resource.reactive;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.Header;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTProcessor;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.function.Consumer;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/* loaded from: input_file:com/tongweb/springboot/autoconfigure/security/oauth2/resource/reactive/TongWebJwkSetUriReactiveJwtDecoderBuilder.class */
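/**
 * Builder for a {@link TongWebNimbusReactiveJwtDecoder} that verifies JWS signatures with keys
 * fetched from a remote JWK Set URI.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A token's {@code alg} header must be in the expected-algorithm set before any key lookup
 *       happens; everything else is rejected with a {@link JwtException}.</li>
 *   <li>Only ONE expected algorithm is ever used, even if several were configured
 *       (see {@link #jwsKeySelector(JWKSource)}).</li>
 *   <li>The Nimbus claims verifier is replaced by a no-op, so the processor built here checks the
 *       signature only (see {@link #processor()}).</li>
 * </ul>
 *
 * <p>Not thread-safe: the builder holds mutable configuration and is meant to be configured and
 * built from a single thread.
 */
public class TongWebJwkSetUriReactiveJwtDecoderBuilder {
    private final String jwkSetUri;
    // Mutable on purpose: jwsAlgorithms(Consumer) hands this very set to the caller.
    private final Set<SignatureAlgorithm> signatureAlgorithms = new HashSet<>();
    // NOTE(review): no default is assigned, so null is handed to the remote JWK source when
    // webClient(...) was never called — confirm the source tolerates that.
    private WebClient webClient;
    private Consumer<ConfigurableJWTProcessor<TongWebJWKSecurityContext>> jwtProcessorCustomizer;

    /**
     * Creates a builder for the given JWK Set URI.
     *
     * <p>The decompiler recorded that this constructor was originally package-private.
     *
     * <p>NOTE(review): only non-emptiness is checked here. Nothing in this class requires an
     * https URI; since the keys fetched from this location decide which signatures are trusted,
     * confirm that callers never pass a plain-http or attacker-influenced value.
     *
     * @param str the JWK Set URI; must contain text
     * @throws IllegalArgumentException if {@code str} is null or blank
     */
    public TongWebJwkSetUriReactiveJwtDecoderBuilder(String str) {
        Assert.hasText(str, "jwkSetUri cannot be empty");
        this.jwkSetUri = str;
        // Default customizer does nothing; replaced via jwtProcessorCustomizer(...).
        this.jwtProcessorCustomizer = configurableJWTProcessor -> {
        };
    }

    /**
     * Adds a signature algorithm to the configured set.
     *
     * @param signatureAlgorithm the algorithm to add; must not be null
     * @return this builder
     */
    public TongWebJwkSetUriReactiveJwtDecoderBuilder jwsAlgorithm(SignatureAlgorithm signatureAlgorithm) {
        Assert.notNull(signatureAlgorithm, "sig cannot be null");
        this.signatureAlgorithms.add(signatureAlgorithm);
        return this;
    }

    /**
     * Lets the caller edit the configured signature algorithms in place.
     *
     * @param consumer receives the builder's live, mutable algorithm set; must not be null
     * @return this builder
     */
    public TongWebJwkSetUriReactiveJwtDecoderBuilder jwsAlgorithms(Consumer<Set<SignatureAlgorithm>> consumer) {
        Assert.notNull(consumer, "signatureAlgorithmsConsumer cannot be null");
        consumer.accept(this.signatureAlgorithms);
        return this;
    }

    /**
     * Sets the {@link WebClient} passed to the remote JWK source.
     *
     * @param webClient the client to use; must not be null
     * @return this builder
     */
    public TongWebJwkSetUriReactiveJwtDecoderBuilder webClient(WebClient webClient) {
        Assert.notNull(webClient, "webClient cannot be null");
        this.webClient = webClient;
        return this;
    }

    /**
     * Sets a hook that can reconfigure the JWT processor before it is used.
     *
     * @param consumer the customizer; must not be null
     * @return this builder
     */
    public TongWebJwkSetUriReactiveJwtDecoderBuilder jwtProcessorCustomizer(Consumer<ConfigurableJWTProcessor<TongWebJWKSecurityContext>> consumer) {
        Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
        this.jwtProcessorCustomizer = consumer;
        return this;
    }

    /**
     * Builds the decoder around the converter produced by {@link #processor()}.
     *
     * @return a new decoder
     */
    public TongWebNimbusReactiveJwtDecoder build() {
        return new TongWebNimbusReactiveJwtDecoder(processor());
    }

    /**
     * Creates the key selector that fixes the single JWS algorithm this decoder accepts.
     *
     * <p>With no configured algorithm the selector expects RS256. Otherwise the configured
     * algorithms are converted to Nimbus algorithms and the first one in {@code HashSet}
     * iteration order is used.
     *
     * <p>NOTE(review): when more than one algorithm is configured, all but one are silently
     * dropped and which one survives depends on hash order. Tokens signed with a dropped
     * algorithm are rejected (fail-closed), but the effective policy differs from what the caller
     * configured. Supporting the full set needs a selector API this file does not show.
     *
     * @param jWKSource the key source handed to the selector
     * @return a verification key selector for exactly one algorithm
     */
    JWSKeySelector<TongWebJWKSecurityContext> jwsKeySelector(JWKSource<TongWebJWKSecurityContext> jWKSource) {
        if (this.signatureAlgorithms.isEmpty()) {
            return new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jWKSource);
        }
        Set<JWSAlgorithm> jwsAlgorithms = new HashSet<>();
        for (SignatureAlgorithm signatureAlgorithm : this.signatureAlgorithms) {
            jwsAlgorithms.add(JWSAlgorithm.parse(signatureAlgorithm.getName()));
        }
        // The set is non-empty here because signatureAlgorithms is non-empty.
        return new JWSVerificationKeySelector<>(jwsAlgorithms.iterator().next(), jWKSource);
    }

    /**
     * Assembles the converter that turns a parsed JWT into its verified claims set.
     *
     * <p>For each token the converter selects candidate keys from the remote JWK set according
     * to the token's header, then runs the Nimbus processor with those keys. A failure while
     * fetching keys surfaces as {@link IllegalStateException}.
     *
     * @return the converter used by the decoder
     */
    Converter<JWT, Mono<JWTClaimsSet>> processor() {
        TongWebJWKSecurityContextJWKSet tongWebJWKSecurityContextJWKSet = new TongWebJWKSecurityContextJWKSet();
        ConfigurableJWTProcessor<TongWebJWKSecurityContext> defaultJWTProcessor = new DefaultJWTProcessor<>();
        JWSKeySelector<TongWebJWKSecurityContext> jwsKeySelector = jwsKeySelector(tongWebJWKSecurityContextJWKSet);
        defaultJWTProcessor.setJWSKeySelector(jwsKeySelector);
        // Claims verification is switched off at the processor level: exp, nbf and every other
        // claim pass through unchecked here.
        // NOTE(review): presumably the decoder applies its own token validators afterwards, as
        // upstream Spring Security does — confirm, because nothing in this class checks expiry.
        defaultJWTProcessor.setJWTClaimsSetVerifier((jWTClaimsSet, tongWebJWKSecurityContext) -> {
        });
        // Runs after the defaults above, so a customizer may reinstate a claims verifier or
        // replace the key selector.
        this.jwtProcessorCustomizer.accept(defaultJWTProcessor);
        TongWebReactiveRemoteJWKSource tongWebReactiveRemoteJWKSource = new TongWebReactiveRemoteJWKSource(this.jwkSetUri);
        tongWebReactiveRemoteJWKSource.setWebClient(this.webClient);
        // Derived from the builder's own selector, not from whatever the customizer installed:
        // the allow-list applied in createSelector always reflects the builder configuration.
        Set<JWSAlgorithm> expectedJwsAlgorithms = getExpectedJwsAlgorithms(jwsKeySelector);
        return jwt -> tongWebReactiveRemoteJWKSource
                // createSelector runs eagerly and rejects disallowed algorithms before any fetch.
                .get(createSelector(expectedJwsAlgorithms, jwt.getHeader()))
                .onErrorMap(th -> new IllegalStateException("Could not obtain the keys", th))
                .map(list -> createClaimsSet(defaultJWTProcessor, jwt, new TongWebJWKSecurityContext(list)));
    }

    /**
     * Runs the processor and translates Nimbus failures into {@link JwtException}.
     *
     * @param jWTProcessor the processor to run
     * @param jwt the parsed token
     * @param c the security context carrying the candidate keys
     * @return the claims set returned by the processor
     * @throws JwtException if the processor rejects the token or fails internally
     */
    private <C extends SecurityContext> JWTClaimsSet createClaimsSet(JWTProcessor<C> jWTProcessor, JWT jwt, C c) {
        try {
            return jWTProcessor.process(jwt, c);
        } catch (BadJOSEException | JOSEException e) {
            throw new JwtException("Failed to validate the token", e);
        }
    }

    /**
     * Reads the single expected algorithm back out of a verification key selector.
     *
     * @param jWSKeySelector the selector to inspect
     * @return a one-element set holding the selector's expected algorithm
     * @throws IllegalArgumentException if the selector is not a {@link JWSVerificationKeySelector}
     */
    private Set<JWSAlgorithm> getExpectedJwsAlgorithms(JWSKeySelector<?> jWSKeySelector) {
        if (jWSKeySelector instanceof JWSVerificationKeySelector) {
            return Collections.singleton(((JWSVerificationKeySelector<?>) jWSKeySelector).getExpectedJWSAlgorithm());
        }
        throw new IllegalArgumentException("Unsupported key selector type " + jWSKeySelector.getClass());
    }

    /**
     * Builds the JWK selector for a token header, enforcing the algorithm allow-list.
     *
     * <p>The header must be a JWS header whose algorithm is in {@code set}. The type check comes
     * first so that a header of another kind is rejected with a {@link JwtException} rather than
     * failing on the cast below; algorithm equality alone does not establish the header type.
     *
     * @param set the allowed JWS algorithms
     * @param header the header of the token being decoded
     * @return a selector matching keys suitable for verifying the token
     * @throws JwtException if the header is not a JWS header, its algorithm is not allowed, or
     *     no matcher exists for the algorithm's family
     */
    private JWKSelector createSelector(Set<JWSAlgorithm> set, Header header) {
        if (!(header instanceof JWSHeader) || !set.contains(header.getAlgorithm())) {
            throw new JwtException("Unsupported algorithm of " + header.getAlgorithm());
        }
        JWKMatcher matcher = forJWSHeader((JWSHeader) header);
        if (matcher == null) {
            // Fail the same way as any other unsupported algorithm instead of passing null on.
            throw new JwtException("Unsupported algorithm of " + header.getAlgorithm());
        }
        return new JWKSelector(matcher);
    }

    /**
     * Creates a matcher describing which JWKs may verify a token with the given header.
     *
     * <p>The {@code null} entries in the key-use and algorithm lists mean that a JWK which does
     * not declare that attribute also matches.
     *
     * @param jWSHeader the JWS header of the token
     * @return the matcher, or {@code null} if the algorithm belongs to none of the RSA, EC,
     *     HMAC or EdDSA families
     */
    private JWKMatcher forJWSHeader(JWSHeader jWSHeader) {
        JWSAlgorithm algorithm = jWSHeader.getAlgorithm();
        if (JWSAlgorithm.Family.RSA.contains(algorithm) || JWSAlgorithm.Family.EC.contains(algorithm)) {
            return new JWKMatcher.Builder()
                    .keyType(KeyType.forAlgorithm(algorithm))
                    .keyID(jWSHeader.getKeyID())
                    .keyUses(KeyUse.SIGNATURE, null)
                    .algorithms(algorithm, null)
                    .x509CertSHA256Thumbprint(jWSHeader.getX509CertSHA256Thumbprint())
                    .build();
        }
        if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
            // Symmetric case: only keys carrying secret material are acceptable.
            return new JWKMatcher.Builder()
                    .keyType(KeyType.forAlgorithm(algorithm))
                    .keyID(jWSHeader.getKeyID())
                    .privateOnly(true)
                    .algorithms(algorithm, null)
                    .build();
        }
        if (JWSAlgorithm.Family.ED.contains(algorithm)) {
            return new JWKMatcher.Builder()
                    .keyType(KeyType.forAlgorithm(algorithm))
                    .keyID(jWSHeader.getKeyID())
                    .keyUses(KeyUse.SIGNATURE, null)
                    .algorithms(algorithm, null)
                    .curves(Curve.forJWSAlgorithm(algorithm))
                    .build();
        }
        return null;
    }
}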
