package com.azure.spring.cloud.autoconfigure.aad.implementation.jwt;

import com.azure.spring.cloud.autoconfigure.aad.implementation.constants.AadJwtClaimNames;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.client.endpoint.AbstractOAuth2AuthorizationGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

/* loaded from: input_file:com/azure/spring/cloud/autoconfigure/aad/implementation/jwt/AadJwtClientAuthenticationParametersConverter.class */
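/**
 * Builds the {@code client_assertion} / {@code client_assertion_type} token-request parameters for
 * client registrations that authenticate with {@code private_key_jwt}.
 *
 * <p>The assertion is a JWT whose header carries {@code typ}, {@code alg} and {@code x5t}, and whose
 * claims are the issuer and subject (both the client id), the audience (the provider's token URI),
 * a random {@code jti}, {@code iat} and an {@code exp} one minute later. It is encoded by an
 * {@link AadJwtEncoder} built over the JWK returned by the configured resolver.
 *
 * <p>Encoders are cached per registration id in a {@link ConcurrentHashMap} and rebuilt when the
 * resolver returns a JWK that is not {@code equals} to the cached one, so a rotated key is picked up
 * on the next request.
 *
 * @param <T> the authorization grant request type being converted
 */
public final class AadJwtClientAuthenticationParametersConverter<T extends AbstractOAuth2AuthorizationGrantRequest> implements Converter<T, MultiValueMap<String, String>> {
    private static final String INVALID_KEY_ERROR_CODE = "invalid_key";
    private static final String INVALID_ALGORITHM_ERROR_CODE = "invalid_algorithm";
    public static final String CLIENT_ASSERTION_TYPE_VALUE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /** Validity window of each assertion; a short window bounds how long a captured assertion stays usable. */
    private static final Duration ASSERTION_LIFETIME = Duration.ofSeconds(60L);

    private final Function<ClientRegistration, JWK> jwkResolver;
    private final Map<String, JwsEncoderHolder> jwsEncoders = new ConcurrentHashMap<>();

    /**
     * Pairs a cached encoder with the JWK it was built from, so a changed key can be detected.
     *
     * <p>Decompiler note: JADX reports that this nested class and both accessors were {@code private}
     * in the original bytecode and were widened during decompilation. The constructor is private and
     * instances are only stored in the private {@code jwsEncoders} map.
     */
    public static final class JwsEncoderHolder {
        private final AadJwtEncoder jwtEncoder;
        private final JWK jwk;

        private JwsEncoderHolder(AadJwtEncoder aadJwtEncoder, JWK jwk) {
            this.jwtEncoder = aadJwtEncoder;
            this.jwk = jwk;
        }

        /** Returns the encoder built over {@link #getJwk()}. Widened from private by the decompiler. */
        public AadJwtEncoder getJwtEncoder() {
            return this.jwtEncoder;
        }

        /** Returns the JWK this holder's encoder was built from. Widened from private by the decompiler. */
        public JWK getJwk() {
            return this.jwk;
        }
    }

    /**
     * Creates a converter that obtains the signing JWK for a registration from {@code function}.
     *
     * @param function resolver from client registration to JWK; must not be {@code null}
     * @throws IllegalArgumentException if {@code function} is {@code null}
     */
    public AadJwtClientAuthenticationParametersConverter(Function<ClientRegistration, JWK> function) {
        Assert.notNull(function, "jwkResolver cannot be null");
        this.jwkResolver = function;
    }

    /**
     * Produces the client-assertion parameters for the given grant request.
     *
     * @param t the authorization grant request; must not be {@code null}
     * @return a map holding {@code client_assertion_type} and {@code client_assertion}, or
     *     {@code null} when the registration does not use {@code private_key_jwt}
     * @throws OAuth2AuthorizationException with {@code invalid_key} when no JWK is resolved or the JWK
     *     has no X.509 certificate thumbprint, and with {@code invalid_algorithm} when no JWS
     *     algorithm can be resolved from the JWK
     */
    @Override
    public MultiValueMap<String, String> convert(T t) {
        Assert.notNull(t, "authorizationGrantRequest cannot be null");
        ClientRegistration clientRegistration = t.getClientRegistration();
        if (!ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(clientRegistration.getClientAuthenticationMethod())) {
            return null;
        }
        String registrationId = clientRegistration.getRegistrationId();
        JWK jwk = this.jwkResolver.apply(clientRegistration);
        if (jwk == null) {
            throw new OAuth2AuthorizationException(new OAuth2Error(INVALID_KEY_ERROR_CODE, "Failed to resolve JWK signing key for client registration '" + registrationId + "'.", null));
        }
        if (resolveAlgorithm(jwk) == null) {
            throw new OAuth2AuthorizationException(new OAuth2Error(INVALID_ALGORITHM_ERROR_CODE, "Unable to resolve JWS (signing) algorithm from JWK associated to client registration '" + registrationId + "'.", null));
        }
        // A JWK without a certificate thumbprint used to surface as a NullPointerException here;
        // report it as an invalid key so callers see the same error type as the other key failures.
        // Held as Object so no extra import is needed for the thumbprint's type.
        Object thumbprint = jwk.getX509CertThumbprint();
        if (thumbprint == null) {
            throw new OAuth2AuthorizationException(new OAuth2Error(INVALID_KEY_ERROR_CODE, "JWK associated to client registration '" + registrationId + "' has no X.509 certificate thumbprint (x5t).", null));
        }

        Map<String, Object> headers = new HashMap<>();
        headers.put("typ", "JWT");
        // NOTE(review): the resolved algorithm above is only checked for null; the header always
        // advertises RS256. Confirm that AadJwtEncoder signs with RS256 for every key the resolver
        // can return, otherwise the header and the signature would disagree.
        headers.put("alg", SignatureAlgorithm.RS256.getName());
        // x5t is the SHA-1 certificate thumbprint header defined by RFC 7515.
        headers.put("x5t", thumbprint.toString());

        Instant issuedAt = Instant.now();
        Instant expiresAt = issuedAt.plus(ASSERTION_LIFETIME);
        Map<String, Object> claims = new HashMap<>();
        claims.put(AadJwtClaimNames.ISS, clientRegistration.getClientId());
        claims.put(AadJwtClaimNames.SUB, clientRegistration.getClientId());
        claims.put(AadJwtClaimNames.AUD, Collections.singletonList(clientRegistration.getProviderDetails().getTokenUri()));
        // A fresh random identifier per assertion, so each assertion is distinguishable.
        claims.put("jti", UUID.randomUUID().toString());
        claims.put("iat", issuedAt);
        claims.put("exp", expiresAt);

        // compute() runs atomically per key: reuse the cached encoder unless the JWK changed.
        JwsEncoderHolder holder = this.jwsEncoders.compute(registrationId, (id, cached) -> {
            if (cached != null && cached.getJwk().equals(jwk)) {
                return cached;
            }
            return new JwsEncoderHolder(new AadJwtEncoder(new ImmutableJWKSet<>(new JWKSet(jwk))), jwk);
        });
        Jwt assertion = holder.getJwtEncoder().encode(headers, claims);

        MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
        parameters.set("client_assertion_type", CLIENT_ASSERTION_TYPE_VALUE);
        parameters.set("client_assertion", assertion.getTokenValue());
        return parameters;
    }

    /**
     * Resolves the JWS algorithm for a JWK: the JWK's declared algorithm when it names a known
     * signature or MAC algorithm, otherwise RS256 for RSA keys.
     *
     * @param jwk the key to inspect
     * @return the resolved algorithm, or {@code null} when none can be determined
     */
    private static JwsAlgorithm resolveAlgorithm(JWK jwk) {
        // Declared as the common JwsAlgorithm type: the value may be a SignatureAlgorithm or a
        // MacAlgorithm (the decompiled listing typed it as MacAlgorithm, which does not compile).
        JwsAlgorithm jwsAlgorithm = null;
        if (jwk.getAlgorithm() != null) {
            String declaredName = jwk.getAlgorithm().getName();
            jwsAlgorithm = SignatureAlgorithm.from(declaredName);
            if (jwsAlgorithm == null) {
                jwsAlgorithm = MacAlgorithm.from(declaredName);
            }
        }
        if (jwsAlgorithm == null && KeyType.RSA.equals(jwk.getKeyType())) {
            jwsAlgorithm = SignatureAlgorithm.RS256;
        }
        return jwsAlgorithm;
    }
}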
