package com.c4_soft.springaddons.security.oidc.starter.reactive.resourceserver;

import com.c4_soft.springaddons.security.oidc.starter.OpenidProviderPropertiesResolver;
import com.c4_soft.springaddons.security.oidc.starter.properties.NotAConfiguredOpenidProviderException;
import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import java.net.URI;
import java.text.ParseException;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import lombok.Generated;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtReactiveAuthenticationManager;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;

/* loaded from: input_file:com/c4_soft/springaddons/security/oidc/starter/reactive/resourceserver/ReactiveJWTClaimsSetAuthenticationManager.class */
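/**
 * Authenticates bearer tokens by routing each JWT to an authentication manager dedicated to its
 * issuer.
 *
 * <p>The token is first parsed <em>without any signature check</em> so that its claims can be used
 * to pick the issuer-specific manager. Nothing read at that stage is trusted: the selected
 * {@link JwtReactiveAuthenticationManager} decodes and validates the token again with the decoder
 * built for that issuer before an {@link Authentication} is produced.
 */
public class ReactiveJWTClaimsSetAuthenticationManager implements ReactiveAuthenticationManager {
    private final ReactiveJWTClaimsSetAuthenticationManagerResolver jwtAuthenticationManagerResolver;

    /* loaded from: input_file:com/c4_soft/springaddons/security/oidc/starter/reactive/resourceserver/ReactiveJWTClaimsSetAuthenticationManager$ReactiveJWTClaimsSetAuthenticationManagerResolver.class */
    /**
     * Resolves, and caches per issuer, the authentication manager to use for a set of JWT claims.
     *
     * <p>A manager is only created and cached after {@link OpenidProviderPropertiesResolver} has
     * returned properties for the claims, so a token naming an issuer the resolver rejects never
     * adds an entry to the cache.
     */
    public static class ReactiveJWTClaimsSetAuthenticationManagerResolver implements ReactiveAuthenticationManagerResolver<JWTClaimsSet> {
        private final OpenidProviderPropertiesResolver opPropertiesResolver;
        private final SpringAddonsReactiveJwtDecoderFactory jwtDecoderFactory;
        private final Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> jwtAuthenticationConverter;
        // Keyed by the "iss" claim value. NOTE(review): the properties are resolved from the whole
        // claim map but cached by issuer only; confirm no custom resolver discriminates on other claims.
        private final Map<String, ReactiveAuthenticationManager> jwtManagers = new ConcurrentHashMap<>();

        /**
         * Returns the authentication manager for the issuer named in the given (unverified) claims.
         *
         * @param jWTClaimsSet claims parsed from the bearer token; not yet validated
         * @return a {@link Mono} emitting the manager bound to the token issuer
         * @throws InvalidBearerTokenException if the claims carry no issuer
         * @throws NotAConfiguredOpenidProviderException if no OpenID Provider properties are
         *         resolved for the claims
         */
        @Override
        public Mono<ReactiveAuthenticationManager> resolve(JWTClaimsSet jWTClaimsSet) {
            final String issuer = jWTClaimsSet.getIssuer();
            if (issuer == null) {
                // ConcurrentHashMap rejects null keys: without this guard a token lacking "iss"
                // fails with a NullPointerException instead of an authentication error.
                throw new InvalidBearerTokenException("JWT has no issuer claim");
            }

            ReactiveAuthenticationManager manager = this.jwtManagers.get(issuer);
            if (manager == null) {
                // Trust decision: only claims for which provider properties are resolved get a decoder.
                final SpringAddonsOidcProperties.OpenidProviderProperties opProperties = this.opPropertiesResolver
                        .resolve(jWTClaimsSet.getClaims())
                        .orElseThrow(() -> new NotAConfiguredOpenidProviderException(jWTClaimsSet.getClaims()));

                final JwtReactiveAuthenticationManager jwtManager = new JwtReactiveAuthenticationManager(
                        this.jwtDecoderFactory.create(
                                Optional.ofNullable(opProperties.getJwkSetUri()),
                                Optional.ofNullable(URI.create(issuer)),
                                Optional.ofNullable(opProperties.getAud())));
                jwtManager.setJwtAuthenticationConverter(this.jwtAuthenticationConverter);

                // Concurrent first requests for the same issuer may each build a manager; the
                // instances are equivalent, so the last write winning is harmless.
                manager = jwtManager::authenticate;
                this.jwtManagers.put(issuer, manager);
            }
            return Mono.just(manager);
        }

        /**
         * @param openidProviderPropertiesResolver resolves the provider properties matching a claim map
         * @param springAddonsReactiveJwtDecoderFactory builds the JWT decoder used for an issuer
         * @param converter turns a validated {@link Jwt} into the resulting authentication
         */
        @Generated
        public ReactiveJWTClaimsSetAuthenticationManagerResolver(OpenidProviderPropertiesResolver openidProviderPropertiesResolver, SpringAddonsReactiveJwtDecoderFactory springAddonsReactiveJwtDecoderFactory, Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> converter) {
            this.opPropertiesResolver = openidProviderPropertiesResolver;
            this.jwtDecoderFactory = springAddonsReactiveJwtDecoderFactory;
            this.jwtAuthenticationConverter = converter;
        }
    }

    /**
     * @param openidProviderPropertiesResolver resolves the provider properties matching a claim map
     * @param springAddonsReactiveJwtDecoderFactory builds the JWT decoder used for an issuer
     * @param converter turns a validated {@link Jwt} into the resulting authentication
     */
    public ReactiveJWTClaimsSetAuthenticationManager(OpenidProviderPropertiesResolver openidProviderPropertiesResolver, SpringAddonsReactiveJwtDecoderFactory springAddonsReactiveJwtDecoderFactory, Converter<Jwt, ? extends Mono<? extends AbstractAuthenticationToken>> converter) {
        this.jwtAuthenticationManagerResolver = new ReactiveJWTClaimsSetAuthenticationManagerResolver(openidProviderPropertiesResolver, springAddonsReactiveJwtDecoderFactory, converter);
    }

    /**
     * Authenticates a bearer token with the manager configured for its issuer.
     *
     * @param authentication must be a {@link BearerTokenAuthenticationToken}
     * @return the authentication produced by the issuer-specific manager
     * @throws IllegalArgumentException if {@code authentication} is of another type
     * @throws InvalidBearerTokenException if the token cannot be parsed as a JWT, exposes no
     *         claim-set, or has no issuer
     */
    @Override
    public Mono<Authentication> authenticate(Authentication authentication) throws AuthenticationException {
        Assert.isTrue(authentication instanceof BearerTokenAuthenticationToken, "Authentication must be of type BearerTokenAuthenticationToken");
        final String token = ((BearerTokenAuthenticationToken) authentication).getToken();

        final JWTClaimsSet claims;
        try {
            // Parsing only: no signature or claim validation happens here. The claims serve
            // solely to select the manager, which performs the actual validation.
            claims = JWTParser.parse(token).getJWTClaimsSet();
        } catch (ParseException e) {
            // Keep the cause so the parse failure stays diagnosable in server logs.
            throw new InvalidBearerTokenException("Could not retrieve JWT claim-set", e);
        }
        if (claims == null) {
            // Some JWT forms expose no claim-set before further processing (e.g. an encrypted
            // JWT that has not been decrypted); reject instead of dereferencing null.
            throw new InvalidBearerTokenException("Could not retrieve JWT claim-set");
        }

        // A Mono never emits null, so the resolved manager can be used directly.
        return this.jwtAuthenticationManagerResolver.resolve(claims)
                .flatMap(manager -> manager.authenticate(authentication));
    }
}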
