package org.springframework.security.oauth2.client.web.reactive.function.client;

import java.net.URI;
import java.time.Clock;
import java.time.Duration;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.Map;
import java.util.Optional;
import java.util.function.Consumer;
import org.springframework.http.HttpMethod;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.web.reactive.function.OAuth2BodyExtractors;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ExchangeFunction;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.class */
public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements ExchangeFilterFunction {
    private static final String OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME = OAuth2AuthorizedClient.class.getName();
    private Clock clock = Clock.systemUTC();
    private Duration accessTokenExpiresSkew = Duration.ofMinutes(1);
    private ReactiveOAuth2AuthorizedClientService authorizedClientService;

    /* loaded from: input_file:org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction$PrincipalNameAuthentication.class */
    private static class PrincipalNameAuthentication implements Authentication {
        private final String username;

        private PrincipalNameAuthentication(String str) {
            this.username = str;
        }

        public Collection<? extends GrantedAuthority> getAuthorities() {
            throw unsupported();
        }

        public Object getCredentials() {
            throw unsupported();
        }

        public Object getDetails() {
            throw unsupported();
        }

        public Object getPrincipal() {
            throw unsupported();
        }

        public boolean isAuthenticated() {
            throw unsupported();
        }

        public void setAuthenticated(boolean z) throws IllegalArgumentException {
            throw unsupported();
        }

        public String getName() {
            return this.username;
        }

        private UnsupportedOperationException unsupported() {
            return new UnsupportedOperationException("Not Supported");
        }
    }

    public ServerOAuth2AuthorizedClientExchangeFilterFunction() {
    }

    public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientService reactiveOAuth2AuthorizedClientService) {
        this.authorizedClientService = reactiveOAuth2AuthorizedClientService;
    }

    public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return map -> {
            map.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, oAuth2AuthorizedClient);
        };
    }

    public void setAccessTokenExpiresSkew(Duration duration) {
        Assert.notNull(duration, "accessTokenExpiresSkew cannot be null");
        this.accessTokenExpiresSkew = duration;
    }

    public Mono<ClientResponse> filter(ClientRequest clientRequest, ExchangeFunction exchangeFunction) {
        Optional attribute = clientRequest.attribute(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME);
        Class<OAuth2AuthorizedClient> cls = OAuth2AuthorizedClient.class;
        OAuth2AuthorizedClient.class.getClass();
        Mono map = Mono.justOrEmpty(attribute.map(cls::cast)).flatMap(oAuth2AuthorizedClient -> {
            return authorizedClient(exchangeFunction, oAuth2AuthorizedClient);
        }).map(oAuth2AuthorizedClient2 -> {
            return bearer(clientRequest, oAuth2AuthorizedClient2);
        });
        exchangeFunction.getClass();
        return map.flatMap(exchangeFunction::exchange).switchIfEmpty(exchangeFunction.exchange(clientRequest));
    }

    private Mono<OAuth2AuthorizedClient> authorizedClient(ExchangeFunction exchangeFunction, OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return shouldRefresh(oAuth2AuthorizedClient) ? refreshAuthorizedClient(exchangeFunction, oAuth2AuthorizedClient) : Mono.just(oAuth2AuthorizedClient);
    }

    private Mono<OAuth2AuthorizedClient> refreshAuthorizedClient(ExchangeFunction exchangeFunction, OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        ClientRegistration clientRegistration = oAuth2AuthorizedClient.getClientRegistration();
        return exchangeFunction.exchange(ClientRequest.create(HttpMethod.POST, URI.create(clientRegistration.getProviderDetails().getTokenUri())).header("Accept", new String[]{"application/json"}).headers(httpHeaders -> {
            httpHeaders.setBasicAuth(clientRegistration.getClientId(), clientRegistration.getClientSecret());
        }).body(refreshTokenBody(oAuth2AuthorizedClient.getRefreshToken().getTokenValue())).build()).flatMap(clientResponse -> {
            return (Mono) clientResponse.body(OAuth2BodyExtractors.oauth2AccessTokenResponse());
        }).map(oAuth2AccessTokenResponse -> {
            return new OAuth2AuthorizedClient(oAuth2AuthorizedClient.getClientRegistration(), oAuth2AuthorizedClient.getPrincipalName(), oAuth2AccessTokenResponse.getAccessToken(), oAuth2AccessTokenResponse.getRefreshToken());
        }).flatMap(oAuth2AuthorizedClient2 -> {
            return ReactiveSecurityContextHolder.getContext().map((v0) -> {
                return v0.getAuthentication();
            }).defaultIfEmpty(new PrincipalNameAuthentication(oAuth2AuthorizedClient.getPrincipalName())).flatMap(authentication -> {
                return this.authorizedClientService.saveAuthorizedClient(oAuth2AuthorizedClient2, authentication);
            }).thenReturn(oAuth2AuthorizedClient2);
        });
    }

    private boolean shouldRefresh(OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return (this.authorizedClientService == null || oAuth2AuthorizedClient.getRefreshToken() == null || !this.clock.instant().isAfter(oAuth2AuthorizedClient.getAccessToken().getExpiresAt().minus((TemporalAmount) this.accessTokenExpiresSkew))) ? false : true;
    }

    private ClientRequest bearer(ClientRequest clientRequest, OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return ClientRequest.from(clientRequest).headers(httpHeaders -> {
            httpHeaders.setBearerAuth(oAuth2AuthorizedClient.getAccessToken().getTokenValue());
        }).build();
    }

    private static BodyInserters.FormInserter<String> refreshTokenBody(String str) {
        return BodyInserters.fromFormData("grant_type", AuthorizationGrantType.REFRESH_TOKEN.getValue()).with("refresh_token", str);
    }
}
