package org.springframework.security.oauth2.jwt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.RemoteKeySourceException;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.Resource;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.time.Instant;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
import org.springframework.util.Assert;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:org/springframework/security/oauth2/jwt/NimbusJwtDecoderJwkSupport.class */
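/**
 * A {@link JwtDecoder} that verifies a signed JWT against keys fetched from a remote JWK Set
 * and then runs the configured {@link OAuth2TokenValidator} over the resulting {@link Jwt}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Only {@link SignedJWT} tokens are accepted by {@link #decode(String)}; any other parsed
 *       form (for example an unsigned token) is rejected before key lookup.</li>
 *   <li>Exactly one JWS algorithm is configured at construction time and handed to the
 *       {@link JWSVerificationKeySelector}; the algorithm is not taken from a setter.</li>
 *   <li>The Nimbus claims verifier is replaced with a no-op, so every claim check (expiry and
 *       the like) depends on the {@code jwtValidator} held by this instance.</li>
 *   <li>The JWK Set URL is the trust anchor for signature verification. Nothing here checks its
 *       scheme, so the caller is responsible for supplying an HTTPS endpoint it trusts.</li>
 * </ul>
 */
public final class NimbusJwtDecoderJwkSupport implements JwtDecoder {
    private static final String DECODING_ERROR_MESSAGE_TEMPLATE = "An error occurred while attempting to decode the Jwt: %s";
    private final JWSAlgorithm jwsAlgorithm;
    private final ConfigurableJWTProcessor<SecurityContext> jwtProcessor;
    private final RestOperationsResourceRetriever jwkSetRetriever = new RestOperationsResourceRetriever();
    private Converter<Map<String, Object>, Map<String, Object>> claimSetConverter =
            MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());
    private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();

    /**
     * Fetches the JWK Set document over HTTP through a {@link RestOperations} instance.
     *
     * <p>The default instance is a plain {@code new RestTemplate()}; no timeouts or TLS settings
     * are configured in this class, so those come from whatever {@link RestOperations} is in use.
     */
    private static class RestOperationsResourceRetriever implements ResourceRetriever {
        private RestOperations restOperations = new RestTemplate();

        private RestOperationsResourceRetriever() {
        }

        /**
         * Issues a GET for {@code url} and returns the body as a Nimbus {@link Resource}.
         *
         * @param url the JWK Set location
         * @return the response body, labelled as UTF-8
         * @throws IOException if the request fails or the response status is not 200
         */
        @Override
        public Resource retrieveResource(URL url) throws IOException {
            HttpHeaders headers = new HttpHeaders();
            headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8));

            ResponseEntity<String> response;
            try {
                RequestEntity<Void> request = new RequestEntity<>(headers, HttpMethod.GET, url.toURI());
                response = this.restOperations.exchange(request, String.class);
            } catch (Exception ex) {
                throw new IOException(ex);
            }

            // Checked outside the try so the status failure is reported directly instead of
            // being caught above and wrapped in a second IOException.
            if (response.getStatusCodeValue() != 200) {
                throw new IOException(response.toString());
            }
            return new Resource(response.getBody(), "UTF-8");
        }
    }

    /**
     * Creates a decoder for the given JWK Set URL that accepts RS256-signed tokens.
     *
     * @param jwkSetUrl the JWK Set location; must not be empty
     */
    public NimbusJwtDecoderJwkSupport(String jwkSetUrl) {
        this(jwkSetUrl, JwsAlgorithms.RS256);
    }

    /**
     * Creates a decoder for the given JWK Set URL and JWS algorithm.
     *
     * @param jwkSetUrl the JWK Set location; must not be empty. The scheme is not validated
     *        here, so pass an HTTPS URL: keys served from this location decide which tokens
     *        are considered authentic.
     * @param jwsAlgorithm the single JWS algorithm name handed to the key selector; must not
     *        be empty
     * @throws IllegalArgumentException if either argument is empty or the URL is malformed
     */
    public NimbusJwtDecoderJwkSupport(String jwkSetUrl, String jwsAlgorithm) {
        Assert.hasText(jwkSetUrl, "jwkSetUrl cannot be empty");
        Assert.hasText(jwsAlgorithm, "jwsAlgorithm cannot be empty");

        URL jwkSetLocation;
        try {
            jwkSetLocation = new URL(jwkSetUrl);
        } catch (MalformedURLException ex) {
            throw new IllegalArgumentException("Invalid JWK Set URL \"" + jwkSetUrl + "\" : " + ex.getMessage(), ex);
        }

        RemoteJWKSet<SecurityContext> jwkSource = new RemoteJWKSet<>(jwkSetLocation, this.jwkSetRetriever);
        this.jwsAlgorithm = JWSAlgorithm.parse(jwsAlgorithm);
        JWSVerificationKeySelector<SecurityContext> keySelector =
                new JWSVerificationKeySelector<>(this.jwsAlgorithm, jwkSource);

        ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(keySelector);
        // Deliberate no-op: the Nimbus claims check is switched off and claim validation is
        // left entirely to this.jwtValidator, which runs in validateJwt after the signature
        // has been verified.
        processor.setJWTClaimsSetVerifier((claims, context) -> {
        });
        this.jwtProcessor = processor;
    }

    /**
     * Parses, signature-verifies and validates the given token.
     *
     * @param token the compact-serialized JWT
     * @return the verified and validated {@link Jwt}
     * @throws JwtException if the token cannot be parsed, is not a signed JWT, fails signature
     *         processing, or fails validation
     */
    @Override
    public Jwt decode(String token) throws JwtException {
        JWT parsed = parse(token);
        // Anything that is not a signed JWT never reaches key selection or validation.
        if (!(parsed instanceof SignedJWT)) {
            throw new JwtException("Unsupported algorithm of " + parsed.getHeader().getAlgorithm());
        }
        return validateJwt(createJwt(token, parsed));
    }

    /**
     * Replaces the validator applied to every decoded {@link Jwt}.
     *
     * <p>The previous validator is discarded rather than combined with the new one. Because the
     * Nimbus claims verifier is disabled in the constructor, the validator supplied here is the
     * only place claim checks happen, so it must cover every check the deployment relies on.
     *
     * @param jwtValidator the validator to use; must not be null
     */
    public void setJwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
        Assert.notNull(jwtValidator, "jwtValidator cannot be null");
        this.jwtValidator = jwtValidator;
    }

    /**
     * Replaces the converter applied to the verified claim set before the {@link Jwt} is built.
     *
     * @param claimSetConverter the converter to use; must not be null
     */
    public final void setClaimSetConverter(Converter<Map<String, Object>, Map<String, Object>> claimSetConverter) {
        Assert.notNull(claimSetConverter, "claimSetConverter cannot be null");
        this.claimSetConverter = claimSetConverter;
    }

    /** Parses the compact token, translating any parser failure into a {@link JwtException}. */
    private JWT parse(String token) {
        try {
            return JWTParser.parse(token);
        } catch (Exception ex) {
            throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
        }
    }

    /**
     * Runs the Nimbus processor (signature verification against the remote JWK Set) and builds
     * the {@link Jwt} from the parsed header and the converted claims.
     */
    private Jwt createJwt(String token, JWT parsedJwt) {
        try {
            JWTClaimsSet claimsSet = this.jwtProcessor.process(parsedJwt, null);
            Map<String, Object> headers = new LinkedHashMap<>(parsedJwt.getHeader().toJSONObject());
            Map<String, Object> claims = this.claimSetConverter.convert(claimsSet.getClaims());
            Instant issuedAt = (Instant) claims.get(JwtClaimNames.IAT);
            Instant expiresAt = (Instant) claims.get(JwtClaimNames.EXP);
            return new Jwt(token, issuedAt, expiresAt, headers, claims);
        } catch (RemoteKeySourceException ex) {
            // Must precede the generic handler: listed after catch (Exception) this clause is
            // unreachable, and a key-retrieval failure would be reported as a payload problem.
            if (ex.getCause() instanceof ParseException) {
                throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed Jwk set"));
            }
            throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
        } catch (Exception ex) {
            if (ex.getCause() instanceof ParseException) {
                throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed payload"));
            }
            throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
        }
    }

    /**
     * Applies the configured validator and fails on the first reported error.
     *
     * @throws JwtValidationException carrying all reported errors if validation fails
     */
    private Jwt validateJwt(Jwt jwt) {
        OAuth2TokenValidatorResult result = this.jwtValidator.validate(jwt);
        if (result.hasErrors()) {
            OAuth2Error firstError = result.getErrors().iterator().next();
            throw new JwtValidationException(
                    String.format(DECODING_ERROR_MESSAGE_TEMPLATE, firstError.getDescription()),
                    result.getErrors());
        }
        return jwt;
    }

    /**
     * Replaces the HTTP client used to fetch the JWK Set.
     *
     * <p>Signing keys are trusted as returned by this client, so its TLS configuration and
     * timeouts apply directly to key retrieval.
     *
     * @param restOperations the client to use; must not be null
     */
    public final void setRestOperations(RestOperations restOperations) {
        Assert.notNull(restOperations, "restOperations cannot be null");
        this.jwkSetRetriever.restOperations = restOperations;
    }
}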
