package org.springframework.security.oauth2.server.resource.authentication;

import com.nimbusds.oauth2.sdk.TokenIntrospectionResponse;
import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import net.minidev.json.JSONObject;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.BearerTokenError;
import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.class */
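/**
 * A {@link ReactiveAuthenticationManager} that authenticates a bearer token by sending it to an
 * OAuth 2.0 Token Introspection endpoint (RFC 7662) and turning the response into an
 * {@link OAuth2IntrospectionAuthenticationToken}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Every request carries the bearer token in the form body and, with the three-argument
 *       constructor, the client credentials in a {@code Basic} Authorization header. This class
 *       does not check the scheme of the introspection URI, so the caller is responsible for
 *       configuring an {@code https} endpoint.</li>
 *   <li>Only the {@code active} flag of the introspection response is checked here; claims such as
 *       audience, issuer, expiry and not-before are copied into the attribute map but are not
 *       validated by this class.</li>
 *   <li>Error descriptions built here must never contain the presented token.</li>
 * </ul>
 */
public class OAuth2IntrospectionReactiveAuthenticationManager implements ReactiveAuthenticationManager {
    private final URI introspectionUri;
    private final WebClient webClient;

    /**
     * Creates a manager that authenticates to the introspection endpoint with HTTP Basic client
     * credentials.
     *
     * @param introspectionUri the introspection endpoint; must contain text
     * @param clientId the client id used for the Basic header; must contain text
     * @param clientSecret the client secret; must not be {@code null} (a blank secret is sent as
     *     an empty password)
     */
    public OAuth2IntrospectionReactiveAuthenticationManager(String introspectionUri, String clientId, String clientSecret) {
        Assert.hasText(introspectionUri, "introspectionUri cannot be empty");
        Assert.hasText(clientId, "clientId cannot be empty");
        Assert.notNull(clientSecret, "clientSecret cannot be null");
        this.introspectionUri = URI.create(introspectionUri);
        this.webClient = WebClient.builder()
                .defaultHeader("Authorization", basicHeaderValue(clientId, clientSecret))
                .build();
    }

    /**
     * Creates a manager that uses a caller-supplied {@link WebClient}. The client is used as-is,
     * so any authentication towards the introspection endpoint must already be configured on it.
     *
     * @param introspectionUri the introspection endpoint; must contain text
     * @param webClient the client used to call the endpoint; must not be {@code null}
     */
    public OAuth2IntrospectionReactiveAuthenticationManager(String introspectionUri, WebClient webClient) {
        Assert.hasText(introspectionUri, "introspectionUri cannot be null");
        Assert.notNull(webClient, "webClient cannot be null");
        this.introspectionUri = URI.create(introspectionUri);
        this.webClient = webClient;
    }

    /**
     * Builds the value of an HTTP Basic Authorization header from {@code clientId:clientSecret}.
     * A blank secret yields {@code clientId:} before encoding.
     */
    private static String basicHeaderValue(String clientId, String clientSecret) {
        StringBuilder credentials = new StringBuilder(clientId).append(':');
        if (StringUtils.hasText(clientSecret)) {
            credentials.append(clientSecret);
        }
        byte[] raw = credentials.toString().getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    /**
     * Introspects the token carried by a {@link BearerTokenAuthenticationToken}.
     *
     * @param authentication the authentication request; anything that is {@code null} or not a
     *     {@link BearerTokenAuthenticationToken} produces an empty {@link Mono}
     * @return the authenticated token, an empty {@link Mono} for unsupported input, or an error
     *     signal carrying an {@link OAuth2AuthenticationException}
     */
    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        return Mono.justOrEmpty(authentication)
                .filter(BearerTokenAuthenticationToken.class::isInstance)
                .cast(BearerTokenAuthenticationToken.class)
                .map(BearerTokenAuthenticationToken::getToken)
                .flatMap(this::authenticate)
                .cast(Authentication.class);
    }

    /**
     * Introspects {@code token} and wraps the resulting claims and scope-derived authorities in an
     * {@link OAuth2IntrospectionAuthenticationToken}.
     */
    private Mono<OAuth2IntrospectionAuthenticationToken> authenticate(String token) {
        return introspect(token).map(response -> {
            Map<String, Object> claims = convertClaimsSet(response);
            // convertClaimsSet stores these two claims as Instant when the response carries them.
            Instant issuedAt = (Instant) claims.get(OAuth2IntrospectionClaimNames.ISSUED_AT);
            Instant expiresAt = (Instant) claims.get(OAuth2IntrospectionClaimNames.EXPIRES_AT);
            OAuth2AccessToken accessToken =
                    new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, token, issuedAt, expiresAt);
            return new OAuth2IntrospectionAuthenticationToken(accessToken, claims, extractAuthorities(claims));
        });
    }

    /**
     * Calls the introspection endpoint and returns the parsed success response for an active
     * token. Any failure that is not already an {@link OAuth2AuthenticationException} is converted
     * by {@link #onError(Throwable)}.
     */
    private Mono<TokenIntrospectionSuccessResponse> introspect(String token) {
        return Mono.just(token)
                .flatMap(this::makeRequest)
                .flatMap(this::adaptToNimbusResponse)
                .map(this::parseNimbusResponse)
                .map(this::castToNimbusSuccess)
                .doOnNext(this::validate)
                .onErrorMap(failure -> !(failure instanceof OAuth2AuthenticationException), this::onError);
    }

    /** POSTs the token as the {@code token} form parameter to the introspection endpoint. */
    private Mono<ClientResponse> makeRequest(String token) {
        return this.webClient.post()
                .uri(this.introspectionUri)
                .header("Accept", "application/json;charset=UTF-8")
                .body(BodyInserters.fromFormData("token", token))
                .exchange();
    }

    /**
     * Copies status, Content-Type and body of the WebClient response into a Nimbus
     * {@link HTTPResponse}.
     *
     * <p>The status is checked before anything else so that a failing endpoint is reported as
     * such, and a response without a Content-Type header is rejected explicitly instead of
     * failing on an unchecked {@code Optional.get()}.
     */
    private Mono<HTTPResponse> adaptToNimbusResponse(ClientResponse clientResponse) {
        int status = clientResponse.rawStatusCode();
        if (status != 200) {
            // NOTE(review): the body of a rejected response is not consumed here; confirm that the
            // configured WebClient releases the connection in that case.
            return Mono.error(new OAuth2AuthenticationException(
                    invalidToken("Introspection endpoint responded with " + status)));
        }
        Optional<String> contentType = clientResponse.headers().contentType().map(MediaType::toString);
        if (!contentType.isPresent()) {
            return Mono.error(new OAuth2AuthenticationException(
                    invalidToken("Introspection endpoint response has no Content-Type")));
        }
        HTTPResponse nimbusResponse = new HTTPResponse(status);
        nimbusResponse.setHeader("Content-Type", contentType.get());
        return clientResponse.bodyToMono(String.class)
                .doOnNext(nimbusResponse::setContent)
                .map(body -> nimbusResponse);
    }

    /**
     * Parses the HTTP response as a token introspection response, reporting any parse failure as
     * an {@code invalid_token} authentication error with the original exception as cause.
     */
    private TokenIntrospectionResponse parseNimbusResponse(HTTPResponse response) {
        try {
            return TokenIntrospectionResponse.parse(response);
        } catch (Exception e) {
            throw new OAuth2AuthenticationException(invalidToken(e.getMessage()), e);
        }
    }

    /** Narrows the parsed response to a success response or fails with {@code invalid_token}. */
    private TokenIntrospectionSuccessResponse castToNimbusSuccess(TokenIntrospectionResponse response) {
        if (!response.indicatesSuccess()) {
            throw new OAuth2AuthenticationException(invalidToken("Token introspection failed"));
        }
        return (TokenIntrospectionSuccessResponse) response;
    }

    /**
     * Rejects a token that the authorization server reports as inactive.
     *
     * <p>The error description deliberately omits the token value: the description is part of the
     * error object handed to downstream handlers, so it may reach logs or the HTTP response, and
     * a bearer token is a credential.
     */
    private void validate(TokenIntrospectionSuccessResponse response) {
        if (!response.isActive()) {
            throw new OAuth2AuthenticationException(invalidToken("Provided token isn't active"));
        }
    }

    /**
     * Returns the response's JSON object with the well-known claims replaced by typed values:
     * audience and scope as unmodifiable string lists, client id as a string, the three
     * timestamps as {@link Instant} and the issuer as a {@link URL}. Claims absent from the
     * response are left untouched.
     */
    private Map<String, Object> convertClaimsSet(TokenIntrospectionSuccessResponse response) {
        JSONObject claims = response.toJSONObject();
        if (response.getAudience() != null) {
            List<String> audiences = response.getAudience().stream()
                    .map(audience -> audience.getValue())
                    .collect(Collectors.toList());
            claims.put(OAuth2IntrospectionClaimNames.AUDIENCE, Collections.unmodifiableList(audiences));
        }
        if (response.getClientID() != null) {
            claims.put(OAuth2IntrospectionClaimNames.CLIENT_ID, response.getClientID().getValue());
        }
        if (response.getExpirationTime() != null) {
            claims.put(OAuth2IntrospectionClaimNames.EXPIRES_AT, response.getExpirationTime().toInstant());
        }
        if (response.getIssueTime() != null) {
            claims.put(OAuth2IntrospectionClaimNames.ISSUED_AT, response.getIssueTime().toInstant());
        }
        if (response.getIssuer() != null) {
            claims.put(OAuth2IntrospectionClaimNames.ISSUER, issuer(response.getIssuer().getValue()));
        }
        if (response.getNotBeforeTime() != null) {
            claims.put(OAuth2IntrospectionClaimNames.NOT_BEFORE, response.getNotBeforeTime().toInstant());
        }
        if (response.getScope() != null) {
            claims.put(OAuth2IntrospectionClaimNames.SCOPE,
                    Collections.unmodifiableList(response.getScope().toStringList()));
        }
        return claims;
    }

    /**
     * Maps each entry of the scope claim to a {@code SCOPE_}-prefixed authority; a missing scope
     * claim yields no authorities.
     */
    private Collection<GrantedAuthority> extractAuthorities(Map<String, Object> claims) {
        Object scopeClaim = claims.get(OAuth2IntrospectionClaimNames.SCOPE);
        Collection<?> scopes = scopeClaim == null ? Collections.emptyList() : (Collection<?>) scopeClaim;
        return scopes.stream()
                .<GrantedAuthority>map(scope -> new SimpleGrantedAuthority("SCOPE_" + scope))
                .collect(Collectors.toList());
    }

    /** Parses the {@code iss} claim as a URL, failing with {@code invalid_token} if malformed. */
    private URL issuer(String uri) {
        try {
            return new URL(uri);
        } catch (Exception e) {
            throw new OAuth2AuthenticationException(invalidToken("Invalid iss value: " + uri), e);
        }
    }

    /**
     * Builds an {@code invalid_token} error with HTTP status 401 and the given description.
     *
     * <p>Descriptions here are often third-party exception messages or values taken from the
     * introspection response. {@link BearerTokenError} is expected to reject descriptions outside
     * the character set allowed for bearer error descriptions with an
     * {@link IllegalArgumentException}; in that case a fixed description is used so that the
     * failure is still reported as an authentication error.
     */
    private static BearerTokenError invalidToken(String description) {
        String errorUri = "https://tools.ietf.org/html/rfc7662#section-2.2";
        try {
            return new BearerTokenError(BearerTokenErrorCodes.INVALID_TOKEN, HttpStatus.UNAUTHORIZED,
                    description, errorUri);
        } catch (IllegalArgumentException malformedDescription) {
            return new BearerTokenError(BearerTokenErrorCodes.INVALID_TOKEN, HttpStatus.UNAUTHORIZED,
                    "Token introspection failed", errorUri);
        }
    }

    /**
     * Converts an unexpected failure into an {@code invalid_token} authentication error, keeping
     * the original throwable as the cause so the stack trace is not lost.
     */
    private OAuth2AuthenticationException onError(Throwable failure) {
        // NOTE(review): the upstream message (for example a connection error naming an internal
        // host) becomes the error description; consider a generic description if that text can
        // reach API clients.
        return new OAuth2AuthenticationException(invalidToken(failure.getMessage()), failure.getMessage(), failure);
    }
}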
