package org.springframework.security.oauth2.server.resource.authentication;

import java.time.Instant;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2TokenAttributes;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.BearerTokenError;
import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionClaimNames;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
import org.springframework.security.oauth2.server.resource.introspection.ReactiveOAuth2TokenIntrospectionClient;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/springframework/security/oauth2/server/resource/authentication/OAuth2IntrospectionReactiveAuthenticationManager.class */
public class OAuth2IntrospectionReactiveAuthenticationManager implements ReactiveAuthenticationManager {
    private static final BearerTokenError DEFAULT_INVALID_TOKEN = invalidToken("An error occurred while attempting to introspect the token: Invalid token");
    private ReactiveOAuth2TokenIntrospectionClient introspectionClient;

    public OAuth2IntrospectionReactiveAuthenticationManager(ReactiveOAuth2TokenIntrospectionClient reactiveOAuth2TokenIntrospectionClient) {
        Assert.notNull(reactiveOAuth2TokenIntrospectionClient, "introspectionClient cannot be null");
        this.introspectionClient = reactiveOAuth2TokenIntrospectionClient;
    }

    public Mono<Authentication> authenticate(Authentication authentication) {
        Mono justOrEmpty = Mono.justOrEmpty(authentication);
        Class<BearerTokenAuthenticationToken> cls = BearerTokenAuthenticationToken.class;
        BearerTokenAuthenticationToken.class.getClass();
        return justOrEmpty.filter((v1) -> {
            return r1.isInstance(v1);
        }).cast(BearerTokenAuthenticationToken.class).map((v0) -> {
            return v0.getToken();
        }).flatMap(this::authenticate).cast(Authentication.class);
    }

    private Mono<OAuth2IntrospectionAuthenticationToken> authenticate(String str) {
        return this.introspectionClient.introspect(str).map(map -> {
            return new OAuth2IntrospectionAuthenticationToken(new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, str, (Instant) map.get(OAuth2IntrospectionClaimNames.ISSUED_AT), (Instant) map.get(OAuth2IntrospectionClaimNames.EXPIRES_AT)), new OAuth2TokenAttributes(map), extractAuthorities(map));
        }).onErrorMap(OAuth2IntrospectionException.class, this::onError);
    }

    private Collection<GrantedAuthority> extractAuthorities(Map<String, Object> map) {
        return (Collection) ((Collection) Optional.ofNullable((Collection) map.get(OAuth2IntrospectionClaimNames.SCOPE)).orElse(Collections.emptyList())).stream().map(str -> {
            return new SimpleGrantedAuthority("SCOPE_" + str);
        }).collect(Collectors.toList());
    }

    private static BearerTokenError invalidToken(String str) {
        try {
            return new BearerTokenError(BearerTokenErrorCodes.INVALID_TOKEN, HttpStatus.UNAUTHORIZED, str, "https://tools.ietf.org/html/rfc7662#section-2.2");
        } catch (IllegalArgumentException e) {
            return DEFAULT_INVALID_TOKEN;
        }
    }

    private OAuth2AuthenticationException onError(OAuth2IntrospectionException oAuth2IntrospectionException) {
        return new OAuth2AuthenticationException(invalidToken(oAuth2IntrospectionException.getMessage()), oAuth2IntrospectionException.getMessage());
    }
}
