package com.okta.spring.boot.oauth;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.DelegatingReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginReactiveAuthenticationManager;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeReactiveAuthenticationManager;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.util.ClassUtils;
import org.springframework.web.bind.annotation.ResponseStatus;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/**
 * Reactive (WebFlux) auto-configuration that replaces the OAuth2 login authentication manager on
 * {@link ServerHttpSecurity} beans with one whose failures are reported as
 * {@link UnknownOAuthException} (HTTP 401).
 *
 * <p>Active only in a reactive web application, when Reactor, WebFlux security and the OAuth2
 * client classes are on the classpath, and after {@code ReactiveOktaOAuth2AutoConfig} has
 * contributed its bean.
 *
 * <p>Decompiled (JADX) from
 * {@code com/okta/spring/boot/oauth/ReactiveOktaOAuth2ServerHttpServerAutoConfig.class}; the
 * decompiler widened some access modifiers, as noted on the affected members.
 */
@Configuration
@ConditionalOnClass({Flux.class, EnableWebFluxSecurity.class, ClientRegistration.class})
@AutoConfigureAfter({ReactiveOktaOAuth2AutoConfig.class})
@ConditionalOnBean({ReactiveOktaOAuth2AutoConfig.class})
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
class ReactiveOktaOAuth2ServerHttpServerAutoConfig {

    /**
     * Post-processor that swaps the authentication manager of every {@link ServerHttpSecurity}
     * bean for the one built by
     * {@link ReactiveOktaOAuth2ServerHttpServerAutoConfig#reactiveAuthenticationManager}.
     *
     * <p>Decompiled from the nested class {@code $OktaOAuth2LoginServerBeanPostProcessor}.
     */
    static class OktaOAuth2LoginServerBeanPostProcessor implements BeanPostProcessor {
        private final ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oAuth2UserService;
        private final OidcReactiveOAuth2UserService oidcUserService;

        /**
         * @param oAuth2UserService user service handed to the plain OAuth2 login manager
         * @param oidcUserService user service handed to the OIDC authorization-code manager
         */
        OktaOAuth2LoginServerBeanPostProcessor(
                ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oAuth2UserService,
                OidcReactiveOAuth2UserService oidcUserService) {
            this.oAuth2UserService = oAuth2UserService;
            this.oidcUserService = oidcUserService;
        }

        /**
         * Installs the wrapped authentication manager on {@link ServerHttpSecurity} beans and
         * returns every other bean untouched.
         *
         * @param bean the freshly initialised bean
         * @param beanName the bean's name (not used)
         * @return the same {@code bean} instance
         */
        public Object postProcessAfterInitialization(Object bean, String beanName) {
            if (!(bean instanceof ServerHttpSecurity)) {
                return bean;
            }
            // NOTE(review): oauth2Login() is invoked on every ServerHttpSecurity bean, so this
            // presumably switches OAuth2 login on for each of them - confirm that is intended.
            ((ServerHttpSecurity) bean)
                    .oauth2Login()
                    .authenticationManager(
                            ReactiveOktaOAuth2ServerHttpServerAutoConfig.reactiveAuthenticationManager(
                                    this.oAuth2UserService, this.oidcUserService));
            return bean;
        }
    }

    /**
     * Authentication failure raised in place of the original error; annotated so that it maps to
     * HTTP 401. The original error is kept as the cause.
     *
     * <p>Decompiled from the nested class {@code $UnknownOAuthException}; JADX reports the access
     * modifiers as changed from package-private.
     */
    @ResponseStatus(HttpStatus.UNAUTHORIZED)
    public static class UnknownOAuthException extends AuthenticationException {
        UnknownOAuthException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    ReactiveOktaOAuth2ServerHttpServerAutoConfig() {
    }

    /**
     * Registers the post-processor that rewires {@link ServerHttpSecurity} beans.
     *
     * @param reactiveOAuth2UserService the bean qualified as {@code oauth2UserService}
     * @param oidcReactiveOAuth2UserService the bean qualified as {@code oidcUserService}
     * @return a new {@link OktaOAuth2LoginServerBeanPostProcessor}
     */
    @Bean
    BeanPostProcessor authManagerServerHttpSecurityBeanPostProcessor(@Qualifier("oauth2UserService") ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> reactiveOAuth2UserService, @Qualifier("oidcUserService") OidcReactiveOAuth2UserService oidcReactiveOAuth2UserService) {
        return new OktaOAuth2LoginServerBeanPostProcessor(reactiveOAuth2UserService, oidcReactiveOAuth2UserService);
    }

    /**
     * Builds the authentication manager used for OAuth2 login.
     *
     * <p>A plain OAuth2 login manager is always created. When
     * {@code org.springframework.security.oauth2.jwt.JwtDecoder} is loadable, an OIDC
     * authorization-code manager is placed in front of it inside a delegating manager. Both share
     * one token response client and both pass their result through {@link #wrapOnErrorMap}.
     *
     * <p>JADX reports the access modifier as changed from {@code private}.
     *
     * @param reactiveOAuth2UserService user service for the plain OAuth2 manager
     * @param oidcReactiveOAuth2UserService user service for the OIDC manager
     * @return the OAuth2 manager alone, or a delegating manager trying OIDC first
     */
    public static ReactiveAuthenticationManager reactiveAuthenticationManager(ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> reactiveOAuth2UserService, OidcReactiveOAuth2UserService oidcReactiveOAuth2UserService) {
        final WebClientReactiveAuthorizationCodeTokenResponseClient tokenClient =
                new WebClientReactiveAuthorizationCodeTokenResponseClient();

        // Decompiled anonymous class ...AutoConfig.1
        final ReactiveAuthenticationManager oauth2Manager =
                new OAuth2LoginReactiveAuthenticationManager(tokenClient, reactiveOAuth2UserService) {
                    public Mono<Authentication> authenticate(Authentication authentication) {
                        return ReactiveOktaOAuth2ServerHttpServerAutoConfig.wrapOnErrorMap(
                                super.authenticate(authentication));
                    }
                };

        // The OIDC manager is added only when the JWT classes are on the classpath.
        final boolean jwtDecoderPresent = ClassUtils.isPresent(
                "org.springframework.security.oauth2.jwt.JwtDecoder",
                ReactiveOktaOAuth2ServerHttpServerAutoConfig.class.getClassLoader());
        if (!jwtDecoderPresent) {
            return oauth2Manager;
        }

        // Decompiled anonymous class ...AutoConfig.2
        final ReactiveAuthenticationManager oidcManager =
                new OidcAuthorizationCodeReactiveAuthenticationManager(tokenClient, oidcReactiveOAuth2UserService) {
                    public Mono<Authentication> authenticate(Authentication authentication) {
                        return ReactiveOktaOAuth2ServerHttpServerAutoConfig.wrapOnErrorMap(
                                super.authenticate(authentication));
                    }
                };

        // Order matters: the OIDC manager is listed ahead of the plain OAuth2 one.
        return new DelegatingReactiveAuthenticationManager(oidcManager, oauth2Manager);
    }

    /**
     * Maps selected failures of {@code mono} to {@link UnknownOAuthException}.
     *
     * <p>The replacement carries a fixed, generic message; the detail of the failure stays on the
     * attached cause only. Errors not accepted by {@link #shouldWrapException} pass through
     * unchanged.
     *
     * <p>JADX reports the access modifier as changed from {@code private}.
     *
     * @param mono the authentication result to decorate
     * @return {@code mono} with the error mapping applied
     */
    public static Mono<Authentication> wrapOnErrorMap(Mono<Authentication> mono) {
        return mono.onErrorMap(
                ReactiveOktaOAuth2ServerHttpServerAutoConfig::shouldWrapException,
                cause -> new UnknownOAuthException("An error occurred while attempting to authenticate: ", cause));
    }

    /**
     * Decides whether an error is rewritten as {@link UnknownOAuthException}.
     *
     * @param th the error emitted by the authentication pipeline
     * @return {@code true} for {@link IllegalStateException}, {@link JwtException} and
     *     {@link AuthenticationException}
     */
    private static boolean shouldWrapException(Throwable th) {
        // NOTE(review): IllegalStateException is a broad type; any such error raised while
        // authenticating is reported as 401 rather than a server error - confirm this is wanted.
        if (th instanceof IllegalStateException) {
            return true;
        }
        if (th instanceof JwtException) {
            return true;
        }
        return th instanceof AuthenticationException;
    }
}
