package org.springframework.security.oauth2.client.oidc.authentication;

import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.core.convert.TypeDescriptor;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.converter.ClaimConversionService;
import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoderFactory;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.2.4.jar:org/springframework/security/oauth2/client/oidc/authentication/ReactiveOidcIdTokenDecoderFactory.class */
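/**
 * Builds the {@link ReactiveJwtDecoder} that verifies the signature of an OIDC ID Token
 * for a given {@link ClientRegistration}.
 *
 * <p>One decoder is created per registration id and then cached for the lifetime of this
 * factory. The decoder is assembled from three pluggable functions: a JWS algorithm
 * resolver (default: always {@code RS256}), a token validator factory (default:
 * {@link DefaultOidcIdTokenValidatorFactory}) and a claim type converter factory
 * (default: the converters from {@link #createDefaultClaimTypeConverters()}).
 *
 * <p><strong>Configuration order matters.</strong> The setters only replace the function
 * stored on this factory; decoders that {@link #createDecoder(ClientRegistration)} has
 * already cached are not rebuilt. Apply any stricter validator or different algorithm
 * before the first decoder is requested, or use a fresh factory instance.
 */
public final class ReactiveOidcIdTokenDecoderFactory implements ReactiveJwtDecoderFactory<ClientRegistration> {
    private static final String MISSING_SIGNATURE_VERIFIER_ERROR_CODE = "missing_signature_verifier";
    private static final Map<JwsAlgorithm, String> JCA_ALGORITHM_MAPPINGS;
    private static final ClaimTypeConverter DEFAULT_CLAIM_TYPE_CONVERTER;

    static {
        // JWS MAC algorithm -> JCA algorithm name used when wrapping the client secret as a key.
        Map<JwsAlgorithm, String> jcaNames = new HashMap<>();
        jcaNames.put(MacAlgorithm.HS256, "HmacSHA256");
        jcaNames.put(MacAlgorithm.HS384, "HmacSHA384");
        jcaNames.put(MacAlgorithm.HS512, "HmacSHA512");
        JCA_ALGORITHM_MAPPINGS = Collections.unmodifiableMap(jcaNames);
        DEFAULT_CLAIM_TYPE_CONVERTER = new ClaimTypeConverter(createDefaultClaimTypeConverters());
    }

    // Decoder cache keyed by registration id; entries are never evicted or rebuilt here.
    private final Map<String, ReactiveJwtDecoder> jwtDecoders = new ConcurrentHashMap<>();
    private Function<ClientRegistration, OAuth2TokenValidator<Jwt>> jwtValidatorFactory = new DefaultOidcIdTokenValidatorFactory();
    private Function<ClientRegistration, JwsAlgorithm> jwsAlgorithmResolver = clientRegistration -> SignatureAlgorithm.RS256;
    private Function<ClientRegistration, Converter<Map<String, Object>, Map<String, Object>>> claimTypeConverterFactory =
            clientRegistration -> DEFAULT_CLAIM_TYPE_CONVERTER;

    /**
     * Returns the default per-claim converters, keyed by claim name.
     *
     * <p>{@code iss} is converted to {@link URL}; {@code aud} and {@code amr} to a
     * collection of strings; {@code nonce} to {@link String}; {@code exp}, {@code iat},
     * {@code auth_time} and {@code updated_at} to {@link Instant}; {@code email_verified}
     * and {@code phone_number_verified} to {@link Boolean}.
     *
     * @return a new mutable map of claim name to converter
     */
    public static Map<String, Converter<Object, ?>> createDefaultClaimTypeConverters() {
        Converter<Object, ?> booleanConverter = getConverter(TypeDescriptor.valueOf(Boolean.class));
        Converter<Object, ?> instantConverter = getConverter(TypeDescriptor.valueOf(Instant.class));
        Converter<Object, ?> urlConverter = getConverter(TypeDescriptor.valueOf(URL.class));
        Converter<Object, ?> stringConverter = getConverter(TypeDescriptor.valueOf(String.class));
        Converter<Object, ?> stringCollectionConverter =
                getConverter(TypeDescriptor.collection(Collection.class, TypeDescriptor.valueOf(String.class)));
        Map<String, Converter<Object, ?>> converters = new HashMap<>();
        converters.put("iss", urlConverter);
        converters.put("aud", stringCollectionConverter);
        converters.put("nonce", stringConverter);
        converters.put("exp", instantConverter);
        converters.put("iat", instantConverter);
        converters.put("auth_time", instantConverter);
        converters.put("amr", stringCollectionConverter);
        converters.put("email_verified", booleanConverter);
        converters.put("phone_number_verified", booleanConverter);
        converters.put("updated_at", instantConverter);
        return converters;
    }

    /**
     * Wraps the shared {@link ClaimConversionService} as a converter from {@code Object}
     * to the given target type.
     *
     * @param typeDescriptor the target type of the conversion
     * @return a converter that delegates to the shared conversion service on each call
     */
    private static Converter<Object, ?> getConverter(TypeDescriptor typeDescriptor) {
        TypeDescriptor sourceDescriptor = TypeDescriptor.valueOf(Object.class);
        return source -> ClaimConversionService.getSharedInstance().convert(source, sourceDescriptor, typeDescriptor);
    }

    /**
     * Returns the decoder for the given registration, building and caching it on first use.
     *
     * <p>The cache key is the registration id alone, so later calls with the same id return
     * the first decoder even if the registration details or this factory's functions have
     * changed since.
     *
     * @param clientRegistration the client registration; must not be {@code null}
     * @return the cached or newly built decoder
     * @throws OAuth2AuthenticationException if no signature verifier can be built for the
     * registration (missing JWK Set URI, missing client secret, or unsupported algorithm)
     */
    @Override // org.springframework.security.oauth2.jwt.ReactiveJwtDecoderFactory
    public ReactiveJwtDecoder createDecoder(ClientRegistration clientRegistration) {
        Assert.notNull(clientRegistration, "clientRegistration cannot be null");
        return this.jwtDecoders.computeIfAbsent(clientRegistration.getRegistrationId(), registrationId -> {
            NimbusReactiveJwtDecoder decoder = buildDecoder(clientRegistration);
            decoder.setJwtValidator(this.jwtValidatorFactory.apply(clientRegistration));
            // The converter factory may return null, in which case the decoder keeps its own default.
            Converter<Map<String, Object>, Map<String, Object>> claimSetConverter =
                    this.claimTypeConverterFactory.apply(clientRegistration);
            if (claimSetConverter != null) {
                decoder.setClaimSetConverter(claimSetConverter);
            }
            return decoder;
        });
    }

    /**
     * Builds a decoder whose verification key source matches the resolved JWS algorithm.
     *
     * <p>A {@link SignatureAlgorithm} is verified against the provider's JWK Set URI; a
     * {@link MacAlgorithm} is verified with an HMAC key made from the UTF-8 bytes of the
     * client secret. Any other result from the resolver, including {@code null}, is rejected.
     *
     * @param clientRegistration the registration to build a decoder for
     * @return a decoder pinned to the resolved algorithm
     * @throws OAuth2AuthenticationException with error code {@code missing_signature_verifier}
     * if the required key source is not configured or the algorithm is unsupported
     */
    private NimbusReactiveJwtDecoder buildDecoder(ClientRegistration clientRegistration) {
        JwsAlgorithm jwsAlgorithm = this.jwsAlgorithmResolver.apply(clientRegistration);
        if (jwsAlgorithm instanceof SignatureAlgorithm) {
            String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
            if (StringUtils.hasText(jwkSetUri)) {
                return NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri)
                        .jwsAlgorithm((SignatureAlgorithm) jwsAlgorithm)
                        .build();
            }
            throw missingSignatureVerifier(clientRegistration, "Check to ensure you have configured the JwkSet URI.");
        }
        if (!(jwsAlgorithm instanceof MacAlgorithm)) {
            throw missingSignatureVerifier(clientRegistration,
                    "Check to ensure you have configured a valid JWS Algorithm: '" + jwsAlgorithm + "'");
        }
        String clientSecret = clientRegistration.getClientSecret();
        if (StringUtils.hasText(clientSecret)) {
            // NOTE(review): only a non-blank check is made here. The HMAC key is exactly the
            // secret's UTF-8 bytes, so its strength is that of the secret; this method does not
            // itself check the length against the chosen HMAC. Confirm that is enforced elsewhere.
            SecretKeySpec secretKey = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8),
                    JCA_ALGORITHM_MAPPINGS.get(jwsAlgorithm));
            return NimbusReactiveJwtDecoder.withSecretKey(secretKey)
                    .macAlgorithm((MacAlgorithm) jwsAlgorithm)
                    .build();
        }
        throw missingSignatureVerifier(clientRegistration, "Check to ensure you have configured the client secret.");
    }

    /**
     * Creates the exception raised when no signature verifier can be built.
     * The message names the registration id and the remedy; it never includes the secret.
     */
    private static OAuth2AuthenticationException missingSignatureVerifier(ClientRegistration clientRegistration, String remedy) {
        OAuth2Error error = new OAuth2Error(MISSING_SIGNATURE_VERIFIER_ERROR_CODE,
                "Failed to find a Signature Verifier for Client Registration: '"
                        + clientRegistration.getRegistrationId() + "'. " + remedy,
                null);
        return new OAuth2AuthenticationException(error, error.toString());
    }

    /**
     * Sets the factory that supplies the ID Token validator for a registration.
     * Decoders already cached by {@link #createDecoder(ClientRegistration)} keep the
     * validator they were built with.
     *
     * @param function the validator factory; must not be {@code null}
     */
    public void setJwtValidatorFactory(Function<ClientRegistration, OAuth2TokenValidator<Jwt>> function) {
        Assert.notNull(function, "jwtValidatorFactory cannot be null");
        this.jwtValidatorFactory = function;
    }

    /**
     * Sets the resolver that picks the expected JWS algorithm for a registration.
     * Decoders already cached by {@link #createDecoder(ClientRegistration)} keep the
     * algorithm they were built with.
     *
     * @param function the algorithm resolver; must not be {@code null}
     */
    public void setJwsAlgorithmResolver(Function<ClientRegistration, JwsAlgorithm> function) {
        Assert.notNull(function, "jwsAlgorithmResolver cannot be null");
        this.jwsAlgorithmResolver = function;
    }

    /**
     * Sets the factory that supplies the claim set converter for a registration.
     * The factory itself must not be {@code null}, but it may return {@code null} for a
     * registration, in which case no converter is set on that decoder. Decoders already
     * cached by {@link #createDecoder(ClientRegistration)} are not affected.
     *
     * @param function the claim type converter factory; must not be {@code null}
     */
    public void setClaimTypeConverterFactory(Function<ClientRegistration, Converter<Map<String, Object>, Map<String, Object>>> function) {
        Assert.notNull(function, "claimTypeConverterFactory cannot be null");
        this.claimTypeConverterFactory = function;
    }
}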
