package org.springframework.security.oauth2.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.RemoteKeySourceException;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.Resource;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTProcessor;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import javax.crypto.SecretKey;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.util.Assert;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-jose-5.3.9.RELEASE.jar:org/springframework/security/oauth2/jwt/NimbusJwtDecoder.class */
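/**
 * {@link JwtDecoder} that parses a compact JWT, runs it through a Nimbus
 * {@link JWTProcessor}, converts the resulting claims and finally applies an
 * {@link OAuth2TokenValidator} to the assembled {@link Jwt}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Unsecured tokens ({@link PlainJWT}) are rejected in {@link #decode(String)} before the
 *       processor is invoked.</li>
 *   <li>Every builder installs an empty claims-set verifier on the Nimbus processor, so the
 *       processor itself performs no claim checks; claim validation is done only by the
 *       configured {@code jwtValidator}.</li>
 *   <li>Each builder pins the accepted JWS algorithm(s); the algorithm is taken from the builder
 *       configuration, with RS256 / HS256 as the defaults.</li>
 * </ul>
 *
 * <p>Decompiler artifacts repaired in this listing: raw generic types, a {@code (JWT) null}
 * argument passed where a {@link SecurityContext} is expected, and a status check that had been
 * pulled inside a blanket {@code catch (Exception)} so its {@link IOException} was wrapped twice.
 */
public final class NimbusJwtDecoder implements JwtDecoder {
    private static final String DECODING_ERROR_MESSAGE_TEMPLATE = "An error occurred while attempting to decode the Jwt: %s";
    private final JWTProcessor<SecurityContext> jwtProcessor;
    private Converter<Map<String, Object>, Map<String, Object>> claimSetConverter = MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());
    // Default validator; what JwtValidators.createDefault() checks is not visible in this file.
    private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();

    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-jose-5.3.9.RELEASE.jar:org/springframework/security/oauth2/jwt/NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.class */
    /**
     * Builds a {@link NimbusJwtDecoder} whose verification keys are fetched from a JWK Set URI.
     *
     * <p>NOTE(review): the URI is only checked for non-empty text and for being a parseable
     * {@link URL}; no scheme restriction is visible here. The fetched key set decides which
     * signatures are trusted, so deployments should confirm the URI uses https.
     */
    public static final class JwkSetUriJwtDecoderBuilder {
        private String jwkSetUri;
        private Set<SignatureAlgorithm> signatureAlgorithms;
        private RestOperations restOperations;

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-jose-5.3.9.RELEASE.jar:org/springframework/security/oauth2/jwt/NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder$RestOperationsResourceRetriever.class */
        /** {@link ResourceRetriever} that downloads the JWK Set through a {@link RestOperations}. */
        public static class RestOperationsResourceRetriever implements ResourceRetriever {
            private static final MediaType APPLICATION_JWK_SET_JSON = new MediaType("application", "jwk-set+json");
            private final RestOperations restOperations;

            RestOperationsResourceRetriever(RestOperations restOperations) {
                Assert.notNull(restOperations, "restOperations cannot be null");
                this.restOperations = restOperations;
            }

            /**
             * Issues a GET for {@code url} and returns the body as a UTF-8 {@link Resource}.
             *
             * @param url location of the JWK Set
             * @return the response body wrapped as a resource
             * @throws IOException if the request fails (original failure kept as the cause) or
             *     the response status is not 200
             */
            @Override // com.nimbusds.jose.util.ResourceRetriever
            public Resource retrieveResource(URL url) throws IOException {
                HttpHeaders headers = new HttpHeaders();
                headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON, APPLICATION_JWK_SET_JSON));

                ResponseEntity<String> response;
                try {
                    RequestEntity<Void> request = new RequestEntity<>(headers, HttpMethod.GET, url.toURI());
                    response = this.restOperations.exchange(request, String.class);
                } catch (Exception e) {
                    // Transport and URI-conversion failures surface as IOException, cause preserved.
                    throw new IOException(e);
                }

                // Kept outside the try so this IOException is not caught and wrapped a second time.
                if (response.getStatusCodeValue() != 200) {
                    throw new IOException(response.toString());
                }
                return new Resource(response.getBody(), "UTF-8");
            }
        }

        /**
         * @param str the JWK Set URI; must contain text
         */
        private JwkSetUriJwtDecoderBuilder(String str) {
            this.signatureAlgorithms = new HashSet<>();
            // NOTE(review): a default-constructed RestTemplate is used unless restOperations(...)
            // is called; confirm its connect/read timeouts suit the JWK Set endpoint, because
            // key retrieval can occur while a token is being verified.
            this.restOperations = new RestTemplate();
            Assert.hasText(str, "jwkSetUri cannot be empty");
            this.jwkSetUri = str;
        }

        /**
         * Adds one accepted signature algorithm.
         *
         * @param signatureAlgorithm algorithm to accept; must not be null
         * @return this builder
         */
        public JwkSetUriJwtDecoderBuilder jwsAlgorithm(SignatureAlgorithm signatureAlgorithm) {
            Assert.notNull(signatureAlgorithm, "signatureAlgorithm cannot be null");
            this.signatureAlgorithms.add(signatureAlgorithm);
            return this;
        }

        /**
         * Hands the mutable set of accepted algorithms to {@code consumer}, which may add to or
         * remove from it. Emptying the set falls back to RS256 in
         * {@link #jwsKeySelector(JWKSource)}.
         *
         * @param consumer callback receiving the live algorithm set; must not be null
         * @return this builder
         */
        public JwkSetUriJwtDecoderBuilder jwsAlgorithms(Consumer<Set<SignatureAlgorithm>> consumer) {
            Assert.notNull(consumer, "signatureAlgorithmsConsumer cannot be null");
            consumer.accept(this.signatureAlgorithms);
            return this;
        }

        /**
         * Replaces the HTTP client used to fetch the JWK Set.
         *
         * @param restOperations client to use; must not be null
         * @return this builder
         */
        public JwkSetUriJwtDecoderBuilder restOperations(RestOperations restOperations) {
            Assert.notNull(restOperations, "restOperations cannot be null");
            this.restOperations = restOperations;
            return this;
        }

        /**
         * Creates the key selector for the configured algorithms: RS256 when none were
         * configured, a single selector for exactly one, otherwise one selector per algorithm
         * collected in a {@code JWSAlgorithmMapJWSKeySelector}.
         *
         * @param jWKSource source of candidate verification keys
         * @return selector limited to the configured algorithm(s)
         */
        JWSKeySelector<SecurityContext> jwsKeySelector(JWKSource<SecurityContext> jWKSource) {
            if (this.signatureAlgorithms.isEmpty()) {
                return new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jWKSource);
            }
            if (this.signatureAlgorithms.size() == 1) {
                JWSAlgorithm only = JWSAlgorithm.parse(this.signatureAlgorithms.iterator().next().getName());
                return new JWSVerificationKeySelector<>(only, jWKSource);
            }
            Map<JWSAlgorithm, JWSKeySelector<SecurityContext>> selectors = new HashMap<>();
            for (SignatureAlgorithm configured : this.signatureAlgorithms) {
                JWSAlgorithm algorithm = JWSAlgorithm.parse(configured.getName());
                selectors.put(algorithm, new JWSVerificationKeySelector<>(algorithm, jWKSource));
            }
            return new JWSAlgorithmMapJWSKeySelector<>(selectors);
        }

        /**
         * Assembles the Nimbus processor backed by a {@link RemoteJWKSet}.
         *
         * @return processor with the key selector set and an empty claims-set verifier
         */
        JWTProcessor<SecurityContext> processor() {
            ResourceRetriever retriever = new RestOperationsResourceRetriever(this.restOperations);
            JWKSource<SecurityContext> jwkSource = new RemoteJWKSet<>(toURL(this.jwkSetUri), retriever);
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(jwsKeySelector(jwkSource));
            // Deliberately a no-op: claim checks are left to NimbusJwtDecoder's jwtValidator.
            processor.setJWTClaimsSetVerifier((claims, context) -> {
            });
            return processor;
        }

        /** @return a decoder using the processor configured by this builder */
        public NimbusJwtDecoder build() {
            return new NimbusJwtDecoder(processor());
        }

        /**
         * @param str textual URL
         * @return the parsed URL
         * @throws IllegalArgumentException if {@code str} is not a valid URL
         */
        private static URL toURL(String str) {
            try {
                return new URL(str);
            } catch (MalformedURLException e) {
                throw new IllegalArgumentException("Invalid JWK Set URL \"" + str + "\" : " + e.getMessage(), e);
            }
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-jose-5.3.9.RELEASE.jar:org/springframework/security/oauth2/jwt/NimbusJwtDecoder$PublicKeyJwtDecoderBuilder.class */
    /** Builds a {@link NimbusJwtDecoder} that verifies signatures with one fixed RSA public key. */
    public static final class PublicKeyJwtDecoderBuilder {
        private JWSAlgorithm jwsAlgorithm;
        private RSAPublicKey key;

        /**
         * @param rSAPublicKey verification key; must not be null
         */
        private PublicKeyJwtDecoderBuilder(RSAPublicKey rSAPublicKey) {
            Assert.notNull(rSAPublicKey, "key cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.RS256;
            this.key = rSAPublicKey;
        }

        /**
         * Overrides the default RS256 algorithm.
         *
         * @param signatureAlgorithm algorithm to expect; must not be null
         * @return this builder
         */
        public PublicKeyJwtDecoderBuilder signatureAlgorithm(SignatureAlgorithm signatureAlgorithm) {
            Assert.notNull(signatureAlgorithm, "signatureAlgorithm cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(signatureAlgorithm.getName());
            return this;
        }

        /**
         * Assembles the Nimbus processor for the fixed key.
         *
         * @return processor with a single-key selector and an empty claims-set verifier
         * @throws IllegalStateException if the configured algorithm is not in the RSA family
         */
        JWTProcessor<SecurityContext> processor() {
            // Refuse a non-RSA algorithm so the RSA key is never paired with another family.
            if (!JWSAlgorithm.Family.RSA.contains(this.jwsAlgorithm)) {
                throw new IllegalStateException("The provided key is of type RSA; however the signature algorithm is of some other type: " + this.jwsAlgorithm + ". Please indicate one of RS256, RS384, or RS512.");
            }
            JWSKeySelector<SecurityContext> keySelector = new SingleKeyJWSKeySelector<>(this.jwsAlgorithm, this.key);
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            // Deliberately a no-op: claim checks are left to NimbusJwtDecoder's jwtValidator.
            processor.setJWTClaimsSetVerifier((claims, context) -> {
            });
            return processor;
        }

        /** @return a decoder using the processor configured by this builder */
        public NimbusJwtDecoder build() {
            return new NimbusJwtDecoder(processor());
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-jose-5.3.9.RELEASE.jar:org/springframework/security/oauth2/jwt/NimbusJwtDecoder$SecretKeyJwtDecoderBuilder.class */
    /**
     * Builds a {@link NimbusJwtDecoder} that verifies a MAC with one shared {@link SecretKey}.
     *
     * <p>NOTE(review): no key-length or algorithm-family check is visible in this class;
     * presumably the Nimbus verifier enforces a minimum key size for the MAC algorithm. Confirm.
     */
    public static final class SecretKeyJwtDecoderBuilder {
        private final SecretKey secretKey;
        private JWSAlgorithm jwsAlgorithm;

        /**
         * @param secretKey shared verification key; must not be null
         */
        private SecretKeyJwtDecoderBuilder(SecretKey secretKey) {
            this.jwsAlgorithm = JWSAlgorithm.HS256;
            Assert.notNull(secretKey, "secretKey cannot be null");
            this.secretKey = secretKey;
        }

        /**
         * Overrides the default HS256 algorithm.
         *
         * @param macAlgorithm algorithm to expect; must not be null
         * @return this builder
         */
        public SecretKeyJwtDecoderBuilder macAlgorithm(MacAlgorithm macAlgorithm) {
            Assert.notNull(macAlgorithm, "macAlgorithm cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(macAlgorithm.getName());
            return this;
        }

        /** @return a decoder using the processor configured by this builder */
        public NimbusJwtDecoder build() {
            return new NimbusJwtDecoder(processor());
        }

        /**
         * Assembles the Nimbus processor for the shared key.
         *
         * @return processor with a single-key selector and an empty claims-set verifier
         */
        JWTProcessor<SecurityContext> processor() {
            JWSKeySelector<SecurityContext> keySelector = new SingleKeyJWSKeySelector<>(this.jwsAlgorithm, this.secretKey);
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            // Deliberately a no-op: claim checks are left to NimbusJwtDecoder's jwtValidator.
            processor.setJWTClaimsSetVerifier((claims, context) -> {
            });
            return processor;
        }
    }

    /**
     * Creates a decoder around a caller-supplied processor, which is used as configured; the
     * key selector and claims verifier set up by the builders do not apply to it.
     *
     * @param jWTProcessor processor that verifies the token; must not be null
     */
    public NimbusJwtDecoder(JWTProcessor<SecurityContext> jWTProcessor) {
        Assert.notNull(jWTProcessor, "jwtProcessor cannot be null");
        this.jwtProcessor = jWTProcessor;
    }

    /**
     * Replaces the validator applied after signature verification.
     *
     * <p>NOTE(review): the builders in this class disable the Nimbus claims verifier, so the
     * validator set here is the only place claims are checked. Confirm that a custom validator
     * still covers expiry and not-before.
     *
     * @param oAuth2TokenValidator validator to use; must not be null
     */
    public void setJwtValidator(OAuth2TokenValidator<Jwt> oAuth2TokenValidator) {
        Assert.notNull(oAuth2TokenValidator, "jwtValidator cannot be null");
        this.jwtValidator = oAuth2TokenValidator;
    }

    /**
     * Replaces the converter applied to the verified claims before the {@link Jwt} is built.
     *
     * @param converter claim-set converter; must not be null
     */
    public void setClaimSetConverter(Converter<Map<String, Object>, Map<String, Object>> converter) {
        Assert.notNull(converter, "claimSetConverter cannot be null");
        this.claimSetConverter = converter;
    }

    /**
     * Parses, verifies and validates a compact JWT.
     *
     * @param str the token in compact serialization
     * @return the verified and validated token
     * @throws JwtException if the token is malformed, is unsecured, fails processing, or fails
     *     validation
     */
    @Override // org.springframework.security.oauth2.jwt.JwtDecoder
    public Jwt decode(String str) throws JwtException {
        JWT parsed = parse(str);
        // Unsecured ("plain") tokens carry no signature and are refused outright.
        if (parsed instanceof PlainJWT) {
            throw new BadJwtException("Unsupported algorithm of " + parsed.getHeader().getAlgorithm());
        }
        return validateJwt(createJwt(str, parsed));
    }

    /**
     * @param str the token in compact serialization
     * @return the parsed, not yet verified, token
     * @throws BadJwtException if parsing fails for any reason
     */
    private JWT parse(String str) {
        try {
            return JWTParser.parse(str);
        } catch (Exception e) {
            throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, e.getMessage()), e);
        }
    }

    /**
     * Runs the processor over {@code jwt} and assembles a {@link Jwt} from the token's header
     * and the converted claims.
     *
     * <p>Failures whose cause is a {@link ParseException} are reported with a fixed message and
     * without the cause; all other failures embed the underlying exception message.
     * NOTE(review): those messages can describe the key-retrieval failure, so check how far
     * they are propagated before exposing them to API clients.
     *
     * @param str the original token value
     * @param jwt the parsed token
     * @return the assembled token
     * @throws JwtException if key retrieval or JOSE processing fails
     * @throws BadJwtException for any other processing failure
     */
    private Jwt createJwt(String str, JWT jwt) {
        try {
            // No SecurityContext is supplied to the processor.
            JWTClaimsSet claimsSet = this.jwtProcessor.process(jwt, null);
            Map<String, Object> headers = new LinkedHashMap<>(jwt.getHeader().toJSONObject());
            Map<String, Object> claims = this.claimSetConverter.convert(claimsSet.getClaims());
            return Jwt.withTokenValue(str)
                    .headers(target -> target.putAll(headers))
                    .claims(target -> target.putAll(claims))
                    .build();
        } catch (RemoteKeySourceException e) {
            if (e.getCause() instanceof ParseException) {
                throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed Jwk set"));
            }
            throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, e.getMessage()), e);
        } catch (JOSEException e2) {
            throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, e2.getMessage()), e2);
        } catch (Exception e3) {
            if (e3.getCause() instanceof ParseException) {
                throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed payload"));
            }
            throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, e3.getMessage()), e3);
        }
    }

    /**
     * Applies the configured validator.
     *
     * @param jwt the verified token
     * @return {@code jwt} when the validator reports no errors
     * @throws JwtValidationException carrying all reported errors; its message is built from the
     *     first error that has a non-empty description, or is a generic text if none has one
     */
    private Jwt validateJwt(Jwt jwt) {
        OAuth2TokenValidatorResult result = this.jwtValidator.validate(jwt);
        if (!result.hasErrors()) {
            return jwt;
        }
        String message = "Unable to validate Jwt";
        for (OAuth2Error error : result.getErrors()) {
            if (!StringUtils.isEmpty(error.getDescription())) {
                message = String.format(DECODING_ERROR_MESSAGE_TEMPLATE, error.getDescription());
                break;
            }
        }
        throw new JwtValidationException(message, result.getErrors());
    }

    /**
     * @param str JWK Set URI to fetch verification keys from
     * @return a builder for a JWK-Set-backed decoder
     */
    public static JwkSetUriJwtDecoderBuilder withJwkSetUri(String str) {
        return new JwkSetUriJwtDecoderBuilder(str);
    }

    /**
     * @param rSAPublicKey RSA public key used to verify signatures
     * @return a builder for a fixed-public-key decoder
     */
    public static PublicKeyJwtDecoderBuilder withPublicKey(RSAPublicKey rSAPublicKey) {
        return new PublicKeyJwtDecoderBuilder(rSAPublicKey);
    }

    /**
     * @param secretKey shared key used to verify the MAC
     * @return a builder for a shared-secret decoder
     */
    public static SecretKeyJwtDecoderBuilder withSecretKey(SecretKey secretKey) {
        return new SecretKeyJwtDecoderBuilder(secretKey);
    }
}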
