package org.springframework.security.oauth2.client.web.reactive.function.client;

import java.time.Duration;
import java.util.Map;
import java.util.Optional;
import java.util.function.Consumer;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ExchangeFunction;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.class */
/**
 * {@link ExchangeFilterFunction} that resolves an {@link OAuth2AuthorizedClient} for an outgoing
 * {@code WebClient} request and adds its access token as an {@code Authorization: Bearer} header.
 *
 * <p>The client is taken, in order, from the request attribute set by
 * {@link #oauth2AuthorizedClient(OAuth2AuthorizedClient)}, or authorized through the
 * {@link ReactiveOAuth2AuthorizedClientManager} using a registration id from
 * {@link #clientRegistrationId(String)}, {@link #setDefaultClientRegistrationId(String)} or (when
 * {@link #setDefaultOAuth2AuthorizedClient(boolean)} is enabled) the current
 * {@link OAuth2AuthenticationToken}. If nothing resolves, the request is sent unchanged, without
 * a token.
 *
 * <p><b>Security note:</b> nothing in this class inspects the request URL. Whenever a client
 * resolves, the bearer token is attached regardless of the destination host. A {@code WebClient}
 * carrying this filter should therefore only be used for resource servers that are meant to
 * receive that token; the two "default" setters widen this to every request that passes through
 * the filter.
 */
public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements ExchangeFilterFunction {
    /** Request attribute key under which an explicit {@link OAuth2AuthorizedClient} is stored. */
    private static final String OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME = OAuth2AuthorizedClient.class.getName();

    /** Request attribute key under which an explicit client registration id is stored. */
    private static final String CLIENT_REGISTRATION_ID_ATTR_NAME =
            OAuth2AuthorizedClient.class.getName() + ".CLIENT_REGISTRATION_ID";

    /** Request attribute key under which an explicit {@link ServerWebExchange} is stored. */
    private static final String SERVER_WEB_EXCHANGE_ATTR_NAME = ServerWebExchange.class.getName();

    // Principal used when the reactive security context is empty.
    // NOTE(review): this token carries ROLE_USER rather than an anonymous-specific authority. In
    // this class it is only handed to the manager as the principal; confirm that nothing
    // downstream makes authorization decisions based on it.
    private static final AnonymousAuthenticationToken ANONYMOUS_USER_TOKEN = new AnonymousAuthenticationToken(
            "anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_USER"));

    private ReactiveOAuth2AuthorizedClientManager authorizedClientManager;

    // True only when the manager was created by this class (repository-based constructor);
    // the deprecated setters rely on this before casting the manager.
    private boolean defaultAuthorizedClientManager;

    private boolean defaultOAuth2AuthorizedClient;

    private String defaultClientRegistrationId;

    // Defaults to one minute; only applied to the internally created manager.
    @Deprecated
    private Duration accessTokenExpiresSkew = Duration.ofMinutes(1L);

    @Deprecated
    private ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient;

    /**
     * Creates the filter around a caller-supplied manager. This is the constructor to use when the
     * set of enabled grant types must be controlled explicitly.
     *
     * @param reactiveOAuth2AuthorizedClientManager the manager used to authorize clients; must not be null
     * @throws IllegalArgumentException if the manager is null
     */
    public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager reactiveOAuth2AuthorizedClientManager) {
        Assert.notNull(reactiveOAuth2AuthorizedClientManager, "authorizedClientManager cannot be null");
        this.authorizedClientManager = reactiveOAuth2AuthorizedClientManager;
    }

    /**
     * Creates the filter with an internally built {@link DefaultReactiveOAuth2AuthorizedClientManager}
     * (see {@link #createDefaultAuthorizedClientManager}); the deprecated setters are only usable
     * on instances built this way.
     *
     * @param reactiveClientRegistrationRepository source of client registrations
     * @param serverOAuth2AuthorizedClientRepository store of authorized clients
     */
    public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository reactiveClientRegistrationRepository, ServerOAuth2AuthorizedClientRepository serverOAuth2AuthorizedClientRepository) {
        this.authorizedClientManager = createDefaultAuthorizedClientManager(
                reactiveClientRegistrationRepository, serverOAuth2AuthorizedClientRepository);
        this.defaultAuthorizedClientManager = true;
    }

    /**
     * Builds the default manager with the authorization_code, refresh_token, client_credentials
     * and password providers enabled.
     *
     * <p>NOTE(review): the resource-owner password grant is switched on here by default. Current
     * OAuth security guidance advises against that grant; deployments that do not need it can pass
     * an explicitly configured manager to the single-argument constructor instead.
     */
    private static ReactiveOAuth2AuthorizedClientManager createDefaultAuthorizedClientManager(ReactiveClientRegistrationRepository registrations, ServerOAuth2AuthorizedClientRepository authorizedClients) {
        ReactiveOAuth2AuthorizedClientProvider provider = ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode()
                .refreshToken()
                .clientCredentials()
                .password()
                .build();
        DefaultReactiveOAuth2AuthorizedClientManager manager =
                new DefaultReactiveOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    /**
     * Returns an attributes customizer that pins the given authorized client on a request.
     *
     * @param oAuth2AuthorizedClient the client whose access token should be used
     * @return a consumer that stores the client in the request attributes
     */
    public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return attributes -> attributes.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, oAuth2AuthorizedClient);
    }

    /** Reads the explicitly attached authorized client, or {@code null} if none was set. */
    private static OAuth2AuthorizedClient oauth2AuthorizedClient(ClientRequest request) {
        Object attached = request.attributes().get(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME);
        return (OAuth2AuthorizedClient) attached;
    }

    /**
     * Returns an attributes customizer that attaches the given {@link ServerWebExchange} to a request.
     *
     * @param serverWebExchange the exchange to associate with the request
     * @return a consumer that stores the exchange in the request attributes
     */
    public static Consumer<Map<String, Object>> serverWebExchange(ServerWebExchange serverWebExchange) {
        return attributes -> attributes.put(SERVER_WEB_EXCHANGE_ATTR_NAME, serverWebExchange);
    }

    /** Reads the explicitly attached exchange, or {@code null} if none was set. */
    private static ServerWebExchange serverWebExchange(ClientRequest request) {
        Object attached = request.attributes().get(SERVER_WEB_EXCHANGE_ATTR_NAME);
        return (ServerWebExchange) attached;
    }

    /**
     * Returns an attributes customizer that selects the client registration to authorize with.
     *
     * @param str the client registration id
     * @return a consumer that stores the id in the request attributes
     */
    public static Consumer<Map<String, Object>> clientRegistrationId(String str) {
        return attributes -> attributes.put(CLIENT_REGISTRATION_ID_ATTR_NAME, str);
    }

    /**
     * Resolves the registration id for a request: an attached authorized client wins over the
     * registration-id attribute. Returns {@code null} when neither is present.
     */
    private static String clientRegistrationId(ClientRequest request) {
        OAuth2AuthorizedClient attachedClient = oauth2AuthorizedClient(request);
        if (attachedClient != null) {
            return attachedClient.getClientRegistration().getRegistrationId();
        }
        return (String) request.attributes().get(CLIENT_REGISTRATION_ID_ATTR_NAME);
    }

    /**
     * Enables falling back to the registration id of the current {@link OAuth2AuthenticationToken}
     * when a request names no client.
     *
     * <p>Security note: with this enabled, every request through this filter made on behalf of an
     * OAuth2-authenticated user receives that user's access token, whatever host it targets.
     *
     * @param z {@code true} to derive the default client from the current authentication
     */
    public void setDefaultOAuth2AuthorizedClient(boolean z) {
        this.defaultOAuth2AuthorizedClient = z;
    }

    /**
     * Sets the registration id used when a request names no client.
     *
     * <p>Security note: once set, every request through this filter that does not pick its own
     * client is authorized with this registration and receives its access token, whatever host it
     * targets.
     *
     * @param str the fallback client registration id
     */
    public void setDefaultClientRegistrationId(String str) {
        this.defaultClientRegistrationId = str;
    }

    /**
     * Replaces the token response client used for the client_credentials grant of the internally
     * created manager.
     *
     * @param reactiveOAuth2AccessTokenResponseClient the client to use; must not be null
     * @throws IllegalArgumentException if the argument is null
     * @throws IllegalStateException if this instance was built with a caller-supplied manager
     * @deprecated configure the provider on the manager passed to the constructor instead
     */
    @Deprecated
    public void setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> reactiveOAuth2AccessTokenResponseClient) {
        Assert.notNull(reactiveOAuth2AccessTokenResponseClient, "clientCredentialsTokenResponseClient cannot be null");
        Assert.state(this.defaultAuthorizedClientManager, "The client cannot be set when the constructor used is \"ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager)\". Instead, use the constructor \"ServerOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, OAuth2AuthorizedClientRepository)\".");
        this.clientCredentialsTokenResponseClient = reactiveOAuth2AccessTokenResponseClient;
        updateDefaultAuthorizedClientManager();
    }

    /**
     * Rebuilds the provider of the internally created manager from the current deprecated
     * settings. Callers check {@code defaultAuthorizedClientManager} first, which is what makes
     * the cast below safe.
     */
    private void updateDefaultAuthorizedClientManager() {
        DefaultReactiveOAuth2AuthorizedClientManager manager =
                (DefaultReactiveOAuth2AuthorizedClientManager) this.authorizedClientManager;
        manager.setAuthorizedClientProvider(ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                .authorizationCode()
                .refreshToken(refreshGrant -> refreshGrant.clockSkew(this.accessTokenExpiresSkew))
                .clientCredentials(this::updateClientCredentialsProvider)
                .password(passwordGrant -> passwordGrant.clockSkew(this.accessTokenExpiresSkew))
                .build());
    }

    /** Applies the custom token response client (if any) and the clock skew to the grant builder. */
    private void updateClientCredentialsProvider(ReactiveOAuth2AuthorizedClientProviderBuilder.ClientCredentialsGrantBuilder grantBuilder) {
        ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> customClient =
                this.clientCredentialsTokenResponseClient;
        if (customClient != null) {
            grantBuilder.accessTokenResponseClient(customClient);
        }
        grantBuilder.clockSkew(this.accessTokenExpiresSkew);
    }

    /**
     * Sets the clock skew applied by the refresh_token, client_credentials and password providers
     * of the internally created manager.
     *
     * @param duration the skew; must not be null
     * @throws IllegalArgumentException if the argument is null
     * @throws IllegalStateException if this instance was built with a caller-supplied manager
     * @deprecated configure the provider on the manager passed to the constructor instead
     */
    @Deprecated
    public void setAccessTokenExpiresSkew(Duration duration) {
        Assert.notNull(duration, "accessTokenExpiresSkew cannot be null");
        Assert.state(this.defaultAuthorizedClientManager, "The accessTokenExpiresSkew cannot be set when the constructor used is \"ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager)\". Instead, use the constructor \"ServerOAuth2AuthorizedClientExchangeFilterFunction(ClientRegistrationRepository, OAuth2AuthorizedClientRepository)\".");
        this.accessTokenExpiresSkew = duration;
        updateDefaultAuthorizedClientManager();
    }

    /**
     * Sends the request with a bearer token when an authorized client resolves, and unchanged
     * otherwise.
     *
     * <p>The fallback branch means a missing or unresolvable client does not fail the call: the
     * request still goes out, just unauthenticated.
     *
     * @param clientRequest the outgoing request
     * @param exchangeFunction the next function in the chain
     * @return the response of the downstream exchange
     */
    @Override
    public Mono<ClientResponse> filter(ClientRequest clientRequest, ExchangeFunction exchangeFunction) {
        Mono<ClientRequest> authorizedRequest = authorizedClient(clientRequest)
                .map(client -> bearer(clientRequest, client));
        return authorizedRequest
                .flatMap(exchangeFunction::exchange)
                .switchIfEmpty(Mono.defer(() -> exchangeFunction.exchange(clientRequest)));
    }

    /**
     * Resolves the authorized client for a request: the attached client if present, otherwise one
     * obtained from the manager. Either way the result is passed through the manager once more via
     * a re-authorize request (presumably so the manager can refresh an expired token; that logic
     * lives in the manager, not here).
     */
    private Mono<OAuth2AuthorizedClient> authorizedClient(ClientRequest request) {
        Mono<OAuth2AuthorizedClient> initial = Mono.justOrEmpty(oauth2AuthorizedClient(request))
                .switchIfEmpty(Mono.defer(() ->
                        authorizeRequest(request).flatMap(this.authorizedClientManager::authorize)));
        return initial.flatMap(client ->
                reauthorizeRequest(request, client).flatMap(this.authorizedClientManager::authorize));
    }

    /**
     * Builds the authorize request for a request that carries no authorized client. The
     * registration id is taken from the request, then the configured default, then the current
     * authentication; the result is empty when none of them yields an id.
     */
    private Mono<OAuth2AuthorizeRequest> authorizeRequest(ClientRequest request) {
        Mono<Authentication> principal = currentAuthentication();
        Mono<String> registrationId = Mono.justOrEmpty(clientRegistrationId(request))
                .switchIfEmpty(Mono.justOrEmpty(this.defaultClientRegistrationId))
                .switchIfEmpty(clientRegistrationId(principal));
        return Mono.zip(registrationId, principal, optionalServerWebExchange(request))
                .map(resolved -> {
                    OAuth2AuthorizeRequest.Builder builder = OAuth2AuthorizeRequest
                            .withClientRegistrationId(resolved.getT1())
                            .principal(resolved.getT2());
                    resolved.getT3().ifPresent(exchange ->
                            builder.attribute(ServerWebExchange.class.getName(), exchange));
                    return builder.build();
                });
    }

    /** Builds the re-authorize request for an already resolved client. */
    private Mono<OAuth2AuthorizeRequest> reauthorizeRequest(ClientRequest request, OAuth2AuthorizedClient authorizedClient) {
        return Mono.zip(currentAuthentication(), optionalServerWebExchange(request))
                .map(resolved -> {
                    OAuth2AuthorizeRequest.Builder builder = OAuth2AuthorizeRequest
                            .withAuthorizedClient(authorizedClient)
                            .principal(resolved.getT1());
                    resolved.getT2().ifPresent(exchange ->
                            builder.attribute(ServerWebExchange.class.getName(), exchange));
                    return builder.build();
                });
    }

    /**
     * Resolves the exchange from the request attribute or the subscriber context. The value is
     * wrapped in an {@link Optional} so the zip in the callers still emits when no exchange is
     * available.
     */
    private Mono<Optional<ServerWebExchange>> optionalServerWebExchange(ClientRequest request) {
        return Mono.justOrEmpty(serverWebExchange(request))
                .switchIfEmpty(currentServerWebExchange())
                .map(Optional::of)
                .defaultIfEmpty(Optional.empty());
    }

    /** Current authentication from the reactive security context, or the anonymous token. */
    private Mono<Authentication> currentAuthentication() {
        return ReactiveSecurityContextHolder.getContext()
                .map(securityContext -> securityContext.getAuthentication())
                .defaultIfEmpty(ANONYMOUS_USER_TOKEN);
    }

    /**
     * Registration id of the current OAuth2 login. Empty unless
     * {@code defaultOAuth2AuthorizedClient} is enabled and the authentication is an
     * {@link OAuth2AuthenticationToken}. The flag is read at subscription time, not when the
     * pipeline is assembled.
     */
    private Mono<String> clientRegistrationId(Mono<Authentication> authentication) {
        return authentication
                .filter(candidate -> this.defaultOAuth2AuthorizedClient
                        && candidate instanceof OAuth2AuthenticationToken)
                .cast(OAuth2AuthenticationToken.class)
                .map(OAuth2AuthenticationToken::getAuthorizedClientRegistrationId);
    }

    /** Exchange stored in the subscriber context under {@code ServerWebExchange.class}, if any. */
    private Mono<ServerWebExchange> currentServerWebExchange() {
        return Mono.subscriberContext()
                .filter(subscriberCtx -> subscriberCtx.hasKey(ServerWebExchange.class))
                .map(subscriberCtx -> subscriberCtx.get(ServerWebExchange.class));
    }

    /**
     * Copies the request and sets its {@code Authorization} header to the client's access token.
     * The destination URL is not checked here; the token goes wherever the request goes.
     */
    private ClientRequest bearer(ClientRequest request, OAuth2AuthorizedClient authorizedClient) {
        return ClientRequest.from(request)
                .headers(headers -> headers.setBearerAuth(authorizedClient.getAccessToken().getTokenValue()))
                .build();
    }
}
