package org.springframework.security.oauth2.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTProcessor;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/springframework/security/oauth2/jwt/NimbusReactiveJwtDecoder.class */
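/**
 * Reactive {@link ReactiveJwtDecoder} that parses a compact JWT, verifies its signature with
 * Nimbus and then applies an {@link OAuth2TokenValidator} to the resulting {@link Jwt}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The verification key selector is always built for {@code RS256}; the accepted algorithm
 *       is fixed by the decoder and not taken from the token header.</li>
 *   <li>Only {@link SignedJWT} instances are processed. Any other parsed token type (for example
 *       an unsigned one) is rejected in {@link #decode(String)}.</li>
 *   <li>The Nimbus claims-set verifier is replaced by a no-op in both constructors, so every
 *       claim check (expiry, not-before, issuer, ...) depends on {@code jwtValidator}. A
 *       validator installed through {@link #setJwtValidator} therefore has to cover the
 *       timestamp checks itself.</li>
 * </ul>
 */
public final class NimbusReactiveJwtDecoder implements ReactiveJwtDecoder {
    private static final String DECODE_ERROR_PREFIX = "An error occurred while attempting to decode the Jwt: ";

    private final JWTProcessor<JWKContext> jwtProcessor;
    private final ReactiveJWKSource reactiveJwkSource;
    private final JWKSelectorFactory jwkSelectorFactory;
    // Sole source of claim validation, see the class comment.
    // NOTE(review): not volatile; presumably set once during configuration - confirm.
    private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();

    /**
     * Creates a decoder that verifies signatures against a single, fixed RSA public key.
     *
     * @param publicKey the key used to verify RS256 signatures; must not be {@code null}
     */
    public NimbusReactiveJwtDecoder(RSAPublicKey publicKey) {
        // Same argument-checking style as the other constructor and the setter.
        Assert.notNull(publicKey, "publicKey cannot be null");
        JWSAlgorithm algorithm = JWSAlgorithm.parse(JwsAlgorithms.RS256);
        // Raw types are kept as in the original: the parameter types of ReactiveJWKSourceAdapter
        // are not visible here, so narrowing them could break compilation.
        ImmutableJWKSet jwkSource = new ImmutableJWKSet(new JWKSet(rsaKey(publicKey)));
        JWSVerificationKeySelector keySelector = new JWSVerificationKeySelector(algorithm, jwkSource);
        DefaultJWTProcessor processor = new DefaultJWTProcessor();
        processor.setJWSKeySelector(keySelector);
        // Deliberate no-op: claim checks are delegated to jwtValidator (see validateJwt).
        processor.setJWTClaimsSetVerifier((claims, context) -> {
        });
        this.jwtProcessor = processor;
        this.reactiveJwkSource = new ReactiveJWKSourceAdapter(jwkSource);
        this.jwkSelectorFactory = new JWKSelectorFactory(algorithm);
    }

    /**
     * Creates a decoder that obtains its verification keys from a remote JWK Set.
     *
     * <p>Only non-emptiness of the URL is checked here. The keys returned by that endpoint decide
     * which tokens are accepted, so it should be a trusted endpoint reached over TLS.
     * NOTE(review): whether {@code ReactiveRemoteJWKSource} restricts the scheme is not visible
     * in this file - confirm.
     *
     * @param jwkSetUrl location of the JWK Set; must contain text
     */
    public NimbusReactiveJwtDecoder(String jwkSetUrl) {
        Assert.hasText(jwkSetUrl, "jwkSetUrl cannot be empty");
        JWSAlgorithm algorithm = JWSAlgorithm.parse(JwsAlgorithms.RS256);
        JWSVerificationKeySelector keySelector = new JWSVerificationKeySelector(algorithm, new JWKContextJWKSource());
        DefaultJWTProcessor processor = new DefaultJWTProcessor();
        processor.setJWSKeySelector(keySelector);
        // Deliberate no-op: claim checks are delegated to jwtValidator (see validateJwt).
        processor.setJWTClaimsSetVerifier((claims, context) -> {
        });
        this.jwtProcessor = processor;
        this.reactiveJwkSource = new ReactiveRemoteJWKSource(jwkSetUrl);
        this.jwkSelectorFactory = new JWKSelectorFactory(algorithm);
    }

    /**
     * Replaces the validator applied to every decoded token.
     *
     * <p>The replacement is the only claim validation this decoder performs; it does not add the
     * default validators on top of it.
     *
     * @param jwtValidator the validator to use; must not be {@code null}
     */
    public void setJwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
        Assert.notNull(jwtValidator, "jwtValidator cannot be null");
        this.jwtValidator = jwtValidator;
    }

    /**
     * Parses, verifies and validates a compact-serialized JWT.
     *
     * @param token the compact token string
     * @return a {@link Mono} emitting the validated {@link Jwt}
     * @throws JwtException synchronously, when the token cannot be parsed or is not a signed JWT
     */
    @Override // org.springframework.security.oauth2.jwt.ReactiveJwtDecoder
    public Mono<Jwt> decode(String token) throws JwtException {
        JWT parsed = parse(token);
        if (!(parsed instanceof SignedJWT)) {
            // Tokens without a JWS signature are never handed to the processor.
            throw new JwtException("Unsupported algorithm of " + parsed.getHeader().getAlgorithm());
        }
        return decode((SignedJWT) parsed);
    }

    /**
     * Parses the token string, converting any parser failure into a {@link JwtException}.
     * NOTE(review): the parser's message is propagated in the exception text; confirm it is not
     * returned verbatim to untrusted clients.
     */
    private JWT parse(String token) {
        try {
            return JWTParser.parse(token);
        } catch (Exception e) {
            throw new JwtException(DECODE_ERROR_PREFIX + e.getMessage(), e);
        }
    }

    /**
     * Resolves candidate keys for the token header, verifies the signature, builds the
     * {@link Jwt} and validates it.
     *
     * <p>Key-retrieval failures surface as {@link IllegalStateException} so that callers can tell
     * an infrastructure problem from a rejected token; every other unexpected error is wrapped in
     * a {@link JwtException}.
     */
    private Mono<Jwt> decode(SignedJWT signedJwt) {
        try {
            return this.reactiveJwkSource.get(this.jwkSelectorFactory.createSelector(signedJwt.getHeader()))
                    .onErrorMap(cause -> new IllegalStateException("Could not obtain the keys", cause))
                    .map(jwks -> createClaimsSet(signedJwt, jwks))
                    .map(claims -> createJwt(signedJwt, claims))
                    .map(this::validateJwt)
                    .onErrorMap(
                            cause -> !(cause instanceof IllegalStateException) && !(cause instanceof JwtException),
                            // Fix: include the cause's message, as the other two wrapping sites do.
                            cause -> new JwtException(DECODE_ERROR_PREFIX + cause.getMessage(), cause));
        } catch (RuntimeException e) {
            // Failures raised while assembling the pipeline (before subscription).
            throw new JwtException(DECODE_ERROR_PREFIX + e.getMessage(), e);
        }
    }

    /**
     * Runs the Nimbus processor (signature verification) with the given candidate keys.
     *
     * @throws JwtException when the processor rejects the token
     */
    private JWTClaimsSet createClaimsSet(JWT jwt, List<JWK> jwks) {
        try {
            return this.jwtProcessor.process(jwt, new JWKContext(jwks));
        } catch (BadJOSEException | JOSEException e) {
            throw new JwtException("Failed to validate the token", e);
        }
    }

    /**
     * Converts the verified Nimbus token into a Spring {@link Jwt}.
     *
     * <p>When the token has no {@code iat} claim but does have {@code exp}, the issued-at instant
     * is synthesized as one second before expiry; it is not a value asserted by the issuer.
     */
    private Jwt createJwt(JWT jwt, JWTClaimsSet claims) {
        Instant expiresAt = null;
        if (claims.getExpirationTime() != null) {
            expiresAt = claims.getExpirationTime().toInstant();
        }
        Instant issuedAt = null;
        if (claims.getIssueTime() != null) {
            issuedAt = claims.getIssueTime().toInstant();
        } else if (expiresAt != null) {
            issuedAt = expiresAt.minusSeconds(1L);
        }
        Map<String, Object> headers = new LinkedHashMap<>(jwt.getHeader().toJSONObject());
        return new Jwt(jwt.getParsedString(), issuedAt, expiresAt, headers, claims.getClaims());
    }

    /**
     * Applies the configured validator and rejects the token on the first reported error set.
     *
     * @throws JwtValidationException when the validator reports at least one error
     */
    private Jwt validateJwt(Jwt jwt) {
        OAuth2TokenValidatorResult result = this.jwtValidator.validate(jwt);
        if (result.hasErrors()) {
            throw new JwtValidationException(validationMessage(result), result.getErrors());
        }
        return jwt;
    }

    /**
     * Picks the first non-empty error description; falls back to a generic message so the
     * exception never carries a null message when a validator omits the description.
     */
    private static String validationMessage(OAuth2TokenValidatorResult result) {
        for (OAuth2Error error : result.getErrors()) {
            String description = error.getDescription();
            if (description != null && !description.isEmpty()) {
                return description;
            }
        }
        return "Unable to validate Jwt";
    }

    /** Wraps the public key in a Nimbus {@link RSAKey} so it can be placed in a JWK set. */
    private static RSAKey rsaKey(RSAPublicKey publicKey) {
        return new RSAKey.Builder(publicKey).build();
    }
}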
