package org.springframework.security.oauth2.client.endpoint;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collections;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Consumer;
import java.util.function.Function;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.client.endpoint.AbstractOAuth2AuthorizationGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwsHeader;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-5.7.11.jar:org/springframework/security/oauth2/client/endpoint/NimbusJwtClientAuthenticationParametersConverter.class */
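/**
 * {@link Converter} that produces the {@code client_assertion_type} and {@code client_assertion}
 * form parameters used to authenticate the client at the token endpoint with a signed JWT
 * (RFC 7523 / RFC 7521).
 *
 * <p>It only acts on registrations whose client authentication method is
 * {@link ClientAuthenticationMethod#PRIVATE_KEY_JWT} or
 * {@link ClientAuthenticationMethod#CLIENT_SECRET_JWT}; for any other method
 * {@link #convert(AbstractOAuth2AuthorizationGrantRequest)} returns {@code null}.
 *
 * <p>Instances are safe to share between threads: the only mutable state is the per-registration
 * encoder cache, which is a {@link ConcurrentHashMap} updated through {@code compute}, and the
 * customizer, which is a plain field reference.
 *
 * @param <T> the grant request type this converter accepts
 */
public final class NimbusJwtClientAuthenticationParametersConverter<T extends AbstractOAuth2AuthorizationGrantRequest>
        implements Converter<T, MultiValueMap<String, String>> {

    private static final String INVALID_KEY_ERROR_CODE = "invalid_key";

    private static final String INVALID_ALGORITHM_ERROR_CODE = "invalid_algorithm";

    private static final String CLIENT_ASSERTION_TYPE_VALUE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /** Resolves the signing key (or, for client_secret_jwt, the shared-secret JWK) for a registration. */
    private final Function<ClientRegistration, JWK> jwkResolver;

    /** Encoder cache keyed by registration id; see {@link #convert} for the refresh rule. */
    private final Map<String, JwsEncoderHolder> jwsEncoders = new ConcurrentHashMap<>();

    /** Hook applied to the header and claims builders before the assertion is signed; no-op by default. */
    private Consumer<JwtClientAuthenticationContext<T>> jwtClientAssertionCustomizer = context -> {
    };

    /**
     * Pairs a {@link JwtEncoder} with the {@link JWK} it was built from so the cache can detect a
     * changed key. Private in the original class (the decompiler widened it to {@code public}).
     */
    private static final class JwsEncoderHolder {

        private final JwtEncoder jwsEncoder;

        private final JWK jwk;

        private JwsEncoderHolder(JwtEncoder jwsEncoder, JWK jwk) {
            this.jwsEncoder = jwsEncoder;
            this.jwk = jwk;
        }

        private JwtEncoder getJwsEncoder() {
            return this.jwsEncoder;
        }

        private JWK getJwk() {
            return this.jwk;
        }

    }

    /**
     * Context handed to the customizer set via {@link #setJwtClientAssertionCustomizer(Consumer)}.
     * Exposes the grant request together with the mutable header and claims builders of the
     * assertion about to be signed.
     *
     * @param <T> the grant request type
     */
    public static final class JwtClientAuthenticationContext<T extends AbstractOAuth2AuthorizationGrantRequest> {

        private final T authorizationGrantRequest;

        private final JwsHeader.Builder headers;

        private final JwtClaimsSet.Builder claims;

        private JwtClientAuthenticationContext(T authorizationGrantRequest, JwsHeader.Builder headers,
                JwtClaimsSet.Builder claims) {
            this.authorizationGrantRequest = authorizationGrantRequest;
            this.headers = headers;
            this.claims = claims;
        }

        /** @return the grant request the assertion is being built for */
        public T getAuthorizationGrantRequest() {
            return this.authorizationGrantRequest;
        }

        /** @return the JWS header builder; changes made here end up in the signed assertion */
        public JwsHeader.Builder getHeaders() {
            return this.headers;
        }

        /** @return the claims builder; changes made here end up in the signed assertion */
        public JwtClaimsSet.Builder getClaims() {
            return this.claims;
        }

    }

    /**
     * Creates a converter that obtains the signing key through {@code jwkResolver}.
     *
     * @param jwkResolver resolves the {@link JWK} for a {@link ClientRegistration}; may return
     * {@code null} to signal that no key is available
     * @throws IllegalArgumentException if {@code jwkResolver} is {@code null}
     */
    public NimbusJwtClientAuthenticationParametersConverter(Function<ClientRegistration, JWK> jwkResolver) {
        Assert.notNull(jwkResolver, "jwkResolver cannot be null");
        this.jwkResolver = jwkResolver;
    }

    /**
     * Builds and signs the client assertion for the given grant request.
     *
     * <p>The assertion carries {@code iss} and {@code sub} set to the client id, {@code aud} set to
     * the provider's token URI, a random {@code jti}, {@code iat} of now and {@code exp} of now plus
     * 60 seconds. The customizer runs after these defaults are applied and before signing, so it can
     * override any of them.
     *
     * @param authorizationGrantRequest the grant request
     * @return the {@code client_assertion_type} / {@code client_assertion} parameters, or {@code null}
     * when the registration does not use a JWT-based client authentication method
     * @throws IllegalArgumentException if {@code authorizationGrantRequest} is {@code null}
     * @throws OAuth2AuthorizationException with error code {@code invalid_key} when no JWK can be
     * resolved, or {@code invalid_algorithm} when no JWS algorithm can be derived from the JWK
     */
    @Override
    public MultiValueMap<String, String> convert(T authorizationGrantRequest) {
        Assert.notNull(authorizationGrantRequest, "authorizationGrantRequest cannot be null");
        ClientRegistration clientRegistration = authorizationGrantRequest.getClientRegistration();
        ClientAuthenticationMethod method = clientRegistration.getClientAuthenticationMethod();
        if (!ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(method)
                && !ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(method)) {
            return null;
        }

        JWK jwk = this.jwkResolver.apply(clientRegistration);
        if (jwk == null) {
            OAuth2Error error = new OAuth2Error(INVALID_KEY_ERROR_CODE,
                    "Failed to resolve JWK signing key for client registration '"
                            + clientRegistration.getRegistrationId() + "'.",
                    null);
            throw new OAuth2AuthorizationException(error);
        }

        JwsAlgorithm jwsAlgorithm = resolveAlgorithm(jwk);
        if (jwsAlgorithm == null) {
            OAuth2Error error = new OAuth2Error(INVALID_ALGORITHM_ERROR_CODE,
                    "Unable to resolve JWS (signing) algorithm from JWK associated to client registration '"
                            + clientRegistration.getRegistrationId() + "'.",
                    null);
            throw new OAuth2AuthorizationException(error);
        }

        JwsHeader.Builder headersBuilder = JwsHeader.with(jwsAlgorithm);

        Instant issuedAt = Instant.now();
        // Short-lived assertion with a unique jti: bounds how long a captured assertion stays usable.
        Instant expiresAt = issuedAt.plus(Duration.ofSeconds(60));
        JwtClaimsSet.Builder claimsBuilder = JwtClaimsSet.builder()
                .issuer(clientRegistration.getClientId())
                .subject(clientRegistration.getClientId())
                .audience(Collections.singletonList(clientRegistration.getProviderDetails().getTokenUri()))
                .id(UUID.randomUUID().toString())
                .issuedAt(issuedAt)
                .expiresAt(expiresAt);

        this.jwtClientAssertionCustomizer.accept(
                new JwtClientAuthenticationContext<>(authorizationGrantRequest, headersBuilder, claimsBuilder));

        // Reuse the cached encoder for this registration unless the resolved JWK has changed;
        // ConcurrentHashMap.compute makes the check-and-replace atomic per key.
        JwsEncoderHolder holder = this.jwsEncoders.compute(clientRegistration.getRegistrationId(),
                (registrationId, cached) -> {
                    if (cached != null && cached.getJwk().equals(jwk)) {
                        return cached;
                    }
                    JwtEncoder encoder = new NimbusJwtEncoder(new ImmutableJWKSet<>(new JWKSet(jwk)));
                    return new JwsEncoderHolder(encoder, jwk);
                });

        Jwt jws = holder.getJwsEncoder()
                .encode(JwtEncoderParameters.from(headersBuilder.build(), claimsBuilder.build()));

        MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
        parameters.set(OAuth2ParameterNames.CLIENT_ASSERTION_TYPE, CLIENT_ASSERTION_TYPE_VALUE);
        parameters.set(OAuth2ParameterNames.CLIENT_ASSERTION, jws.getTokenValue());
        return parameters;
    }

    /**
     * Derives the JWS algorithm for a key: the JWK's explicit {@code alg} wins (signature algorithms
     * are tried before MAC algorithms); otherwise a default is chosen by key type.
     *
     * @param jwk the key to sign with
     * @return the algorithm, or {@code null} if neither {@code alg} nor the key type yields one
     */
    private static JwsAlgorithm resolveAlgorithm(JWK jwk) {
        JwsAlgorithm jwsAlgorithm = null;

        if (jwk.getAlgorithm() != null) {
            String algorithmName = jwk.getAlgorithm().getName();
            jwsAlgorithm = SignatureAlgorithm.from(algorithmName);
            if (jwsAlgorithm == null) {
                jwsAlgorithm = MacAlgorithm.from(algorithmName);
            }
        }

        if (jwsAlgorithm == null) {
            // No usable alg on the key: fall back to the 256-bit member of each family.
            if (KeyType.RSA.equals(jwk.getKeyType())) {
                jwsAlgorithm = SignatureAlgorithm.RS256;
            }
            else if (KeyType.EC.equals(jwk.getKeyType())) {
                jwsAlgorithm = SignatureAlgorithm.ES256;
            }
            else if (KeyType.OCT.equals(jwk.getKeyType())) {
                jwsAlgorithm = MacAlgorithm.HS256;
            }
        }

        return jwsAlgorithm;
    }

    /**
     * Sets the customizer invoked on the header and claims builders before each assertion is signed.
     *
     * @param jwtClientAssertionCustomizer the customizer
     * @throws IllegalArgumentException if {@code jwtClientAssertionCustomizer} is {@code null}
     */
    public void setJwtClientAssertionCustomizer(
            Consumer<JwtClientAuthenticationContext<T>> jwtClientAssertionCustomizer) {
        Assert.notNull(jwtClientAssertionCustomizer, "jwtClientAssertionCustomizer cannot be null");
        this.jwtClientAssertionCustomizer = jwtClientAssertionCustomizer;
    }

}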
