package org.springframework.security.oauth2.server.resource.authentication;

import com.nimbusds.jwt.JWTParser;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;
import org.springframework.core.convert.converter.Converter;
import org.springframework.lang.NonNull;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

/* loaded from: input_file:WEB-INF/lib/spring-security-oauth2-resource-server-5.6.1.jar:org/springframework/security/oauth2/server/resource/authentication/JwtIssuerReactiveAuthenticationManagerResolver.class */
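/**
 * Resolves a {@link ReactiveAuthenticationManager} per request based on the
 * {@code iss} claim of the presented bearer token.
 *
 * <p>Security-relevant flow, as implemented below:
 * <ol>
 *   <li>The issuer is read from the token with {@link JWTParser#parse(String)}, which only
 *       parses the token. At this point the issuer value is <em>unverified</em> input.</li>
 *   <li>The unverified issuer is handed to an issuer resolver. With the
 *       {@code String...}/{@code Collection} constructors that resolver first checks the
 *       value against the configured trusted issuers and returns empty for anything else.</li>
 *   <li>The token is then passed to the resolved manager, which performs the actual
 *       authentication of the token.</li>
 * </ol>
 *
 * <p>When the {@link ReactiveAuthenticationManagerResolver} constructor is used, the supplied
 * resolver receives the unverified issuer string and is the only place where the issuer can
 * be allow-listed; this class adds no check of its own in that case.
 */
public final class JwtIssuerReactiveAuthenticationManagerResolver implements ReactiveAuthenticationManagerResolver<ServerWebExchange> {
    private final ReactiveAuthenticationManager authenticationManager;

    /**
     * Extracts the {@code iss} claim from a bearer token without verifying the token.
     * Any failure (malformed token, missing issuer) is reported as an
     * {@link InvalidBearerTokenException} through the returned {@link Mono}.
     */
    private static class JwtClaimIssuerConverter implements Converter<BearerTokenAuthenticationToken, Mono<String>> {
        private JwtClaimIssuerConverter() {
        }

        /**
         * @param bearerTokenAuthenticationToken the token whose issuer claim is read
         * @return a {@link Mono} emitting the issuer, or erroring with
         *         {@link InvalidBearerTokenException} when the token cannot be parsed or
         *         carries no issuer
         */
        @Override
        public Mono<String> convert(@NonNull BearerTokenAuthenticationToken bearerTokenAuthenticationToken) {
            try {
                // Parse only: the claim set is read before any signature check has happened,
                // so the issuer must be treated as attacker-controlled by everything downstream.
                String issuer = JWTParser.parse(bearerTokenAuthenticationToken.getToken()).getJWTClaimsSet().getIssuer();
                if (issuer == null) {
                    throw new InvalidBearerTokenException("Missing issuer");
                }
                return Mono.just(issuer);
            } catch (Exception e) {
                // Also catches the "Missing issuer" exception thrown above and re-wraps it,
                // so every failure surfaces as an error signal rather than a thrown exception.
                return Mono.error(() -> new InvalidBearerTokenException(e.getMessage(), e));
            }
        }
    }

    /**
     * Authentication manager that picks a delegate by token issuer and forwards the
     * authentication request to it.
     */
    private static class ResolvingAuthenticationManager implements ReactiveAuthenticationManager {
        private final Converter<BearerTokenAuthenticationToken, Mono<String>> issuerConverter = new JwtClaimIssuerConverter();
        private final ReactiveAuthenticationManagerResolver<String> issuerAuthenticationManagerResolver;

        ResolvingAuthenticationManager(ReactiveAuthenticationManagerResolver<String> reactiveAuthenticationManagerResolver) {
            this.issuerAuthenticationManagerResolver = reactiveAuthenticationManagerResolver;
        }

        /**
         * @param authentication must be a {@link BearerTokenAuthenticationToken}
         * @return the result of the delegate selected for the token's issuer; errors with
         *         {@link InvalidBearerTokenException} when no delegate is resolved
         * @throws IllegalArgumentException if {@code authentication} is of another type
         */
        @Override
        public Mono<Authentication> authenticate(Authentication authentication) {
            Assert.isTrue(authentication instanceof BearerTokenAuthenticationToken, "Authentication must be of type BearerTokenAuthenticationToken");
            BearerTokenAuthenticationToken bearerToken = (BearerTokenAuthenticationToken) authentication;
            return this.issuerConverter.convert(bearerToken)
                    // An empty result from the issuer resolver means "issuer not accepted".
                    // NOTE(review): the message embeds the unverified issuer taken from the token;
                    // confirm that whatever renders this exception (response headers, logs)
                    // encodes or sanitises it.
                    .flatMap(issuer -> this.issuerAuthenticationManagerResolver.resolve(issuer)
                            .switchIfEmpty(Mono.error(() -> new InvalidBearerTokenException("Invalid issuer " + issuer))))
                    .flatMap(delegate -> delegate.authenticate(authentication));
        }
    }

    /**
     * Issuer resolver that only builds authentication managers for issuers accepted by the
     * {@code trustedIssuer} predicate, and caches one manager per accepted issuer.
     */
    static class TrustedIssuerJwtAuthenticationManagerResolver implements ReactiveAuthenticationManagerResolver<String> {
        // Keyed by issuer. Entries are only created after the predicate accepted the issuer,
        // so the map cannot grow from untrusted issuer values.
        private final Map<String, Mono<ReactiveAuthenticationManager>> authenticationManagers = new ConcurrentHashMap<>();
        private final Predicate<String> trustedIssuer;

        TrustedIssuerJwtAuthenticationManagerResolver(Predicate<String> predicate) {
            this.trustedIssuer = predicate;
        }

        /**
         * @param str the issuer claimed by the token (unverified)
         * @return empty when the issuer is not trusted; otherwise a cached {@link Mono} that
         *         builds the issuer's {@link JwtReactiveAuthenticationManager} on first use
         */
        @Override
        public Mono<ReactiveAuthenticationManager> resolve(String str) {
            // The trust check comes first: an untrusted issuer never reaches
            // fromIssuerLocation and never gets a cache entry.
            if (!this.trustedIssuer.test(str)) {
                return Mono.empty();
            }
            return this.authenticationManagers.computeIfAbsent(str, issuer ->
                    Mono.<ReactiveAuthenticationManager>fromCallable(
                                    () -> new JwtReactiveAuthenticationManager(ReactiveJwtDecoders.fromIssuerLocation(issuer)))
                            // Decoder construction is deferred to subscription time and moved to
                            // the bounded-elastic scheduler rather than the caller's thread.
                            .subscribeOn(Schedulers.boundedElastic())
                            // A successfully built manager is kept for Long.MAX_VALUE ms; errors
                            // and empty results get a zero TTL, so the next subscriber retries.
                            .cache(manager -> Duration.ofMillis(Long.MAX_VALUE),
                                    failure -> Duration.ZERO,
                                    () -> Duration.ZERO));
        }
    }

    /**
     * Creates a resolver that accepts tokens only from the given issuers.
     *
     * @param strArr the trusted issuer identifiers; must not be empty
     */
    public JwtIssuerReactiveAuthenticationManagerResolver(String... strArr) {
        this(Arrays.asList(strArr));
    }

    /**
     * Creates a resolver that accepts tokens only from the given issuers.
     *
     * @param collection the trusted issuer identifiers; must not be empty
     * @throws IllegalArgumentException if {@code collection} is empty
     */
    public JwtIssuerReactiveAuthenticationManagerResolver(Collection<String> collection) {
        Assert.notEmpty(collection, "trustedIssuers cannot be empty");
        // Defensive copy: later changes to the caller's collection must not alter the
        // set of trusted issuers. The decompiled source referenced an undefined name here
        // instead of this copy.
        Collection<String> trustedIssuers = new ArrayList<>(collection);
        this.authenticationManager = new ResolvingAuthenticationManager(
                new TrustedIssuerJwtAuthenticationManagerResolver(trustedIssuers::contains));
    }

    /**
     * Creates a resolver that delegates issuer handling to the given resolver.
     *
     * <p>The resolver is called with the issuer exactly as claimed by the token, before any
     * verification. It should return empty for issuers it does not recognise.
     *
     * @param reactiveAuthenticationManagerResolver maps an issuer to its authentication manager
     * @throws IllegalArgumentException if the resolver is {@code null}
     */
    public JwtIssuerReactiveAuthenticationManagerResolver(ReactiveAuthenticationManagerResolver<String> reactiveAuthenticationManagerResolver) {
        Assert.notNull(reactiveAuthenticationManagerResolver, "issuerAuthenticationManagerResolver cannot be null");
        this.authenticationManager = new ResolvingAuthenticationManager(reactiveAuthenticationManagerResolver);
    }

    /**
     * Returns the issuer-resolving authentication manager. The exchange itself is not
     * inspected; issuer selection happens later, from the token being authenticated.
     *
     * @param serverWebExchange the current exchange (unused)
     * @return a {@link Mono} emitting the single shared authentication manager
     */
    @Override
    public Mono<ReactiveAuthenticationManager> resolve(ServerWebExchange serverWebExchange) {
        return Mono.just(this.authenticationManager);
    }
}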
