package org.springframework.security.oauth2.server.resource.authentication;

import com.nimbusds.jwt.JWTParser;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.log.LogMessage;
import org.springframework.lang.NonNull;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-resource-server-5.4.1.jar:org/springframework/security/oauth2/server/resource/authentication/JwtIssuerAuthenticationManagerResolver.class */
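/**
 * Selects the {@link AuthenticationManager} for a request from the {@code iss} claim of
 * its bearer token.
 *
 * <p>The issuer is read from the token <em>before</em> any signature check, so at this
 * point it is an attacker-controlled string. It is used only as a lookup key: the value
 * must pass the trusted-issuer check before a decoder is built for it, and the token is
 * only verified by the {@link AuthenticationManager} that is returned.
 */
public final class JwtIssuerAuthenticationManagerResolver implements AuthenticationManagerResolver<HttpServletRequest> {
    private final AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver;
    private final Converter<HttpServletRequest, String> issuerConverter;

    /**
     * Extracts the {@code iss} claim from the bearer token carried by a request.
     *
     * <p>{@link JWTParser#parse(String)} only parses the token; it does not verify a
     * signature. The returned issuer must therefore be treated as untrusted input.
     */
    private static class JwtClaimIssuerConverter implements Converter<HttpServletRequest, String> {
        private final BearerTokenResolver resolver;

        private JwtClaimIssuerConverter() {
            this.resolver = new DefaultBearerTokenResolver();
        }

        /**
         * Returns the unverified issuer claim of the request's bearer token.
         *
         * @param httpServletRequest the request to read the bearer token from
         * @return the value of the {@code iss} claim, never {@code null}
         * @throws InvalidBearerTokenException if the token cannot be resolved or parsed,
         * or if it carries no issuer claim
         */
        @Override // org.springframework.core.convert.converter.Converter
        public String convert(@NonNull HttpServletRequest httpServletRequest) {
            try {
                String token = this.resolver.resolve(httpServletRequest);
                String issuer = JWTParser.parse(token).getJWTClaimsSet().getIssuer();
                if (issuer != null) {
                    return issuer;
                }
                // Thrown inside the try on purpose: the catch below re-wraps it, so the
                // caller sees the same exception type and message on every failure path.
                throw new InvalidBearerTokenException("Missing issuer");
            } catch (Exception e) {
                // NOTE(review): the underlying message becomes the error description of
                // the bearer-token error; confirm it is acceptable to expose to clients.
                throw new InvalidBearerTokenException(e.getMessage(), e);
            }
        }
    }

    /**
     * Resolves an {@link AuthenticationManager} per issuer, but only for issuers accepted
     * by the configured predicate. Managers are created lazily and cached by issuer.
     */
    private static class TrustedIssuerJwtAuthenticationManagerResolver implements AuthenticationManagerResolver<String> {
        private final Log logger = LogFactory.getLog(getClass());
        private final Map<String, AuthenticationManager> authenticationManagers = new ConcurrentHashMap<>();
        private final Predicate<String> trustedIssuer;

        TrustedIssuerJwtAuthenticationManagerResolver(Predicate<String> trustedIssuer) {
            this.trustedIssuer = trustedIssuer;
        }

        /**
         * Returns the cached or newly built manager for a trusted issuer.
         *
         * @param issuer the issuer claim taken from the (not yet verified) token
         * @return the manager for that issuer, or {@code null} if the issuer is not trusted
         */
        @Override // org.springframework.security.authentication.AuthenticationManagerResolver
        public AuthenticationManager resolve(String issuer) {
            // This check must stay ahead of the cache lookup. Building a decoder from an
            // issuer location triggers an outbound metadata request to that location, and
            // every distinct issuer adds a cache entry; both must be reachable only for
            // issuers on the allowlist, never for an arbitrary value from a token.
            if (!this.trustedIssuer.test(issuer)) {
                // The rejected value is deliberately not logged.
                this.logger.debug("Did not resolve AuthenticationManager since issuer is not trusted");
                return null;
            }
            AuthenticationManager authenticationManager = this.authenticationManagers.computeIfAbsent(issuer, key -> {
                this.logger.debug("Constructing AuthenticationManager");
                JwtAuthenticationProvider jwtAuthenticationProvider = new JwtAuthenticationProvider(JwtDecoders.fromIssuerLocation(key));
                return jwtAuthenticationProvider::authenticate;
            });
            this.logger.debug(LogMessage.format("Resolved AuthenticationManager for issuer '%s'", issuer));
            return authenticationManager;
        }
    }

    /**
     * Creates a resolver that trusts exactly the given issuers.
     *
     * @param trustedIssuers the issuer identifiers to accept; must not be empty
     */
    public JwtIssuerAuthenticationManagerResolver(String... trustedIssuers) {
        this(Arrays.asList(trustedIssuers));
    }

    /**
     * Creates a resolver that trusts exactly the given issuers.
     *
     * <p>The collection is wrapped in a read-only view, not copied: changes the caller
     * later makes to the collection it passed in are reflected in the trust check.
     * Matching is done with {@link Collection#contains(Object)}, i.e. exact string equality.
     *
     * @param trustedIssuers the issuer identifiers to accept; must not be empty
     */
    public JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers) {
        this.issuerConverter = new JwtClaimIssuerConverter();
        Assert.notEmpty(trustedIssuers, "trustedIssuers cannot be empty");
        Collection<String> readOnlyIssuers = Collections.unmodifiableCollection(trustedIssuers);
        this.issuerAuthenticationManagerResolver = new TrustedIssuerJwtAuthenticationManagerResolver(readOnlyIssuers::contains);
    }

    /**
     * Creates a resolver that delegates issuer lookup to a caller-supplied strategy.
     *
     * <p>No allowlist is applied on this path. The supplied resolver receives the issuer
     * claim of an unverified token and is itself responsible for rejecting unknown
     * issuers (by returning {@code null}) before doing any work on their behalf.
     *
     * @param issuerAuthenticationManagerResolver the strategy mapping an issuer to its
     * {@link AuthenticationManager}; must not be {@code null}
     */
    public JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) {
        this.issuerConverter = new JwtClaimIssuerConverter();
        Assert.notNull(issuerAuthenticationManagerResolver, "issuerAuthenticationManagerResolver cannot be null");
        this.issuerAuthenticationManagerResolver = issuerAuthenticationManagerResolver;
    }

    /**
     * Returns the {@link AuthenticationManager} responsible for the issuer named in the
     * request's bearer token.
     *
     * @param httpServletRequest the request carrying the bearer token
     * @return the manager for the token's issuer, never {@code null}
     * @throws InvalidBearerTokenException if the issuer cannot be read from the token or
     * no manager is resolved for it
     */
    @Override // org.springframework.security.authentication.AuthenticationManagerResolver
    public AuthenticationManager resolve(HttpServletRequest httpServletRequest) {
        String issuer = this.issuerConverter.convert(httpServletRequest);
        AuthenticationManager authenticationManager = this.issuerAuthenticationManagerResolver.resolve(issuer);
        if (authenticationManager == null) {
            // Same message for "untrusted" and "unknown" so the response does not reveal
            // which issuers are configured.
            throw new InvalidBearerTokenException("Invalid issuer");
        }
        return authenticationManager;
    }
}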
