package org.springframework.security.oauth2.server.authorization.authentication;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSet;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.time.Clock;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.security.auth.x500.X500Principal;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.4.1.jar:org/springframework/security/oauth2/server/authorization/authentication/X509SelfSignedCertificateVerifier.class */
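/**
 * Verifies that the X.509 certificate presented by a client is self-signed and that
 * its public key matches one of the certificates ({@code x5c} entries) published in
 * the client's registered JWK Set, as used by the
 * {@code self_signed_tls_client_auth} client authentication method.
 *
 * <p>Trust is rooted in client registration: the JWK Set is downloaded from the
 * {@code jwk_set_url} held in the {@link RegisteredClient}'s client settings, so
 * that URL must only ever point at a location the authorization server's
 * administrator trusts.
 *
 * <p>Every failure is reported as an {@link OAuth2AuthenticationException} carrying
 * the {@code invalid_client} error; the error description contains only a short
 * reason keyword, while any underlying exception is attached as the cause.
 */
public final class X509SelfSignedCertificateVerifier implements Consumer<OAuth2ClientAuthenticationContext> {
    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1";
    /** Selects only the JWKs that carry an {@code x5c} certificate chain. */
    private static final JWKMatcher HAS_X509_CERT_CHAIN_MATCHER = new JWKMatcher.Builder().hasX509CertChain(true).build();
    private final Function<RegisteredClient, JWKSet> jwkSetSupplier = new JwkSetSupplier();

    /**
     * Resolves the JWK Set of a {@link RegisteredClient} by downloading it from the
     * client's registered {@code jwk_set_url}, caching the result per client id.
     */
    public static final class JwkSetSupplier implements Function<RegisteredClient, JWKSet> {
        private static final MediaType APPLICATION_JWK_SET_JSON = new MediaType("application", "jwk-set+json");
        /** Connect and read timeout applied to the JWK Set download. */
        private static final int HTTP_TIMEOUT_MILLIS = 15000;
        /** A cached JWK Set is downloaded again once it is older than this. */
        private static final long REFRESH_INTERVAL_MINUTES = 5L;
        private final RestOperations restOperations;
        // Keyed by RegisteredClient id. Entries are added on first use and never evicted.
        private final Map<String, Supplier<JWKSet>> jwkSets = new ConcurrentHashMap<>();

        /**
         * Caches one client's JWK Set and re-downloads it after
         * {@link #REFRESH_INTERVAL_MINUTES}. Readers share the read lock; a refresh
         * takes the write lock and re-checks the condition, so concurrent callers
         * trigger at most one download per expiry.
         */
        private final class JwkSetHolder implements Supplier<JWKSet> {
            private final ReentrantReadWriteLock rwLock = new ReentrantReadWriteLock();
            private final Clock clock = Clock.systemUTC();
            private final String jwkSetUrl;
            private JWKSet jwkSet;
            private Instant lastUpdatedAt;

            private JwkSetHolder(String jwkSetUrl) {
                this.jwkSetUrl = jwkSetUrl;
            }

            /**
             * Returns the cached JWK Set, downloading it first if nothing is cached
             * yet or the cached value has expired.
             *
             * @return the current JWK Set for {@link #jwkSetUrl}
             * @throws OAuth2AuthenticationException if the download fails; the
             *         exception propagates and the previously cached value, if any,
             *         is kept but not returned
             */
            @Override
            public JWKSet get() {
                this.rwLock.readLock().lock();
                if (shouldRefresh()) {
                    // A read lock cannot be upgraded: release it before taking the write lock.
                    this.rwLock.readLock().unlock();
                    this.rwLock.writeLock().lock();
                    try {
                        // Re-check under the write lock; another thread may have refreshed meanwhile.
                        if (shouldRefresh()) {
                            this.jwkSet = retrieve(this.jwkSetUrl);
                            // Same clock as shouldRefresh(), so expiry is measured consistently.
                            this.lastUpdatedAt = this.clock.instant();
                        }
                        // Downgrade: re-acquire the read lock before releasing the write lock.
                        this.rwLock.readLock().lock();
                    } finally {
                        this.rwLock.writeLock().unlock();
                    }
                }
                try {
                    return this.jwkSet;
                } finally {
                    this.rwLock.readLock().unlock();
                }
            }

            // True when nothing is cached yet or the cached value is older than the refresh interval.
            private boolean shouldRefresh() {
                return this.jwkSet == null
                        || this.clock.instant().isAfter(this.lastUpdatedAt.plus(REFRESH_INTERVAL_MINUTES, ChronoUnit.MINUTES));
            }
        }

        private JwkSetSupplier() {
            SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
            requestFactory.setConnectTimeout(HTTP_TIMEOUT_MILLIS);
            requestFactory.setReadTimeout(HTTP_TIMEOUT_MILLIS);
            this.restOperations = new RestTemplate(requestFactory);
        }

        /**
         * Returns the JWK Set for the given client.
         *
         * <p>The cache entry is created on the first call for a client id and keeps
         * the {@code jwk_set_url} seen at that moment; a later change to the
         * client's settings is not picked up by this cache.
         *
         * @param registeredClient the client whose JWK Set is required
         * @return the client's JWK Set
         * @throws OAuth2AuthenticationException if the client has no
         *         {@code jwk_set_url} or the JWK Set cannot be retrieved
         */
        @Override
        public JWKSet apply(RegisteredClient registeredClient) {
            Supplier<JWKSet> holder = this.jwkSets.computeIfAbsent(registeredClient.getId(), clientId -> {
                String jwkSetUrl = registeredClient.getClientSettings().getJwkSetUrl();
                if (!StringUtils.hasText(jwkSetUrl)) {
                    // Throwing inside computeIfAbsent leaves no entry behind, so the check repeats next time.
                    throw invalidClient("client_jwk_set_url");
                }
                return new JwkSetHolder(jwkSetUrl);
            });
            return holder.get();
        }

        /**
         * Downloads and parses the JWK Set published at {@code jwkSetUrl}.
         *
         * @param jwkSetUrl the client's registered {@code jwk_set_url}
         * @return the parsed JWK Set
         * @throws OAuth2AuthenticationException if the URL is malformed, the HTTP
         *         request fails, the response status is not 200, or the body is not
         *         a valid JWK Set
         */
        private JWKSet retrieve(String jwkSetUrl) {
            URI jwkSetUri;
            try {
                jwkSetUri = new URI(jwkSetUrl);
            } catch (URISyntaxException ex) {
                throw invalidClient("jwk_set_uri", ex);
            }

            HttpHeaders headers = new HttpHeaders();
            headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON, APPLICATION_JWK_SET_JSON));
            RequestEntity<Void> request = new RequestEntity<>(headers, HttpMethod.GET, jwkSetUri);
            ResponseEntity<String> response;
            try {
                response = this.restOperations.exchange(request, String.class);
            } catch (Exception ex) {
                // Any failure of the HTTP call (including the connect/read timeout) is
                // reported to the client as invalid_client with the cause attached.
                throw invalidClient("jwk_set_response_error", ex);
            }
            if (response.getStatusCode().value() != 200) {
                throw invalidClient("jwk_set_response_status");
            }

            try {
                return JWKSet.parse(response.getBody());
            } catch (ParseException ex) {
                throw invalidClient("jwk_set_response_body", ex);
            }
        }
    }

    /**
     * Verifies the client certificate presented in the authentication context.
     *
     * <p>Two checks are performed: the certificate must be self-signed (its issuer
     * DN equals its subject DN), and its encoded public key must be byte-identical
     * to the public key of the first certificate in one of the {@code x5c} chains
     * published in the client's registered JWK Set. This method does not itself
     * validate the certificate's signature or validity period.
     *
     * @param clientAuthenticationContext context holding the
     *        {@link OAuth2ClientAuthenticationToken} whose credentials are an
     *        {@code X509Certificate[]}, and the {@link RegisteredClient}
     * @throws OAuth2AuthenticationException with error {@code invalid_client} if
     *         no certificate was presented, the certificate is not self-signed, or
     *         no published key matches
     */
    @Override
    public void accept(OAuth2ClientAuthenticationContext clientAuthenticationContext) {
        OAuth2ClientAuthenticationToken clientAuthentication =
                (OAuth2ClientAuthenticationToken) clientAuthenticationContext.getAuthentication();
        RegisteredClient registeredClient = clientAuthenticationContext.getRegisteredClient();
        X509Certificate[] clientCertificateChain = (X509Certificate[]) clientAuthentication.getCredentials();
        if (clientCertificateChain == null || clientCertificateChain.length == 0) {
            throw invalidClient("x509_certificate");
        }
        X509Certificate clientCertificate = clientCertificateChain[0];

        X500Principal issuer = clientCertificate.getIssuerX500Principal();
        X500Principal subject = clientCertificate.getSubjectX500Principal();
        // Self-signed: the certificate names itself as issuer.
        if (issuer == null || !issuer.equals(subject)) {
            throw invalidClient("x509_certificate_issuer");
        }

        JWKSet jwkSet = this.jwkSetSupplier.apply(registeredClient);
        // Loop-invariant: encode the presented public key once.
        byte[] clientPublicKey = clientCertificate.getPublicKey().getEncoded();
        for (JWK jwk : jwkSet.filter(HAS_X509_CERT_CHAIN_MATCHER).getKeys()) {
            List<X509Certificate> chain = jwk.getParsedX509CertChain();
            // NOTE(review): a JWK whose x5c chain yielded no parsed certificate is skipped
            // (fail closed: it can never match) — confirm this matches the desired policy.
            if (chain == null || chain.isEmpty() || chain.get(0) == null) {
                continue;
            }
            byte[] publishedPublicKey = chain.get(0).getPublicKey().getEncoded();
            if (Arrays.equals(clientPublicKey, publishedPublicKey)) {
                return;
            }
        }
        throw invalidClient("x509_certificate");
    }

    /**
     * Builds the {@code invalid_client} exception reported for a failed check.
     *
     * @param reason short keyword naming the failed check; it becomes part of the
     *        error description
     * @return the exception for the caller to throw
     */
    private static OAuth2AuthenticationException invalidClient(String reason) {
        return invalidClient(reason, null);
    }

    /**
     * Builds the {@code invalid_client} exception with an underlying cause. Only
     * {@code reason} appears in the error description; {@code cause} is attached
     * to the exception and not exposed in the description.
     *
     * @param reason short keyword naming the failed check
     * @param cause the underlying exception, or {@code null}
     * @return the exception for the caller to throw
     */
    private static OAuth2AuthenticationException invalidClient(String reason, Throwable cause) {
        OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT,
                "Client authentication failed: " + reason, ERROR_URI);
        return new OAuth2AuthenticationException(error, error.toString(), cause);
    }
}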
