package org.springframework.security.oauth2.server.authorization.oidc.converter;

import java.time.Instant;
import java.util.Base64;
import java.util.UUID;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientRegistration;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.4.1.jar:org/springframework/security/oauth2/server/authorization/oidc/converter/OidcClientRegistrationRegisteredClientConverter.class */
/**
 * Builds a new {@link RegisteredClient} from an OpenID Connect dynamic client
 * registration request ({@link OidcClientRegistration}).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Redirect URIs, post-logout redirect URIs, scopes and grant types are copied
 *       from the request as-is; this converter performs no validation of them, so any
 *       allow-listing or URI checks have to happen before or after conversion.</li>
 *   <li>An absent or unrecognised {@code token_endpoint_auth_method} falls back to
 *       {@code client_secret_basic}.</li>
 *   <li>The generated client secret is placed on the builder exactly as generated;
 *       no encoding or hashing is applied here.</li>
 *   <li>PKCE ({@code requireProofKey}) and authorization consent are always enabled.</li>
 * </ul>
 */
public final class OidcClientRegistrationRegisteredClientConverter implements Converter<OidcClientRegistration, RegisteredClient> {
    /** Client identifier generator: key length 32, URL-safe Base64 without padding. */
    private static final StringKeyGenerator CLIENT_ID_GENERATOR = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 32);

    /** Client secret generator: key length 48, URL-safe Base64 without padding. */
    private static final StringKeyGenerator CLIENT_SECRET_GENERATOR = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 48);

    /**
     * Converts the registration request into a registered client with a fresh id,
     * client id and (unless {@code private_key_jwt} is requested) client secret.
     *
     * @param oidcClientRegistration the client registration request to convert
     * @return the newly built registered client
     */
    @Override
    public RegisteredClient convert(OidcClientRegistration oidcClientRegistration) {
        final String requestedAuthMethod = oidcClientRegistration.getTokenEndpointAuthenticationMethod();
        final boolean usesSecretJwt = ClientAuthenticationMethod.CLIENT_SECRET_JWT.getValue().equals(requestedAuthMethod);
        final boolean usesPrivateKeyJwt = ClientAuthenticationMethod.PRIVATE_KEY_JWT.getValue().equals(requestedAuthMethod);

        RegisteredClient.Builder client = RegisteredClient.withId(UUID.randomUUID().toString());
        client.clientId(CLIENT_ID_GENERATOR.generateKey());
        client.clientIdIssuedAt(Instant.now());
        client.clientName(oidcClientRegistration.getClientName());

        // Resolve the authentication method; anything unknown (or null) becomes client_secret_basic.
        final ClientAuthenticationMethod authMethod;
        if (ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue().equals(requestedAuthMethod)) {
            authMethod = ClientAuthenticationMethod.CLIENT_SECRET_POST;
        } else if (usesSecretJwt) {
            authMethod = ClientAuthenticationMethod.CLIENT_SECRET_JWT;
        } else if (usesPrivateKeyJwt) {
            authMethod = ClientAuthenticationMethod.PRIVATE_KEY_JWT;
        } else {
            authMethod = ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
        }
        client.clientAuthenticationMethod(authMethod);
        if (!usesPrivateKeyJwt) {
            // Every method except private_key_jwt is secret based. The secret is stored on the
            // builder as generated; NOTE(review): confirm it is encoded before being persisted.
            client.clientSecret(CLIENT_SECRET_GENERATOR.generateKey());
        }

        // Redirect URIs are taken verbatim from the request; nothing is validated here.
        client.redirectUris(uris -> uris.addAll(oidcClientRegistration.getRedirectUris()));
        if (!CollectionUtils.isEmpty(oidcClientRegistration.getPostLogoutRedirectUris())) {
            client.postLogoutRedirectUris(uris -> uris.addAll(oidcClientRegistration.getPostLogoutRedirectUris()));
        }

        if (!CollectionUtils.isEmpty(oidcClientRegistration.getGrantTypes())) {
            // Each requested grant type string is wrapped as-is, whatever its value.
            client.authorizationGrantTypes(grants -> {
                for (String requestedGrant : oidcClientRegistration.getGrantTypes()) {
                    grants.add(new AuthorizationGrantType(requestedGrant));
                }
            });
        } else {
            client.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE);
        }

        // No response types, or an explicit "code" response type, also implies authorization_code.
        boolean impliesAuthorizationCode = CollectionUtils.isEmpty(oidcClientRegistration.getResponseTypes())
                || oidcClientRegistration.getResponseTypes().contains(OAuth2AuthorizationResponseType.CODE.getValue());
        if (impliesAuthorizationCode) {
            client.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE);
        }

        if (!CollectionUtils.isEmpty(oidcClientRegistration.getScopes())) {
            client.scopes(scopes -> scopes.addAll(oidcClientRegistration.getScopes()));
        }

        // Dynamically registered clients always get PKCE and consent turned on.
        ClientSettings.Builder settings = ClientSettings.builder();
        settings.requireProofKey(true);
        settings.requireAuthorizationConsent(true);
        if (usesSecretJwt) {
            // A missing or unrecognised algorithm name silently becomes HS256.
            MacAlgorithm requestedMac = MacAlgorithm.from(oidcClientRegistration.getTokenEndpointAuthenticationSigningAlgorithm());
            settings.tokenEndpointAuthenticationSigningAlgorithm(requestedMac != null ? requestedMac : MacAlgorithm.HS256);
        } else if (usesPrivateKeyJwt) {
            // A missing or unrecognised algorithm name silently becomes RS256.
            SignatureAlgorithm requestedSignature = SignatureAlgorithm.from(oidcClientRegistration.getTokenEndpointAuthenticationSigningAlgorithm());
            settings.tokenEndpointAuthenticationSigningAlgorithm(requestedSignature != null ? requestedSignature : SignatureAlgorithm.RS256);
            // getJwkSetUrl() is dereferenced without a null check, so a private_key_jwt request
            // with no JWK Set URL fails here; callers are expected to have validated it.
            settings.jwkSetUrl(oidcClientRegistration.getJwkSetUrl().toString());
        }
        client.clientSettings(settings.build());

        // The ID token signature algorithm is fixed to RS256 regardless of the request.
        TokenSettings tokenSettings = TokenSettings.builder().idTokenSignatureAlgorithm(SignatureAlgorithm.RS256).build();
        client.tokenSettings(tokenSettings);
        return client.build();
    }
}
