package org.springframework.security.oauth2.server.resource.authentication;

import com.nimbusds.jwt.JWTParser;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;
import org.springframework.core.convert.converter.Converter;
import org.springframework.lang.NonNull;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.ReactiveAuthenticationManagerResolver;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.web.server.ServerBearerTokenAuthenticationConverter;
import org.springframework.util.Assert;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-resource-server-5.3.8.RELEASE.jar:org/springframework/security/oauth2/server/resource/authentication/JwtIssuerReactiveAuthenticationManagerResolver.class */
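/**
 * Resolves the {@link ReactiveAuthenticationManager} for a request from the {@code iss}
 * claim of the bearer JWT it carries, which is how one resource server accepts tokens
 * from several issuers.
 *
 * <p>Security model: the issuer is read from the token <em>before</em> any signature
 * check, so it is attacker-controlled input. It is used only as a lookup key. The
 * built-in resolver compares it against an allowlist before any network call is made;
 * the token itself is validated afterwards by the manager that was selected.
 */
public final class JwtIssuerReactiveAuthenticationManagerResolver implements ReactiveAuthenticationManagerResolver<ServerWebExchange> {
    private final ReactiveAuthenticationManagerResolver<String> issuerAuthenticationManagerResolver;
    private final Converter<ServerWebExchange, Mono<String>> issuerConverter;

    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-resource-server-5.3.8.RELEASE.jar:org/springframework/security/oauth2/server/resource/authentication/JwtIssuerReactiveAuthenticationManagerResolver$JwtClaimIssuerConverter.class */
    /**
     * Extracts the {@code iss} claim from the bearer token of an exchange.
     */
    private static class JwtClaimIssuerConverter implements Converter<ServerWebExchange, Mono<String>> {
        private final ServerBearerTokenAuthenticationConverter converter;

        private JwtClaimIssuerConverter() {
            this.converter = new ServerBearerTokenAuthenticationConverter();
        }

        /**
         * Returns the issuer claimed by the request's bearer token.
         *
         * @param serverWebExchange the current exchange
         * @return the claimed issuer; the Mono fails with {@link InvalidBearerTokenException}
         *         when the token cannot be parsed or carries no {@code iss} claim
         */
        @Override // org.springframework.core.convert.converter.Converter
        public Mono<String> convert(@NonNull ServerWebExchange serverWebExchange) {
            return this.converter.convert(serverWebExchange).map(authentication -> {
                try {
                    // JWTParser.parse only decodes the token; nothing is verified here, so the
                    // returned issuer must be treated as untrusted until it passes the allowlist.
                    // The cast stays inside the try so that a non-bearer authentication is
                    // reported as an invalid token as well.
                    String token = ((BearerTokenAuthenticationToken) authentication).getToken();
                    String issuer = JWTParser.parse(token).getJWTClaimsSet().getIssuer();
                    if (issuer == null) {
                        throw new InvalidBearerTokenException("Missing issuer");
                    }
                    return issuer;
                } catch (Exception e) {
                    // Every failure, including the "Missing issuer" case above, surfaces as
                    // InvalidBearerTokenException with the original exception as its cause.
                    throw new InvalidBearerTokenException(e.getMessage(), e);
                }
            });
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-resource-server-5.3.8.RELEASE.jar:org/springframework/security/oauth2/server/resource/authentication/JwtIssuerReactiveAuthenticationManagerResolver$TrustedIssuerJwtAuthenticationManagerResolver.class */
    /**
     * Builds, and caches per issuer, a JWT authentication manager for issuers accepted by
     * the given predicate.
     */
    private static class TrustedIssuerJwtAuthenticationManagerResolver implements ReactiveAuthenticationManagerResolver<String> {
        private final Map<String, Mono<ReactiveAuthenticationManager>> authenticationManagers = new ConcurrentHashMap<>();
        private final Predicate<String> trustedIssuer;

        TrustedIssuerJwtAuthenticationManagerResolver(Predicate<String> trustedIssuer) {
            this.trustedIssuer = trustedIssuer;
        }

        /**
         * Returns the manager for {@code issuer}, or an empty Mono when the issuer is not trusted.
         *
         * @param issuer the issuer claimed by the token (unverified)
         * @return the cached or newly built manager, or empty for an untrusted issuer
         */
        @Override // org.springframework.security.authentication.ReactiveAuthenticationManagerResolver
        public Mono<ReactiveAuthenticationManager> resolve(String issuer) {
            // The allowlist test must stay ahead of computeIfAbsent: an untrusted issuer then
            // neither adds an entry to the map nor reaches fromIssuerLocation, which contacts
            // the issuer URL to discover its configuration.
            if (!this.trustedIssuer.test(issuer)) {
                return Mono.empty();
            }
            return this.authenticationManagers.computeIfAbsent(issuer, trusted ->
                    // The explicit type argument keeps the chain typed as
                    // Mono<ReactiveAuthenticationManager>, which is what the map stores.
                    Mono.<ReactiveAuthenticationManager>fromCallable(() ->
                                    new JwtReactiveAuthenticationManager(ReactiveJwtDecoders.fromIssuerLocation(trusted)))
                            // Decoder discovery blocks, so it is kept off the event loop.
                            .subscribeOn(Schedulers.boundedElastic())
                            // Keep a successfully built manager, but never an error or an empty
                            // result: the no-arg cache() replays a failure forever, so one
                            // transient discovery outage would disable a trusted issuer until
                            // the application restarts.
                            .cache(manager -> Duration.ofMillis(Long.MAX_VALUE),
                                    error -> Duration.ZERO,
                                    () -> Duration.ZERO));
        }
    }

    /**
     * Creates a resolver that trusts exactly the given issuers.
     *
     * @param strArr the trusted issuer identifiers; must not be empty
     */
    public JwtIssuerReactiveAuthenticationManagerResolver(String... strArr) {
        this(Arrays.asList(strArr));
    }

    /**
     * Creates a resolver that trusts exactly the given issuers.
     *
     * <p>Matching is by {@code contains} on a copy of the collection, i.e. exact string
     * equality with the token's {@code iss} claim; an entry that differs only by a
     * trailing slash or by case does not match.
     *
     * @param collection the trusted issuer identifiers; must not be empty
     */
    public JwtIssuerReactiveAuthenticationManagerResolver(Collection<String> collection) {
        Assert.notEmpty(collection, "trustedIssuers cannot be empty");
        this.issuerConverter = new JwtClaimIssuerConverter();
        // Defensive copy: later changes to the caller's collection cannot widen the allowlist.
        Collection<String> trustedIssuers = new ArrayList<>(collection);
        this.issuerAuthenticationManagerResolver = new TrustedIssuerJwtAuthenticationManagerResolver(trustedIssuers::contains);
    }

    /**
     * Creates a resolver that delegates the issuer lookup to a custom resolver.
     *
     * <p>The custom resolver receives the issuer exactly as claimed by the unverified
     * token. No allowlist is applied on this path, so the resolver itself has to return
     * an empty Mono for issuers it does not trust, before doing any work on their behalf.
     *
     * @param reactiveAuthenticationManagerResolver maps an issuer to its authentication
     *        manager; must not be null
     */
    public JwtIssuerReactiveAuthenticationManagerResolver(ReactiveAuthenticationManagerResolver<String> reactiveAuthenticationManagerResolver) {
        Assert.notNull(reactiveAuthenticationManagerResolver, "issuerAuthenticationManagerResolver cannot be null");
        this.issuerConverter = new JwtClaimIssuerConverter();
        this.issuerAuthenticationManagerResolver = reactiveAuthenticationManagerResolver;
    }

    /**
     * Selects the authentication manager for the issuer claimed by the request's token.
     *
     * @param serverWebExchange the current exchange
     * @return the manager for the claimed issuer; the Mono fails with
     *         {@link InvalidBearerTokenException} when the issuer resolver yields nothing
     */
    @Override // org.springframework.security.authentication.ReactiveAuthenticationManagerResolver
    public Mono<ReactiveAuthenticationManager> resolve(ServerWebExchange serverWebExchange) {
        return this.issuerConverter.convert(serverWebExchange).flatMap(issuer ->
                this.issuerAuthenticationManagerResolver.resolve(issuer)
                        // NOTE(review): the message embeds the issuer string taken from the
                        // unverified token; encode it before writing it to logs or responses.
                        .switchIfEmpty(Mono.error(() -> new InvalidBearerTokenException("Invalid issuer " + issuer))));
    }
}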
