package org.springframework.security.oauth2.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.RemoteKeySourceException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.JWKSetCache;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.proc.SingleKeyJWSKeySelector;
import com.nimbusds.jose.util.Resource;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTProcessor;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Supplier;
import javax.crypto.SecretKey;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.cache.Cache;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.util.Assert;
import org.springframework.util.MultiValueMap;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:datasets/datasets-service.jar:BOOT-INF/lib/spring-security-oauth2-jose-5.5.4.jar:org/springframework/security/oauth2/jwt/NimbusJwtDecoder.class */
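/**
 * {@link JwtDecoder} that delegates token processing to a Nimbus {@link JWTProcessor}.
 *
 * <p>Decoding runs in this order: parse the compact token, reject it if it is an unsecured
 * {@link PlainJWT}, hand it to the configured {@code JWTProcessor}, convert the resulting claims
 * with the claim-set converter, then run the configured {@link OAuth2TokenValidator}.
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>Every builder installs a no-op Nimbus claims-set verifier, so claim checks are performed
 *       only by the {@code OAuth2TokenValidator} (default {@code JwtValidators.createDefault()}).
 *       NOTE(review): confirm that the validator in use covers the issuer and audience checks
 *       the deployment needs; use {@link #setJwtValidator} to supply them otherwise.</li>
 *   <li>The accepted signature algorithms are an explicit allow-list chosen at build time
 *       (defaults: RS256 for JWK Set URI and public key, HS256 for secret key).</li>
 *   <li>The {@code jwtProcessorCustomizer} runs last in each builder and can therefore replace
 *       the key selector or the claims verifier set before it.</li>
 * </ul>
 */
public final class NimbusJwtDecoder implements JwtDecoder {
    private static final String DECODING_ERROR_MESSAGE_TEMPLATE = "An error occurred while attempting to decode the Jwt: %s";
    private final JWTProcessor<SecurityContext> jwtProcessor;
    private final Log logger = LogFactory.getLog(getClass());
    private Converter<Map<String, Object>, Map<String, Object>> claimSetConverter = MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());
    private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();

    /**
     * Builder for a decoder that verifies signatures with keys fetched from a JWK Set URI.
     *
     * <p>The URI is only checked for being non-blank and for parsing as a {@link URL}; the scheme
     * is not restricted here. It should come from trusted configuration, because whoever controls
     * the response controls which keys are trusted.
     */
    public static final class JwkSetUriJwtDecoderBuilder {
        private String jwkSetUri;
        private Set<SignatureAlgorithm> signatureAlgorithms;
        private RestOperations restOperations;
        private Cache cache;
        private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer;

        /**
         * {@link ResourceRetriever} that stores the fetched JWK Set body in a Spring {@link Cache},
         * keyed by the URL string. Freshness and eviction are whatever the supplied cache applies.
         *
         * <p>The decompiler reports that it widened this class's access modifier from private.
         */
        public static class CachingResourceRetriever implements ResourceRetriever {
            private final Cache cache;
            private final ResourceRetriever resourceRetriever;

            CachingResourceRetriever(Cache cache, ResourceRetriever resourceRetriever) {
                this.cache = cache;
                this.resourceRetriever = resourceRetriever;
            }

            /**
             * Returns the cached body for {@code url}, loading it through the delegate on a miss.
             *
             * @throws IOException if the delegate fails; a non-IOException failure is wrapped
             */
            @Override // com.nimbusds.jose.util.ResourceRetriever
            public Resource retrieveResource(URL url) throws IOException {
                try {
                    String content = this.cache.get(url.toString(),
                            () -> this.resourceRetriever.retrieveResource(url).getContent());
                    return new Resource(content, "UTF-8");
                } catch (Cache.ValueRetrievalException e) {
                    // Unwrap so callers see the loader's own IOException rather than the cache wrapper.
                    Throwable cause = e.getCause();
                    if (cause instanceof IOException) {
                        throw ((IOException) cause);
                    }
                    throw new IOException(cause);
                } catch (Exception e2) {
                    throw new IOException(e2);
                }
            }
        }

        /**
         * {@link JWKSetCache} that never holds a value and always asks for a refresh, so that the
         * {@link CachingResourceRetriever} is the only caching layer when a {@link Cache} is set.
         *
         * <p>The decompiler reports that it widened this class's access modifier from private.
         */
        public static class NoOpJwkSetCache implements JWKSetCache {
            private NoOpJwkSetCache() {
            }

            @Override // com.nimbusds.jose.jwk.source.JWKSetCache
            public void put(JWKSet jWKSet) {
                // Intentionally discards the set.
            }

            @Override // com.nimbusds.jose.jwk.source.JWKSetCache
            public JWKSet get() {
                return null;
            }

            @Override // com.nimbusds.jose.jwk.source.JWKSetCache
            public boolean requiresRefresh() {
                return true;
            }
        }

        /**
         * {@link ResourceRetriever} that fetches the JWK Set with a {@link RestOperations} GET.
         *
         * <p>The decompiler reports that it widened this class's access modifier from private.
         */
        public static class RestOperationsResourceRetriever implements ResourceRetriever {
            private static final MediaType APPLICATION_JWK_SET_JSON = new MediaType("application", "jwk-set+json");
            private final RestOperations restOperations;

            RestOperationsResourceRetriever(RestOperations restOperations) {
                Assert.notNull(restOperations, "restOperations cannot be null");
                this.restOperations = restOperations;
            }

            /**
             * Fetches {@code url} and returns its body.
             *
             * @throws IOException if the request fails, the status is not 200, or the body is absent
             */
            @Override // com.nimbusds.jose.util.ResourceRetriever
            public Resource retrieveResource(URL url) throws IOException {
                HttpHeaders httpHeaders = new HttpHeaders();
                httpHeaders.setAccept(Arrays.asList(MediaType.APPLICATION_JSON, APPLICATION_JWK_SET_JSON));
                ResponseEntity<String> response = getResponse(url, httpHeaders);
                if (response.getStatusCodeValue() != 200) {
                    throw new IOException(response.toString());
                }
                String body = response.getBody();
                if (body == null) {
                    // A 200 without a body cannot hold a JWK Set; report it as a retrieval
                    // failure instead of passing null on to Resource.
                    throw new IOException("JWK Set response body was empty");
                }
                return new Resource(body, "UTF-8");
            }

            // Any failure of the exchange, including URI conversion, is reported as an IOException.
            private ResponseEntity<String> getResponse(URL url, HttpHeaders httpHeaders) throws IOException {
                try {
                    return this.restOperations.exchange(new RequestEntity<>((MultiValueMap<String, String>) httpHeaders, HttpMethod.GET, url.toURI()), String.class);
                } catch (Exception e) {
                    throw new IOException(e);
                }
            }
        }

        private JwkSetUriJwtDecoderBuilder(String str) {
            this.signatureAlgorithms = new HashSet<>();
            // Default HTTP client for the JWK Set fetch. No timeouts are configured here;
            // pass a tuned client through restOperations(...) when bounded waits are required.
            this.restOperations = new RestTemplate();
            Assert.hasText(str, "jwkSetUri cannot be empty");
            this.jwkSetUri = str;
            this.jwtProcessorCustomizer = configurableJWTProcessor -> {
            };
        }

        /** Adds one signature algorithm to the allow-list used for verification. */
        public JwkSetUriJwtDecoderBuilder jwsAlgorithm(SignatureAlgorithm signatureAlgorithm) {
            Assert.notNull(signatureAlgorithm, "signatureAlgorithm cannot be null");
            this.signatureAlgorithms.add(signatureAlgorithm);
            return this;
        }

        /** Lets the caller edit the algorithm allow-list in place. */
        public JwkSetUriJwtDecoderBuilder jwsAlgorithms(Consumer<Set<SignatureAlgorithm>> consumer) {
            Assert.notNull(consumer, "signatureAlgorithmsConsumer cannot be null");
            consumer.accept(this.signatureAlgorithms);
            return this;
        }

        /** Replaces the HTTP client used to fetch the JWK Set. */
        public JwkSetUriJwtDecoderBuilder restOperations(RestOperations restOperations) {
            Assert.notNull(restOperations, "restOperations cannot be null");
            this.restOperations = restOperations;
            return this;
        }

        /** Sets the cache that will hold the fetched JWK Set body. */
        public JwkSetUriJwtDecoderBuilder cache(Cache cache) {
            Assert.notNull(cache, "cache cannot be null");
            this.cache = cache;
            return this;
        }

        /** Sets a hook that runs on the processor after this builder has configured it. */
        public JwkSetUriJwtDecoderBuilder jwtProcessorCustomizer(Consumer<ConfigurableJWTProcessor<SecurityContext>> consumer) {
            Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = consumer;
            return this;
        }

        /**
         * Builds the key selector: RS256 only when no algorithm was configured, otherwise exactly
         * the configured set.
         */
        JWSKeySelector<SecurityContext> jwsKeySelector(JWKSource<SecurityContext> jWKSource) {
            if (this.signatureAlgorithms.isEmpty()) {
                return new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jWKSource);
            }
            Set<JWSAlgorithm> allowed = new HashSet<>();
            for (SignatureAlgorithm signatureAlgorithm : this.signatureAlgorithms) {
                allowed.add(JWSAlgorithm.parse(signatureAlgorithm.getName()));
            }
            return new JWSVerificationKeySelector<>(allowed, jWKSource);
        }

        /**
         * Builds the remote key source; when a {@link Cache} is set, Nimbus's own JWK Set cache is
         * replaced by {@link NoOpJwkSetCache} and the body is cached by the retriever instead.
         */
        JWKSource<SecurityContext> jwkSource(ResourceRetriever resourceRetriever) {
            if (this.cache == null) {
                return new RemoteJWKSet<>(toURL(this.jwkSetUri), resourceRetriever);
            }
            return new RemoteJWKSet<>(toURL(this.jwkSetUri), new CachingResourceRetriever(this.cache, resourceRetriever), new NoOpJwkSetCache());
        }

        /** Assembles the processor: key selector, no-op claims verifier, then the customizer. */
        JWTProcessor<SecurityContext> processor() {
            JWKSource<SecurityContext> jwkSource = jwkSource(new RestOperationsResourceRetriever(this.restOperations));
            DefaultJWTProcessor<SecurityContext> defaultJWTProcessor = new DefaultJWTProcessor<>();
            defaultJWTProcessor.setJWSKeySelector(jwsKeySelector(jwkSource));
            // Claim checks are left to the decoder's OAuth2TokenValidator.
            defaultJWTProcessor.setJWTClaimsSetVerifier((jWTClaimsSet, securityContext) -> {
            });
            this.jwtProcessorCustomizer.accept(defaultJWTProcessor);
            return defaultJWTProcessor;
        }

        public NimbusJwtDecoder build() {
            return new NimbusJwtDecoder(processor());
        }

        // Converts the configured URI, turning a syntax error into IllegalArgumentException.
        private static URL toURL(String str) {
            try {
                return new URL(str);
            } catch (MalformedURLException e) {
                throw new IllegalArgumentException("Invalid JWK Set URL \"" + str + "\" : " + e.getMessage(), e);
            }
        }
    }

    /**
     * Builder for a decoder that verifies signatures with one fixed RSA public key.
     * The algorithm defaults to RS256 and must belong to the RSA family.
     */
    public static final class PublicKeyJwtDecoderBuilder {
        private JWSAlgorithm jwsAlgorithm;
        private RSAPublicKey key;
        private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer;

        private PublicKeyJwtDecoderBuilder(RSAPublicKey rSAPublicKey) {
            Assert.notNull(rSAPublicKey, "key cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.RS256;
            this.key = rSAPublicKey;
            this.jwtProcessorCustomizer = configurableJWTProcessor -> {
            };
        }

        /** Sets the single signature algorithm to accept; checked against the RSA family at build time. */
        public PublicKeyJwtDecoderBuilder signatureAlgorithm(SignatureAlgorithm signatureAlgorithm) {
            Assert.notNull(signatureAlgorithm, "signatureAlgorithm cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(signatureAlgorithm.getName());
            return this;
        }

        /** Sets a hook that runs on the processor after this builder has configured it. */
        public PublicKeyJwtDecoderBuilder jwtProcessorCustomizer(Consumer<ConfigurableJWTProcessor<SecurityContext>> consumer) {
            Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = consumer;
            return this;
        }

        /**
         * Assembles the processor for the fixed key.
         *
         * @throws IllegalStateException if the configured algorithm is not in the RSA family
         */
        JWTProcessor<SecurityContext> processor() {
            Assert.state(JWSAlgorithm.Family.RSA.contains(this.jwsAlgorithm), (Supplier<String>) () -> {
                return "The provided key is of type RSA; however the signature algorithm is of some other type: " + this.jwsAlgorithm + ". Please indicate one of RS256, RS384, or RS512.";
            });
            SingleKeyJWSKeySelector<SecurityContext> singleKeyJWSKeySelector = new SingleKeyJWSKeySelector<>(this.jwsAlgorithm, this.key);
            DefaultJWTProcessor<SecurityContext> defaultJWTProcessor = new DefaultJWTProcessor<>();
            defaultJWTProcessor.setJWSKeySelector(singleKeyJWSKeySelector);
            // Claim checks are left to the decoder's OAuth2TokenValidator.
            defaultJWTProcessor.setJWTClaimsSetVerifier((jWTClaimsSet, securityContext) -> {
            });
            this.jwtProcessorCustomizer.accept(defaultJWTProcessor);
            return defaultJWTProcessor;
        }

        public NimbusJwtDecoder build() {
            return new NimbusJwtDecoder(processor());
        }
    }

    /**
     * Builder for a decoder that verifies a MAC with one shared {@link SecretKey}.
     * The algorithm defaults to HS256.
     *
     * <p>NOTE(review): no key-length or algorithm-family check is performed in this builder;
     * confirm the key size suits the chosen MAC algorithm.
     */
    public static final class SecretKeyJwtDecoderBuilder {
        private final SecretKey secretKey;
        private JWSAlgorithm jwsAlgorithm;
        private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer;

        private SecretKeyJwtDecoderBuilder(SecretKey secretKey) {
            this.jwsAlgorithm = JWSAlgorithm.HS256;
            Assert.notNull(secretKey, "secretKey cannot be null");
            this.secretKey = secretKey;
            this.jwtProcessorCustomizer = configurableJWTProcessor -> {
            };
        }

        /** Sets the single MAC algorithm to accept. */
        public SecretKeyJwtDecoderBuilder macAlgorithm(MacAlgorithm macAlgorithm) {
            Assert.notNull(macAlgorithm, "macAlgorithm cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(macAlgorithm.getName());
            return this;
        }

        /** Sets a hook that runs on the processor after this builder has configured it. */
        public SecretKeyJwtDecoderBuilder jwtProcessorCustomizer(Consumer<ConfigurableJWTProcessor<SecurityContext>> consumer) {
            Assert.notNull(consumer, "jwtProcessorCustomizer cannot be null");
            this.jwtProcessorCustomizer = consumer;
            return this;
        }

        public NimbusJwtDecoder build() {
            return new NimbusJwtDecoder(processor());
        }

        /** Assembles the processor: single-key selector, no-op claims verifier, then the customizer. */
        JWTProcessor<SecurityContext> processor() {
            SingleKeyJWSKeySelector<SecurityContext> singleKeyJWSKeySelector = new SingleKeyJWSKeySelector<>(this.jwsAlgorithm, this.secretKey);
            DefaultJWTProcessor<SecurityContext> defaultJWTProcessor = new DefaultJWTProcessor<>();
            defaultJWTProcessor.setJWSKeySelector(singleKeyJWSKeySelector);
            // Claim checks are left to the decoder's OAuth2TokenValidator.
            defaultJWTProcessor.setJWTClaimsSetVerifier((jWTClaimsSet, securityContext) -> {
            });
            this.jwtProcessorCustomizer.accept(defaultJWTProcessor);
            return defaultJWTProcessor;
        }
    }

    /**
     * Creates a decoder around an already configured processor.
     *
     * @param jWTProcessor the processor that verifies the token; must not be null
     */
    public NimbusJwtDecoder(JWTProcessor<SecurityContext> jWTProcessor) {
        Assert.notNull(jWTProcessor, "jwtProcessor cannot be null");
        this.jwtProcessor = jWTProcessor;
    }

    /** Replaces the validator that runs on every successfully processed token. */
    public void setJwtValidator(OAuth2TokenValidator<Jwt> oAuth2TokenValidator) {
        Assert.notNull(oAuth2TokenValidator, "jwtValidator cannot be null");
        this.jwtValidator = oAuth2TokenValidator;
    }

    /** Replaces the converter applied to the claims before the {@link Jwt} is built. */
    public void setClaimSetConverter(Converter<Map<String, Object>, Map<String, Object>> converter) {
        Assert.notNull(converter, "claimSetConverter cannot be null");
        this.claimSetConverter = converter;
    }

    /**
     * Decodes and validates a compact-serialized token.
     *
     * @param str the token value
     * @return the decoded token, after processing and validation
     * @throws BadJwtException if the token cannot be parsed or is an unsecured {@link PlainJWT}
     * @throws JwtException if processing fails or the validator reports errors
     */
    @Override // org.springframework.security.oauth2.jwt.JwtDecoder
    public Jwt decode(String str) throws JwtException {
        JWT parse = parse(str);
        if (!(parse instanceof PlainJWT)) {
            return validateJwt(createJwt(str, parse));
        }
        // Unsecured tokens are refused before they reach the processor.
        this.logger.trace("Failed to decode unsigned token");
        throw new BadJwtException("Unsupported algorithm of " + parse.getHeader().getAlgorithm());
    }

    // Parses the compact form; any parser failure becomes a BadJwtException.
    private JWT parse(String str) {
        try {
            return JWTParser.parse(str);
        } catch (Exception e) {
            this.logger.trace("Failed to parse token", e);
            throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, e.getMessage()), e);
        }
    }

    /**
     * Runs the processor and builds the {@link Jwt} from the token's header and converted claims.
     *
     * <p>Key-source and JOSE failures are raised as {@link JwtException}; every other failure is
     * raised as {@link BadJwtException}. When the cause is a {@link ParseException} the message is
     * replaced with fixed text and the cause is not attached.
     */
    private Jwt createJwt(String str, JWT jwt) {
        try {
            // No SecurityContext is supplied to the processor.
            JWTClaimsSet process = this.jwtProcessor.process(jwt, null);
            Map<String, Object> headers = new LinkedHashMap<>(jwt.getHeader().toJSONObject());
            Map<String, Object> convert = this.claimSetConverter.convert(process.getClaims());
            return Jwt.withTokenValue(str).headers(map -> {
                map.putAll(headers);
            }).claims(map2 -> {
                map2.putAll(convert);
            }).build();
        } catch (RemoteKeySourceException e) {
            this.logger.trace("Failed to retrieve JWK set", e);
            if (e.getCause() instanceof ParseException) {
                throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed Jwk set"));
            }
            throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, e.getMessage()), e);
        } catch (JOSEException e2) {
            this.logger.trace("Failed to process JWT", e2);
            throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, e2.getMessage()), e2);
        } catch (Exception e3) {
            this.logger.trace("Failed to process JWT", e3);
            if (e3.getCause() instanceof ParseException) {
                throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed payload"));
            }
            throw new BadJwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, e3.getMessage()), e3);
        }
    }

    // Applies the configured validator; any reported error rejects the token.
    private Jwt validateJwt(Jwt jwt) {
        OAuth2TokenValidatorResult validate = this.jwtValidator.validate(jwt);
        if (!validate.hasErrors()) {
            return jwt;
        }
        Collection<OAuth2Error> errors = validate.getErrors();
        throw new JwtValidationException(getJwtValidationExceptionMessage(errors), errors);
    }

    // Uses the first non-empty error description, or a generic message when none has one.
    private String getJwtValidationExceptionMessage(Collection<OAuth2Error> collection) {
        for (OAuth2Error oAuth2Error : collection) {
            if (!StringUtils.isEmpty(oAuth2Error.getDescription())) {
                return String.format(DECODING_ERROR_MESSAGE_TEMPLATE, oAuth2Error.getDescription());
            }
        }
        return "Unable to validate Jwt";
    }

    /** Starts a builder that fetches verification keys from the given JWK Set URI. */
    public static JwkSetUriJwtDecoderBuilder withJwkSetUri(String str) {
        return new JwkSetUriJwtDecoderBuilder(str);
    }

    /** Starts a builder that verifies with the given RSA public key. */
    public static PublicKeyJwtDecoderBuilder withPublicKey(RSAPublicKey rSAPublicKey) {
        return new PublicKeyJwtDecoderBuilder(rSAPublicKey);
    }

    /** Starts a builder that verifies with the given shared secret key. */
    public static SecretKeyJwtDecoderBuilder withSecretKey(SecretKey secretKey) {
        return new SecretKeyJwtDecoderBuilder(secretKey);
    }
}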
