package org.springframework.security.oauth2.server.resource.introspection;

import java.net.URI;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.core.convert.converter.Converter;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimAccessor;
import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/* loaded from: input_file:datasets/datasets-service.jar:BOOT-INF/lib/spring-security-oauth2-resource-server-6.3.3.jar:org/springframework/security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospector.class */
public class SpringReactiveOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
    private static final String AUTHORITY_PREFIX = "SCOPE_";
    private static final ParameterizedTypeReference<Map<String, Object>> STRING_OBJECT_MAP = new ParameterizedTypeReference<Map<String, Object>>() { // from class: org.springframework.security.oauth2.server.resource.introspection.SpringReactiveOpaqueTokenIntrospector.1
    };
    private final URI introspectionUri;
    private final WebClient webClient;
    private Converter<OAuth2TokenIntrospectionClaimAccessor, Mono<? extends OAuth2AuthenticatedPrincipal>> authenticationConverter = this::defaultAuthenticationConverter;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:datasets/datasets-service.jar:BOOT-INF/lib/spring-security-oauth2-resource-server-6.3.3.jar:org/springframework/security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospector$ArrayListFromString.class */
    public static final class ArrayListFromString extends ArrayList<String> {
        ArrayListFromString(String... strArr) {
            super(Arrays.asList(strArr));
        }
    }

    /* loaded from: input_file:datasets/datasets-service.jar:BOOT-INF/lib/spring-security-oauth2-resource-server-6.3.3.jar:org/springframework/security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospector$ArrayListFromStringClaimAccessor.class */
    private interface ArrayListFromStringClaimAccessor extends OAuth2TokenIntrospectionClaimAccessor {
        @Override // org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimAccessor
        default List<String> getScopes() {
            Object obj = getClaims().get("scope");
            return obj instanceof ArrayListFromString ? (ArrayListFromString) obj : super.getScopes();
        }
    }

    public SpringReactiveOpaqueTokenIntrospector(String str, String str2, String str3) {
        Assert.hasText(str, "introspectionUri cannot be empty");
        Assert.hasText(str2, "clientId cannot be empty");
        Assert.notNull(str3, "clientSecret cannot be null");
        this.introspectionUri = URI.create(str);
        this.webClient = WebClient.builder().defaultHeaders(httpHeaders -> {
            httpHeaders.setBasicAuth(str2, str3);
        }).build();
    }

    public SpringReactiveOpaqueTokenIntrospector(String str, WebClient webClient) {
        Assert.hasText(str, "introspectionUri cannot be null");
        Assert.notNull(webClient, "webClient cannot be null");
        this.introspectionUri = URI.create(str);
        this.webClient = webClient;
    }

    @Override // org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector
    public Mono<OAuth2AuthenticatedPrincipal> introspect(String str) {
        Mono map = Mono.just(str).flatMap(this::makeRequest).flatMap(this::adaptToNimbusResponse).map(this::convertClaimsSet);
        Converter<OAuth2TokenIntrospectionClaimAccessor, Mono<? extends OAuth2AuthenticatedPrincipal>> converter = this.authenticationConverter;
        Objects.requireNonNull(converter);
        return map.flatMap((v1) -> {
            return r1.convert(v1);
        }).cast(OAuth2AuthenticatedPrincipal.class).onErrorMap(th -> {
            return !(th instanceof OAuth2IntrospectionException);
        }, this::onError);
    }

    private Mono<ClientResponse> makeRequest(String str) {
        return this.webClient.post().uri(this.introspectionUri).header("Accept", new String[]{"application/json"}).body(BodyInserters.fromFormData(OAuth2ParameterNames.TOKEN, str)).exchange();
    }

    private Mono<Map<String, Object>> adaptToNimbusResponse(ClientResponse clientResponse) {
        return clientResponse.statusCode() != HttpStatus.OK ? clientResponse.bodyToFlux(DataBuffer.class).map(DataBufferUtils::release).then(Mono.error(new OAuth2IntrospectionException("Introspection endpoint responded with " + clientResponse.statusCode()))) : clientResponse.bodyToMono(STRING_OBJECT_MAP).filter(map -> {
            return ((Boolean) map.compute(OAuth2TokenIntrospectionClaimNames.ACTIVE, (str, obj) -> {
                if (obj instanceof String) {
                    return Boolean.valueOf(Boolean.parseBoolean((String) obj));
                }
                if (obj instanceof Boolean) {
                    return obj;
                }
                return false;
            })).booleanValue();
        }).switchIfEmpty(Mono.error(() -> {
            return new BadOpaqueTokenException("Provided token isn't active");
        }));
    }

    private ArrayListFromStringClaimAccessor convertClaimsSet(Map<String, Object> map) {
        LinkedHashMap linkedHashMap = new LinkedHashMap(map);
        linkedHashMap.computeIfPresent("aud", (str, obj) -> {
            return obj instanceof String ? Collections.singletonList(obj) : obj;
        });
        linkedHashMap.computeIfPresent("client_id", (str2, obj2) -> {
            return obj2.toString();
        });
        linkedHashMap.computeIfPresent("exp", (str3, obj3) -> {
            return Instant.ofEpochSecond(((Number) obj3).longValue());
        });
        linkedHashMap.computeIfPresent("iat", (str4, obj4) -> {
            return Instant.ofEpochSecond(((Number) obj4).longValue());
        });
        linkedHashMap.computeIfPresent("iss", (str5, obj5) -> {
            return obj5.toString();
        });
        linkedHashMap.computeIfPresent("nbf", (str6, obj6) -> {
            return Instant.ofEpochSecond(((Number) obj6).longValue());
        });
        linkedHashMap.computeIfPresent("scope", (str7, obj7) -> {
            return obj7 instanceof String ? new ArrayListFromString(((String) obj7).split(" ")) : obj7;
        });
        return () -> {
            return linkedHashMap;
        };
    }

    private OAuth2IntrospectionException onError(Throwable th) {
        return new OAuth2IntrospectionException(th.getMessage(), th);
    }

    public void setAuthenticationConverter(Converter<OAuth2TokenIntrospectionClaimAccessor, Mono<? extends OAuth2AuthenticatedPrincipal>> converter) {
        Assert.notNull(converter, "authenticationConverter cannot be null");
        this.authenticationConverter = converter;
    }

    private Mono<OAuth2IntrospectionAuthenticatedPrincipal> defaultAuthenticationConverter(OAuth2TokenIntrospectionClaimAccessor oAuth2TokenIntrospectionClaimAccessor) {
        return Mono.just(new OAuth2IntrospectionAuthenticatedPrincipal(oAuth2TokenIntrospectionClaimAccessor.getClaims(), authorities(oAuth2TokenIntrospectionClaimAccessor.getScopes())));
    }

    private Collection<GrantedAuthority> authorities(List<String> list) {
        if (!(list instanceof ArrayListFromString)) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            arrayList.add(new SimpleGrantedAuthority("SCOPE_" + it.next()));
        }
        return arrayList;
    }
}
