package org.springframework.security.oauth2.client.oidc.authentication;

import com.nimbusds.openid.connect.sdk.id.HashBasedPairwiseSubjectCodec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoderFactory;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;

/* loaded from: input_file:WEB-INF/lib/spring-security-oauth2-client-5.3.0.RELEASE.jar:org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManager.class */
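/**
 * {@link ReactiveAuthenticationManager} for the OpenID Connect 1.0 Authorization Code flow.
 *
 * <p>Only authentications whose authorization request carried the {@code openid} scope are
 * handled; any other token completes empty so a different manager can take it. For a handled
 * request this manager, in order: rejects an error response from the authorization server,
 * rejects a {@code state} that does not match the one sent, exchanges the code at the token
 * endpoint, requires an ID Token in the token response, decodes it through the configured
 * {@link ReactiveJwtDecoderFactory}, compares its {@code nonce} claim with the hash of the
 * nonce attached to the authorization request, loads the {@link OidcUser}, and emits an
 * {@link OAuth2LoginAuthenticationToken}.
 *
 * <p>Every failure is surfaced as an {@link OAuth2AuthenticationException} carrying an
 * {@link OAuth2Error}, so callers only have to handle one exception type.
 *
 * <p>This listing was recovered from a compiled jar (see the JADX markers); the decompiler
 * artifacts around the {@code loadUser} call have been restored to plain Java.
 */
public class OidcAuthorizationCodeReactiveAuthenticationManager implements ReactiveAuthenticationManager {
    // Error codes reported to the caller; they mirror the checks performed below.
    private static final String INVALID_STATE_PARAMETER_ERROR_CODE = "invalid_state_parameter";
    private static final String INVALID_ID_TOKEN_ERROR_CODE = "invalid_id_token";
    private static final String INVALID_NONCE_ERROR_CODE = "invalid_nonce";

    // Exchanges the authorization code for tokens at the token endpoint.
    private final ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient;
    // Builds the OidcUser from the validated ID Token (and whatever else the service fetches).
    private final ReactiveOAuth2UserService<OidcUserRequest, OidcUser> userService;
    // Identity mapping by default: the user's authorities are passed through unchanged.
    // No setter is exposed for this field in this version.
    private GrantedAuthoritiesMapper authoritiesMapper = collection -> collection;
    // Produces the decoder that verifies the ID Token for a given client registration.
    private ReactiveJwtDecoderFactory<ClientRegistration> jwtDecoderFactory = new ReactiveOidcIdTokenDecoderFactory();

    /**
     * Creates a manager using the given token-endpoint client and user service.
     *
     * @param reactiveOAuth2AccessTokenResponseClient the client used to redeem the authorization code
     * @param reactiveOAuth2UserService the service that loads the {@link OidcUser}
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public OidcAuthorizationCodeReactiveAuthenticationManager(
            ReactiveOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> reactiveOAuth2AccessTokenResponseClient,
            ReactiveOAuth2UserService<OidcUserRequest, OidcUser> reactiveOAuth2UserService) {
        Assert.notNull(reactiveOAuth2AccessTokenResponseClient, "accessTokenResponseClient cannot be null");
        Assert.notNull(reactiveOAuth2UserService, "userService cannot be null");
        this.accessTokenResponseClient = reactiveOAuth2AccessTokenResponseClient;
        this.userService = reactiveOAuth2UserService;
    }

    /**
     * Authenticates an {@link OAuth2AuthorizationCodeAuthenticationToken}.
     *
     * <p>The work is deferred so that the cast and the synchronous checks run on
     * subscription rather than when this method is called.
     *
     * @param authentication must be an {@link OAuth2AuthorizationCodeAuthenticationToken}
     * @return an empty {@link Mono} when the request is not an OIDC login, otherwise a
     *         {@link Mono} emitting the resulting {@link OAuth2LoginAuthenticationToken}
     * @throws OAuth2AuthenticationException (as an error signal) when the authorization
     *         response is an error, the state does not match, the token exchange fails,
     *         the ID Token is missing or invalid, or the nonce does not match
     */
    @Override
    public Mono<Authentication> authenticate(Authentication authentication) {
        return Mono.defer(() -> {
            OAuth2AuthorizationCodeAuthenticationToken codeAuthentication =
                    (OAuth2AuthorizationCodeAuthenticationToken) authentication;
            OAuth2AuthorizationRequest authorizationRequest =
                    codeAuthentication.getAuthorizationExchange().getAuthorizationRequest();
            // Not an OIDC login: leave it for the plain OAuth2 login manager.
            if (!authorizationRequest.getScopes().contains(OidcScopes.OPENID)) {
                return Mono.empty();
            }
            OAuth2AuthorizationResponse authorizationResponse =
                    codeAuthentication.getAuthorizationExchange().getAuthorizationResponse();
            // The authorization server answered with an error instead of a code.
            if (authorizationResponse.statusError()) {
                throw new OAuth2AuthenticationException(authorizationResponse.getError(),
                        authorizationResponse.getError().toString());
            }
            // The state echoed back on the callback must equal the one we issued; a
            // mismatch means the callback is not tied to a request this client made.
            if (!authorizationResponse.getState().equals(authorizationRequest.getState())) {
                OAuth2Error invalidState = new OAuth2Error(INVALID_STATE_PARAMETER_ERROR_CODE);
                throw new OAuth2AuthenticationException(invalidState, invalidState.toString());
            }
            OAuth2AuthorizationCodeGrantRequest grantRequest = new OAuth2AuthorizationCodeGrantRequest(
                    codeAuthentication.getClientRegistration(), codeAuthentication.getAuthorizationExchange());
            return this.accessTokenResponseClient.getTokenResponse(grantRequest)
                    .flatMap(tokenResponse -> authenticationResult(codeAuthentication, tokenResponse))
                    // Token-endpoint failures already carry an OAuth2Error; re-wrap them as
                    // authentication failures so the caller sees a single exception type.
                    .onErrorMap(OAuth2AuthorizationException.class,
                            ex -> new OAuth2AuthenticationException(ex.getError(), ex.getError().toString()))
                    // Any failure from the ID Token decoder is reported as invalid_id_token,
                    // keeping the decoder's exception as the cause.
                    .onErrorMap(JwtException.class, ex -> {
                        OAuth2Error invalidIdToken = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE, ex.getMessage(), null);
                        return new OAuth2AuthenticationException(invalidIdToken, invalidIdToken.toString(), ex);
                    });
        });
    }

    /**
     * Replaces the factory used to obtain the ID Token decoder.
     *
     * @param reactiveJwtDecoderFactory the factory to use
     * @throws IllegalArgumentException if {@code reactiveJwtDecoderFactory} is {@code null}
     */
    public final void setJwtDecoderFactory(ReactiveJwtDecoderFactory<ClientRegistration> reactiveJwtDecoderFactory) {
        Assert.notNull(reactiveJwtDecoderFactory, "jwtDecoderFactory cannot be null");
        this.jwtDecoderFactory = reactiveJwtDecoderFactory;
    }

    /**
     * Turns a successful token response into the final login token.
     *
     * @param codeAuthentication the authentication being processed
     * @param tokenResponse the response from the token endpoint
     * @return a {@link Mono} emitting the {@link OAuth2LoginAuthenticationToken}
     * @throws OAuth2AuthenticationException immediately if the token response has no
     *         {@code id_token}; nonce and user-loading failures arrive as error signals
     */
    private Mono<OAuth2LoginAuthenticationToken> authenticationResult(
            OAuth2AuthorizationCodeAuthenticationToken codeAuthentication, OAuth2AccessTokenResponse tokenResponse) {
        OAuth2AccessToken accessToken = tokenResponse.getAccessToken();
        ClientRegistration clientRegistration = codeAuthentication.getClientRegistration();
        Map<String, Object> additionalParameters = tokenResponse.getAdditionalParameters();
        // An OIDC token response must include an id_token; without it there is nothing to authenticate.
        if (!additionalParameters.containsKey(OidcParameterNames.ID_TOKEN)) {
            OAuth2Error invalidIdToken = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE,
                    "Missing (required) ID Token in Token Response for Client Registration: "
                            + clientRegistration.getRegistrationId(), null);
            throw new OAuth2AuthenticationException(invalidIdToken, invalidIdToken.toString());
        }
        return createOidcToken(clientRegistration, tokenResponse)
                // validateNonce reports a mismatch by throwing; the Mono it returns is not needed here.
                .doOnNext(idToken -> validateNonce(codeAuthentication, idToken))
                .map(idToken -> new OidcUserRequest(clientRegistration, accessToken, idToken, additionalParameters))
                .flatMap(this.userService::loadUser)
                .map(oidcUser -> new OAuth2LoginAuthenticationToken(codeAuthentication.getClientRegistration(),
                        codeAuthentication.getAuthorizationExchange(), oidcUser,
                        this.authoritiesMapper.mapAuthorities(oidcUser.getAuthorities()), accessToken,
                        tokenResponse.getRefreshToken()));
    }

    /**
     * Decodes the {@code id_token} from the token response with a decoder obtained from
     * {@link #jwtDecoderFactory} for the given registration.
     *
     * @param clientRegistration the registration the decoder is created for
     * @param tokenResponse the token response holding the raw {@code id_token}
     * @return a {@link Mono} emitting the decoded {@link OidcIdToken}; decoder failures
     *         surface as {@link JwtException} error signals
     */
    private Mono<OidcIdToken> createOidcToken(ClientRegistration clientRegistration, OAuth2AccessTokenResponse tokenResponse) {
        String rawIdToken = (String) tokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN);
        return this.jwtDecoderFactory.createDecoder(clientRegistration)
                .decode(rawIdToken)
                .map(jwt -> new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims()));
    }

    /**
     * Checks the ID Token's {@code nonce} claim against the nonce stored on the authorization request.
     *
     * <p>The request attribute holds the plain nonce; the ID Token is expected to carry its
     * hash as produced by {@link #createHash(String)}. When the request has no nonce attribute
     * the check is skipped. Declared {@code private} in the original source (see the JADX note
     * in the recovered listing); left public here to avoid narrowing the recovered API.
     *
     * @param codeAuthentication the authentication whose authorization request may carry a nonce
     * @param idToken the decoded ID Token
     * @return {@code Mono.just(idToken)} when the check passes or is skipped
     * @throws OAuth2AuthenticationException with {@code invalid_nonce} if the ID Token has no
     *         nonce, the nonce differs from the expected hash, or the hash algorithm is unavailable
     */
    public static Mono<OidcIdToken> validateNonce(OAuth2AuthorizationCodeAuthenticationToken codeAuthentication,
            OidcIdToken idToken) {
        String requestNonce = (String) codeAuthentication.getAuthorizationExchange()
                .getAuthorizationRequest().getAttribute("nonce");
        if (requestNonce != null) {
            try {
                String expectedNonceHash = createHash(requestNonce);
                String idTokenNonce = idToken.getNonce();
                if (idTokenNonce == null || !idTokenNonce.equals(expectedNonceHash)) {
                    OAuth2Error invalidNonce = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
                    throw new OAuth2AuthenticationException(invalidNonce, invalidNonce.toString());
                }
            } catch (NoSuchAlgorithmException ex) {
                // Without the digest we cannot verify the binding, so fail closed rather than skip it.
                OAuth2Error invalidNonce = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
                throw new OAuth2AuthenticationException(invalidNonce, invalidNonce.toString());
            }
        }
        return Mono.just(idToken);
    }

    /**
     * Hashes a nonce the way it is expected to appear in the ID Token: digest with the
     * algorithm named by {@link HashBasedPairwiseSubjectCodec#HASH_ALGORITHM}, then
     * unpadded base64url. The input is encoded as US-ASCII; this assumes the component that
     * generated the nonce produced only ASCII characters (it is not part of this file).
     *
     * @param value the plain nonce
     * @return the base64url-encoded digest, without padding
     * @throws NoSuchAlgorithmException if the digest algorithm is not available
     */
    static String createHash(String value) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance(HashBasedPairwiseSubjectCodec.HASH_ALGORITHM);
        byte[] hashed = digest.digest(value.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(hashed);
    }
}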
