package org.springframework.security.oauth2.jwt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.Resource;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTProcessor;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
import org.springframework.util.Assert;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:org/springframework/security/oauth2/jwt/JwtProcessors.class */
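/**
 * Factory for Nimbus {@link JWTProcessor} instances that verify the JWS signature of a JWT,
 * either against keys fetched from a JWK Set URI or against a single RSA public key.
 *
 * <p>Security note: both builders install a claims verifier that does nothing, so a processor
 * built here verifies the signature only. Claim checks (expiry, not-before, issuer, audience)
 * are not performed by the returned processor and must be applied by the caller.
 * NOTE(review): presumably a higher layer validates claims; confirm before using the
 * processor on its own.
 */
public final class JwtProcessors {

    /**
     * Builds a {@link JWTProcessor} whose verification keys come from a remote JWK Set.
     *
     * <p>Security notes:
     * <ul>
     * <li>The JWK Set URI is checked only for being non-blank and, in {@link #build()}, for URL
     * syntax. The scheme is not restricted here. Keys fetched over an unauthenticated channel
     * can be substituted in transit, so an {@code https} URI should be configured.</li>
     * <li>The default {@link RestOperations} is a plain {@code new RestTemplate()}. No connect
     * or read timeout and no response size limit are configured in this class; supply a
     * bounded client through {@link #restOperations(RestOperations)} when the endpoint is not
     * fully trusted.</li>
     * <li>The algorithm name is parsed but not checked against any algorithm family in this
     * builder, unlike {@link PublicKeyJwtProcessorBuilder#build()}.</li>
     * </ul>
     */
    public static final class JwkSetUriJwtProcessorBuilder {
        private final String jwkSetUri;
        private JWSAlgorithm jwsAlgorithm;
        private RestOperations restOperations;

        /**
         * Adapts a {@link RestOperations} to the Nimbus {@link ResourceRetriever} contract so
         * the JWK Set is fetched with the caller's HTTP client.
         */
        private static class RestOperationsResourceRetriever implements ResourceRetriever {
            private final RestOperations restOperations;

            RestOperationsResourceRetriever(RestOperations restOperations) {
                Assert.notNull(restOperations, "restOperations cannot be null");
                this.restOperations = restOperations;
            }

            /**
             * Fetches the resource at {@code url} with a GET request that accepts JSON.
             *
             * @param url the location of the JWK Set
             * @return the response body as a UTF-8 resource
             * @throws IOException if the request fails, the body cannot be used, or the
             *         status code is not 200
             */
            public Resource retrieveResource(URL url) throws IOException {
                HttpHeaders headers = new HttpHeaders();
                headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8));
                try {
                    RequestEntity<Void> request = new RequestEntity<>(headers, HttpMethod.GET, url.toURI());
                    ResponseEntity<String> response = this.restOperations.exchange(request, String.class);
                    // Only an exact 200 is accepted; any other status is treated as a failed fetch.
                    if (response.getStatusCodeValue() != 200) {
                        throw new IOException(response.toString());
                    }
                    return new Resource(response.getBody(), "UTF-8");
                } catch (IOException ex) {
                    // Already the declared type: rethrow as is instead of wrapping it a second time.
                    throw ex;
                } catch (Exception ex) {
                    // Client, URI-syntax and null-body failures all surface as IOException.
                    throw new IOException(ex);
                }
            }
        }

        private JwkSetUriJwtProcessorBuilder(String str) {
            Assert.hasText(str, "jwkSetUri cannot be empty");
            this.jwkSetUri = str;
            this.jwsAlgorithm = JWSAlgorithm.RS256;
            this.restOperations = new RestTemplate();
        }

        /**
         * Sets the JWS algorithm the key selector is built with; the default is RS256.
         *
         * @param str the algorithm name, must not be blank
         * @return this builder
         */
        public JwkSetUriJwtProcessorBuilder jwsAlgorithm(String str) {
            Assert.hasText(str, "jwsAlgorithm cannot be empty");
            this.jwsAlgorithm = JWSAlgorithm.parse(str);
            return this;
        }

        /**
         * Sets the HTTP client used to fetch the JWK Set.
         *
         * @param restOperations the client, must not be null
         * @return this builder
         */
        public JwkSetUriJwtProcessorBuilder restOperations(RestOperations restOperations) {
            Assert.notNull(restOperations, "restOperations cannot be null");
            this.restOperations = restOperations;
            return this;
        }

        /**
         * Creates the processor from the configured URI, algorithm and HTTP client.
         *
         * @return a processor that selects verification keys from the remote JWK Set
         * @throws IllegalArgumentException if the configured JWK Set URI is not a valid URL
         */
        public JWTProcessor<SecurityContext> build() {
            RemoteJWKSet<SecurityContext> jwkSource = new RemoteJWKSet<>(
                    toURL(this.jwkSetUri), new RestOperationsResourceRetriever(this.restOperations));
            // The selector is built with the one configured algorithm, not with a value
            // taken from the token.
            JWSVerificationKeySelector<SecurityContext> keySelector =
                    new JWSVerificationKeySelector<>(this.jwsAlgorithm, jwkSource);
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            // Deliberate no-op: this processor checks no claims, callers must validate them.
            processor.setJWTClaimsSetVerifier((claims, context) -> {
            });
            return processor;
        }

        private static URL toURL(String str) {
            try {
                return new URL(str);
            } catch (MalformedURLException e) {
                throw new IllegalArgumentException("Invalid JWK Set URL \"" + str + "\" : " + e.getMessage(), e);
            }
        }
    }

    /**
     * Builds a {@link JWTProcessor} that verifies signatures with one fixed RSA public key.
     */
    public static final class PublicKeyJwtProcessorBuilder {
        private JWSAlgorithm jwsAlgorithm;
        private final RSAKey key;

        private PublicKeyJwtProcessorBuilder(RSAPublicKey rSAPublicKey) {
            Assert.notNull(rSAPublicKey, "key cannot be null");
            this.jwsAlgorithm = JWSAlgorithm.parse(JwsAlgorithms.RS256);
            this.key = rsaKey(rSAPublicKey);
        }

        private static RSAKey rsaKey(RSAPublicKey rSAPublicKey) {
            return new RSAKey.Builder(rSAPublicKey).build();
        }

        /**
         * Sets the JWS algorithm the key selector is built with; the default is RS256.
         * The value is checked against the RSA family only when {@link #build()} runs.
         *
         * @param str the algorithm name, must not be blank
         * @return this builder
         */
        public PublicKeyJwtProcessorBuilder jwsAlgorithm(String str) {
            Assert.hasText(str, "jwsAlgorithm cannot be empty");
            this.jwsAlgorithm = JWSAlgorithm.parse(str);
            return this;
        }

        /**
         * Creates the processor from the configured key and algorithm.
         *
         * @return a processor that verifies signatures with the configured RSA key
         * @throws IllegalStateException if the configured algorithm is not in the RSA family
         */
        public JWTProcessor<SecurityContext> build() {
            // Refuse a key/algorithm mismatch up front, so an RSA public key is never paired
            // with an algorithm from another family.
            if (!JWSAlgorithm.Family.RSA.contains(this.jwsAlgorithm)) {
                throw new IllegalStateException("The provided key is of type RSA; however the signature algorithm is of some other type: " + this.jwsAlgorithm + ". Please indicate one of RS256, RS384, or RS512.");
            }
            ImmutableJWKSet<SecurityContext> jwkSource = new ImmutableJWKSet<>(new JWKSet(this.key));
            JWSVerificationKeySelector<SecurityContext> keySelector =
                    new JWSVerificationKeySelector<>(this.jwsAlgorithm, jwkSource);
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            // Deliberate no-op: this processor checks no claims, callers must validate them.
            processor.setJWTClaimsSetVerifier((claims, context) -> {
            });
            return processor;
        }
    }

    /**
     * Starts a builder for a processor backed by a remote JWK Set.
     *
     * @param str the JWK Set URI, must not be blank
     * @return a new builder
     */
    public static JwkSetUriJwtProcessorBuilder withJwkSetUri(String str) {
        return new JwkSetUriJwtProcessorBuilder(str);
    }

    /**
     * Starts a builder for a processor backed by a single RSA public key.
     *
     * @param rSAPublicKey the verification key, must not be null
     * @return a new builder
     */
    public static PublicKeyJwtProcessorBuilder withPublicKey(RSAPublicKey rSAPublicKey) {
        return new PublicKeyJwtProcessorBuilder(rSAPublicKey);
    }
}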
