package org.springframework.security.oauth2.server.resource.introspection;

import java.net.URI;
import java.net.URL;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/springframework/security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospector.class */
public class SpringReactiveOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {
    private static final ParameterizedTypeReference<Map<String, Object>> STRING_OBJECT_MAP = new ParameterizedTypeReference<Map<String, Object>>() { // from class: org.springframework.security.oauth2.server.resource.introspection.SpringReactiveOpaqueTokenIntrospector.1
    };
    private final URI introspectionUri;
    private final WebClient webClient;
    private String authorityPrefix = "SCOPE_";

    public SpringReactiveOpaqueTokenIntrospector(String str, String str2, String str3) {
        Assert.hasText(str, "introspectionUri cannot be empty");
        Assert.hasText(str2, "clientId cannot be empty");
        Assert.notNull(str3, "clientSecret cannot be null");
        this.introspectionUri = URI.create(str);
        this.webClient = WebClient.builder().defaultHeaders(httpHeaders -> {
            httpHeaders.setBasicAuth(str2, str3);
        }).build();
    }

    public SpringReactiveOpaqueTokenIntrospector(String str, WebClient webClient) {
        Assert.hasText(str, "introspectionUri cannot be null");
        Assert.notNull(webClient, "webClient cannot be null");
        this.introspectionUri = URI.create(str);
        this.webClient = webClient;
    }

    @Override // org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector
    public Mono<OAuth2AuthenticatedPrincipal> introspect(String str) {
        return Mono.just(str).flatMap(this::makeRequest).flatMap(this::adaptToNimbusResponse).map(this::convertClaimsSet).onErrorMap(th -> {
            return !(th instanceof OAuth2IntrospectionException);
        }, this::onError);
    }

    private Mono<ClientResponse> makeRequest(String str) {
        return this.webClient.post().uri(this.introspectionUri).header("Accept", new String[]{"application/json"}).body(BodyInserters.fromFormData("token", str)).exchange();
    }

    private Mono<Map<String, Object>> adaptToNimbusResponse(ClientResponse clientResponse) {
        return clientResponse.statusCode() != HttpStatus.OK ? clientResponse.bodyToFlux(DataBuffer.class).map(DataBufferUtils::release).then(Mono.error(new OAuth2IntrospectionException("Introspection endpoint responded with " + clientResponse.statusCode()))) : clientResponse.bodyToMono(STRING_OBJECT_MAP).filter(map -> {
            return ((Boolean) map.compute("active", (str, obj) -> {
                if (obj instanceof String) {
                    return Boolean.valueOf(Boolean.parseBoolean((String) obj));
                }
                if (obj instanceof Boolean) {
                    return obj;
                }
                return false;
            })).booleanValue();
        }).switchIfEmpty(Mono.error(() -> {
            return new BadOpaqueTokenException("Provided token isn't active");
        }));
    }

    private OAuth2AuthenticatedPrincipal convertClaimsSet(Map<String, Object> map) {
        map.computeIfPresent(OAuth2IntrospectionClaimNames.AUDIENCE, (str, obj) -> {
            return obj instanceof String ? Collections.singletonList(obj) : obj;
        });
        map.computeIfPresent("client_id", (str2, obj2) -> {
            return obj2.toString();
        });
        map.computeIfPresent(OAuth2IntrospectionClaimNames.EXPIRES_AT, (str3, obj3) -> {
            return Instant.ofEpochSecond(((Number) obj3).longValue());
        });
        map.computeIfPresent(OAuth2IntrospectionClaimNames.ISSUED_AT, (str4, obj4) -> {
            return Instant.ofEpochSecond(((Number) obj4).longValue());
        });
        map.computeIfPresent(OAuth2IntrospectionClaimNames.ISSUER, (str5, obj5) -> {
            return issuer(obj5.toString());
        });
        map.computeIfPresent(OAuth2IntrospectionClaimNames.NOT_BEFORE, (str6, obj6) -> {
            return Instant.ofEpochSecond(((Number) obj6).longValue());
        });
        ArrayList arrayList = new ArrayList();
        map.computeIfPresent("scope", (str7, obj7) -> {
            if (!(obj7 instanceof String)) {
                return obj7;
            }
            List asList = Arrays.asList(((String) obj7).split(" "));
            Iterator it = asList.iterator();
            while (it.hasNext()) {
                arrayList.add(new SimpleGrantedAuthority(this.authorityPrefix + ((String) it.next())));
            }
            return asList;
        });
        return new OAuth2IntrospectionAuthenticatedPrincipal(map, arrayList);
    }

    private URL issuer(String str) {
        try {
            return new URL(str);
        } catch (Exception e) {
            throw new OAuth2IntrospectionException("Invalid iss value: " + str);
        }
    }

    private OAuth2IntrospectionException onError(Throwable th) {
        return new OAuth2IntrospectionException(th.getMessage(), th);
    }
}
