package org.springframework.security.oauth2.server.resource.authentication;

import com.nimbusds.jose.jwk.JWK;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.function.Function;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.DPoPProofContext;
import org.springframework.security.oauth2.jwt.DPoPProofJwtDecoderFactory;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-resource-server-6.5.1.jar:org/springframework/security/oauth2/server/resource/authentication/DPoPAuthenticationProvider.class */
/**
 * {@link AuthenticationProvider} for DPoP-bound access tokens (RFC 9449).
 * <p>
 * Authentication happens in two steps: the access token is first authenticated through the
 * delegate {@link AuthenticationManager} as an ordinary bearer token, and only then is the DPoP
 * proof JWT decoded and validated against the authenticated token via the configured
 * {@link JwtDecoderFactory}. The default factory is a {@link DPoPProofJwtDecoderFactory} whose
 * validator chain is the framework default plus two proof-to-token binding checks:
 * {@link AthClaimValidator} ({@code ath}) and {@link JwkThumbprintValidator} ({@code cnf.jkt}).
 * <p>
 * Decompiled from spring-security-oauth2-resource-server-6.5.1; the nested classes below were
 * {@code private} in the original source.
 */
public final class DPoPAuthenticationProvider implements AuthenticationProvider {

    /** Delegate that authenticates the access token itself (as a bearer token). */
    private final AuthenticationManager tokenAuthenticationManager;

    /** Creates the decoder (and validator chain) used to verify the DPoP proof JWT. */
    private JwtDecoderFactory<DPoPProofContext> dPoPProofVerifierFactory;

    /**
     * Checks that the proof's {@code ath} claim equals the unpadded base64url SHA-256 hash of the
     * access token value, i.e. that the proof was issued for this particular access token.
     */
    public static final class AthClaimValidator implements OAuth2TokenValidator<Jwt> {

        private final OAuth2AccessTokenClaims accessToken;

        private AthClaimValidator(OAuth2AccessTokenClaims oAuth2AccessTokenClaims) {
            Assert.notNull(oAuth2AccessTokenClaims, "accessToken cannot be null");
            this.accessToken = oAuth2AccessTokenClaims;
        }

        /**
         * @param jwt the decoded DPoP proof
         * @return success when {@code ath} matches the hash of the bound access token; a failure
         *         with error code {@code invalid_dpop_proof} when the claim is absent, does not
         *         match, or the hash cannot be computed
         */
        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            Assert.notNull(jwt, "DPoP proof jwt cannot be null");
            String presentedHash = jwt.getClaimAsString("ath");
            if (!StringUtils.hasText(presentedHash)) {
                return invalidProof("ath claim is required.");
            }
            String expectedHash;
            try {
                expectedHash = computeSHA256(this.accessToken.getTokenValue());
            } catch (Exception ex) {
                // MessageDigest failure is reported as a proof failure rather than propagated.
                return invalidProof("Failed to compute SHA-256 Thumbprint for access token.");
            }
            if (!presentedHash.equals(expectedHash)) {
                return invalidProof("ath claim is invalid.");
            }
            return OAuth2TokenValidatorResult.success();
        }

        private static OAuth2TokenValidatorResult invalidProof(String description) {
            return OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_dpop_proof", description, null));
        }

        /** SHA-256 over the UTF-8 bytes of {@code value}, encoded as base64url without padding. */
        private static String computeSHA256(String value) throws Exception {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] hash = sha256.digest(value.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(hash);
        }
    }

    /**
     * Checks that the thumbprint of the public key carried in the proof's {@code jwk} header equals
     * the {@code jkt} value recorded in the access token's {@code cnf} claim, i.e. that the proof
     * was signed with the key the token was bound to.
     */
    public static final class JwkThumbprintValidator implements OAuth2TokenValidator<Jwt> {

        private final OAuth2AccessTokenClaims accessToken;

        private JwkThumbprintValidator(OAuth2AccessTokenClaims oAuth2AccessTokenClaims) {
            Assert.notNull(oAuth2AccessTokenClaims, "accessToken cannot be null");
            this.accessToken = oAuth2AccessTokenClaims;
        }

        /**
         * @param jwt the decoded DPoP proof
         * @return success when the {@code jwk} header's thumbprint matches {@code cnf.jkt}; a
         *         failure with error code {@code invalid_dpop_proof} when the token carries no
         *         {@code jkt}, the header is missing/unparseable, the thumbprint cannot be
         *         computed, or the values differ
         */
        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            Assert.notNull(jwt, "DPoP proof jwt cannot be null");
            String boundThumbprint = confirmationThumbprint();
            if (boundThumbprint == null) {
                return invalidProof("jkt claim is required.");
            }
            JWK proofKey = parseJwkHeader(jwt);
            if (proofKey == null) {
                return invalidProof("jwk header is missing or invalid.");
            }
            String actualThumbprint;
            try {
                actualThumbprint = proofKey.computeThumbprint().toString();
            } catch (Exception ex) {
                return invalidProof("Failed to compute SHA-256 Thumbprint for jwk.");
            }
            return boundThumbprint.equals(actualThumbprint)
                    ? OAuth2TokenValidatorResult.success()
                    : invalidProof("jkt claim is invalid.");
        }

        /** The {@code jkt} entry of the token's {@code cnf} claim, or {@code null} when absent. */
        private String confirmationThumbprint() {
            Map<String, Object> cnf = this.accessToken.getClaimAsMap("cnf");
            if (CollectionUtils.isEmpty(cnf) || !cnf.containsKey("jkt")) {
                return null;
            }
            return (String) cnf.get("jkt");
        }

        /** Parses the proof's {@code jwk} header; {@code null} when absent or not a valid JWK. */
        @SuppressWarnings("unchecked")
        private static JWK parseJwkHeader(Jwt jwt) {
            try {
                return JWK.parse((Map<String, Object>) jwt.getHeaders().get("jwk"));
            } catch (Exception ignored) {
                // A missing, mistyped or malformed header is reported uniformly by the caller.
                return null;
            }
        }

        private static OAuth2TokenValidatorResult invalidProof(String description) {
            return OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_dpop_proof", description, null));
        }
    }

    /**
     * Adapter exposing an authenticated access token together with its claims, so the proof
     * validators can read both the raw token value and claims such as {@code cnf}.
     */
    public static final class OAuth2AccessTokenClaims implements OAuth2Token, ClaimAccessor {

        private final OAuth2Token accessToken;

        private final Map<String, Object> claims;

        private OAuth2AccessTokenClaims(OAuth2Token oAuth2Token, Map<String, Object> map) {
            this.accessToken = oAuth2Token;
            this.claims = map;
        }

        @Override
        public String getTokenValue() {
            return this.accessToken.getTokenValue();
        }

        @Override
        public Instant getIssuedAt() {
            return this.accessToken.getIssuedAt();
        }

        @Override
        public Instant getExpiresAt() {
            return this.accessToken.getExpiresAt();
        }

        @Override
        public Map<String, Object> getClaims() {
            return this.claims;
        }
    }

    /**
     * @param authenticationManager delegate used to authenticate the access token; must not be
     *        {@code null}
     */
    public DPoPAuthenticationProvider(AuthenticationManager authenticationManager) {
        Assert.notNull(authenticationManager, "tokenAuthenticationManager cannot be null");
        this.tokenAuthenticationManager = authenticationManager;
        Function<DPoPProofContext, OAuth2TokenValidator<Jwt>> validatorFactory =
                DPoPAuthenticationProvider::proofValidators;
        DPoPProofJwtDecoderFactory proofDecoderFactory = new DPoPProofJwtDecoderFactory();
        proofDecoderFactory.setJwtValidatorFactory(validatorFactory);
        this.dPoPProofVerifierFactory = proofDecoderFactory;
    }

    /** Default validator chain: framework defaults, then the {@code ath} and {@code jkt} bindings. */
    private static OAuth2TokenValidator<Jwt> proofValidators(DPoPProofContext context) {
        OAuth2TokenValidator<Jwt> defaults = DPoPProofJwtDecoderFactory.DEFAULT_JWT_VALIDATOR_FACTORY.apply(context);
        OAuth2AccessTokenClaims boundToken = (OAuth2AccessTokenClaims) context.getAccessToken();
        return new DelegatingOAuth2TokenValidator<>(
                defaults,
                new AthClaimValidator(boundToken),
                new JwkThumbprintValidator(boundToken));
    }

    /**
     * Authenticates the access token via the delegate manager, then verifies the DPoP proof
     * against the authenticated token, the HTTP method and the target URI.
     *
     * @param authentication a {@link DPoPAuthenticationToken} (guaranteed by {@link #supports})
     * @return the delegate's authentication result, unchanged, when the proof is valid
     * @throws OAuth2AuthenticationException with {@code invalid_token} when the delegate does not
     *         return an {@link AbstractOAuth2TokenAuthenticationToken}, or with
     *         {@code invalid_dpop_proof} when proof decoding/validation fails (the validator's
     *         description is only available through the wrapped {@link JwtException} cause)
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        DPoPAuthenticationToken dPoPToken = (DPoPAuthenticationToken) authentication;
        Authentication accessTokenAuthentication = this.tokenAuthenticationManager
                .authenticate(new BearerTokenAuthenticationToken(dPoPToken.getAccessToken()));
        if (!(accessTokenAuthentication instanceof AbstractOAuth2TokenAuthenticationToken)) {
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("invalid_token", "Unable to authenticate the DPoP-bound access token.", null));
        }
        AbstractOAuth2TokenAuthenticationToken<?> tokenAuthentication =
                (AbstractOAuth2TokenAuthenticationToken<?>) accessTokenAuthentication;
        OAuth2AccessTokenClaims boundToken = new OAuth2AccessTokenClaims(
                tokenAuthentication.getToken(), tokenAuthentication.getTokenAttributes());
        DPoPProofContext proofContext = DPoPProofContext.withDPoPProof(dPoPToken.getDPoPProof())
                .accessToken(boundToken)
                .method(dPoPToken.getMethod())
                .targetUri(dPoPToken.getResourceUri())
                .build();
        try {
            // Decoding runs the full validator chain; the decoded proof itself is not needed.
            this.dPoPProofVerifierFactory.createDecoder(proofContext).decode(proofContext.getDPoPProof());
        } catch (JwtException ex) {
            throw new OAuth2AuthenticationException(new OAuth2Error("invalid_dpop_proof"), ex);
        }
        return accessTokenAuthentication;
    }

    /** Only {@link DPoPAuthenticationToken}s are handled, which makes the cast in {@link #authenticate} safe. */
    @Override
    public boolean supports(Class<?> cls) {
        return DPoPAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Replaces the factory used to build the DPoP proof decoder.
     *
     * @param jwtDecoderFactory the replacement factory; must not be {@code null}
     */
    public void setDPoPProofVerifierFactory(JwtDecoderFactory<DPoPProofContext> jwtDecoderFactory) {
        Assert.notNull(jwtDecoderFactory, "dPoPProofVerifierFactory cannot be null");
        this.dPoPProofVerifierFactory = jwtDecoderFactory;
    }
}
