package org.springframework.security.oauth2.client.oidc.authentication;

import java.time.Duration;
import java.time.temporal.TemporalAmount;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.context.ApplicationListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.event.OAuth2AuthorizedClientRefreshedEvent;
import org.springframework.security.oauth2.client.oidc.authentication.event.OidcUserRefreshedEvent;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-6.5.1.jar:org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizedClientRefreshedEventListener.class */
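/**
 * Listens for {@link OAuth2AuthorizedClientRefreshedEvent}s and, when the refreshed
 * token response carries an {@code id_token} for an {@code openid} scoped client,
 * re-validates that ID token against the one held by the currently authenticated
 * {@link OidcUser}, reloads the user through the configured
 * {@link OAuth2UserService} and publishes an {@link OidcUserRefreshedEvent}
 * containing a replacement {@link OAuth2AuthenticationToken}.
 * <p>
 * The re-validation implements the refreshed-ID-token rules of OpenID Connect Core 1.0
 * section 12.2 (the anchor referenced by {@code REFRESH_TOKEN_RESPONSE_ERROR_URI}):
 * {@code iss} and {@code sub} must be unchanged, {@code iat} must not be older than the
 * original (allowing {@link #setClockSkew(Duration) clock skew}), {@code aud} must be the
 * same set, and {@code auth_time} and {@code nonce}, if present in the new token, must
 * match the original. Any violation raises an {@link OAuth2AuthenticationException}
 * rather than silently keeping the old principal.
 * <p>
 * Signature and required-claim validation of the new {@code id_token} is delegated to the
 * {@link JwtDecoder} obtained from the configured {@link JwtDecoderFactory}; this class
 * only performs the cross-check against the existing token. It does not itself modify
 * the {@link SecurityContextHolderStrategy security context}; it only publishes the event.
 * <p>
 * Not thread-safe for configuration: the setters are intended to be called during
 * bean initialisation, before events are delivered.
 */
public final class OidcAuthorizedClientRefreshedEventListener
        implements ApplicationEventPublisherAware, ApplicationListener<OAuth2AuthorizedClientRefreshedEvent> {

    private static final String INVALID_ID_TOKEN_ERROR_CODE = "invalid_id_token";

    private static final String INVALID_NONCE_ERROR_CODE = "invalid_nonce";

    private static final String REFRESH_TOKEN_RESPONSE_ERROR_URI = "https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse";

    // Injected by the container via ApplicationEventPublisherAware; while null the
    // listener is inert (see onApplicationEvent).
    private ApplicationEventPublisher applicationEventPublisher;

    private OAuth2UserService<OidcUserRequest, OidcUser> userService = new OidcUserService();

    private JwtDecoderFactory<ClientRegistration> jwtDecoderFactory = new OidcIdTokenDecoderFactory();

    // Identity mapping by default: the reloaded user's authorities are used unchanged.
    private GrantedAuthoritiesMapper authoritiesMapper = (authorities) -> authorities;

    private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder.getContextHolderStrategy();

    // Tolerance applied when comparing the new token's iat against the original one.
    private Duration clockSkew = Duration.ofSeconds(60);

    /**
     * Handles a refreshed authorized client. Every precondition below causes an early
     * return without side effects; only a validation failure of a present
     * {@code id_token} throws.
     *
     * @param event the refreshed-client event, carrying the token response and the
     * client registration the refresh belongs to
     * @throws OAuth2AuthenticationException if the new {@code id_token} cannot be
     * decoded or does not match the existing user's ID token
     */
    @Override
    public void onApplicationEvent(OAuth2AuthorizedClientRefreshedEvent event) {
        if (this.applicationEventPublisher == null) {
            return;
        }
        OAuth2AccessTokenResponse accessTokenResponse = event.getAccessTokenResponse();
        if (!accessTokenResponse.getAccessToken().getScopes().contains(OidcScopes.OPENID)) {
            return;
        }
        Map<String, Object> additionalParameters = accessTokenResponse.getAdditionalParameters();
        if (!StringUtils.hasText((String) additionalParameters.get(OidcParameterNames.ID_TOKEN))) {
            return;
        }
        Authentication authentication = this.securityContextHolderStrategy.getContext().getAuthentication();
        if (!(authentication instanceof OAuth2AuthenticationToken)) {
            return;
        }
        OAuth2AuthenticationToken authenticationToken = (OAuth2AuthenticationToken) authentication;
        // Exact-type check, not instanceof: a subclass is deliberately left untouched,
        // presumably because the replacement token built below could not reproduce
        // whatever extra state the subclass carries (intent not stated in this file).
        if (authenticationToken.getClass() != OAuth2AuthenticationToken.class) {
            return;
        }
        OAuth2User principal = authenticationToken.getPrincipal();
        if (!(principal instanceof OidcUser)) {
            return;
        }
        OidcUser existingOidcUser = (OidcUser) principal;
        // Only act on a refresh for the same registration the current login came from;
        // a refresh for some other client must not replace this principal.
        ClientRegistration clientRegistration = event.getAuthorizedClient().getClientRegistration();
        if (!authenticationToken.getAuthorizedClientRegistrationId().equals(clientRegistration.getRegistrationId())) {
            return;
        }
        OidcIdToken idToken = createOidcToken(clientRegistration, accessTokenResponse);
        // Cross-check against the ID token the user was originally authenticated with
        // before trusting the new one to reload the principal.
        validateIdToken(existingOidcUser, idToken);
        OidcUserRequest userRequest = new OidcUserRequest(clientRegistration, accessTokenResponse.getAccessToken(),
                idToken, additionalParameters);
        OidcUser refreshedOidcUser = this.userService.loadUser(userRequest);
        OAuth2AuthenticationToken refreshedAuthentication = new OAuth2AuthenticationToken(refreshedOidcUser,
                this.authoritiesMapper.mapAuthorities(refreshedOidcUser.getAuthorities()),
                clientRegistration.getRegistrationId());
        // Preserve request details (e.g. remote address/session) from the current token.
        refreshedAuthentication.setDetails(authenticationToken.getDetails());
        this.applicationEventPublisher.publishEvent(new OidcUserRefreshedEvent(accessTokenResponse, existingOidcUser,
                refreshedOidcUser, refreshedAuthentication));
    }

    /**
     * Sets the strategy used to read the current {@link Authentication}.
     *
     * @param securityContextHolderStrategy the strategy, must not be {@code null}
     */
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
        Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
        this.securityContextHolderStrategy = securityContextHolderStrategy;
    }

    /**
     * Sets the factory that supplies the {@link JwtDecoder} used to decode and verify
     * the refreshed {@code id_token} for a given {@link ClientRegistration}.
     *
     * @param jwtDecoderFactory the factory, must not be {@code null}
     */
    public void setJwtDecoderFactory(JwtDecoderFactory<ClientRegistration> jwtDecoderFactory) {
        Assert.notNull(jwtDecoderFactory, "jwtDecoderFactory cannot be null");
        this.jwtDecoderFactory = jwtDecoderFactory;
    }

    /**
     * Sets the service used to reload the {@link OidcUser} after the new ID token
     * has been validated.
     *
     * @param oAuth2UserService the user service, must not be {@code null}
     */
    public void setUserService(OAuth2UserService<OidcUserRequest, OidcUser> oAuth2UserService) {
        Assert.notNull(oAuth2UserService, "userService cannot be null");
        this.userService = oAuth2UserService;
    }

    /**
     * Sets the mapper applied to the reloaded user's authorities before they are
     * placed in the replacement {@link OAuth2AuthenticationToken}.
     *
     * @param grantedAuthoritiesMapper the mapper, must not be {@code null}
     */
    public void setAuthoritiesMapper(GrantedAuthoritiesMapper grantedAuthoritiesMapper) {
        Assert.notNull(grantedAuthoritiesMapper, "authoritiesMapper cannot be null");
        this.authoritiesMapper = grantedAuthoritiesMapper;
    }

    /**
     * Sets the publisher used to emit the {@link OidcUserRefreshedEvent}.
     *
     * @param applicationEventPublisher the publisher, must not be {@code null}
     */
    @Override
    public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) {
        Assert.notNull(applicationEventPublisher, "applicationEventPublisher cannot be null");
        this.applicationEventPublisher = applicationEventPublisher;
    }

    /**
     * Sets the clock skew tolerated when checking that the refreshed token's
     * {@code iat} is not earlier than the original token's {@code iat}.
     *
     * @param duration the skew, must not be {@code null} or negative
     * @throws IllegalArgumentException if the duration is {@code null} or negative
     */
    public void setClockSkew(Duration duration) {
        Assert.notNull(duration, "clockSkew cannot be null");
        Assert.isTrue(!duration.isNegative(), "clockSkew must be >= 0");
        this.clockSkew = duration;
    }

    /**
     * Decodes the {@code id_token} from the token response with a decoder created for the
     * client registration and wraps the result as an {@link OidcIdToken}.
     */
    private OidcIdToken createOidcToken(ClientRegistration clientRegistration, OAuth2AccessTokenResponse accessTokenResponse) {
        Jwt jwt = getJwt(accessTokenResponse, this.jwtDecoderFactory.createDecoder(clientRegistration));
        return new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());
    }

    /**
     * Decodes the {@code id_token} additional parameter, translating any
     * {@link JwtException} into an {@link OAuth2AuthenticationException} with error code
     * {@code invalid_id_token}. The decoder's message is kept as the error description
     * and the original exception as the cause.
     */
    private Jwt getJwt(OAuth2AccessTokenResponse accessTokenResponse, JwtDecoder jwtDecoder) {
        String idTokenValue = (String) accessTokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN);
        try {
            return jwtDecoder.decode(idTokenValue);
        }
        catch (JwtException ex) {
            OAuth2Error error = new OAuth2Error(INVALID_ID_TOKEN_ERROR_CODE, ex.getMessage(), null);
            throw new OAuth2AuthenticationException(error, error.toString(), ex);
        }
    }

    /**
     * Runs every cross-check of the new ID token against the existing user's ID token;
     * the first failing check throws. Claims the decoder is assumed to have already
     * required ({@code iss}, {@code sub}, {@code iat}, {@code aud}) are dereferenced
     * here without null checks, so a token missing one of them would fail with a
     * {@link NullPointerException} rather than an {@link OAuth2AuthenticationException}
     * (NOTE(review): confirm the configured decoder enforces the required claims).
     */
    private void validateIdToken(OidcUser existingOidcUser, OidcIdToken idToken) {
        validateIssuer(existingOidcUser, idToken);
        validateSubject(existingOidcUser, idToken);
        validateIssuedAt(existingOidcUser, idToken);
        validateAudience(existingOidcUser, idToken);
        validateAuthenticatedAt(existingOidcUser, idToken);
        validateNonce(existingOidcUser, idToken);
    }

    /** {@code iss} must be identical (compared as strings) to the existing token's issuer. */
    private void validateIssuer(OidcUser existingOidcUser, OidcIdToken idToken) {
        String expected = existingOidcUser.getIdToken().getIssuer().toString();
        if (!idToken.getIssuer().toString().equals(expected)) {
            throw invalidIdToken(INVALID_ID_TOKEN_ERROR_CODE, "Invalid issuer");
        }
    }

    /** {@code sub} must be identical to the existing token's subject. */
    private void validateSubject(OidcUser existingOidcUser, OidcIdToken idToken) {
        if (!idToken.getSubject().equals(existingOidcUser.getIdToken().getSubject())) {
            throw invalidIdToken(INVALID_ID_TOKEN_ERROR_CODE, "Invalid subject");
        }
    }

    /**
     * The new token's {@code iat} must be strictly after the existing token's
     * {@code iat} minus the configured clock skew; an equal-or-older timestamp is
     * rejected so a replayed or stale token cannot replace the principal.
     */
    private void validateIssuedAt(OidcUser existingOidcUser, OidcIdToken idToken) {
        Instant earliestAllowed = existingOidcUser.getIdToken().getIssuedAt().minus(this.clockSkew);
        if (!idToken.getIssuedAt().isAfter(earliestAllowed)) {
            throw invalidIdToken(INVALID_ID_TOKEN_ERROR_CODE, "Invalid issued at time");
        }
    }

    /** {@code aud} must contain the same audiences as the existing token (order-insensitive). */
    private void validateAudience(OidcUser existingOidcUser, OidcIdToken idToken) {
        if (!isValidAudience(existingOidcUser, idToken)) {
            throw invalidIdToken(INVALID_ID_TOKEN_ERROR_CODE, "Invalid audience");
        }
    }

    /**
     * Compares the two audience lists as sets. The size comparison additionally rejects a
     * refreshed audience list with duplicate entries (e.g. {@code [a, a]}), which after
     * collapsing into a set could otherwise pass against an existing {@code [a, b]} of the
     * same length.
     */
    private static boolean isValidAudience(OidcUser existingOidcUser, OidcIdToken idToken) {
        List<String> idTokenAudience = idToken.getAudience();
        Set<String> existingAudience = new HashSet<>(existingOidcUser.getIdToken().getAudience());
        if (idTokenAudience.size() != existingAudience.size()) {
            return false;
        }
        return new HashSet<>(idTokenAudience).equals(existingAudience);
    }

    /**
     * {@code auth_time} is optional in the refreshed token; when present it must equal the
     * existing token's {@code auth_time} (a value present here but absent originally is a
     * mismatch).
     */
    private void validateAuthenticatedAt(OidcUser existingOidcUser, OidcIdToken idToken) {
        Instant authenticatedAt = idToken.getAuthenticatedAt();
        if (authenticatedAt != null && !authenticatedAt.equals(existingOidcUser.getIdToken().getAuthenticatedAt())) {
            throw invalidIdToken(INVALID_ID_TOKEN_ERROR_CODE, "Invalid authenticated at time");
        }
    }

    /**
     * {@code nonce} is optional in the refreshed token; when present it must equal the
     * existing token's nonce. A mismatch is reported with error code {@code invalid_nonce}.
     */
    private void validateNonce(OidcUser existingOidcUser, OidcIdToken idToken) {
        String nonce = idToken.getNonce();
        if (StringUtils.hasText(nonce) && !nonce.equals(existingOidcUser.getIdToken().getNonce())) {
            throw invalidIdToken(INVALID_NONCE_ERROR_CODE, "Invalid nonce");
        }
    }

    /**
     * Builds the exception thrown for a failed cross-check, pointing at the OpenID
     * Connect refresh-response rules via {@code REFRESH_TOKEN_RESPONSE_ERROR_URI}.
     *
     * @param errorCode the OAuth 2.0 error code to report
     * @param description a short, non-sensitive description of the failed check
     * @return the exception for the caller to throw
     */
    private static OAuth2AuthenticationException invalidIdToken(String errorCode, String description) {
        OAuth2Error error = new OAuth2Error(errorCode, description, REFRESH_TOKEN_RESPONSE_ERROR_URI);
        return new OAuth2AuthenticationException(error, error.toString());
    }
}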
