package org.springframework.security.oauth2.server.resource.introspection;

import com.nimbusds.oauth2.sdk.TokenIntrospectionResponse;
import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.Audience;
import java.net.URI;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import net.minidev.json.JSONObject;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.support.BasicAuthenticationInterceptor;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.util.Assert;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

/* loaded from: input_file:org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.class */
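/**
 * {@link OpaqueTokenIntrospector} that checks an opaque bearer token by POSTing it to an
 * OAuth 2.0 token introspection endpoint and parsing the reply with the Nimbus SDK.
 *
 * <p>Points an integrator should be aware of, all visible in this class:
 * <ul>
 * <li>The token (and, with the three-argument constructor, the client id and secret as
 * HTTP Basic credentials) is sent to the configured introspection URI. The URI scheme is
 * not checked here, so the caller is responsible for supplying an {@code https} endpoint.</li>
 * <li>The three-argument constructor builds a plain {@link RestTemplate} and does not
 * configure timeouts or TLS settings on it; use the {@link RestOperations} constructor
 * when those need to be controlled.</li>
 * <li>The only acceptance test applied to the reply is the {@code active} flag. The
 * {@code aud}, {@code iss}, {@code exp} and {@code nbf} values are copied into the
 * principal's attributes but are not compared against expected values by this class.</li>
 * <li>Each scope value in the reply becomes a granted authority prefixed with
 * {@code SCOPE_}; authorization therefore trusts the introspection endpoint's reply.</li>
 * </ul>
 */
public class NimbusOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
    private Converter<String, RequestEntity<?>> requestEntityConverter;
    private RestOperations restOperations;
    private final String authorityPrefix = "SCOPE_";

    /**
     * Creates an introspector that authenticates to the endpoint with HTTP Basic.
     *
     * @param introspectionUri the introspection endpoint URI, must not be null
     * @param clientId the client id used for HTTP Basic authentication, must not be null
     * @param clientSecret the client secret used for HTTP Basic authentication, must not be null
     */
    public NimbusOpaqueTokenIntrospector(String introspectionUri, String clientId, String clientSecret) {
        Assert.notNull(introspectionUri, "introspectionUri cannot be null");
        Assert.notNull(clientId, "clientId cannot be null");
        Assert.notNull(clientSecret, "clientSecret cannot be null");
        this.requestEntityConverter = defaultRequestEntityConverter(URI.create(introspectionUri));
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.getInterceptors().add(new BasicAuthenticationInterceptor(clientId, clientSecret));
        this.restOperations = restTemplate;
    }

    /**
     * Creates an introspector that uses a caller-supplied HTTP client. Authentication to the
     * endpoint, timeouts and TLS configuration are whatever {@code restOperations} provides;
     * nothing is added to it here.
     *
     * @param introspectionUri the introspection endpoint URI, must not be null
     * @param restOperations the client used to call the endpoint, must not be null
     */
    public NimbusOpaqueTokenIntrospector(String introspectionUri, RestOperations restOperations) {
        Assert.notNull(introspectionUri, "introspectionUri cannot be null");
        Assert.notNull(restOperations, "restOperations cannot be null");
        this.requestEntityConverter = defaultRequestEntityConverter(URI.create(introspectionUri));
        this.restOperations = restOperations;
    }

    /** Builds the default converter: a POST to {@code introspectionUri} carrying the token as a form field. */
    private Converter<String, RequestEntity<?>> defaultRequestEntityConverter(URI introspectionUri) {
        return token -> new RequestEntity<>(requestBody(token), requestHeaders(), HttpMethod.POST, introspectionUri);
    }

    /** Returns the request headers; only {@code Accept} is set here. */
    private HttpHeaders requestHeaders() {
        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8));
        return headers;
    }

    /** Returns the request body holding the single {@code token} parameter. */
    private MultiValueMap<String, String> requestBody(String token) {
        MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
        body.add("token", token);
        return body;
    }

    /**
     * Sends the token to the introspection endpoint and converts an active reply into a principal.
     *
     * @param token the opaque token to check
     * @return the principal built from the introspection reply
     * @throws BadOpaqueTokenException if the endpoint reports the token as not active
     * @throws OAuth2IntrospectionException if the request cannot be built or sent, the endpoint
     * answers with a status other than 200 or without a Content-Type, or the reply cannot be parsed
     */
    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        RequestEntity<?> requestEntity = this.requestEntityConverter.convert(token);
        if (requestEntity == null) {
            throw new OAuth2IntrospectionException("requestEntityConverter returned a null entity");
        }
        ResponseEntity<String> responseEntity = makeRequest(requestEntity);
        HTTPResponse httpResponse = adaptToNimbusResponse(responseEntity);
        TokenIntrospectionResponse introspectionResponse = parseNimbusResponse(httpResponse);
        TokenIntrospectionSuccessResponse successResponse = castToNimbusSuccess(introspectionResponse);
        // Fail closed: anything other than an explicit active reply is rejected.
        if (!successResponse.isActive()) {
            throw new BadOpaqueTokenException("Provided token isn't active");
        }
        return convertClaimsSet(successResponse);
    }

    /**
     * Replaces the converter that turns a token into the introspection request. The converter
     * decides the destination and content of the request, so it also decides where the token
     * is sent.
     *
     * @param converter the converter to use, must not be null
     */
    public void setRequestEntityConverter(Converter<String, RequestEntity<?>> converter) {
        Assert.notNull(converter, "requestEntityConverter cannot be null");
        this.requestEntityConverter = converter;
    }

    /** Performs the HTTP exchange, wrapping any failure in {@link OAuth2IntrospectionException}. */
    private ResponseEntity<String> makeRequest(RequestEntity<?> requestEntity) {
        try {
            return this.restOperations.exchange(requestEntity, String.class);
        } catch (Exception e) {
            // NOTE(review): the message is whatever the HTTP client produced; confirm it is
            // acceptable to surface to callers of introspect().
            throw new OAuth2IntrospectionException(e.getMessage(), e);
        }
    }

    /**
     * Copies status, Content-Type and body into a Nimbus {@link HTTPResponse}.
     *
     * @throws OAuth2IntrospectionException if the status is not 200 or no Content-Type header
     * was returned
     */
    private HTTPResponse adaptToNimbusResponse(ResponseEntity<String> responseEntity) {
        int status = responseEntity.getStatusCodeValue();
        // Check the status first so that an error reply without a Content-Type is reported
        // by its status code.
        if (status != 200) {
            throw new OAuth2IntrospectionException("Introspection endpoint responded with " + status);
        }
        MediaType contentType = responseEntity.getHeaders().getContentType();
        // getContentType() is null when the header is absent; previously this dereference
        // escaped as a NullPointerException instead of an introspection failure.
        if (contentType == null) {
            throw new OAuth2IntrospectionException(
                    "Introspection endpoint response was invalid, as no Content-Type header was provided");
        }
        HTTPResponse httpResponse = new HTTPResponse(status);
        httpResponse.setHeader("Content-Type", contentType.toString());
        httpResponse.setContent(responseEntity.getBody());
        return httpResponse;
    }

    /** Parses the reply with Nimbus, wrapping any failure in {@link OAuth2IntrospectionException}. */
    private TokenIntrospectionResponse parseNimbusResponse(HTTPResponse httpResponse) {
        try {
            return TokenIntrospectionResponse.parse(httpResponse);
        } catch (Exception e) {
            throw new OAuth2IntrospectionException(e.getMessage(), e);
        }
    }

    /** Narrows the parsed reply to a success response, or fails if it does not indicate success. */
    private TokenIntrospectionSuccessResponse castToNimbusSuccess(TokenIntrospectionResponse introspectionResponse) {
        if (!introspectionResponse.indicatesSuccess()) {
            throw new OAuth2IntrospectionException("Token introspection failed");
        }
        return (TokenIntrospectionSuccessResponse) introspectionResponse;
    }

    /**
     * Builds the principal from a success response. The reply's JSON object is used as the
     * attribute map, with the typed claims below overwritten by converted values; each scope
     * value is also turned into a granted authority carrying the {@code SCOPE_} prefix.
     */
    private OAuth2AuthenticatedPrincipal convertClaimsSet(TokenIntrospectionSuccessResponse response) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        JSONObject claims = response.toJSONObject();
        if (response.getAudience() != null) {
            List<String> audiences = new ArrayList<>();
            for (Audience audience : response.getAudience()) {
                audiences.add(audience.getValue());
            }
            claims.put(OAuth2IntrospectionClaimNames.AUDIENCE, Collections.unmodifiableList(audiences));
        }
        if (response.getClientID() != null) {
            claims.put(OAuth2IntrospectionClaimNames.CLIENT_ID, response.getClientID().getValue());
        }
        if (response.getExpirationTime() != null) {
            claims.put(OAuth2IntrospectionClaimNames.EXPIRES_AT, response.getExpirationTime().toInstant());
        }
        if (response.getIssueTime() != null) {
            claims.put(OAuth2IntrospectionClaimNames.ISSUED_AT, response.getIssueTime().toInstant());
        }
        if (response.getIssuer() != null) {
            claims.put(OAuth2IntrospectionClaimNames.ISSUER, issuer(response.getIssuer().getValue()));
        }
        if (response.getNotBeforeTime() != null) {
            claims.put(OAuth2IntrospectionClaimNames.NOT_BEFORE, response.getNotBeforeTime().toInstant());
        }
        if (response.getScope() != null) {
            List<String> scopes = Collections.unmodifiableList(response.getScope().toStringList());
            claims.put(OAuth2IntrospectionClaimNames.SCOPE, scopes);
            for (String scope : scopes) {
                authorities.add(new SimpleGrantedAuthority(this.authorityPrefix + scope));
            }
        }
        return new OAuth2IntrospectionAuthenticatedPrincipal(claims, authorities);
    }

    /**
     * Converts the {@code iss} value to a {@link URL}.
     *
     * @throws OAuth2IntrospectionException if the value is not a valid URL
     */
    private URL issuer(String uri) {
        try {
            return new URL(uri);
        } catch (Exception e) {
            // Keep the cause so the reason for rejecting the value is not lost.
            throw new OAuth2IntrospectionException("Invalid iss value: " + uri, e);
        }
    }
}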
