package org.springframework.security.oauth2.client.web.reactive.function.client;

import java.net.URI;
import java.time.Clock;
import java.time.Duration;
import java.time.temporal.TemporalAmount;
import java.util.Map;
import java.util.Optional;
import java.util.function.Consumer;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.Elements;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.OAuth2AuthorizedClientResolver;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.web.reactive.function.OAuth2BodyExtractors;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.BodyInserters;
import org.springframework.web.reactive.function.client.ClientRequest;
import org.springframework.web.reactive.function.client.ClientResponse;
import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
import org.springframework.web.reactive.function.client.ExchangeFunction;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-client-5.1.8.RELEASE.jar:org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.class */
public final class ServerOAuth2AuthorizedClientExchangeFilterFunction implements ExchangeFilterFunction {
    private static final String OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME = OAuth2AuthorizedClient.class.getName();
    private static final String CLIENT_REGISTRATION_ID_ATTR_NAME = OAuth2AuthorizedClient.class.getName().concat(".CLIENT_REGISTRATION_ID");
    private static final String SERVER_WEB_EXCHANGE_ATTR_NAME = ServerWebExchange.class.getName();
    private static final AnonymousAuthenticationToken ANONYMOUS_USER_TOKEN = new AnonymousAuthenticationToken(Elements.ANONYMOUS, "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_USER"));
    private Clock clock;
    private Duration accessTokenExpiresSkew;
    private ServerOAuth2AuthorizedClientRepository authorizedClientRepository;
    private final OAuth2AuthorizedClientResolver authorizedClientResolver;

    public ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveClientRegistrationRepository reactiveClientRegistrationRepository, ServerOAuth2AuthorizedClientRepository serverOAuth2AuthorizedClientRepository) {
        this(serverOAuth2AuthorizedClientRepository, new OAuth2AuthorizedClientResolver(reactiveClientRegistrationRepository, serverOAuth2AuthorizedClientRepository));
    }

    ServerOAuth2AuthorizedClientExchangeFilterFunction(ServerOAuth2AuthorizedClientRepository serverOAuth2AuthorizedClientRepository, OAuth2AuthorizedClientResolver oAuth2AuthorizedClientResolver) {
        this.clock = Clock.systemUTC();
        this.accessTokenExpiresSkew = Duration.ofMinutes(1L);
        this.authorizedClientRepository = serverOAuth2AuthorizedClientRepository;
        this.authorizedClientResolver = oAuth2AuthorizedClientResolver;
    }

    public static Consumer<Map<String, Object>> oauth2AuthorizedClient(OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return map -> {
            map.put(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME, oAuth2AuthorizedClient);
        };
    }

    private static OAuth2AuthorizedClient oauth2AuthorizedClient(ClientRequest clientRequest) {
        return (OAuth2AuthorizedClient) clientRequest.attributes().get(OAUTH2_AUTHORIZED_CLIENT_ATTR_NAME);
    }

    public static Consumer<Map<String, Object>> serverWebExchange(ServerWebExchange serverWebExchange) {
        return map -> {
            map.put(SERVER_WEB_EXCHANGE_ATTR_NAME, serverWebExchange);
        };
    }

    private static ServerWebExchange serverWebExchange(ClientRequest clientRequest) {
        return (ServerWebExchange) clientRequest.attributes().get(SERVER_WEB_EXCHANGE_ATTR_NAME);
    }

    public static Consumer<Map<String, Object>> clientRegistrationId(String str) {
        return map -> {
            map.put(CLIENT_REGISTRATION_ID_ATTR_NAME, str);
        };
    }

    private static String clientRegistrationId(ClientRequest clientRequest) {
        OAuth2AuthorizedClient oauth2AuthorizedClient = oauth2AuthorizedClient(clientRequest);
        return oauth2AuthorizedClient != null ? oauth2AuthorizedClient.getClientRegistration().getRegistrationId() : (String) clientRequest.attributes().get(CLIENT_REGISTRATION_ID_ATTR_NAME);
    }

    public void setDefaultOAuth2AuthorizedClient(boolean z) {
        this.authorizedClientResolver.setDefaultOAuth2AuthorizedClient(z);
    }

    public void setDefaultClientRegistrationId(String str) {
        this.authorizedClientResolver.setDefaultClientRegistrationId(str);
    }

    public void setClientCredentialsTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> reactiveOAuth2AccessTokenResponseClient) {
        this.authorizedClientResolver.setClientCredentialsTokenResponseClient(reactiveOAuth2AccessTokenResponseClient);
    }

    public void setAccessTokenExpiresSkew(Duration duration) {
        Assert.notNull(duration, "accessTokenExpiresSkew cannot be null");
        this.accessTokenExpiresSkew = duration;
    }

    public Mono<ClientResponse> filter(ClientRequest clientRequest, ExchangeFunction exchangeFunction) {
        Mono map = authorizedClient(clientRequest, exchangeFunction).map(oAuth2AuthorizedClient -> {
            return bearer(clientRequest, oAuth2AuthorizedClient);
        });
        exchangeFunction.getClass();
        return map.flatMap(exchangeFunction::exchange).switchIfEmpty(Mono.defer(() -> {
            return exchangeFunction.exchange(clientRequest);
        }));
    }

    private Mono<OAuth2AuthorizedClient> authorizedClient(ClientRequest clientRequest, ExchangeFunction exchangeFunction) {
        return Mono.justOrEmpty(oauth2AuthorizedClient(clientRequest)).switchIfEmpty(Mono.defer(() -> {
            return loadAuthorizedClient(clientRequest);
        })).flatMap(oAuth2AuthorizedClient -> {
            return refreshIfNecessary(clientRequest, exchangeFunction, oAuth2AuthorizedClient);
        });
    }

    private Mono<OAuth2AuthorizedClient> loadAuthorizedClient(ClientRequest clientRequest) {
        return createRequest(clientRequest).flatMap(request -> {
            return this.authorizedClientResolver.loadAuthorizedClient(request);
        });
    }

    private Mono<OAuth2AuthorizedClientResolver.Request> createRequest(ClientRequest clientRequest) {
        return this.authorizedClientResolver.createDefaultedRequest(clientRegistrationId(clientRequest), null, serverWebExchange(clientRequest));
    }

    private Mono<OAuth2AuthorizedClient> refreshIfNecessary(ClientRequest clientRequest, ExchangeFunction exchangeFunction, OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        ClientRegistration clientRegistration = oAuth2AuthorizedClient.getClientRegistration();
        return (isClientCredentialsGrantType(clientRegistration) && hasTokenExpired(oAuth2AuthorizedClient)) ? createRequest(clientRequest).flatMap(request -> {
            return authorizeWithClientCredentials(clientRegistration, request);
        }) : shouldRefresh(oAuth2AuthorizedClient) ? createRequest(clientRequest).flatMap(request2 -> {
            return refreshAuthorizedClient(exchangeFunction, oAuth2AuthorizedClient, request2);
        }) : Mono.just(oAuth2AuthorizedClient);
    }

    private boolean isClientCredentialsGrantType(ClientRegistration clientRegistration) {
        return AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType());
    }

    private Mono<OAuth2AuthorizedClient> authorizeWithClientCredentials(ClientRegistration clientRegistration, OAuth2AuthorizedClientResolver.Request request) {
        Authentication authentication = request.getAuthentication();
        ServerWebExchange exchange = request.getExchange();
        return this.authorizedClientResolver.clientCredentials(clientRegistration, authentication, exchange).flatMap(oAuth2AuthorizedClient -> {
            return this.authorizedClientRepository.saveAuthorizedClient(oAuth2AuthorizedClient, authentication, exchange).thenReturn(oAuth2AuthorizedClient);
        });
    }

    private Mono<OAuth2AuthorizedClient> refreshAuthorizedClient(ExchangeFunction exchangeFunction, OAuth2AuthorizedClient oAuth2AuthorizedClient, OAuth2AuthorizedClientResolver.Request request) {
        ServerWebExchange exchange = request.getExchange();
        Authentication authentication = request.getAuthentication();
        ClientRegistration clientRegistration = oAuth2AuthorizedClient.getClientRegistration();
        return exchangeFunction.exchange(ClientRequest.create(HttpMethod.POST, URI.create(clientRegistration.getProviderDetails().getTokenUri())).header("Accept", new String[]{"application/json"}).headers(httpHeaders -> {
            httpHeaders.setBasicAuth(clientRegistration.getClientId(), clientRegistration.getClientSecret());
        }).body(refreshTokenBody(oAuth2AuthorizedClient.getRefreshToken().getTokenValue())).build()).flatMap(clientResponse -> {
            return (Mono) clientResponse.body(OAuth2BodyExtractors.oauth2AccessTokenResponse());
        }).map(oAuth2AccessTokenResponse -> {
            return new OAuth2AuthorizedClient(oAuth2AuthorizedClient.getClientRegistration(), oAuth2AuthorizedClient.getPrincipalName(), oAuth2AccessTokenResponse.getAccessToken(), (OAuth2RefreshToken) Optional.ofNullable(oAuth2AccessTokenResponse.getRefreshToken()).orElse(oAuth2AuthorizedClient.getRefreshToken()));
        }).flatMap(oAuth2AuthorizedClient2 -> {
            return this.authorizedClientRepository.saveAuthorizedClient(oAuth2AuthorizedClient2, authentication, exchange).thenReturn(oAuth2AuthorizedClient2);
        });
    }

    private boolean shouldRefresh(OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        if (this.authorizedClientRepository == null || oAuth2AuthorizedClient.getRefreshToken() == null) {
            return false;
        }
        return hasTokenExpired(oAuth2AuthorizedClient);
    }

    private boolean hasTokenExpired(OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return this.clock.instant().isAfter(oAuth2AuthorizedClient.getAccessToken().getExpiresAt().minus((TemporalAmount) this.accessTokenExpiresSkew));
    }

    private ClientRequest bearer(ClientRequest clientRequest, OAuth2AuthorizedClient oAuth2AuthorizedClient) {
        return ClientRequest.from(clientRequest).headers(httpHeaders -> {
            httpHeaders.setBearerAuth(oAuth2AuthorizedClient.getAccessToken().getTokenValue());
        }).build();
    }

    private static BodyInserters.FormInserter<String> refreshTokenBody(String str) {
        return BodyInserters.fromFormData("grant_type", AuthorizationGrantType.REFRESH_TOKEN.getValue()).with("refresh_token", str);
    }
}
