package org.springframework.security.oauth2.jwt;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Predicate;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:org/springframework/security/oauth2/jwt/JwtValidators.class */
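/**
 * Static factories for the {@link OAuth2TokenValidator}s applied to a decoded {@link Jwt}.
 *
 * <p>Security note: the {@code createDefault*} factories only add the checks visible in
 * this class (timestamps, X.509 thumbprint and, optionally, issuer). None of them adds an
 * audience check, so a resource server that shares an issuer with other APIs should
 * supply a {@link JwtAudienceValidator} itself.
 */
public final class JwtValidators {

    /**
     * Builder for a validator of {@code at+jwt} access tokens (the error URIs used below
     * point at RFC 9068).
     *
     * <p>The constructor registers validators for {@code typ}, {@code exp}, {@code sub},
     * {@code iat} and {@code jti}; {@link #issuer}, {@link #audience} and {@link #clientId}
     * must be called (or equivalent entries registered through {@link #validators})
     * before {@link #build()} succeeds.
     *
     * <p>Security note: {@code sub} and {@code jti} are only checked for presence here.
     * Nothing in this class tracks previously seen {@code jti} values, so replay
     * detection, if required, has to be added by the caller.
     */
    public static final class AtJwtBuilder {
        private static final String CLIENT_ID = "client_id";

        /** Keys that must map to a validator before {@link #build()} will succeed. */
        private static final List<String> REQUIRED_KEYS = List.of(JoseHeaderNames.TYP, JwtClaimNames.EXP,
                JwtClaimNames.SUB, JwtClaimNames.IAT, JwtClaimNames.JTI, JwtClaimNames.ISS, JwtClaimNames.AUD,
                CLIENT_ID);

        // Insertion-ordered, keyed by header/claim name so a later registration for the
        // same name replaces the earlier one.
        final Map<String, OAuth2TokenValidator<Jwt>> validators = new LinkedHashMap<>();

        private AtJwtBuilder() {
            // One timestamp validator instance is shared by the exp and iat entries.
            JwtTimestampValidator timestamps = new JwtTimestampValidator();
            this.validators.put(JoseHeaderNames.TYP, new JwtTypeValidator(List.of("at+jwt", "application/at+jwt")));
            this.validators.put(JwtClaimNames.EXP, JwtValidators.require(JwtClaimNames.EXP).and(timestamps));
            this.validators.put(JwtClaimNames.SUB, JwtValidators.require(JwtClaimNames.SUB));
            this.validators.put(JwtClaimNames.IAT, JwtValidators.require(JwtClaimNames.IAT).and(timestamps));
            this.validators.put(JwtClaimNames.JTI, JwtValidators.require(JwtClaimNames.JTI));
        }

        /**
         * Registers a {@link JwtIssuerValidator} for the {@code iss} claim.
         *
         * @param str the expected issuer
         * @return this builder
         */
        public AtJwtBuilder issuer(String str) {
            return validators(registry -> registry.put(JwtClaimNames.ISS, new JwtIssuerValidator(str)));
        }

        /**
         * Registers a {@link JwtAudienceValidator} for the {@code aud} claim.
         *
         * @param str the expected audience
         * @return this builder
         */
        public AtJwtBuilder audience(String str) {
            return validators(registry -> registry.put(JwtClaimNames.AUD, new JwtAudienceValidator(str)));
        }

        /**
         * Requires the {@code client_id} claim to be present and equal to {@code str}.
         *
         * @param str the expected client id; must contain text
         * @return this builder
         * @throws IllegalArgumentException if {@code str} is {@code null} or blank
         */
        public AtJwtBuilder clientId(String str) {
            // Fail at configuration time: a null value would otherwise only surface as a
            // NullPointerException while validating a token, and a blank value (for
            // example from a missing property) would silently turn the check into
            // "client_id must be empty".
            Assert.hasText(str, "clientId cannot be empty");
            return validators(registry -> registry.put(CLIENT_ID, JwtValidators.require(CLIENT_ID).isEqualTo(str)));
        }

        /**
         * Gives the caller direct access to the mutable validator registry.
         *
         * <p>Security note: the consumer can replace or remove any entry, including the
         * defaults registered by the constructor. {@link #build()} only verifies that each
         * required key still maps to some validator, not what that validator checks, so
         * replacements should be reviewed as carefully as the defaults.
         *
         * @param consumer callback that receives the registry
         * @return this builder
         */
        public AtJwtBuilder validators(Consumer<Map<String, OAuth2TokenValidator<Jwt>>> consumer) {
            consumer.accept(this.validators);
            return this;
        }

        /**
         * Builds the composite validator from every registered entry, in registration order.
         *
         * @return a validator delegating to all registered validators
         * @throws IllegalArgumentException if a required key has no validator
         */
        public OAuth2TokenValidator<Jwt> build() {
            for (String key : REQUIRED_KEYS) {
                // get(...) != null rather than containsKey(...): a key explicitly mapped
                // to null must not count as "validated".
                Assert.isTrue(this.validators.get(key) != null, key + " must be validated");
            }
            return new DelegatingOAuth2TokenValidator<>(this.validators.values());
        }
    }

    /**
     * Validator that fails with {@code invalid_token} when a claim is absent, and that can
     * be chained with further checks on the same token.
     *
     * <p>NOTE(review): the decompiler reported that this class's access modifier was
     * changed from private; the visibility is left as found.
     */
    public static final class RequireClaimValidator implements OAuth2TokenValidator<Jwt> {
        private static final String ERROR_CODE = "invalid_token";

        private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc9068#name-data-structure";

        private final String claimName;

        RequireClaimValidator(String str) {
            this.claimName = str;
        }

        /**
         * Succeeds when the claim is non-null. Only absence is rejected: an empty string or
         * empty collection still counts as "having a value" here.
         *
         * @param jwt the token to inspect
         * @return success, or a failure carrying an {@code invalid_token} error
         */
        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            if (jwt.getClaim(this.claimName) == null) {
                return OAuth2TokenValidatorResult
                        .failure(new OAuth2Error(ERROR_CODE, this.claimName + " must have a value", ERROR_URI));
            }
            return OAuth2TokenValidatorResult.success();
        }

        /**
         * Requires the claim to be present and equal to {@code str}.
         *
         * @param str the expected value; compared with {@code str.equals(claim)}, so a
         * non-String claim value never matches
         * @return the chained validator
         */
        OAuth2TokenValidator<Jwt> isEqualTo(String str) {
            // satisfies(...) already runs the presence check first.
            return satisfies(jwt -> str.equals(jwt.getClaim(this.claimName)));
        }

        /**
         * Requires the claim to be present and the predicate to accept the token.
         *
         * @param predicate the additional condition
         * @return the chained validator
         */
        OAuth2TokenValidator<Jwt> satisfies(Predicate<Jwt> predicate) {
            return and(jwt -> {
                if (predicate.test(jwt)) {
                    return OAuth2TokenValidatorResult.success();
                }
                return OAuth2TokenValidatorResult
                        .failure(new OAuth2Error(ERROR_CODE, this.claimName + " is not valid", ERROR_URI));
            });
        }

        /**
         * Runs this presence check first and the given validator only if it passed.
         *
         * @param oAuth2TokenValidator the validator to run after the presence check
         * @return the chained validator
         */
        OAuth2TokenValidator<Jwt> and(OAuth2TokenValidator<Jwt> oAuth2TokenValidator) {
            return jwt -> {
                OAuth2TokenValidatorResult presence = validate(jwt);
                return presence.hasErrors() ? presence : oAuth2TokenValidator.validate(jwt);
            };
        }
    }

    private JwtValidators() {
    }

    /**
     * Creates the default validators plus a {@link JwtIssuerValidator} for {@code str}.
     *
     * <p>Security note: no audience validator is added here.
     *
     * @param str the expected issuer
     * @return the composite validator
     */
    public static OAuth2TokenValidator<Jwt> createDefaultWithIssuer(String str) {
        return createDefaultWithValidators(List.of(new JwtIssuerValidator(str)));
    }

    /**
     * Creates a validator made of a {@link JwtTimestampValidator} and an X.509 certificate
     * thumbprint validator using the default certificate supplier.
     *
     * <p>Security note: neither issuer nor audience is checked by this validator. Prefer
     * {@link #createDefaultWithIssuer(String)} and add an audience check unless the
     * decoder's key material already restricts which tokens can be accepted.
     *
     * @return the composite validator
     */
    public static OAuth2TokenValidator<Jwt> createDefault() {
        List<OAuth2TokenValidator<Jwt>> defaults = Arrays.asList(new JwtTimestampValidator(),
                new X509CertificateThumbprintValidator(
                        X509CertificateThumbprintValidator.DEFAULT_X509_CERTIFICATE_SUPPLIER));
        return new DelegatingOAuth2TokenValidator<>(defaults);
    }

    /**
     * Combines the supplied validators with the defaults. A thumbprint validator and a
     * timestamp validator are each added at the front only when the caller supplied none
     * of that type, so a caller-provided instance is kept in place of the default.
     *
     * @param list the caller's validators; must not be null or empty
     * @return the composite validator
     * @throws IllegalArgumentException if {@code list} is null or empty
     */
    public static OAuth2TokenValidator<Jwt> createDefaultWithValidators(List<OAuth2TokenValidator<Jwt>> list) {
        Assert.notEmpty(list, "validators cannot be null or empty");
        // Work on a copy so the caller's list is never modified.
        List<OAuth2TokenValidator<Jwt>> combined = new ArrayList<>(list);
        if (CollectionUtils.findValueOfType(combined, X509CertificateThumbprintValidator.class) == null) {
            combined.add(0, new X509CertificateThumbprintValidator(
                    X509CertificateThumbprintValidator.DEFAULT_X509_CERTIFICATE_SUPPLIER));
        }
        // Inserted second, so the timestamp validator ends up ahead of the thumbprint one.
        if (CollectionUtils.findValueOfType(combined, JwtTimestampValidator.class) == null) {
            combined.add(0, new JwtTimestampValidator());
        }
        return new DelegatingOAuth2TokenValidator<>(combined);
    }

    /**
     * Varargs form of {@link #createDefaultWithValidators(List)}.
     *
     * @param oAuth2TokenValidatorArr the caller's validators; must not be null or empty
     * @return the composite validator
     * @throws IllegalArgumentException if the array is null or empty
     */
    public static OAuth2TokenValidator<Jwt> createDefaultWithValidators(OAuth2TokenValidator<Jwt>... oAuth2TokenValidatorArr) {
        Assert.notEmpty(oAuth2TokenValidatorArr, "validators cannot be null or empty");
        return createDefaultWithValidators(new ArrayList<>(Arrays.asList(oAuth2TokenValidatorArr)));
    }

    /**
     * Starts a builder for an {@code at+jwt} access-token validator.
     *
     * @return a new builder pre-populated with the default entries
     */
    public static AtJwtBuilder createAtJwtValidator() {
        return new AtJwtBuilder();
    }

    private static RequireClaimValidator require(String str) {
        return new RequireClaimValidator(str);
    }
}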
