package org.birchframework.security.oauth2;

import com.fasterxml.jackson.core.type.TypeReference;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
import java.util.logging.Logger;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.transport.http.HTTPConduit;
import org.birchframework.framework.jaxrs.Responses;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/* loaded from: input_file:org/birchframework/security/oauth2/IssuerAwareJWTDecoderAdapter.class */
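/**
 * {@link JwtDecoder} that bootstraps itself from the issuer's OpenID Connect discovery
 * document ({@value #OIDC_METADATA_PATH}).
 *
 * <p>At construction time the discovery document is fetched, its {@code issuer} entry is
 * required to equal the configured issuer URI, and a {@link NimbusJwtDecoder} is built
 * from the advertised {@code jwks_uri} with the default validators plus an issuer check.
 * Every call to {@link #decode(String)} is then delegated to that decoder.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The issuer comparison is exact (no normalisation of trailing slashes or case),
 *       so the configured issuer URI must match the discovery document byte for byte.</li>
 *   <li>The {@code trustAllCertificates} constructor flag disables TLS certificate and
 *       hostname verification for the discovery request only. Because the discovery
 *       document decides which JWK Set the decoder trusts, enabling it lets anyone who can
 *       intercept that request point this decoder at keys they control, and the issuer
 *       check does not help (the attacker simply echoes the expected issuer). Use it in
 *       isolated development environments only; a warning is logged when it is active.</li>
 *   <li>The JWK Set itself is fetched by {@link NimbusJwtDecoder} with its own default
 *       HTTP client; the trust-all flag is not applied to that fetch.</li>
 * </ul>
 */
public class IssuerAwareJWTDecoderAdapter implements JwtDecoder {
    public static final String OIDC_METADATA_PATH = "/.well-known/openid-configuration";
    protected static final TypeReference<HashMap<String, Object>> ISSUER_RESPONSE_TYPE = new TypeReference<HashMap<String, Object>>() {
    };
    private static final Logger LOG = Logger.getLogger(IssuerAwareJWTDecoderAdapter.class.getName());
    private final JwtDecoder delegate;

    /**
     * Trust manager that accepts any certificate chain without inspection.
     *
     * <p>SECURITY: this disables TLS server authentication entirely. It is only installed
     * when a caller opts in via the {@code trustAllCertificates} constructor flag and must
     * never be used against a production issuer.
     */
    protected static class DummyX509TrustManager implements X509TrustManager {
        protected DummyX509TrustManager() {
        }

        /**
         * Returns an empty array rather than {@code null}: the {@link X509TrustManager}
         * contract requires a non-null result and some TLS providers dereference it.
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        /** Intentionally a no-op: no client certificate validation is performed. */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
        }

        /** Intentionally a no-op: no server certificate validation is performed. */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }
    }

    /**
     * Creates a decoder for the given issuer with full TLS verification of the discovery request.
     *
     * @param issuerUri the issuer URI; must equal the {@code issuer} advertised in the discovery document
     * @throws IllegalStateException if the discovery document cannot be fetched, names a different
     *                               issuer, or does not advertise a {@code jwks_uri}
     */
    public IssuerAwareJWTDecoderAdapter(String issuerUri) {
        this(issuerUri, false);
    }

    /**
     * Creates a decoder for the given issuer.
     *
     * @param issuerUri            the issuer URI; must equal the {@code issuer} advertised in the
     *                             discovery document
     * @param trustAllCertificates when {@code true}, certificate and hostname verification are
     *                             disabled for the discovery request (see the class notes; development only)
     * @throws NullPointerException  if {@code issuerUri} is {@code null}
     * @throws IllegalStateException if the discovery document cannot be fetched, names a different
     *                               issuer, or does not advertise a {@code jwks_uri}
     */
    public IssuerAwareJWTDecoderAdapter(String issuerUri, boolean trustAllCertificates) {
        Objects.requireNonNull(issuerUri, "issuerUri");
        WebClient client = WebClient.create(issuerUri);
        if (trustAllCertificates) {
            // Make the insecure configuration visible in logs so it is not shipped by accident.
            LOG.warning(() -> String.format(
                "TLS certificate and hostname verification DISABLED for OIDC discovery against issuer %s; development use only",
                issuerUri));
            HTTPConduit conduit = WebClient.getConfig(client).getHttpConduit();
            TLSClientParameters tlsParameters = conduit.getTlsClientParameters();
            if (tlsParameters == null) {
                tlsParameters = new TLSClientParameters();
                conduit.setTlsClientParameters(tlsParameters);
            }
            tlsParameters.setTrustManagers(new TrustManager[]{new DummyX509TrustManager()});
            tlsParameters.setDisableCNCheck(true);
        }

        AtomicReference<JwtDecoder> decoderRef = new AtomicReference<>();
        Responses.of(client.path(OIDC_METADATA_PATH).get()).ifOKOrElse(ISSUER_RESPONSE_TYPE, metadata -> {
            // Refuse to proceed unless the document claims to be for exactly the issuer we were configured with.
            Object issuerValue = metadata.get("issuer");
            String advertisedIssuer = issuerValue == null ? "(none)" : issuerValue.toString();
            if (!StringUtils.equals(advertisedIssuer, issuerUri)) {
                throw new IllegalStateException(String.format("The issuer %s configuration did not match %s", advertisedIssuer, issuerUri));
            }
            // A missing jwks_uri previously surfaced as a NullPointerException; report it explicitly.
            Object jwksUri = metadata.get("jwks_uri");
            if (jwksUri == null || StringUtils.isBlank(jwksUri.toString())) {
                throw new IllegalStateException(String.format("The issuer %s configuration does not advertise a jwks_uri", issuerUri));
            }
            OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(issuerUri);
            NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwksUri.toString()).build();
            decoder.setJwtValidator(validator);
            decoderRef.set(decoder);
        }, errorCode -> {
            throw new IllegalStateException(String.format("Unable to obtain configuration from the issuer %s", issuerUri));
        });

        // Guard against a response handler that neither populated the decoder nor threw.
        JwtDecoder resolved = decoderRef.get();
        if (resolved == null) {
            throw new IllegalStateException(String.format("Unable to obtain configuration from the issuer %s", issuerUri));
        }
        this.delegate = resolved;
    }

    /**
     * Decodes and validates a token with the decoder built from the issuer's discovery document.
     *
     * @param token the compact JWT
     * @return the validated {@link Jwt}
     * @throws JwtException if the token is malformed, has an invalid signature, or fails validation
     */
    @Override
    public Jwt decode(String token) throws JwtException {
        return this.delegate.decode(token);
    }
}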
