package org.nentangso.core.security.oauth2;

import java.net.URI;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.HashMap;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.MediaType;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

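/**
 * Builds the {@code Authorization} header value for the principal held in the
 * reactive security context.
 *
 * <ul>
 *   <li>OAuth2 login principal: uses the access token stored for the authorized
 *       client, refreshing it first when it is within one minute of expiry.</li>
 *   <li>JWT principal: relays the inbound token value as a bearer token.</li>
 *   <li>Any other principal: yields an empty {@link Mono}.</li>
 * </ul>
 *
 * <p>The strings produced here carry live bearer credentials, so callers should
 * keep them out of logs and error messages. This class logs refresh events only
 * and never logs token values.
 *
 * <p>NOTE(review): concurrent callers that see the same expired token each send
 * their own refresh request. If the identity provider rotates refresh tokens,
 * confirm that parallel refreshes cannot invalidate each other.
 */
@Component
/* loaded from: input_file:org/nentangso/core/security/oauth2/AuthorizationHeaderUtil.class */
public class AuthorizationHeaderUtil {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationHeaderUtil.class);

    /** Tokens are treated as expired this long before their real expiry, to absorb clock skew and latency. */
    private static final Duration EXPIRY_SKEW = Duration.ofMinutes(1L);

    /** Separator used to split the space-delimited {@code scope} value; compiled once. */
    private static final Pattern WHITESPACE = Pattern.compile("\\s");

    private final ReactiveOAuth2AuthorizedClientService clientService;

    // NOTE(review): default client, no response timeout configured here; a stalled
    // token endpoint would stall every caller waiting on a refresh. Confirm that a
    // timeout is enforced elsewhere.
    private final WebClient webClient = WebClient.create();

    /**
     * @param reactiveOAuth2AuthorizedClientService store used to load and persist authorized clients
     */
    public AuthorizationHeaderUtil(ReactiveOAuth2AuthorizedClientService reactiveOAuth2AuthorizedClientService) {
        this.clientService = reactiveOAuth2AuthorizedClientService;
    }

    /**
     * Resolves the header value ({@code "<token type> <token value>"}) for the current principal.
     *
     * @return the header value; empty when the principal is neither an OAuth2 login nor a JWT
     *     principal, or when the authorized client has no access token; an
     *     {@link OAuth2AuthorizationException} ({@code access_denied}) when no authorized client
     *     is stored or an expired token could not be refreshed
     */
    public Mono<String> getAuthorizationHeader() {
        return ReactiveSecurityContextHolder.getContext()
            .map(securityContext -> securityContext.getAuthentication())
            .flatMap(authentication -> {
                if (authentication instanceof JwtAuthenticationToken) {
                    // Token relay: the inbound JWT is forwarded unchanged.
                    String jwt = ((JwtAuthenticationToken) authentication).getToken().getTokenValue();
                    return Mono.just(String.format("%s %s", OAuth2AccessToken.TokenType.BEARER.getValue(), jwt));
                }
                if (!(authentication instanceof OAuth2AuthenticationToken)) {
                    return Mono.empty();
                }
                OAuth2AuthenticationToken oauthPrincipal = (OAuth2AuthenticationToken) authentication;
                return this.clientService
                    .loadAuthorizedClient(oauthPrincipal.getAuthorizedClientRegistrationId(), oauthPrincipal.getName())
                    .switchIfEmpty(tokenExpired())
                    .flatMap(authorizedClient -> headerFor(authorizedClient, oauthPrincipal));
            });
    }

    /** Returns the header for a stored client, refreshing the access token first if it has expired. */
    private Mono<String> headerFor(OAuth2AuthorizedClient authorizedClient, OAuth2AuthenticationToken oauthPrincipal) {
        OAuth2AccessToken accessToken = authorizedClient.getAccessToken();
        if (accessToken == null) {
            return Mono.empty();
        }
        String tokenType = accessToken.getTokenType().getValue();
        if (!isExpired(accessToken)) {
            return Mono.just(String.format("%s %s", tokenType, accessToken.getTokenValue()));
        }
        log.info("AccessToken expired, refreshing automatically");
        return refreshToken(authorizedClient, oauthPrincipal)
            .switchIfEmpty(tokenExpired())
            .map(refreshedValue -> String.format("%s %s", tokenType, refreshedValue));
    }

    /**
     * Error signal used when no usable token is available. Deferred so the exception (and its
     * stack trace) is only created if the fallback is actually subscribed to.
     */
    private static <T> Mono<T> tokenExpired() {
        return Mono.defer(() -> Mono.error(
            new OAuth2AuthorizationException(new OAuth2Error("access_denied", "The token is expired", null))));
    }

    /**
     * Refreshes the access token and persists the updated authorized client.
     *
     * @return the new access token value, or empty when the refresh produced no access token
     */
    private Mono<String> refreshToken(OAuth2AuthorizedClient authorizedClient, OAuth2AuthenticationToken oauthPrincipal) {
        return refreshTokenClient(authorizedClient).flatMap(tokenResponse -> {
            if (tokenResponse.getAccessToken() == null) {
                log.info("Failed to refresh token for user");
                return Mono.empty();
            }
            // Keep the previous refresh token when the provider did not issue a new one.
            OAuth2AuthorizedClient updatedClient = new OAuth2AuthorizedClient(
                authorizedClient.getClientRegistration(),
                authorizedClient.getPrincipalName(),
                tokenResponse.getAccessToken(),
                tokenResponse.getRefreshToken() != null
                    ? tokenResponse.getRefreshToken()
                    : authorizedClient.getRefreshToken());
            return this.clientService.saveAuthorizedClient(updatedClient, oauthPrincipal)
                .then(Mono.just(tokenResponse.getAccessToken().getTokenValue()));
        });
    }

    /**
     * Posts a {@code refresh_token} grant to the registration's token endpoint, authenticating
     * with HTTP Basic (client id and secret).
     *
     * @return the token response, or empty when the authorized client holds no refresh token
     */
    private Mono<OAuth2AccessTokenResponse> refreshTokenClient(OAuth2AuthorizedClient authorizedClient) {
        if (authorizedClient.getRefreshToken() == null) {
            // Without a refresh token there is nothing to exchange; returning empty lets the
            // caller report access_denied instead of failing with a NullPointerException.
            log.info("AccessToken expired and no refresh token is available");
            return Mono.empty();
        }
        LinkedMultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add("grant_type", AuthorizationGrantType.REFRESH_TOKEN.getValue());
        form.add("refresh_token", authorizedClient.getRefreshToken().getTokenValue());
        form.add("client_id", authorizedClient.getClientRegistration().getClientId());
        // NOTE(review): retrieve() reports 4xx/5xx responses as WebClientResponseException, which
        // the mapping below does not cover. Confirm how a rejected refresh token is surfaced.
        return this.webClient.post()
            .uri(URI.create(authorizedClient.getClientRegistration().getProviderDetails().getTokenUri()))
            .contentType(MediaType.APPLICATION_FORM_URLENCODED)
            .headers(httpHeaders -> httpHeaders.setBasicAuth(
                authorizedClient.getClientRegistration().getClientId(),
                authorizedClient.getClientRegistration().getClientSecret()))
            .bodyValue(form)
            .retrieve()
            .bodyToMono(OAuthIdpTokenResponseDTO.class)
            .map(this::toOAuth2AccessTokenResponse)
            .onErrorMap(OAuth2AuthorizationException.class, authorizationFailure -> {
                log.error("Unable to refresh token", authorizationFailure);
                return new OAuth2AuthenticationException(authorizationFailure.getError(), authorizationFailure);
            });
    }

    /**
     * Converts the provider's token DTO into Spring's {@link OAuth2AccessTokenResponse}.
     * The token type is always set to bearer; provider-specific fields are carried as
     * additional parameters.
     */
    private OAuth2AccessTokenResponse toOAuth2AccessTokenResponse(OAuthIdpTokenResponseDTO oAuthIdpTokenResponseDTO) {
        HashMap<String, Object> additionalParameters = new HashMap<>();
        additionalParameters.put("id_token", oAuthIdpTokenResponseDTO.getIdToken());
        additionalParameters.put("not-before-policy", oAuthIdpTokenResponseDTO.getNotBefore());
        additionalParameters.put("refresh_expires_in", oAuthIdpTokenResponseDTO.getRefreshExpiresIn());
        additionalParameters.put("session_state", oAuthIdpTokenResponseDTO.getSessionState());

        // A response may omit "scope"; treat that as no scopes rather than failing, and
        // drop empty entries produced by repeated whitespace.
        CharSequence rawScope = oAuthIdpTokenResponseDTO.getScope();
        Set<String> scopes = WHITESPACE.splitAsStream(rawScope == null ? "" : rawScope)
            .filter(scope -> !scope.isEmpty())
            .collect(Collectors.toSet());

        // expires_in is assumed to be present; a null value would throw on longValue().
        return OAuth2AccessTokenResponse.withToken(oAuthIdpTokenResponseDTO.getAccessToken())
            .expiresIn(oAuthIdpTokenResponseDTO.getExpiresIn().longValue())
            .refreshToken(oAuthIdpTokenResponseDTO.getRefreshToken())
            .scopes(scopes)
            .tokenType(OAuth2AccessToken.TokenType.BEARER)
            .additionalParameters(additionalParameters)
            .build();
    }

    /**
     * Reports whether the token is past, or within {@link #EXPIRY_SKEW} of, its expiry.
     * A token with no recorded expiry is treated as expired (fail closed) so that it is
     * refreshed rather than relayed indefinitely.
     */
    private boolean isExpired(OAuth2AccessToken oAuth2AccessToken) {
        Instant expiresAt = oAuth2AccessToken.getExpiresAt();
        if (expiresAt == null) {
            return true;
        }
        return Instant.now().isAfter(expiresAt.minus(EXPIRY_SKEW));
    }
}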
