package com.vaadin.flow.spring.security.stateless;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.SecurityContextRepository;

/* loaded from: input_file:BOOT-INF/lib/vaadin-spring-24.4.4.jar:com/vaadin/flow/spring/security/stateless/JwtSecurityContextRepository.class */
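/**
 * Stateless {@link SecurityContextRepository} that persists the current
 * {@link Authentication} as a signed JWT in the cookies managed by a
 * {@link SerializedJwtSplitCookieRepository} instead of in the HTTP session.
 * <p>
 * On save, the principal name becomes the {@code sub} claim and every
 * authority whose string form starts with {@code ROLE_} is stored, prefix
 * stripped, in the {@code roles} claim; authorities without that prefix are
 * not carried over to the next request. An absent or anonymous authentication
 * produces no token and the cookie repository is handed {@code null}.
 * <p>
 * On load, the token is verified against the configured {@link JWKSource} and
 * validated by a Spring {@link JwtValidators} chain before being converted
 * back into an {@link Authentication}. A token that fails decoding or
 * validation (tampered, expired, wrong issuer) yields an empty context.
 * <p>
 * Configure {@code jwkSource}, {@code jwsAlgorithm}, {@code issuer} and
 * {@code expiresIn} before the first request is served: the
 * {@link JwtDecoder} is built lazily from those values and cached, so later
 * changes do not affect verification.
 */
class JwtSecurityContextRepository implements SecurityContextRepository {
    /** Name of the JWT claim that carries the role names. */
    private static final String ROLES_CLAIM = "roles";
    /** Prefix that marks a granted authority as a role; stripped when encoding, re-added when decoding. */
    private static final String ROLE_AUTHORITY_PREFIX = "ROLE_";

    private final SerializedJwtSplitCookieRepository serializedJwtSplitCookieRepository;
    private final JwtAuthenticationConverter jwtAuthenticationConverter;
    private final Log logger = LogFactory.getLog(getClass());

    /** Expected {@code iss} claim; when null, no issuer validation is performed. */
    private String issuer;
    /** Source of the signing/verification key(s); must contain a key matching {@link #jwsAlgorithm}. */
    private JWKSource<SecurityContext> jwkSource;
    private JWSAlgorithm jwsAlgorithm;
    /** Lazily built by {@link #getJwtDecoder()}; null until the first decode. */
    private JwtDecoder jwtDecoder;
    /** Token lifetime in seconds (30 minutes by default). */
    private long expiresIn = 1800;
    private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    /**
     * Creates a repository that stores tokens through the given cookie
     * repository and maps the {@code roles} claim back to {@code ROLE_}
     * prefixed authorities.
     *
     * @param serializedJwtSplitCookieRepository
     *            cookie store for the serialized JWT
     */
    public JwtSecurityContextRepository(SerializedJwtSplitCookieRepository serializedJwtSplitCookieRepository) {
        this.serializedJwtSplitCookieRepository = serializedJwtSplitCookieRepository;
        // Mirror of encodeJwt(): the claim written there is read here with the
        // same prefix, so roles round-trip unchanged across requests.
        JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();
        authoritiesConverter.setAuthorityPrefix(ROLE_AUTHORITY_PREFIX);
        authoritiesConverter.setAuthoritiesClaimName(ROLES_CLAIM);
        this.jwtAuthenticationConverter = new JwtAuthenticationConverter();
        this.jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(authoritiesConverter);
    }

    /**
     * Sets the key source used both to sign new tokens and to verify incoming ones.
     *
     * @param jwkSource
     *            the JWK source
     */
    public void setJwkSource(JWKSource<SecurityContext> jwkSource) {
        this.jwkSource = jwkSource;
    }

    /**
     * Sets the signature algorithm; incoming tokens are only accepted when
     * signed with this algorithm.
     *
     * @param jwsAlgorithm
     *            the JWS algorithm
     */
    public void setJwsAlgorithm(JWSAlgorithm jwsAlgorithm) {
        this.jwsAlgorithm = jwsAlgorithm;
    }

    /**
     * Sets the token lifetime and propagates it to the cookie repository so
     * the cookie and the {@code exp} claim expire together.
     *
     * @param expiresIn
     *            lifetime in seconds
     */
    public void setExpiresIn(long expiresIn) {
        this.expiresIn = expiresIn;
        this.serializedJwtSplitCookieRepository.setExpiresIn(expiresIn);
    }

    /**
     * Sets the value written to the {@code iss} claim and required on incoming tokens.
     *
     * @param issuer
     *            the issuer, or null to skip issuer validation
     */
    public void setIssuer(String issuer) {
        this.issuer = issuer;
    }

    /**
     * Sets the resolver that decides which authentications are anonymous and
     * therefore not persisted.
     *
     * @param trustResolver
     *            the trust resolver
     */
    public void setTrustResolver(AuthenticationTrustResolver trustResolver) {
        this.trustResolver = trustResolver;
    }

    /**
     * Returns the cached decoder, building it on first use from the
     * configured algorithm, key source and issuer.
     * <p>
     * Not synchronized: concurrent first calls may each build a decoder, but
     * the instances are equivalent and only one is kept, so the race is
     * benign.
     */
    private JwtDecoder getJwtDecoder() {
        if (this.jwtDecoder != null) {
            return this.jwtDecoder;
        }
        DefaultJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
        // Nimbus' own claims verifier is replaced by a no-op so that claim
        // validation happens in exactly one place: the Spring JwtValidator
        // installed on the decoder below (timestamps, plus issuer when set).
        jwtProcessor.setJWTClaimsSetVerifier((claims, context) -> {
        });
        // Pins the accepted algorithm: tokens declaring another alg are rejected.
        jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(this.jwsAlgorithm, this.jwkSource));
        NimbusJwtDecoder decoder = new NimbusJwtDecoder(jwtProcessor);
        decoder.setJwtValidator(this.issuer != null
                ? JwtValidators.createDefaultWithIssuer(this.issuer)
                : JwtValidators.createDefault());
        this.jwtDecoder = decoder;
        return this.jwtDecoder;
    }

    /**
     * Serializes the authentication into a signed, compact JWT.
     *
     * @param authentication
     *            the authentication to persist, may be null
     * @return the serialized JWT, or null when there is nothing to persist
     *         (null or anonymous authentication)
     * @throws JOSEException
     *             if no signing key matches the configured algorithm or
     *             signing fails
     */
    private String encodeJwt(Authentication authentication) throws JOSEException {
        if (authentication == null || this.trustResolver.isAnonymous(authentication)) {
            return null;
        }
        Date issuedAt = new Date();
        // Only ROLE_-prefixed authorities survive the round trip; the prefix
        // is stripped here and re-added by the converter set in the constructor.
        List<String> roles = authentication.getAuthorities().stream()
                .map(Objects::toString)
                .filter(authority -> authority.startsWith(ROLE_AUTHORITY_PREFIX))
                .map(authority -> authority.substring(ROLE_AUTHORITY_PREFIX.length()))
                .collect(Collectors.toList());

        JWSHeader header = new JWSHeader(this.jwsAlgorithm);
        List<JWK> matchingKeys = this.jwkSource.get(new JWKSelector(JWKMatcher.forJWSHeader(header)), null);
        if (matchingKeys == null || matchingKeys.isEmpty()) {
            // Misconfiguration: report it as a signing failure instead of an
            // IndexOutOfBoundsException from get(0).
            throw new JOSEException("No JWK in the configured JWKSource matches algorithm " + this.jwsAlgorithm);
        }
        JWSSigner signer = new DefaultJWSSignerFactory().createJWSSigner(matchingKeys.get(0), this.jwsAlgorithm);

        // expiresIn is in seconds; Date wants milliseconds.
        Date expiresAt = new Date(issuedAt.getTime() + (this.expiresIn * 1000));
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject(authentication.getName())
                .issuer(this.issuer)
                .issueTime(issuedAt)
                .expirationTime(expiresAt)
                .claim(ROLES_CLAIM, roles)
                .build();
        SignedJWT signedJwt = new SignedJWT(header, claims);
        signedJwt.sign(signer);
        return signedJwt.serialize();
    }

    /**
     * Loads the serialized JWT from the request cookies and decodes it.
     * <p>
     * A token that cannot be decoded or validated is an expected condition for
     * stale or tampered cookies and is treated as "no token"; it is logged at
     * trace level only, so enable trace logging on this class when diagnosing
     * unexpected logouts.
     *
     * @param request
     *            the current request
     * @return the verified token, or null when absent or invalid
     */
    private Jwt decodeJwt(HttpServletRequest request) {
        String serializedJwt = this.serializedJwtSplitCookieRepository.loadSerializedJwt(request);
        if (serializedJwt == null) {
            return null;
        }
        try {
            return getJwtDecoder().decode(serializedJwt);
        } catch (JwtException e) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace("Cannot decode JWT when loading SecurityContext", e);
            }
            return null;
        }
    }

    /**
     * Builds a security context from the request's JWT; the context is empty
     * when no valid token is present.
     */
    public org.springframework.security.core.context.SecurityContext loadContext(HttpRequestResponseHolder httpRequestResponseHolder) {
        org.springframework.security.core.context.SecurityContext context = SecurityContextHolder.createEmptyContext();
        Jwt jwt = decodeJwt(httpRequestResponseHolder.getRequest());
        if (jwt != null) {
            context.setAuthentication(this.jwtAuthenticationConverter.convert(jwt));
        }
        return context;
    }

    /**
     * Persists the context's authentication as a JWT cookie.
     * <p>
     * The cookie repository is invoked on every path, including signing
     * failures, so it always sees the current token (or null when there is
     * none); presumably a null token clears any existing cookie — see
     * {@link SerializedJwtSplitCookieRepository}.
     */
    public void saveContext(org.springframework.security.core.context.SecurityContext securityContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String serializedJwt = null;
        try {
            serializedJwt = encodeJwt(securityContext.getAuthentication());
        } catch (JOSEException e) {
            // Failing to sign must not break the response; the user simply
            // ends up without a persisted context.
            this.logger.warn("Cannot serialize SecurityContext as JWT", e);
        } finally {
            this.serializedJwtSplitCookieRepository.saveSerializedJwt(serializedJwt, httpServletRequest, httpServletResponse);
        }
    }

    /**
     * Reports whether the request carries a serialized JWT cookie. This does
     * not validate the token; {@link #loadContext} may still yield an empty
     * context.
     */
    public boolean containsContext(HttpServletRequest httpServletRequest) {
        return this.serializedJwtSplitCookieRepository.containsSerializedJwt(httpServletRequest);
    }
}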
