package org.springframework.security.oauth2.jwt;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import java.text.ParseException;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import org.springframework.util.Assert;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-jose-5.7.8.jar:org/springframework/security/oauth2/jwt/ReactiveRemoteJWKSource.class */
class ReactiveRemoteJWKSource implements ReactiveJWKSource {
    private final AtomicReference<Mono<JWKSet>> cachedJWKSet = new AtomicReference<>(Mono.empty());
    private WebClient webClient = WebClient.create();
    private final String jwkSetURL;

    /* JADX INFO: Access modifiers changed from: package-private */
    public ReactiveRemoteJWKSource(String str) {
        Assert.hasText(str, "jwkSetURL cannot be empty");
        this.jwkSetURL = str;
    }

    @Override // org.springframework.security.oauth2.jwt.ReactiveJWKSource
    public Mono<List<JWK>> get(JWKSelector jWKSelector) {
        return this.cachedJWKSet.get().switchIfEmpty(Mono.defer(() -> {
            return getJWKSet();
        })).flatMap(jWKSet -> {
            return get(jWKSelector, jWKSet);
        }).switchIfEmpty(Mono.defer(() -> {
            return getJWKSet().map(jWKSet2 -> {
                return jWKSelector.select(jWKSet2);
            });
        }));
    }

    private Mono<List<JWK>> get(JWKSelector jWKSelector, JWKSet jWKSet) {
        return Mono.defer(() -> {
            List<JWK> select = jWKSelector.select(jWKSet);
            if (!select.isEmpty()) {
                return Mono.just(select);
            }
            String firstSpecifiedKeyID = getFirstSpecifiedKeyID(jWKSelector.getMatcher());
            if (firstSpecifiedKeyID != null && jWKSet.getKeyByKeyId(firstSpecifiedKeyID) == null) {
                return Mono.empty();
            }
            return Mono.just(Collections.emptyList());
        });
    }

    private Mono<JWKSet> getJWKSet() {
        return this.webClient.get().uri(this.jwkSetURL, new Object[0]).retrieve().bodyToMono(String.class).map(this::parse).doOnNext(jWKSet -> {
            this.cachedJWKSet.set(Mono.just(jWKSet));
        }).cache();
    }

    private JWKSet parse(String str) {
        try {
            return JWKSet.parse(str);
        } catch (ParseException e) {
            throw new RuntimeException(e);
        }
    }

    protected static String getFirstSpecifiedKeyID(JWKMatcher jWKMatcher) {
        Set<String> keyIDs = jWKMatcher.getKeyIDs();
        if (keyIDs == null || keyIDs.isEmpty()) {
            return null;
        }
        for (String str : keyIDs) {
            if (str != null) {
                return str;
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void setWebClient(WebClient webClient) {
        this.webClient = webClient;
    }
}
