package org.springframework.boot.actuate.autoconfigure.cloudfoundry.reactive;

import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.TimeUnit;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.CloudFoundryAuthorizationException;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.Token;
import org.springframework.util.Base64Utils;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-boot-actuator-autoconfigure-2.7.11.jar:org/springframework/boot/actuate/autoconfigure/cloudfoundry/reactive/ReactiveTokenValidator.class */
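/**
 * Validates a Cloud Foundry UAA-issued {@link Token} before the reactive actuator
 * endpoints accept it.
 * <p>
 * The checks run in the order given by {@link #validate(Token)}: signing algorithm,
 * key id + RSA signature, expiry, issuer, audience. Every failure surfaces as a
 * {@link CloudFoundryAuthorizationException} carrying the matching
 * {@link CloudFoundryAuthorizationException.Reason}. Note that the non-reactive
 * checks (algorithm, expiry, audience, and the cache lookup inside the key-id check)
 * are evaluated when {@code validate} is called, not when the returned {@link Mono}
 * is subscribed.
 * <p>
 * Thread-safety: the token-key cache is swapped wholesale on every refresh and never
 * mutated in place, so concurrent readers only ever see a complete map.
 */
class ReactiveTokenValidator {

    /** The only JWT {@code alg} accepted; anything else (including "none") is rejected up front. */
    private static final String SUPPORTED_SIGNING_ALGORITHM = "RS256";

    /** JCA name of the signature scheme that corresponds to RS256. */
    private static final String JCA_SIGNATURE_ALGORITHM = "SHA256withRSA";

    /** Scope a token must carry to be allowed to read actuator data. */
    private static final String REQUIRED_SCOPE = "actuator.read";

    private static final String PEM_BEGIN = "-----BEGIN PUBLIC KEY-----\n";

    private static final String PEM_END = "-----END PUBLIC KEY-----";

    private final ReactiveCloudFoundrySecurityService securityService;

    // Keyed by JWT "kid"; value is the PEM-encoded public key. Replaced (not updated)
    // in cacheTokenKeys, hence volatile so the new reference is visible to all threads.
    private volatile ConcurrentMap<String, String> cachedTokenKeys = new ConcurrentHashMap<>();

    /**
     * Create a validator.
     *
     * @param reactiveCloudFoundrySecurityService used to fetch the UAA token keys and the UAA URL
     */
    public ReactiveTokenValidator(ReactiveCloudFoundrySecurityService reactiveCloudFoundrySecurityService) {
        this.securityService = reactiveCloudFoundrySecurityService;
    }

    /**
     * Run all token checks.
     *
     * @param token the token to validate
     * @return a {@link Mono} that completes empty when the token is valid and errors with a
     * {@link CloudFoundryAuthorizationException} on the first failed check
     */
    public Mono<Void> validate(Token token) {
        return validateAlgorithm(token)
                .then(validateKeyIdAndSignature(token))
                .then(validateExpiry(token))
                .then(validateIssuer(token))
                .then(validateAudience(token));
    }

    /**
     * Reject any token whose header does not name exactly {@value #SUPPORTED_SIGNING_ALGORITHM}.
     * Pinning the algorithm before looking at the signature prevents the verifier from being
     * steered onto a different scheme by an attacker-controlled {@code alg} header.
     */
    private Mono<Void> validateAlgorithm(Token token) {
        String signatureAlgorithm = token.getSignatureAlgorithm();
        if (signatureAlgorithm == null) {
            return Mono.error(new CloudFoundryAuthorizationException(
                    CloudFoundryAuthorizationException.Reason.INVALID_SIGNATURE,
                    "Signing algorithm cannot be null"));
        }
        if (!SUPPORTED_SIGNING_ALGORITHM.equals(signatureAlgorithm)) {
            return Mono.error(new CloudFoundryAuthorizationException(
                    CloudFoundryAuthorizationException.Reason.UNSUPPORTED_TOKEN_SIGNING_ALGORITHM,
                    "Signing algorithm " + signatureAlgorithm + " not supported"));
        }
        return Mono.empty();
    }

    /**
     * Resolve the key named by the token's {@code kid} and verify the RSA signature with it.
     * An unknown key id and a non-matching signature are both reported as errors; the filter
     * drops the key when verification fails, which {@code switchIfEmpty} turns into
     * {@code INVALID_SIGNATURE}.
     */
    private Mono<Void> validateKeyIdAndSignature(Token token) {
        return getTokenKey(token)
                .filter((tokenKey) -> hasValidSignature(token, tokenKey))
                .switchIfEmpty(Mono.error(new CloudFoundryAuthorizationException(
                        CloudFoundryAuthorizationException.Reason.INVALID_SIGNATURE,
                        "RSA Signature did not match content")))
                .then();
    }

    /**
     * Look up the PEM public key for the token's key id, serving from the cache when possible.
     * On a cache miss the full key set is re-fetched from UAA and cached, so a token that
     * presents an unknown {@code kid} triggers a fetch each time it is seen.
     *
     * @return the PEM-encoded key, or an {@code INVALID_KEY_ID} error when UAA does not know it
     */
    private Mono<String> getTokenKey(Token token) {
        String keyId = token.getKeyId();
        String cached = this.cachedTokenKeys.get(keyId);
        if (cached != null) {
            return Mono.just(cached);
        }
        return this.securityService.fetchTokenKeys()
                .doOnSuccess(this::cacheTokenKeys)
                .filter((tokenKeys) -> tokenKeys.containsKey(keyId))
                .map((tokenKeys) -> tokenKeys.get(keyId))
                .switchIfEmpty(Mono.error(new CloudFoundryAuthorizationException(
                        CloudFoundryAuthorizationException.Reason.INVALID_KEY_ID,
                        "Key Id present in token header does not match")));
    }

    /** Replace the cache with a fresh copy of the fetched key set (never mutated in place). */
    private void cacheTokenKeys(Map<String, String> tokenKeys) {
        this.cachedTokenKeys = new ConcurrentHashMap<>(tokenKeys);
    }

    /**
     * Verify the token's signature over its content with the given PEM public key.
     * Any JCA failure (bad key encoding, bad key, bad signature bytes) is deliberately
     * collapsed to {@code false}; the caller maps that to a single {@code INVALID_SIGNATURE}
     * error so the response does not distinguish between the individual causes.
     */
    private boolean hasValidSignature(Token token, String pemKey) {
        try {
            PublicKey publicKey = getPublicKey(pemKey);
            Signature signature = Signature.getInstance(JCA_SIGNATURE_ALGORITHM);
            signature.initVerify(publicKey);
            signature.update(token.getContent());
            return signature.verify(token.getSignature());
        }
        catch (GeneralSecurityException ex) {
            return false;
        }
    }

    /**
     * Parse a PEM ("-----BEGIN PUBLIC KEY-----") encoded X.509 SubjectPublicKeyInfo into an RSA key.
     *
     * @throws NoSuchAlgorithmException if no RSA {@link KeyFactory} is available
     * @throws InvalidKeySpecException if the decoded bytes are not a valid RSA public key
     */
    private PublicKey getPublicKey(String pemKey) throws NoSuchAlgorithmException, InvalidKeySpecException {
        // Strip the PEM armour and line breaks so only the Base64 body remains.
        String base64Body = pemKey.replace(PEM_BEGIN, "")
                .replace(PEM_END, "")
                .trim()
                .replace("\n", "");
        byte[] encoded = Base64Utils.decodeFromString(base64Body);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(encoded));
    }

    /**
     * Reject a token whose {@code exp} (seconds since the epoch) lies in the past.
     * No clock-skew allowance is applied; the comparison uses the current wall clock at
     * the time this method is called.
     */
    private Mono<Void> validateExpiry(Token token) {
        long nowSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
        if (nowSeconds > token.getExpiry()) {
            return Mono.error(new CloudFoundryAuthorizationException(
                    CloudFoundryAuthorizationException.Reason.TOKEN_EXPIRED, "Token expired"));
        }
        return Mono.empty();
    }

    /**
     * Require the token's {@code iss} to be exactly {@code <UAA URL>/oauth/token}.
     * The UAA URL is resolved through the security service, so the comparison is reactive.
     */
    private Mono<Void> validateIssuer(Token token) {
        return this.securityService.getUaaUrl()
                .map((uaaUrl) -> String.format("%s/oauth/token", uaaUrl))
                .filter((expectedIssuer) -> expectedIssuer.equals(token.getIssuer()))
                .switchIfEmpty(Mono.error(new CloudFoundryAuthorizationException(
                        CloudFoundryAuthorizationException.Reason.INVALID_ISSUER,
                        "Token issuer does not match")))
                .then();
    }

    /** Require the {@value #REQUIRED_SCOPE} scope; this is the authorization check proper. */
    private Mono<Void> validateAudience(Token token) {
        if (!token.getScope().contains(REQUIRED_SCOPE)) {
            return Mono.error(new CloudFoundryAuthorizationException(
                    CloudFoundryAuthorizationException.Reason.INVALID_AUDIENCE,
                    "Token does not have audience actuator"));
        }
        return Mono.empty();
    }

}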
