package org.springframework.security.oauth2.client;

import java.time.Clock;
import java.time.Duration;
import java.time.temporal.TemporalAmount;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.util.Assert;
import reactor.core.publisher.Mono;

/* loaded from: input_file:org/springframework/security/oauth2/client/ClientCredentialsReactiveOAuth2AuthorizedClientProvider.class */
public final class ClientCredentialsReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider {
    private ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient = new WebClientReactiveClientCredentialsTokenResponseClient();
    private Duration clockSkew = Duration.ofSeconds(60);
    private Clock clock = Clock.systemUTC();

    @Override // org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider
    public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext oAuth2AuthorizationContext) {
        Assert.notNull(oAuth2AuthorizationContext, "context cannot be null");
        ClientRegistration clientRegistration = oAuth2AuthorizationContext.getClientRegistration();
        if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType())) {
            return Mono.empty();
        }
        OAuth2AuthorizedClient authorizedClient = oAuth2AuthorizationContext.getAuthorizedClient();
        if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) {
            return Mono.empty();
        }
        Mono just = Mono.just(new OAuth2ClientCredentialsGrantRequest(clientRegistration));
        ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> reactiveOAuth2AccessTokenResponseClient = this.accessTokenResponseClient;
        reactiveOAuth2AccessTokenResponseClient.getClass();
        return just.flatMap((v1) -> {
            return r1.getTokenResponse(v1);
        }).onErrorMap(OAuth2AuthorizationException.class, oAuth2AuthorizationException -> {
            return new ClientAuthorizationException(oAuth2AuthorizationException.getError(), clientRegistration.getRegistrationId(), oAuth2AuthorizationException);
        }).map(oAuth2AccessTokenResponse -> {
            return new OAuth2AuthorizedClient(clientRegistration, oAuth2AuthorizationContext.getPrincipal().getName(), oAuth2AccessTokenResponse.getAccessToken());
        });
    }

    private boolean hasTokenExpired(AbstractOAuth2Token abstractOAuth2Token) {
        return this.clock.instant().isAfter(abstractOAuth2Token.getExpiresAt().minus((TemporalAmount) this.clockSkew));
    }

    public void setAccessTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> reactiveOAuth2AccessTokenResponseClient) {
        Assert.notNull(reactiveOAuth2AccessTokenResponseClient, "accessTokenResponseClient cannot be null");
        this.accessTokenResponseClient = reactiveOAuth2AccessTokenResponseClient;
    }

    public void setClockSkew(Duration duration) {
        Assert.notNull(duration, "clockSkew cannot be null");
        Assert.isTrue(duration.getSeconds() >= 0, "clockSkew must be >= 0");
        this.clockSkew = duration;
    }

    public void setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
    }
}
