package no.difi.move.common.oauth;

import java.time.Clock;
import java.time.Duration;
import java.time.temporal.TemporalAmount;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.lang.Nullable;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AbstractOAuth2Token;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.util.Assert;

/* loaded from: input_file:no/difi/move/common/oauth/JwtBearerOAuth2AuthorizedClientProvider.class */
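/**
 * {@link OAuth2AuthorizedClientProvider} for client registrations that use the
 * JWT bearer authorization grant.
 *
 * <p>An already authorized client is reused until its access token is within
 * {@code clockSkew} of expiry; otherwise a new access token is requested through the
 * configured {@link OAuth2AccessTokenResponseClient}.
 *
 * <p>{@link #authorize(OAuth2AuthorizationContext)} runs under a private lock, so this
 * instance issues at most one token request at a time. The setters do not take that
 * lock; configure clock and skew before the provider is shared between threads.
 */
public class JwtBearerOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(JwtBearerOAuth2AuthorizedClientProvider.class);
    private final OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> tokenResponseClient;

    // Private monitor object: callers cannot contend on (or block) this lock from outside.
    @Generated
    private final Object $lock = new Object[0];
    // Safety margin subtracted from the token expiry; defaults to 30 seconds.
    private Duration clockSkew = Duration.ofSeconds(30);
    private Clock clock = Clock.systemUTC();

    /**
     * Returns an authorized client for a JWT bearer registration.
     *
     * @param oAuth2AuthorizationContext the authorization context, must not be {@code null}
     * @return the existing authorized client when its access token is still usable, a new
     *     authorized client carrying a freshly requested access token otherwise, or
     *     {@code null} when the registration does not use the JWT bearer grant type
     * @throws IllegalArgumentException if the context is {@code null}
     */
    @Override
    @Nullable
    public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext oAuth2AuthorizationContext) {
        synchronized (this.$lock) {
            Assert.notNull(oAuth2AuthorizationContext, "context cannot be null");
            log.debug("Attempts to authorize client assuming JWT bearer token grant type");
            ClientRegistration clientRegistration = oAuth2AuthorizationContext.getClientRegistration();
            if (!AuthorizationGrantType.JWT_BEARER.equals(clientRegistration.getAuthorizationGrantType())) {
                // Not our grant type: returning null leaves the request to other providers.
                log.debug("Invalid grant type: {}", clientRegistration.getAuthorizationGrantType());
                return null;
            }
            OAuth2AuthorizedClient authorizedClient = oAuth2AuthorizationContext.getAuthorizedClient();
            if (authorizedClient != null && !isExpired(authorizedClient.getAccessToken())) {
                return authorizedClient;
            }
            // The registration id is used as the principal name of the new authorized client.
            // The token value is only handed to the returned object and is never logged here.
            return new OAuth2AuthorizedClient(
                    clientRegistration,
                    clientRegistration.getRegistrationId(),
                    this.tokenResponseClient
                            .getTokenResponse(new JwtBearerGrantRequest(clientRegistration))
                            .getAccessToken());
        }
    }

    /**
     * Tells whether a token must be replaced.
     *
     * <p>A token without an expiry time is treated as expired, so a token of unknown
     * lifetime is never reused.
     */
    private boolean isExpired(AbstractOAuth2Token abstractOAuth2Token) {
        if (abstractOAuth2Token.getExpiresAt() == null) {
            return true;
        }
        // Expire clockSkew early so a token does not lapse between this check and its use.
        return this.clock.instant().isAfter(abstractOAuth2Token.getExpiresAt().minus(this.clockSkew));
    }

    /**
     * Sets the margin by which a token is considered expired ahead of its expiry time.
     *
     * @param duration the clock skew, must not be {@code null} or negative
     * @return this provider
     * @throws IllegalArgumentException if the duration is {@code null} or negative
     */
    @Generated
    public JwtBearerOAuth2AuthorizedClientProvider setClockSkew(Duration duration) {
        Assert.notNull(duration, "clockSkew cannot be null");
        // A negative skew would push the cut-off past the expiry time and keep expired tokens in use.
        Assert.isTrue(!duration.isNegative(), "clockSkew must be >= 0");
        this.clockSkew = duration;
        return this;
    }

    /**
     * Sets the clock used to evaluate token expiry.
     *
     * @param clock the clock, must not be {@code null}
     * @return this provider
     * @throws IllegalArgumentException if the clock is {@code null}
     */
    @Generated
    public JwtBearerOAuth2AuthorizedClientProvider setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
        return this;
    }

    /**
     * Creates a provider that requests tokens through the given client.
     *
     * @param oAuth2AccessTokenResponseClient the token endpoint client, must not be {@code null}
     * @throws IllegalArgumentException if the client is {@code null}
     */
    @Generated
    public JwtBearerOAuth2AuthorizedClientProvider(OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> oAuth2AccessTokenResponseClient) {
        // Fail at wiring time instead of with a NullPointerException on the first token request.
        Assert.notNull(oAuth2AccessTokenResponseClient, "tokenResponseClient cannot be null");
        this.tokenResponseClient = oAuth2AccessTokenResponseClient;
    }
}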
