package io.confluent.common.security.util;

import com.google.common.base.Strings;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.kafka.clients.plugins.auth.jwt.CloseableVerificationKeyResolver;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.security.ssl.HostSslSocketFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.jose4j.http.Get;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/util/JwtUtils.class */
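/**
 * Helpers for OAuth/JWT authentication: extracting group membership from a
 * {@link JwtPrincipal}, and building a JWKS-backed
 * {@link CloseableVerificationKeyResolver} that fetches signing keys from an
 * identity provider (IDP) over TLS.
 *
 * <p>All methods are static; the class holds no state other than its logger.
 * The group claim is read from token claims and feeds authorization decisions,
 * so its shape is validated strictly (a list of strings, nothing else).
 */
public class JwtUtils {
    private static final Logger log = LoggerFactory.getLogger(JwtUtils.class);

    /** {@code iss} value for which the groups claim name is fixed to {@link #CONFLUENT_GROUPS_CLAIM}. */
    private static final String CONFLUENT_ISSUER = "Confluent";
    /** Groups claim name used for tokens issued by {@link #CONFLUENT_ISSUER}. */
    private static final String CONFLUENT_GROUPS_CLAIM = "groups";

    /**
     * Returns the set of group names carried by the principal's JWT.
     *
     * <p>Tokens whose {@code iss} claim equals {@code "Confluent"} always use the
     * {@code groups} claim; for any other issuer the claim name configured on the
     * principal ({@link JwtPrincipal#getGroupsClaimName()}) is used.
     *
     * @param jwtPrincipal principal whose claims are inspected; must not be null
     * @return the groups found; empty if no claim name is configured or the claim is
     *     absent or explicitly null. The returned set is mutable and owned by the caller.
     * @throws IllegalArgumentException if the claim is present but is not a list of strings
     */
    public static Set<String> getGroupsFromJwtPrincipal(JwtPrincipal jwtPrincipal) {
        Object issuer = jwtPrincipal.jwtClaims().get("iss");
        String claimName = Objects.equals(issuer, CONFLUENT_ISSUER)
            ? CONFLUENT_GROUPS_CLAIM
            : jwtPrincipal.getGroupsClaimName();
        return getGroupsFromJwtPrincipal(jwtPrincipal, claimName);
    }

    /**
     * Reads the named claim as a list of strings and copies it into a set.
     *
     * @param jwtPrincipal principal whose claims are inspected
     * @param claimName claim holding the groups; null or empty means "no groups configured"
     * @return the groups, or an empty set when the claim name is unset or the claim is
     *     absent / explicitly null
     * @throws IllegalArgumentException if the claim value is not a {@link List}, or any
     *     element of the list is not a {@link String}
     */
    private static Set<String> getGroupsFromJwtPrincipal(JwtPrincipal jwtPrincipal, String claimName) {
        if (claimName == null || claimName.isEmpty()) {
            return Collections.emptySet();
        }
        Object raw = jwtPrincipal.jwtClaims().getOrDefault(claimName, Collections.emptyList());
        if (raw == null) {
            // The claim key is present with an explicit null value. getOrDefault does not
            // substitute its default in that case, so treat it like an absent claim instead
            // of failing with a NullPointerException when the (null) list is iterated.
            return Collections.emptySet();
        }
        if (!(raw instanceof List)) {
            throw new IllegalArgumentException(String.format(
                "Unexpected type of groups in jwt. Expected type: %s, Actual type: %s",
                List.class, raw.getClass()));
        }
        Set<String> groups = new HashSet<>();
        for (Object element : (List<?>) raw) {
            // Reject (rather than coerce) anything that is not a string, including null
            // elements, since these names are later matched against authorization rules.
            if (!(element instanceof String)) {
                throw new IllegalArgumentException(String.format(
                    "Unexpected type of %s. Expected type: %s, Actual type: %s",
                    claimName, String.class, element == null ? "null" : element.getClass()));
            }
            groups.add((String) element);
        }
        return groups;
    }

    /**
     * Wraps a jose4j {@link HttpsJwksVerificationKeyResolver} in the project's
     * {@link CloseableVerificationKeyResolver} interface.
     *
     * <p>{@code close()} is intentionally a no-op: this wrapper opens nothing of its own
     * that would need releasing.
     *
     * @param httpsJwks source of verification keys
     * @return a resolver delegating key lookup to jose4j
     */
    public static CloseableVerificationKeyResolver createJwksVerificationKeyResolver(HttpsJwks httpsJwks) {
        final HttpsJwksVerificationKeyResolver delegate = new HttpsJwksVerificationKeyResolver(httpsJwks);
        return new CloseableVerificationKeyResolver() {
            public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
                    throws UnresolvableKeyException {
                return delegate.resolveKey(jws, nestingContext);
            }

            public void close() {
                // Nothing to release; see class-level note on this method.
            }
        };
    }

    /**
     * Builds a verification key resolver that fetches the IDP's JWKS document from
     * {@code jwksEndpoint}.
     *
     * @param jwksEndpoint URL of the IDP JWKS endpoint. A blank value is passed through
     *     to {@link HttpsJwks} unparsed (no TLS socket factory is configured for it);
     *     callers are expected to supply a real https URL.
     * @param endpointIdentificationAlgorithm value of
     *     {@code ssl.endpoint.identification.algorithm}. Only consulted when a custom
     *     {@code sslContextFactory} is in use: a blank value disables hostname
     *     verification for the JWKS connection (see {@link #createGetForIdpJwksEndpoint}).
     * @param sslContextFactory optional Jetty SSL context (truststore/keystore) for the
     *     JWKS connection; started here if not already running. When null, or when it has
     *     no {@link SSLContext}, the JVM default SSLContext is used for https endpoints.
     * @return a resolver backed by the configured JWKS endpoint
     * @throws IllegalStateException if the SSL context factory fails to start
     * @throws RuntimeException if {@code jwksEndpoint} is not a well-formed URL
     */
    public static CloseableVerificationKeyResolver getJwtKeyResolver(
            String jwksEndpoint, String endpointIdentificationAlgorithm, SslContextFactory sslContextFactory) {
        if (sslContextFactory != null && !sslContextFactory.isRunning()) {
            try {
                sslContextFactory.start();
            } catch (Exception e) {
                throw new IllegalStateException(
                    "SSL Context Factory failed to start. One of the reason could be wrong truststore and keystore password.",
                    e);
            }
        }
        URL endpointUrl = null;
        if (!Strings.isNullOrEmpty(jwksEndpoint)) {
            try {
                endpointUrl = new URL(jwksEndpoint);
            } catch (MalformedURLException e) {
                log.error("Received invalid IDP JWKS endpoint: {}", jwksEndpoint, e);
                throw new RuntimeException(e);
            }
        }
        Get jwksGet = createGetForIdpJwksEndpoint(endpointUrl, sslContextFactory, endpointIdentificationAlgorithm);
        HttpsJwks httpsJwks = new HttpsJwks(jwksEndpoint);
        httpsJwks.setSimpleHttpGet(jwksGet);
        return createJwksVerificationKeyResolver(httpsJwks);
    }

    /**
     * Configures the jose4j HTTP {@link Get} used to download the JWKS document.
     *
     * <p>Two TLS paths exist:
     * <ul>
     *   <li>A custom {@code sslContextFactory} with an SSLContext: its socket factory is
     *       used. If {@code endpointIdentificationAlgorithm} is blank, hostname
     *       verification is switched off with an accept-all verifier. This is the
     *       caller's explicit choice, but it means any certificate trusted by the
     *       truststore is accepted for this host, so a warning is logged.</li>
     *   <li>Otherwise, for an https URL, the JVM default SSLContext is used and the
     *       hostname verifier is left at jose4j's default.</li>
     * </ul>
     *
     * @param url parsed JWKS endpoint, or null if none was given (host is then null)
     * @param sslContextFactory optional custom TLS configuration
     * @param endpointIdentificationAlgorithm {@code ssl.endpoint.identification.algorithm};
     *     blank disables hostname verification on the custom-TLS path only
     * @return the configured GET helper
     * @throws RuntimeException if the JVM default SSLContext cannot be obtained
     */
    private static Get createGetForIdpJwksEndpoint(
            URL url, SslContextFactory sslContextFactory, String endpointIdentificationAlgorithm) {
        Get get = new Get();
        String host = url != null ? url.getHost() : null;
        if (sslContextFactory != null && sslContextFactory.getSslContext() != null) {
            log.info("Setting up custom SSLContext for OAuth JWT authenticator.");
            // The boolean argument is passed through as before; its meaning is defined by
            // HostSslSocketFactory (Kafka) — confirm there before changing it.
            get.setSslSocketFactory(new HostSslSocketFactory(
                sslContextFactory.getSslContext().getSocketFactory(), host, false));
            if (StringUtils.isAllBlank(endpointIdentificationAlgorithm)) {
                // Disabling hostname verification weakens the JWKS fetch to "any cert the
                // truststore trusts", so surface it at WARN rather than INFO.
                log.warn("Provided ssl.endpoint.identification.algorithm={}. Skipping hostname verification in OAuth JWT authenticator.",
                    endpointIdentificationAlgorithm);
                get.setHostnameVerifier((hostname, session) -> true);
            }
        } else if (url != null && url.getProtocol().equals("https")) {
            try {
                get.setSslSocketFactory(new HostSslSocketFactory(
                    SSLContext.getDefault().getSocketFactory(), host, false));
            } catch (NoSuchAlgorithmException e) {
                log.error("Error while getting default SSLContext: ", e);
                throw new RuntimeException(e);
            }
        }
        return get;
    }
}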
