package io.confluent.security.authentication.oauthbearer;

import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonSetter;
import com.fasterxml.jackson.annotation.Nulls;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import io.confluent.security.authentication.AuthenticationConfig;
import io.confluent.security.authentication.Authenticator;
import io.confluent.security.authentication.credential.BearerCredential;
import java.util.Collections;
import java.util.List;
import java.util.Set;

@JsonIgnoreProperties(ignoreUnknown = true)
@JsonDeserialize(builder = Builder.class)
/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/JwtAuthenticationConfig.class */
public final class JwtAuthenticationConfig extends AuthenticationConfig<BearerCredential, JwtPrincipal> {
    public static final String CONFLUENT_ISSUER = "Confluent";
    public static final String CONFIG_PREFIX = "authenticator.jwt.";
    public static final String CONFLUENT_SPIRE_ISSUER_SUFFIX_PROP = "authenticator.jwt.spire.issuers.suffix";
    public static final String CONFLUENT_SPIRE_ISSUER_SUFFIX = "spire.internal.confluent.cloud";
    private final List<JwtIssuer> issuers;
    private final Set<SignatureAlgorithm> algorithmWhitelist;
    private final String spireAgentSocketEndpoint;

    /* loaded from: input_file:io/confluent/security/authentication/oauthbearer/JwtAuthenticationConfig$Builder.class */
    public static class Builder {
        private List<JwtIssuer> issuers;
        private Set<SignatureAlgorithm> algorithmWhitelist;
        private String spireAgentSocketEndpoint;

        private Builder() {
        }

        @JsonSetter(value = "issuers", nulls = Nulls.AS_EMPTY)
        public Builder issuers(List<JwtIssuer> list) {
            this.issuers = list;
            return this;
        }

        @JsonSetter(value = "algorithmWhitelist", nulls = Nulls.AS_EMPTY)
        public Builder algorithmWhitelist(Set<SignatureAlgorithm> set) {
            this.algorithmWhitelist = set;
            return this;
        }

        @JsonSetter("spireAgentSocketEndpoint")
        public Builder spireAgentSocketEndpoint(String str) {
            this.spireAgentSocketEndpoint = str;
            return this;
        }

        public JwtAuthenticationConfig build() {
            return new JwtAuthenticationConfig(this.issuers, (this.algorithmWhitelist == null || this.algorithmWhitelist.isEmpty()) ? DefaultWhiteList.INSTANCE : this.algorithmWhitelist, this.spireAgentSocketEndpoint);
        }
    }

    /* loaded from: input_file:io/confluent/security/authentication/oauthbearer/JwtAuthenticationConfig$DefaultWhiteList.class */
    private static class DefaultWhiteList {
        private static final Set<SignatureAlgorithm> INSTANCE = Set.of(SignatureAlgorithm.RS256, SignatureAlgorithm.ES256);

        private DefaultWhiteList() {
        }
    }

    private JwtAuthenticationConfig(List<JwtIssuer> list, Set<SignatureAlgorithm> set, String str) {
        this.issuers = Collections.unmodifiableList(list);
        this.algorithmWhitelist = Collections.unmodifiableSet(set);
        this.spireAgentSocketEndpoint = str;
    }

    @Override // io.confluent.security.authentication.AuthenticationConfig
    @JsonIgnore
    public AuthenticationConfig.Kind kind() {
        return AuthenticationConfig.Kind.JWT;
    }

    @JsonProperty("algorithmWhitelist")
    public Set<SignatureAlgorithm> algorithmWhitelist() {
        return this.algorithmWhitelist;
    }

    @JsonProperty("issuers")
    public List<JwtIssuer> issuers() {
        return this.issuers;
    }

    @JsonProperty("spireAgentSocketEndpoint")
    public String spireAgentSocketEndpoint() {
        return this.spireAgentSocketEndpoint;
    }

    @Override // io.confluent.security.authentication.AuthenticationConfig
    public Authenticator<BearerCredential, JwtPrincipal> createAuthenticator() {
        return new JwtAuthenticator(this.issuers, Collections.singletonList(new AlgorithmWhitelist(this.algorithmWhitelist)));
    }

    public static Builder builder() {
        return new Builder();
    }
}
