package io.confluent.security.authentication.oauthbearer;

import io.confluent.security.authentication.credential.BearerCredential;
import io.spiffe.bundle.jwtbundle.JwtBundle;
import io.spiffe.bundle.jwtbundle.JwtBundleSet;
import io.spiffe.exception.BundleNotFoundException;
import io.spiffe.spiffeid.SpiffeId;
import io.spiffe.spiffeid.TrustDomain;
import io.spiffe.svid.jwtsvid.JwtSvid;
import io.spiffe.workloadapi.JwtSource;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.jose4j.jwk.EcJwkGenerator;
import org.jose4j.jwk.EllipticCurveJsonWebKey;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.EllipticCurves;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/MockJwtSource.class */
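/**
 * In-memory {@link JwtSource} that serves two fixed JWT bundles and mints tokens signed by the
 * matching private keys.
 *
 * <p>Security note: the key pairs generated in the static initializer, <em>including their
 * private halves</em>, are reachable through public static fields, and {@link #createJws} will
 * sign arbitrary claims with them. Any verifier wired to this source therefore accepts tokens
 * that any code in the same JVM can forge. The names used here ("Mock", "test") suggest a test
 * fixture; NOTE(review): confirm it is excluded from production artifacts.
 *
 * <p>The {@code fetchJwtSvid*} methods are stubs that return {@code null}; only bundle lookup is
 * functional.
 */
public class MockJwtSource implements JwtSource {
    public static final String SPIRE_ISSUER = "test.prefix.spire.internal.confluent.cloud";
    public static final TrustDomain SPIRE_TRUST_DOMAIN_1 = TrustDomain.parse("spire.test.domain.one");
    public static final TrustDomain SPIRE_TRUST_DOMAIN_2 = TrustDomain.parse("spire.test.domain.two");
    public static final List<String> VALID_AUD = Collections.singletonList("mockAud");

    /** Public keys for both trust domains, keyed by {@link Kid} name; built once in the static initializer. */
    public static final JwtBundleSet JWT_BUNDLE_SET;

    // Key pairs (private key included). The fields are non-final, but reassigning one does not
    // change JWKS or JWT_BUNDLE_SET, which captured the objects created in the static initializer.
    public static RsaJsonWebKey rsaSpire1;
    public static RsaJsonWebKey rsaSpire2;
    public static RsaJsonWebKey rsa512Spire1;
    public static RsaJsonWebKey rsa512Spire2;
    public static EllipticCurveJsonWebKey ecSpire1;
    public static EllipticCurveJsonWebKey ecSpire2;

    /** All six key pairs, looked up by key id when signing. */
    private static final JsonWebKeySet JWKS;

    private final JwtBundleSet bundles = JWT_BUNDLE_SET;

    /**
     * Key ids understood by this mock. Each constant except {@link #INVALID_KID} names one key
     * pair registered in the static initializer.
     */
    /* loaded from: input_file:io/confluent/security/authentication/oauthbearer/MockJwtSource$Kid.class */
    public enum Kid {
        /** RSA-2048 key, alg RS256, published in the bundle of trust domain one. */
        RSA_SPIRE_1,
        /** RSA-2048 key, alg RS512, trust domain one. Presumably used to test algorithm exclusion; confirm. */
        RSA_EXCLUDE_SPIRE_1,
        /** P-256 key, alg ES256, trust domain one. */
        EU_SPIRE_1,
        /** RSA-2048 key, alg RS256, published in the bundle of trust domain two. */
        RSA_SPIRE_2,
        /** RSA-2048 key, alg RS512, trust domain two. Presumably used to test algorithm exclusion; confirm. */
        RSA_EXCLUDE_SPIRE_2,
        /** P-256 key, alg ES256, trust domain two. */
        EU_SPIRE_2,
        /** Has no key registered anywhere; only usable as a header value, see {@link #createJwsWithInvalidKid}. */
        INVALID_KID
    }

    /**
     * Returns the bundle registered for {@code trustDomain}.
     *
     * @throws BundleNotFoundException propagated from the underlying bundle set lookup
     */
    /* renamed from: getBundleForTrustDomain, reason: merged with bridge method [inline-methods] */
    public JwtBundle m13getBundleForTrustDomain(TrustDomain trustDomain) throws BundleNotFoundException {
        return this.bundles.getBundleForTrustDomain(trustDomain);
    }

    /** Stub: always returns {@code null}. */
    public JwtSvid fetchJwtSvid(String str, String... strArr) {
        return null;
    }

    /** Stub: always returns {@code null}. */
    public JwtSvid fetchJwtSvid(SpiffeId spiffeId, String str, String... strArr) {
        return null;
    }

    /** Stub: always returns {@code null} (not an empty list), so callers must null-check. */
    public List<JwtSvid> fetchJwtSvids(String str, String... strArr) {
        return null;
    }

    /** Stub: always returns {@code null} (not an empty list), so callers must null-check. */
    public List<JwtSvid> fetchJwtSvids(SpiffeId spiffeId, String str, String... strArr) {
        return null;
    }

    /** No-op: this source holds no resources. */
    public void close() throws IOException {
    }

    /**
     * Signs {@code jwtClaims} with the key registered for {@code kid} and wraps the compact
     * serialization in a {@link BearerCredential}.
     *
     * @throws JoseException if producing the compact serialization fails
     * @throws NullPointerException if no key is registered for {@code kid}, as for {@link Kid#INVALID_KID}
     */
    public static BearerCredential createEncodedJws(Kid kid, JwtClaims jwtClaims) throws JoseException {
        return new BearerCredential(createJws(kid, jwtClaims).getCompactSerialization());
    }

    /**
     * Builds a JWS over the JSON form of {@code jwtClaims}, keyed with the private key registered
     * for {@code kid} and carrying that key's algorithm in the header.
     *
     * <p>The {@code kid} header is set to {@code kid.name()} unless the name ends with "PEM". No
     * current {@link Kid} constant ends with "PEM", so the header is always set today.
     *
     * @throws NullPointerException if no key is registered for {@code kid}, as for {@link Kid#INVALID_KID}
     */
    public static JsonWebSignature createJws(Kid kid, JwtClaims jwtClaims) {
        String kidHeader = kid.name().endsWith("PEM") ? null : kid.name();
        return newJws(kid, kidHeader, jwtClaims);
    }

    /**
     * Builds a JWS that is signed with the {@link Kid#RSA_SPIRE_1} private key but advertises
     * {@link Kid#INVALID_KID} in its {@code kid} header. That id is in neither bundle, so a
     * verifier that resolves keys by {@code kid} is expected to find no key for it.
     */
    public static JsonWebSignature createJwsWithInvalidKid(JwtClaims jwtClaims) {
        return newJws(Kid.RSA_SPIRE_1, Kid.INVALID_KID.name(), jwtClaims);
    }

    /**
     * Shared signing path: looks up the key pair for {@code signingKid} and prepares a JWS.
     *
     * @param signingKid id of the key pair whose private key and algorithm are used
     * @param kidHeader value for the {@code kid} header, or {@code null} to leave the header unset
     */
    private static JsonWebSignature newJws(Kid signingKid, String kidHeader, JwtClaims jwtClaims) {
        // Every entry in JWKS is an RSA or EC key pair, i.e. a PublicJsonWebKey.
        PublicJsonWebKey signingKey =
                (PublicJsonWebKey) JWKS.findJsonWebKey(signingKid.name(), null, null, null);
        // Fail with a named cause instead of a bare NPE on getPrivateKey() below; the exception
        // type is kept so existing callers see the same failure class.
        java.util.Objects.requireNonNull(
                signingKey, "No signing key registered for kid " + signingKid.name());
        JsonWebSignature jws = new JsonWebSignature();
        jws.setKey(signingKey.getPrivateKey());
        if (kidHeader != null) {
            jws.setKeyIdHeaderValue(kidHeader);
        }
        jws.setAlgorithmHeaderValue(signingKey.getAlgorithm());
        jws.setPayload(jwtClaims.toJson());
        return jws;
    }

    /** Generates a fresh RSA-2048 key pair labelled with {@code kid} and {@code algorithm}. */
    private static RsaJsonWebKey newRsaKey(Kid kid, String algorithm) throws JoseException {
        RsaJsonWebKey key = RsaJwkGenerator.generateJwk(2048);
        key.setKeyId(kid.name());
        key.setAlgorithm(algorithm);
        return key;
    }

    /** Generates a fresh P-256 key pair labelled with {@code kid} and {@code algorithm}. */
    private static EllipticCurveJsonWebKey newEcKey(Kid kid, String algorithm) throws JoseException {
        EllipticCurveJsonWebKey key = EcJwkGenerator.generateJwk(EllipticCurves.P256);
        key.setKeyId(kid.name());
        key.setAlgorithm(algorithm);
        return key;
    }

    static {
        try {
            // Keys are generated per class load, so they differ between JVM runs.
            rsaSpire1 = newRsaKey(Kid.RSA_SPIRE_1, "RS256");
            rsaSpire2 = newRsaKey(Kid.RSA_SPIRE_2, "RS256");
            rsa512Spire1 = newRsaKey(Kid.RSA_EXCLUDE_SPIRE_1, "RS512");
            rsa512Spire2 = newRsaKey(Kid.RSA_EXCLUDE_SPIRE_2, "RS512");
            ecSpire1 = newEcKey(Kid.EU_SPIRE_1, "ES256");
            ecSpire2 = newEcKey(Kid.EU_SPIRE_2, "ES256");

            // Bundles expose public keys only; the private halves stay in the JWK objects.
            JWT_BUNDLE_SET = JwtBundleSet.of(Arrays.asList(
                    new JwtBundle(SPIRE_TRUST_DOMAIN_1, Map.of(
                            rsaSpire1.getKeyId(), rsaSpire1.getPublicKey(),
                            rsa512Spire1.getKeyId(), rsa512Spire1.getPublicKey(),
                            ecSpire1.getKeyId(), ecSpire1.getPublicKey())),
                    new JwtBundle(SPIRE_TRUST_DOMAIN_2, Map.of(
                            rsaSpire2.getKeyId(), rsaSpire2.getPublicKey(),
                            rsa512Spire2.getKeyId(), rsa512Spire2.getPublicKey(),
                            ecSpire2.getKeyId(), ecSpire2.getPublicKey()))));
            JWKS = new JsonWebKeySet(new JsonWebKey[] {
                rsaSpire1, rsa512Spire1, ecSpire1, rsaSpire2, rsa512Spire2, ecSpire2
            });
        } catch (JoseException e) {
            throw new RuntimeException("Failed to generate mock SPIRE signing keys", e);
        }
    }
}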
