package org.apache.kafka.common.security.oauthbearer.internals.secured;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.kafka.common.utils.MockTime;
import org.apache.kafka.common.utils.Time;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenBuilder.class */
public class AccessTokenBuilder {
    private final ObjectMapper objectMapper;
    private String alg;
    private String jwtId;
    private String audience;
    private String subject;
    private String subjectClaimName;
    private Object scope;
    private final String scopeClaimName = "scope";
    private final Long issuedAtSeconds;
    private Long expirationSeconds;
    private PublicJsonWebKey jwk;
    private final Map<String, String> customClaims;
    private Set<String> excludedClaims;

    public AccessTokenBuilder(Set<String> set) {
        this(new MockTime());
        this.excludedClaims = set;
    }

    public AccessTokenBuilder() {
        this(new MockTime());
    }

    public AccessTokenBuilder(Time time) {
        this.objectMapper = new ObjectMapper();
        this.subject = "jdoe";
        this.subjectClaimName = "sub";
        this.scope = "engineering";
        this.scopeClaimName = "scope";
        this.customClaims = new HashMap();
        this.issuedAtSeconds = Long.valueOf(time.milliseconds() / 1000);
        this.expirationSeconds = Long.valueOf(this.issuedAtSeconds.longValue() + 60);
        this.excludedClaims = Collections.emptySet();
    }

    public AccessTokenBuilder jwtId(String str) {
        this.jwtId = str;
        return this;
    }

    public String alg() {
        return this.alg;
    }

    public AccessTokenBuilder alg(String str) {
        this.alg = str;
        return this;
    }

    public AccessTokenBuilder audience(String str) {
        this.audience = str;
        return this;
    }

    public String audience() {
        return this.audience;
    }

    public String subject() {
        return this.subject;
    }

    public AccessTokenBuilder subject(String str) {
        this.subject = str;
        return this;
    }

    public String subjectClaimName() {
        return this.subjectClaimName;
    }

    public AccessTokenBuilder subjectClaimName(String str) {
        this.subjectClaimName = str;
        return this;
    }

    public Object scope() {
        return this.scope;
    }

    public AccessTokenBuilder scope(Object obj) {
        this.scope = obj;
        if (!(obj instanceof String) && !(obj instanceof Collection)) {
            throw new IllegalArgumentException(String.format("%s parameter must be a %s or a %s containing %s", "scope", String.class.getName(), Collection.class.getName(), String.class.getName()));
        }
        return this;
    }

    public String scopeClaimName() {
        return "scope";
    }

    public Long issuedAtSeconds() {
        return this.issuedAtSeconds;
    }

    public Long expirationSeconds() {
        return this.expirationSeconds;
    }

    public AccessTokenBuilder expirationSeconds(Long l) {
        this.expirationSeconds = l;
        return this;
    }

    public PublicJsonWebKey jwk() {
        return this.jwk;
    }

    public AccessTokenBuilder jwk(PublicJsonWebKey publicJsonWebKey) {
        this.jwk = publicJsonWebKey;
        return this;
    }

    public AccessTokenBuilder addCustomClaim(String str, String str2) {
        String validateClaimNameOverride = ClaimValidationUtils.validateClaimNameOverride("claim name", str);
        this.customClaims.put(validateClaimNameOverride, ClaimValidationUtils.validateClaimNameOverride(validateClaimNameOverride, str2));
        return this;
    }

    public String build() throws JoseException, IOException {
        ObjectNode createObjectNode = this.objectMapper.createObjectNode();
        if (this.audience != null && includeClaimInToken("aud")) {
            createObjectNode.put("aud", this.audience);
        }
        if (this.subject != null && includeClaimInToken(this.subjectClaimName)) {
            createObjectNode.put(this.subjectClaimName, this.subject);
        }
        if (this.scope != null && includeClaimInToken("scope")) {
            if (this.scope instanceof String) {
                createObjectNode.put("scope", (String) this.scope);
            } else {
                if (!(this.scope instanceof Collection)) {
                    throw new IllegalArgumentException(String.format("%s claim must be a %s or a %s containing %s", "scope", String.class.getName(), Collection.class.getName(), String.class.getName()));
                }
                ArrayNode putArray = createObjectNode.putArray("scope");
                Collection collection = (Collection) this.scope;
                Objects.requireNonNull(putArray);
                collection.forEach(putArray::add);
            }
        }
        if (this.issuedAtSeconds != null && includeClaimInToken("iat")) {
            createObjectNode.put("iat", this.issuedAtSeconds);
        }
        if (this.expirationSeconds != null && includeClaimInToken("exp")) {
            createObjectNode.put("exp", this.expirationSeconds);
        }
        if (this.jwtId != null && includeClaimInToken("jti")) {
            createObjectNode.put("jti", this.jwtId);
        }
        for (Map.Entry<String, String> entry : this.customClaims.entrySet()) {
            createObjectNode.put(entry.getKey(), entry.getValue());
        }
        String writeValueAsString = this.objectMapper.writeValueAsString(createObjectNode);
        JsonWebSignature jsonWebSignature = new JsonWebSignature();
        jsonWebSignature.setPayload(writeValueAsString);
        if (this.jwk != null) {
            jsonWebSignature.setKey(this.jwk.getPrivateKey());
            jsonWebSignature.setKeyIdHeaderValue(this.jwk.getKeyId());
        }
        if (this.alg != null) {
            jsonWebSignature.setAlgorithmHeaderValue(this.alg);
        }
        return jsonWebSignature.getCompactSerialization();
    }

    private boolean includeClaimInToken(String str) {
        return !this.excludedClaims.contains(str);
    }
}
