package io.confluent.kafka.security.oauthbearer;

import com.fasterxml.jackson.core.StreamReadFeature;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import io.confluent.kafka.security.PemUtils;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.utils.FileWatchService;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/security/oauthbearer/PrivateKeyClientAssertion.class */
public class PrivateKeyClientAssertion implements ClientAssertion {
    private String iss;
    private String aud;
    private String sub;
    private Boolean setNotBefore;
    private final Integer expirationTime;
    private Boolean setJti;
    private final PrivateKeyWatchListener privateKeyWatchListener;
    private final String privateKeyPath;
    private final String clientAssertionConfigPath;
    private final String passPhrase;
    private AtomicReference<PrivateKeyAndClientAssertionClaims> privateKeyAndClientAssertionClaims = new AtomicReference<>(null);
    private static final Logger log = LoggerFactory.getLogger(PrivateKeyClientAssertion.class);
    private static final FileWatchService PRIVATE_KEY_WATCH_SERVICE = new FileWatchService();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/kafka/security/oauthbearer/PrivateKeyClientAssertion$PrivateKeyAndClientAssertionClaims.class */
    public static class PrivateKeyAndClientAssertionClaims {
        final PrivateKey privateKey;
        final Map<String, Object> headerKeyValues;
        final Map<String, Object> payloadKeyValues;

        PrivateKeyAndClientAssertionClaims(PrivateKey privateKey, Map<String, Object> map, Map<String, Object> map2) {
            this.privateKey = privateKey;
            this.headerKeyValues = map;
            this.payloadKeyValues = map2;
        }
    }

    /* loaded from: input_file:io/confluent/kafka/security/oauthbearer/PrivateKeyClientAssertion$PrivateKeyWatchListener.class */
    static class PrivateKeyWatchListener implements FileWatchService.Listener {
        private final File privateKeyFile;
        private final Runnable setPrivateKey;

        PrivateKeyWatchListener(String str, Runnable runnable) {
            this.privateKeyFile = Paths.get(str, new String[0]).toFile();
            this.setPrivateKey = runnable;
        }

        @Override // org.apache.kafka.common.utils.FileWatchService.Listener
        public File file() {
            return this.privateKeyFile;
        }

        @Override // org.apache.kafka.common.utils.FileWatchService.Listener
        public void onInit() {
        }

        @Override // org.apache.kafka.common.utils.FileWatchService.Listener
        public void onUpdate() {
            this.setPrivateKey.run();
        }
    }

    public PrivateKeyClientAssertion(String str, String str2, String str3, Integer num, Boolean bool, Boolean bool2, String str4, String str5, String str6) {
        this.iss = ValidationUtils.sanitizeString("the client assertion issuer claim", str);
        this.aud = ValidationUtils.sanitizeString("the client assertion audience claim", str2);
        this.sub = ValidationUtils.sanitizeString("the client assertion subject claim", str3);
        this.expirationTime = ValidationUtils.sanitizeInteger("the client assertion expiration time", num, 1);
        this.clientAssertionConfigPath = str6;
        this.setJti = bool2;
        this.setNotBefore = bool;
        this.privateKeyPath = str4;
        this.passPhrase = str5;
        setPrivateKey();
        this.privateKeyWatchListener = new PrivateKeyWatchListener(str4, this::setPrivateKey);
        PRIVATE_KEY_WATCH_SERVICE.add(this.privateKeyWatchListener);
    }

    @Override // io.confluent.kafka.security.oauthbearer.ClientAssertion
    public String getJwt() {
        try {
            JwtClaims jwtClaims = new JwtClaims();
            jwtClaims.setIssuer(this.iss);
            jwtClaims.setAudience(this.aud);
            jwtClaims.setExpirationTimeMinutesInTheFuture(this.expirationTime.intValue());
            if (this.setJti.booleanValue()) {
                jwtClaims.setGeneratedJwtId(16);
            }
            jwtClaims.setIssuedAtToNow();
            if (this.setNotBefore.booleanValue()) {
                jwtClaims.setNotBeforeMinutesInThePast(1.0f);
            }
            jwtClaims.setSubject(this.sub);
            if (this.privateKeyAndClientAssertionClaims.get().payloadKeyValues != null) {
                for (Map.Entry<String, Object> entry : this.privateKeyAndClientAssertionClaims.get().payloadKeyValues.entrySet()) {
                    jwtClaims.setClaim(entry.getKey(), entry.getValue());
                }
            }
            JsonWebSignature jsonWebSignature = new JsonWebSignature();
            jsonWebSignature.setPayload(jwtClaims.toJson());
            jsonWebSignature.setKey(this.privateKeyAndClientAssertionClaims.get().privateKey);
            if (this.privateKeyAndClientAssertionClaims.get().headerKeyValues != null) {
                for (Map.Entry<String, Object> entry2 : this.privateKeyAndClientAssertionClaims.get().headerKeyValues.entrySet()) {
                    jsonWebSignature.setHeader(entry2.getKey(), entry2.getValue());
                }
            }
            jsonWebSignature.setAlgorithmHeaderValue("RS256");
            return jsonWebSignature.getCompactSerialization();
        } catch (JoseException e) {
            throw new KafkaException((Throwable) e);
        }
    }

    private void setPrivateKey() {
        try {
            InputStream newInputStream = Files.newInputStream(Paths.get(this.privateKeyPath, new String[0]), new OpenOption[0]);
            try {
                KeyPair loadKeyPair = (this.passPhrase == null || this.passPhrase.isEmpty()) ? PemUtils.loadKeyPair(newInputStream) : PemUtils.loadKeyPair(newInputStream, this.passPhrase);
                if (newInputStream != null) {
                    newInputStream.close();
                }
                if (this.privateKeyAndClientAssertionClaims.get() != null) {
                    log.info("Private key has been updated");
                }
                setPrivateKeyAndHeaderValues(loadKeyPair.getPrivate());
            } finally {
            }
        } catch (IOException e) {
            throw new KafkaException(e);
        }
    }

    protected PrivateKey getPrivateKey() {
        return this.privateKeyAndClientAssertionClaims.get().privateKey;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v20, types: [java.util.Map] */
    /* JADX WARN: Type inference failed for: r0v23, types: [java.util.Map] */
    private void setPrivateKeyAndHeaderValues(PrivateKey privateKey) {
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        if (this.clientAssertionConfigPath == null || this.clientAssertionConfigPath.isEmpty()) {
            log.info("Client assertion config path is not provided, not configuring additional header and payload values");
        } else {
            ObjectMapper build = JsonMapper.builder().enable(new StreamReadFeature[]{StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION}).build();
            try {
                Map map = (Map) build.readValue(new File(this.clientAssertionConfigPath), new TypeReference<Map<String, Object>>() { // from class: io.confluent.kafka.security.oauthbearer.PrivateKeyClientAssertion.1
                });
                hashMap = (Map) build.convertValue(map.get("headers"), new TypeReference<Map<String, Object>>() { // from class: io.confluent.kafka.security.oauthbearer.PrivateKeyClientAssertion.2
                });
                hashMap2 = (Map) build.convertValue(map.get("payload"), new TypeReference<Map<String, Object>>() { // from class: io.confluent.kafka.security.oauthbearer.PrivateKeyClientAssertion.3
                });
            } catch (IOException e) {
                throw new KafkaException("Error parsing the json file, failed with exception :", e);
            }
        }
        this.privateKeyAndClientAssertionClaims.set(new PrivateKeyAndClientAssertionClaims(privateKey, hashMap, hashMap2));
    }

    @Override // io.confluent.kafka.security.oauthbearer.ClientAssertion, java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        PRIVATE_KEY_WATCH_SERVICE.remove(this.privateKeyWatchListener);
    }
}
