package com.azure.spring.cloud.autoconfigure.implementation.aad.security.jwt;

import com.azure.spring.cloud.autoconfigure.implementation.aad.security.constants.AadJwtClaimNames;
import com.azure.spring.cloud.autoconfigure.implementation.aad.utils.AadRestTemplateCreator;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSAlgorithmFamilyJWSKeySelector;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.JWTClaimsSetAwareJWSKeySelector;
import java.net.URL;
import java.security.Key;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:com/azure/spring/cloud/autoconfigure/implementation/aad/security/jwt/AadIssuerJwsKeySelector.class */
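/**
 * Selects JWS verification keys per token issuer for Azure AD tokens.
 *
 * <p>The issuer is read from the token's claims, checked against the trusted issuer
 * repository, and then mapped to a {@link JWSKeySelector} built from the issuer's OIDC
 * configuration ({@code jwks_uri}). Selectors are cached per issuer.
 *
 * <p>Security note: key selection runs before the signature has been verified, so the
 * issuer claim used here is attacker-controlled input. The trusted-issuer check is what
 * prevents that value from driving an outbound metadata/JWKS lookup, and it also means
 * only trusted issuers are ever inserted into the selector cache.
 */
public class AadIssuerJwsKeySelector implements JWTClaimsSetAwareJWSKeySelector<SecurityContext> {
    private final AadTrustedIssuerRepository trustedIssuerRepo;
    // Cache of per-issuer selectors; entries are only added for issuers that passed isTrusted().
    private final Map<String, JWSKeySelector<SecurityContext>> selectors = new ConcurrentHashMap<>();
    private final RestOperations restOperations;
    private final ResourceRetriever resourceRetriever;

    /**
     * Creates the selector.
     *
     * @param restTemplateBuilder builder used to create the client that fetches the OIDC configuration
     * @param aadTrustedIssuerRepository repository deciding which issuers are accepted
     * @param resourceRetriever retriever handed to the remote JWK set for downloading keys
     */
    public AadIssuerJwsKeySelector(RestTemplateBuilder restTemplateBuilder, AadTrustedIssuerRepository aadTrustedIssuerRepository, ResourceRetriever resourceRetriever) {
        this.restOperations = AadRestTemplateCreator.createRestTemplate(restTemplateBuilder);
        this.trustedIssuerRepo = aadTrustedIssuerRepository;
        this.resourceRetriever = resourceRetriever;
    }

    /**
     * Returns the candidate verification keys for a token, based on its issuer claim.
     *
     * @param jWSHeader header of the JWS being verified
     * @param jWTClaimsSet claims of the (not yet verified) token
     * @param securityContext optional context passed through to the underlying selector
     * @return the keys selected by the issuer-specific selector
     * @throws KeySourceException if the underlying selector fails to obtain keys
     * @throws IllegalArgumentException if the issuer claim is not a string, the issuer is not
     *     trusted, or a selector cannot be created for it
     */
    @Override
    public List<? extends Key> selectKeys(JWSHeader jWSHeader, JWTClaimsSet jWTClaimsSet, SecurityContext securityContext) throws KeySourceException {
        Object issuerClaim = jWTClaimsSet.getClaim(AadJwtClaimNames.ISS);
        // The claim comes from an unverified token: reject a non-string value explicitly
        // instead of failing with a ClassCastException on the cast below.
        if (issuerClaim != null && !(issuerClaim instanceof String)) {
            throw new IllegalArgumentException("The issuer claim is not a string, so cannot create JWSKeySelector.");
        }
        String issuer = (String) issuerClaim;
        // The trust check must stay ahead of computeIfAbsent: fromIssuer performs a remote lookup
        // keyed on the issuer, and that must never happen for a value that is not trusted.
        if (!this.trustedIssuerRepo.isTrusted(issuer)) {
            // The message echoes the unverified issuer value; anything that logs or renders it
            // should treat it as untrusted text.
            throw new IllegalArgumentException("The issuer: '" + issuer + "' is not registered in trusted issuer repository, so cannot create JWSKeySelector.");
        }
        // If fromIssuer throws, nothing is cached and the next token for this issuer retries.
        // NOTE(review): ConcurrentHashMap runs the mapping function while holding an internal
        // lock, and fromIssuer appears to do network I/O; confirm this is acceptable under load.
        return this.selectors.computeIfAbsent(issuer, this::fromIssuer).selectJWSKeys(jWSHeader, securityContext);
    }

    /**
     * Builds a key selector for a trusted issuer from the {@code jwks_uri} in its OIDC configuration.
     *
     * @param issuer issuer value that already passed the trusted-issuer check
     * @return a selector backed by the issuer's remote JWK set
     * @throws IllegalArgumentException if the configuration cannot be obtained, lacks a
     *     {@code jwks_uri}, or the selector cannot be created
     */
    private JWSKeySelector<SecurityContext> fromIssuer(String issuer) {
        try {
            Object jwksUri = AadJwtDecoderProviderConfiguration
                .getConfigurationForOidcIssuerLocation(this.restOperations, getOidcIssuerLocation(issuer))
                .get("jwks_uri");
            if (jwksUri == null) {
                // Previously this surfaced as a NullPointerException wrapped with a null message.
                throw new IllegalArgumentException("The OIDC configuration for issuer: '" + issuer + "' does not contain 'jwks_uri'.");
            }
            // NOTE(review): the jwks_uri is taken as-is from the discovery document; its scheme
            // and host are not checked here, so key integrity relies on how that document was
            // fetched. Confirm the discovery helper enforces this.
            return JWSAlgorithmFamilyJWSKeySelector.fromJWKSource(new RemoteJWKSet<SecurityContext>(new URL(jwksUri.toString()), this.resourceRetriever));
        } catch (Exception e) {
            // Everything is surfaced as IllegalArgumentException with the original cause attached.
            throw new IllegalArgumentException(e.getMessage(), e);
        }
    }

    /**
     * Resolves the location used for OIDC discovery: the repository's special location for the
     * issuer when one is registered, otherwise the issuer value itself.
     */
    private String getOidcIssuerLocation(String issuer) {
        if (this.trustedIssuerRepo.hasSpecialOidcIssuerLocation(issuer)) {
            return this.trustedIssuerRepo.getSpecialOidcIssuerLocation(issuer);
        }
        return issuer;
    }
}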
