package io.confluent.kafka.server.plugins.auth.oauth;

import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import org.apache.kafka.test.TestUtils;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.jose4j.json.internal.json_simple.parser.JSONParser;
import org.jose4j.json.internal.json_simple.parser.ParseException;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/oauth/OAuthUtils.class */
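/**
 * Test helper that mints RS256-signed JWS tokens with a freshly generated RSA key pair.
 *
 * <p>The private key exists only in memory for the duration of {@link Builder#build()}; only the
 * public half is written to a PEM file and returned, so a verifier under test can be pointed at
 * it.
 *
 * <p>Security note for readers: the {@code kid} and {@code jku} header values are whatever the
 * caller passes in. A verifier exercised with these tokens should treat both headers as
 * untrusted input (for example, only resolving {@code jku} against an allowlist) rather than
 * using them directly to select or fetch a verification key.
 */
public class OAuthUtils {
    private static final Logger log = LoggerFactory.getLogger(OAuthUtils.class);

    /**
     * Collects the claims and header options for a test token and signs it on {@link #build()}.
     */
    public static class Builder {
        // Token lifetime; sign() divides it by 1000, so this is presumably milliseconds (confirm with callers).
        private final Integer expiration;
        private final String issuer;
        private final String subject;
        private final String orgResourceID;
        private String[] audience = null;
        // One extra token is minted per entry, using the id as the subject.
        private Integer[] userIds = new Integer[0];
        private String jku = null;
        private Boolean withKid = false;
        // JSON text; parsed and stored as the "may_act" claim.
        private String mayAct;
        private String externalIdentityId;

        /**
         * @param expiration token lifetime, or {@code null} to omit the {@code exp} claim
         * @param issuer value of the {@code iss} claim
         * @param subject value of the {@code sub} claim, or {@code null} to omit it
         * @param orgResourceID value of the {@code orgResourceId} claim
         */
        public Builder(Integer expiration, String issuer, String subject, String orgResourceID) {
            this.expiration = expiration;
            this.issuer = issuer;
            this.subject = subject;
            this.orgResourceID = orgResourceID;
        }

        /** Sets a single audience; a {@code null} argument leaves the current audience untouched. */
        public Builder audience(String audience) {
            return audience != null ? audience(new String[]{audience}) : this;
        }

        /** Sets the audience list; {@code null} means no {@code aud} claim is written. */
        public Builder audience(String[] audience) {
            this.audience = audience;
            return this;
        }

        /** Sets the user ids for which additional per-user tokens are minted. */
        public Builder userIds(Integer[] userIds) {
            this.userIds = userIds;
            return this;
        }

        /** Sets the {@code jku} header value; {@code null} omits the header. */
        public Builder jku(String jku) {
            this.jku = jku;
            return this;
        }

        /** Controls whether the generated key id is written to the {@code kid} header. */
        public Builder withKid(Boolean withKid) {
            this.withKid = withKid;
            return this;
        }

        /** Sets the JSON text used for the {@code may_act} claim; {@code null} omits the claim. */
        public Builder mayAct(String mayAct) {
            this.mayAct = mayAct;
            return this;
        }

        /** Sets the {@code externalIdentityId} claim; {@code null} omits the claim. */
        public Builder externalIdentityId(String externalIdentityId) {
            this.externalIdentityId = externalIdentityId;
            return this;
        }

        /**
         * Generates a key pair, writes the public key to a temp PEM file and signs the tokens.
         *
         * <p>All tokens produced by one call share the same key pair and the same key id. A
         * {@code null} {@code withKid} is treated as {@code false} and a {@code null}
         * {@code userIds} as empty, instead of failing with a {@link NullPointerException}.
         *
         * @return the main token, the per-user tokens, the PEM file, the public key and the key id
         * @throws Exception if key generation or writing the PEM file fails
         */
        public JwsContainer build() throws Exception {
            KeyPair keyPair = OAuthUtils.generateKeyPair();
            File publicKeyFile = TestUtils.tempFile();
            OAuthUtils.writePemFile(publicKeyFile, keyPair.getPublic());

            String generatedKid = UUID.randomUUID().toString();
            // The kid is always generated and returned, but only placed in the header on request.
            String headerKid = Boolean.TRUE.equals(this.withKid) ? generatedKid : null;

            String mainToken = OAuthUtils.sign(keyPair.getPrivate(), this.expiration, this.issuer,
                    this.subject, this.audience, this.orgResourceID, headerKid, this.jku,
                    this.mayAct, this.externalIdentityId);

            Map<Integer, String> tokensByUser = new HashMap<>();
            if (this.userIds != null) {
                for (Integer userId : this.userIds) {
                    // Same claims as the main token, with the user id as subject.
                    tokensByUser.put(userId, OAuthUtils.sign(keyPair.getPrivate(), this.expiration,
                            this.issuer, userId + "", this.audience, this.orgResourceID, headerKid,
                            this.jku, this.mayAct, this.externalIdentityId));
                }
            }
            return new JwsContainer(mainToken, tokensByUser, publicKeyFile, keyPair.getPublic(),
                    generatedKid);
        }
    }

    /**
     * Result of {@link Builder#build()}: the signed tokens plus the material needed to verify them.
     */
    public static class JwsContainer {
        private final String jwsToken;
        private final File publicKeyFile;
        private final Map<Integer, String> userTokens;
        private final PublicKey key;
        private final String kid;

        /** Creates a container without a verification key or key id (both are {@code null}). */
        public JwsContainer(String jwsToken, Map<Integer, String> userTokens, File publicKeyFile) {
            this(jwsToken, userTokens, publicKeyFile, null, null);
        }

        /**
         * @param jwsToken compact serialization of the main token
         * @param userTokens per-user tokens keyed by user id
         * @param publicKeyFile PEM file holding the verification key
         * @param key the verification key itself
         * @param kid key id associated with the key pair
         */
        public JwsContainer(String jwsToken, Map<Integer, String> userTokens, File publicKeyFile,
                PublicKey key, String kid) {
            this.jwsToken = jwsToken;
            this.userTokens = userTokens;
            this.publicKeyFile = publicKeyFile;
            this.key = key;
            this.kid = kid;
        }

        /** Returns the PEM file containing the public key. */
        public File getPublicKeyFile() {
            return this.publicKeyFile;
        }

        /** Returns the main token in compact serialization; may be {@code null} if signing failed. */
        public String getJwsToken() {
            return this.jwsToken;
        }

        /** Returns the per-user tokens; the map is the container's own instance, not a copy. */
        public Map<Integer, String> userTokens() {
            return this.userTokens;
        }

        /** Returns the public key matching the signing key, or {@code null} if none was supplied. */
        public PublicKey verificationKey() {
            return this.key;
        }

        /**
         * Returns the key id. When built through {@link Builder#build()} this is set even if the
         * {@code kid} header was not written to the tokens.
         */
        public String getKid() {
            return this.kid;
        }
    }

    /**
     * Writes {@code publicKey} to {@code file} in PEM form.
     *
     * <p>Decompiler note: the original access level was package-private.
     *
     * @throws IOException if the file cannot be opened or written
     */
    public static void writePemFile(File file, PublicKey publicKey) throws IOException {
        // try-with-resources closes both writers even when writeObject throws.
        try (FileWriter fileWriter = new FileWriter(file);
                JcaPEMWriter pemWriter = new JcaPEMWriter(fileWriter)) {
            pemWriter.writeObject(publicKey);
        }
    }

    /**
     * Generates a new 2048-bit RSA key pair.
     *
     * <p>Decompiler note: the original access level was package-private.
     *
     * @throws Exception if the RSA key pair generator is unavailable
     */
    public static KeyPair generateKeyPair() throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        return generator.genKeyPair();
    }

    /**
     * Builds the claim set and returns it signed with RS256 in compact serialization.
     *
     * <p>Decompiler note: the original access level was private.
     *
     * <p>Claims always written: {@code iss}, {@code jti}, {@code iat}, {@code nbf} (two minutes in
     * the past), {@code orgResourceId}, {@code monitoring=true} and {@code userResourceId}. The
     * latter is {@code "u-" + subject}, which yields {@code "u-null"} when the subject is
     * {@code null}.
     *
     * @param privateKey RSA private key used for signing
     * @param expiration lifetime added to "now" after integer division by 1000 (presumably a
     *     millisecond value; confirm with callers); {@code null} produces a token with no
     *     {@code exp} claim, which a strict verifier is expected to reject
     * @param issuer {@code iss} claim
     * @param subject {@code sub} claim, omitted when {@code null}
     * @param audience {@code aud} claim, omitted when {@code null}
     * @param orgResourceId {@code orgResourceId} claim
     * @param keyId {@code kid} header, omitted when {@code null}
     * @param jku {@code jku} header, omitted when {@code null}
     * @param mayAct JSON text for the {@code may_act} claim, omitted when {@code null}
     * @param externalIdentityId {@code externalIdentityId} claim, omitted when {@code null}
     * @return the compact JWS, or {@code null} if the JOSE library fails to produce it
     * @throws RuntimeException if {@code mayAct} is not valid JSON
     */
    public static String sign(PrivateKey privateKey, Integer expiration, String issuer,
            String subject, String[] audience, String orgResourceId, String keyId, String jku,
            String mayAct, String externalIdentityId) {
        try {
            JwtClaims claims = new JwtClaims();
            claims.setIssuer(issuer);
            if (expiration != null) {
                NumericDate expiresAt = NumericDate.now();
                // Integer division: values below 1000 add zero seconds.
                expiresAt.addSeconds(expiration.intValue() / 1000);
                claims.setExpirationTime(expiresAt);
            }
            claims.setGeneratedJwtId();
            claims.setIssuedAtToNow();
            claims.setNotBeforeMinutesInThePast(2.0f);
            claims.setStringClaim("orgResourceId", orgResourceId);
            if (subject != null) {
                claims.setSubject(subject);
            }
            if (mayAct != null) {
                claims.setClaim("may_act", new JSONParser().parse(mayAct));
            }
            if (audience != null) {
                claims.setAudience(audience);
            }
            if (externalIdentityId != null) {
                claims.setStringClaim("externalIdentityId", externalIdentityId);
            }
            claims.setClaim("monitoring", true);
            claims.setClaim("userResourceId", "u-" + subject);

            JsonWebSignature jws = new JsonWebSignature();
            jws.setPayload(claims.toJson());
            jws.setKey(privateKey);
            jws.setAlgorithmHeaderValue("RS256");
            if (keyId != null) {
                jws.setKeyIdHeaderValue(keyId);
            }
            if (jku != null) {
                jws.setHeader("jku", jku);
            }
            return jws.getCompactSerialization();
        } catch (ParseException e) {
            throw new RuntimeException(e);
        } catch (JoseException e) {
            // Callers receive null on failure; log the cause so the failure is diagnosable.
            log.error("Error creating JWS for test", e);
            return null;
        }
    }
}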
