package io.confluent.kafka.clients.plugins.auth.jwt;

import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.security.util.JwtUtils;
import java.io.Closeable;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/jwt/JwtAuthenticator.class */
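/**
 * Validates compact-serialized JWTs for a single expected issuer and turns accepted
 * tokens into {@link OAuthBearerToken} instances.
 *
 * <p>Signature keys come from the supplied {@link CloseableVerificationKeyResolver};
 * {@link #close()} releases that resolver. Every token must carry an expiration time and a
 * subject. {@code jti} and {@code iat} are required only when switched on through the
 * claim options.
 *
 * <p>NOTE(review): no JWS algorithm allow-list is configured on the consumer, so the
 * library defaults and the key resolver decide which algorithms are accepted. Consider
 * pinning the expected algorithms if the deployment uses a known, fixed set.
 */
public final class JwtAuthenticator implements Closeable {
    // The class is final, so a static logger is equivalent to the per-instance lookup.
    private static final Logger log = LoggerFactory.getLogger(JwtAuthenticator.class);
    private static final String DEFAULT_SCOPE_CLAIM = "scope";
    /** Claim-option key: when mapped to {@code true}, tokens must carry a {@code jti} claim. */
    public static final String JTI_CLAIM_REQUIRED = "jtiRequired";
    /** Claim-option key: when mapped to {@code true}, tokens must carry an {@code iat} claim. */
    public static final String IAT_CLAIM_REQUIRED = "iatRequired";
    private final JwtConsumer jwtConsumer;
    private final String issuer;
    private final CloseableVerificationKeyResolver keyResolver;

    /**
     * Builds an authenticator with explicit claim options.
     *
     * @param str expected issuer; tokens from any other issuer are rejected
     * @param closeableVerificationKeyResolver resolver for signature verification keys
     * @param list expected audiences; {@code null} or empty disables audience validation
     * @param map claim options keyed by {@link #JTI_CLAIM_REQUIRED} and
     *     {@link #IAT_CLAIM_REQUIRED}; an absent or {@code null} value means "not required"
     * @throws IllegalArgumentException if the issuer is null or empty, or {@code map} is null
     * @throws NullPointerException if the key resolver is null
     */
    public JwtAuthenticator(String str, CloseableVerificationKeyResolver closeableVerificationKeyResolver, List<String> list, Map<String, Boolean> map) {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Issuer must not be null or empty");
        }
        if (map == null) {
            throw new IllegalArgumentException("claimOptions must not be null");
        }
        Objects.requireNonNull(closeableVerificationKeyResolver, "keyResolver is a required parameter which must not be null");
        this.issuer = str;
        this.keyResolver = closeableVerificationKeyResolver;

        JwtConsumerBuilder builder = new JwtConsumerBuilder()
                .setVerificationKeyResolver(closeableVerificationKeyResolver)
                .setRequireExpirationTime()
                .setRequireSubject();
        if (isRequired(map, JTI_CLAIM_REQUIRED)) {
            builder.setRequireJwtId();
        }
        if (isRequired(map, IAT_CLAIM_REQUIRED)) {
            builder.setRequireIssuedAt();
        }
        builder.setExpectedIssuer(str);
        if (list == null || list.isEmpty()) {
            // With no audience configured the aud claim is not checked at all, so a token
            // the same issuer minted for a different service is accepted here.
            // NOTE(review): configure an audience wherever the issuer serves more than
            // one relying party.
            builder.setSkipDefaultAudienceValidation();
        } else {
            builder.setExpectedAudience(list.toArray(new String[0]));
        }
        this.jwtConsumer = builder.build();
    }

    /**
     * Builds an authenticator with no optional claim requirements.
     *
     * @param str expected issuer
     * @param closeableVerificationKeyResolver resolver for signature verification keys
     * @param list expected audiences; {@code null} or empty disables audience validation
     * @param z not read by this constructor. NOTE(review): the config-based constructor
     *     forwards {@code audienceRequired()} here, so that setting currently has no
     *     effect; confirm this is intended.
     */
    public JwtAuthenticator(String str, CloseableVerificationKeyResolver closeableVerificationKeyResolver, List<String> list, boolean z) {
        this(str, closeableVerificationKeyResolver, list, Collections.<String, Boolean>emptyMap());
    }

    /**
     * Builds an authenticator that checks issuer, expiry, subject and signature only;
     * audience validation is disabled.
     *
     * @param str expected issuer
     * @param closeableVerificationKeyResolver resolver for signature verification keys
     */
    public JwtAuthenticator(String str, CloseableVerificationKeyResolver closeableVerificationKeyResolver) {
        this(str, closeableVerificationKeyResolver, null, false);
    }

    /**
     * Builds an authenticator from a configuration object.
     *
     * @param jwtAuthenticatorConfig source of issuer, key resolver and audience list
     */
    public JwtAuthenticator(JwtAuthenticatorConfig jwtAuthenticatorConfig) {
        this(jwtAuthenticatorConfig.issuer(), jwtAuthenticatorConfig.verificationKeyResolver(), jwtAuthenticatorConfig.audience(), jwtAuthenticatorConfig.audienceRequired());
    }

    /**
     * Validates a token and builds the bearer token, reading scopes from the named claim.
     *
     * <p>The organisation resource-id claim is read as a single string; any other claim
     * is read as a list of strings.
     *
     * @param str compact-serialized JWT
     * @param str2 name of the claim that holds the scope values
     * @return the validated token
     * @throws JwtVerificationException if the token fails validation or a claim is malformed
     */
    public OAuthBearerToken login(String str, String str2) throws JwtVerificationException {
        try {
            JwtClaims claims = this.jwtConsumer.processToClaims(str);

            HashSet<String> scopes = new HashSet<>();
            if (OAuthBearerJwsToken.OAUTH_ORG_RESOURCE_ID_CLAIM.equals(str2)) {
                // An absent claim must yield an empty scope set, not a set holding null.
                String single = claims.getStringClaimValue(str2);
                if (single != null) {
                    scopes.add(single);
                }
            } else {
                scopes.addAll(claims.getStringListClaimValue(str2));
            }

            long expiresAtMs = claims.getExpirationTime().getValueInMillis();
            String subject = claims.getSubject();
            // iat is optional unless IAT_CLAIM_REQUIRED is set; 0 stands in for "absent".
            Long issuedAtMs = Long.valueOf(claims.getIssuedAt() == null ? 0L : claims.getIssuedAt().getValueInMillis());
            return new OAuthBearerJwsToken(str, scopes, expiresAtMs, subject, issuedAtMs, claims.getClaimsMap(), claims.getIssuer());
        } catch (InvalidJwtException | MalformedClaimException e) {
            // NOTE(review): the library's exception message may embed token or claim
            // content; confirm before enabling debug logging where logs are widely readable.
            log.debug("Failed to process token {}", e.getMessage());
            throw new JwtVerificationException("Failed to validate authentication token : " + JwtUtils.errorMessage(e));
        }
    }

    /**
     * Validates a token, reading scopes from the default {@code scope} claim.
     *
     * @param str compact-serialized JWT
     * @return the validated token
     * @throws JwtVerificationException if the token fails validation
     */
    public OAuthBearerToken login(String str) throws JwtVerificationException {
        return login(str, DEFAULT_SCOPE_CLAIM);
    }

    /**
     * Re-validates the raw value of an existing bearer token against this authenticator.
     *
     * @param oAuthBearerToken token whose {@code value()} is validated
     * @return the validated token
     * @throws JwtVerificationException if the token fails validation
     */
    public OAuthBearerToken login(OAuthBearerToken oAuthBearerToken) throws JwtVerificationException {
        return login(oAuthBearerToken.value(), DEFAULT_SCOPE_CLAIM);
    }

    /**
     * Returns the encoded signature part of a token's compact serialization.
     *
     * <p>This method only parses the token. Nothing here verifies the signature, so the
     * result must not be treated as evidence that the token is authentic.
     *
     * @param oAuthBearerToken token to read
     * @return the encoded signature segment
     * @throws NullPointerException if the token is null
     * @throws IllegalArgumentException if the value cannot be parsed as a JWS
     */
    public static String extractSignature(OAuthBearerToken oAuthBearerToken) {
        Objects.requireNonNull(oAuthBearerToken, "JwtBearerToken must not be null");
        try {
            return JsonWebSignature.fromCompactSerialization(oAuthBearerToken.value()).getEncodedSignature();
        } catch (Exception e) {
            throw new IllegalArgumentException("Invalid JWS", e);
        }
    }

    /** Returns the issuer this authenticator accepts. */
    public String issuer() {
        return this.issuer;
    }

    /**
     * Closes the underlying verification key resolver.
     *
     * @throws IOException if the resolver fails to close
     */
    @Override
    public void close() throws IOException {
        this.keyResolver.close();
    }

    /** Reads a claim-option flag; a missing key or a null value counts as "not required". */
    private static boolean isRequired(Map<String, Boolean> claimOptions, String key) {
        // Boolean.TRUE.equals avoids the unboxing NPE a null map value would cause.
        return Boolean.TRUE.equals(claimOptions.get(key));
    }
}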
