package io.confluent.kafka.server.plugins.auth.oauth;

import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.auth.store.data.JwtIssuerKey;
import io.confluent.security.trustservice.store.TrustCache;
import io.confluent.security.util.SecurityContext;
import java.security.Key;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import org.apache.kafka.common.utils.Utils;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/oauth/KafkaVerificationKeyResolver.class */
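/**
 * jose4j {@link VerificationKeyResolver} that looks up the JWS verification key in the
 * broker-side {@link TrustCache} (obtained from the {@link AuthStore} for this session).
 *
 * <p>Two lookup modes exist, selected by the {@code unionOfPools} flag in the
 * {@link SecurityContext}:
 * <ul>
 *   <li>default: the key set is addressed by {@code (issuer, jwksEndpoint)} where
 *       {@code jwksEndpoint} comes from the context;</li>
 *   <li>{@code unionOfPools}: every identity provider behind the configured
 *       {@code identityPoolId}s (or all providers of {@code orgId} when none are set) is tried
 *       in turn, and the matching {@code providerId} is recorded back into the context.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The issuer is read from the <em>unverified</em> payload and the {@code kid} from the
 *       unverified header. They are only used to select a key set that is already present in
 *       the trust cache; an attacker cannot introduce a new key set this way, but the caller's
 *       JwtConsumer must still verify the signature with the returned key and validate
 *       {@code iss} after verification.</li>
 *   <li>The JWS {@code alg} header is not compared with the JWK here (lookup is by
 *       {@code kid} only, with no {@code use}/{@code alg} filter). Permitted algorithms must
 *       be constrained by the consumer that owns this resolver — not visible in this file.</li>
 *   <li>The exception messages embed the raw token header; make sure they are not echoed to
 *       the client unchanged (caller behaviour is not visible here).</li>
 * </ul>
 *
 * <p>Not thread-safe by design: {@link #trustCache} is initialised lazily without
 * synchronisation. A concurrent first call would resolve it twice (the result is then
 * overwritten, presumably with an equivalent instance — verify if this resolver is shared).
 */
public class KafkaVerificationKeyResolver implements VerificationKeyResolver {
    private static final Logger log = LoggerFactory.getLogger(KafkaVerificationKeyResolver.class);
    // Kept for parity with the original; not read by any method in this class.
    private final String name;
    private final String sessionUuid;
    // Resolved on first use, see resolveTrustCache().
    private TrustCache trustCache = null;
    private final SecurityContext context;

    /**
     * @param name            descriptive name of this resolver (not used for lookups)
     * @param sessionUuid     session id used to find the {@link AuthStore} instance
     * @param securityContext per-request context; may be {@code null}, in which case only the
     *                        default (non-union) lookup is possible and request ids log as -1
     */
    public KafkaVerificationKeyResolver(String name, String sessionUuid, SecurityContext securityContext) {
        this.name = name;
        this.sessionUuid = sessionUuid;
        this.context = securityContext;
    }

    /**
     * Fetches the trust cache for {@link #sessionUuid}.
     *
     * @throws NullPointerException if no {@link AuthStore} is registered for the session
     */
    private TrustCache resolveTrustCache() {
        AuthStore store = Objects.requireNonNull(AuthStore.getInstance(this.sessionUuid));
        return store.trustCache();
    }

    /**
     * Resolves the public key that jose4j will use to verify {@code jws}.
     *
     * @param jws            the signature whose key is needed; payload and header are still
     *                       unverified at this point
     * @param nestingContext nesting context supplied by jose4j (unused)
     * @return the verification key; never {@code null}
     * @throws UnresolvableKeyException if the token has no {@code kid}, the issuer cannot be
     *                                  parsed, or no cached key set holds a matching key
     */
    @Override
    public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
            throws UnresolvableKeyException {
        try {
            // Untrusted: taken from the unverified payload, used only to pick a cached key set.
            String issuer = JwtClaims.parse(jws.getUnverifiedPayload()).getIssuer();
            if (this.trustCache == null) {
                this.trustCache = resolveTrustCache();
            }
            String headerJson = jws.getHeaders().getFullHeaderAsJsonString();
            String kid = jws.getHeaders().getStringHeaderValue("kid");
            if (kid == null) {
                // The header is attacker-controlled, so it goes in as a log *argument*, never
                // concatenated into the format string. (The previous version concatenated it,
                // which mis-assigned the placeholders — the header slot received the request id
                // and "Req id: {}" was left unfilled — and let a "{}" inside the header act as
                // a placeholder.)
                log.debug("Unable to find kid field in the token with header {}. Req id: {}", headerJson, getReqId());
                throw new UnresolvableKeyException("Cannot find kid field in the token with header " + headerJson);
            }
            if (unionOfPools()) {
                return resolveAcrossPools(issuer, kid, jws);
            }
            return resolveFromConfiguredEndpoint(issuer, kid, jws);
        } catch (MalformedClaimException | InvalidJwtException e) {
            throw new UnresolvableKeyException("Cannot get issuer payload from jws with error ", e);
        }
    }

    /** True when the context asks for the union-of-pools lookup; false without a context. */
    private boolean unionOfPools() {
        return Optional.ofNullable(this.context)
                .map(ctx -> ctx.boolVal("unionOfPools", false))
                .orElse(false);
    }

    /** Default mode: one key set addressed by the issuer and the context's jwksEndpoint. */
    private Key resolveFromConfiguredEndpoint(String issuer, String kid, JsonWebSignature jws)
            throws UnresolvableKeyException {
        // A missing endpoint collapses to "" rather than null so the cache key is still formed.
        String endpoint = Optional.ofNullable(this.context)
                .map(ctx -> ctx.strVal("jwksEndpoint", (String) null, true))
                .orElse("");
        if (issuer != null && !issuer.equals("Confluent") && Utils.isBlank(endpoint)) {
            log.warn("JwksEndpoint for issuer {} not found in context. Req id: {}", issuer, getReqId());
        }
        String cacheKey = JwtIssuerKey.cacheKeyV2(issuer, endpoint);
        JsonWebKeySet keySet = this.trustCache.jsonWebKeySet(cacheKey);
        if (keySet == null) {
            log.error("Unable to find key {} data entry in Auth Cache. Req id: {}", cacheKey, getReqId());
            throw new UnresolvableKeyException("Cannot find key " + cacheKey + " data in the system.");
        }
        // Matched by kid only — no key-type, use or alg filter is applied here.
        JsonWebKey jwk = keySet.findJsonWebKey(kid, (String) null, (String) null, (String) null);
        if (jwk == null) {
            log.error("Unable to find verification key with kid {} from key {} in Auth Cache. Req id: {}",
                    kid, cacheKey, getReqId());
            throw new UnresolvableKeyException(
                    "Unable to find a suitable verification key for JWS w/ header "
                            + jws.getHeaders().getFullHeaderAsJsonString());
        }
        return validateKey(jwk.getKey(), jwk, jws);
    }

    /**
     * Union mode: try the key set of every identity provider reachable from the configured
     * identity pools (or from the whole org when no pool is configured). Requires a non-null
     * context, which {@link #unionOfPools()} guarantees.
     */
    private Key resolveAcrossPools(String issuer, String kid, JsonWebSignature jws)
            throws UnresolvableKeyException {
        String poolIdList = this.context.strVal("identityPoolId", (String) null, true);
        String orgId = this.context.strVal("orgId", (String) null, true);
        // NOTE(review): an empty-but-non-null identityPoolId splits to [""] and is therefore
        // NOT treated as "no pool configured"; identityPool("") is then looked up. Whether that
        // returns null (-> NPE here) or a pool is not visible from this file — confirm.
        List<String> poolIds = poolIdList == null
                ? new ArrayList<>()
                : Arrays.asList(poolIdList.split(","));
        HashSet<String> providerIds = new HashSet<>();
        if (poolIds.isEmpty()) {
            providerIds.addAll(this.trustCache.findIdentityProviderIds(orgId));
        } else {
            for (String poolId : poolIds) {
                providerIds.add(this.trustCache.identityPool(poolId).providerId());
            }
        }
        for (String providerId : providerIds) {
            String endpoint = this.trustCache.identityProvider(providerId).jwksEndpoint();
            JsonWebKeySet keySet = this.trustCache.jsonWebKeySet(JwtIssuerKey.cacheKeyV2(issuer, endpoint));
            if (keySet == null) {
                continue;
            }
            // Matched by kid only — no key-type, use or alg filter is applied here.
            JsonWebKey jwk = keySet.findJsonWebKey(kid, (String) null, (String) null, (String) null);
            if (jwk == null) {
                continue;
            }
            // Record which provider supplied the key so downstream authorization can use it.
            this.context.add("providerId", providerId);
            return validateKey(jwk.getKey(), jwk, jws);
        }
        log.error("Unable to find valid verification key with kid {} for org {} in Auth Cache. Req id: {}",
                kid, orgId, getReqId());
        throw new UnresolvableKeyException(
                "Unable to find a suitable verification key for JWS w/ header "
                        + jws.getHeaders().getFullHeaderAsJsonString());
    }

    /**
     * Returns {@code key} if present; otherwise logs the offending JWK and fails closed.
     *
     * @throws UnresolvableKeyException when the JWK carried no usable key material
     */
    private Key validateKey(Key key, JsonWebKey jwk, JsonWebSignature jws) throws UnresolvableKeyException {
        if (key != null) {
            return key;
        }
        log.error("Unable to retrieve public key from JsonWebKey: {}. Req id: {}", jwk, getReqId());
        throw new UnresolvableKeyException(
                "Unable to find a suitable verification key for JWS w/ header "
                        + jws.getHeaders().getFullHeaderAsJsonString());
    }

    /** Request id from the context for log correlation; -1 when there is no context. */
    private long getReqId() {
        return this.context == null ? -1L : this.context.getReqId();
    }
}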
