package io.confluent.kafka.clients.plugins.auth.jwt;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
import io.confluent.kafka.clients.plugins.auth.http.JerseyHttpTestServer;
import io.confluent.kafka.clients.plugins.auth.http.entities.ProviderMetadataResponse;
import io.confluent.kafka.clients.plugins.auth.http.entities.TokenResponse;
import io.confluent.kafka.clients.plugins.auth.http.resources.TestJwtProvider;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.glassfish.jersey.internal.inject.AbstractBinder;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/jwt/ValidationKeyResolverTest.class */
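/**
 * Tests for JWT verification-key resolution ({@code kid}, {@code jku}) and audience validation
 * against a local identity-provider stub.
 *
 * <p>A {@link JerseyHttpTestServer} is started once per class. It registers {@link TestJwtProvider}
 * and injects one shared {@link TestJwkProvider}. Tests create, rotate and delete keys in that
 * shared store, so the key set visible to a test depends on what earlier tests left behind.
 *
 * <p>Security-relevant behaviour pinned by this class:
 * <ul>
 *   <li>the {@code jku} header travels inside the token, so the domain allowlist passed to
 *       {@link JkuVerificationKeyResolver} is the control under test; an empty allowlist is
 *       rejected at construction time;</li>
 *   <li>a key removed from the JWKS stops verifying tokens once the key set is refreshed;</li>
 *   <li>a token issued without an {@code aud} parameter is accepted even when an expected
 *       audience is configured (see {@link #testAudVerificationNullAud()}).</li>
 * </ul>
 *
 * <p>NOTE(review): the resolvers and {@link AsyncHttpsJwks} instances created by the tests are
 * never closed, although both resolver types expose {@code close()}. Confirm whether they own
 * background refresh resources that should be released per test.
 */
public final class ValidationKeyResolverTest {
    /** Discovery document path served by the test provider. */
    private static final String DISCOVERY_PATH = "/.well-known/openid-configuration";

    /** Message used whenever waiting for the JWKS fails. */
    private static final String JWKS_NOT_READY = "HttpsJwks failed to become ready before timeout";

    // Local HTTP server hosting the test provider; started in setUp, stopped in tearDown.
    private static JerseyHttpTestServer server;
    // Base URI of the running test server.
    private static URI providerURI;
    // Mapper shared by the server's JSON provider and by getResource.
    private static ObjectMapper objectMapper;
    // Key store injected into the test provider; mutated by individual tests.
    private static TestJwkProvider jwks;
    // Discovery metadata fetched once from the running server.
    private static ProviderMetadataResponse providerContext;

    /**
     * Starts the test provider and caches its discovery metadata.
     *
     * @throws Exception if the server cannot start or the discovery document cannot be read
     */
    @BeforeClass
    public static void setUp() throws Exception {
        objectMapper = new ObjectMapper()
                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false)
                .registerModule(new Jdk8Module());
        jwks = new TestJwkProvider();
        // Seed a key under the empty kid; the "no kid" tests resolve against it.
        jwks.createJwkIfAbsent("");
        server = new JerseyHttpTestServer(resourceConfig -> {
            resourceConfig.register(TestJwtProvider.class);
            resourceConfig.register(new JacksonJaxbJsonProvider(objectMapper, JacksonJaxbJsonProvider.DEFAULT_ANNOTATIONS));
            resourceConfig.register(new AbstractBinder() {
                @Override
                protected void configure() {
                    bind(jwks).to(TestJwkProvider.class);
                }
            });
        });
        server.start();
        providerURI = server.getURI();
        providerContext = getResource(newURI(providerURI, DISCOVERY_PATH), ProviderMetadataResponse.class);
    }

    /**
     * Stops the test server if it was started.
     *
     * @throws Exception if the server fails to stop
     */
    @AfterClass
    public static void tearDown() throws Exception {
        if (server != null) {
            server.stop();
        }
    }

    /** The discovery document advertises the server URI as issuer and {@code /jwks.json} as JWKS URI. */
    @Test
    public void testProviderDiscovery() throws IOException {
        ProviderMetadataResponse actual = getResource(newURI(providerURI, DISCOVERY_PATH), ProviderMetadataResponse.class);
        ProviderMetadataResponse expected = ProviderMetadataResponse.builder()
                .issuer(providerURI)
                .jwksURI(providerURI.resolve("/jwks.json"))
                .build();
        Assert.assertEquals(expected.issuer, actual.issuer);
        Assert.assertEquals(expected.jwksURI.get(), actual.jwksURI.orElse(null));
    }

    /** A kid that is absent from the JWKS must not resolve to any key. */
    @Test
    public void testVerificationKeyResolverUnknownKid() {
        jwks.deleteJwk("mysteryKID");
        VerificationKeyResolver resolver = newKeyResolver(newHttpsJwks(providerContext.jwksURI.get()), true);
        Assert.assertThrows(UnresolvableKeyException.class, () -> {
            resolver.resolveKey(newRsaJws("mysteryKID"), Collections.emptyList());
        });
    }

    /** A kid present in the JWKS resolves to exactly that key. */
    @Test
    public void testVerificationKeyResolverKnownKid() throws Exception {
        JsonWebKey expectedJwk = jwks.createJwkIfAbsent("k1");
        VerificationKeyResolver resolver = newKeyResolver(newHttpsJwks(providerContext.jwksURI.get()), true);
        Assert.assertEquals(expectedJwk.getKey(), resolver.resolveKey(newRsaJws("k1"), Collections.emptyList()));
    }

    /** Without a kid, a key set fetched from the single-key endpoint resolves to that one key. */
    @Test
    public void testVerificationKeyResolverNoKidSingleJwk() throws Exception {
        JsonWebKey expectedJwk = jwks.createJwkIfAbsent("k1");
        URI singleKeyUri = new URI(providerContext.issuer + "/jwks/k1.json");
        VerificationKeyResolver resolver = newKeyResolver(newHttpsJwks(singleKeyUri), true);
        Assert.assertEquals(expectedJwk.getKey(), resolver.resolveKey(newRsaJws(""), Collections.emptyList()));
    }

    /** Without a kid and with several keys published, resolution fails instead of picking one. */
    @Test
    public void testVerificationKeyResolverNoKidMultiJwk() throws Exception {
        jwks.createJwkIfAbsent("k1");
        jwks.createJwkIfAbsent("k2");
        VerificationKeyResolver resolver = newKeyResolver(newHttpsJwks(providerContext.jwksURI.get()), true);
        Assert.assertThrows(UnresolvableKeyException.class, () -> {
            resolver.resolveKey(newRsaJws(""), Collections.emptyList());
        });
    }

    /** With the resolver flag set to false, a kid-less RS256 header resolves to the empty-kid key. */
    @Test
    public void testAmbiguousVerificationKeyNoKidKnownAlg() throws Exception {
        JsonWebKey expectedJwk = jwks.createJwkIfAbsent("");
        VerificationKeyResolver resolver = newKeyResolver(newHttpsJwks(providerContext.jwksURI.get()), false);
        Assert.assertEquals(expectedJwk.getKey(), resolver.resolveKey(newRsaJws(""), Collections.emptyList()));
    }

    /** Even with the resolver flag set to false, an unknown kid does not fall back to another key. */
    @Test
    public void testAmbiguousVerificationKeyUnknownKidKnownAlg() {
        jwks.deleteJwk("invalidKid");
        VerificationKeyResolver resolver = newKeyResolver(newHttpsJwks(providerContext.jwksURI.get()), false);
        Assert.assertThrows(UnresolvableKeyException.class, () -> {
            resolver.resolveKey(newRsaJws("invalidKid"), Collections.emptyList());
        });
    }

    /** A kid-less ES256 header finds no key with the resolver flag set to false. */
    @Test
    public void testAmbiguousVerificationKeyNoKidUnknownAlg() {
        VerificationKeyResolver resolver = newKeyResolver(newHttpsJwks(providerContext.jwksURI.get()), false);
        Assert.assertThrows(UnresolvableKeyException.class, () -> {
            resolver.resolveKey(newEcsJws(""), Collections.emptyList());
        });
    }

    /**
     * A known kid combined with ES256 is rejected: the header algorithm must fit the published
     * key, so a matching kid alone is not enough.
     */
    @Test
    public void testAmbiguousVerificationKeyValidKidUnknownAlg() {
        jwks.createJwkIfAbsent("k1");
        VerificationKeyResolver resolver = newKeyResolver(newHttpsJwks(providerContext.jwksURI.get()), false);
        Assert.assertThrows(UnresolvableKeyException.class, () -> {
            resolver.resolveKey(newEcsJws("k1"), Collections.emptyList());
        });
    }

    /** A jku whose host is on the allowlist ("localhost") resolves the key named by the kid. */
    @Test
    public void testJkuVerificationKey() throws Exception {
        JsonWebKey expectedJwk = jwks.createJwkIfAbsent("k1");
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        JkuVerificationKeyResolver resolver = new JkuVerificationKeyResolver(
                jkuUrl -> httpsJwks, Collections.singletonList("localhost"), false, true);
        httpsJwks.syncRefresh();
        Assert.assertEquals(expectedJwk.getKey(), resolver.resolveKey(newRsaJws("k1"), Collections.emptyList()));
    }

    /**
     * A leading-dot allowlist entry matches sub-domains on a label boundary only.
     *
     * <p>NOTE(review): coverage here is limited to https URLs whose host either ends with the
     * entry or does not. There is no case for a non-https scheme, nor for a URL that carries the
     * allowlisted name somewhere other than the end of the host. Consider adding both as
     * negative cases.
     */
    @Test
    public void testJkuVerificationKeyRelativeDomain() {
        List<String> allowlist = Collections.singletonList(".localhost.com");
        String directSubdomain = "https://test.localhost.com:8090";
        String nestedSubdomain = "https://testing.1.2.3.localhost.com:8090";
        String lookalikeDomain = "https://test.not_localhost.com:8090";
        String differentTld = "https://test.localhost:8090";

        Assert.assertTrue(
                String.format("%s should be valid with domain whitelist %s", directSubdomain, allowlist),
                JkuVerificationKeyResolver.hasValidJkuDomain(allowlist, "https", directSubdomain));
        Assert.assertTrue(
                String.format("%s should be valid with domain whitelist %s", nestedSubdomain, allowlist),
                JkuVerificationKeyResolver.hasValidJkuDomain(allowlist, "https", nestedSubdomain));
        // "not_localhost.com" ends with "localhost.com" but not with ".localhost.com".
        Assert.assertFalse(
                String.format("%s should be invalid with domain whitelist %s", lookalikeDomain, allowlist),
                JkuVerificationKeyResolver.hasValidJkuDomain(allowlist, "https", lookalikeDomain));
        Assert.assertFalse(
                String.format("%s should be invalid with domain whitelist %s", differentTld, allowlist),
                JkuVerificationKeyResolver.hasValidJkuDomain(allowlist, "https", differentTld));
        // Repeats the previous check with a freshly built, equal allowlist.
        Assert.assertFalse(
                String.format("%s should be invalid with domain whitelist %s", differentTld, allowlist),
                JkuVerificationKeyResolver.hasValidJkuDomain(Collections.singletonList(".localhost.com"), "https", differentTld));
    }

    /** A jku whose host is not on the allowlist is rejected before any key is used. */
    @Test
    public void testJkuVerificationKeyInvalidDomain() {
        jwks.createJwkIfAbsent("k1");
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        JkuVerificationKeyResolver resolver = new JkuVerificationKeyResolver(
                jkuUrl -> httpsJwks, Collections.singletonList("mysteryIssuer"), false, true);
        httpsJwks.syncRefresh();
        UnresolvableKeyException rejection = Assert.assertThrows(UnresolvableKeyException.class, () -> {
            resolver.resolveKey(newRsaJws("k1"), Collections.emptyList());
        });
        Assert.assertTrue(rejection.getLocalizedMessage().startsWith("Invalid jku:"));
    }

    /** An empty allowlist is a configuration error rather than "allow everything". */
    @Test
    public void testJkuVerificationKeyEmptyDomainWhitelist() {
        jwks.createJwkIfAbsent("k1");
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        Assert.assertThrows(ConfigException.class, () -> {
            new JkuVerificationKeyResolver(jkuUrl -> httpsJwks, Collections.emptyList(), false, true);
        });
    }

    /** A closed jku resolver refuses further lookups. */
    @Test
    public void testJkuVerificationKeyShutdown() throws IOException {
        jwks.createJwkIfAbsent("k1");
        JkuVerificationKeyResolver resolver = new JkuVerificationKeyResolver(Collections.singletonList("localhost"), true);
        resolver.close();
        Assert.assertThrows(IllegalStateException.class, () -> {
            resolver.resolveKey(newRsaJws("k1"), Collections.emptyList());
        });
    }

    /** A closed JWKS-backed resolver refuses further lookups. */
    @Test
    public void testAsyncHttpsJwksVerificationKeyResolverShutdown() throws IOException {
        jwks.createJwkIfAbsent("k1");
        AsyncHttpsJwksVerificationKeyResolver resolver =
                new AsyncHttpsJwksVerificationKeyResolver(newHttpsJwks(providerContext.jwksURI.get()));
        resolver.close();
        Assert.assertThrows(IllegalStateException.class, () -> {
            resolver.resolveKey(newRsaJws("k1"), Collections.emptyList());
        });
    }

    /** A token whose audience equals the expected audience logs in. */
    @Test
    public void testAudVerificationValidAud() throws Exception {
        Map<String, String> params = tokenParams("kid", "k1", "aud", "kafka");
        jwks.createJwkIfAbsent(params.get("kid"));
        TokenResponse tokenResponse = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true);
        awaitJwks(httpsJwks);
        new JwtAuthenticator(providerContext.issuer, resolver, params.get("aud")).login(tokenResponse.idToken);
    }

    /** The extracted signature equals the third dot-separated segment of the compact token. */
    @Test
    public void testJwtAuthenticatorExtractSignature() throws IOException, JwtVerificationException {
        TokenResponse tokenResponse = getResource(
                newURI(providerContext.tokenURI.get(), new HashMap<String, String>()), TokenResponse.class);
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true);
        awaitJwks(httpsJwks);
        OAuthBearerToken verified = new JwtAuthenticator(providerContext.issuer, resolver, (String) null).login(tokenResponse.idToken);
        Assert.assertEquals(verified.value().split("\\.")[2], JwtAuthenticator.extractSignature(verified));
    }

    /**
     * A token requested with {@code sigAlg=none} yields an empty extracted signature.
     *
     * <p>NOTE(review): the token is wrapped in {@link UnverifiedJwtBearerToken} and never passed
     * to {@code JwtAuthenticator.login}, so nothing here asserts that an unsigned token is
     * rejected at login. Add that negative test once the expected exception is confirmed.
     */
    @Test
    public void testJwtAuthenticatorExtractEmptySignature() throws IOException {
        TokenResponse tokenResponse = getResource(
                newURI(providerContext.tokenURI.get(), tokenParams("sigAlg", "none")), TokenResponse.class);
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        // Result is unused; kept because construction may have side effects on httpsJwks — TODO confirm.
        new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true);
        awaitJwks(httpsJwks);
        Assert.assertTrue(JwtAuthenticator.extractSignature(new UnverifiedJwtBearerToken(tokenResponse.idToken)).isEmpty());
    }

    /** A token listing several audiences logs in when one of them is the expected audience. */
    @Test
    public void testAudVerificationMultiAudMatch() throws Exception {
        Map<String, String> params = tokenParams("kid", "k1", "aud", "kafka, ksql");
        jwks.createJwkIfAbsent(params.get("kid"));
        TokenResponse tokenResponse = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true);
        awaitJwks(httpsJwks);
        new JwtAuthenticator(providerContext.issuer, resolver, "kafka").login(tokenResponse.idToken);
    }

    /** A token listing several audiences is rejected when none is the expected audience. */
    @Test
    public void testAudVerificationMultiAudNoMatch() throws Exception {
        Map<String, String> params = tokenParams("kid", "k1", "aud", "notKafka, ksql");
        jwks.createJwkIfAbsent(params.get("kid"));
        TokenResponse tokenResponse = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true);
        awaitJwks(httpsJwks);
        JwtAuthenticator authenticator = new JwtAuthenticator(providerContext.issuer, resolver, "kafka");
        Assert.assertThrows(JwtVerificationException.class, () -> {
            authenticator.login(tokenResponse.idToken);
        });
    }

    /**
     * A token requested without an {@code aud} parameter logs in although the authenticator
     * expects audience "kafka".
     *
     * <p>NOTE(review): this pins accept-when-absent behaviour (presumably the provider then emits
     * no {@code aud} claim — verify against {@code TestJwtProvider}). Confirm this is the intended
     * policy: with it, audience restriction only protects against tokens that name a different
     * audience, not against tokens that name none.
     */
    @Test
    public void testAudVerificationNullAud() throws Exception {
        Map<String, String> params = tokenParams("kid", "k1");
        jwks.createJwkIfAbsent(params.get("kid"));
        TokenResponse tokenResponse = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true);
        awaitJwks(httpsJwks);
        new JwtAuthenticator(providerContext.issuer, resolver, "kafka").login(tokenResponse.idToken);
    }

    /** A token requested with an empty {@code aud} is rejected when an audience is expected. */
    @Test
    public void testAudVerificationEmptyAud() throws Exception {
        Map<String, String> params = tokenParams("kid", "k1", "aud", "");
        jwks.createJwkIfAbsent(params.get("kid"));
        TokenResponse tokenResponse = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true);
        awaitJwks(httpsJwks);
        JwtAuthenticator authenticator = new JwtAuthenticator(providerContext.issuer, resolver, "kafka");
        Assert.assertThrows(JwtVerificationException.class, () -> {
            authenticator.login(tokenResponse.idToken);
        });
    }

    /** A token for a different audience is rejected. */
    @Test
    public void testAudVerificationInvalidAud() throws Exception {
        Map<String, String> params = tokenParams("kid", "k1", "aud", "notKafka");
        jwks.createJwkIfAbsent(params.get("kid"));
        TokenResponse tokenResponse = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true);
        awaitJwks(httpsJwks);
        JwtAuthenticator authenticator = new JwtAuthenticator(providerContext.issuer, resolver, "kafka");
        Assert.assertThrows(JwtVerificationException.class, () -> {
            authenticator.login(tokenResponse.idToken);
        });
    }

    /**
     * After a key is rotated under the same kid, the token issued before rotation fails and the
     * token issued after rotation logs in.
     *
     * <p>NOTE(review): the rejection of the pre-rotation token is asserted before
     * {@code awaitJwks}, so from this file alone it is not clear whether it fails because of the
     * rotated key or because the key set has not loaded yet. Re-checking the old token after
     * {@code awaitJwks} would remove the ambiguity.
     */
    @Test
    public void testJwtAuthenticatorRotatedValidationKey() throws Exception {
        Map<String, String> params = tokenParams("kid", "k1", "aud", "kafka");
        jwks.createJwkIfAbsent(params.get("kid"));
        TokenResponse beforeRotation = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        jwks.rotateJwk(params.get("kid"));
        TokenResponse afterRotation = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        JwtAuthenticator authenticator = new JwtAuthenticator(
                providerContext.issuer, new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true), params.get("aud"));
        Assert.assertThrows(JwtVerificationException.class, () -> {
            authenticator.login(beforeRotation.idToken);
        });
        awaitJwks(httpsJwks);
        authenticator.login(afterRotation.idToken);
    }

    /** A key published after the key set was loaded only verifies tokens after a refresh. */
    @Test
    public void testJwtAuthenticatorNewValidationKey() throws Exception {
        Map<String, String> params = tokenParams("kid", "newKey", "aud", "kafka");
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true);
        awaitJwks(httpsJwks);
        JwtAuthenticator authenticator = new JwtAuthenticator(providerContext.issuer, resolver, params.get("aud"));
        // The key is created only after the key set has been loaded.
        jwks.createJwkIfAbsent(params.get("kid"));
        TokenResponse tokenResponse = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        Assert.assertThrows(JwtVerificationException.class, () -> {
            authenticator.login(tokenResponse.idToken);
        });
        httpsJwks.syncRefresh();
        authenticator.login(tokenResponse.idToken);
    }

    /** A token that verified once is rejected after its key is deleted and the key set refreshed. */
    @Test
    public void testJwtAuthenticatorRevokedValidationKey() throws Exception {
        Map<String, String> params = tokenParams("kid", "revoked", "aud", "kafka");
        jwks.createJwkIfAbsent(params.get("kid"));
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true);
        awaitJwks(httpsJwks);
        JwtAuthenticator authenticator = new JwtAuthenticator(providerContext.issuer, resolver, params.get("aud"));
        TokenResponse tokenResponse = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        authenticator.login(tokenResponse.idToken);
        jwks.deleteJwk(params.get("kid"));
        httpsJwks.syncRefresh();
        Assert.assertThrows(JwtVerificationException.class, () -> {
            authenticator.login(tokenResponse.idToken);
        });
    }

    /**
     * Same revoked-key scenario as {@link #testJwtAuthenticatorRevokedValidationKey()}, except
     * that the key set is awaited before the resolver is constructed.
     *
     * <p>NOTE(review): despite its name this test never touches an OAuth bearer validator
     * callback handler; it drives {@link JwtAuthenticator} directly.
     */
    @Test
    public void testOAuthBearerValidatorCallbackHandler() throws Exception {
        Map<String, String> params = tokenParams("kid", "revoked", "aud", "kafka");
        jwks.createJwkIfAbsent(params.get("kid"));
        AsyncHttpsJwks httpsJwks = newHttpsJwks(providerContext.jwksURI.get());
        awaitJwks(httpsJwks);
        JwtAuthenticator authenticator = new JwtAuthenticator(
                providerContext.issuer, new AsyncHttpsJwksVerificationKeyResolver(httpsJwks, true), params.get("aud"));
        TokenResponse tokenResponse = getResource(newURI(providerContext.tokenURI.get(), params), TokenResponse.class);
        authenticator.login(tokenResponse.idToken);
        jwks.deleteJwk(params.get("kid"));
        httpsJwks.syncRefresh();
        Assert.assertThrows(JwtVerificationException.class, () -> {
            authenticator.login(tokenResponse.idToken);
        });
    }

    /**
     * Builds the query parameters sent to the token endpoint.
     *
     * @param keyValuePairs alternating parameter names and values
     * @return a mutable map holding the given pairs
     * @throws IllegalArgumentException if an odd number of strings is supplied
     */
    private static Map<String, String> tokenParams(String... keyValuePairs) {
        if (keyValuePairs.length % 2 != 0) {
            throw new IllegalArgumentException("Expected name/value pairs but got " + keyValuePairs.length + " strings");
        }
        Map<String, String> params = new HashMap<>();
        for (int i = 0; i < keyValuePairs.length; i += 2) {
            params.put(keyValuePairs[i], keyValuePairs[i + 1]);
        }
        return params;
    }

    /**
     * Fetches {@code uri} and deserializes the JSON body into {@code cls}.
     *
     * @throws IOException if the resource cannot be read or parsed
     */
    private static <T> T getResource(URI uri, Class<T> cls) throws IOException {
        return objectMapper.readValue(uri.toURL(), cls);
    }

    /** Returns {@code uri} with its path replaced by {@code str} and no query. */
    private static URI newURI(URI uri, String str) {
        return newURI(uri, str, null);
    }

    /** Returns {@code uri} with its own path and {@code map} rendered as the query string. */
    private static URI newURI(URI uri, Map<String, String> map) {
        return newURI(uri, uri.getPath(), map);
    }

    /**
     * Rebuilds {@code uri} from its scheme and authority with the given path and optional query.
     *
     * @param uri source of scheme and authority
     * @param str path of the new URI
     * @param map query parameters, or {@code null} for no query
     * @throws RuntimeException if the query cannot be encoded or the parts do not form a valid URI
     */
    private static URI newURI(URI uri, String str, Map<String, String> map) {
        // The URI constructor throws the checked URISyntaxException, so it belongs inside the
        // try together with the query encoding.
        try {
            String queryString = (map == null) ? null : toQueryString(map);
            return new URI(uri.getScheme(), uri.getAuthority(), str, queryString, null);
        } catch (java.net.URISyntaxException | RuntimeException e) {
            throw new RuntimeException("Failed convert URI", e);
        }
    }

    /** URL-encodes {@code str} as UTF-8. */
    private static String urlEncode(String str) {
        try {
            return URLEncoder.encode(str, StandardCharsets.UTF_8.toString());
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("Unable to convert map to query params", e);
        }
    }

    /** Joins the entries as {@code name=value} pairs with {@code &}; values are trimmed and encoded, names are not. */
    private static String toQueryString(Map<String, String> map) {
        return map.entrySet().stream()
                .map(entry -> entry.getKey() + "=" + urlEncode(entry.getValue().trim()))
                .collect(Collectors.joining("&"));
    }

    /** Builds an unsigned JWS header set using RS256; an empty {@code str} means "no kid". */
    private static JsonWebSignature newRsaJws(String str) {
        return newJws(str, "RS256");
    }

    /** Builds an unsigned JWS header set using ES256; an empty {@code str} means "no kid". */
    private static JsonWebSignature newEcsJws(String str) {
        return newJws(str, "ES256");
    }

    /**
     * Builds a JWS carrying only the headers the resolvers inspect.
     *
     * @param str key id to set; the kid header is omitted when this is empty
     * @param str2 value of the alg header
     */
    private static JsonWebSignature newJws(String str, String str2) {
        Objects.requireNonNull(str);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setAlgorithmHeaderValue(str2);
        // jku always points at the test server's JWKS endpoint.
        jws.setHeader("jku", providerContext.jwksURI.get().toString());
        if (!str.isEmpty()) {
            jws.setKeyIdHeaderValue(str);
        }
        return jws;
    }

    /**
     * Creates a JWKS-backed resolver and waits until its key set is populated.
     *
     * @param asyncHttpsJwks key set the resolver reads from
     * @param resolverFlag passed unchanged as the resolver's boolean constructor argument; the
     *     tests named "Ambiguous…" pass {@code false}
     */
    private static VerificationKeyResolver newKeyResolver(AsyncHttpsJwks asyncHttpsJwks, boolean resolverFlag) {
        AsyncHttpsJwksVerificationKeyResolver resolver = new AsyncHttpsJwksVerificationKeyResolver(asyncHttpsJwks, resolverFlag);
        awaitJwks(asyncHttpsJwks);
        return resolver;
    }

    /** Creates a key set client for {@code uri}; the constructor arguments are fixed for all tests. */
    private static AsyncHttpsJwks newHttpsJwks(URI uri) {
        return new AsyncHttpsJwks(uri.toString(), true, 3600000L);
    }

    /**
     * Polls every 500 ms, for at most two minutes, until {@code httpsJwks} reports a key.
     *
     * <p>NOTE(review): when the deadline passes with the key set still empty this method returns
     * normally; the calling test then fails later with a less direct error.
     *
     * @throws RuntimeException if fetching the keys fails or the thread is interrupted
     */
    private static void awaitJwks(HttpsJwks httpsJwks) {
        Instant deadline = Instant.now().plus(2L, ChronoUnit.MINUTES);
        // getJsonWebKeys() declares checked exceptions, so the whole loop sits inside the try.
        try {
            while (httpsJwks.getJsonWebKeys().isEmpty() && !deadline.isBefore(Instant.now())) {
                Thread.sleep(500L);
            }
        } catch (InterruptedException e) {
            // Restore the interrupt flag so the test runner can still observe it.
            Thread.currentThread().interrupt();
            throw new RuntimeException(JWKS_NOT_READY, e);
        } catch (Exception e) {
            throw new RuntimeException(JWKS_NOT_READY, e);
        }
    }
}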
