package io.confluent.kafka.clients.plugins.auth.jwt;

import io.confluent.kafka.security.PemKey;
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.kafka.common.config.AbstractConfig;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.ConfigException;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/jwt/JwtAuthenticatorConfig.class */
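/**
 * Configuration for the JWT authenticator: the expected issuer and audience, plus the source of
 * the public keys that token signatures are verified against.
 *
 * <p>{@code verificationKeyResolver} selects the key source and is matched case-insensitively:
 * <ul>
 *   <li>{@code pemfile} (default): {@code jwksLocation} is a single PEM file or a directory whose
 *       {@code *.pem} entries are loaded once, at construction time.</li>
 *   <li>{@code https}: {@code jwksLocation} is the URL the key set is fetched from.</li>
 *   <li>{@code jku}: {@code jkuDomainWhiteList} is mandatory and lists the acceptable token
 *       provider domains.</li>
 * </ul>
 *
 * <p>Security-relevant points for operators and reviewers:
 * <ul>
 *   <li>Every key that loads from the PEM location becomes a trusted verification key, so that
 *       file or directory should be writable only by whoever is allowed to decide which token
 *       issuers are trusted.</li>
 *   <li>{@code allowUnsafeURL} lets the https and jku resolvers use plain HTTP. Keys fetched that
 *       way are not authenticated in transit, so it must stay {@code false} (the default) outside
 *       development.</li>
 *   <li>The jku whitelist is the only restriction this class puts on the jku resolver; how
 *       relative entries such as {@code .myprovider.com} are matched is decided in
 *       {@code JkuVerificationKeyResolver}, which is not part of this file. Keep the list as
 *       narrow as possible.</li>
 * </ul>
 */
public final class JwtAuthenticatorConfig extends AbstractConfig {
    public static final String CONFIG_PREFIX = "authenticator.jwt.";

    // Accepted values of KEY_RESOLVER_CONFIG.
    public static final String JWKS_PEMFILE = "pemfile";
    public static final String JKU_JWKS = "jku";
    public static final String HTTPS_JWKS = "https";

    // Set by postValidation(), which the constructor runs after the values have been parsed.
    private CloseableVerificationKeyResolver keyResolver;

    private static final String MISSING_REQUIRED = "Missing required configuration %s which has no default value.";
    private static final String INVALID_VALUE = "Invalid value for %s.";

    static final String ISSUER_DEFAULT = "Confluent";
    static final String AUDIENCE_DEFAULT = "";
    static final boolean AUDIENCE_REQUIRED_DEFAULT = false;
    static final String KEY_RESOLVER_DEFAULT = "pemfile";
    protected static final String KEY_RESOLVER_DOC = "";
    static final String JKU_KEY_RESOLVER_WHITELIST_DEFAULT = "";
    static final boolean ALLOW_UNSAFE_KEY_RESOLVER_URL_DEFAULT = false;
    static final String JWKS_LOCATION_DEFAULT = "";
    static final long VERIFICATION_KEY_REFRESH_INTERVAL_MS_DEFAULT = 3600000;

    private static final ConfigDef.Validator NON_ZERO_VALIDATOR = ConfigDef.Range.atLeast(1);
    private static final ConfigDef.Validator NON_EMPTY_VALIDATOR = new ConfigDef.NonEmptyString();
    private static final ConfigDef.Validator KEY_RESOLVER_VALIDATOR =
            ConfigDef.CaseInsensitiveValidString.in(JKU_JWKS, HTTPS_JWKS, JWKS_PEMFILE);

    public static final String ALLOW_UNSAFE_KEY_RESOLVER_URL_CONFIG = "allowUnsafeURL";
    public static final String JKU_KEY_RESOLVER_WHITELIST_CONFIG = "jkuDomainWhiteList";
    protected static final String JWKS_LOCATION_DOC = String.format("Location of JsonWebKey information, format is contingent on configured key resolver. pemFile: This may be a single pem encoded file or a directory containing multiple. https: HTTPS url, HTTP may be used for development purposes. See also %s. jku: See %s for JKU configuration details ", ALLOW_UNSAFE_KEY_RESOLVER_URL_CONFIG, JKU_KEY_RESOLVER_WHITELIST_CONFIG);
    public static final String ISSUER_CONFIG = "issuer";
    protected static final String ISSUER_DOC = "JWT Authentication token issuer.";
    public static final String AUDIENCE_CONFIG = "audience";
    protected static final String AUDIENCE_DOC = "Identifies the recipients a token is intended for. If configured, tokens with expected aud claim is acceptable If not configured, tokens with an audience claim present will be rejected.";
    public static final String AUDIENCE_REQUIRED_CONFIG = "audienceRequired";
    protected static final String AUDIENCE_REQUIRED_DOC = "If configured as true, tokens without aud claim will be rejected";
    public static final String KEY_RESOLVER_CONFIG = "verificationKeyResolver";
    public static final String JWKS_LOCATION_CONFIG = "jwksLocation";
    protected static final String JKU_KEY_RESOLVER_WHITELIST_DOC = "List of acceptable token provider domains. Domains may be absolute such as auth.myprovider.com, or relative such as .myprovider.com";
    protected static final String ALLOW_UNSAFE_KEY_RESOLVER_URL_DOC = "WARNING: This is for development purpose only and should not be used in production! Allow verification key resolver to use HTTP instead of HTTPS.";
    public static final String VERIFICATION_KEY_REFRESH_INTERVAL_MS_CONFIG = "verificationKeyRefreshInterval";
    protected static final String VERIFICATION_KEY_REFRESH_INTERVAL_MS_DOC = "Frequency with which to update the key cache. This is only applicable for the https key resolver";

    private static final ConfigDef CONFIG = new ConfigDef()
            .define(ISSUER_CONFIG, ConfigDef.Type.STRING, ISSUER_DEFAULT, NON_EMPTY_VALIDATOR,
                    ConfigDef.Importance.LOW, ISSUER_DOC)
            .define(AUDIENCE_CONFIG, ConfigDef.Type.LIST, AUDIENCE_DEFAULT,
                    ConfigDef.Importance.LOW, AUDIENCE_DOC)
            .define(AUDIENCE_REQUIRED_CONFIG, ConfigDef.Type.BOOLEAN, AUDIENCE_REQUIRED_DEFAULT,
                    ConfigDef.Importance.LOW, AUDIENCE_REQUIRED_DOC)
            .define(KEY_RESOLVER_CONFIG, ConfigDef.Type.STRING, KEY_RESOLVER_DEFAULT, KEY_RESOLVER_VALIDATOR,
                    ConfigDef.Importance.LOW, KEY_RESOLVER_DOC)
            .define(JWKS_LOCATION_CONFIG, ConfigDef.Type.STRING, JWKS_LOCATION_DEFAULT,
                    ConfigDef.Importance.LOW, JWKS_LOCATION_DOC)
            .define(JKU_KEY_RESOLVER_WHITELIST_CONFIG, ConfigDef.Type.LIST, JKU_KEY_RESOLVER_WHITELIST_DEFAULT,
                    ConfigDef.Importance.LOW, JKU_KEY_RESOLVER_WHITELIST_DOC)
            .define(ALLOW_UNSAFE_KEY_RESOLVER_URL_CONFIG, ConfigDef.Type.BOOLEAN, ALLOW_UNSAFE_KEY_RESOLVER_URL_DEFAULT,
                    ConfigDef.Importance.LOW, ALLOW_UNSAFE_KEY_RESOLVER_URL_DOC)
            .define(VERIFICATION_KEY_REFRESH_INTERVAL_MS_CONFIG, ConfigDef.Type.LONG,
                    VERIFICATION_KEY_REFRESH_INTERVAL_MS_DEFAULT, NON_ZERO_VALIDATOR,
                    ConfigDef.Importance.LOW, VERIFICATION_KEY_REFRESH_INTERVAL_MS_DOC);

    /**
     * Parses and validates {@code map}, then builds the verification key resolver it selects.
     *
     * @param map configuration keyed by the un-prefixed names defined in this class
     * @throws ConfigException if a value is invalid, a setting required by the selected resolver
     *     is missing, or the PEM location yields no usable key
     */
    public JwtAuthenticatorConfig(Map<String, ?> map) {
        super(CONFIG, map);
        postValidation();
    }

    /**
     * Builds the configuration from the entries of {@code map} whose key starts with {@code str};
     * the prefix is removed and all other entries are ignored.
     *
     * @param str key prefix, for example {@link #CONFIG_PREFIX}
     * @param map configuration that may also hold unrelated keys
     */
    public JwtAuthenticatorConfig(String str, Map<String, ?> map) {
        this(stripPrefix(str, map));
    }

    /** Returns the configured token issuer ({@code issuer}). */
    public String issuer() {
        return getString(ISSUER_CONFIG);
    }

    /** Returns the key resolver that was built from this configuration at construction time. */
    public CloseableVerificationKeyResolver verificationKeyResolver() {
        return this.keyResolver;
    }

    /** Returns the configured audiences ({@code audience}); the default is an empty list. */
    public List<String> audience() {
        return getList(AUDIENCE_CONFIG);
    }

    /** Returns the {@code audienceRequired} setting. */
    public boolean audienceRequired() {
        return getBoolean(AUDIENCE_REQUIRED_CONFIG);
    }

    /**
     * Returns the entries of {@code map} whose key starts with {@code str}, with that prefix
     * removed from the key. {@link Collectors#toMap} rejects null values, so a null value under a
     * matching key fails with a {@link NullPointerException}.
     */
    private static Map<String, ?> stripPrefix(String str, Map<String, ?> map) {
        return map.entrySet().stream()
                .filter(entry -> entry.getKey().startsWith(str))
                .collect(Collectors.toMap(
                        entry -> entry.getKey().substring(str.length()),
                        entry -> entry.getValue()));
    }

    /**
     * Builds the key resolver named by {@code verificationKeyResolver}. Each factory throws a
     * {@link ConfigException} when a setting it needs is missing.
     */
    private void postValidation() {
        // Locale.ENGLISH keeps the lower-casing independent of the JVM default locale.
        switch (getString(KEY_RESOLVER_CONFIG).toLowerCase(Locale.ENGLISH)) {
            case JKU_JWKS:
                this.keyResolver = jkuKeyResolver(this);
                return;
            case HTTPS_JWKS:
                this.keyResolver = httpsKeyResolver(this);
                return;
            case JWKS_PEMFILE:
                this.keyResolver = pemFileKeyResolver(this);
                return;
            default:
                // KEY_RESOLVER_VALIDATOR only admits the three names above.
                return;
        }
    }

    /**
     * Builds a resolver over the public keys found at {@code jwksLocation}.
     *
     * @throws ConfigException if the location is unset or unreadable, or if no key could be loaded
     */
    private static CloseableVerificationKeyResolver pemFileKeyResolver(JwtAuthenticatorConfig jwtAuthenticatorConfig) {
        String location = jwtAuthenticatorConfig.getString(JWKS_LOCATION_CONFIG);
        if (location == null || location.isEmpty()) {
            failValidation(MISSING_REQUIRED, JWKS_LOCATION_CONFIG);
        }
        Collection<PublicKey> publicKeys = Collections.emptyList();
        try {
            publicKeys = loadPublicKeys(location);
        } catch (IOException e) {
            // INVALID_VALUE has a single placeholder, so String.format drops the second argument;
            // the I/O detail reaches the caller through the exception cause only.
            failValidation(e, INVALID_VALUE, JWKS_LOCATION_CONFIG, e.getMessage());
        }
        if (publicKeys.isEmpty()) {
            // Also reached when *.pem files exist but none of them yielded a public key.
            throw new ConfigException("No files with pem extension found on path " + location);
        }
        return new PublicKeyVerificationKeyResolver(new PublicKeyJwks(publicKeys));
    }

    /**
     * Builds a resolver that obtains the key set from the URL in {@code jwksLocation}.
     *
     * @throws ConfigException if {@code jwksLocation} is unset
     */
    private static CloseableVerificationKeyResolver httpsKeyResolver(JwtAuthenticatorConfig jwtAuthenticatorConfig) {
        String location = jwtAuthenticatorConfig.getString(JWKS_LOCATION_CONFIG);
        boolean allowUnsafeUrl = jwtAuthenticatorConfig.getBoolean(ALLOW_UNSAFE_KEY_RESOLVER_URL_CONFIG);
        if (location == null || location.isEmpty()) {
            failValidation(MISSING_REQUIRED, JWKS_LOCATION_CONFIG);
        }
        // NOTE(review): the third argument is the compiled-in default (3600000 ms), presumably the
        // key refresh interval. The configured verificationKeyRefreshInterval is validated by
        // CONFIG but never read in this class - confirm against AsyncHttpsJwks whether the
        // setting should be passed here instead.
        return new AsyncHttpsJwksVerificationKeyResolver(
                new AsyncHttpsJwks(location, allowUnsafeUrl, VERIFICATION_KEY_REFRESH_INTERVAL_MS_DEFAULT), true);
    }

    /**
     * Builds a resolver restricted to the domains in {@code jkuDomainWhiteList}.
     *
     * @throws ConfigException if the whitelist is unset or empty, so the jku resolver is never
     *     created without a domain restriction
     */
    private static CloseableVerificationKeyResolver jkuKeyResolver(JwtAuthenticatorConfig jwtAuthenticatorConfig) {
        List<String> allowedDomains = jwtAuthenticatorConfig.getList(JKU_KEY_RESOLVER_WHITELIST_CONFIG);
        boolean allowUnsafeUrl = jwtAuthenticatorConfig.getBoolean(ALLOW_UNSAFE_KEY_RESOLVER_URL_CONFIG);
        if (allowedDomains == null || allowedDomains.isEmpty()) {
            failValidation(MISSING_REQUIRED, JKU_KEY_RESOLVER_WHITELIST_CONFIG);
        }
        return new JkuVerificationKeyResolver(allowedDomains, allowUnsafeUrl);
    }

    /**
     * Reads a public key from every PEM path under {@code str}. A file for which
     * {@code PemKey.readPublicKey} returns an empty result is skipped without any error, so a
     * damaged key file silently shrinks the trusted key set instead of failing start-up.
     */
    private static Collection<PublicKey> loadPublicKeys(String str) throws IOException {
        List<PublicKey> publicKeys = new ArrayList<>();
        for (Path pemPath : getPemPaths(Paths.get(str))) {
            PemKey.readPublicKey(pemPath).ifPresent(publicKeys::add);
        }
        return publicKeys;
    }

    /**
     * Returns {@code path} itself when it is a regular file (whatever its extension), otherwise
     * the direct entries of the directory {@code path} that match {@code *.pem}.
     *
     * @throws IOException if {@code path} is not a regular file and cannot be opened as a directory
     */
    private static List<Path> getPemPaths(Path path) throws IOException {
        // With no LinkOption given, symbolic links are followed.
        if (Files.isRegularFile(path)) {
            return Collections.singletonList(path);
        }
        List<Path> pemPaths = new ArrayList<>();
        // try-with-resources releases the directory handle even when iteration fails.
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(path, "*.pem")) {
            entries.forEach(pemPaths::add);
        }
        return pemPaths;
    }

    /** Always throws a {@link ConfigException} whose message is {@code str} formatted with {@code objArr}. */
    private static void failValidation(String str, Object... objArr) {
        throw new ConfigException(String.format(str, objArr));
    }

    /** Same as {@link #failValidation(String, Object...)}, keeping {@code exc} as the cause. */
    private static void failValidation(Exception exc, String str, Object... objArr) {
        throw new ConfigException(String.format(str, objArr), exc);
    }
}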
