package io.confluent.tokenapi.jwt;

import io.confluent.common.security.util.PemUtils;
import io.confluent.security.auth.common.TokenUtils;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigException;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/tokenapi/jwt/JwsProvider.class */
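/**
 * Holds the signing and verification state for JWT issuance: a {@link JsonWebSignature} used to
 * sign claims, the public key exposed to callers, and a JWKS-backed resolver for verification.
 *
 * <p>Three states are possible after {@link #configure(Map)}:
 * <ul>
 *   <li>algorithm {@code NONE}: tokens are emitted with the {@code none} header and are not
 *       signed; the resolver holds no keys;</li>
 *   <li>one or more key pairs loaded: the first loaded pair signs, all loaded pairs verify;</li>
 *   <li>only a public key loaded: {@link #getPublicKey()} works, but there is no signing key
 *       and no resolver.</li>
 * </ul>
 *
 * <p>Thread-safety: only {@link #signClaims(JwtClaims)} is synchronized, because it mutates the
 * shared {@code jws} instance. {@code configure} is not synchronized.
 */
public class JwsProvider implements Configurable {
    private static final Logger log = LoggerFactory.getLogger(JwsProvider.class);
    // Shared, mutable signer; null until configure() loads a key pair or selects NONE.
    private JsonWebSignature jws;
    private PublicKey publicKey;
    // Null when only a bare public key could be loaded (see loadKeys).
    VerificationKeyResolver jwksResolver;

    /** Signature algorithms this provider accepts in its configuration. */
    public enum Algorithm {
        RS256,
        // Unsigned tokens: the "none" header value carries no integrity protection at all.
        NONE
    }

    /**
     * Reads the key-pair path and signature algorithm from {@code map} and initialises the
     * signer and the verification resolver accordingly.
     *
     * @param map configuration properties handed to {@link JwsConfig}
     * @throws ConfigException if a signing algorithm other than {@code NONE} is selected and no
     *     key-pair path is configured
     * @throws IllegalStateException if no key material can be loaded from the configured path
     */
    public void configure(Map<String, ?> map) {
        JwsConfig jwsConfig = new JwsConfig(map);
        String keyPairPath = jwsConfig.getString(JwsConfig.KEY_PAIR_PATH_PROP);
        String algorithmName = jwsConfig.getString(JwsConfig.SIGNATURE_ALGORITHM_PROP);
        if (Algorithm.NONE.name().equals(algorithmName)) {
            // Tokens issued in this mode can be forged by anyone who can reach a verifier that
            // accepts them, so make the choice visible in the logs instead of silent.
            log.warn("Signature algorithm {} is configured: issued tokens will NOT be signed."
                    + " Do not use this setting outside of testing.", algorithmName);
            this.jws = newJwsSignatory(null, Algorithm.NONE);
            this.jwksResolver = new JwksVerificationKeyResolver(new ArrayList<>());
        } else {
            // Guard against null as well as empty so a missing property is reported as a
            // configuration error rather than a NullPointerException.
            if (keyPairPath == null || keyPairPath.isEmpty()) {
                throw new ConfigException(String.format("Missing required configuration %s which has no default value.", JwsConfig.KEY_PAIR_PATH_PROP));
            }
            loadKeys(Paths.get(keyPairPath), Algorithm.valueOf(algorithmName));
        }
    }

    /**
     * Returns the public key loaded by {@link #configure(Map)}.
     *
     * @return the loaded public key, or {@code null} if none was loaded (for example when the
     *     algorithm is {@code NONE})
     */
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /**
     * Builds the signer for the given algorithm.
     *
     * @param keyPair key pair whose private key signs; ignored (may be {@code null}) for
     *     {@code NONE}
     * @param algorithm the algorithm whose name becomes the {@code alg} header
     * @return a signer with the algorithm header set and, unless {@code NONE}, the private key
     *     and key id attached
     */
    private JsonWebSignature newJwsSignatory(KeyPair keyPair, Algorithm algorithm) {
        JsonWebSignature signer = new JsonWebSignature();
        if (algorithm == Algorithm.NONE) {
            signer.setAlgorithmHeaderValue("none");
            return signer;
        }
        PublicJsonWebKey jwk = buildPublicJsonWebKey(keyPair);
        signer.setAlgorithmHeaderValue(algorithm.name());
        signer.setKey(jwk.getPrivateKey());
        // NOTE(review): nothing in this class assigns a key id to the JWK, so this header may
        // be null; the resolver is set up to disambiguate by verifying instead. Confirm.
        signer.setKeyIdHeaderValue(jwk.getKeyId());
        return signer;
    }

    /**
     * Serialises {@code jwtClaims} as the payload of a compact JWS.
     *
     * <p>Synchronized because the payload is set on the shared signer before serialising; two
     * concurrent callers would otherwise be able to overwrite each other's payload. The
     * decompiler reports that this method was originally package-private.
     *
     * @param jwtClaims the claims to sign
     * @return the compact serialization of the token
     * @throws JoseException if jose4j cannot produce the serialization
     * @throws IllegalStateException if no signer is available, which is the case before
     *     {@link #configure(Map)} or when only a public key could be loaded
     */
    public synchronized String signClaims(JwtClaims jwtClaims) throws JoseException {
        if (this.jws == null) {
            // Fail with an explanation instead of a bare NullPointerException.
            throw new IllegalStateException("No signing key is available: the provider is not configured or only a public key was loaded");
        }
        this.jws.setPayload(jwtClaims.toJson());
        return this.jws.getCompactSerialization();
    }

    /**
     * Loads key material from {@code path}. Every key pair that parses is kept for verification
     * and the first one becomes the signing key. If no key pair parses, the path itself is read
     * as a public key, which leaves the provider unable to sign.
     *
     * @param path a key file, or a directory searched for {@code *.pem} files
     * @param algorithm the signing algorithm to configure on the signer
     * @throws IllegalStateException if neither a key pair nor a public key can be loaded
     */
    private void loadKeys(Path path, Algorithm algorithm) {
        try {
            List<KeyPair> keyPairs = getKeyPairPaths(path).stream()
                    .map(JwsProvider::tryLoadKeyPair)
                    .filter(Optional::isPresent)
                    .map(Optional::get)
                    .collect(Collectors.toList());
            if (keyPairs.isEmpty()) {
                // Close the stream here; the original left the FileInputStream open.
                try (InputStream in = Files.newInputStream(path)) {
                    this.publicKey = TokenUtils.loadPublicKey(in);
                    log.info("Loaded {} as a public key", path);
                } catch (Exception e) {
                    // Keep the cause: without it the operator cannot tell a permissions problem
                    // from a malformed key.
                    throw new IllegalStateException(String.format("No token key file(s) could be loaded from config %s with path:%s", JwsConfig.KEY_PAIR_PATH_PROP, path), e);
                }
            } else {
                // For a directory the listing order is whatever the file system returns, so
                // which pair ends up as the signing key is not fixed by this code.
                KeyPair signingPair = keyPairs.get(0);
                this.publicKey = signingPair.getPublic();
                this.jws = newJwsSignatory(signingPair, algorithm);
                // These JWKs also hold the private keys (see buildPublicJsonWebKey); they are
                // meant for in-process verification and should not be serialised as-is.
                JwksVerificationKeyResolver resolver = new JwksVerificationKeyResolver(
                        keyPairs.stream().map(JwsProvider::buildPublicJsonWebKey).collect(Collectors.toList()));
                resolver.setDisambiguateWithVerifySignature(true);
                this.jwksResolver = resolver;
            }
        } catch (IOException e) {
            String message = String.format("Unable to load token keyPair(s) from config %s with path:%s", JwsConfig.KEY_PAIR_PATH_PROP, path);
            log.error(message, e);
            throw new IllegalStateException(message, e);
        }
    }

    /**
     * Lists the candidate key files for {@code path}.
     *
     * @param path a regular file, or a directory
     * @return the file itself when {@code path} is a regular file, otherwise the {@code *.pem}
     *     entries of the directory
     * @throws IOException if the directory cannot be listed
     */
    private List<Path> getKeyPairPaths(Path path) throws IOException {
        if (Files.isRegularFile(path)) {
            return Collections.singletonList(path);
        }
        List<Path> pemFiles = new ArrayList<>();
        // A DirectoryStream holds an open directory handle and must be closed.
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(path, "*.pem")) {
            entries.forEach(pemFiles::add);
        }
        return pemFiles;
    }

    /**
     * Wraps a key pair in a JWK that carries both the public and the private key.
     *
     * @param keyPair the key pair to wrap
     * @return a JWK built from the public key with the private key attached
     * @throws IllegalStateException if jose4j cannot build a JWK from the public key
     */
    private static PublicJsonWebKey buildPublicJsonWebKey(KeyPair keyPair) {
        try {
            PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(keyPair.getPublic());
            jwk.setPrivateKey(keyPair.getPrivate());
            return jwk;
        } catch (JoseException e) {
            log.error("Unable to convert keyPair into a PublicJsonWebKey", e);
            throw new IllegalStateException("Unable to create PublicJsonWebKey key", e);
        }
    }

    /**
     * Attempts to read a key pair from {@code path}. Failure is logged and reported as an empty
     * result so that one unreadable file does not stop the other files from loading.
     *
     * @param path the PEM file to read
     * @return the key pair, or empty if the file could not be read or parsed
     */
    private static Optional<KeyPair> tryLoadKeyPair(Path path) {
        // try-with-resources closes the stream on the failure path too, which the decompiled
        // form did not do.
        try (InputStream in = Files.newInputStream(path)) {
            return Optional.of(PemUtils.loadKeyPair(in));
        } catch (Exception e) {
            log.error(String.format("Unable to load token keyPair from config %s with path:%s", JwsConfig.KEY_PAIR_PATH_PROP, path), e);
            return Optional.empty();
        }
    }
}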
