package io.confluent.security.authentication.oauthbearer;

import io.confluent.security.authentication.AuthenticationConfig;
import io.confluent.security.authentication.Authenticator;
import io.confluent.security.authentication.credential.BearerCredential;
import io.confluent.security.config.YamlConfigReader;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import org.jose4j.http.Response;
import org.jose4j.http.SimpleGet;
import org.jose4j.http.SimpleResponse;
import org.jose4j.jwk.EcJwkGenerator;
import org.jose4j.jwk.EllipticCurveJsonWebKey;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.EcKeyUtil;
import org.jose4j.keys.EllipticCurves;
import org.jose4j.keys.RsaKeyUtil;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/JwksTestFixture.class */
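/**
 * Test fixture for the OAuth bearer (JWT) authenticator.
 *
 * <p>At class-load time it generates nine throwaway key pairs (six RSA-2048, three EC P-256), one
 * per {@link Kid}, and wires their public halves into four issuers:
 *
 * <ul>
 *   <li>{@link #PEM_ISS}: a static issuer trusting the three {@code *_PEM} keys as PEM text;
 *   <li>{@link #JWKS_ISS}: a JWKS issuer whose key set ({@code *_JWKS} keys) is served by
 *       {@link FixedGet};
 *   <li>{@link #JKU_ISS}: a JKU issuer with domain whitelist {@code .confluent.io} whose key set
 *       ({@code *_JKU} keys) is served by {@link FixedGet};
 *   <li>a {@code MockJwtIssuerSpire} issuer named
 *       {@code test.prefix.spire.internal.confluent.cloud}.
 * </ul>
 *
 * <p>The private halves stay in the in-memory {@code JWKS} set and are used only by
 * {@link #createJws(Kid, JwtClaims)} to sign test tokens; nothing in this class writes them out.
 *
 * <p>Scope note for test authors: both {@link SimpleGet} stubs answer HTTP 200 for any location
 * without touching the network, so tests built on this fixture do not exercise TLS, redirects or
 * HTTP error handling of the key-fetch path. Those need separate coverage.
 */
public class JwksTestFixture {
    public static final List<String> VALID_AUD = Collections.singletonList("mockAud");
    public static final String PEM_ISS = "Confluent";
    public static final String JWKS_ISS = "https://example.com";
    public static final String JKU_ISS = "https://example.confluent.io";

    // All nine generated key pairs (private halves included); used for signing only.
    private static final JsonWebKeySet JWKS;
    // The four issuers described in the class comment.
    private static final JwtAuthenticationConfig AUTH_CONFIG;
    // AUTH_CONFIG plus one extra static issuer named "*".
    private static final JwtAuthenticationConfig AUTH_CONFIG_WITH_WILDCARD;

    /**
     * {@link SimpleGet} stub that returns the same key set, serialized with
     * {@link JsonWebKeySet#toJson()}, for every requested location.
     *
     * <p>The location argument is ignored, so this stub cannot tell an expected URL from an
     * unexpected one; any URL or domain check under test has to happen before the issuer calls
     * {@code get}.
     */
    public static class FixedGet implements SimpleGet {
        private final JsonWebKeySet jwks;

        public FixedGet(JsonWebKeySet jsonWebKeySet) {
            this.jwks = jsonWebKeySet;
        }

        @Override
        public SimpleResponse get(String str) {
            return jsonOk(this.jwks.toJson());
        }
    }

    /**
     * Key identifiers of the generated test keys.
     *
     * <p>The suffix names the issuer the public key is registered with (PEM, JWKS or JKU). The
     * {@code RSA_EXCLUDE_*} keys are the only ones declared with {@code RS512}; presumably they
     * exist to check that a restricted algorithm is rejected. Confirm against the tests that
     * use them.
     */
    public enum Kid {
        RSA_PEM,
        RSA_JWKS,
        RSA_JKU,
        RSA_EXCLUDE_PEM,
        RSA_EXCLUDE_JWKS,
        RSA_EXCLUDE_JKU,
        EC_PEM,
        EC_JWKS,
        EC_JKU
    }

    /**
     * {@link SimpleGet} stub that maps a URL to a classpath resource named {@code host + path}
     * and returns its content as a JSON response. No network request is made.
     */
    public static class StaticGet implements SimpleGet {
        @Override
        public SimpleResponse get(String str) throws IOException {
            URI location = URI.create(str);
            // Host and path are concatenated as-is, e.g. "example.com" + "/jwks".
            String resourceName = String.join("", location.getHost(), location.getPath());
            return jsonOk(JwksTestFixture.resource(resourceName));
        }
    }

    /**
     * Returns one of the two prebuilt configurations.
     *
     * @param z {@code true} for the configuration that also contains the {@code "*"} issuer
     * @return the shared configuration instance (not a copy)
     */
    public static JwtAuthenticationConfig authConfig(boolean z) {
        if (z) {
            return AUTH_CONFIG_WITH_WILDCARD;
        }
        return AUTH_CONFIG;
    }

    /** Creates an authenticator from the default (non-wildcard) configuration. */
    public static Authenticator<BearerCredential, JwtPrincipal> authenticator() {
        return authenticator(AUTH_CONFIG);
    }

    /** Creates an authenticator from the given configuration. */
    public static Authenticator<BearerCredential, JwtPrincipal> authenticator(AuthenticationConfig<BearerCredential, JwtPrincipal> authenticationConfig) {
        return authenticationConfig.createAuthenticator();
    }

    /**
     * Signs the claims with the {@link Kid#RSA_PEM} key and wraps the compact serialization in a
     * bearer credential.
     *
     * @throws JoseException if signing or serialization fails
     */
    public static BearerCredential createEncodedJws(JwtClaims jwtClaims) throws JoseException {
        return createEncodedJws(Kid.RSA_PEM, jwtClaims);
    }

    /**
     * Signs the claims with the key registered under {@code kid} and wraps the compact
     * serialization in a bearer credential.
     *
     * @throws JoseException if signing or serialization fails
     */
    public static BearerCredential createEncodedJws(Kid kid, JwtClaims jwtClaims) throws JoseException {
        String compact = createJws(kid, jwtClaims).getCompactSerialization();
        return new BearerCredential(compact);
    }

    /** Builds an unsigned-yet JWS for the claims using the {@link Kid#RSA_PEM} key. */
    public static JsonWebSignature createJws(JwtClaims jwtClaims) {
        return createJws(Kid.RSA_PEM, jwtClaims);
    }

    /**
     * Builds a JWS over the claims, keyed with the private key registered under {@code kid}.
     *
     * <p>The {@code alg} header is taken from the key's declared algorithm. The {@code kid}
     * header is set for JWKS and JKU keys only; tokens for the {@code *_PEM} keys carry no
     * {@code kid}, so the verifier gets no key-id hint for the static PEM issuer.
     *
     * @param kid which generated key to sign with
     * @param jwtClaims claims used as the payload
     * @return the configured signature object; the signature itself is computed when it is
     *     serialized
     */
    public static JsonWebSignature createJws(Kid kid, JwtClaims jwtClaims) {
        final String any = null;
        // Explicit cast: the private key is read through PublicJsonWebKey below.
        PublicJsonWebKey signingKey = (PublicJsonWebKey) Objects.requireNonNull(
                JWKS.findJsonWebKey(kid.name(), any, any, any), "No generated key for kid");

        JsonWebSignature jws = new JsonWebSignature();
        jws.setKey(signingKey.getPrivateKey());
        boolean pemKey = kid.name().endsWith("PEM");
        if (!pemKey) {
            jws.setKeyIdHeaderValue(kid.name());
        }
        jws.setAlgorithmHeaderValue(signingKey.getAlgorithm());
        jws.setPayload(jwtClaims.toJson());
        return jws;
    }

    /** Loads the configuration stored in the classpath resource {@code configs/AuthConfig.yaml}. */
    public static JwtAuthenticationConfig getStaticConfig() {
        URL yaml = resourceUrl("configs/AuthConfig.yaml");
        return (JwtAuthenticationConfig) new YamlConfigReader().load(yaml, JwtAuthenticationConfig.class);
    }

    /**
     * Resolves a classpath resource through the class loader of
     * {@code JwtIssuerJwksVerificationKeyResolverTest}.
     *
     * @throws NullPointerException if the resource does not exist
     */
    private static URL resourceUrl(String str) {
        ClassLoader loader = JwtIssuerJwksVerificationKeyResolverTest.class.getClassLoader();
        return Objects.requireNonNull(loader.getResource(str), "Failed to load resource");
    }

    /**
     * Reads a classpath resource as text.
     *
     * <p>The bytes are decoded as UTF-8 explicitly so the fixture content is the same on every
     * platform instead of depending on the JVM default charset. Decompiler note: this method was
     * private in the original class and is public here only because the decompiler widened it.
     *
     * @param str resource name relative to the classpath root
     * @return the resource content
     * @throws IOException if the resource cannot be read or its URL is not a valid URI
     */
    public static String resource(String str) throws IOException {
        try {
            byte[] content = Files.readAllBytes(Paths.get(resourceUrl(str).toURI()));
            return new String(content, StandardCharsets.UTF_8);
        } catch (URISyntaxException e) {
            throw new IOException(e);
        }
    }

    /** Wraps a body in the HTTP 200 JSON response shape both stubs return. */
    private static SimpleResponse jsonOk(String body) {
        return new Response(200, "OK", Collections.singletonMap("Content-Type", Collections.singletonList("application/json")), body);
    }

    /** Generates a fresh RSA-2048 key pair labelled with the given key id and algorithm. */
    private static RsaJsonWebKey rsaKey(Kid kid, String algorithm) throws JoseException {
        RsaJsonWebKey key = RsaJwkGenerator.generateJwk(2048);
        key.setKeyId(kid.name());
        key.setAlgorithm(algorithm);
        return key;
    }

    /** Generates a fresh P-256 key pair labelled with the given key id and {@code ES256}. */
    private static EllipticCurveJsonWebKey ecKey(Kid kid) throws JoseException {
        EllipticCurveJsonWebKey key = EcJwkGenerator.generateJwk(EllipticCurves.P256);
        key.setKeyId(kid.name());
        key.setAlgorithm("ES256");
        return key;
    }

    static {
        try {
            RsaJsonWebKey rsaPem = rsaKey(Kid.RSA_PEM, "RS256");
            RsaJsonWebKey rsaJwks = rsaKey(Kid.RSA_JWKS, "RS256");
            RsaJsonWebKey rsaJku = rsaKey(Kid.RSA_JKU, "RS256");
            RsaJsonWebKey rsaExcludePem = rsaKey(Kid.RSA_EXCLUDE_PEM, "RS512");
            RsaJsonWebKey rsaExcludeJwks = rsaKey(Kid.RSA_EXCLUDE_JWKS, "RS512");
            RsaJsonWebKey rsaExcludeJku = rsaKey(Kid.RSA_EXCLUDE_JKU, "RS512");
            EllipticCurveJsonWebKey ecPem = ecKey(Kid.EC_PEM);
            EllipticCurveJsonWebKey ecJwks = ecKey(Kid.EC_JWKS);
            EllipticCurveJsonWebKey ecJku = ecKey(Kid.EC_JKU);

            HashSet<String> audiences = new HashSet<>(VALID_AUD);

            // Raw List: the issuers' common supertype is declared outside this file.
            List issuers = Arrays.asList(
                    JwtIssuerStatic.builder()
                            .name(PEM_ISS)
                            .audience(audiences)
                            .pems(Arrays.asList(
                                    RsaKeyUtil.pemEncode(rsaPem.getRsaPublicKey()),
                                    RsaKeyUtil.pemEncode(rsaExcludePem.getRsaPublicKey()),
                                    EcKeyUtil.pemEncode(ecPem.getPublicKey())))
                            .build(),
                    JwtIssuerJwks.builder()
                            .name(JWKS_ISS)
                            .audience(audiences)
                            .jwksUri("https://example.com/jwks")
                            .simpleGet(new FixedGet(new JsonWebKeySet(rsaJwks, rsaExcludeJwks, ecJwks)))
                            .build(),
                    JwtIssuerJku.builder()
                            .name(JKU_ISS)
                            .audience(audiences)
                            .domainWhitelist(Collections.singletonList(".confluent.io"))
                            .simpleGet(new FixedGet(new JsonWebKeySet(rsaJku, rsaExcludeJku, ecJku)))
                            .build(),
                    MockJwtIssuerSpire.builder()
                            .name("test.prefix.spire.internal.confluent.cloud")
                            .audience(audiences)
                            .build());

            // Signing set: every generated key, in the same order the original fixture added them.
            JWKS = new JsonWebKeySet(
                    rsaPem, rsaExcludePem, ecPem,
                    rsaJwks, rsaExcludeJwks, ecJwks,
                    rsaJku, rsaExcludeJku, ecJku);

            AUTH_CONFIG = JwtAuthenticationConfig.builder().issuers(issuers).build();

            // Extra issuer named "*" that trusts only the RSA_PEM public key. How "*" is matched
            // against a token's issuer is decided by the authenticator, not by this fixture.
            JwtIssuerStatic wildcardIssuer = JwtIssuerStatic.builder()
                    .name("*")
                    .audience(audiences)
                    .pems(Collections.singletonList(RsaKeyUtil.pemEncode(rsaPem.getRsaPublicKey())))
                    .build();
            ArrayList issuersWithWildcard = new ArrayList(issuers);
            issuersWithWildcard.add(wildcardIssuer);
            AUTH_CONFIG_WITH_WILDCARD = JwtAuthenticationConfig.builder().issuers(issuersWithWildcard).build();
        } catch (Exception e) {
            throw new RuntimeException("Failed to setup JwksTestFixture", e);
        }
    }
}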
