package org.apache.cxf.rs.security.oauth2.filters;

import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Predicate;
import javax.ws.rs.core.MediaType;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.jose.jaxrs.JsonWebKeysProvider;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.PublicKeyUse;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;

/* loaded from: input_file:lib/cxf-rt-rs-security-oauth2-3.4.8.jar:org/apache/cxf/rs/security/oauth2/filters/JwsJwksJwtAccessTokenValidator.class */
public class JwsJwksJwtAccessTokenValidator extends JwtAccessTokenValidator {
    final Map<String, JwkHolder> jsonWebKeys = new ConcurrentHashMap();
    private String jwksURL;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/cxf-rt-rs-security-oauth2-3.4.8.jar:org/apache/cxf/rs/security/oauth2/filters/JwsJwksJwtAccessTokenValidator$JwkHolder.class */
    public static class JwkHolder {
        private final JsonWebKey jsonWebKey;
        private JwsSignatureVerifier jwsSignatureVerifier;

        JwkHolder(JsonWebKey jsonWebKey) {
            this.jsonWebKey = jsonWebKey;
        }

        public JwsSignatureVerifier getJwsSignatureVerifier() {
            if (null == this.jwsSignatureVerifier) {
                this.jwsSignatureVerifier = JwsUtils.getSignatureVerifier(this.jsonWebKey);
            }
            return this.jwsSignatureVerifier;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.cxf.rs.security.jose.common.AbstractJoseConsumer
    public JwsSignatureVerifier getInitializedSignatureVerifier(JwsHeaders jwsHeaders) {
        Objects.requireNonNull(jwsHeaders.getKeyId());
        JwkHolder computeIfAbsent = this.jsonWebKeys.computeIfAbsent(jwsHeaders.getKeyId(), str -> {
            return updateJwk(str);
        });
        if (computeIfAbsent != null) {
            return computeIfAbsent.getJwsSignatureVerifier();
        }
        return null;
    }

    public void setJwksURL(String str) {
        this.jwksURL = str;
    }

    @Override // org.apache.cxf.rs.security.jose.common.AbstractJoseConsumer
    public void setJwsVerifier(JwsSignatureVerifier jwsSignatureVerifier) {
        throw new IllegalArgumentException("Actual JwsSignatureVerifier will be populated from the JWK Set URL");
    }

    private JwkHolder updateJwk(String str) {
        Objects.requireNonNull(this.jwksURL, "JWK Set URL must be specified");
        JwkHolder jwkHolder = null;
        HashSet hashSet = new HashSet();
        for (JsonWebKey jsonWebKey : getJsonWebKeys().getKeys()) {
            if (PublicKeyUse.ENCRYPT != jsonWebKey.getPublicKeyUse()) {
                String keyId = jsonWebKey.getKeyId();
                hashSet.add(keyId);
                JwkHolder jwkHolder2 = new JwkHolder(jsonWebKey);
                if (str.equals(keyId)) {
                    jwkHolder = jwkHolder2;
                } else {
                    this.jsonWebKeys.putIfAbsent(keyId, jwkHolder2);
                }
            }
        }
        Set<String> keySet = this.jsonWebKeys.keySet();
        hashSet.getClass();
        keySet.removeIf(not((v1) -> {
            return r1.contains(v1);
        }));
        return jwkHolder;
    }

    JsonWebKeys getJsonWebKeys() {
        return (JsonWebKeys) WebClient.create(this.jwksURL, (List<?>) Collections.singletonList(new JsonWebKeysProvider())).accept(MediaType.APPLICATION_JSON).get(JsonWebKeys.class);
    }

    static <T> Predicate<T> not(Predicate<? super T> predicate) {
        return predicate.negate();
    }
}
