package io.confluent.tokenapi.jwt;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.security.Principal;
import java.security.PublicKey;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import org.apache.kafka.common.Configurable;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/tokenapi/jwt/JwtProvider.class */
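/**
 * Issues and refreshes signed JWTs for authenticated principals.
 *
 * <p>Claims are built here and handed to a {@link JwsProvider} for signing. On refresh, the
 * presented token is first validated by a {@link JwtConsumer} whose verification keys come from
 * the same {@link JwsProvider}.
 *
 * <p>{@link #configure(Map)} must be called before any other method; until then {@code jws} and
 * the consumer cache are {@code null}.
 */
public class JwtProvider implements Configurable {
    private static final Logger log = LoggerFactory.getLogger(JwtProvider.class);

    /** Clock skew tolerated when validating a token presented for refresh. */
    private static final int ALLOWED_CLOCK_SKEW_SECONDS = 30;

    /** Upper bound on the number of cached per-principal consumers. */
    private static final long CONSUMER_CACHE_SIZE = 100L;

    private JwsProvider jws;

    // NOTE(review): public and mutable. Cached consumers capture the issuer when they are built,
    // so changing this field after configure() does not affect consumers already in the cache.
    public String issuer;

    // Token lifetime in seconds (configure() divides the configured value by 1000).
    private long maxTokenLifetime;

    // Keyed by principal name; see newJwtConsumer for what the key does (not) influence.
    private LoadingCache<String, JwtConsumer> jwtConsumerCache;

    /**
     * Reads issuer and maximum lifetime from the supplied configuration and sets up the signer
     * and the consumer cache.
     *
     * @param configs raw configuration, passed to both {@code JwtConfig} and {@code JwsProvider}
     */
    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> configs) {
        JwtConfig jwtConfig = new JwtConfig(configs);
        this.issuer = jwtConfig.getString(JwtConfig.TOKEN_ISSUER_PROP);
        // Integer division: any sub-second remainder of the configured value is dropped.
        this.maxTokenLifetime = jwtConfig.getLong(JwtConfig.MAX_LIFETIME_PROP).longValue() / 1000;
        // The loader only dereferences this.jws lazily, on first cache miss, so creating the
        // cache before the signer is safe.
        initializeJwtConsumerCache(CONSUMER_CACHE_SIZE);
        this.jws = new JwsProvider();
        this.jws.configure(configs);
    }

    /**
     * Creates the size-bounded cache that builds a {@link JwtConsumer} on first use of a key.
     *
     * @param maxSize maximum number of cached consumers
     */
    private void initializeJwtConsumerCache(long maxSize) {
        this.jwtConsumerCache = CacheBuilder.newBuilder()
                .maximumSize(maxSize)
                .build(new CacheLoader<String, JwtConsumer>() {
                    @Override // com.google.common.cache.CacheLoader
                    public JwtConsumer load(String principalName) {
                        return JwtProvider.this.newJwtConsumer(principalName);
                    }
                });
    }

    /**
     * Returns the public key exposed by the underlying {@link JwsProvider}.
     *
     * @return the signer's public key
     */
    public PublicKey getPublicKey() {
        return this.jws.getPublicKey();
    }

    /**
     * Returns an expiration instant exactly {@code maxTokenLifetime} seconds from now.
     *
     * <p>The lifetime is applied in seconds rather than as {@code (float) (seconds / 60)} minutes:
     * the integer division truncated the lifetime to whole minutes, so a configured lifetime
     * below 60 seconds produced a token that expired at issue time, and the value reported by
     * {@link #tokenLifetime()} did not match the {@code exp} claim.
     */
    private NumericDate expirationFromNow() {
        NumericDate expiry = NumericDate.now();
        expiry.addSeconds(this.maxTokenLifetime);
        return expiry;
    }

    /**
     * Builds the claim set for a fresh token issued to {@code principal}.
     *
     * @param principal authenticated principal; its name becomes both {@code sub} and {@code azp}
     * @param audiences optional audience values; the {@code aud} claim is omitted when empty
     * @return the unsigned claims
     */
    private JwtClaims newJwtToken(Principal principal, String... audiences) {
        JwtClaims claims = new JwtClaims();
        claims.setGeneratedJwtId();
        claims.setIssuer(this.issuer);
        claims.setSubject(principal.getName());
        claims.setExpirationTime(expirationFromNow());
        claims.setIssuedAtToNow();
        // Back-date nbf by one minute so verifiers with slightly slow clocks accept the token.
        claims.setNotBeforeMinutesInThePast(1.0f);
        if (audiences.length > 0) {
            claims.setAudience(audiences);
        }
        claims.setClaim("azp", principal.getName());
        claims.setNumericDateClaim("auth_time", NumericDate.now());
        return claims;
    }

    /**
     * Issues a new signed token for {@code principal}.
     *
     * @param principal authenticated principal the token is issued to
     * @param audiences optional audience values
     * @return the signed token as produced by {@code JwsProvider.signClaims}
     * @throws JoseException if signing fails
     */
    public String newJwsToken(Principal principal, String... audiences) throws JoseException {
        return signClaims(newJwtToken(principal, audiences));
    }

    /**
     * Validates {@code token} and re-signs its claims with a new expiration time.
     *
     * <p>Only {@code exp}, {@code iat} and {@code azp} are rewritten. Every other claim of the
     * presented token ({@code sub}, {@code jti}, {@code nbf}, {@code aud}, {@code auth_time},
     * and any additional claim it carries) is copied into the refreshed token unchanged.
     *
     * <p>NOTE(review): nothing in this method compares the token's {@code sub} with
     * {@code principal.getName()}, and no upper bound is applied relative to {@code auth_time},
     * so a still-valid token can be extended repeatedly. Confirm that callers bind the token to
     * the authenticated principal and enforce a maximum session age if one is required.
     *
     * @param principal authenticated principal requesting the refresh
     * @param token serialized token to refresh
     * @return the re-signed token
     * @throws JoseException if the token fails validation, the consumer cannot be built, or
     *     signing fails
     */
    public String refreshToken(Principal principal, String token) throws JoseException {
        try {
            JwtConsumer consumer = this.jwtConsumerCache.get(principal.getName());
            JwtClaims claims = consumer.processToClaims(token);
            claims.setExpirationTime(expirationFromNow());
            claims.setIssuedAtToNow();
            claims.setClaim("azp", principal.getName());
            return signClaims(claims);
        } catch (ExecutionException | InvalidJwtException e) {
            throw new JoseException("Unable to refresh invalid token", e);
        }
    }

    /**
     * Returns the configured maximum token lifetime.
     *
     * @return lifetime in seconds
     */
    public long tokenLifetime() {
        return this.maxTokenLifetime;
    }

    /** Delegates signing of {@code jwtClaims} to the configured {@link JwsProvider}. */
    private String signClaims(JwtClaims jwtClaims) throws JoseException {
        return this.jws.signClaims(jwtClaims);
    }

    /**
     * Builds the consumer used to validate tokens presented for refresh.
     *
     * <p>The consumer requires {@code jti}, {@code sub} and {@code exp}, requires the issuer to
     * equal {@link #issuer}, allows 30 seconds of clock skew, skips audience validation, and
     * resolves verification keys through {@code jws.jwksResolver}.
     *
     * <p>NOTE(review): {@code principalName} is not used, so every cache entry holds an
     * equivalent consumer and the subject is not checked at this layer. If refresh is meant to
     * be limited to the token's own subject, {@code setExpectedSubject(principalName)} on the
     * builder would enforce it here; confirm the intended policy (for example delegated
     * refresh) before changing it.
     *
     * @param principalName cache key the consumer is being built for (currently unused)
     * @return a consumer configured as described above
     */
    /* JADX INFO: Access modifiers changed from: private */
    public JwtConsumer newJwtConsumer(String principalName) {
        return new JwtConsumerBuilder()
                .setRequireJwtId()
                .setExpectedIssuer(true, this.issuer)
                .setSkipDefaultAudienceValidation()
                .setRequireSubject()
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(ALLOWED_CLOCK_SKEW_SECONDS)
                .setVerificationKeyResolver(this.jws.jwksResolver)
                .build();
    }
}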
