package io.confluent.kafka.clients.plugins.auth.jwt;

import java.net.MalformedURLException;
import java.net.URL;
import java.security.Key;
import java.util.Collection;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import org.apache.kafka.common.config.ConfigException;
import org.eclipse.jetty.util.URIUtil;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.lang.UnresolvableKeyException;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/jwt/JkuVerificationKeyResolver.class */
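/**
 * Resolves JWT signature-verification keys from the JWKS URL named in a token's {@code jku}
 * header, after checking that URL against a configured host allow-list.
 *
 * <p>Security notes:
 * <ul>
 *   <li>{@link #resolveKey} reads the {@code jku} header in order to find the verification key,
 *       i.e. before the signature has been checked, so the value must be treated as untrusted
 *       input. Within this class, {@link #hasValidJkuDomain} is the only check between that
 *       value and the creation of a resolver for it.</li>
 *   <li>The allow-list constrains scheme and host only. Port, path and query are not restricted,
 *       so every URL on an allowed host is accepted as a key source. Only list hosts on which
 *       every reachable URL is trusted to serve keys.</li>
 *   <li>An entry beginning with {@code "."} is a suffix match and therefore covers every
 *       subdomain of that name; prefer exact host entries where possible.</li>
 *   <li>Resolvers are cached per distinct {@code jku} string and are only dropped by
 *       {@link #close()}. Because path and query are unconstrained, the number of cache entries
 *       is not bounded by the size of the allow-list.</li>
 *   <li>NOTE(review): whether the underlying {@code AsyncHttpsJwks} follows redirects, and whether
 *       it parses the URL the same way {@link URL} does, is not visible here; confirm both,
 *       since either could let a fetch leave the allow-listed host.</li>
 * </ul>
 */
public final class JkuVerificationKeyResolver implements CloseableVerificationKeyResolver {
    // Factory that turns an accepted jku URL into the JWKS source used to build a resolver.
    private final Function<String, AsyncHttpsJwks> httpsJwksSupplier;
    // Host allow-list: exact host names, or ".suffix" entries (see hasValidJkuDomain).
    // The caller's collection is stored as-is, not copied, so later changes to it are visible here.
    private final Collection<String> domainWhitelist;
    // Forwarded unchanged to every AsyncHttpsJwksVerificationKeyResolver created by this class.
    private final boolean disambiguateKey;
    // The one URL scheme a jku must use: "https", or URIUtil.HTTP when plain HTTP was requested.
    private final String requiredProtocol;
    // Cleared by close(); resolveKey refuses to work once this is false.
    private volatile boolean isRunning;
    // One resolver per accepted jku string, created lazily on first use.
    private final ConcurrentHashMap<String, CloseableVerificationKeyResolver> jkuKeyResolverCache;

    /**
     * Creates a resolver that requires {@code https} for every {@code jku}.
     *
     * @param collection host allow-list; must be non-null and non-empty
     * @throws ConfigException if the allow-list is null or empty
     */
    public JkuVerificationKeyResolver(Collection<String> collection) {
        this(collection, false);
    }

    /**
     * Creates a resolver using {@code AsyncHttpsJwks::new} as the JWKS factory and with key
     * disambiguation switched off.
     *
     * @param collection host allow-list; must be non-null and non-empty
     * @param z when {@code true} the required scheme becomes {@code URIUtil.HTTP} instead of
     *     {@code https}; see the four-argument constructor for the implications
     * @throws ConfigException if the allow-list is null or empty
     */
    public JkuVerificationKeyResolver(Collection<String> collection, boolean z) {
        this(AsyncHttpsJwks::new, collection, false, z);
    }

    /**
     * Creates a resolver with an explicit JWKS factory.
     *
     * @param function factory invoked with an accepted {@code jku} URL
     * @param collection host allow-list; must be non-null and non-empty
     * @param z key-disambiguation flag passed through to each created resolver
     * @param z2 when {@code true} the required scheme is {@code URIUtil.HTTP} and {@code https}
     *     URLs are rejected (the scheme comparison is an exact match). Verification keys fetched
     *     over an unencrypted connection can be replaced in transit, so this should stay
     *     {@code false} outside of test setups.
     * @throws ConfigException if the allow-list is null or empty
     */
    public JkuVerificationKeyResolver(Function<String, AsyncHttpsJwks> function, Collection<String> collection, boolean z, boolean z2) {
        this.jkuKeyResolverCache = new ConcurrentHashMap<>();
        // An empty allow-list would reject every token, so it is treated as a configuration error.
        if (collection == null || collection.isEmpty()) {
            throw new ConfigException("domainWhiteList must contain at least one entry");
        }
        this.httpsJwksSupplier = function;
        this.domainWhitelist = collection;
        this.disambiguateKey = z;
        this.requiredProtocol = z2 ? URIUtil.HTTP : "https";
        this.isRunning = true;
    }

    /** Builds the resolver for one already-validated jku URL; used as the cache's mapping function. */
    private AsyncHttpsJwksVerificationKeyResolver newVerificationKeyResolver(String jkuUrl) {
        return new AsyncHttpsJwksVerificationKeyResolver(this.httpsJwksSupplier.apply(jkuUrl), this.disambiguateKey);
    }

    /**
     * Resolves the verification key for a signed token via the resolver cached for its
     * {@code jku} header. Implements {@code org.jose4j.keys.resolvers.VerificationKeyResolver}.
     *
     * @param jsonWebSignature the signature object whose {@code jku} header names the JWKS URL
     * @param list nesting context, passed through to the delegate resolver
     * @return the key returned by the delegate resolver
     * @throws UnresolvableKeyException if the {@code jku} header is missing, malformed, uses the
     *     wrong scheme, or names a host outside the allow-list
     * @throws IllegalStateException if {@link #close()} has already been called
     */
    @Override
    public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
        if (!this.isRunning) {
            throw new IllegalStateException("Attempt to resolve key while KeyResolver is being shut down");
        }
        // Untrusted at this point: the header is read before any signature check has happened.
        final String jku = jsonWebSignature.getHeaders().getStringHeaderValue("jku");
        if (!hasValidJkuDomain(this.domainWhitelist, this.requiredProtocol, jku)) {
            throw new UnresolvableKeyException("Invalid jku: " + jku);
        }
        // Keyed by the full jku string, so two URLs on the same host get separate resolvers.
        return this.jkuKeyResolverCache
                .computeIfAbsent(jku, this::newVerificationKeyResolver)
                .resolveKey(jsonWebSignature, list);
    }

    /**
     * Checks a {@code jku} URL against the required scheme and the host allow-list.
     *
     * <p>An allow-list entry starting with {@code "."} matches any host that ends with the entry;
     * any other entry must equal the host exactly. Comparison is case-sensitive. Port, path,
     * query and user-info are not examined.
     *
     * <p>The method fails closed: a null argument, a null allow-list entry, or a string that
     * {@link URL} cannot parse all yield {@code false} rather than an exception.
     *
     * @param collection host allow-list
     * @param str the scheme the URL must use, compared exactly with {@link URL#getProtocol()}
     * @param str2 the {@code jku} value taken from the token header; may be null when absent
     * @return {@code true} only if the URL parses, uses the required scheme and its host matches
     *     an allow-list entry
     */
    public static boolean hasValidJkuDomain(Collection<String> collection, String str, String str2) {
        // A token without a jku header arrives here as null; reject it explicitly instead of
        // depending on how the URL constructor reacts to a null spec.
        if (collection == null || str == null || str2 == null) {
            return false;
        }
        final URL jkuUrl;
        try {
            jkuUrl = new URL(str2);
        } catch (MalformedURLException e) {
            return false;
        }
        if (!str.equals(jkuUrl.getProtocol())) {
            return false;
        }
        final String host = jkuUrl.getHost();
        if (host == null) {
            return false;
        }
        for (String entry : collection) {
            // A null entry can never authorise a host; skip it rather than fail the whole check.
            if (entry == null) {
                continue;
            }
            final boolean matches = entry.startsWith(".") ? host.endsWith(entry) : entry.equals(host);
            if (matches) {
                return true;
            }
        }
        return false;
    }

    /**
     * Marks this resolver as shut down and empties the resolver cache. Implements
     * {@code java.io.Closeable} / {@code java.lang.AutoCloseable}.
     *
     * <p>NOTE(review): cached resolvers are removed without {@code close()} being called on them.
     * If {@code AsyncHttpsJwksVerificationKeyResolver} owns connections or background work this
     * leaks them; confirm against that class. There is also no lock between the
     * {@code isRunning} check in {@link #resolveKey} and its cache insert, so a call racing with
     * this method can still add an entry after the cache has been cleared.
     */
    @Override
    public void close() {
        this.isRunning = false;
        this.jkuKeyResolverCache.clear();
    }
}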
