package io.confluent.kafka.server.plugins.auth.oauth;

import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.auth.store.data.JwtIssuerKeyV2;
import io.confluent.security.trustservice.store.TrustCache;
import io.confluent.security.util.JwtUtils;
import io.confluent.security.util.SecurityContext;
import io.confluent.shaded.org.slf4j.Logger;
import io.confluent.shaded.org.slf4j.LoggerFactory;
import java.security.Key;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import org.apache.kafka.common.utils.Utils;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/oauth/KafkaVerificationKeyResolver.class */
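/**
 * jose4j {@link VerificationKeyResolver} that picks the JWS verification key out of the
 * broker-side {@link TrustCache} (reached through the {@link AuthStore} bound to a session UUID).
 *
 * <p>Resolution path: the {@code iss} claim is read from the <em>unverified</em> payload and,
 * together with the JWKS endpoint taken from the {@link SecurityContext}, forms the cache key of
 * a {@link JsonWebKeySet}; the key with the matching {@code kid} header is returned. Note that
 * the issuer is only used to choose which cached key set to try - it is trustworthy only once the
 * signature has verified against a key from that set, and the JWT consumer that owns this
 * resolver still has to enforce the expected issuer and algorithm constraints itself
 * (NOTE(review): confirm the consumer disallows {@code alg=none} and restricts {@code alg} to the
 * expected asymmetric algorithms; this class does not constrain {@code alg}).
 */
public class KafkaVerificationKeyResolver implements VerificationKeyResolver {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) KafkaVerificationKeyResolver.class);
    private final String name;
    private final String sessionUuid;
    // Lazily bound on first resolveKey() call; the AuthStore may not exist yet at construction time.
    private TrustCache trustCache = null;
    private final SecurityContext context;

    /**
     * @param str             resolver name (kept for diagnostics; not read by this class)
     * @param str2            session UUID used to look up the {@link AuthStore} instance
     * @param securityContext per-request context providing the JWKS endpoint and request id; may be null
     */
    public KafkaVerificationKeyResolver(String str, String str2, SecurityContext securityContext) {
        this.name = str;
        this.sessionUuid = str2;
        this.context = securityContext;
    }

    /** Fetches the trust cache of the session's {@link AuthStore}; fails fast if no store is registered. */
    private TrustCache resolveTrustCache() {
        AuthStore store = Objects.requireNonNull(AuthStore.getInstance(this.sessionUuid));
        return store.trustCache();
    }

    /**
     * Resolves the public key for {@code jsonWebSignature} from the cached JWKS of the token's issuer.
     *
     * @param jsonWebSignature the JWS whose {@code kid} header and (unverified) {@code iss} claim select the key
     * @param list             nesting context supplied by jose4j; unused here
     * @return the verification {@link Key} for the matching {@code kid}
     * @throws UnresolvableKeyException if the header has no {@code kid}, the payload cannot be parsed,
     *                                  no key set is cached for the issuer, or the key set has no usable
     *                                  key with that {@code kid}
     */
    @Override // org.jose4j.keys.resolvers.VerificationKeyResolver
    public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
        // Header is attacker-controlled (unverified) and is echoed into logs and exception messages
        // below; keep the amount logged to what is needed for diagnosis.
        String headerJson = jsonWebSignature.getHeaders().getFullHeaderAsJsonString();
        try {
            // Read from the UNVERIFIED payload: only used to select a candidate key set, never trusted on its own.
            String issuer = JwtClaims.parse(jsonWebSignature.getUnverifiedPayload()).getIssuer();
            if (this.trustCache == null) {
                this.trustCache = resolveTrustCache();
            }

            String kid = jsonWebSignature.getHeaders().getStringHeaderValue("kid");
            if (kid == null) {
                // Fixed: the original concatenated the header onto the format string, leaving the
                // second "{}" unfilled; pass both values as SLF4J arguments instead.
                log.debug("Unable to find kid field in the token with header {}. Req id: {}", headerJson, Long.valueOf(getReqId()));
                throw new UnresolvableKeyException("Cannot find kid field in the token with header " + headerJson);
            }

            // JWKS endpoint configured for this request, or "" when there is no context / no value.
            String jwksEndpoint = Optional.ofNullable(this.context)
                    .map(securityContext -> securityContext.strVal(JwtUtils.OAUTH_JWKS_ENDPOINT, null, true))
                    .orElse("");
            // "Confluent" is the built-in issuer and needs no external JWKS endpoint; any other
            // issuer without one will most likely miss the cache below, so warn up front.
            if (issuer != null && !issuer.equals("Confluent") && Utils.isBlank(jwksEndpoint)) {
                log.warn("JwksEndpoint for issuer {} not found in context. Req id: {}", issuer, Long.valueOf(getReqId()));
            }

            String cacheKey = JwtIssuerKeyV2.cacheKey(issuer, jwksEndpoint);
            JsonWebKeySet keySet = this.trustCache.jsonWebKeySet(cacheKey);
            if (keySet == null) {
                log.error("Unable to find key {} data entry in Auth Cache. Req id: {}", cacheKey, Long.valueOf(getReqId()));
                throw new UnresolvableKeyException("Cannot find key " + cacheKey + " data in the system.");
            }

            // Only kid is matched; kty/use/alg are not filtered here. NOTE(review): this relies on
            // jose4j rejecting a key whose type does not fit the alg header at verification time -
            // confirm the JWKS entries carry consistent kty/use so a kid cannot select a wrong-type key.
            JsonWebKey jwk = keySet.findJsonWebKey(kid, null, null, null);
            if (jwk == null) {
                log.error("Unable to find verification key with kid {} from key {} in Auth Cache. Req id: {}", kid, cacheKey, Long.valueOf(getReqId()));
                throw new UnresolvableKeyException("Unable to find a suitable verification key for JWS w/ header " + headerJson);
            }

            Key key = jwk.getKey();
            if (key == null) {
                log.error("Unable to retrieve public key from JsonWebKey: {}. Req id: {}", jwk, Long.valueOf(getReqId()));
                throw new UnresolvableKeyException("Unable to find a suitable verification key for JWS w/ header " + headerJson);
            }
            return key;
        } catch (MalformedClaimException | InvalidJwtException e) {
            // Cause is preserved so the consumer can report why the payload / iss claim was unusable.
            throw new UnresolvableKeyException("Cannot get issuer payload from jws with error ", e);
        }
    }

    /** Request id for log correlation; -1 when no {@link SecurityContext} was supplied. */
    private long getReqId() {
        return this.context == null ? -1L : this.context.getReqId();
    }
}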
