package io.confluent.security.util;

import io.confluent.security.authentication.AuthenticationErrorInfo;
import io.confluent.security.authentication.AuthenticationException;
import io.confluent.security.authentication.AuthenticationExceptionReasonCodes;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwx.JsonWebStructure;

/* loaded from: input_file:io/confluent/security/util/JwtUtils.class */
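/**
 * Translates JWT validation and authentication failures into a human-readable message plus a
 * structured list of {@link ErrorInfo} records.
 *
 * <p>Security notes for consumers of the produced {@link Error}:
 * <ul>
 *   <li>The related claims and the JOSE headers are taken from a token that failed validation,
 *       so they are unverified, caller-supplied data. Treat them as diagnostic text only, never
 *       as an authenticated identity.</li>
 *   <li>The message embeds those values verbatim; apply the usual output handling wherever the
 *       message is logged or returned to a client.</li>
 * </ul>
 *
 * <p>The static tables hold template {@link ErrorInfo} objects. Templates are copied before
 * per-request data is attached, so claims and identity details of one failed request cannot
 * appear in the error produced for another request.
 */
public class JwtUtils {
    /** Template errors keyed by the error code reported by {@link InvalidJwtException}. */
    private static final Map<Integer, ErrorInfo> ERROR_MESSAGE_MAP = new HashMap<>();
    /** Template errors keyed by a fragment of the exception message; insertion order decides which fragment wins. */
    private static final Map<String, ErrorInfo> MISC_ERROR_MESSAGE_MAP = new LinkedHashMap<>();
    public static final String CLAIM_USER_ID = "userId";
    public static final String CLAIM_USER_RESOURCE_ID = "userResourceId";
    public static final String OAUTH_PROVIDER_ID = "providerId";
    public static final String OAUTH_POOL_ID = "identityPoolId";
    public static final String OAUTH_JWKS_ENDPOINT = "jwksEndpoint";

    /**
     * Catch-all error code that is refined by matching the exception message against
     * {@link #MISC_ERROR_MESSAGE_MAP}. NOTE(review): presumably jose4j's miscellaneous error
     * code - confirm against the jose4j version in use.
     */
    private static final int JOSE_MISCELLANEOUS_ERROR_CODE = 17;

    /** Claim that carries the token issuer. */
    private static final String CLAIM_ISSUER = "iss";

    /** Result of {@link JwtUtils#errorDetails}: a summary message plus the individual errors. */
    public static class Error {
        private final String message;
        private final List<ErrorInfo> errors;

        /**
         * @param str summary message
         * @param list individual errors; stored by reference, not copied
         */
        public Error(String str, List<ErrorInfo> list) {
            this.message = str;
            this.errors = list;
        }

        /** @return the summary message */
        public String message() {
            return this.message;
        }

        /** @return the individual errors, exactly as passed to the constructor */
        public List<ErrorInfo> errors() {
            return this.errors;
        }

        @Override
        public String toString() {
            return "Error {message: " + this.message + ",errors: " + this.errors + "}\n";
        }
    }

    /**
     * One classified failure: a reason code, the originating error code, a description, and the
     * token claims / identity details that help diagnose it.
     *
     * <p>Instances are mutable ({@link #relatedClaims(String, Object)},
     * {@link #identityInfo(String, Object)}) and not synchronized; do not share one instance
     * between requests or threads.
     */
    public static class ErrorInfo {
        private final AuthenticationExceptionReasonCodes.ErrorTypes reasonCode;
        private final Integer joseErrorCode;
        private final String details;
        private final Map<String, Object> relatedClaims;
        private final Map<String, Object> identityInfo = new HashMap<>();
        private final List<MapSource> claimSuppliers;
        /** Suppliers that read the identity pool id and provider id from a security context map. */
        public static final List<MapSource> IDENTITY_SUPPLIERS = Collections.unmodifiableList(Arrays.asList(JwtUtils.getSourceSupplier(JwtUtils.OAUTH_POOL_ID), JwtUtils.getSourceSupplier(JwtUtils.OAUTH_PROVIDER_ID)));

        /**
         * @param errorTypes reason code of the failure
         * @param num originating error code
         * @param str human-readable description
         * @param map initial related claims, or {@code null} for none; a non-null map is stored by
         *     reference and later written to by {@link #relatedClaims(String, Object)}
         * @param list claim suppliers to evaluate against the token, or {@code null} for none
         */
        public ErrorInfo(AuthenticationExceptionReasonCodes.ErrorTypes errorTypes, Integer num, String str, Map<String, Object> map, List<MapSource> list) {
            this.reasonCode = errorTypes;
            this.joseErrorCode = num;
            this.details = str;
            this.relatedClaims = map == null ? new HashMap<>() : map;
            this.claimSuppliers = list == null ? Collections.<MapSource>emptyList() : list;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof ErrorInfo)) {
                return false;
            }
            ErrorInfo other = (ErrorInfo) obj;
            // Objects.equals keeps equals() from throwing when the code or details are null.
            return this.reasonCode == other.reasonCode
                    && Objects.equals(this.joseErrorCode, other.joseErrorCode)
                    && Objects.equals(this.details, other.details)
                    && this.relatedClaims.equals(other.relatedClaims)
                    && this.identityInfo.equals(other.identityInfo);
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.reasonCode, this.joseErrorCode, this.details, this.relatedClaims, this.identityInfo);
        }

        /** Creates an error with no initial claims and only the default claim suppliers. */
        public static ErrorInfo mkErrorInfo(AuthenticationExceptionReasonCodes.ErrorTypes errorTypes, Integer num, String str) {
            return mkErrorInfo(errorTypes, num, str, null, null);
        }

        /** Creates an error with no initial claims and the given suppliers plus the default ones. */
        public static ErrorInfo mkErrorInfo(AuthenticationExceptionReasonCodes.ErrorTypes errorTypes, Integer num, String str, List<MapSource> list) {
            return mkErrorInfo(errorTypes, num, str, null, list);
        }

        /**
         * Creates an error whose claim suppliers are {@code list} (when non-null) followed by
         * suppliers for the {@code userId} and {@code userResourceId} claims.
         */
        public static ErrorInfo mkErrorInfo(AuthenticationExceptionReasonCodes.ErrorTypes errorTypes, Integer num, String str, Map<String, Object> map, List<MapSource> list) {
            List<MapSource> suppliers = new ArrayList<>();
            if (list != null) {
                suppliers.addAll(list);
            }
            suppliers.add(JwtUtils.getSourceSupplier(JwtUtils.CLAIM_USER_ID));
            suppliers.add(JwtUtils.getSourceSupplier(JwtUtils.CLAIM_USER_RESOURCE_ID));
            return new ErrorInfo(errorTypes, num, str, map, suppliers);
        }

        /**
         * Returns an independent copy with its own claim and identity maps, so that attaching
         * per-request data to the copy never touches this instance.
         */
        private ErrorInfo copy() {
            ErrorInfo duplicate = new ErrorInfo(this.reasonCode, this.joseErrorCode, this.details, new HashMap<>(this.relatedClaims), this.claimSuppliers);
            duplicate.identityInfo.putAll(this.identityInfo);
            return duplicate;
        }

        /** @return the reason code of the failure */
        public AuthenticationExceptionReasonCodes.ErrorTypes reasonCode() {
            return this.reasonCode;
        }

        /** @return the human-readable description */
        public String details() {
            return this.details;
        }

        /** Records a token claim related to this error. */
        public void relatedClaims(String str, Object obj) {
            this.relatedClaims.put(str, obj);
        }

        /** Records a token claim related to this error. */
        public void relatedClaims(Map.Entry<String, Object> entry) {
            relatedClaims(entry.getKey(), entry.getValue());
        }

        /** @return a read-only view of the claim suppliers */
        public List<MapSource> claimSuppliers() {
            return Collections.unmodifiableList(this.claimSuppliers);
        }

        /** Records an identity detail (for example the identity pool id) for this error. */
        public void identityInfo(String str, Object obj) {
            this.identityInfo.put(str, obj);
        }

        /** Records an identity detail for this error. */
        public void identityInfo(Map.Entry<String, Object> entry) {
            identityInfo(entry.getKey(), entry.getValue());
        }

        /** @return a read-only view of the identity details */
        public Map<String, Object> getIdentityInfo() {
            return Collections.unmodifiableMap(this.identityInfo);
        }

        /** @return a read-only view of the related claims */
        public Map<String, Object> getRelatedClaims() {
            return Collections.unmodifiableMap(this.relatedClaims);
        }

        @Override
        public String toString() {
            return "ErrorInfo {reasonCode: " + this.reasonCode + ", joseErrorCode: " + this.joseErrorCode + ", relatedClaims: " + this.relatedClaims + ", identityInfo: " + this.identityInfo + ", details: " + this.details + "}\n";
        }
    }

    /** Extracts one named entry from a claims or context map. */
    public interface MapSource extends Function<Map<String, Object>, Map.Entry<String, Object>> {
    }

    /**
     * Renders the errors as {@code [[...], [...]]}.
     *
     * @return the rendered text, or empty when {@code list} is null or has no elements
     */
    private static Optional<String> mkMessage(List<ErrorInfo> list) {
        if (list == null || list.isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(list.stream().map(info -> mkMessage(info)).collect(Collectors.joining(", ", "[", "]")));
    }

    /** Renders a single error including its related claims and identity details. */
    private static String mkMessage(ErrorInfo errorInfo) {
        return String.format("[%s - %s, relatedClaims: %s, identityInfo: %s]", errorInfo.reasonCode(), errorInfo.details(), errorInfo.getRelatedClaims(), errorInfo.getIdentityInfo());
    }

    /**
     * Returns a supplier that looks up {@code str} in the map it is applied to. The produced
     * entry always has key {@code str}; its value is {@code null} when the map has no such key.
     */
    public static MapSource getSourceSupplier(String str) {
        return map -> new AbstractMap.SimpleImmutableEntry<String, Object>(str, map.get(str));
    }

    /**
     * Returns the error codes carried by an {@link InvalidJwtException}.
     *
     * @return the codes, or an empty list when {@code th} is another type or has no error details
     */
    public static List<Integer> errorCodes(Throwable th) {
        if (!(th instanceof InvalidJwtException)) {
            return Collections.emptyList();
        }
        InvalidJwtException invalidJwtException = (InvalidJwtException) th;
        if (invalidJwtException.getErrorDetails() == null) {
            return Collections.emptyList();
        }
        return invalidJwtException.getErrorDetails().stream().map(detail -> detail.getErrorCode()).collect(Collectors.toList());
    }

    /** Returns only the summary message of {@link #errorDetails}, using a new, empty security context. */
    public static String errorMessage(Throwable th) {
        return errorDetails(th, new SecurityContext()).message();
    }

    /**
     * Classifies a failure.
     *
     * <p>The message starts with the simple class name of {@code th}, continues with the rendered
     * errors for the recognised exception types, and ends with the simple class name of the
     * cause when one is present.
     *
     * @param th failure to describe; {@code null} yields the message {@code "Exception is null"}
     * @param securityContext source of identity details; may be {@code null}, in which case no
     *     identity details are attached
     */
    public static Error errorDetails(Throwable th, SecurityContext securityContext) {
        if (th == null) {
            return new Error("Exception is null", Collections.<ErrorInfo>emptyList());
        }
        StringBuilder sb = new StringBuilder();
        sb.append(th.getClass().getSimpleName());
        List<ErrorInfo> errors = new ArrayList<>();
        if (th instanceof InvalidJwtException) {
            errors = getInvalidJwtExceptionError((InvalidJwtException) th, sb, securityContext);
        } else if (th instanceof AuthenticationException) {
            errors = getAuthenticationExceptionError((AuthenticationException) th, sb, securityContext);
        } else if (th instanceof IllegalArgumentException) {
            errors = getIllegalArgExceptionError((IllegalArgumentException) th, sb, securityContext);
        }
        if (th.getCause() != null) {
            sb.append(String.format(" -> %s", th.getCause().getClass().getSimpleName()));
        }
        return new Error(sb.toString(), errors);
    }

    /** Builds one error per error code of the exception and appends headers and details to {@code sb}. */
    private static List<ErrorInfo> getInvalidJwtExceptionError(InvalidJwtException invalidJwtException, StringBuilder sb, SecurityContext securityContext) {
        List<ErrorInfo> errors = new ArrayList<>();
        Map<String, Object> claims = getClaimsMapSafely(invalidJwtException);
        for (Integer code : errorCodes(invalidJwtException)) {
            ErrorInfo info = resolveErrorInfo(invalidJwtException, code);
            for (MapSource supplier : info.claimSuppliers()) {
                info.relatedClaims(supplier.apply(claims));
            }
            addIdentityInfo(info, securityContext);
            errors.add(info);
        }
        // A missing JWT context is tolerated here just as it is for the claims, so building the
        // error report cannot fail with a NullPointerException and hide the original failure.
        List<JsonWebStructure> joseObjects = Optional.ofNullable(invalidJwtException.getJwtContext())
                .map(context -> context.getJoseObjects())
                .orElse(Collections.emptyList());
        mkMessage(errors).ifPresent(details ->
                sb.append(String.format(" - Headers: [%s], Additional Details: %s", getHeaders(joseObjects), details)));
        return errors;
    }

    /**
     * Picks the template for an error code and returns a private copy of it. The templates live
     * in static maps; writing request data into them directly would carry claims and identity
     * details over into later, unrelated errors and mutate a plain HashMap from every thread
     * that reports a failure.
     */
    private static ErrorInfo resolveErrorInfo(InvalidJwtException invalidJwtException, int code) {
        ErrorInfo template = ERROR_MESSAGE_MAP.get(code);
        if (code == JOSE_MISCELLANEOUS_ERROR_CODE) {
            template = maybeFetchMiscellaneousInfo(invalidJwtException).orElse(template);
        }
        if (template == null) {
            return ErrorInfo.mkErrorInfo(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_UNKNOWN_ERROR, code, "unknown error");
        }
        return template.copy();
    }

    /** Attaches identity pool / provider details from the context; does nothing for a null context. */
    private static void addIdentityInfo(ErrorInfo errorInfo, SecurityContext securityContext) {
        if (securityContext == null) {
            return;
        }
        for (MapSource supplier : ErrorInfo.IDENTITY_SUPPLIERS) {
            errorInfo.identityInfo(supplier.apply(securityContext.getContextMap()));
        }
    }

    /** Builds the single error for an {@link AuthenticationException} and appends it to {@code sb}. */
    private static List<ErrorInfo> getAuthenticationExceptionError(AuthenticationException authenticationException, StringBuilder sb, SecurityContext securityContext) {
        String reasonCode = authenticationException.reasonCode();
        // Locale.ROOT: the reason code is an identifier, so its lower-casing must not depend on
        // the JVM default locale (a Turkish locale maps 'I' to a dotless 'i').
        String readableReason = reasonCode.toLowerCase(Locale.ROOT).replace('_', ' ');
        ErrorInfo errorInfo = ErrorInfo.mkErrorInfo(AuthenticationExceptionReasonCodes.ErrorTypes.AUTHENTICATION_EXCEPTION, -1, authenticationException.getMessage() + ", " + readableReason);
        addIdentityInfo(errorInfo, securityContext);
        // Issuer-related rejections also report the issuer claim of the rejected token.
        if (AuthenticationExceptionReasonCodes.TOKEN_ISSUER_CLAIM_UNRECOGNIZED.equals(reasonCode)
                || AuthenticationExceptionReasonCodes.CLAIM_ISSUER_POOL_FILTER_MISMATCH.equals(reasonCode)) {
            getClaimFromAuthExceptionInfo(authenticationException.errorInfo(), CLAIM_ISSUER).ifPresent(errorInfo::relatedClaims);
        }
        sb.append(StringUtils.SPACE);
        sb.append(mkMessage(errorInfo));
        return Collections.singletonList(errorInfo);
    }

    /** Builds the single error for an {@link IllegalArgumentException} and appends it to {@code sb}. */
    private static List<ErrorInfo> getIllegalArgExceptionError(IllegalArgumentException illegalArgumentException, StringBuilder sb, SecurityContext securityContext) {
        ErrorInfo errorInfo = ErrorInfo.mkErrorInfo(AuthenticationExceptionReasonCodes.ErrorTypes.ILLEGAL_ARGUMENT_EXCEPTION, -1, illegalArgumentException.getMessage());
        addIdentityInfo(errorInfo, securityContext);
        sb.append(StringUtils.SPACE);
        sb.append(mkMessage(errorInfo));
        return Collections.singletonList(errorInfo);
    }

    /**
     * Reads claim {@code str} from the error info when it carries JWT claims.
     *
     * @return an entry for the claim (value may be {@code null}), or empty when the info is not a
     *     {@code JwtClaimsInfo} or has no claims
     */
    private static Optional<Map.Entry<String, Object>> getClaimFromAuthExceptionInfo(AuthenticationErrorInfo authenticationErrorInfo, String str) {
        if (authenticationErrorInfo instanceof AuthenticationErrorInfo.JwtClaimsInfo) {
            AuthenticationErrorInfo.JwtClaimsInfo jwtClaimsInfo = (AuthenticationErrorInfo.JwtClaimsInfo) authenticationErrorInfo;
            if (jwtClaimsInfo.hasClaims()) {
                Map.Entry<String, Object> claim = new AbstractMap.SimpleImmutableEntry<String, Object>(str, jwtClaimsInfo.claims().get(str));
                return Optional.of(claim);
            }
        }
        return Optional.empty();
    }

    /**
     * Finds the first template whose key occurs in the exception message.
     *
     * @return the shared template (callers must copy it before modifying), or empty when
     *     {@code th} is null, has no message, or matches no key
     */
    private static Optional<ErrorInfo> maybeFetchMiscellaneousInfo(Throwable th) {
        if (th == null) {
            return Optional.empty();
        }
        String message = th.getMessage();
        if (message == null) {
            // Throwable.getMessage() may be null; without this guard contains() would throw.
            return Optional.empty();
        }
        for (Map.Entry<String, ErrorInfo> entry : MISC_ERROR_MESSAGE_MAP.entrySet()) {
            if (message.contains(entry.getKey())) {
                return Optional.of(entry.getValue());
            }
        }
        return Optional.empty();
    }

    /**
     * Concatenates the full JSON header of every JOSE object, without a separator.
     *
     * <p>The headers belong to a token that failed validation, so every value in them is
     * unverified input chosen by whoever presented the token.
     */
    private static String getHeaders(List<JsonWebStructure> list) {
        StringBuilder sb = new StringBuilder();
        if (list == null) {
            return sb.toString();
        }
        for (JsonWebStructure joseObject : list) {
            sb.append(joseObject.getHeaders().getFullHeaderAsJsonString());
        }
        return sb.toString();
    }

    /** Returns the claims map of the rejected token, or an empty map when context or claims are absent. */
    private static Map<String, Object> getClaimsMapSafely(InvalidJwtException invalidJwtException) {
        return Optional.ofNullable(invalidJwtException.getJwtContext())
                .map(context -> context.getJwtClaims())
                .map(jwtClaims -> jwtClaims.getClaimsMap())
                .orElse(Collections.emptyMap());
    }

    /** Builds suppliers for the named claims, in the given order. */
    private static List<MapSource> suppliersFor(String... claimNames) {
        List<MapSource> suppliers = new ArrayList<>(claimNames.length);
        for (String claimName : claimNames) {
            suppliers.add(getSourceSupplier(claimName));
        }
        return suppliers;
    }

    /** Registers the template for an error code; {@code claimNames} are reported next to the default claims. */
    private static void register(AuthenticationExceptionReasonCodes.ErrorTypes type, int code, String details, String... claimNames) {
        ERROR_MESSAGE_MAP.put(code, ErrorInfo.mkErrorInfo(type, code, details, suppliersFor(claimNames)));
    }

    /** Registers a refinement of the miscellaneous error code, selected by a fragment of the exception message. */
    private static void registerMisc(String messageFragment, AuthenticationExceptionReasonCodes.ErrorTypes type, String details, String... claimNames) {
        MISC_ERROR_MESSAGE_MAP.put(messageFragment, ErrorInfo.mkErrorInfo(type, JOSE_MISCELLANEOUS_ERROR_CODE, details, suppliersFor(claimNames)));
    }

    static {
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_EXPIRED, 1, "The JWT Expiration Time {exp} claim identified a time in the past.", "exp");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_EXP_CLAIM_MISSING, 2, "The JWT had no Expiration Time {exp} claim but it is configured to be required.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_IAT_CLAIM_MISSING, 3, "The JWT had no Issued At {iat} claim but it is configured to be required.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_NBF_CLAIM_MISSING, 4, "The JWT had no Not Before {nbf} claim but it is configured to be required.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_AUD_CLAIM_MISSING, 7, "The JWT had no Audience {aud} claim but it is configured to be required.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_ISS_CLAIM_MISSING, 11, "The JWT had no Issuer {iss} claim but it is configured to be required.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_JTI_CLAIM_MISSING, 13, "The JWT had no JWT Id {jti} claim but it is configured to be required.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_SUB_CLAIM_MISSING, 14, "The JWT had no Subject {sub} claim but it is configured to be required.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_EXP_CLAIM_TOO_FAR_IN_FUTURE, 5, "The JWT Expiration Time {exp} claim had a value that is too far into the future.", "exp");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_AUD_CLAIM_INVALID, 8, "The JWT Audience {aud} claim has unexpected value.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_ISS_CLAIM_INVALID, 12, "The JWT Issuer {iss} claim has unexpected value.", "iss");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_SUB_CLAIM_INVALID, 15, "The JWT Subject {sub} claim has unexpected value.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_CLAIM_MALFORMED, 18, "A JWT claim is of the wrong type or otherwise malformed.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_IAT_CLAIM_TOO_FAR_IN_FUTURE, 23, "The JWT Issued At {iat} claim has a value which is too far in the future.", "iat");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_IAT_CLAIM_TOO_FAR_IN_PAST, 24, "The JWT Issued At {iat} claim has a value which is too far in the past.", "iat");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_NBF_CLAIM_NOT_VALID_YET, 6, "The JWT Not Before claim {nbf} indicates that it is not yet valid.", "nbf");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_TYP_CLAIM_MISSING, 21, "The type {typ} header parameter is missing but it is configured to require explicit typing.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_TYP_CLAIM_INVALID, 22, "The type {typ} header parameter has unexpected value.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_SIGNATURE_VERIFICATION_FAILED, 9, "The JWS signature could not be successfully verified with the given key.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_SIGNATURE_MISSING, 10, "The JWS signature is missing but it is configured to be required.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_PAYLOAD_JSON_INVALID, 16, "The payload could not be parsed as json.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_PROCESSING_FAILED, JOSE_MISCELLANEOUS_ERROR_CODE, AuthenticationExceptionReasonCodes.ErrorTypes.JWT_PROCESSING_FAILED.toString());
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_ENCRYPTION_MISSING, 19, "No JWE encryption present but it is configured to be required.");
        register(AuthenticationExceptionReasonCodes.ErrorTypes.JWT_INTEGRITY_PROTECTION_MISSING, 20, "The JWT is missing integrity protection {signature/MAC JWS or symmetric JWE} but it is configured to be required.");

        // Order matters: the first fragment found in the exception message wins.
        registerMisc("Unable to find a suitable verification key for JWS", AuthenticationExceptionReasonCodes.ErrorTypes.JWT_HEADER_KID_LOOKUP_FAILED, "The JWT header field Key Id {kid} is invalid as we could not find a suitable corresponding verification key.");
        registerMisc("Unable to validate JWS signature verification key", AuthenticationExceptionReasonCodes.ErrorTypes.JWT_HEADER_ALG_INVALID, "The JWT header field Algorithm {alg} is invalid as it is not allow listed.");
        registerMisc("Invalid Signature Verification Key Algorithm", AuthenticationExceptionReasonCodes.ErrorTypes.JWT_HEADER_ALG_INVALID, "The JWT header field Algorithm {alg} is invalid as it is not allow listed.");
        registerMisc("Invalid jku", AuthenticationExceptionReasonCodes.ErrorTypes.JWT_HEADER_JKU_INVALID, "The JWT header field JKU {jku} is invalid.");
        registerMisc("Cannot find issuer", AuthenticationExceptionReasonCodes.ErrorTypes.JWT_ISS_CLAIM_LOOKUP_FAILED, "Cannot find issuer {iss} in the system.", "iss");
        registerMisc("Unable to get jwt bundle", AuthenticationExceptionReasonCodes.ErrorTypes.JWT_SUB_CLAIM_INVALID, "The JWT subject {sub} is invalid");
        registerMisc("Unable to get subject", AuthenticationExceptionReasonCodes.ErrorTypes.JWT_SUB_CLAIM_INVALID, "The JWT subject {sub} is invalid");
        registerMisc("Unable to parse the subject", AuthenticationExceptionReasonCodes.ErrorTypes.JWT_SUB_CLAIM_INVALID, "The JWT subject {sub} is invalid");
        registerMisc("Unable to get kid", AuthenticationExceptionReasonCodes.ErrorTypes.JWT_HEADER_KID_LOOKUP_FAILED, "The JWT header field Key Id {kid} is not present");
    }
}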
