package io.confluent.security.authentication.oauthbearer;

import io.confluent.security.authentication.credential.BearerCredential;
import io.spiffe.bundle.jwtbundle.JwtBundle;
import io.spiffe.bundle.jwtbundle.JwtBundleSet;
import io.spiffe.exception.BundleNotFoundException;
import io.spiffe.spiffeid.SpiffeId;
import io.spiffe.spiffeid.TrustDomain;
import io.spiffe.svid.jwtsvid.JwtSvid;
import io.spiffe.workloadapi.JwtSource;
import java.io.IOException;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import org.jose4j.jwk.EcJwkGenerator;
import org.jose4j.jwk.EllipticCurveJsonWebKey;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.keys.EllipticCurves;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/MockJwtSource.class */
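/**
 * Test double for {@link JwtSource} that serves JWT bundles for two fixed trust domains and
 * mints JWS tokens signed with the matching private keys.
 *
 * <p>All key pairs are generated once, in the static initializer, so they differ between JVM
 * runs and are never read from disk in this class.
 *
 * <p>Security note: the generated key pairs, private halves included, are reachable through
 * public, non-final static fields. Any code on the classpath can therefore sign tokens that a
 * verifier backed by this source accepts, or can swap a key after the bundles were built.
 * NOTE(review): the name suggests test-only use; confirm the class is not shipped in, or
 * reachable from, a production configuration.
 */
public class MockJwtSource implements JwtSource {
    // Not referenced inside this class; presumably an issuer value for callers to put in claims.
    public static final String SPIRE_ISSUER = "test.prefix.spire.internal.confluent.cloud";
    public static final TrustDomain SPIRE_TRUST_DOMAIN_1 = TrustDomain.parse("spire.test.domain.one");
    public static final TrustDomain SPIRE_TRUST_DOMAIN_2 = TrustDomain.parse("spire.test.domain.two");
    // Not referenced inside this class; presumably the audience value callers put in claims.
    public static final List<String> VALID_AUD = Collections.singletonList("mockAud");

    /** Bundles for both trust domains, holding only the public halves of the keys below. */
    public static final JwtBundleSet JWT_BUNDLE_SET;

    // Key pairs (public AND private part). Left public and non-final because callers outside
    // this file may read or assign them; reassigning one does not update JWT_BUNDLE_SET or JWKS.
    public static RsaJsonWebKey rsaSpire1;
    public static RsaJsonWebKey rsaSpire2;
    // "512" is the digest (RS512), not the key size: these are 2048-bit RSA keys as well.
    public static RsaJsonWebKey rsa512Spire1;
    public static RsaJsonWebKey rsa512Spire2;
    public static EllipticCurveJsonWebKey ecSpire1;
    public static EllipticCurveJsonWebKey ecSpire2;

    /** Signing-side key set: every generated key pair, looked up by key id. */
    private static final JsonWebKeySet JWKS;

    private final JwtBundleSet bundles = JWT_BUNDLE_SET;

    /**
     * Key ids known to this mock. The digit is the trust domain the public key is published in.
     *
     * <ul>
     *   <li>{@code RSA_SPIRE_n}: 2048-bit RSA key marked RS256.
     *   <li>{@code RSA_EXCLUDE_SPIRE_n}: 2048-bit RSA key marked RS512. NOTE(review): presumably
     *       for tests where the verifier excludes RS512; confirm against the callers.
     *   <li>{@code EU_SPIRE_n}: P-256 elliptic-curve key marked ES256.
     *   <li>{@code INVALID_KID}: no key is registered under this id.
     * </ul>
     */
    public enum Kid {
        RSA_SPIRE_1,
        RSA_EXCLUDE_SPIRE_1,
        EU_SPIRE_1,
        RSA_SPIRE_2,
        RSA_EXCLUDE_SPIRE_2,
        EU_SPIRE_2,
        INVALID_KID
    }

    /**
     * Returns the bundle registered for {@code trustDomain} (from io.spiffe.bundle.BundleSource).
     *
     * @throws BundleNotFoundException as propagated from the underlying bundle set
     */
    @Override
    public JwtBundle getBundleForTrustDomain(TrustDomain trustDomain) throws BundleNotFoundException {
        return this.bundles.getBundleForTrustDomain(trustDomain);
    }

    /** Not implemented by this mock: always returns {@code null}. */
    @Override
    public JwtSvid fetchJwtSvid(String str, String... strArr) {
        return null;
    }

    /** Not implemented by this mock: always returns {@code null}. */
    @Override
    public JwtSvid fetchJwtSvid(SpiffeId spiffeId, String str, String... strArr) {
        return null;
    }

    /** Not implemented by this mock: always returns {@code null}, not an empty list. */
    @Override
    public List<JwtSvid> fetchJwtSvids(String str, String... strArr) {
        return null;
    }

    /** Not implemented by this mock: always returns {@code null}, not an empty list. */
    @Override
    public List<JwtSvid> fetchJwtSvids(SpiffeId spiffeId, String str, String... strArr) {
        return null;
    }

    /** No resources are held, so closing does nothing. */
    @Override
    public void close() throws IOException {
    }

    /**
     * Signs {@code jwtClaims} with the key registered for {@code kid} and wraps the compact
     * serialization in a {@link BearerCredential}.
     *
     * @throws JoseException if the compact serialization cannot be produced
     * @throws NullPointerException if no key is registered for {@code kid}
     */
    public static BearerCredential createEncodedJws(Kid kid, JwtClaims jwtClaims) throws JoseException {
        return new BearerCredential(createJws(kid, jwtClaims).getCompactSerialization());
    }

    /**
     * Builds an unserialized JWS over {@code jwtClaims}, signed with the private key registered
     * for {@code kid} and using that key's algorithm.
     *
     * <p>The payload is exactly {@code jwtClaims.toJson()}: no issuer, audience or expiry is
     * added here, so the caller decides what the token asserts.
     *
     * @throws NullPointerException if no key is registered for {@code kid}, for example
     *     {@link Kid#INVALID_KID}
     */
    public static JsonWebSignature createJws(Kid kid, JwtClaims jwtClaims) {
        PublicJsonWebKey signingKey = lookupSigningKey(kid);
        // No current Kid constant ends with "PEM", so the kid header is always written today;
        // the condition is kept so the behaviour is unchanged if such a constant is added.
        String kidHeader = kid.name().endsWith("PEM") ? null : kid.name();
        return sign(signingKey, kidHeader, jwtClaims);
    }

    /**
     * Builds a JWS that is correctly signed with the {@link Kid#RSA_SPIRE_1} key but advertises
     * {@link Kid#INVALID_KID} in its {@code kid} header, so the header matches no published key.
     * Use it to check that a verifier rejects a token whose key id it cannot resolve instead of
     * falling back to some other key.
     */
    public static JsonWebSignature createJwsWithInvalidKid(JwtClaims jwtClaims) {
        return sign(lookupSigningKey(Kid.RSA_SPIRE_1), Kid.INVALID_KID.name(), jwtClaims);
    }

    static {
        try {
            rsaSpire1 = newRsaKey(Kid.RSA_SPIRE_1, AlgorithmIdentifiers.RSA_USING_SHA256);
            rsaSpire2 = newRsaKey(Kid.RSA_SPIRE_2, AlgorithmIdentifiers.RSA_USING_SHA256);
            rsa512Spire1 = newRsaKey(Kid.RSA_EXCLUDE_SPIRE_1, AlgorithmIdentifiers.RSA_USING_SHA512);
            rsa512Spire2 = newRsaKey(Kid.RSA_EXCLUDE_SPIRE_2, AlgorithmIdentifiers.RSA_USING_SHA512);
            ecSpire1 = newEcKey(Kid.EU_SPIRE_1);
            ecSpire2 = newEcKey(Kid.EU_SPIRE_2);

            // Verifier side: only public keys, grouped by trust domain.
            JWT_BUNDLE_SET = JwtBundleSet.of(Arrays.asList(
                    bundleFor(SPIRE_TRUST_DOMAIN_1, rsaSpire1, rsa512Spire1, ecSpire1),
                    bundleFor(SPIRE_TRUST_DOMAIN_2, rsaSpire2, rsa512Spire2, ecSpire2)));

            // Signer side: full key pairs, in the same order as before.
            JsonWebKeySet signingKeys = new JsonWebKeySet(new JsonWebKey[0]);
            signingKeys.addJsonWebKey(rsaSpire1);
            signingKeys.addJsonWebKey(rsa512Spire1);
            signingKeys.addJsonWebKey(ecSpire1);
            signingKeys.addJsonWebKey(rsaSpire2);
            signingKeys.addJsonWebKey(rsa512Spire2);
            signingKeys.addJsonWebKey(ecSpire2);
            JWKS = signingKeys;
        } catch (JoseException e) {
            // Key generation failed; the class cannot be used without its keys.
            throw new RuntimeException(e);
        }
    }

    /** Generates a 2048-bit RSA key pair tagged with {@code kid} and {@code algorithm}. */
    private static RsaJsonWebKey newRsaKey(Kid kid, String algorithm) throws JoseException {
        RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048);
        jwk.setKeyId(kid.name());
        jwk.setAlgorithm(algorithm);
        return jwk;
    }

    /** Generates a P-256 key pair tagged with {@code kid} and the ES256 algorithm. */
    private static EllipticCurveJsonWebKey newEcKey(Kid kid) throws JoseException {
        EllipticCurveJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
        jwk.setKeyId(kid.name());
        jwk.setAlgorithm(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
        return jwk;
    }

    /** Builds the bundle for {@code domain} from the public halves of {@code keys}. */
    private static JwtBundle bundleFor(TrustDomain domain, PublicJsonWebKey... keys) {
        HashMap<String, PublicKey> authorities = new HashMap<>();
        for (PublicJsonWebKey key : keys) {
            authorities.put(key.getKeyId(), key.getPublicKey());
        }
        return new JwtBundle(domain, authorities);
    }

    /** Finds the key pair registered under {@code kid}; fails with a message when there is none. */
    private static PublicJsonWebKey lookupSigningKey(Kid kid) {
        PublicJsonWebKey jwk = (PublicJsonWebKey) JWKS.findJsonWebKey(kid.name(), null, null, null);
        if (jwk == null) {
            // Same exception type the unguarded dereference produced, but with a usable message.
            throw new NullPointerException("No signing key registered for kid " + kid);
        }
        return jwk;
    }

    /** Signs {@code jwtClaims} with {@code signingKey}; a null {@code kidHeader} omits the header. */
    private static JsonWebSignature sign(PublicJsonWebKey signingKey, String kidHeader, JwtClaims jwtClaims) {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setKey(signingKey.getPrivateKey());
        if (kidHeader != null) {
            jws.setKeyIdHeaderValue(kidHeader);
        }
        jws.setAlgorithmHeaderValue(signingKey.getAlgorithm());
        jws.setPayload(jwtClaims.toJson());
        return jws;
    }
}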
