package com.linkedin.venice.authentication.jwt;

import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.SigningKeyResolver;
import io.jsonwebtoken.io.Decoders;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URL;
import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/linkedin/venice/authentication/jwt/JwksUriSigningKeyResolver.class */
public class JwksUriSigningKeyResolver implements SigningKeyResolver {
    private static final Logger log = LogManager.getLogger(JwksUriSigningKeyResolver.class);
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private final String algorithm;
    private final Pattern hostsAllowlist;
    private final Key fallbackKey;
    private volatile Map<String, Key> keyMap = new ConcurrentHashMap();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/linkedin/venice/authentication/jwt/JwksUriSigningKeyResolver$JwkKey.class */
    public static class JwkKey {
        private final String alg;
        private final String e;
        private final String kid;
        private final String kty;
        private final String n;

        public JwkKey(String str, String str2, String str3, String str4, String str5) {
            this.alg = str;
            this.e = str2;
            this.kid = str3;
            this.kty = str4;
            this.n = str5;
        }

        public String getAlg() {
            return this.alg;
        }

        public String getE() {
            return this.e;
        }

        public String getKid() {
            return this.kid;
        }

        public String getKty() {
            return this.kty;
        }

        public String getN() {
            return this.n;
        }
    }

    /* loaded from: input_file:com/linkedin/venice/authentication/jwt/JwksUriSigningKeyResolver$JwkKeys.class */
    private static class JwkKeys {
        private final List<JwkKey> keys;

        public JwkKeys(List<JwkKey> list) {
            this.keys = list;
        }

        public List<JwkKey> getKeys() {
            return this.keys;
        }
    }

    public JwksUriSigningKeyResolver(String str, String str2, Key key) {
        this.algorithm = str;
        if (StringUtils.isBlank(str2)) {
            this.hostsAllowlist = null;
        } else {
            this.hostsAllowlist = Pattern.compile(str2);
        }
        this.fallbackKey = key;
    }

    public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
        String str = (String) claims.get("jwks_uri");
        return str == null ? this.fallbackKey : getKey(str);
    }

    public Key resolveSigningKey(JwsHeader jwsHeader, String str) {
        throw new UnsupportedOperationException();
    }

    private Key getKey(String str) {
        return this.keyMap.computeIfAbsent(str, this::fetchKey);
    }

    private Key fetchKey(String str) {
        try {
            URL url = new URL(str);
            if (this.hostsAllowlist == null || !this.hostsAllowlist.matcher(url.getHost()).matches()) {
                throw new JwtException("Untrusted hostname: '" + url.getHost() + "'");
            }
            for (JwkKey jwkKey : ((JwkKeys) MAPPER.readValue(url, JwkKeys.class)).getKeys()) {
                if (this.algorithm.equals(jwkKey.getAlg())) {
                    try {
                        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(base64ToBigInteger(jwkKey.getN()), base64ToBigInteger(jwkKey.getE())));
                    } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                        throw new IllegalStateException("Failed to parse public key");
                    }
                }
            }
            throw new JwtException("No valid keys found from URL: " + str);
        } catch (IOException e2) {
            System.out.println(e2);
            log.error("Failed to fetch keys from URL: {}", str, e2);
            throw new JwtException("Failed to fetch keys from URL: " + str, e2);
        }
    }

    private BigInteger base64ToBigInteger(String str) {
        return new BigInteger(1, (byte[]) Decoders.BASE64URL.decode(str));
    }
}
