package com.netflix.genie.web.security.oauth2.pingfederate;

import com.netflix.genie.web.security.oauth2.pingfederate.PingFederateSecurityConditions;
import com.netflix.spectator.api.Registry;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import org.apache.commons.lang3.StringUtils;
import org.apache.xml.security.keys.content.x509.XMLX509Certificate;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.RsaKeyUtil;
import org.jose4j.lang.JoseException;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;

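/**
 * Spring configuration for validating PingFederate-issued JWTs.
 *
 * <p>Wires together the verification key (loaded from a configured PEM value), the jose4j
 * {@link JwtConsumer} that checks the token signature and claims, and the token services built
 * on top of that consumer. Only active when {@code PingFederateSecurityConditions.PingFederateJWTEnabled}
 * holds.
 */
/* loaded from: input_file:WEB-INF/lib/genie-web-3.3.5.jar:com/netflix/genie/web/security/oauth2/pingfederate/PingFederateJWTConfig.class */
@Configuration
@Conditional({PingFederateSecurityConditions.PingFederateJWTEnabled.class})
public class PingFederateJWTConfig {

    /** Property that carries the PEM-encoded verification material; used in error messages so they match the real key. */
    private static final String KEY_VALUE_PROPERTY = "genie.security.oauth2.pingfederate.jwt.keyValue";
    /** PEM header of an X.509 certificate whose embedded public key will be used for verification. */
    private static final String PEM_CERTIFICATE_HEADER = "-----BEGIN CERTIFICATE-----";
    /** PEM header of a bare (SubjectPublicKeyInfo) RSA public key. */
    private static final String PEM_PUBLIC_KEY_HEADER = "-----BEGIN PUBLIC KEY-----";

    /**
     * Create the claim validator that is registered on the JWT consumer.
     *
     * @param registry the metrics registry the validator reports into
     * @return a new {@link PingFederateValidator}
     */
    @Bean
    public PingFederateValidator pingFederateValidator(final Registry registry) {
        return new PingFederateValidator(registry);
    }

    /**
     * Load the public key used to verify JWT signatures from the configured PEM value.
     *
     * <p>Two encodings are accepted: a PEM X.509 certificate (only its embedded public key is
     * extracted) or a PEM RSA public key. Anything else is rejected.
     *
     * @param str the raw value of {@code genie.security.oauth2.pingfederate.jwt.keyValue}
     * @return the verification key
     * @throws IllegalArgumentException if the value is missing or not one of the supported PEM forms
     * @throws IOException              if the in-memory stream cannot be closed
     * @throws JoseException            if jose4j cannot parse the PEM public key
     * @throws InvalidKeySpecException  if the PEM public key is not a valid RSA key
     * @throws CertificateException     if the X.509 certificate cannot be parsed
     */
    @Bean
    public PublicKey jwtPublicKey(
        @Value("${genie.security.oauth2.pingfederate.jwt.keyValue}") final String str
    ) throws IOException, JoseException, InvalidKeySpecException, CertificateException {
        if (StringUtils.isEmpty(str)) {
            throw new IllegalArgumentException("No value set for " + KEY_VALUE_PROPERTY);
        }
        if (str.startsWith(PEM_PUBLIC_KEY_HEADER)) {
            return new RsaKeyUtil().fromPemEncoded(str);
        }
        if (!str.startsWith(PEM_CERTIFICATE_HEADER)) {
            throw new IllegalArgumentException(
                "Only support X.509 pem certs or Public RSA Keys for " + KEY_VALUE_PROPERTY
            );
        }
        // Explicit charset: String.getBytes("UTF-8") forced a checked UnsupportedEncodingException for a
        // charset that every JVM is required to support.
        try (ByteArrayInputStream certificateStream
                 = new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8))) {
            final CertificateFactory factory = CertificateFactory.getInstance(XMLX509Certificate.JCA_CERT_ID);
            // Only the key inside the certificate is used; the certificate's validity period, chain and
            // revocation status are NOT checked here — the operator is trusted to configure the right key.
            final X509Certificate certificate = (X509Certificate) factory.generateCertificate(certificateStream);
            return certificate.getPublicKey();
        }
    }

    /**
     * Build the jose4j consumer that verifies incoming tokens.
     *
     * <p>The consumer verifies the signature against {@code publicKey}, rejects tokens without an
     * {@code exp} claim, and runs {@code pingFederateValidator} over the claims.
     *
     * @param publicKey             the verification key from {@link #jwtPublicKey(String)}
     * @param pingFederateValidator the PingFederate-specific claim validator
     * @return the configured {@link JwtConsumer}
     */
    @Bean
    public JwtConsumer jwtConsumer(
        @Qualifier("jwtPublicKey") final PublicKey publicKey,
        final PingFederateValidator pingFederateValidator
    ) {
        // NOTE(review): the consumer does not pin the accepted JWS algorithm or an expected
        // issuer/audience (JwtConsumerBuilder#setJwsAlgorithmConstraints, #setExpectedIssuer,
        // #setExpectedAudience). Whether those checks live in PingFederateValidator is not visible
        // here — confirm before relying on the defaults.
        return new JwtConsumerBuilder()
            .setVerificationKey(publicKey)
            .setRequireExpirationTime()
            .registerValidator(pingFederateValidator)
            .build();
    }

    /**
     * Create the primary token services used by the resource server to check bearer tokens.
     *
     * @param jwtConsumer the consumer from {@link #jwtConsumer(PublicKey, PingFederateValidator)}
     * @param registry    the metrics registry
     * @return the token services bean
     */
    @Bean
    @Primary
    public PingFederateJWTTokenServices pingFederateJWTTokenServices(
        final JwtConsumer jwtConsumer,
        final Registry registry
    ) {
        return new PingFederateJWTTokenServices(jwtConsumer, registry);
    }
}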
