package org.apache.kafka.common.security.oauthbearer.internals.secured;

import java.io.IOException;
import java.security.Key;
import java.util.List;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.VerificationJwkSelector;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UnresolvableKeyException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-3.4.0.jar:org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwksVerificationKeyResolver.class */
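/**
 * Resolves the signature-verification key for a JWS by selecting a matching key from the JWK set
 * held by a {@link RefreshingHttpsJwks}.
 *
 * <p>When no key in the current set matches, the resolver asks the {@link RefreshingHttpsJwks} to
 * expedite a refresh for the JWS key id and fails the current resolution with an
 * {@link UnresolvableKeyException}; it does not retry within the same call.
 *
 * <p>{@link #init()} must be called before {@link #resolveKey(JsonWebSignature, List)}.
 */
public class RefreshingHttpsJwksVerificationKeyResolver implements CloseableVerificationKeyResolver {
    private static final Logger log = LoggerFactory.getLogger(RefreshingHttpsJwksVerificationKeyResolver.class);
    private final RefreshingHttpsJwks refreshingHttpsJwks;
    private final VerificationJwkSelector verificationJwkSelector = new VerificationJwkSelector();
    private boolean isInitialized;

    /**
     * @param refreshingHttpsJwks source of the JWK set; its lifecycle ({@code init}/{@code close})
     *     is driven by this resolver's {@link #init()} and {@link #close()}
     */
    public RefreshingHttpsJwksVerificationKeyResolver(RefreshingHttpsJwks refreshingHttpsJwks) {
        this.refreshingHttpsJwks = refreshingHttpsJwks;
    }

    /**
     * Initializes the underlying {@link RefreshingHttpsJwks}.
     *
     * @throws IOException if the underlying JWKS source fails to initialize
     */
    @Override
    public void init() throws IOException {
        try {
            log.debug("init started");
            this.refreshingHttpsJwks.init();
        } finally {
            // NOTE(review): the flag is set even when refreshingHttpsJwks.init() throws, so it records
            // "init() was attempted", not "init() succeeded". After a failed init, resolveKey() passes
            // its guard and relies on the JWKS source to reject use. Confirm this is intended.
            this.isInitialized = true;
            log.debug("init completed");
        }
    }

    /** Closes the underlying {@link RefreshingHttpsJwks}. */
    @Override
    public void close() {
        try {
            log.debug("close started");
            this.refreshingHttpsJwks.close();
        } finally {
            // Logged on both the normal and the exceptional path.
            log.debug("close completed");
        }
    }

    /**
     * Selects the verification key for {@code jsonWebSignature} from the current JWK set.
     *
     * <p>The JWS header used for selection, and echoed into the debug log and the exception
     * messages below, comes from a token whose signature has not been verified yet. Code that
     * surfaces these messages should treat that part of the text as untrusted input.
     *
     * @param jsonWebSignature the JWS whose signature is to be verified
     * @param list nesting context supplied by the caller; not used by this resolver
     * @return the key of the selected JWK
     * @throws UnresolvableKeyException if no suitable key is found, or if obtaining or using the
     *     JWK set fails (the underlying exception is attached as the cause in that case)
     * @throws IllegalStateException if {@link #init()} has not been called
     */
    @Override
    public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
        if (!this.isInitialized) {
            throw new IllegalStateException("Please call init() first");
        }
        List<JsonWebKey> jsonWebKeys;
        try {
            jsonWebKeys = this.refreshingHttpsJwks.getJsonWebKeys();
            JsonWebKey select = this.verificationJwkSelector.select(jsonWebSignature, jsonWebKeys);
            if (select != null) {
                return select.getKey();
            }
            if (this.refreshingHttpsJwks.maybeExpediteRefresh(jsonWebSignature.getKeyIdHeaderValue())) {
                log.debug("Refreshing JWKs from {} as no suitable verification key for JWS w/ header {} was found in {}", this.refreshingHttpsJwks.getLocation(), jsonWebSignature.getHeaders().getFullHeaderAsJsonString(), jsonWebKeys);
            }
        } catch (IOException | JoseException e) {
            StringBuilder sb2 = new StringBuilder();
            sb2.append("Unable to find a suitable verification key for JWS w/ header ").append(jsonWebSignature.getHeaders().getFullHeaderAsJsonString());
            sb2.append(" due to an unexpected exception (").append(e).append(") while obtaining or using keys from JWKS endpoint at ").append(this.refreshingHttpsJwks.getLocation());
            throw new UnresolvableKeyException(sb2.toString(), e);
        }
        // Thrown outside the try block on purpose: UnresolvableKeyException is a JoseException, so
        // throwing it inside would be caught above and re-wrapped as "an unexpected exception",
        // making an ordinary "no matching key" outcome look like a JWKS endpoint failure.
        StringBuilder sb = new StringBuilder();
        sb.append("Unable to find a suitable verification key for JWS w/ header ").append(jsonWebSignature.getHeaders().getFullHeaderAsJsonString());
        sb.append(" from JWKs ").append(jsonWebKeys).append(" obtained from ").append(this.refreshingHttpsJwks.getLocation());
        throw new UnresolvableKeyException(sb.toString());
    }
}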
