package io.confluent.security.authentication.oauthbearer;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonSetter;
import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
import io.confluent.security.util.SecurityContext;
import io.spiffe.exception.JwtSourceException;
import io.spiffe.exception.SocketEndpointAddressException;
import io.spiffe.workloadapi.DefaultJwtSource;
import io.spiffe.workloadapi.JwtSource;
import io.spiffe.workloadapi.JwtSourceOptions;
import java.time.Duration;
import java.util.Collection;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

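/**
 * {@link JwtIssuer} backed by a SPIFFE Workload API {@link JwtSource} that is created from a
 * SPIRE agent socket endpoint.
 *
 * <p>Instances are built from JSON through {@link Builder} (issuer name and audience only). The
 * agent socket endpoint is not part of the builder; it is supplied afterwards through
 * {@link #configureJwtSource(String)}.
 *
 * <p>Creating the JWT source is best-effort: a failure is logged and leaves the source unset, and
 * {@link #keyResolver(Collection, SecurityContext)} retries the creation on each call until it
 * succeeds.
 *
 * <p>The mutable fields ({@code spireAgentSocketEndpoint}, {@code jwtSourceOptions},
 * {@code jwtSource}) are read and written without synchronization, so concurrent callers of
 * {@code keyResolver} may each attempt to create a source.
 */
@JsonDeserialize(builder = JwtIssuerSpire.Builder.class)
public class JwtIssuerSpire extends JwtIssuer {
    private static final Logger log = LoggerFactory.getLogger(JwtIssuerSpire.class);

    /** Time allowed for the JWT source to initialize against the SPIRE agent socket. */
    private static final Duration JWT_SOURCE_INIT_TIMEOUT = Duration.ofSeconds(1L);

    private final String name;
    private String spireAgentSocketEndpoint;
    // Held by reference: the set handed to the constructor is the one returned by audience().
    private final Set<String> audience;
    private JwtSourceOptions jwtSourceOptions;
    // null until a source has been created successfully (see initializeJwtSource()).
    private JwtSource jwtSource;

    /** Jackson builder that collects the {@code name} and {@code audience} JSON properties. */
    public static class Builder {
        private String name;
        private Set<String> audience;

        private Builder() {
        }

        /**
         * Sets the issuer name.
         *
         * @param str the issuer name
         * @return this builder
         */
        @JsonSetter("name")
        public Builder name(String str) {
            this.name = str;
            return this;
        }

        /**
         * Sets the audience values associated with this issuer.
         *
         * @param set the audience values; may be {@code null}, which {@link #build()} treats as empty
         * @return this builder
         */
        @JsonSetter("audience")
        public Builder audience(Set<String> set) {
            this.audience = set;
            return this;
        }

        /**
         * Creates the issuer. A missing audience becomes an empty set; the name is passed through
         * unchecked. No JWT source is created here.
         *
         * @return the new issuer
         * @throws SocketEndpointAddressException declared for callers; not thrown by the code visible here
         * @throws JwtSourceException declared for callers; not thrown by the code visible here
         */
        public JwtIssuerSpire build() throws SocketEndpointAddressException, JwtSourceException {
            Set<String> effectiveAudience =
                    this.audience == null ? Collections.<String>emptySet() : this.audience;
            return new JwtIssuerSpire(this.name, effectiveAudience);
        }
    }

    /**
     * Creates an issuer without a JWT source; call {@link #configureJwtSource(String)} before
     * requesting a key resolver.
     *
     * @param str the issuer name
     * @param set the audience values; stored by reference, not copied, so later changes to the
     *     set by the caller are visible through {@link #audience()}
     */
    public JwtIssuerSpire(String str, Set<String> set) {
        this.name = str;
        this.audience = set;
    }

    /**
     * Records the SPIRE agent socket endpoint, builds the source options (one second init
     * timeout) and attempts to create the JWT source. A creation failure is logged, not thrown.
     *
     * <p>NOTE(review): a source created by an earlier call is replaced without being closed;
     * confirm this method is only called once per instance.
     *
     * @param str the SPIRE agent socket endpoint
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public void configureJwtSource(String str) {
        Objects.requireNonNull(str, "spireAgentSocketEndpoint must be non null");
        this.spireAgentSocketEndpoint = str;
        this.jwtSourceOptions = JwtSourceOptions.builder()
                .spiffeSocketPath(this.spireAgentSocketEndpoint)
                .initTimeout(JWT_SOURCE_INIT_TIMEOUT)
                .build();
        initializeJwtSource();
    }

    /**
     * Attempts to create the JWT source from the configured options. On failure the error is
     * logged and {@code jwtSource} is left {@code null} so that a later call can retry.
     *
     * @throws NullPointerException if {@link #configureJwtSource(String)} has not been called yet
     */
    private void initializeJwtSource() {
        // Fail with an explicit message instead of letting a null options object reach
        // DefaultJwtSource.newSource when keyResolver() is called on an unconfigured issuer.
        Objects.requireNonNull(
                this.jwtSourceOptions,
                "configureJwtSource must be called before the JWT source is initialized");
        try {
            this.jwtSource = DefaultJwtSource.newSource(this.jwtSourceOptions);
        } catch (JwtSourceException | SocketEndpointAddressException e) {
            // Name the issuer so an operator can tell which trust source is unavailable.
            log.error("Failed to create SPIRE JWT source for issuer '{}': {}", this.name, e.getMessage(), e);
            this.jwtSource = null;
        }
    }

    /** Returns the issuer name. */
    @Override
    @JsonProperty("name")
    public String name() {
        return this.name;
    }

    /** Returns the audience set exactly as stored (no defensive copy is made). */
    @Override
    @JsonProperty("audience")
    public Set<String> audience() {
        return this.audience;
    }

    /** Returns the configured SPIRE agent socket endpoint, or {@code null} if none has been set. */
    @JsonProperty("spireAgentSocketEndpoint")
    public String spireAgentSocketEndpoint() {
        return this.spireAgentSocketEndpoint;
    }

    /**
     * Returns a key resolver that wraps a {@code SpireVerificationKeyResolver} built on the
     * current JWT source and applies the given constraints. If no source exists yet, one more
     * creation attempt is made first.
     *
     * <p>NOTE(review): if that attempt fails as well, the resolver is built around a
     * {@code null} {@link JwtSource}. {@code SpireVerificationKeyResolver} is not visible here;
     * confirm that it rejects tokens (fails closed) in that state rather than skipping
     * verification.
     *
     * @param collection the constraints handed to the returned resolver
     * @param securityContext not used by this implementation
     * @return a new constrained key resolver
     * @throws NullPointerException if {@link #configureJwtSource(String)} has not been called yet
     */
    @Override
    public ConstrainedVerificationKeyResolver keyResolver(Collection<Constraint> collection, SecurityContext securityContext) {
        if (this.jwtSource == null) {
            initializeJwtSource();
        }
        return new ConstrainedVerificationKeyResolver(new SpireVerificationKeyResolver(this.jwtSource), collection);
    }

    /** Returns a new, empty {@link Builder}. */
    public static Builder builder() {
        return new Builder();
    }
}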
