package io.confluent.security.authentication.oauthbearer;

import io.spiffe.bundle.jwtbundle.JwtBundle;
import io.spiffe.exception.AuthorityNotFoundException;
import io.spiffe.exception.BundleNotFoundException;
import io.spiffe.exception.InvalidSpiffeIdException;
import io.spiffe.spiffeid.SpiffeId;
import io.spiffe.workloadapi.JwtSource;
import java.security.Key;
import java.util.List;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

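/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/SpireVerificationKeyResolver.class */
/**
 * jose4j {@link VerificationKeyResolver} that picks the verification key for a SPIRE-issued JWT
 * out of the trust bundle of the token's SPIFFE trust domain.
 *
 * <p>The {@code iss} and {@code sub} claims are read from the <em>unverified</em> payload, so
 * nothing here authenticates the token: the claims and the {@code kid} header only decide which
 * bundle and which key are handed back to jose4j. Trust is established solely by the signature
 * check jose4j performs afterwards with the returned key, which is why every failure surfaces as
 * an {@link UnresolvableKeyException} rather than being silently tolerated.
 *
 * <p>Instances are immutable; thread-safety otherwise depends on the supplied {@link JwtSource}.
 */
public class SpireVerificationKeyResolver implements VerificationKeyResolver {
    private static final Logger log = LoggerFactory.getLogger(SpireVerificationKeyResolver.class);
    /** JOSE header carrying the key id that is looked up in the trust bundle. */
    private static final String KID_HEADER = "kid";
    /** Source of per-trust-domain JWT bundles; may be null, in which case every resolution fails. */
    private final JwtSource jwtSource;
    /** Fragment the {@code iss} claim must contain for the token to be treated as SPIRE-issued. */
    private final String spireIssuerSuffix;

    /**
     * @param jwtSource source of JWT bundles keyed by trust domain; null is tolerated here and
     *     rejected at resolution time
     * @param spireIssuerSuffix fragment expected in the issuer claim of SPIRE tokens
     */
    public SpireVerificationKeyResolver(JwtSource jwtSource, String spireIssuerSuffix) {
        this.jwtSource = jwtSource;
        this.spireIssuerSuffix = spireIssuerSuffix;
    }

    /** @return the issuer fragment this resolver was configured with */
    public String getSpireIssuerSuffix() {
        return this.spireIssuerSuffix;
    }

    /**
     * Resolves the key that jose4j should use to verify {@code jsonWebSignature}.
     *
     * <p>Steps, in order: parse the unverified payload, require a SPIRE issuer, require a
     * non-empty subject, fetch the bundle for the subject's trust domain, then look up the
     * {@code kid} header in that bundle. The nesting context ({@code list}) is not used.
     *
     * @return the JWT authority registered under the token's {@code kid}
     * @throws UnresolvableKeyException if any step above fails; the underlying exception is kept
     *     as the cause where one exists
     */
    @Override // org.jose4j.keys.resolvers.VerificationKeyResolver
    public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
        JwtClaims claims;
        try {
            // Deliberately unverified: the claims are only used to choose the key, never trusted.
            claims = JwtClaims.parse(jsonWebSignature.getUnverifiedPayload());
        } catch (InvalidJwtException e) {
            throw new UnresolvableKeyException("Cannot parse the JWS payload with error", e);
        }

        String issuer = checkIssuerClaim(claims);
        // NOTE(review): contains() accepts any issuer that merely embeds the configured fragment;
        // if the value is meant as a true suffix, endsWith() would be the stricter match — confirm
        // against how deployments configure it before tightening.
        if (!issuer.contains(this.spireIssuerSuffix)) {
            throw new UnresolvableKeyException("Token issuer: " + issuer + " is not SPIRE");
        }

        String subject = requireSubject(claims, jsonWebSignature);
        // Bundle lookup happens before the kid check so a missing bundle is reported first.
        JwtBundle bundle = getTrustBundleFromTrustDomain(subject);
        String kid = requireKid(jsonWebSignature);
        try {
            return bundle.findJwtAuthority(kid);
        } catch (AuthorityNotFoundException e) {
            log.error("Unable to retrieve public key from SPIRE trust bundle", e);
            // Keep the cause so callers can see why the kid was not found in the bundle.
            throw new UnresolvableKeyException(
                "Unable to find a suitable verification key for JWS with header "
                    + jsonWebSignature.getHeaders().getFullHeaderAsJsonString(), e);
        }
    }

    /**
     * Returns the non-empty issuer claim.
     *
     * @throws UnresolvableKeyException if the claim is absent, empty or not a string
     */
    private String checkIssuerClaim(JwtClaims jwtClaims) throws UnresolvableKeyException {
        try {
            String issuer = jwtClaims.getIssuer();
            if (issuer == null || issuer.isEmpty()) {
                throw new MalformedClaimException("Token missing issuer claim or empty issuer claim");
            }
            return issuer;
        } catch (MalformedClaimException e) {
            throw new UnresolvableKeyException("Cannot find issuer payload from jws with error", e);
        }
    }

    /**
     * Returns the non-empty subject claim.
     *
     * @throws UnresolvableKeyException if the claim is absent, empty or not a string
     */
    private static String requireSubject(JwtClaims claims, JsonWebSignature jws) throws UnresolvableKeyException {
        try {
            String subject = claims.getSubject();
            if (subject == null || subject.isEmpty()) {
                throw new MalformedClaimException("Unable to find subject field in the token with header");
            }
            return subject;
        } catch (MalformedClaimException e) {
            log.debug("Unable to find subject field in the token with header {}", jws.getHeaders().getFullHeaderAsJsonString());
            throw new UnresolvableKeyException("Unable to get subject payload from jws with error", e);
        }
    }

    /**
     * Returns the non-empty {@code kid} header.
     *
     * @throws UnresolvableKeyException if the header is absent or empty
     */
    private static String requireKid(JsonWebSignature jws) throws UnresolvableKeyException {
        String kid = jws.getHeaders().getStringHeaderValue(KID_HEADER);
        if (kid == null || kid.isEmpty()) {
            String header = jws.getHeaders().getFullHeaderAsJsonString();
            log.debug("Unable to find kid field in the token with header {}", header);
            throw new UnresolvableKeyException("Unable to get kid in the JWS with header " + header);
        }
        return kid;
    }

    /**
     * Fetches the JWT bundle for the trust domain of the given SPIFFE ID string.
     *
     * @param subject the token's subject, expected to be a SPIFFE ID
     * @throws UnresolvableKeyException if the subject is not a valid SPIFFE ID, no
     *     {@link JwtSource} was configured, or the source has no bundle for the trust domain
     */
    private JwtBundle getTrustBundleFromTrustDomain(String subject) throws UnresolvableKeyException {
        SpiffeId spiffeId;
        try {
            // Parse once; the id is reused for the trust-domain lookup and every message below.
            spiffeId = SpiffeId.parse(subject);
        } catch (InvalidSpiffeIdException e) {
            log.debug("Unable to parse the subject {} as SPIFFE ID", subject);
            throw new UnresolvableKeyException("Unable to parse the subject " + subject + " as SPIFFE ID", e);
        }
        if (this.jwtSource == null) {
            throw new UnresolvableKeyException("Jwt source not initialized. Unable to get jwt bundle for subject " + spiffeId);
        }
        try {
            return this.jwtSource.getBundleForTrustDomain(spiffeId.getTrustDomain());
        } catch (BundleNotFoundException e) {
            log.debug("Unable to get jwt bundle from jwt source for subject {}", spiffeId);
            throw new UnresolvableKeyException("Unable to get jwt bundle from jwt source for subject " + spiffeId, e);
        }
    }
}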
