package io.confluent.common.security.jetty;

import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.common.security.util.PemUtils;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/jetty/JwtLoginService.class */
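public class JwtLoginService extends AbstractLifeCycle implements LoginService {
    private static final Logger log = LoggerFactory.getLogger(JwtLoginService.class);

    /** Realm name reported to Jetty through {@link #getName()}. */
    private final String realmName;
    /** Issuer ({@code iss}) that every accepted token must carry. */
    private final String jwtIssuer;
    /** A single PEM file, or a directory whose {@code *.pem} entries are all loaded as verification keys. */
    private final Path publicKeyPath;
    /** Name of the claim whose string-list value becomes the identity's role names. */
    private final String rolesClaim;
    /** Built by {@link #loadKeys()} during {@link #doStart()}; {@code null} until the service is started. */
    private transient JwtConsumer jwtConsumer;
    private transient IdentityService identityService;

    /**
     * Creates a login service that authenticates callers by verifying a JWT against locally stored
     * public keys. Keys are not read until {@link #doStart()} runs.
     *
     * @param realmName name of the realm this service represents
     * @param jwtIssuer value the token's {@code iss} claim must equal
     * @param publicKeyPath path to a PEM public-key file, or to a directory of {@code *.pem} files
     * @param rolesClaim name of the claim that lists the caller's roles
     * @throws NullPointerException if {@code publicKeyPath} is null
     */
    public JwtLoginService(String realmName, String jwtIssuer, String publicKeyPath, String rolesClaim) {
        Objects.requireNonNull(publicKeyPath, "public key must not be null");
        this.realmName = realmName;
        this.jwtIssuer = jwtIssuer;
        this.publicKeyPath = Paths.get(publicKeyPath);
        this.rolesClaim = rolesClaim;
    }

    /**
     * Tells whether an identity was produced by this service, i.e. its {@link Subject} carries a
     * {@link JwtPrincipal}. (The decompiler reports this member as package-private in the original source.)
     *
     * @param userIdentity identity to inspect
     * @return {@code true} if at least one {@link JwtPrincipal} is attached to the subject
     */
    public static boolean isJwtUser(UserIdentity userIdentity) {
        return !userIdentity.getSubject().getPrincipals(JwtPrincipal.class).isEmpty();
    }

    /**
     * Starts the service: installs a {@link DefaultIdentityService} if none was injected, then loads
     * the verification keys. Fails the start (via {@link IllegalStateException} from {@link #loadKeys()})
     * when no key can be loaded, so the service never runs without a way to verify signatures.
     *
     * @throws Exception propagated from {@link AbstractLifeCycle#doStart()} or key loading
     */
    @Override
    protected void doStart() throws Exception {
        super.doStart();
        if (this.identityService == null) {
            this.identityService = new DefaultIdentityService();
        }
        loadKeys();
    }

    @Override
    public String getName() {
        return this.realmName;
    }

    /**
     * Authenticates a caller from a bearer token. The {@code username} argument is ignored; the
     * identity is derived solely from the verified token's claims.
     *
     * <p>Verification is delegated to the {@link JwtConsumer} built in {@link #loadKeys()}: signature
     * against the loaded public keys, expected issuer, and presence of {@code exp}, {@code jti} and
     * {@code sub}. Any verification or claim-parsing failure is logged at debug level (without the
     * token) and reported as a failed login by returning {@code null}.
     *
     * @param username ignored
     * @param credentials the compact-serialized JWT as a {@link String}; any other type fails the login
     * @param servletRequest unused
     * @return the new identity, or {@code null} if the token is rejected
     * @throws IllegalStateException if called before the service has been started
     */
    @Override
    public UserIdentity login(String username, Object credentials, ServletRequest servletRequest) {
        if (!(credentials instanceof String)) {
            // A non-string credential cannot be a JWT; treat it as a failed login rather than a cast error.
            log.debug("JWT credential is not a string token");
            return null;
        }
        if (this.jwtConsumer == null) {
            throw new IllegalStateException("JwtLoginService has not been started; no verification keys are loaded");
        }
        String token = (String) credentials;
        try {
            JwtClaims claims = this.jwtConsumer.processToClaims(token);
            JwtPrincipal principal = new JwtPrincipal(claims, token);
            Subject subject = new Subject();
            subject.getPrincipals().add(principal);
            return this.identityService.newUserIdentity(subject, principal, roleNames(claims));
        } catch (MalformedClaimException e) {
            log.debug("Malformed JWT", e);
            return null;
        } catch (InvalidJwtException e) {
            log.debug("Invalid JWT", e);
            return null;
        }
    }

    /**
     * Extracts the role names from the configured roles claim.
     *
     * @param claims verified claims of the token
     * @return the claim's string values, or an empty array when the claim yields no list
     * @throws MalformedClaimException if the claim is present but not a list of strings
     */
    private String[] roleNames(JwtClaims claims) throws MalformedClaimException {
        List<String> roles = claims.getStringListClaimValue(this.rolesClaim);
        return roles == null ? new String[0] : roles.toArray(new String[0]);
    }

    /**
     * Always reports an identity as still valid. Token expiry is only enforced at {@link #login};
     * NOTE(review): an identity Jetty keeps across requests is therefore not re-checked against the
     * token's {@code exp} by this service — confirm the authenticator re-logs in per request.
     */
    @Override
    public boolean validate(UserIdentity userIdentity) {
        return true;
    }

    @Override
    public IdentityService getIdentityService() {
        return this.identityService;
    }

    @Override
    public void setIdentityService(IdentityService identityService) {
        this.identityService = identityService;
    }

    /** No-op: this service keeps no per-user state to release. */
    @Override
    public void logout(UserIdentity userIdentity) {
    }

    /** Two services are equal when their realm, issuer, key path and roles claim all match. */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        JwtLoginService other = (JwtLoginService) obj;
        return Objects.equals(this.realmName, other.realmName)
            && Objects.equals(this.jwtIssuer, other.jwtIssuer)
            && Objects.equals(this.publicKeyPath, other.publicKeyPath)
            && Objects.equals(this.rolesClaim, other.rolesClaim);
    }

    @Override
    public int hashCode() {
        return Objects.hash(this.realmName, this.jwtIssuer, this.publicKeyPath, this.rolesClaim);
    }

    /**
     * Loads every readable public key under {@link #publicKeyPath} and (re)builds the
     * {@link JwtConsumer}. Files that fail to parse are logged and skipped by {@link #tryLoadKey}.
     *
     * <p>If nothing usable is found, a previously built consumer is kept; if there is none, an
     * {@link IllegalStateException} is thrown so that {@link #doStart()} fails instead of leaving a
     * service that cannot verify any token.
     *
     * @throws IllegalStateException if no key could be loaded and no consumer exists yet
     */
    private void loadKeys() {
        List<JsonWebKey> keys;
        try {
            keys = getPublicKeyPaths().stream()
                .map(JwtLoginService::tryLoadKey)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .collect(Collectors.toList());
        } catch (IOException e) {
            if (this.jwtConsumer == null) {
                // Fail fast: starting without any verification key would make every login fail later.
                throw new IllegalStateException("Unable to load JWT public key(s). path:" + this.publicKeyPath, e);
            }
            log.error("Unable to load JWT public key(s); keeping previously loaded keys. path:" + this.publicKeyPath, e);
            return;
        }
        if (keys.isEmpty()) {
            if (this.jwtConsumer == null) {
                throw new IllegalStateException("No public key files could be loaded. path: " + this.publicKeyPath);
            }
            log.warn("No public key files could be loaded; keeping previously loaded keys. path: " + this.publicKeyPath);
            return;
        }
        JwksVerificationKeyResolver resolver = new JwksVerificationKeyResolver(keys);
        // Tokens carry no key id we can rely on; let the resolver pick the key whose signature verifies.
        resolver.setDisambiguateWithVerifySignature(true);
        this.jwtConsumer = new JwtConsumerBuilder()
            .setExpectedIssuer(this.jwtIssuer)
            .setVerificationKeyResolver(resolver)
            .setRequireExpirationTime()
            .setRequireJwtId()
            .setRequireSubject()
            .build();
    }

    /**
     * Resolves the key file(s) to load: the configured path itself when it is a regular file,
     * otherwise every {@code *.pem} entry of the configured directory.
     *
     * @return the candidate key files; empty when the directory holds no {@code *.pem} file
     * @throws IOException if the directory cannot be opened or listed
     */
    private List<Path> getPublicKeyPaths() throws IOException {
        if (Files.isRegularFile(this.publicKeyPath)) {
            return Collections.singletonList(this.publicKeyPath);
        }
        List<Path> pemFiles = new ArrayList<>();
        // The directory stream holds an OS handle; release it as soon as the listing is consumed.
        try (DirectoryStream<Path> dir = Files.newDirectoryStream(this.publicKeyPath, "*.pem")) {
            for (Path entry : dir) {
                pemFiles.add(entry);
            }
        }
        return pemFiles;
    }

    /**
     * Reads one PEM public key and wraps it as a {@link JsonWebKey}.
     *
     * @param path PEM file to read
     * @return the key, or {@link Optional#empty()} if reading or parsing failed (the failure is logged)
     */
    private static Optional<JsonWebKey> tryLoadKey(Path path) {
        try (InputStream in = Files.newInputStream(path)) {
            return Optional.of(JsonWebKey.Factory.newJwk(PemUtils.loadPublicKey(in)));
        } catch (Exception e) {
            // Broad catch is deliberate: one unreadable file must not prevent the others from loading.
            log.error("Unable to load JWT public key. path:" + path, e);
            return Optional.empty();
        }
    }
}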
