package io.smallrye.jwt.auth.principal;

import io.smallrye.jwt.auth.principal.AbstractKeyLocationResolver;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.jwt.util.ResourceUtils;
import java.io.IOException;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import org.jose4j.http.Get;
import org.jose4j.http.SimpleGet;
import org.jose4j.http.SimpleResponse;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;

/* loaded from: input_file:io/smallrye/jwt/auth/principal/AwsAlbKeyResolver.class */
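/**
 * Resolves the signature-verification key for a JWS by downloading it from
 * {@code <publicKeyLocation>/<kid>} and keeping it in a bounded, time-limited cache.
 *
 * <p>The {@code kid} is read from the token header before the signature has been checked, so it
 * is untrusted input. It decides which URL is fetched and which cache slot is used, which is why
 * it is validated before either happens.
 *
 * <p>The cache counter is maintained with compare-and-set, so the resolver is evidently meant to
 * be shared between threads; the map behind it is therefore a concurrent map, and the counter is
 * only changed when an entry was actually added or removed.
 */
public class AwsAlbKeyResolver implements VerificationKeyResolver {
    private final JWTAuthContextInfo authContextInfo;
    /** Cache entry lifetime in milliseconds (configured in minutes). */
    private final long cacheTimeToLive;
    private final Map<String, CacheEntry> keys = new ConcurrentHashMap<>();
    /** Number of cache slots in use; kept separately so a slot can be reserved with a CAS. */
    private final AtomicInteger size = new AtomicInteger();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/smallrye/jwt/auth/principal/AwsAlbKeyResolver$CacheEntry.class */
    /** A cached key together with the time it was stored. Immutable once created. */
    public static class CacheEntry {
        final Key key;
        final long createdTime = System.currentTimeMillis();

        public CacheEntry(Key key) {
            this.key = key;
        }
    }

    /**
     * Creates a resolver after validating the key, algorithm and token-header configuration.
     *
     * @param jWTAuthContextInfo the JWT verification configuration
     * @throws UnresolvableKeyException declared for callers; raised by validation as the helpers see fit
     */
    public AwsAlbKeyResolver(JWTAuthContextInfo jWTAuthContextInfo) throws UnresolvableKeyException {
        AwsAlbKeyConfigurationValidator.validateKeyConfiguration(jWTAuthContextInfo);
        AwsAlbKeyConfigurationValidator.validatePublicKeyAlgorithmConfiguration(jWTAuthContextInfo);
        AwsAlbKeyConfigurationValidator.validateTokenHeaderConfiguration(jWTAuthContextInfo);
        this.authContextInfo = jWTAuthContextInfo;
        this.cacheTimeToLive = Duration.ofMinutes(jWTAuthContextInfo.getKeyCacheTimeToLive()).toMillis();
    }

    /**
     * Returns the verification key named by the token's {@code kid} header, from the cache when a
     * fresh entry exists and from the key location otherwise.
     *
     * @param jsonWebSignature the signature whose {@code kid} header selects the key
     * @param list the nesting context supplied by jose4j; not used here
     * @return the verification key, never {@code null}
     * @throws UnresolvableKeyException if the {@code kid} is missing or rejected, or no key could be loaded
     */
    public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
        String kid = jsonWebSignature.getHeaders().getStringHeaderValue("kid");
        verifyKid(kid);
        CacheEntry cached = findValidCacheEntry(kid);
        if (cached != null) {
            return cached.key;
        }
        // Fetch first and reserve a slot afterwards: reserving before the fetch leaked one slot for
        // every failed lookup, so a stream of tokens with unknown kids could exhaust the counter and
        // turn every later validation into a remote fetch.
        Key key = retrieveKey(kid);
        if (key == null) {
            // Fail closed rather than cache a null key or hand one to the signature verifier.
            throw new UnresolvableKeyException("No verification key could be loaded for the token kid");
        }
        if (prepareSpaceForNewCacheEntry() && this.keys.putIfAbsent(kid, new CacheEntry(key)) != null) {
            // Another thread cached the same kid in the meantime; give the reserved slot back.
            this.size.decrementAndGet();
        }
        return key;
    }

    /**
     * Downloads and decodes the public key stored under {@code <publicKeyLocation>/<kid>}.
     *
     * <p>The argument becomes part of the request URL as-is. {@link #resolveKey} only passes values
     * that went through {@code verifyKid}; a subclass calling this directly must do the same.
     * The key is decoded with the first of the configured signature algorithms.
     *
     * @param str the key identifier
     * @return the decoded key
     * @throws UnresolvableKeyException if the key cannot be fetched or decoded
     */
    protected Key retrieveKey(String str) throws UnresolvableKeyException {
        String keyLocation = this.authContextInfo.getPublicKeyLocation() + "/" + str;
        AwsAlbKeyResolverLogging.log.publicKeyPath(keyLocation);
        SimpleResponse response = null;
        try {
            response = getHttpGet().get(keyLocation);
        } catch (IOException e) {
            // presumably always throws; the null check below covers the case where it does not
            AbstractKeyLocationResolver.reportLoadKeyException(null, keyLocation, e);
        }
        if (response == null) {
            throw new UnresolvableKeyException("Failed to load the verification key from " + keyLocation);
        }
        String body = response.getBody();
        try {
            return KeyUtils.decodePublicKey(body, this.authContextInfo.getSignatureAlgorithm().iterator().next());
        } catch (Exception e2) {
            AbstractKeyLocationResolver.reportUnresolvableKeyException(body, keyLocation);
            return null;
        }
    }

    /**
     * Builds the HTTP client used to fetch keys, applying the configured TLS settings.
     *
     * @return the configured client
     * @throws UnresolvableKeyException if the configured certificate cannot be read
     */
    protected SimpleGet getHttpGet() throws UnresolvableKeyException {
        Get get = new Get();
        if (this.authContextInfo.isTlsTrustAll()) {
            // NOTE(review): going by its name this verifier accepts any hostname, so the fetched key
            // is only as trustworthy as the network path to the key location. It should stay off
            // outside test setups; prefer tlsTrustedHosts or a pinned certificate.
            get.setHostnameVerifier(new AbstractKeyLocationResolver.TrustAllHostnameVerifier());
        } else if (this.authContextInfo.getTlsTrustedHosts() != null) {
            get.setHostnameVerifier(new AbstractKeyLocationResolver.TrustedHostsHostnameVerifier(this.authContextInfo.getTlsTrustedHosts()));
        }
        // An inline certificate takes precedence over a certificate path.
        if (this.authContextInfo.getTlsCertificate() != null) {
            get.setTrustedCertificates(new X509Certificate[]{AbstractKeyLocationResolver.loadPEMCertificate(this.authContextInfo.getTlsCertificate())});
        } else if (this.authContextInfo.getTlsCertificatePath() != null) {
            get.setTrustedCertificates(new X509Certificate[]{AbstractKeyLocationResolver.loadPEMCertificate(readKeyContent(this.authContextInfo.getTlsCertificatePath()))});
        }
        return get;
    }

    /**
     * Reads the resource at the given location as text.
     *
     * @param str the resource location
     * @return the resource content
     * @throws UnresolvableKeyException if the resource is missing or cannot be read
     */
    protected String readKeyContent(String str) throws UnresolvableKeyException {
        try {
            String content = ResourceUtils.readResource(str);
            if (content == null) {
                throw PrincipalMessages.msg.resourceNotFound(str);
            }
            return content;
        } catch (IOException e) {
            AbstractKeyLocationResolver.reportLoadKeyException(null, str, e);
            return null;
        }
    }

    /**
     * Rejects a missing {@code kid}, a {@code kid} that differs from the configured token key id,
     * and, when no key id is configured, a {@code kid} that is not a plain URL path segment.
     *
     * @param str the {@code kid} header value, possibly {@code null}
     * @throws UnresolvableKeyException if the {@code kid} is not acceptable
     */
    private void verifyKid(String str) throws UnresolvableKeyException {
        if (str == null) {
            throw PrincipalMessages.msg.nullKeyIdentifier();
        }
        String tokenKeyId = this.authContextInfo.getTokenKeyId();
        if (tokenKeyId != null) {
            if (str.equals(tokenKeyId)) {
                // The operator pinned this exact value, so it is accepted as configured.
                return;
            }
            PrincipalLogging.log.invalidTokenKidHeader(str, tokenKeyId);
            throw PrincipalMessages.msg.invalidTokenKid();
        }
        // No pinned key id: the header value alone selects the URL, so it must not be able to add
        // path segments, a query or a fragment to the configured key location.
        if (!isPlainPathSegment(str)) {
            throw PrincipalMessages.msg.invalidTokenKid();
        }
    }

    /**
     * Tells whether the value consists only of RFC 3986 unreserved characters (ASCII letters,
     * digits, {@code - _ . ~}), is not empty and is not made of dots alone.
     */
    private static boolean isPlainPathSegment(String value) {
        if (value.isEmpty()) {
            return false;
        }
        boolean onlyDots = true;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean alphanumeric = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (!alphanumeric && c != '-' && c != '_' && c != '.' && c != '~') {
                return false;
            }
            if (c != '.') {
                onlyDots = false;
            }
        }
        return !onlyDots;
    }

    /** Evicts every expired entry, releasing one slot per entry this call actually removed. */
    private void removeInvalidEntries() {
        long now = now();
        for (Map.Entry<String, CacheEntry> entry : this.keys.entrySet()) {
            // remove(key, value) only succeeds for the thread that really evicts the entry, so the
            // counter cannot be decremented twice for the same entry.
            if (isEntryExpired(entry.getValue(), now) && this.keys.remove(entry.getKey(), entry.getValue())) {
                this.size.decrementAndGet();
            }
        }
    }

    /**
     * Reserves one cache slot, evicting expired entries first when the cache is full.
     *
     * @return {@code true} if a slot was reserved, {@code false} if the cache is still full
     */
    private boolean prepareSpaceForNewCacheEntry() {
        int current;
        do {
            current = this.size.get();
            if (current >= this.authContextInfo.getKeyCacheSize()) {
                removeInvalidEntries();
                // Re-read the counter: the previous code compared the stale value again and so
                // reported "full" even when the eviction had just freed slots.
                current = this.size.get();
                if (current >= this.authContextInfo.getKeyCacheSize()) {
                    return false;
                }
            }
        } while (!this.size.compareAndSet(current, current + 1));
        return true;
    }

    /**
     * Looks up a cache entry, dropping it when it has expired.
     *
     * @param str the key identifier
     * @return the fresh entry, or {@code null} if there is none
     */
    private CacheEntry findValidCacheEntry(String str) {
        CacheEntry entry = this.keys.get(str);
        if (entry == null) {
            return null;
        }
        if (isEntryExpired(entry, now())) {
            if (this.keys.remove(str, entry)) {
                this.size.decrementAndGet();
            }
            return null;
        }
        return entry;
    }

    /** Tells whether the entry is older than the configured time to live at time {@code j}. */
    private boolean isEntryExpired(CacheEntry cacheEntry, long j) {
        return cacheEntry.createdTime + this.cacheTimeToLive < j;
    }

    private static long now() {
        return System.currentTimeMillis();
    }
}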
