package io.quarkus.oidc.runtime;

import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.common.OidcRequestContextProperties;
import io.quarkus.runtime.ShutdownEvent;
import io.quarkus.security.credential.TokenCredential;
import io.smallrye.mutiny.Uni;
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import jakarta.enterprise.event.Observes;
import java.security.Key;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import org.jboss.logging.Logger;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;

/* loaded from: input_file:io/quarkus/oidc/runtime/DynamicVerificationKeyResolver.class */
/**
 * Resolves the signature verification key for a JWT whose signing key is not fixed up front.
 * <p>
 * Resolution order, driven by the token's JOSE header:
 * <ol>
 *   <li>a key already cached under the token's {@code kid}, {@code x5t#S256} or {@code x5t} value
 *       (checked in that order);</li>
 *   <li>otherwise the provider's JWK set is fetched and searched by the same three identifiers, in
 *       the same order; a match is cached under the identifier that produced it;</li>
 *   <li>a token carrying none of the three identifiers is matched against the key set's RSA key
 *       that has neither key id nor thumbprint;</li>
 *   <li>if still nothing matched and a certificate-chain trust store is configured, the
 *       {@link CertChainPublicKeyResolver} is returned so the chain in the token header can be used.</li>
 * </ol>
 * An identifier that is present in the header but unknown to the fetched key set is a hard
 * failure ({@link UnresolvableKeyException}); it never falls through to the next identifier or to
 * the chain resolver. Cache entries are written only after an identifier resolved against the
 * provider's key set, so a caller-controlled header value alone never populates the cache.
 * <p>
 * NOTE(review): misses are not cached here — every token whose identifier is not in the cache
 * costs one key-set request, unless {@code OidcProviderClient} throttles those itself; confirm.
 */
public class DynamicVerificationKeyResolver {
    private static final Logger LOG = Logger.getLogger(DynamicVerificationKeyResolver.class);

    /** JOSE header carrying the key id. */
    private static final String KID_HEADER = "kid";
    /** JOSE header carrying the SHA-256 thumbprint of the signing certificate. */
    private static final String X5T_S256_HEADER = "x5t#S256";
    /** JOSE header carrying the SHA-1 thumbprint of the signing certificate. */
    private static final String X5T_HEADER = "x5t";
    /** Header values that may identify a cached key, in lookup order. */
    private static final String[] CACHE_LOOKUP_HEADERS = { KID_HEADER, X5T_S256_HEADER, X5T_HEADER };

    private final OidcProviderClient client;
    /** Keys by the header identifier they were resolved with; lifetime and size come from the jwks config. */
    private final MemoryCache<Key> cache;
    /** Present only when a certificate-chain trust store is configured; {@code null} otherwise. */
    final CertChainPublicKeyResolver chainResolverFallback;

    /**
     * Resolver that always answers with one pre-selected key, ignoring the signature and its
     * nesting context.
     */
    public static class SingleKeyVerificationKeyResolver implements VerificationKeyResolver {
        private final Key key;

        SingleKeyVerificationKeyResolver(Key key) {
            this.key = key;
        }

        /**
         * @return the key this resolver was built with, for every input
         */
        @Override
        public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list)
                throws UnresolvableKeyException {
            return key;
        }
    }

    /**
     * @param oidcProviderClient client used to fetch the provider's JWK set
     * @param oidcTenantConfig   tenant configuration; {@code jwks.*} sizes the key cache and
     *                           {@code certificateChain.trustStoreFile} enables the chain fallback
     */
    public DynamicVerificationKeyResolver(OidcProviderClient oidcProviderClient, OidcTenantConfig oidcTenantConfig) {
        this.client = oidcProviderClient;
        this.cache = new MemoryCache<>(oidcProviderClient.getVertx(),
                oidcTenantConfig.jwks.cleanUpTimerInterval,
                oidcTenantConfig.jwks.cacheTimeToLive,
                oidcTenantConfig.jwks.cacheSize);
        // The chain resolver only makes sense with a trust store to validate the chain against.
        this.chainResolverFallback = oidcTenantConfig.certificateChain.trustStoreFile.isPresent()
                ? new CertChainPublicKeyResolver(oidcTenantConfig.certificateChain)
                : null;
    }

    /**
     * Picks the verification key resolver for the given token.
     *
     * @param tokenCredential credential wrapping the compact JWT whose header drives the lookup
     * @return a resolver for the matched key, or the chain resolver fallback; fails with
     *         {@link UnresolvableKeyException} when no key can be determined
     */
    public Uni<VerificationKeyResolver> resolve(TokenCredential tokenCredential) {
        final String token = tokenCredential.getToken();
        final JsonObject headers = OidcUtils.decodeJwtHeaders(token);

        Key cached = findKeyInTheCache(headers);
        if (cached != null) {
            return Uni.createFrom().item(new SingleKeyVerificationKeyResolver(cached));
        }

        // Cache miss: go to the provider. The token is passed along as request context.
        OidcRequestContextProperties requestProperties = new OidcRequestContextProperties(Map.of(
                OidcRequestContextProperties.TOKEN, token,
                OidcRequestContextProperties.TOKEN_CREDENTIAL, tokenCredential));
        return client.getJsonWebKeySet(requestProperties)
                .onItem()
                .transformToUni(jwks -> resolveFromKeySet(headers, jwks));
    }

    /**
     * Searches a freshly fetched key set using the token header identifiers, caching any hit.
     *
     * @param headers decoded JOSE header of the token
     * @param jwks    key set returned by the provider
     */
    private Uni<VerificationKeyResolver> resolveFromKeySet(JsonObject headers, JsonWebKeySet jwks) {
        Key key = null;

        // 'kid' is authoritative: an id the provider does not know is an immediate failure.
        String kid = headers.getString(KID_HEADER);
        if (kid != null) {
            key = getKeyWithId(jwks, kid);
            if (key == null) {
                return Uni.createFrom().failure(new UnresolvableKeyException(
                        String.format("JWK with kid '%s' is not available", kid)));
            }
            cache.add(kid, key);
        }

        // Thumbprints are consulted only when no 'kid' was present (a present 'kid' either matched
        // or already failed above). SHA-256 first, then the legacy SHA-1 'x5t'.
        String thumbprint = null;
        if (key == null) {
            thumbprint = headers.getString(X5T_S256_HEADER);
            if (thumbprint != null) {
                key = getKeyWithS256Thumbprint(jwks, thumbprint);
                if (key == null) {
                    return Uni.createFrom().failure(new UnresolvableKeyException(
                            String.format("JWK with the SHA256 certificate thumbprint '%s' is not available", thumbprint)));
                }
                cache.add(thumbprint, key);
            }
        }
        if (key == null) {
            thumbprint = headers.getString(X5T_HEADER);
            if (thumbprint != null) {
                key = getKeyWithThumbprint(jwks, thumbprint);
                if (key == null) {
                    return Uni.createFrom().failure(new UnresolvableKeyException(
                            String.format("JWK with the certificate thumbprint '%s' is not available", thumbprint)));
                }
                cache.add(thumbprint, key);
            }
        }

        // No identifying header at all: fall back to the set's anonymous RSA key. Which key is
        // returned when several qualify is decided inside JsonWebKeySet, not here.
        if (key == null && kid == null && thumbprint == null) {
            key = jwks.getKeyWithoutKeyIdAndThumbprint("RSA");
        }

        if (key != null) {
            return Uni.createFrom().item(new SingleKeyVerificationKeyResolver(key));
        }
        if (chainResolverFallback == null) {
            return Uni.createFrom().failure(new UnresolvableKeyException(
                    "JWK is not available, neither 'kid' nor 'x5t#S256' nor 'x5t' token headers are set"));
        }
        LOG.debug("JWK is not available, neither 'kid' nor 'x5t#S256' nor 'x5t' token headers are set, falling back to the certificate chain resolver");
        return Uni.createFrom().item(chainResolverFallback);
    }

    /** Looks up a key by {@code kid}; callers currently pass a non-null id, so the debug branch is defensive. */
    private static Key getKeyWithId(JsonWebKeySet jsonWebKeySet, String kid) {
        if (kid == null) {
            LOG.debug("Token 'kid' header is not set");
            return null;
        }
        return jsonWebKeySet.getKeyWithId(kid);
    }

    /** Looks up a key by SHA-1 certificate thumbprint; the null branch is defensive, see {@link #getKeyWithId}. */
    private static Key getKeyWithThumbprint(JsonWebKeySet jsonWebKeySet, String thumbprint) {
        if (thumbprint == null) {
            LOG.debug("Token 'x5t' header is not set");
            return null;
        }
        return jsonWebKeySet.getKeyWithThumbprint(thumbprint);
    }

    /** Looks up a key by SHA-256 certificate thumbprint; the null branch is defensive, see {@link #getKeyWithId}. */
    private static Key getKeyWithS256Thumbprint(JsonWebKeySet jsonWebKeySet, String thumbprint) {
        if (thumbprint == null) {
            LOG.debug("Token 'x5tS256' header is not set");
            return null;
        }
        return jsonWebKeySet.getKeyWithS256Thumbprint(thumbprint);
    }

    /**
     * Returns the first cached key identified by one of the token's {@code kid}, {@code x5t#S256}
     * or {@code x5t} header values, or {@code null} when none of them is cached.
     */
    private Key findKeyInTheCache(JsonObject headers) {
        for (String header : CACHE_LOOKUP_HEADERS) {
            String id = headers.getString(header);
            if (id != null && cache.containsKey(id)) {
                return cache.get(id);
            }
        }
        return null;
    }

    /** Stops the cache clean-up timer when the application shuts down. */
    void shutdown(@Observes ShutdownEvent shutdownEvent, Vertx vertx) {
        cache.stopTimer(vertx);
    }
}
