package io.trino.server.security.jwt;

import com.google.common.base.CharMatcher;
import com.google.common.io.Files;
import com.google.inject.Inject;
import io.airlift.security.pem.PemReader;
import io.jsonwebtoken.Header;
import io.jsonwebtoken.JweHeader;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.Locator;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.MacAlgorithm;
import io.jsonwebtoken.security.SecureDigestAlgorithm;
import io.jsonwebtoken.security.SecurityException;
import java.io.File;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.SwitchBootstraps;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.crypto.SecretKey;

/* loaded from: input_file:io/trino/server/security/jwt/FileSigningKeyLocator.class */
public class FileSigningKeyLocator implements Locator<Key> {
    private static final String DEFAULT_KEY = "default-key";
    private static final CharMatcher INVALID_KID_CHARS = CharMatcher.inRange('a', 'z').or(CharMatcher.inRange('A', 'Z')).or(CharMatcher.inRange('0', '9')).or(CharMatcher.anyOf("_-")).negate();
    private static final String KEY_ID_VARIABLE = "${KID}";
    private final String keyFile;
    private final LoadedKey staticKey;
    private final ConcurrentMap<String, LoadedKey> keys;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/trino/server/security/jwt/FileSigningKeyLocator$LoadedKey.class */
    public static class LoadedKey {
        private final PublicKey publicKey;
        private final SecretKey secretKey;

        public LoadedKey(PublicKey publicKey) {
            this.publicKey = (PublicKey) Objects.requireNonNull(publicKey, "publicKey is null");
            this.secretKey = null;
        }

        public LoadedKey(SecretKey secretKey) {
            this.secretKey = (SecretKey) Objects.requireNonNull(secretKey, "secretKey is null");
            this.publicKey = null;
        }

        public Key getKey(SecureDigestAlgorithm<?, ?> secureDigestAlgorithm) {
            if (secureDigestAlgorithm instanceof MacAlgorithm) {
                if (this.secretKey == null) {
                    throw new UnsupportedJwtException(String.format("JWT is signed with %s, but no HMAC key is configured", secureDigestAlgorithm));
                }
                return this.secretKey;
            }
            if (this.publicKey == null) {
                throw new UnsupportedJwtException(String.format("JWT is signed with %s, but no key is configured", secureDigestAlgorithm));
            }
            return this.publicKey;
        }
    }

    @Inject
    public FileSigningKeyLocator(JwtAuthenticatorConfig jwtAuthenticatorConfig) {
        this(jwtAuthenticatorConfig.getKeyFile());
    }

    public FileSigningKeyLocator(String str) {
        this.keys = new ConcurrentHashMap();
        this.keyFile = (String) Objects.requireNonNull(str, "keyFile is null");
        if (str.contains(KEY_ID_VARIABLE)) {
            this.staticKey = null;
        } else {
            this.staticKey = loadKeyFile(new File(str));
        }
    }

    /* renamed from: locate, reason: merged with bridge method [inline-methods] */
    public Key m616locate(Header header) {
        Objects.requireNonNull(header);
        switch ((int) SwitchBootstraps.typeSwitch(MethodHandles.lookup(), "typeSwitch", MethodType.methodType(Integer.TYPE, Object.class, Integer.TYPE), JwsHeader.class, JweHeader.class).dynamicInvoker().invoke(header, 0) /* invoke-custom */) {
            case 0:
                JwsHeader jwsHeader = (JwsHeader) header;
                return getKey(jwsHeader.getKeyId(), jwsHeader.getAlgorithm());
            case 1:
                JweHeader jweHeader = (JweHeader) header;
                return getKey(jweHeader.getKeyId(), jweHeader.getAlgorithm());
            default:
                throw new UnsupportedJwtException("Cannot locate key for header: %s".formatted(header.getType()));
        }
    }

    private Key getKey(String str, String str2) {
        SecureDigestAlgorithm<?, ?> secureDigestAlgorithm = (SecureDigestAlgorithm) Jwts.SIG.get().forKey(str2);
        return this.staticKey != null ? this.staticKey.getKey(secureDigestAlgorithm) : this.keys.computeIfAbsent(getKeyId(str), this::loadKey).getKey(secureDigestAlgorithm);
    }

    private static String getKeyId(String str) {
        return str == null ? DEFAULT_KEY : INVALID_KID_CHARS.replaceFrom(str, '_');
    }

    private LoadedKey loadKey(String str) {
        return loadKeyFile(new File(this.keyFile.replace(KEY_ID_VARIABLE, str)));
    }

    private static LoadedKey loadKeyFile(File file) {
        if (!file.canRead()) {
            throw new SecurityException("Unknown signing key ID");
        }
        try {
            String read = Files.asCharSource(file, StandardCharsets.US_ASCII).read();
            if (PemReader.isPem(read)) {
                try {
                    return new LoadedKey(PemReader.loadPublicKey(read));
                } catch (RuntimeException | GeneralSecurityException e) {
                    throw new SecurityException("Unable to decode PEM signing key id", e);
                }
            }
            try {
                return new LoadedKey(Keys.hmacShaKeyFor(Base64.getMimeDecoder().decode(read.getBytes(StandardCharsets.US_ASCII))));
            } catch (RuntimeException e2) {
                throw new SecurityException("Unable to decode HMAC signing key", e2);
            }
        } catch (IOException e3) {
            throw new SecurityException("Unable to read signing key", e3);
        }
    }
}
