package org.apache.solr.security.jwt;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.security.Key;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLHandshakeException;
import org.apache.solr.common.SolrException;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.VerificationJwkSelector;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UnresolvableKeyException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/solr/security/jwt/JWTVerificationkeyResolver.class */
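/**
 * {@link VerificationKeyResolver} that picks the signature verification key for a JWS from the
 * key set of the {@link JWTIssuerConfig} selected through the token's {@code iss} claim.
 *
 * <p>The issuer is read from the <em>unverified</em> payload, so at this stage it is only a
 * lookup hint chosen by whoever sent the token. This class does not validate the claim: the
 * caller still has to verify the signature with the returned key and check {@code iss} (and the
 * other claims) afterwards.
 *
 * <p>The {@code iss} value and the JWS header are copied into exception messages and debug log
 * lines below. Both are token-controlled, so anything that renders or parses those strings
 * should treat them as untrusted input.
 */
public class JWTVerificationkeyResolver implements VerificationKeyResolver {
    private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
    private final VerificationJwkSelector verificationJwkSelector = new VerificationJwkSelector();
    // Issuer configurations keyed by their configured 'iss' value (JWTIssuerConfig#getIss()).
    private final Map<String, JWTIssuerConfig> issuerConfigs = new HashMap<>();
    private final boolean requireIssuer;

    /**
     * Creates a resolver over the given issuer configurations.
     *
     * @param collection issuer configurations; each is registered under its {@code getIss()}
     *     value, so a later entry with the same issuer replaces an earlier one
     * @param z whether a token without an {@code iss} claim must be rejected
     */
    public JWTVerificationkeyResolver(Collection<JWTIssuerConfig> collection, boolean z) {
        this.requireIssuer = z;
        for (JWTIssuerConfig issuerConfig : collection) {
            this.issuerConfigs.put(issuerConfig.getIss(), issuerConfig);
        }
    }

    /**
     * Finds the key that should be used to verify the signature of the given JWS.
     *
     * @param jsonWebSignature the JWS whose signature is about to be verified
     * @param list nesting context supplied by the caller; not used by this implementation
     * @return the verification key selected from the issuer's key set
     * @throws UnresolvableKeyException if no issuer or no suitable key can be determined, or if
     *     obtaining the keys fails
     * @throws SolrException if the issuer configuration cannot serve the token (no usable single
     *     issuer) or the first JWKS fetch fails the TLS handshake
     */
    @Override
    public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
        List<JsonWebKey> jwks = new ArrayList<>();
        // Human-readable description of where the keys came from; only used in error messages.
        String keysSource = "N/A";
        try {
            // Unverified payload: the issuer is attacker-controlled until the signature checks out.
            String issuer = JwtClaims.parse(jsonWebSignature.getUnverifiedPayload()).getIssuer();
            // NOTE(review): UnresolvableKeyException is a JoseException in jose4j, so the ones
            // thrown inside this try block (here and below) appear to be re-wrapped by the catch
            // at the end, nesting the original message - confirm that is intended.
            JWTIssuerConfig issuerConfig = selectIssuerConfig(issuer);

            if (issuerConfig.usesHttpsJwk()) {
                keysSource = "[" + String.join(", ", issuerConfig.getJwksUrls()) + "]";
                for (HttpsJwks endpoint : issuerConfig.getHttpsJwks()) {
                    try {
                        jwks.addAll(endpoint.getJsonWebKeys());
                    } catch (SSLHandshakeException e) {
                        throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Failed to connect with " + endpoint.getLocation() + ", do you have the correct SSL certificate configured?", e);
                    }
                }
            } else {
                keysSource = "static list of keys in security.json";
                jwks.addAll(issuerConfig.getJsonWebKeySet().getJsonWebKeys());
            }

            JsonWebKey selected = this.verificationJwkSelector.select(jsonWebSignature, jwks);
            if (selected == null && issuerConfig.usesHttpsJwk()) {
                // No cached key fits the JWS header: refresh every JWKS endpoint once and retry.
                // This path runs before the token is authenticated, so any token with an unknown
                // key can trigger it. NOTE(review): how often a refresh really reaches the network
                // presumably depends on the HttpsJwks refresh reprieve threshold - confirm the
                // configured value.
                if (log.isDebugEnabled()) {
                    log.debug("Refreshing JWKs from all {} locations, as no suitable verification key for JWS w/ header {} was found in {}", issuerConfig.getHttpsJwks().size(), jsonWebSignature.getHeaders().getFullHeaderAsJsonString(), jwks);
                }
                jwks.clear();
                // NOTE(review): unlike the first fetch, an SSLHandshakeException raised here is
                // not translated into a SolrException; being an IOException it is handled by the
                // catch at the end of this method.
                for (HttpsJwks endpoint : issuerConfig.getHttpsJwks()) {
                    endpoint.refresh();
                    jwks.addAll(endpoint.getJsonWebKeys());
                }
                selected = this.verificationJwkSelector.select(jsonWebSignature, jwks);
            }
            if (selected == null) {
                throw new UnresolvableKeyException(String.format(Locale.ROOT, "Unable to find a suitable verification key for JWS w/ header %s from %d keys from source %s", jsonWebSignature.getHeaders().getFullHeaderAsJsonString(), jwks.size(), keysSource));
            }
            return selected.getKey();
        } catch (JoseException | IOException | InvalidJwtException | MalformedClaimException e2) {
            throw new UnresolvableKeyException(String.format(Locale.ROOT, "Unable to find a suitable verification key for JWS w/ header %s due to an unexpected exception (%s) while obtaining or using keys from source %s", jsonWebSignature.getHeaders().getFullHeaderAsJsonString(), e2, keysSource), e2);
        }
    }

    /**
     * Chooses the issuer configuration whose keys are tried for a token.
     *
     * @param issuer the {@code iss} claim from the unverified payload, or {@code null} if absent
     * @return the matching configuration, or the only configured one when no match is possible
     * @throws UnresolvableKeyException if the claim is required but missing, or names an issuer
     *     that is not configured while several issuers are configured
     * @throws SolrException if no single issuer configuration can be picked
     */
    private JWTIssuerConfig selectIssuerConfig(String issuer) throws UnresolvableKeyException {
        if (issuer == null) {
            if (this.requireIssuer) {
                throw new UnresolvableKeyException("Token does not contain required issuer claim");
            }
            if (this.issuerConfigs.size() != 1) {
                throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Signature verification not supported for multiple issuers without 'iss' claim in token.");
            }
            return this.issuerConfigs.values().iterator().next();
        }

        JWTIssuerConfig match = this.issuerConfigs.get(issuer);
        if (match != null) {
            return match;
        }
        if (this.issuerConfigs.size() > 1) {
            throw new UnresolvableKeyException("No issuers configured for iss='" + issuer + "', cannot validate signature");
        }
        if (this.issuerConfigs.size() != 1) {
            throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, "Signature verification failed due to no configured issuer with id " + issuer);
        }
        // The token names an issuer that is not configured, yet the keys of the only configured
        // issuer are tried anyway. NOTE(review): rejecting the mismatching 'iss' is therefore left
        // to claim validation after signature verification - confirm the consumer enforces an
        // expected issuer.
        JWTIssuerConfig soleIssuer = this.issuerConfigs.values().iterator().next();
        log.debug("No issuer matching token's iss claim, but exactly one configured, selecting that one");
        return soleIssuer;
    }

    /**
     * Returns the configured issuers as a new set, detached from the internal map.
     *
     * @return a copy of the issuer configurations held by this resolver
     */
    Set<JWTIssuerConfig> getIssuerConfigs() {
        return new HashSet<>(this.issuerConfigs.values());
    }
}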
