package io.trino.server.security.jwt;

import com.google.common.base.CharMatcher;
import com.google.common.io.Files;
import io.airlift.security.pem.PemReader;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.SigningKeyResolver;
import io.jsonwebtoken.UnsupportedJwtException;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.util.Base64;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.crypto.spec.SecretKeySpec;
import javax.inject.Inject;

/* loaded from: input_file:io/trino/server/security/jwt/FileSigningKeyResolver.class */
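/**
 * Resolves JWT verification keys from the local file system.
 *
 * <p>The configured key file path is used in one of two modes:
 * <ul>
 *   <li>If the path does not contain {@code ${KID}}, the file is loaded once in the constructor
 *       and used for every token.</li>
 *   <li>If the path contains {@code ${KID}}, the placeholder is replaced with the sanitized
 *       {@code kid} header of each token, and the resulting file is loaded on first use and
 *       cached.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The {@code alg} and {@code kid} header values are read before the signature has been
 *       verified, so both must be treated as untrusted input here.</li>
 *   <li>A {@link LoadedKey} holds either a public key or an HMAC secret, never both, so a public
 *       key file is never handed out as an HMAC secret because a token claims an HS* algorithm.</li>
 *   <li>Nothing in this class evicts entries from the per-kid cache, and the static key is read
 *       only in the constructor; replacing a key file on disk is therefore not picked up by an
 *       existing instance.</li>
 * </ul>
 */
public class FileSigningKeyResolver implements SigningKeyResolver {
    /** Key id used when the token header carries no {@code kid}. */
    private static final String DEFAULT_KEY = "default-key";

    /** Matches every character that is NOT in {@code [a-zA-Z0-9_-]}. */
    private static final CharMatcher INVALID_KID_CHARS = CharMatcher.inRange('a', 'z').or(CharMatcher.inRange('A', 'Z')).or(CharMatcher.inRange('0', '9')).or(CharMatcher.anyOf("_-")).negate();

    /** Placeholder in the configured path that is replaced with the sanitized key id. */
    private static final String KEY_ID_VARIABLE = "${KID}";

    private final String keyFile;
    // Non-null only when keyFile has no ${KID} placeholder.
    private final LoadedKey staticKey;
    // Per-kid cache of successfully loaded keys; only used when staticKey is null.
    private final ConcurrentMap<String, LoadedKey> keys;

    /**
     * Key material read from one key file: either a public key (PEM file) or raw HMAC secret
     * bytes (Base64 file). Exactly one of the two fields is non-null.
     */
    public static class LoadedKey {
        private final Key publicKey;
        private final byte[] hmacKey;

        /**
         * @param key public key used for non-HMAC algorithms; must not be null
         */
        public LoadedKey(Key key) {
            this.publicKey = Objects.requireNonNull(key, "publicKey is null");
            this.hmacKey = null;
        }

        /**
         * @param bArr raw HMAC secret bytes; must not be null
         */
        public LoadedKey(byte[] bArr) {
            // Copy so a caller that keeps the array cannot change the secret afterwards.
            this.hmacKey = Objects.requireNonNull(bArr, "hmacKey is null").clone();
            this.publicKey = null;
        }

        /**
         * Returns the key to verify a token signed with the given algorithm.
         *
         * <p>The algorithm comes from the token header. The check below is what prevents
         * algorithm confusion: an HMAC algorithm is only served from HMAC secret bytes, and any
         * other algorithm only from a loaded public key.
         *
         * @param signatureAlgorithm algorithm named by the token header
         * @return an HMAC {@link SecretKeySpec} or the loaded public key
         * @throws UnsupportedJwtException if this instance holds no key of the kind the
         *         algorithm requires
         */
        public Key getKey(SignatureAlgorithm signatureAlgorithm) {
            if (signatureAlgorithm.isHmac()) {
                if (this.hmacKey == null) {
                    throw new UnsupportedJwtException(String.format("JWT is signed with %s, but no HMAC key is configured", signatureAlgorithm));
                }
                return new SecretKeySpec(this.hmacKey, signatureAlgorithm.getJcaName());
            }
            // NOTE(review): every non-HMAC algorithm value reaches this branch; rejecting
            // unsigned tokens is presumably left to the JWT parser - confirm at the call site.
            if (this.publicKey == null) {
                throw new UnsupportedJwtException(String.format("JWT is signed with %s, but no key is configured", signatureAlgorithm));
            }
            return this.publicKey;
        }
    }

    /**
     * Creates a resolver from the authenticator configuration's key file setting.
     *
     * @param jwtAuthenticatorConfig configuration supplying the key file path
     */
    @Inject
    public FileSigningKeyResolver(JwtAuthenticatorConfig jwtAuthenticatorConfig) {
        this(jwtAuthenticatorConfig.getKeyFile());
    }

    /**
     * Creates a resolver for the given key file path.
     *
     * @param str key file path, optionally containing the {@code ${KID}} placeholder; must not
     *        be null
     * @throws SignatureException if the path has no placeholder and the file cannot be loaded
     */
    public FileSigningKeyResolver(String str) {
        this.keys = new ConcurrentHashMap<>();
        this.keyFile = Objects.requireNonNull(str, "keyFile is null");
        // Without a placeholder there is exactly one key, so load it now and fail early.
        this.staticKey = str.contains(KEY_ID_VARIABLE) ? null : loadKeyFile(new File(str));
    }

    /**
     * Resolves the verification key from the header alone; the claims are not consulted.
     */
    public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
        return getKey(jwsHeader);
    }

    /**
     * Resolves the verification key from the header alone; the payload text is not consulted.
     */
    public Key resolveSigningKey(JwsHeader jwsHeader, String str) {
        return getKey(jwsHeader);
    }

    /**
     * Picks the key for a token header: the static key if one was loaded, otherwise the cached
     * or freshly loaded key for the header's key id.
     */
    private Key getKey(JwsHeader<?> header) {
        SignatureAlgorithm algorithm = SignatureAlgorithm.forName(header.getAlgorithm());
        if (this.staticKey != null) {
            return this.staticKey.getKey(algorithm);
        }
        // computeIfAbsent records no mapping when loadKey throws, so only key ids that resolve
        // to a loadable file occupy the cache; an unknown kid is looked up on disk every time.
        LoadedKey loaded = this.keys.computeIfAbsent(getKeyId(header), this::loadKey);
        return loaded.getKey(algorithm);
    }

    /**
     * Returns the key id to use for file lookup.
     *
     * <p>The {@code kid} header is attacker-controlled. Every character outside
     * {@code [a-zA-Z0-9_-]} is replaced with {@code '_'}, so the value substituted into the
     * path cannot contain path separators or dots.
     */
    private static String getKeyId(JwsHeader<?> header) {
        String rawKeyId = header.getKeyId();
        if (rawKeyId == null) {
            return DEFAULT_KEY;
        }
        return INVALID_KID_CHARS.replaceFrom(rawKeyId, '_');
    }

    /** Loads the key file obtained by substituting the (already sanitized) key id into the path. */
    private LoadedKey loadKey(String keyId) {
        return loadKeyFile(new File(this.keyFile.replace(KEY_ID_VARIABLE, keyId)));
    }

    /**
     * Loads key material from a file: a PEM public key if the content is PEM, otherwise the
     * content is Base64-decoded and used as an HMAC secret.
     *
     * @param file key file to read
     * @return the loaded key material
     * @throws SignatureException if the file is not readable, cannot be read or decoded, or
     *         decodes to an empty HMAC secret
     */
    public static LoadedKey loadKeyFile(File file) {
        if (!file.canRead()) {
            // The message carries neither the path nor the requested key id.
            throw new SignatureException("Unknown signing key ID");
        }

        String contents;
        try {
            contents = Files.asCharSource(file, StandardCharsets.US_ASCII).read();
        } catch (IOException e) {
            throw new SignatureException("Unable to read signing key", e);
        }

        if (PemReader.isPem(contents)) {
            try {
                return new LoadedKey(PemReader.loadPublicKey(contents));
            } catch (RuntimeException | GeneralSecurityException e) {
                throw new SignatureException("Unable to decode PEM signing key id", e);
            }
        }

        // The MIME decoder skips characters outside the Base64 alphabet, so a file that is
        // neither PEM nor clean Base64 can still decode - possibly to fewer bytes than the
        // operator intended. Key files should be checked for the expected secret length.
        byte[] rawKey;
        try {
            rawKey = Base64.getMimeDecoder().decode(contents.getBytes(StandardCharsets.US_ASCII));
        } catch (RuntimeException e) {
            throw new SignatureException("Unable to decode HMAC signing key", e);
        }
        // An empty or whitespace-only file decodes to zero bytes. Reject it here so the failure
        // is reported as a key-loading error instead of surfacing later as an
        // IllegalArgumentException from SecretKeySpec during token verification.
        if (rawKey.length == 0) {
            throw new SignatureException("Unable to decode HMAC signing key");
        }
        return new LoadedKey(rawKey);
    }
}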
