package io.trino.proxy;

import com.google.common.base.Preconditions;
import io.airlift.security.pem.PemReader;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.time.ZonedDateTime;
import java.util.Base64;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Consumer;
import javax.crypto.SecretKey;
import javax.inject.Inject;

/* loaded from: input_file:io/trino/proxy/JsonWebTokenHandler.class */
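/**
 * Issues short-lived, signed JSON Web Tokens using the key material and optional
 * claims (key id, issuer, audience) supplied by a {@link JwtHandlerConfig}.
 *
 * <p>The handler is only usable when a key file was configured; check
 * {@link #isConfigured()} before calling {@link #getBearerToken(String)}.
 *
 * <p>The signing key is loaded once in the constructor and held for the lifetime of
 * this object, so rotating the key file on disk has no effect on an existing instance.
 */
public class JsonWebTokenHandler {
    // Applies the signing key to a builder; empty when no key file is configured.
    private final Optional<Consumer<JwtBuilder>> jwtSigner;
    // Optional "kid" header value.
    private final Optional<String> jwtKeyId;
    // Optional issuer claim.
    private final Optional<String> jwtIssuer;
    // Optional audience claim.
    private final Optional<String> jwtAudience;

    /**
     * Loads the signing key (if any) and captures the optional claim values.
     *
     * @param jwtHandlerConfig source of the key file, its password, and the optional
     *     key id, issuer and audience
     * @throws RuntimeException if a key file is configured but cannot be loaded
     */
    @Inject
    public JsonWebTokenHandler(JwtHandlerConfig jwtHandlerConfig) {
        this.jwtSigner = setupJwtSigner(jwtHandlerConfig.getJwtKeyFile(), jwtHandlerConfig.getJwtKeyFilePassword());
        this.jwtKeyId = Optional.ofNullable(jwtHandlerConfig.getJwtKeyId());
        this.jwtIssuer = Optional.ofNullable(jwtHandlerConfig.getJwtIssuer());
        this.jwtAudience = Optional.ofNullable(jwtHandlerConfig.getJwtAudience());
    }

    /**
     * Reports whether a signing key was configured.
     *
     * @return {@code true} when tokens can be issued
     */
    public boolean isConfigured() {
        return this.jwtSigner.isPresent();
    }

    /**
     * Builds a signed compact JWT whose subject is {@code str} and which expires five
     * minutes after the moment of the call.
     *
     * <p>The subject is embedded exactly as given; nothing here authenticates or
     * validates it, so callers must pass a principal they have already verified. Only
     * {@code sub}, {@code exp} and the optional {@code iss}/{@code aud} claims are set:
     * there is no issued-at, not-before or token id, so the token is a plain bearer
     * credential that remains usable until it expires.
     *
     * @param str subject to place in the token
     * @return the serialized, signed token
     * @throws IllegalStateException if no signing key is configured
     */
    public String getBearerToken(String str) {
        Preconditions.checkState(this.jwtSigner.isPresent(), "not configured");
        JwtBuilder builder = Jwts.builder()
                .setSubject(str)
                .setExpiration(Date.from(ZonedDateTime.now().plusMinutes(5L).toInstant()));
        this.jwtSigner.get().accept(builder);
        this.jwtKeyId.ifPresent(keyId -> builder.setHeaderParam("kid", keyId));
        this.jwtIssuer.ifPresent(builder::setIssuer);
        this.jwtAudience.ifPresent(builder::setAudience);
        return builder.compact();
    }

    /**
     * Creates the signer for the configured key file.
     *
     * <p>The file is first read as a PEM private key, which must be RSA. If PEM loading
     * fails with a {@link GeneralSecurityException}, the file content is instead
     * Base64-decoded (MIME variant) and used as an HMAC secret.
     *
     * <p>NOTE(review): this fallback is silent, so a damaged or mis-formatted PEM file
     * can end up being used as a symmetric secret rather than rejected. The MIME
     * decoder skips characters outside the Base64 alphabet, which makes it tolerant of
     * such input. Operators should confirm the algorithm of the issued tokens matches
     * the intended key type.
     *
     * @param file key file, or {@code null} when signing is not configured
     * @param str password for an encrypted PEM key, or {@code null}
     * @return the signer, or empty when {@code file} is {@code null}
     * @throws RuntimeException if the file cannot be read, holds a non-RSA private key,
     *     or is not valid Base64 in the fallback path
     */
    private static Optional<Consumer<JwtBuilder>> setupJwtSigner(File file, String str) {
        if (file == null) {
            return Optional.empty();
        }
        try {
            PrivateKey privateKey = PemReader.loadPrivateKey(file, Optional.ofNullable(str));
            if (!(privateKey instanceof RSAPrivateKey)) {
                // Raised as IOException so it is wrapped by the handler below.
                throw new IOException("Only RSA private keys are supported");
            }
            return Optional.of(builder -> builder.signWith(privateKey));
        } catch (IOException e) {
            throw new RuntimeException("Failed to load key file: " + file, e);
        } catch (GeneralSecurityException pemFailure) {
            try {
                byte[] secret = Base64.getMimeDecoder().decode(Files.readAllBytes(file.toPath()));
                // Keys.hmacShaKeyFor can reject a too-short secret with its own unchecked
                // exception; that is not caught here and propagates unchanged.
                SecretKey hmacKey = Keys.hmacShaKeyFor(secret);
                return Optional.of(builder -> builder.signWith(hmacKey));
            } catch (IOException | IllegalArgumentException fallbackFailure) {
                RuntimeException failure = new RuntimeException("Failed to load key file: " + file, fallbackFailure);
                // Keep the PEM parse error visible; otherwise the reason the RSA path
                // was abandoned is lost when the HMAC fallback also fails.
                failure.addSuppressed(pemFailure);
                throw failure;
            }
        }
    }
}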
