package org.apache.kafka.common.security.oauthbearer.internals.secured;

import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/kafka-clients-3.6.1.jar:org/apache/kafka/common/security/oauthbearer/internals/secured/ValidatorAccessTokenValidator.class */
/**
 * {@link AccessTokenValidator} that verifies a serialized JWT with a jose4j {@link JwtConsumer}
 * and turns the verified claims into an {@link OAuthBearerToken}.
 *
 * <p>What the consumer built in the constructor enforces:
 * <ul>
 *   <li>the {@code none} JWS algorithm is rejected ({@link AlgorithmConstraints#DISALLOW_NONE});</li>
 *   <li>an expiration time and an issued-at time are required;</li>
 *   <li>verification keys are obtained from the supplied {@link VerificationKeyResolver};</li>
 *   <li>clock skew, expected audience and expected issuer are configured only when the caller
 *       passes a value for them.</li>
 * </ul>
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>With a {@code null} issuer no expected issuer is set on the builder. NOTE(review): with
 *       jose4j's defaults the {@code iss} claim is then presumably not pinned, so trust rests on
 *       the key resolver alone; confirm against the jose4j version in use.</li>
 *   <li>Only {@code none} is excluded explicitly; which signed algorithms are accepted is left to
 *       jose4j and to the keys the resolver returns.</li>
 *   <li>{@link #getClaim} writes every extracted claim value (scope, subject, timestamps) to the
 *       DEBUG log. The serialized token itself is not logged by this class.</li>
 * </ul>
 */
public class ValidatorAccessTokenValidator implements AccessTokenValidator {
    private static final Logger log = LoggerFactory.getLogger(ValidatorAccessTokenValidator.class);

    /** Consumer that performs signature verification and the registered-claim checks. */
    private final JwtConsumer jwtConsumer;
    /** Name of the claim the scope is read from. */
    private final String scopeClaimName;
    /** Name of the claim the subject (principal) is read from. */
    private final String subClaimName;

    /* loaded from: input_file:BOOT-INF/lib/kafka-clients-3.6.1.jar:org/apache/kafka/common/security/oauthbearer/internals/secured/ValidatorAccessTokenValidator$ClaimSupplier.class */
    /**
     * Supplier of a single claim value that is allowed to fail with
     * {@link MalformedClaimException}; lets the jose4j accessors be passed to {@link #getClaim}.
     *
     * @param <T> type of the claim value
     */
    public interface ClaimSupplier<T> {
        T get() throws MalformedClaimException;
    }

    /**
     * Builds the underlying {@link JwtConsumer}.
     *
     * @param num allowed clock skew in seconds; skipped when {@code null}
     * @param set expected audience values; skipped when {@code null} or empty
     * @param str expected issuer; skipped when {@code null}
     * @param verificationKeyResolver resolver that supplies the signature verification key
     * @param str2 name of the scope claim
     * @param str3 name of the subject claim
     */
    public ValidatorAccessTokenValidator(Integer num, Set<String> set, String str, VerificationKeyResolver verificationKeyResolver, String str2, String str3) {
        final JwtConsumerBuilder builder = new JwtConsumerBuilder();

        // Optional checks: each one is configured only if the caller supplied a value.
        if (num != null) {
            builder.setAllowedClockSkewInSeconds(num);
        }
        final boolean audienceGiven = set != null && !set.isEmpty();
        if (audienceGiven) {
            builder.setExpectedAudience(set.toArray(new String[0]));
        }
        if (str != null) {
            builder.setExpectedIssuer(str);
        }

        // Mandatory checks: no unsigned tokens, exp and iat must be present, keys via the resolver.
        builder.setJwsAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE);
        builder.setRequireExpirationTime();
        builder.setRequireIssuedAt();
        builder.setVerificationKeyResolver(verificationKeyResolver);

        this.jwtConsumer = builder.build();
        this.scopeClaimName = str2;
        this.subClaimName = str3;
    }

    /**
     * Verifies the serialized access token and extracts scope, expiration, subject and issued-at.
     *
     * @param str the serialized JWT as received
     * @return a token object carrying the original string and the validated claim values
     * @throws ValidateException if jose4j rejects the token, if a claim cannot be extracted, or
     *     if one of the {@code ClaimValidationUtils} checks fails
     */
    @Override // org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator
    public OAuthBearerToken validate(String str) throws ValidateException {
        final JwtClaims claims;
        try {
            // Signature and registered-claim validation happen inside process(); nothing below
            // runs for a token jose4j has rejected.
            claims = jwtConsumer.process(new SerializedJwt(str).getToken()).getJwtClaims();
        } catch (InvalidJwtException e) {
            // NOTE(review): the jose4j message is propagated verbatim; check how callers surface it.
            throw new ValidateException(String.format("Could not validate the access token: %s", e.getMessage()), e);
        }

        // Extraction order is kept as in the original: scope, expiration, subject, issued-at.
        final Object rawScope = getClaim(() -> claims.getClaimValue(scopeClaimName), scopeClaimName);
        final Collection<String> scopes = toScopeCollection(rawScope);
        final NumericDate expiration = getClaim(claims::getExpirationTime, LoginAccessTokenValidator.EXPIRATION_CLAIM_NAME);
        final String subject = getClaim(() -> claims.getStringClaimValue(subClaimName), subClaimName);
        final NumericDate issuedAt = getClaim(claims::getIssuedAt, LoginAccessTokenValidator.ISSUED_AT_CLAIM_NAME);

        return new BasicOAuthBearerToken(
                str,
                ClaimValidationUtils.validateScopes(scopeClaimName, scopes),
                ClaimValidationUtils.validateExpiration(LoginAccessTokenValidator.EXPIRATION_CLAIM_NAME, millisOrNull(expiration)),
                ClaimValidationUtils.validateSubject(subClaimName, subject),
                ClaimValidationUtils.validateIssuedAt(LoginAccessTokenValidator.ISSUED_AT_CLAIM_NAME, millisOrNull(issuedAt)));
    }

    /**
     * Normalizes the raw scope claim: a single string becomes a one-element list, a collection is
     * passed through, anything else (including {@code null}) becomes an empty set.
     *
     * <p>The element type of a collection claim is not checked here (unchecked cast); presumably
     * {@code ClaimValidationUtils.validateScopes} deals with unexpected elements; verify.
     */
    @SuppressWarnings("unchecked")
    private static Collection<String> toScopeCollection(Object rawScope) {
        if (rawScope instanceof String) {
            return Collections.singletonList((String) rawScope);
        }
        if (rawScope instanceof Collection) {
            return (Collection<String>) rawScope;
        }
        return Collections.emptySet();
    }

    /** Returns the date as epoch milliseconds, or {@code null} when the claim was absent. */
    private static Long millisOrNull(NumericDate date) {
        return date == null ? null : Long.valueOf(date.getValueInMillis());
    }

    /**
     * Reads one claim through the supplier, logs it at DEBUG and returns it.
     *
     * @param claimSupplier accessor for the claim
     * @param claimName claim name, used for the log line and the error message
     * @return the claim value as returned by the supplier
     * @throws ValidateException if the supplier reports a malformed claim
     */
    private <T> T getClaim(ClaimSupplier<T> claimSupplier, String claimName) throws ValidateException {
        final T value;
        try {
            value = claimSupplier.get();
        } catch (MalformedClaimException e) {
            throw new ValidateException(String.format("Could not extract the '%s' claim from the access token", claimName), e);
        }
        // Claim values (subject, scopes) end up in the log when DEBUG is enabled.
        log.debug("getClaim - {}: {}", claimName, value);
        return value;
    }
}
