package org.apache.pulsar.broker.authentication.oidc;

import com.auth0.jwk.Jwk;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectReader;
import com.github.benmanes.caffeine.cache.AsyncLoadingCache;
import com.github.benmanes.caffeine.cache.Caffeine;
import io.kubernetes.client.openapi.ApiCallback;
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.apis.OpenidApi;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import javax.naming.AuthenticationException;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.asynchttpclient.AsyncHttpClient;

/* loaded from: input_file:org/apache/pulsar/broker/authentication/oidc/JwksCache.class */
public class JwksCache {
    private final AsyncLoadingCache<Optional<String>, List<Jwk>> cache;
    private final long keyIdCacheMissRefreshNanos;
    private final AsyncHttpClient httpClient;
    private final OpenidApi openidApi;
    private final ConcurrentHashMap<Optional<String>, Long> jwksLastRefreshTime = new ConcurrentHashMap<>();
    private final ObjectReader reader = new ObjectMapper().readerFor(HashMap.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    public JwksCache(ServiceConfiguration serviceConfiguration, AsyncHttpClient asyncHttpClient, ApiClient apiClient) throws IOException {
        this.httpClient = asyncHttpClient;
        this.openidApi = apiClient != null ? new OpenidApi(apiClient) : null;
        this.keyIdCacheMissRefreshNanos = TimeUnit.SECONDS.toNanos(ConfigUtils.getConfigValueAsInt(serviceConfiguration, "openIDKeyIdCacheMissRefreshSeconds", 300));
        this.cache = Caffeine.newBuilder().maximumSize(ConfigUtils.getConfigValueAsInt(serviceConfiguration, "openIDCacheSize", 5)).refreshAfterWrite(ConfigUtils.getConfigValueAsInt(serviceConfiguration, "openIDCacheRefreshAfterWriteSeconds", 64800), TimeUnit.SECONDS).expireAfterWrite(ConfigUtils.getConfigValueAsInt(serviceConfiguration, "openIDCacheExpirationSeconds", 86400), TimeUnit.SECONDS).buildAsync((optional, executor) -> {
            this.jwksLastRefreshTime.put(optional, Long.valueOf(System.nanoTime()));
            return optional.isPresent() ? getJwksFromJwksUri((String) optional.get()) : getJwksFromKubernetesApiServer();
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CompletableFuture<Jwk> getJwk(String str, String str2) {
        if (str != null) {
            return getJwkAndMaybeReload(Optional.of(str), str2, false);
        }
        AuthenticationProviderOpenID.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PUBLIC_KEY);
        return CompletableFuture.failedFuture(new IllegalArgumentException("jwksUri must not be null."));
    }

    private CompletableFuture<Jwk> getJwkAndMaybeReload(Optional<String> optional, String str, boolean z) {
        return this.cache.get(optional).thenCompose(list -> {
            try {
                return CompletableFuture.completedFuture(getJwkForKID(optional, list, str));
            } catch (IllegalArgumentException e) {
                if (z) {
                    throw e;
                }
                Long l = this.jwksLastRefreshTime.get(optional);
                if (l == null || System.nanoTime() - l.longValue() > this.keyIdCacheMissRefreshNanos) {
                    this.cache.synchronous().invalidate(optional);
                }
                return getJwkAndMaybeReload(optional, str, true);
            }
        });
    }

    private CompletableFuture<List<Jwk>> getJwksFromJwksUri(String str) {
        return this.httpClient.prepareGet(str).execute().toCompletableFuture().thenCompose(response -> {
            CompletableFuture completableFuture = new CompletableFuture();
            try {
                completableFuture.complete(convertToJwks(str, (HashMap) this.reader.readValue(response.getResponseBodyAsBytes())));
            } catch (Exception e) {
                AuthenticationProviderOpenID.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PUBLIC_KEY);
                completableFuture.completeExceptionally(new AuthenticationException("Error retrieving public key at " + str + ": " + e.getMessage()));
            } catch (AuthenticationException e2) {
                AuthenticationProviderOpenID.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PUBLIC_KEY);
                completableFuture.completeExceptionally(e2);
            }
            return completableFuture;
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CompletableFuture<Jwk> getJwkFromKubernetesApiServer(String str) {
        if (this.openidApi != null) {
            return getJwkAndMaybeReload(Optional.empty(), str, false);
        }
        AuthenticationProviderOpenID.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PUBLIC_KEY);
        return CompletableFuture.failedFuture(new AuthenticationException("Failed to retrieve public key from Kubernetes API server: Kubernetes fallback is not enabled."));
    }

    private CompletableFuture<List<Jwk>> getJwksFromKubernetesApiServer() {
        final CompletableFuture<List<Jwk>> completableFuture = new CompletableFuture<>();
        try {
            this.openidApi.getServiceAccountIssuerOpenIDKeysetAsync(new ApiCallback<String>() { // from class: org.apache.pulsar.broker.authentication.oidc.JwksCache.1
                public void onFailure(ApiException apiException, int i, Map<String, List<String>> map) {
                    AuthenticationProviderOpenID.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PUBLIC_KEY);
                    completableFuture.completeExceptionally(new AuthenticationException("Failed to retrieve public key from Kubernetes API server. Message: " + apiException.getMessage() + " Response body: " + apiException.getResponseBody()));
                }

                public void onSuccess(String str, int i, Map<String, List<String>> map) {
                    try {
                        completableFuture.complete(JwksCache.this.convertToJwks("Kubernetes API server", (HashMap) JwksCache.this.reader.readValue(str)));
                    } catch (Exception e) {
                        AuthenticationProviderOpenID.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PUBLIC_KEY);
                        completableFuture.completeExceptionally(new AuthenticationException("Error retrieving public key at Kubernetes API server: " + e.getMessage()));
                    } catch (AuthenticationException e2) {
                        AuthenticationProviderOpenID.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PUBLIC_KEY);
                        completableFuture.completeExceptionally(e2);
                    }
                }

                public void onUploadProgress(long j, long j2, boolean z) {
                }

                public void onDownloadProgress(long j, long j2, boolean z) {
                }

                public /* bridge */ /* synthetic */ void onSuccess(Object obj, int i, Map map) {
                    onSuccess((String) obj, i, (Map<String, List<String>>) map);
                }
            });
        } catch (ApiException e) {
            AuthenticationProviderOpenID.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PUBLIC_KEY);
            completableFuture.completeExceptionally(new AuthenticationException("Failed to retrieve public key from Kubernetes API server: " + e.getMessage()));
        }
        return completableFuture;
    }

    private Jwk getJwkForKID(Optional<String> optional, List<Jwk> list, String str) {
        for (Jwk jwk : list) {
            if (jwk.getId().equals(str)) {
                return jwk;
            }
        }
        AuthenticationProviderOpenID.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PUBLIC_KEY);
        throw new IllegalArgumentException("No JWK found for Key ID " + str);
    }

    private List<Jwk> convertToJwks(String str, Map<String, Object> map) throws AuthenticationException {
        try {
            List list = (List) map.get("keys");
            ArrayList arrayList = new ArrayList();
            Iterator it = list.iterator();
            while (it.hasNext()) {
                arrayList.add(Jwk.fromValues((Map) it.next()));
            }
            return arrayList;
        } catch (ClassCastException e) {
            throw new AuthenticationException("Malformed JWKS returned by: " + str);
        }
    }
}
