package space.crickets.jwtverifier.core;

import com.google.gson.Gson;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import java.io.IOException;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;
import space.crickets.jwtverifier.exceptions.UnauthorizedException;
import space.crickets.jwtverifier.models.JsonWebKeys;
import space.crickets.jwtverifier.models.JwksEndpoints;

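/**
 * Resolves the public key used to verify a JWT signature by looking up the token's
 * {@code kid} header in a cache filled from the configured JWKS endpoints.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #resolveSigningKey} runs <em>before</em> the signature is verified, so the
 *       {@code kid} header and every claim it sees are untrusted input.</li>
 *   <li>Only keys with {@code kty=RSA} and {@code use=sig} are cached; anything else in the
 *       key set is ignored.</li>
 *   <li>Verified tokens are only as trustworthy as the channel to the JWKS endpoints.
 *       NOTE(review): the endpoint URLs are configured elsewhere; confirm they are HTTPS.</li>
 *   <li>NOTE(review): every token carrying an unknown {@code kid} triggers a synchronous
 *       refresh of all endpoints while holding this object's lock, and there is no minimum
 *       interval between refreshes. Consider a back-off or rate limit at this layer or in
 *       front of it.</li>
 * </ul>
 *
 * <p>Thread-safety: all access to the key cache happens inside {@code synchronized (this)}.
 */
@Component
public class HttpSigningKeyResolver extends SigningKeyResolverAdapter {
    private static final Logger log = LogManager.getLogger(HttpSigningKeyResolver.class);
    private final JwksEndpoints jwksEndpoints;
    private final OkHttpClient okHttpClient;
    // kid -> RSA public key; only read or written while holding the monitor of `this`.
    private final Map<String, Key> keyMap = new HashMap<>();
    private final Gson gson = new Gson();

    /**
     * @param jwksEndpoints supplies the JWKS URLs that are queried on every cache refresh
     * @param okHttpClient  HTTP client (bean {@code jwtVerifierHttpClient}) used for those calls
     */
    public HttpSigningKeyResolver(JwksEndpoints jwksEndpoints, @Qualifier("jwtVerifierHttpClient") OkHttpClient okHttpClient) {
        this.jwksEndpoints = jwksEndpoints;
        this.okHttpClient = okHttpClient;
    }

    /**
     * Returns the cached key for the token's {@code kid}, refreshing the cache once from the
     * JWKS endpoints when the id is not known yet.
     *
     * @param jwsHeader header of the token being parsed (not yet verified)
     * @param claims    claims of the token being parsed (not yet verified)
     * @return the public key registered under the header's key id
     * @throws UnauthorizedException if the key id is still unknown after the refresh
     * @throws RuntimeException      if a JWKS endpoint cannot be read or returns an unusable key
     */
    @Override
    public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
        String keyId = jwsHeader.getKeyId();
        synchronized (this) {
            Key cached = this.keyMap.get(keyId);
            if (cached != null) {
                return cached;
            }
            // kid and iss come from an unverified token: log them as parameters and with
            // control characters neutralised so a crafted value cannot forge log lines.
            log.info("Encountered unknown keyId '{}', issuer '{}'.", printable(keyId), printable(claims.getIssuer()));
            updateKeys();
            Key refreshed = this.keyMap.get(keyId);
            if (refreshed != null) {
                return refreshed;
            }
            throw new UnauthorizedException(String.format("Even after refreshing keys, this keyId '%s', issuer '%s' remains unknown.", keyId, claims.getIssuer()));
        }
    }

    /**
     * Re-reads every configured JWKS endpoint and replaces the cache with the RSA signing keys
     * found there. Must be called while holding the monitor of {@code this}.
     *
     * <p>The new key set is assembled in a scratch map and swapped in only after every endpoint
     * has been read successfully, so a failing endpoint no longer leaves the cache empty.
     *
     * @throws RuntimeException if an endpoint call fails, answers with a non-2xx status,
     *                          returns no key set, or a key cannot be converted
     */
    private void updateKeys() {
        Map<String, Key> fresh = new HashMap<>();
        for (String url : this.jwksEndpoints.getUrls()) {
            Request request = new Request.Builder().url(url).addHeader("Accept", "application/json").get().build();
            // try-with-resources closes the response (and its connection) on every path,
            // including the error paths below.
            try (Response response = this.okHttpClient.newCall(request).execute()) {
                if (!response.isSuccessful()) {
                    throw new RuntimeException(String.format("Failed to call \"%s\" to get updated public keys. Got response code %d.", url, Integer.valueOf(response.code())));
                }
                JsonWebKeys jwks = this.gson.fromJson(response.body().string(), JsonWebKeys.class);
                if (jwks == null || jwks.getKeys() == null) {
                    // Gson yields null for an empty body; fail with context instead of an NPE.
                    throw new RuntimeException(String.format("Endpoint '%s' returned no JSON Web Key Set.", url));
                }
                jwks.getKeys().forEach(jsonWebKey -> {
                    // Constant-first comparison: "use" is optional in a JWK, and a key without
                    // it (or without "kty") is skipped rather than aborting the refresh.
                    if ("RSA".equalsIgnoreCase(jsonWebKey.getKeyType()) && "sig".equalsIgnoreCase(jsonWebKey.getPublicKeyUse())) {
                        try {
                            BigInteger modulus = new BigInteger(1, Base64.getUrlDecoder().decode(jsonWebKey.getModulus()));
                            BigInteger exponent = new BigInteger(1, Base64.getUrlDecoder().decode(jsonWebKey.getExponent()));
                            fresh.put(jsonWebKey.getKeyId(), KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent)));
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                            throw new RuntimeException("Failed to obtain public key for kid=" + jsonWebKey.getKeyId(), e);
                        }
                    }
                });
            } catch (IOException e) {
                throw new RuntimeException(String.format("Failed to call '%s' to get updated public keys.", url), e);
            }
        }
        // Every endpoint answered: replace the old key set in one step.
        this.keyMap.clear();
        this.keyMap.putAll(fresh);
    }

    /** Replaces ISO control characters (CR, LF, ...) with {@code '_'}; {@code null} stays {@code null}. */
    private static String printable(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            out.append(Character.isISOControl(c) ? '_' : c);
        }
        return out.toString();
    }
}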
