package io.unitycatalog.server.utils;

import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.linecorp.armeria.client.WebClient;
import com.linecorp.armeria.common.AggregatedHttpResponse;
import io.unitycatalog.server.exception.ErrorCode;
import io.unitycatalog.server.exception.OAuthInvalidClientException;
import io.unitycatalog.server.exception.OAuthInvalidRequestException;
import io.unitycatalog.server.security.SecurityContext;
import java.net.URL;
import java.nio.file.Path;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;

/* loaded from: input_file:io/unitycatalog/server/utils/JwksOperations.class */
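/**
 * Resolves JSON Web Keys for a token issuer and builds {@link JWTVerifier}s from them.
 *
 * <p>Keys for the internal issuer are read from a local JWKS file; keys for any other issuer are
 * located through that issuer's OpenID Connect discovery document.
 *
 * <p>NOTE(review): this listing is decompiler output. Several calls below declare checked
 * exceptions in their libraries ({@code JwkProvider.get}, {@code Jwk.getPublicKey},
 * {@code ObjectMapper.readValue}, {@code new URL}, {@code URI.toURL}) and no {@code throws}
 * clause is visible here. Presumably the original source dealt with them through a mechanism the
 * decompiler dropped; confirm against the original before recompiling.
 */
public class JwksOperations {
    private final WebClient webClient = WebClient.builder().build();
    private static final ObjectMapper mapper = new ObjectMapper();

    /**
     * Builds a verifier bound to one issuer and one of that issuer's published keys.
     *
     * <p>The signature algorithm comes from the JWK, not from the token being verified, and the
     * verifier also requires the {@code iss} claim to equal {@code str}.
     *
     * @param str issuer identifier; also used as the expected {@code iss} claim
     * @param str2 key id ({@code kid}) to look up in the issuer's key set
     * @return a verifier for tokens signed with the selected key
     * @throws OAuthInvalidRequestException if the selected key is not an RSA key
     * @throws OAuthInvalidClientException if the JWK's {@code alg} is not RS256, RS384 or RS512
     */
    public JWTVerifier verifierForIssuerAndKey(String str, String str2) {
        Jwk jwk = loadJwkProvider(str).get(str2);
        String keyType = jwk.getPublicKey().getAlgorithm();
        // Check the type of the key material itself before choosing an algorithm for it.
        if (!"RSA".equalsIgnoreCase(keyType)) {
            throw new OAuthInvalidRequestException(ErrorCode.ABORTED, String.format("Invalid algorithm '%s' for issuer '%s'", keyType, str));
        }
        return JWT.require(algorithmForJwk(jwk)).withIssuer(str).build();
    }

    /**
     * Maps the JWK's declared {@code alg} to a verification-only RSA algorithm.
     *
     * <p>The {@code alg} member is optional in a JWK, so a missing value is rejected the same way
     * as an unsupported one instead of failing with a {@link NullPointerException}.
     *
     * @param jwk key whose {@code alg} and public key are used
     * @return the matching RSA algorithm, built without a private key
     * @throws OAuthInvalidClientException if {@code alg} is absent or not RS256, RS384 or RS512
     */
    private Algorithm algorithmForJwk(Jwk jwk) {
        String algorithm = jwk.getAlgorithm();
        // A null alg is mapped to "" so it falls through to the default branch.
        switch (algorithm == null ? "" : algorithm) {
            case "RS256":
                return Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), (RSAPrivateKey) null);
            case "RS384":
                return Algorithm.RSA384((RSAPublicKey) jwk.getPublicKey(), (RSAPrivateKey) null);
            case "RS512":
                return Algorithm.RSA512((RSAPublicKey) jwk.getPublicKey(), (RSAPrivateKey) null);
            default:
                throw new OAuthInvalidClientException(ErrorCode.ABORTED, String.format("Unsupported algorithm: %s", algorithm));
        }
    }

    /**
     * Returns a provider for the given issuer's key set.
     *
     * <p>For the internal issuer the keys come from {@code etc/conf/certs.json}, a relative path
     * and therefore resolved against the process working directory. For any other issuer the
     * method fetches {@code <issuer>/.well-known/openid-configuration} over https, checks that the
     * document's {@code issuer} equals the https-prefixed issuer, and uses its {@code jwks_uri}.
     *
     * <p>NOTE(review): the host contacted is whatever {@code str} names. If callers derive
     * {@code str} from a token that has not been verified yet, they should first check it against
     * the set of configured issuers; that check is not visible in this class.
     *
     * <p>NOTE(review): the provider is built with {@code cached(false)} and a new one is created on
     * every call, so each verification appears to cost a discovery request plus a key-set request.
     *
     * @param str issuer identifier, with or without the {@code https://} prefix
     * @return a provider over the issuer's key set
     * @throws OAuthInvalidRequestException if the discovery document is empty, names a different
     *     issuer, lacks a string {@code jwks_uri}, or gives a {@code jwks_uri} that is not https
     */
    public JwkProvider loadJwkProvider(String str) {
        if (str.equals(SecurityContext.Issuers.INTERNAL)) {
            return new JwkProviderBuilder(Path.of("etc/conf/certs.json").toUri().toURL()).cached(false).build();
        }
        String issuer = str.startsWith("https://") ? str : "https://" + str;
        String discoveryBase = issuer.endsWith("/") ? issuer : issuer + "/";
        AggregatedHttpResponse response = this.webClient.get(discoveryBase + ".well-known/openid-configuration").aggregate().join();
        Map<String, Object> configuration = mapper.readValue(response.contentUtf8(), new TypeReference<Map<String, Object>>() {
        });
        if (configuration == null || configuration.isEmpty()) {
            throw new OAuthInvalidRequestException(ErrorCode.ABORTED, "Could not get issuer configuration");
        }
        // Comparing from the known-good side treats a missing or non-string "issuer" as a
        // mismatch instead of a NullPointerException or ClassCastException.
        if (!issuer.equals(configuration.get("issuer"))) {
            throw new OAuthInvalidRequestException(ErrorCode.ABORTED, "Issuer doesn't match configuration");
        }
        Object jwksUriValue = configuration.get("jwks_uri");
        if (!(jwksUriValue instanceof String)) {
            throw new OAuthInvalidRequestException(ErrorCode.ABORTED, "JWKS configuration missing");
        }
        URL jwksUrl = new URL((String) jwksUriValue);
        // The discovery document is remote content: only follow an https jwks_uri, so the key set
        // cannot be redirected to a file:, jar: or plaintext http: location. OpenID Connect
        // Discovery requires https for jwks_uri.
        if (!"https".equalsIgnoreCase(jwksUrl.getProtocol())) {
            throw new OAuthInvalidRequestException(ErrorCode.ABORTED, "JWKS URI must use https");
        }
        return new JwkProviderBuilder(jwksUrl).cached(false).build();
    }
}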
