package org.keycloak.sdjwt.consumer;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonNode;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureVerifierContext;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.sdjwt.IssuerSignedJWT;
import org.keycloak.sdjwt.JwkParsingUtils;
import org.keycloak.sdjwt.SdJwtUtils;

/* loaded from: input_file:org/keycloak/sdjwt/consumer/JwtVcMetadataTrustedSdJwtIssuer.class */
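/**
 * A {@link TrustedSdJwtIssuer} that resolves an issuer's verifying keys from the
 * JWT VC Issuer Metadata document published under {@code /.well-known/jwt-vc-issuer}.
 *
 * <p>Trust model, as implemented here:
 * <ul>
 *   <li>The token's {@code iss} claim must fully match the configured pattern
 *       ({@link java.util.regex.Matcher#matches()}, not a partial find).</li>
 *   <li>The {@code iss} value must start with {@code https://}.</li>
 *   <li>The metadata's {@code issuer} must equal {@code iss} (ignoring one trailing slash).</li>
 *   <li>Keys come from the inline JWKS, or else from {@code jwks_uri}, which must also be HTTPS.</li>
 * </ul>
 *
 * <p>The {@code iss} claim is read from a token whose signature has not been verified yet
 * (this class is what resolves the keys for that verification), so the configured pattern is
 * the only thing limiting which hosts this class will contact. Keep it as narrow as possible.
 *
 * <p>NOTE(review): certificate validation, redirect handling, timeouts and response-size
 * limits are the responsibility of the supplied {@link HttpDataFetcher}; none of that is
 * visible from this class. Confirm the fetcher does not follow redirects to non-HTTPS targets.
 */
public class JwtVcMetadataTrustedSdJwtIssuer implements TrustedSdJwtIssuer {
    private static final String JWT_VC_ISSUER_END_POINT = "/.well-known/jwt-vc-issuer";
    private static final String HTTPS_SCHEME_PREFIX = "https://";

    private final Pattern issuerUriPattern;
    private final HttpDataFetcher httpDataFetcher;

    /**
     * Trusts exactly one issuer URI.
     *
     * @param issuerUri the only accepted {@code iss} value; it is quoted, so regex
     *                  metacharacters in it are matched literally
     * @param httpDataFetcher used to retrieve the metadata and, if referenced, the JWKS
     * @throws IllegalArgumentException if {@code issuerUri} does not start with {@code https://}
     */
    public JwtVcMetadataTrustedSdJwtIssuer(String issuerUri, HttpDataFetcher httpDataFetcher) {
        try {
            validateHttpsIssuerUri(issuerUri);
        } catch (VerificationException e) {
            throw new IllegalArgumentException(e);
        }
        this.issuerUriPattern = Pattern.compile(Pattern.quote(issuerUri));
        this.httpDataFetcher = httpDataFetcher;
    }

    /**
     * Trusts every issuer URI that fully matches {@code issuerUriPattern}.
     *
     * <p>The pattern itself is not inspected here; the HTTPS requirement is enforced on each
     * token's {@code iss} value in {@link #resolveIssuerVerifyingKeys(IssuerSignedJWT)}.
     * A permissive pattern widens the set of hosts a presented token can make this
     * class fetch from.
     *
     * @param issuerUriPattern pattern the whole {@code iss} claim must match
     * @param httpDataFetcher used to retrieve the metadata and, if referenced, the JWKS
     */
    public JwtVcMetadataTrustedSdJwtIssuer(Pattern issuerUriPattern, HttpDataFetcher httpDataFetcher) {
        this.issuerUriPattern = issuerUriPattern;
        this.httpDataFetcher = httpDataFetcher;
    }

    /**
     * Resolves the keys that may verify the given issuer-signed JWT.
     *
     * <p>When the JWT header carries a {@code kid}, exactly one published JWK must have that
     * {@code kid}; otherwise every published JWK is returned as a candidate.
     *
     * @param issuerSignedJWT the JWT whose {@code iss} claim and {@code kid} header drive resolution
     * @return one verifier context per candidate JWK, never empty
     * @throws VerificationException if the issuer is not trusted, is not HTTPS, its metadata or
     *         JWKS cannot be fetched or parsed, no (or more than one) JWK matches the
     *         {@code kid}, or a JWK cannot be converted to a verifier
     */
    @Override
    public List<SignatureVerifierContext> resolveIssuerVerifyingKeys(IssuerSignedJWT issuerSignedJWT) throws VerificationException {
        // A missing "iss" becomes "", which then fails the pattern and/or HTTPS checks below.
        String issuerUri = Optional.ofNullable(issuerSignedJWT.getPayload().get("iss"))
                .map(node -> node.asText())
                .orElse("");
        String keyId = issuerSignedJWT.getHeader().getKeyId();

        // Allow-list check first: nothing is fetched for an issuer outside the pattern.
        if (!this.issuerUriPattern.matcher(issuerUri).matches()) {
            throw new VerificationException(String.format("Unexpected Issuer URI claim. Expected=/%s/, Got=%s", this.issuerUriPattern.pattern(), issuerUri));
        }
        validateHttpsIssuerUri(issuerUri);

        List<JWK> candidateJwks = fetchIssuerMetadataJwks(issuerUri);
        if (candidateJwks.isEmpty()) {
            throw new VerificationException(String.format("Issuer JWKs were unexpectedly resolved to an empty list. Issuer URI: %s", issuerUri));
        }

        if (keyId != null) {
            // Null array entries (e.g. "keys": [null]) are skipped instead of raising an NPE.
            List<JWK> matchingJwks = candidateJwks.stream()
                    .filter(jwk -> jwk != null && keyId.equals(jwk.getKeyId()))
                    .collect(Collectors.toList());
            if (matchingJwks.isEmpty()) {
                throw new VerificationException(String.format("No published JWK was found to match kid: %s", keyId));
            }
            // Refuse to guess: an ambiguous kid is treated as a verification failure.
            if (matchingJwks.size() > 1) {
                throw new VerificationException(String.format("Cannot choose between multiple exposed JWKs with same kid: %s", keyId));
            }
            candidateJwks = Collections.singletonList(matchingJwks.get(0));
        }

        List<SignatureVerifierContext> verifiers = new ArrayList<>();
        for (JWK jwk : candidateJwks) {
            try {
                verifiers.add(JwkParsingUtils.convertJwkToVerifierContext(jwk));
            } catch (Exception e) {
                // One unusable key fails the whole resolution rather than being dropped silently.
                throw new VerificationException("A potential JWK was retrieved but found invalid", e);
            }
        }
        return verifiers;
    }

    /**
     * Rejects issuer URIs that do not start with the literal, lower-case {@code https://}.
     *
     * @throws VerificationException if the prefix is absent
     */
    private void validateHttpsIssuerUri(String issuerUri) throws VerificationException {
        if (!issuerUri.startsWith(HTTPS_SCHEME_PREFIX)) {
            throw new VerificationException("HTTPS URI required to retrieve JWT VC Issuer Metadata");
        }
    }

    /**
     * Fetches the issuer's metadata document and returns the JWKs it exposes, either inline
     * or through {@code jwks_uri}.
     *
     * @param issuerUri an already allow-listed HTTPS issuer URI
     * @return the published JWKs (possibly empty; the caller rejects an empty list)
     * @throws VerificationException if fetching or parsing fails, the metadata has no
     *         {@code issuer} or names a different one, {@code jwks_uri} is not HTTPS, or no
     *         JWKS can be resolved
     */
    private List<JWK> fetchIssuerMetadataJwks(String issuerUri) throws VerificationException {
        String expectedIssuer = normalizeUri(issuerUri);

        JwtVcMetadata metadata;
        try {
            metadata = SdJwtUtils.mapper.treeToValue(fetchData(expectedIssuer.concat(JWT_VC_ISSUER_END_POINT)), JwtVcMetadata.class);
        } catch (JsonProcessingException e) {
            throw new VerificationException("Failed to parse exposed JWT VC Metadata", e);
        }

        // The document is remote input: a JSON null or a missing "issuer" must surface as a
        // verification failure, not as a NullPointerException escaping to the caller.
        if (metadata == null || metadata.getIssuer() == null) {
            throw new VerificationException(String.format("JWT VC Issuer Metadata is missing the issuer field. Expected=%s", expectedIssuer));
        }

        // Binds the fetched document to the issuer the token claimed.
        String exposedIssuer = normalizeUri(metadata.getIssuer());
        if (!expectedIssuer.equals(exposedIssuer)) {
            throw new VerificationException(String.format("Unexpected metadata's issuer. Expected=%s, Got=%s", expectedIssuer, exposedIssuer));
        }

        String jwksUri = metadata.getJwksUri();
        JSONWebKeySet jwks = metadata.getJwks();
        if (jwks == null && jwksUri != null) {
            // The JWKS is the trust root for signature verification; retrieving it over a
            // cleartext channel would undo the HTTPS requirement placed on the issuer URI.
            // NOTE(review): jwks_uri is not required to share the issuer's origin; if outbound
            // destinations must be restricted, enforce that in the HttpDataFetcher.
            if (!jwksUri.startsWith(HTTPS_SCHEME_PREFIX)) {
                throw new VerificationException(String.format("HTTPS URI required to retrieve issuer JWKS. Got jwks_uri=%s", jwksUri));
            }
            try {
                jwks = SdJwtUtils.mapper.treeToValue(fetchData(jwksUri), JSONWebKeySet.class);
            } catch (JsonProcessingException e) {
                throw new VerificationException("Failed to parse exposed JWKS", e);
            }
        }

        if (jwks == null || jwks.getKeys() == null) {
            throw new VerificationException(String.format("Could not resolve issuer JWKs with URI: %s", expectedIssuer));
        }
        return Arrays.asList(jwks.getKeys());
    }

    /**
     * Fetches a JSON document through the configured fetcher.
     *
     * @throws VerificationException wrapping any failure, including a {@code null} result
     */
    private JsonNode fetchData(String uri) throws VerificationException {
        try {
            return Objects.requireNonNull(this.httpDataFetcher.fetchJsonData(uri));
        } catch (Exception e) {
            // Deliberately broad: any fetcher failure is reported as a verification failure.
            throw new VerificationException(String.format("Could not fetch data from URI: %s", uri), e);
        }
    }

    /** Strips a single trailing slash so that {@code https://a/} and {@code https://a} compare equal. */
    private String normalizeUri(String uri) {
        return uri.replaceAll("/$", "");
    }
}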
