package io.confluent.ksql.api.auth;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.ksql.api.server.Server;
import io.confluent.ksql.rest.server.KsqlRestConfig;
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Promise;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.AbstractUser;
import io.vertx.ext.auth.AuthProvider;
import io.vertx.ext.auth.User;
import java.security.Principal;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.collections4.CollectionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/ksql/api/auth/JaasAuthProvider.class */
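/**
 * Vert.x {@link AuthProvider} that authenticates a username/password pair through JAAS
 * and decides authorization from the roles configured under
 * {@link KsqlRestConfig#AUTHENTICATION_ROLES_CONFIG}.
 *
 * <p>Role handling, as implemented by the constructor and {@code validateRoles}:
 * <ul>
 *   <li>a configured value of {@code "*"} is dropped;</li>
 *   <li>a configured value of {@code "**"} is stored as {@code "*"}, which then grants
 *       access to every successfully authenticated user (this mirrors the Jetty
 *       convention where {@code "**"} means "any authenticated user" -- confirm against
 *       the KsqlRestConfig documentation);</li>
 *   <li>any other value must equal the name of a {@link Principal} in the authenticated
 *       {@link javax.security.auth.Subject}.</li>
 * </ul>
 *
 * <p>The JAAS login itself is blocking and is therefore executed on the server's worker
 * executor, never on the event loop. Failure messages returned to the caller are
 * deliberately generic; details are written to the server log only.
 */
public class JaasAuthProvider implements AuthProvider {
    private static final Logger log = LoggerFactory.getLogger(JaasAuthProvider.class);

    /** Value stored in {@link #allowedRoles} that authorizes every authenticated user. */
    private static final String ANY_AUTHENTICATED = "*";

    private final Server server;
    // Stored for parity with the public constructor; not read anywhere in this class.
    private final KsqlRestConfig config;
    private final LoginContextSupplier loginContextSupplier;
    /** Normalised role list: "*" removed, "**" rewritten to {@link #ANY_AUTHENTICATED}. */
    private final List<String> allowedRoles;
    /** JAAS realm / login-configuration entry name used for every login. */
    private final String contextName;

    /**
     * {@link User} produced by a successful JAAS login.
     *
     * <p>The authorization decision is computed once, at login time, and every
     * {@code isPermitted} query returns that same answer regardless of the
     * permission string asked about.
     */
    public static class JaasUser extends AbstractUser implements ApiUser {
        private final Principal principal;
        private final boolean authorized;

        /**
         * @param username   name wrapped in the {@link JaasPrincipal}; must not be null
         * @param authorized result of the role check performed at login time
         */
        JaasUser(final String username, final boolean authorized) {
            this.principal = new JaasPrincipal(Objects.requireNonNull(username, "username"));
            this.authorized = authorized;
        }

        /** Answers with the login-time decision; the {@code permission} argument is ignored. */
        public void doIsPermitted(final String permission,
                                  final Handler<AsyncResult<Boolean>> resultHandler) {
            resultHandler.handle(Future.succeededFuture(authorized));
        }

        /** Not supported: the identity is exposed through {@link #getPrincipal()} instead. */
        public JsonObject principal() {
            throw new UnsupportedOperationException();
        }

        /** No-op: the decision is fixed at construction, so no provider is retained. */
        public void setAuthProvider(final AuthProvider authProvider) {
            // intentionally empty
        }

        @Override // io.confluent.ksql.api.auth.ApiUser
        public Principal getPrincipal() {
            return principal;
        }
    }

    /**
     * Factory for {@link LoginContext} instances; allows tests to substitute a fake JAAS
     * realm. The production implementation is {@code LoginContext::new}.
     */
    @VisibleForTesting
    @FunctionalInterface
    public interface LoginContextSupplier {
        LoginContext get(String realm, CallbackHandler callbackHandler) throws LoginException;
    }

    /**
     * Creates a provider backed by the real JAAS {@link LoginContext}.
     *
     * @param server provides the worker executor used for the blocking login
     * @param config source of the realm name and the allowed-role list
     */
    public JaasAuthProvider(final Server server, final KsqlRestConfig config) {
        this(server, config, LoginContext::new);
    }

    /**
     * @param server               provides the worker executor used for the blocking login
     * @param config               source of the realm name and the allowed-role list
     * @param loginContextSupplier factory for the JAAS login context
     * @throws NullPointerException if any argument is null
     */
    @VisibleForTesting
    JaasAuthProvider(final Server server, final KsqlRestConfig config,
                     final LoginContextSupplier loginContextSupplier) {
        this.server = Objects.requireNonNull(server, "server");
        this.config = Objects.requireNonNull(config, "config");
        this.loginContextSupplier =
            Objects.requireNonNull(loginContextSupplier, "loginContextSupplier");
        this.allowedRoles = config.getList(KsqlRestConfig.AUTHENTICATION_ROLES_CONFIG).stream()
            // A configured "*" is dropped; only "**" becomes the any-authenticated wildcard.
            .filter(role -> !"*".equals(role))
            .map(role -> "**".equals(role) ? ANY_AUTHENTICATED : role)
            .collect(Collectors.toList());
        this.contextName = config.getString(KsqlRestConfig.AUTHENTICATION_REALM_CONFIG);
    }

    /**
     * Authenticates the {@code "username"} / {@code "password"} fields of {@code authInfo}.
     *
     * <p>A missing field fails immediately on the calling thread. Otherwise the blocking
     * JAAS login is dispatched to the worker executor and {@code resultHandler} receives
     * either a {@link JaasUser} or a failure with a generic message.
     *
     * @param authInfo      credentials; must contain non-null "username" and "password"
     * @param resultHandler receives the outcome
     * @throws NullPointerException if {@code authInfo} is null
     */
    public void authenticate(final JsonObject authInfo,
                             final Handler<AsyncResult<User>> resultHandler) {
        Objects.requireNonNull(authInfo, "authInfo");
        final String username = authInfo.getString("username");
        if (username == null) {
            resultHandler.handle(Future.failedFuture("authInfo missing 'username' field"));
            return;
        }
        final String password = authInfo.getString("password");
        if (password == null) {
            resultHandler.handle(Future.failedFuture("authInfo missing 'password' field"));
            return;
        }
        // The configured LoginModule may block; keep it off the event loop.
        server.getWorkerExecutor().executeBlocking(
            promise -> getUser(contextName, username, password, allowedRoles, promise),
            resultHandler);
    }

    /**
     * Performs the blocking JAAS login and completes {@code promise}.
     *
     * <p>Both failure paths report a deliberately generic message to the caller so the
     * response does not reveal whether the account exists or which LoginModule rejected
     * the attempt; the exception detail goes to the server log only. The password is
     * never logged.
     *
     * @param realm    JAAS login-configuration entry to use
     * @param username credential handed to the {@link BasicCallbackHandler}
     * @param password credential handed to the {@link BasicCallbackHandler}
     * @param roles    normalised allowed roles
     * @param promise  completed with the authenticated user or failed with a message
     */
    private void getUser(final String realm, final String username, final String password,
                         final List<String> roles, final Promise<User> promise) {
        final LoginContext loginContext;
        try {
            loginContext = loginContextSupplier.get(realm, new BasicCallbackHandler(username, password));
        } catch (SecurityException | LoginException e) {
            log.error("Failed to create LoginContext: {}", e.getMessage());
            promise.fail("Failed to create LoginContext.");
            return;
        }

        try {
            loginContext.login();
        } catch (SecurityException | LoginException e) {
            // Any failure during login surfaces to the client as a generic credential error.
            log.error("Failed to log in: {}", e.getMessage());
            promise.fail("Failed to log in: Invalid username/password.");
            return;
        }

        promise.complete(new JaasUser(username, validateRoles(loginContext, roles)));
    }

    /**
     * Decides whether the logged-in subject holds one of the allowed roles.
     *
     * @param loginContext a context whose {@code login()} has already succeeded
     * @param allowedRoles normalised roles from the configuration
     * @return true if {@code allowedRoles} contains the any-authenticated wildcard, or the
     *         name of any {@link Principal} in the subject equals one of the allowed roles
     */
    private static boolean validateRoles(final LoginContext loginContext,
                                         final List<String> allowedRoles) {
        if (allowedRoles.contains(ANY_AUTHENTICATED)) {
            return true;
        }
        // NOTE(review): every Principal in the Subject is compared, not only group/role
        // principals, so a user principal whose name equals an allowed role also matches.
        return loginContext.getSubject().getPrincipals().stream()
            .map(Principal::getName)
            .anyMatch(allowedRoles::contains);
    }
}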
