package io.confluent.common.security.jetty.initializer;

import io.confluent.common.security.jetty.CertificateAuthenticator;
import io.confluent.common.security.jetty.CertificateLoginService;
import io.confluent.rest.RestConfig;
import io.confluent.rest.auth.AuthUtil;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Consumer;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;
import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
import org.eclipse.jetty.ee10.servlet.security.ConstraintMapping;
import org.eclipse.jetty.ee10.servlet.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;

/* loaded from: input_file:io/confluent/common/security/jetty/initializer/InstallCertificateSecurityHandler.class */
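/**
 * Installs a certificate-based {@link ConstraintSecurityHandler} on a Jetty
 * {@link ServletContextHandler}.
 *
 * <p>Lifecycle: {@link #configure(Map)} must run before {@link #accept(ServletContextHandler)};
 * the handler is built from the configuration captured by {@code configure}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@code authentication.roles} is always forced to {@code "**"}, overriding any value the
 *       operator supplied. Jetty treats {@code **} as "any authenticated user", so this handler
 *       authenticates but does not restrict by role; finer-grained authorization has to be
 *       enforced elsewhere.</li>
 *   <li>Constraints returned by {@code AuthUtil.createUnsecuredConstraints} are added after the
 *       global constraint. Judging by the name they exempt paths from authentication (not
 *       verifiable from this file), so the configuration that feeds them deserves review.</li>
 * </ul>
 */
public class InstallCertificateSecurityHandler implements Consumer<ServletContextHandler>, Configurable {
    /** Set by {@link #configure(Map)}; {@code null} until then. */
    private SecurityHandlerConfig config;

    /**
     * {@link RestConfig} extended with the principal-mapping rules applied to the client
     * certificate.
     */
    public static class SecurityHandlerConfig extends RestConfig {
        public static final String SSL_PRINCIPAL_MAPPING_RULES_PROP = "auth.ssl.principal.mapping.rules";
        public static final String SSL_PRINCIPAL_MAPPING_RULES_DEFAULT = "DEFAULT";
        // NOTE(review): "SN" in this user-facing text is ambiguous (subject name vs. serial number).
        // Kafka's SslPrincipalMapper rules operate on the certificate's distinguished name.
        public static final String SSL_PRINCIPAL_MAPPING_RULES_DOC = "Rules to execute the conversion from the certificate SN into principal name";

        // Built from the constants above so the key, default and doc cannot drift apart.
        private static final ConfigDef CONFIG = baseConfigDef().define(
                SSL_PRINCIPAL_MAPPING_RULES_PROP,
                ConfigDef.Type.STRING,
                SSL_PRINCIPAL_MAPPING_RULES_DEFAULT,
                ConfigDef.Importance.MEDIUM,
                SSL_PRINCIPAL_MAPPING_RULES_DOC);

        /**
         * @param map raw configuration properties, validated against the base REST definition
         *            plus {@link #SSL_PRINCIPAL_MAPPING_RULES_PROP}
         */
        public SecurityHandlerConfig(Map<String, ?> map) {
            super(CONFIG, map);
        }

        /** @return the configured value of {@link #SSL_PRINCIPAL_MAPPING_RULES_PROP} */
        String sslPrincipalMappingRules() {
            return getString(SSL_PRINCIPAL_MAPPING_RULES_PROP);
        }

        /** @return the configured value of {@code authentication.realm} */
        String realm() {
            return getString("authentication.realm");
        }
    }

    /**
     * Captures the configuration used to build the security handler.
     *
     * <p>The role override is applied to a private copy. The previous code wrote into the
     * caller's map, which fails on unmodifiable maps and leaks the override into configuration
     * that may be shared with other components.
     *
     * @param map configuration properties; must not be {@code null}
     * @throws NullPointerException if {@code map} is {@code null}
     */
    @Override
    public void configure(Map<String, ?> map) {
        Objects.requireNonNull(map, "map");
        Map<String, Object> effective = new HashMap<>(map);
        // Deliberately replaces any operator-supplied roles: "**" is Jetty's "any authenticated
        // user" role. Presumably read by AuthUtil.createGlobalAuthConstraint; confirm there.
        effective.put("authentication.roles", "**");
        this.config = new SecurityHandlerConfig(effective);
    }

    /**
     * Replaces the security handler of the given context with the certificate-based one.
     *
     * @param servletContextHandler context to protect
     * @throws IllegalStateException if {@link #configure(Map)} has not been called
     */
    @Override // java.util.function.Consumer
    public void accept(ServletContextHandler servletContextHandler) {
        servletContextHandler.setSecurityHandler(createSecurityHandler());
    }

    /**
     * Assembles the handler: global auth constraint, authenticator, login service, identity
     * service and realm name, followed by the unsecured-path constraints from {@code AuthUtil}.
     *
     * @return a fully wired handler
     * @throws IllegalStateException if {@link #configure(Map)} has not been called
     */
    protected ConstraintSecurityHandler createSecurityHandler() {
        if (this.config == null) {
            // Fail with a clear message instead of an anonymous NullPointerException.
            throw new IllegalStateException("configure() must be called before the security handler is created");
        }
        ConstraintSecurityHandler handler = new ConstraintSecurityHandler();
        handler.addConstraintMapping(createGlobalAuthConstraint());
        handler.setAuthenticator(createAuthenticator());
        handler.setLoginService(createLoginService());
        handler.setIdentityService(createIdentityService());
        handler.setRealmName(this.config.realm());
        // Added after the global constraint, in the order AuthUtil returns them.
        AuthUtil.createUnsecuredConstraints(this.config).forEach(handler::addConstraintMapping);
        return handler;
    }

    /** @return the constraint mapping {@code AuthUtil} derives from the captured configuration */
    protected ConstraintMapping createGlobalAuthConstraint() {
        return AuthUtil.createGlobalAuthConstraint(this.config);
    }

    /** @return a new {@link CertificateAuthenticator} */
    protected LoginAuthenticator createAuthenticator() {
        return new CertificateAuthenticator();
    }

    /**
     * Builds the login service that turns a client certificate into a principal.
     *
     * @return a {@link CertificateLoginService} using a mapper parsed from the configured rules
     */
    protected LoginService createLoginService() {
        SslPrincipalMapper principalMapper =
                SslPrincipalMapper.fromRules(this.config.sslPrincipalMappingRules());
        CertificateLoginService loginService = new CertificateLoginService();
        loginService.setSslPrincipalMapper(principalMapper);
        return loginService;
    }

    /** @return a new {@link DefaultIdentityService} */
    protected IdentityService createIdentityService() {
        return new DefaultIdentityService();
    }
}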
