package io.confluent.common.security.jetty;

import java.util.Objects;
import java.util.function.Function;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.UserIdentity;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Session;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/jetty/MultiJwtLoginService.class */
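/**
 * Jetty {@link LoginService} that fronts two {@link JwtLoginService} delegates and hands each
 * login attempt to the delegate whose configured issuer equals the token's {@code iss} claim.
 *
 * <p>Security note: the issuer used for routing is read with a {@link JwtConsumer} that skips
 * signature verification and every claim validator, so at routing time it is unauthenticated,
 * caller-supplied data. This class uses it only to pick a delegate (and in a debug log line) and
 * makes no authentication decision of its own. Signature, expiry and audience checks are
 * presumably performed by the selected delegate's {@code login} — NOTE(review): confirm in
 * {@code JwtLoginService}, because nothing in this class enforces it.
 */
public class MultiJwtLoginService extends AbstractLifeCycle implements LoginService {
    private static final Logger log = LoggerFactory.getLogger(MultiJwtLoginService.class);
    private final JwtLoginService confluentJwtLoginService;
    private final JwtLoginService idpJwtLoginService;
    private final String name;
    // Parse-only consumer: no signature check, no validators. Its output must never be treated
    // as authenticated; it exists solely to peek at the issuer claim for routing.
    private final JwtConsumer jwtConsumer;
    private IdentityService identityService;

    /**
     * Creates the composite login service.
     *
     * @param jwtLoginService delegate stored as the Confluent-issuer login service; tried first
     * @param jwtLoginService2 delegate stored as the IdP login service; tried second
     * @throws NullPointerException if either delegate is {@code null}
     * @throws IllegalArgumentException if the two delegates report different realm names
     */
    public MultiJwtLoginService(JwtLoginService jwtLoginService, JwtLoginService jwtLoginService2) {
        // Fail with a named message instead of an anonymous NPE from getName().
        Objects.requireNonNull(jwtLoginService, "jwtLoginService");
        Objects.requireNonNull(jwtLoginService2, "jwtLoginService2");
        if (!Objects.equals(jwtLoginService.getName(), jwtLoginService2.getName())) {
            throw new IllegalArgumentException("login service realm names must match");
        }
        this.confluentJwtLoginService = jwtLoginService;
        this.idpJwtLoginService = jwtLoginService2;
        this.name = jwtLoginService.getName();
        this.jwtConsumer = new JwtConsumerBuilder()
                .setSkipSignatureVerification()
                .setDisableRequireSignature()
                .setSkipAllValidators()
                .build();
    }

    /** Returns the realm name shared by both delegates. */
    public String getName() {
        return this.name;
    }

    /**
     * Routes a JWT login attempt to the delegate whose issuer matches the token's issuer claim.
     *
     * @param str user name, passed through unchanged to the chosen delegate
     * @param obj credentials; only a {@link String} (the serialized JWT) is accepted
     * @param request current request, passed through unchanged
     * @param function session accessor, passed through unchanged
     * @return the identity returned by the chosen delegate, or {@code null} when the credentials
     *     are not a {@code String}, the token cannot be parsed, or no delegate matches the issuer
     */
    public UserIdentity login(String str, Object obj, Request request, Function<Boolean, Session> function) {
        log.debug("Processing new Jwt login request to MultiJwtLoginService.");
        // Reject non-String (and null) credentials explicitly rather than relying on a
        // ClassCastException being swallowed by the catch-all below. The credential itself is
        // deliberately not logged.
        if (!(obj instanceof String)) {
            log.debug("Credentials are not a String JWT; rejecting login.");
            return null;
        }
        try {
            // Unverified parse: `issuer` is untrusted input and is used only for routing.
            String issuer = this.jwtConsumer.processToClaims((String) obj).getIssuer();
            String confluentIssuer = this.confluentJwtLoginService.getIssuer();
            String idpIssuer = this.idpJwtLoginService.getIssuer();
            // NOTE(review): `issuer` is written to the log as received; if debug logging is
            // enabled in production, make sure the log layout escapes control characters.
            log.debug("Issuer in request: {}, Confluent issuer: {}, IdP issuer: {}", issuer, confluentIssuer, idpIssuer);
            // NOTE(review): Objects.equals(null, null) is true, so a token without an issuer
            // claim is routed to a delegate whose getIssuer() returns null — confirm that a
            // delegate can never be configured without an expected issuer.
            if (Objects.equals(confluentIssuer, issuer)) {
                return this.confluentJwtLoginService.login(str, obj, request, function);
            }
            if (Objects.equals(idpIssuer, issuer)) {
                return this.idpJwtLoginService.login(str, obj, request, function);
            }
            log.debug("Unknown issuer: {}", issuer);
            return null;
        } catch (Exception e) {
            // Any parse or delegate failure is a failed login. It is recorded at debug level
            // only, so rejected logins are not visible at default log levels.
            log.debug("Exception", e);
            return null;
        }
    }

    /**
     * Always reports the identity as valid; neither delegate is consulted.
     *
     * <p>NOTE(review): if identities produced by this service are cached and later revalidated
     * through this method, token expiry or revocation would not be re-checked here — confirm
     * that this is intended.
     */
    public boolean validate(UserIdentity userIdentity) {
        return true;
    }

    /** Returns the identity service last set through {@link #setIdentityService}. */
    public IdentityService getIdentityService() {
        return this.identityService;
    }

    /** Stores the identity service and propagates it to both delegates. */
    public void setIdentityService(IdentityService identityService) {
        this.identityService = identityService;
        this.confluentJwtLoginService.setIdentityService(identityService);
        this.idpJwtLoginService.setIdentityService(identityService);
    }

    /** No-op: this class keeps no per-user state and does not forward logout to the delegates. */
    public void logout(UserIdentity userIdentity) {
    }

    /** Starts both delegates (Confluent first, then IdP) before the base lifecycle start. */
    protected void doStart() throws Exception {
        this.confluentJwtLoginService.start();
        this.idpJwtLoginService.start();
        super.doStart();
    }

    /**
     * Stops both delegates and then the base lifecycle.
     *
     * <p>Every step is attempted even if an earlier one throws, so a failure stopping the first
     * delegate cannot leave the second one running. The first failure is rethrown with any
     * later ones attached as suppressed exceptions.
     */
    protected void doStop() throws Exception {
        Exception failure = null;
        try {
            this.confluentJwtLoginService.stop();
        } catch (Exception e) {
            failure = e;
        }
        try {
            this.idpJwtLoginService.stop();
        } catch (Exception e) {
            if (failure == null) {
                failure = e;
            } else {
                failure.addSuppressed(e);
            }
        }
        try {
            super.doStop();
        } catch (Exception e) {
            if (failure == null) {
                failure = e;
            } else {
                failure.addSuppressed(e);
            }
        }
        if (failure != null) {
            throw failure;
        }
    }
}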
