package io.confluent.common.security.auth.schemaregistry;

import io.confluent.kafka.schemaregistry.client.SchemaRegistryClientConfig;
import io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider;
import io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.CachedOauthTokenRetriever;
import io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.OauthTokenCache;
import io.confluent.kafka.schemaregistry.client.ssl.HostSslSocketFactory;
import io.confluent.kafka.security.oauthbearer.HttpRequestFormatter;
import io.confluent.kafka.security.oauthbearer.HttpRequestFormatterFactory;
import java.io.IOException;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetriever;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ConfigurationUtils;
import org.apache.kafka.common.security.oauthbearer.internals.secured.HttpAccessTokenRetriever;
import org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;
import org.apache.kafka.common.security.oauthbearer.internals.secured.LoginAccessTokenValidator;

/* loaded from: input_file:io/confluent/common/security/auth/schemaregistry/OAuthClientAssertionCredentialProvider.class */
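/**
 * Bearer-token credential provider for Schema Registry clients that obtains its
 * token through the OAuth client-assertion flow.
 *
 * <p>{@link #configure(Map)} builds an HTTP token retriever for the configured
 * issuer endpoint and wraps it in a {@code CachedOauthTokenRetriever};
 * {@link #getBearerToken(URL)} then serves tokens from that cache.
 *
 * <p>NOTE(review): this class does no synchronization of its own; whether the
 * wrapped retriever is safe for concurrent use is not visible here.
 */
public class OAuthClientAssertionCredentialProvider implements BearerAuthCredentialProvider {
    private CachedOauthTokenRetriever cachedOauthTokenRetriever;
    private AccessTokenRetriever accessTokenRetriever;
    // Raw client configuration as handed to configure(); read again when the
    // SSL settings and the client-assertion settings are derived.
    Map<String, ?> config;

    /** Returns the identifier under which this provider is registered. */
    public String alias() {
        return "OAUTHBEARER_CLIENTASSERTION";
    }

    /**
     * Returns the current bearer token from the cached retriever.
     *
     * @param url the target URL; not consulted, the same token is returned for every URL
     * @return the bearer token
     * @throws IllegalStateException if {@link #configure(Map)} has not completed successfully
     */
    public String getBearerToken(URL url) {
        if (this.cachedOauthTokenRetriever == null) {
            // Fail with a clear message instead of a bare NullPointerException.
            throw new IllegalStateException("configure() must be called before getBearerToken()");
        }
        return this.cachedOauthTokenRetriever.getToken();
    }

    /**
     * Builds the token retriever, validator and cache from the client configuration.
     *
     * @param map the client configuration
     * @throws ConfigException if a required setting is missing or invalid
     */
    public void configure(Map<String, ?> map) {
        this.config = map;
        ConfigurationUtils configurationUtils = new ConfigurationUtils(map);
        CachedOauthTokenRetriever cachedRetriever = new CachedOauthTokenRetriever();
        // Stored on the field straight away so close() can release it even if a later step fails.
        this.accessTokenRetriever = getTokenRetriever(configurationUtils);
        cachedRetriever.configure(this.accessTokenRetriever, getTokenValidator(map), getOauthTokenCache(map));
        // Publish the cached retriever only once it is fully configured, so a failed
        // configure() never leaves a half-initialised object behind getBearerToken().
        this.cachedOauthTokenRetriever = cachedRetriever;
    }

    /** Creates the token cache using the configured expiry buffer (in seconds). */
    private OauthTokenCache getOauthTokenCache(Map<String, ?> map) {
        return new OauthTokenCache(SchemaRegistryClientConfig.getBearerAuthCacheExpiryBufferSeconds(map));
    }

    /**
     * Creates the HTTP retriever that requests access tokens from the issuer endpoint.
     *
     * @param configurationUtils validating view over the client configuration
     * @return a retriever bound to {@code bearer.auth.issuer.endpoint.url}
     * @throws ConfigException if neither the assertion issuer claim nor the assertion
     *     file location is configured, or if another setting fails validation
     */
    private AccessTokenRetriever getTokenRetriever(ConfigurationUtils configurationUtils) {
        String clientId = configurationUtils.validateString("bearer.auth.client.id", false);
        String scope = configurationUtils.validateString("bearer.auth.scope", false);
        String assertionIssuer =
                (String) configurationUtils.get(SchemaRegistryClientAssertionConfig.BEARER_CLIENTASSERTION_ISSUER);
        String assertionLocation =
                (String) configurationUtils.get(SchemaRegistryClientAssertionConfig.BEARER_CLIENTASSERTION_LOCATION);
        if (assertionLocation == null && assertionIssuer == null) {
            throw new ConfigException("Either bearer.assertion.claim.iss or bearer.assertion.file must be set");
        }
        HttpRequestFormatter httpRequestFormatter = getHttpRequestFormatter(clientId);

        // NOTE(review): by argument position these look like the retry backoff and the
        // maximum retry backoff, in milliseconds - confirm against the retriever's constructor.
        final long retryBackoffMs = 100L;
        final long retryBackoffMaxMs = 10000L;

        JaasOptionsUtils sslOptions = new JaasOptionsUtils(SchemaRegistryClientConfig.getClientSslConfig(this.config));
        URL tokenEndpoint = configurationUtils.validateUrl("bearer.auth.issuer.endpoint.url");
        // NOTE(review): no TLS socket factory is passed when shouldCreateSSLSocketFactory()
        // returns false. If that is the case for http:// endpoints, the signed client
        // assertion and the returned access token cross the network unencrypted - confirm
        // that deployments point this setting at an https endpoint.
        HostSslSocketFactory hostSslSocketFactory = null;
        if (sslOptions.shouldCreateSSLSocketFactory(tokenEndpoint)) {
            hostSslSocketFactory =
                    new HostSslSocketFactory(sslOptions.createSSLSocketFactory(), tokenEndpoint.getHost());
        }
        // NOTE(review): the two trailing nulls are presumably the connect and read timeouts;
        // if null leaves them unset, an unresponsive token endpoint could block the caller
        // indefinitely - confirm and consider wiring explicit timeouts.
        return new HttpAccessTokenRetriever(
                httpRequestFormatter,
                scope,
                hostSslSocketFactory,
                tokenEndpoint.toString(),
                retryBackoffMs,
                retryBackoffMaxMs,
                (Integer) null,
                (Integer) null);
    }

    /**
     * Creates the formatter that builds the token request for the given client id.
     *
     * @param str the OAuth client id placed into the JAAS-style options
     * @return the request formatter
     * @throws ConfigException if the underlying factory rejects the configuration; the
     *     original exception is kept as the cause
     */
    private HttpRequestFormatter getHttpRequestFormatter(String str) {
        ConfigurationUtils configurationUtils =
                new ConfigurationUtils(new SchemaRegistryClientAssertionConfig(this.config).saslClientConfigs());
        Map<String, Object> jaasOptions = new HashMap<>();
        jaasOptions.put("clientId", str);
        try {
            return HttpRequestFormatterFactory.create(configurationUtils, new JaasOptionsUtils(jaasOptions));
        } catch (ConfigException e) {
            // Dropping the first "sasl.oauth" turns a "sasl.oauthbearer..." setting name in
            // the message into the "bearer..." name used by this client's configuration.
            String message = e.getMessage();
            String rewritten = message == null ? null : message.replaceFirst("sasl\\.oauth", "");
            ConfigException translated = new ConfigException(rewritten);
            // Keep the original exception so its stack trace is not lost.
            translated.initCause(e);
            throw translated;
        }
    }

    /** Creates the validator using the configured scope and subject claim names. */
    private AccessTokenValidator getTokenValidator(Map<String, ?> map) {
        return new LoginAccessTokenValidator(
                SchemaRegistryClientConfig.getBearerAuthScopeClaimName(map),
                SchemaRegistryClientConfig.getBearerAuthSubClaimName(map));
    }

    /**
     * Closes the underlying token retriever, if one was created.
     *
     * @throws IOException if the retriever fails to close
     */
    public void close() throws IOException {
        if (this.accessTokenRetriever != null) {
            this.accessTokenRetriever.close();
        }
    }
}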
