package io.confluent.common.security.jetty.initializer;

import io.confluent.common.security.auth.AlwaysForwardToLeader;
import io.confluent.common.security.auth.ImpersonationTokenProvider;
import io.confluent.common.security.auth.MtlsLeaderProxyFilter;
import io.confluent.common.security.metrics.MetricsContainer;
import io.confluent.common.security.util.AuthUtils;
import io.confluent.rest.RestConfig;
import io.confluent.rest.auth.AuthUtil;
import io.confluent.security.auth.client.rest.RestClient;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Consumer;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.ConfigException;
import org.eclipse.jetty.ee10.servlet.FilterHolder;
import org.eclipse.jetty.ee10.servlet.ServletContextHandler;
import org.eclipse.jetty.ee10.servlet.security.ConstraintSecurityHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/jetty/initializer/AuthenticationHandler.class */
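/**
 * Installs the authentication layer on a Jetty {@link ServletContextHandler}.
 *
 * <p>Usage is two-phase: {@link #configure(Map)} builds the {@link SecurityHandlerConfig} and,
 * when the settings permit, a {@link RestClient}; {@link #accept(ServletContextHandler)} then
 * attaches the {@link ConstraintSecurityHandler} and, only if a {@link RestClient} was created,
 * the {@link MtlsLeaderProxyFilter}. {@code configure} must run before {@code accept}.
 *
 * <p>Not thread-safe: the fields are assigned during configuration / handler creation and read
 * afterwards without synchronization.
 */
public class AuthenticationHandler implements Consumer<ServletContextHandler>, Configurable {
    /** RestConfig setting that this handler overrides unconditionally in {@link #configure(Map)}. */
    private static final String AUTHENTICATION_ROLES_PROP = "authentication.roles";
    /** Jetty's "any authenticated user" role wildcard: authentication is required, no specific role. */
    private static final String ANY_AUTHENTICATED_USER = "**";

    private static final Logger log = LoggerFactory.getLogger(AuthenticationHandler.class);

    // Populated by configure(); null until then.
    private SecurityHandlerConfig config;
    // Null when the RestClient could not be built from the settings (see createRestClient).
    private RestClient restClient;
    // Populated by createSecurityHandler() only when AUTH_JMX_ENABLED is true; otherwise null.
    private MetricsContainer metricsContainer;

    /**
     * Configuration keys for the authentication handler.
     *
     * <p>Security-relevant defaults: anonymous access is off, impersonation-token validation is
     * on, and the OAuth issuer / audience checks are only enforced when the corresponding
     * property is set (their defaults are {@code null}).
     */
    public static class SecurityHandlerConfig extends RestConfig {
        public static final String TOKEN_ISSUER_PROP = "token.issuer";
        public static final String TOKEN_ISSUER_DEFAULT = "Confluent";
        public static final String TOKEN_ISSUER_DOC = "An identifier for the token issuer.";

        /** Public key used to verify token signatures; RS256 only, so the key pair must be RSA. */
        public static final String TOKEN_PUBLIC_KEY_PATH_PROP = "public.key.path";
        public static final String TOKEN_PUBLIC_KEY_PATH_DOC = "Location of the PEM encoded public key to be used  by a loginService to verify Authentication Tokens. Since the token service only supports RS256 signatures  key pairs must be generated using the RSA algorithm.";

        public static final String SSL_PRINCIPAL_MAPPING_RULES_PROP = "auth.ssl.principal.mapping.rules";
        public static final String SSL_PRINCIPAL_MAPPING_RULES_DEFAULT = "DEFAULT";
        public static final String SSL_PRINCIPAL_MAPPING_RULES_DOC = "Rules to execute the conversion from the certificate SN into principal name";

        /** Default {@code false}: requests without credentials are challenged for BASIC auth. */
        public static final String ALLOW_ANONYMOUS_USER_PROP = "auth.allow.anonymous.user";
        public static final boolean ALLOW_ANONYMOUS_USER_DEFAULT = false;
        public static final String ALLOW_ANONYMOUS_USER_DOC = "Decide what to do when no credentials are provided. The default behaviour (false) is to request BASIC authorization.";

        /** Internal (undocumented) flag; off by default. */
        public static final String EXPOSE_INTERNAL_CONNECT_ENDPOINTS_CONFIG = "expose.internal.connect.endpoints";
        public static final boolean EXPOSE_INTERNAL_CONNECT_ENDPOINTS_DEFAULT = false;

        // Not referenced by this class; retained for compatibility.
        private static final String OAUTHBEARER_CONFIG_PREFIX = "oauthbearer";

        public static final boolean AUTH_JMX_ENABLED_DEFAULT = false;
        public static final boolean TOKEN_IMPERSONATION_VALIDATION_DEFAULT = true;

        public static final String OAUTHBEARER_JWKS_ENDPOINT_URL = "oauthbearer.jwks.endpoint.url";
        public static final String OAUTHBEARER_JWKS_ENDPOINT_URL_DOC = "The OAuth/OIDC provider URL from which the provider's <a href=\"https://datatracker.ietf.org/doc/html/rfc7517#section-5\">JWKS (JSON Web Key Set)</a> can be retrieved. The URL can be HTTP(S)-based. The fetched keys, will be cached on for incoming requests. If an authentication request is received for a JWT that includes a \"kid\" header claim value that isn't yet in the cache, the JWKS endpoint will be queried again on demand.";

        /** No default: the {@code iss} claim is only matched when this is configured. */
        public static final String OAUTHBEARER_EXPECTED_ISSUER = "oauthbearer.expected.issuer";
        public static final String OAUTHBEARER_EXPECTED_ISSUER_DOC = "This is required to assure that the JWT was created by the expected issuer. The JWT will be inspected for the standard OAuth \"iss\" claim and if this value is set, Server will match it exactly against what is in the JWT's \"iss\" claim. If there's no match, the broker will reject the JWT and authentication will fail.";

        /** No default: the {@code aud} claim is only matched when this list is configured. */
        public static final String OAUTHBEARER_EXPECTED_AUDIENCE = "oauthbearer.expected.audience";
        public static final String OAUTHBEARER_EXPECTED_AUDIENCE_DOC = "The (optional) comma-delimited setting for to use to verify that the JWT was issued for one of the expected audiences. The JWT will be inspected for the standard OAuth \"aud\" claim and if this value is set, the broker will match the value from JWT's \"aud\" claim to see if there is an exact match. If there is no match, the broker will reject the JWT and authentication will fail.";

        public static final String OAUTHBEARER_SUB_CLAIM_NAME = "oauthbearer.sub.claim.name";
        public static final String OAUTHBEARER_SUB_CLAIM_NAME_DOC = "The OAuth claim for the subject is often named `sub` but this is optional. This optional setting can provide a different name to use for the subject included in the JWT payload's claims if the OAuth/OIDC provider uses a different name for sub claim.";

        public static final String OAUTHBEARER_GROUPS_CLAIM_NAME = "oauthbearer.groups.claim.name";
        public static final String OAUTHBEARER_GROUPS_CLAIM_NAME_DOC = "This optional setting provides the name of claim to use for the groups in the JWT payload. If setting is not provided, groups of principal will be empty.";

        /** Presence-only check of {@code jti}; the value itself is not validated. */
        public static final String OAUTHBEARER_JTI_VALIDATION_ENABLED = "oauthbearer.jti.validation.enabled";
        public static final String OAUTHBEARER_JTI_VALIDATION_ENABLED_DOC = "Setting this flag true, would mandate the presence of `jti` (JWT ID) claim in the token.However, there is no validation on the value of this field";

        /** Presence-only check of {@code iat}; the value itself is not validated. */
        public static final String OAUTHBEARER_IAT_VALIDATION_ENABLED = "oauthbearer.iat.validation.enabled";
        public static final String OAUTHBEARER_IAT_VALIDATION_ENABLED_DOC = "Setting this flag true, would mandate the presence of `iat` (Issued At) claim in the token. However, there is no validation on the value of this field";

        public static final String AUTH_JMX_ENABLED = "rest.auth.jmx.enabled";
        public static final String AUTH_JMX_ENABLED_DOC = "This property enables authentication metricsfor configured authentication mechanism in AuthenticationHandler class. This includesBasic, Oauth, mTLS and Kerberos";

        /**
         * Default {@code true}: binds the presented client certificate subject to the
         * {@code cp_proxy} claim of the impersonation token. Disabling it removes that binding.
         */
        public static final String TOKEN_IMPERSONATION_VALIDATION = "token.impersonation.validation";
        public static final String TOKEN_IMPERSONATION_VALIDATION_DOC = "Indicates whether impersonation token validation should be enabled or not. If enabled, the handler will validate the incoming certificate subject with the cp_proxy claim in impersonation token.";

        // Same keys, types, defaults and importance as before; the constants above replace the
        // inlined literals so a key cannot drift from its accessor.
        private static final ConfigDef CONFIG = baseConfigDef()
                .define(TOKEN_PUBLIC_KEY_PATH_PROP, ConfigDef.Type.STRING, (Object) null,
                        ConfigDef.Importance.HIGH, TOKEN_PUBLIC_KEY_PATH_DOC)
                .define(TOKEN_ISSUER_PROP, ConfigDef.Type.STRING, TOKEN_ISSUER_DEFAULT,
                        ConfigDef.Importance.HIGH, TOKEN_ISSUER_DOC)
                .define(SSL_PRINCIPAL_MAPPING_RULES_PROP, ConfigDef.Type.STRING,
                        SSL_PRINCIPAL_MAPPING_RULES_DEFAULT, ConfigDef.Importance.MEDIUM,
                        SSL_PRINCIPAL_MAPPING_RULES_DOC)
                .define(ALLOW_ANONYMOUS_USER_PROP, ConfigDef.Type.BOOLEAN,
                        ALLOW_ANONYMOUS_USER_DEFAULT, ConfigDef.Importance.MEDIUM,
                        ALLOW_ANONYMOUS_USER_DOC)
                .defineInternal(EXPOSE_INTERNAL_CONNECT_ENDPOINTS_CONFIG, ConfigDef.Type.BOOLEAN,
                        EXPOSE_INTERNAL_CONNECT_ENDPOINTS_DEFAULT, ConfigDef.Importance.LOW)
                .define(OAUTHBEARER_JWKS_ENDPOINT_URL, ConfigDef.Type.STRING, (Object) null,
                        ConfigDef.Importance.LOW, OAUTHBEARER_JWKS_ENDPOINT_URL_DOC)
                .define(OAUTHBEARER_EXPECTED_ISSUER, ConfigDef.Type.STRING, (Object) null,
                        ConfigDef.Importance.LOW, OAUTHBEARER_EXPECTED_ISSUER_DOC)
                .define(OAUTHBEARER_EXPECTED_AUDIENCE, ConfigDef.Type.LIST, (Object) null,
                        ConfigDef.Importance.LOW, OAUTHBEARER_EXPECTED_AUDIENCE_DOC)
                .define(OAUTHBEARER_SUB_CLAIM_NAME, ConfigDef.Type.STRING, "sub",
                        ConfigDef.Importance.LOW, OAUTHBEARER_SUB_CLAIM_NAME_DOC)
                .define(OAUTHBEARER_GROUPS_CLAIM_NAME, ConfigDef.Type.STRING, (Object) null,
                        ConfigDef.Importance.LOW, OAUTHBEARER_GROUPS_CLAIM_NAME_DOC)
                .define(OAUTHBEARER_JTI_VALIDATION_ENABLED, ConfigDef.Type.BOOLEAN, false,
                        ConfigDef.Importance.LOW, OAUTHBEARER_JTI_VALIDATION_ENABLED_DOC)
                .define(OAUTHBEARER_IAT_VALIDATION_ENABLED, ConfigDef.Type.BOOLEAN, false,
                        ConfigDef.Importance.LOW, OAUTHBEARER_IAT_VALIDATION_ENABLED_DOC)
                .define(AUTH_JMX_ENABLED, ConfigDef.Type.BOOLEAN, AUTH_JMX_ENABLED_DEFAULT,
                        ConfigDef.Importance.LOW, AUTH_JMX_ENABLED_DOC)
                .define(TOKEN_IMPERSONATION_VALIDATION, ConfigDef.Type.BOOLEAN,
                        TOKEN_IMPERSONATION_VALIDATION_DEFAULT, ConfigDef.Importance.LOW,
                        TOKEN_IMPERSONATION_VALIDATION_DOC);

        /**
         * Creates the config, validating {@code map} against {@link #CONFIG}.
         *
         * @param map raw settings
         */
        public SecurityHandlerConfig(Map<String, ?> map) {
            super(CONFIG, map);
        }

        /** @return whether requests without credentials are accepted instead of being challenged */
        public boolean allowAnonymousUser() {
            return getBoolean(ALLOW_ANONYMOUS_USER_PROP);
        }

        /** @return the value of the internal {@code expose.internal.connect.endpoints} flag */
        public boolean exposeInternalConnectEndpoints() {
            return getBoolean(EXPOSE_INTERNAL_CONNECT_ENDPOINTS_CONFIG);
        }
    }

    /**
     * Builds the configuration and, best-effort, the metadata-service {@link RestClient}.
     *
     * <p>The caller's map is not modified: it is copied and {@code authentication.roles} is
     * forced to {@code **} in the copy, so the Jetty constraint only requires that the caller is
     * authenticated — any role-based authorization presumably happens elsewhere.
     *
     * @param map raw settings; read but never written
     * @throws ConfigException if the settings are rejected by {@link SecurityHandlerConfig}
     */
    @Override
    public void configure(Map<String, ?> map) {
        // Copy first: the caller may have passed an unmodifiable map, and overriding a key
        // in the caller's own map is a side effect it did not ask for.
        Map<String, Object> settings = new HashMap<>(map);
        settings.put(AUTHENTICATION_ROLES_PROP, ANY_AUTHENTICATED_USER);
        this.config = new SecurityHandlerConfig(settings);
        this.restClient = createRestClient(settings);
    }

    /**
     * Attaches the security handler and, when a {@link RestClient} is available, the mTLS
     * leader-proxy filter to {@code servletContextHandler}. Requires a prior
     * {@link #configure(Map)}.
     *
     * @param servletContextHandler the context to secure
     */
    @Override
    public void accept(ServletContextHandler servletContextHandler) {
        servletContextHandler.setSecurityHandler(createSecurityHandler());
        maybeAddMtlsProxyFilter(servletContextHandler);
    }

    /**
     * Registers {@link MtlsLeaderProxyFilter} on every path when a {@link RestClient} exists.
     * The filter forwards to the leader ({@link AlwaysForwardToLeader}) and attaches an
     * impersonation token obtained through {@link ImpersonationTokenProvider}.
     */
    private void maybeAddMtlsProxyFilter(ServletContextHandler servletContextHandler) {
        if (this.restClient == null) {
            log.debug("MtlsProxyFilter configuration skipped, as no metadata service url found");
            return;
        }
        log.debug("Adding MtlsProxyFilter for adding Authorization Header");
        FilterHolder holder = new FilterHolder(new MtlsLeaderProxyFilter(
                new AlwaysForwardToLeader(), new ImpersonationTokenProvider(this.restClient)));
        // Null dispatcher set: Jetty applies its default dispatch types — confirm if the filter
        // must also cover FORWARD/ERROR dispatches.
        servletContextHandler.addFilter(holder, "/*", (EnumSet) null);
    }

    /**
     * Builds the {@link ConstraintSecurityHandler}: composite authenticator, composite login
     * service and the constraint mappings for paths that are exempt from authentication.
     *
     * <p>Side effect: when {@link SecurityHandlerConfig#AUTH_JMX_ENABLED} is set, this creates
     * the {@link MetricsContainer} exposed by {@link #getMetricsContainer()}.
     *
     * @return the configured handler
     */
    protected ConstraintSecurityHandler createSecurityHandler() {
        // Metrics are opt-in; when disabled, metricsContainer stays null and is passed as such to
        // the login service (assumed to tolerate null — confirm in AuthUtils).
        if (this.config.getBoolean(SecurityHandlerConfig.AUTH_JMX_ENABLED)) {
            this.metricsContainer = new MetricsContainer(this.config);
        }
        ConstraintSecurityHandler handler = AuthUtils.getOAuthSecurityHandler(this.config);
        handler.setAuthenticator(AuthUtils.createCompositeAuthenticator(this.config));
        handler.setLoginService(AuthUtils.getCompositeLoginService(this.config, this.metricsContainer, log));
        // Every mapping added here is reachable without authentication; keep that set minimal.
        var unsecuredConstraints = AuthUtil.createUnsecuredConstraints(this.config);
        unsecuredConstraints.forEach(handler::addConstraintMapping);
        return handler;
    }

    /**
     * Best-effort construction of the metadata-service client.
     *
     * @param map settings the client is built from
     * @return the client, or {@code null} when {@link RestClient} rejects the settings with a
     *     {@link ConfigException} (presumably when no metadata-service URL is configured); the
     *     cause is logged at debug level only
     */
    protected RestClient createRestClient(Map<String, ?> map) {
        try {
            return new RestClient(map);
        } catch (ConfigException e) {
            log.debug("Not configuring RestClient", e);
            return null;
        }
    }

    /** @return the config built by {@link #configure(Map)}, or {@code null} before it ran */
    public SecurityHandlerConfig getConfig() {
        return this.config;
    }

    /**
     * @return the metrics container, or {@code null} if JMX metrics are disabled or
     *     {@link #createSecurityHandler()} has not run yet
     */
    public MetricsContainer getMetricsContainer() {
        return this.metricsContainer;
    }
}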
