package io.confluent.common.security.jetty;

import io.confluent.common.security.auth.CertificatePrincipal;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.BiPredicate;
import java.util.function.Function;
import javax.security.auth.login.LoginException;
import org.apache.commons.lang3.StringUtils;
import org.eclipse.jetty.security.AbstractLoginService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.RolePrincipal;
import org.eclipse.jetty.security.UserIdentity;
import org.eclipse.jetty.security.UserPrincipal;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Session;
import org.eclipse.jetty.util.component.LifeCycle;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/jetty/CompositeLoginService.class */
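/**
 * Jetty {@link LoginService} that routes each login to one of two delegates by credential type:
 * an {@link X509Certificate} credential goes to the certificate service, anything else to the
 * HTTP service. Before an OAuth request is delegated, the bearer token is parsed (without
 * signature verification) to look for a {@code cp_proxy} impersonation claim; when impersonation
 * validation and client authentication are both enabled, the proxy principal named by that claim
 * must equal the subject DN of a certificate presented on the TLS connection.
 *
 * <p>Lifecycle start/stop and the identity service are propagated to both delegates. Validation
 * and logout are routed by whether the identity carries a {@link CertificatePrincipal}.
 */
public class CompositeLoginService extends AbstractLoginService {
    private static final Logger log = LoggerFactory.getLogger(CompositeLoginService.class);

    /** JWT claim naming the proxy principal on whose behalf an impersonation token is presented. */
    private static final String PROXY_CLAIM = "cp_proxy";

    /** Request attribute holding the peer certificate chain as an {@code X509Certificate[]}. */
    private static final String PEER_CERTIFICATES_ATTRIBUTE = "jakarta.servlet.request.X509Certificate";

    private final LoginService http;
    private final LoginService x509;
    // Parses claims only; signature verification and claim validation are deliberately skipped
    // here, so nothing read through this consumer may be treated as trusted on its own.
    private final JwtConsumer jwtConsumer;
    // Gates for the impersonation check; both must be true for validateImpersonationIdentity to run.
    private boolean isClientAuthRequired;
    private boolean isImpersonationTokenValidationEnabled;

    /**
     * Creates a composite service with impersonation validation disabled.
     *
     * @param loginService  delegate for non-certificate (HTTP / bearer) credentials
     * @param loginService2 delegate for {@link X509Certificate} credentials
     * @throws NullPointerException if either delegate is {@code null}
     */
    public CompositeLoginService(LoginService loginService, LoginService loginService2) {
        this.isClientAuthRequired = false;
        this.isImpersonationTokenValidationEnabled = false;
        this.http = Objects.requireNonNull(loginService, "loginService");
        this.x509 = Objects.requireNonNull(loginService2, "loginService2");
        this.jwtConsumer = new JwtConsumerBuilder()
                .setSkipSignatureVerification()
                .setDisableRequireSignature()
                .setSkipAllValidators()
                .build();
        // Call the superclass directly: the override below would forward the null to both
        // delegates, which is not wanted during construction.
        super.setIdentityService((IdentityService) null);
    }

    /**
     * Creates a composite service and configures the impersonation check.
     *
     * @param loginService                        delegate for non-certificate credentials
     * @param loginService2                       delegate for certificate credentials
     * @param clientAuthRequired                  whether TLS client authentication is required
     * @param impersonationTokenValidationEnabled whether {@code cp_proxy} tokens are validated
     *                                            against the client certificate
     * @throws NullPointerException if either delegate is {@code null}
     */
    public CompositeLoginService(LoginService loginService, LoginService loginService2,
                                 boolean clientAuthRequired, boolean impersonationTokenValidationEnabled) {
        this(loginService, loginService2);
        this.isClientAuthRequired = clientAuthRequired;
        this.isImpersonationTokenValidationEnabled = impersonationTokenValidationEnabled;
        // Warn at startup when the check is effectively off, since login() will then pass
        // impersonation tokens straight through to the HTTP delegate.
        if (!this.isImpersonationTokenValidationEnabled) {
            log.warn("Skipping impersonation identity validation as impersonation token validation is disabled. Configure 'token.impersonation.validation' to 'true' to enable it.");
        } else if (!this.isClientAuthRequired) {
            log.warn("Skipping impersonation identity validation as client auth is not set. Configure 'ssl.client.authentication' to enhance security.");
        }
    }

    /**
     * Routes the login to the certificate delegate for {@link X509Certificate} credentials and to
     * the HTTP delegate otherwise. For OAuth requests carrying a {@code cp_proxy} claim the
     * impersonation check runs first (when enabled).
     *
     * @param username           login name passed through to the delegate
     * @param credentials        an {@link X509Certificate} or the HTTP credential (bearer token
     *                           as a {@link String} for OAuth requests)
     * @param request            the current request
     * @param getOrCreateSession session accessor passed through to the delegate
     * @return the identity produced by the chosen delegate
     * @throws RuntimeException wrapping a {@link LoginException} when the impersonation check fails
     */
    @Override
    public UserIdentity login(String username, Object credentials, Request request,
                              Function<Boolean, Session> getOrCreateSession) {
        if (credentials instanceof X509Certificate) {
            log.debug("Credentials provided as X509 certificate, processing to the certificate authorization");
            return this.x509.login(username, credentials, request, getOrCreateSession);
        }
        log.debug("Processing to the HTTP authorization");
        if (isOAuthRequest(request)) {
            JwtClaims claims = parseJwtToken(credentials);
            if (claims != null && claims.hasClaim(PROXY_CLAIM)) {
                checkImpersonationClaim(claims, request);
            }
        }
        return this.http.login(username, credentials, request, getOrCreateSession);
    }

    /**
     * Extracts the proxy principal from an unverified {@code cp_proxy} claim and, if both gates
     * are enabled, binds it to the client certificate on the request.
     */
    private void checkImpersonationClaim(JwtClaims claims, Request request) {
        Object proxyClaim = claims.getClaimValue(PROXY_CLAIM);
        if (!(proxyClaim instanceof String)) {
            // The claim comes from a token whose signature has not been checked yet, so its type
            // is caller-controlled; a non-string value cannot name a principal and is rejected
            // rather than silently skipped.
            throw new IllegalArgumentException("Impersonation claim '" + PROXY_CLAIM + "' is not a string");
        }
        String proxyPrincipal = (String) proxyClaim;
        log.debug("Impersonation token detected, trying to validate it for proxy : {}", proxyPrincipal);
        if (this.isImpersonationTokenValidationEnabled && this.isClientAuthRequired) {
            try {
                validateImpersonationIdentity(proxyPrincipal, request);
            } catch (Exception e) {
                // LoginService.login declares no checked exceptions; keep the cause attached.
                throw new RuntimeException(e);
            }
        }
    }

    /** True when the authenticator flagged this request for the JWT login path. */
    private boolean isOAuthRequest(Request request) {
        Object attribute = request.getAttribute(OAuthOrBasicAuthenticator.USE_JWT_LOGIN_SERVICE);
        return (attribute instanceof Boolean) && ((Boolean) attribute).booleanValue();
    }

    /**
     * Parses the credential as a JWT and returns its claims, or {@code null} if it cannot be
     * parsed. The claims are <em>not</em> verified here; the HTTP delegate is responsible for
     * rejecting tokens with an invalid signature.
     *
     * @param credentials expected to be the compact-serialised token as a {@link String}
     * @return the parsed claims, or {@code null} on any parse/cast failure
     */
    private JwtClaims parseJwtToken(Object credentials) {
        try {
            return this.jwtConsumer.processToClaims((String) credentials);
        } catch (Exception e) {
            // Broad catch on purpose: covers the jose4j parse exception and a ClassCastException
            // for non-string credentials. The exception is not logged; jose4j messages can echo
            // token content. NOTE(review): this fires at ERROR for any malformed token an
            // unauthenticated client sends — consider a lower level.
            log.error("Found an invalid JWT token, letting the underlying login service handle it.");
            return null;
        }
    }

    /**
     * Checks that {@code proxyPrincipal} equals the subject DN (RFC 2253 form from
     * {@link javax.security.auth.x500.X500Principal#getName()}) of a certificate in the request's
     * peer-certificate attribute. The comparison is an exact string match, so the claim value
     * must use that same canonical form.
     *
     * <p>NOTE(review): when no certificate attribute is present the method warns and returns
     * without failing the login. With client auth required the TLS handshake should guarantee a
     * certificate, but a request arriving over a connector without client auth would pass this
     * check unvalidated — confirm against the connector configuration. Every certificate in the
     * attribute is considered, not only the end-entity one; presumably the attribute holds the
     * peer chain — verify whether matching should be limited to element 0.
     *
     * @param proxyPrincipal principal named by the {@code cp_proxy} claim
     * @param request        request carrying the peer certificates
     * @throws LoginException if certificates are present but none matches
     */
    public void validateImpersonationIdentity(String proxyPrincipal, Request request) throws Exception {
        Object attribute = request.getAttribute(PEER_CERTIFICATES_ATTRIBUTE);
        if (!(attribute instanceof X509Certificate[]) || ((X509Certificate[]) attribute).length == 0) {
            log.warn("Certificate(s) couldn't be found to validate impersonation token");
            return;
        }
        X509Certificate[] chain = (X509Certificate[]) attribute;
        X509Certificate matched = Arrays.stream(chain)
                .filter(certificate -> matchesProxyPrincipal(certificate, proxyPrincipal))
                .findFirst()
                .orElseThrow(() -> new LoginException(
                        "Impersonation token validation failed. None of the certificate principal matches the proxy principal : " + proxyPrincipal));
        log.debug("Impersonation token validation successful. Certificate principal : {}, matches the proxy principal : {}",
                matched.getSubjectX500Principal().getName(), proxyPrincipal);
    }

    /** True when the certificate's subject DN is non-empty and exactly equals the proxy principal. */
    private static boolean matchesProxyPrincipal(X509Certificate certificate, String proxyPrincipal) {
        String subject = certificate.getSubjectX500Principal().getName();
        if (StringUtils.isEmpty(subject) || !subject.equals(proxyPrincipal)) {
            return false;
        }
        log.debug("Impersonation token validated successfully using the certificate");
        return true;
    }

    /**
     * Validates the identity with the delegate that produced it, chosen by the presence of a
     * {@link CertificatePrincipal} in the subject.
     */
    @Override
    public boolean validate(UserIdentity userIdentity) {
        if (userIdentity.getSubject().getPrincipals(CertificatePrincipal.class).isEmpty()) {
            log.debug("Processing to the HTTP validation");
            return this.http.validate(userIdentity);
        }
        log.debug("Claimed identity contains certificate principal, processing to the certificate validation");
        return this.x509.validate(userIdentity);
    }

    /** Logs the identity out of the delegate that produced it (same routing as {@link #validate}). */
    @Override
    public void logout(UserIdentity userIdentity) {
        if (userIdentity.getSubject().getPrincipals(CertificatePrincipal.class).isEmpty()) {
            this.http.logout(userIdentity);
        } else {
            this.x509.logout(userIdentity);
        }
    }

    /** Propagates the identity service to both delegates and to this service. */
    @Override
    public void setIdentityService(IdentityService identityService) {
        this.x509.setIdentityService(identityService);
        this.http.setIdentityService(identityService);
        super.setIdentityService(identityService);
    }

    /** Not supported: user lookup is performed by the delegates. */
    @Override
    protected UserPrincipal loadUserInfo(String username) {
        throw new UnsupportedOperationException("loadUserInfo");
    }

    /** Not supported: role lookup is performed by the delegates. */
    @Override
    protected List<RolePrincipal> loadRoleInfo(UserPrincipal userPrincipal) {
        throw new UnsupportedOperationException("loadRoleInfo");
    }

    /** Starts the HTTP delegate, then the certificate delegate, where each is a {@link LifeCycle}. */
    @Override
    protected void doStart() throws Exception {
        // LoginService itself is not assumed to be a LifeCycle, hence the instanceof guard and cast.
        if (this.http instanceof LifeCycle) {
            ((LifeCycle) this.http).start();
        }
        if (this.x509 instanceof LifeCycle) {
            ((LifeCycle) this.x509).start();
        }
        super.doStart();
    }

    /** Stops the delegates in reverse start order, then this service. */
    @Override
    protected void doStop() throws Exception {
        if (this.x509 instanceof LifeCycle) {
            ((LifeCycle) this.x509).stop();
        }
        if (this.http instanceof LifeCycle) {
            ((LifeCycle) this.http).stop();
        }
        super.doStop();
    }
}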
