package io.confluent.common.security.util;

import io.confluent.common.security.jetty.CertificateAuthenticator;
import io.confluent.common.security.jetty.CertificateLoginService;
import io.confluent.common.security.jetty.CompositeAuthenticator;
import io.confluent.common.security.jetty.CompositeLoginService;
import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.JwtWithFallbackLoginService;
import io.confluent.common.security.jetty.MdsBasicLoginService;
import io.confluent.common.security.jetty.MultiJwtLoginService;
import io.confluent.common.security.jetty.MultiJwtWithFallbackLoginService;
import io.confluent.common.security.jetty.OAuthOrBasicAuthenticator;
import io.confluent.common.security.jetty.initializer.AuthenticationHandler;
import io.confluent.common.security.jetty.initializer.ConnectConstraintSecurityHandler;
import io.confluent.common.security.metrics.MetricsContainer;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import io.confluent.rest.SslFactory;
import io.confluent.rest.auth.AuthUtil;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;
import org.eclipse.jetty.ee10.servlet.security.ConstraintMapping;
import org.eclipse.jetty.ee10.servlet.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.UserIdentity;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/util/AuthUtils.class */
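/**
 * Static helpers that assemble the Jetty {@link LoginService}s, {@link Authenticator}s and
 * {@link ConstraintSecurityHandler} used by the REST security layer from an
 * {@link AuthenticationHandler.SecurityHandlerConfig}.
 *
 * <p>Three credential types are wired here: Confluent-issued JWTs (verified against the key file at
 * {@code public.key.path}), IDP-issued JWTs (verified against the configured JWKS endpoint) and TLS
 * client certificates (mapped to principals with {@code auth.ssl.principal.mapping.rules}).
 * Username/password ("basic") credentials are delegated to {@link MdsBasicLoginService} and are
 * only attached as a fallback behind one of the JWT services.
 *
 * <p>This is decompiled code; local names and documentation were reconstructed from what the
 * call sites show, not from the original source.
 */
public class AuthUtils {
    private static final Logger log = LoggerFactory.getLogger(AuthUtils.class);

    // Configuration keys read directly by this class. The OAUTHBEARER_* keys are referenced
    // through AuthenticationHandler.SecurityHandlerConfig, where they are declared.
    private static final String AUTHENTICATION_REALM = "authentication.realm";
    private static final String PUBLIC_KEY_PATH = "public.key.path";
    private static final String TOKEN_ISSUER = "token.issuer";
    private static final String SSL_PRINCIPAL_MAPPING_RULES = "auth.ssl.principal.mapping.rules";
    private static final String SSL_CLIENT_AUTHENTICATION = "ssl.client.authentication";
    private static final String SSL_ENDPOINT_IDENTIFICATION_ALGORITHM = "ssl.endpoint.identification.algorithm";
    /** The only {@code ssl.client.authentication} value that disables certificate login. */
    private static final String CLIENT_AUTH_NONE = "NONE";
    // Keys of the claim-option map handed to JwtAuthenticator.
    private static final String JTI_REQUIRED = "jtiRequired";
    private static final String IAT_REQUIRED = "iatRequired";

    /**
     * Factory indirection for {@link MdsBasicLoginService}. The decompiler reports the class was
     * originally package-private; the access level shown here is what the bytecode carries.
     */
    public static class MdsBasicLoginServiceProxy {
        MdsBasicLoginServiceProxy() {
        }

        /**
         * Builds the MDS basic login service without a metrics container.
         *
         * @param securityHandlerConfig source of the client configuration and realm name
         * @return a new {@link MdsBasicLoginService}
         */
        public static MdsBasicLoginService getMdsBasicLoginService(
                AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
            return getMdsBasicLoginService(securityHandlerConfig, null);
        }

        /**
         * Builds the MDS basic login service for the configured realm.
         *
         * @param securityHandlerConfig source of {@code originals()} and {@code authentication.realm}
         * @param metricsContainer metrics sink; may be {@code null} and is passed through as-is
         * @return a new {@link MdsBasicLoginService}
         */
        public static MdsBasicLoginService getMdsBasicLoginService(
                AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig,
                MetricsContainer metricsContainer) {
            String realm = securityHandlerConfig.getString(AUTHENTICATION_REALM);
            return new MdsBasicLoginService(securityHandlerConfig.originals(), realm)
                    .withMetricsContainer(metricsContainer);
        }
    }

    /**
     * Creates the authenticator that accepts OAuth bearer tokens, basic credentials or client
     * certificates, using a default {@link BasicAuthenticator} for the basic branch.
     *
     * @param securityHandlerConfig supplies {@code allowAnonymousUser()}; when true, requests
     *        without credentials are let through rather than challenged
     * @return the composite authenticator
     */
    public static LoginAuthenticator createCompositeAuthenticator(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        return new CompositeAuthenticator(
                new OAuthOrBasicAuthenticator(),
                new CertificateAuthenticator(),
                securityHandlerConfig.allowAnonymousUser());
    }

    /**
     * Same as {@link #createCompositeAuthenticator(AuthenticationHandler.SecurityHandlerConfig)}
     * but with a caller-supplied {@link BasicAuthenticator} for the basic branch.
     *
     * @param securityHandlerConfig supplies {@code allowAnonymousUser()}
     * @param basicAuthenticator authenticator used for username/password credentials
     * @return the composite authenticator
     */
    public static LoginAuthenticator createCompositeAuthenticator(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig,
            BasicAuthenticator basicAuthenticator) {
        return new CompositeAuthenticator(
                new OAuthOrBasicAuthenticator(basicAuthenticator),
                new CertificateAuthenticator(),
                securityHandlerConfig.allowAnonymousUser());
    }

    /**
     * Builds the security handler that enforces the global authentication constraint.
     *
     * <p>The constraint and its roles come from {@link AuthUtil#createGlobalAuthConstraint}; the
     * roles are logged at debug level so an operator can confirm what is actually enforced.
     *
     * @param securityHandlerConfig supplies the realm name and the internal-endpoint switch
     * @return a configured, not yet started, {@link ConstraintSecurityHandler}
     */
    public static ConstraintSecurityHandler getOAuthSecurityHandler(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        String realm = securityHandlerConfig.getString(AUTHENTICATION_REALM);
        ConstraintSecurityHandler securityHandler = conditionalConstraintSecurityHandler(securityHandlerConfig);
        securityHandler.setRealmName(realm);

        ConstraintMapping globalConstraint = AuthUtil.createGlobalAuthConstraint(securityHandlerConfig);
        log.debug("Configured Jetty authentication roles: {}",
                String.join(",", globalConstraint.getConstraint().getRoles()));
        securityHandler.addConstraintMapping(globalConstraint);
        securityHandler.setIdentityService(new DefaultIdentityService());
        return securityHandler;
    }

    /**
     * Picks the Connect-specific handler when internal Connect endpoints are exposed, otherwise
     * the plain Jetty handler.
     */
    private static ConstraintSecurityHandler conditionalConstraintSecurityHandler(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        if (securityHandlerConfig.exposeInternalConnectEndpoints()) {
            return new ConnectConstraintSecurityHandler();
        }
        return new ConstraintSecurityHandler();
    }

    /**
     * Creates the certificate (mTLS) login service without a metrics container.
     *
     * @param securityHandlerConfig supplies the principal mapping rules
     * @return a {@link CertificateLoginService}
     */
    public static LoginService createX509LoginService(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        return createX509LoginService(securityHandlerConfig, null);
    }

    /**
     * Creates the certificate (mTLS) login service. Certificate subjects are translated to
     * principals by the {@link SslPrincipalMapper} built from
     * {@code auth.ssl.principal.mapping.rules}.
     *
     * @param securityHandlerConfig supplies the principal mapping rules
     * @param metricsContainer metrics sink; skipped when {@code null}
     * @return a {@link CertificateLoginService}
     */
    public static LoginService createX509LoginService(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig,
            MetricsContainer metricsContainer) {
        CertificateLoginService loginService = new CertificateLoginService();
        loginService.setSslPrincipalMapper(createSslPrincipalMapper(securityHandlerConfig));
        if (metricsContainer != null) {
            loginService.withMetricsContainer(metricsContainer);
        }
        return loginService;
    }

    /**
     * Parses {@code auth.ssl.principal.mapping.rules} into an {@link SslPrincipalMapper}.
     *
     * @param securityHandlerConfig source of the rules string
     * @return the mapper
     */
    public static SslPrincipalMapper createSslPrincipalMapper(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        return SslPrincipalMapper.fromRules(securityHandlerConfig.getString(SSL_PRINCIPAL_MAPPING_RULES));
    }

    /**
     * Reports whether TLS client authentication is configured, i.e. whether certificate login is a
     * possible credential source.
     *
     * @param securityHandlerConfig source of {@code ssl.client.authentication}
     * @return {@code true} unless the value is exactly {@code "NONE"}
     * @throws NullPointerException if the key is unset; this is deliberately not mapped to a
     *         default so a missing setting fails loudly rather than silently enabling or
     *         disabling certificate login
     */
    public static boolean isClientAuthEnabled(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        return !securityHandlerConfig.getString(SSL_CLIENT_AUTHENTICATION).equals(CLIENT_AUTH_NONE);
    }

    /**
     * Reports whether impersonation tokens are validated
     * ({@link AuthenticationHandler.SecurityHandlerConfig#TOKEN_IMPERSONATION_VALIDATION}).
     *
     * @param securityHandlerConfig source of the flag
     * @return the configured boolean (unboxed; a {@code null} value raises {@link NullPointerException})
     */
    public static boolean impersonationTokenValidation(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        return securityHandlerConfig.getBoolean(
                AuthenticationHandler.SecurityHandlerConfig.TOKEN_IMPERSONATION_VALIDATION);
    }

    /**
     * Convenience entry point for
     * {@link MdsBasicLoginServiceProxy#getMdsBasicLoginService(AuthenticationHandler.SecurityHandlerConfig)}.
     */
    public static MdsBasicLoginService getMdsBasicLoginService(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        return MdsBasicLoginServiceProxy.getMdsBasicLoginService(securityHandlerConfig);
    }

    /**
     * Convenience entry point for
     * {@link MdsBasicLoginServiceProxy#getMdsBasicLoginService(AuthenticationHandler.SecurityHandlerConfig, MetricsContainer)}.
     */
    public static MdsBasicLoginService getMdsBasicLoginService(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig,
            MetricsContainer metricsContainer) {
        return MdsBasicLoginServiceProxy.getMdsBasicLoginService(securityHandlerConfig, metricsContainer);
    }

    /**
     * Creates the login service for Confluent-issued JWTs, verified with the public key file.
     *
     * @param realm realm name
     * @param issuer expected token issuer ({@code token.issuer}); also passed to the metrics hook
     * @param publicKeyPath path of the verification key ({@code public.key.path})
     * @param metricsContainer metrics sink
     * @return the login service
     */
    public static JwtLoginService getConfluentJwtLoginService(
            String realm, String issuer, String publicKeyPath, MetricsContainer metricsContainer) {
        // The fourth constructor argument is always the empty string here; its meaning is not
        // recoverable from this class.
        return new JwtLoginService(realm, issuer, publicKeyPath, "")
                .withMetricsContainer(metricsContainer, issuer);
    }

    /**
     * Creates the login service for IDP-issued JWTs, verified against the configured JWKS endpoint.
     *
     * <p>The JWKS fetch uses an {@code SslContextFactory} built from the base SSL config only when a
     * truststore path is configured; otherwise {@code null} is passed and the key resolver falls
     * back to whatever default it applies (not visible here). Claim checks (jti/iat) come from
     * {@link #getClaimOptions}.
     *
     * @param realm realm name
     * @param expectedIssuer issuer the token's {@code iss} must match
     * @param expectedAudience accepted values for the token's {@code aud}
     * @param subClaimName claim holding the principal name
     * @param groupsClaimName claim holding group membership
     * @param securityHandlerConfig supplies JWKS URL, hostname-verification algorithm and SSL config
     * @param metricsContainer metrics sink
     * @return the login service
     */
    public static JwtLoginService getIdpJwtLoginService(
            String realm, String expectedIssuer, List<String> expectedAudience,
            String subClaimName, String groupsClaimName,
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig,
            MetricsContainer metricsContainer) {
        var sslConfig = securityHandlerConfig.getBaseSslConfig();
        // Only build a custom SSL context when a truststore is configured.
        var sslContextFactory = StringUtils.isBlank(sslConfig.getTrustStorePath())
                ? null
                : SslFactory.createSslContextFactory(sslConfig);
        var keyResolver = JwtUtils.getJwtKeyResolver(
                Utils.getBaseString(
                        AuthenticationHandler.SecurityHandlerConfig.OAUTHBEARER_JWKS_ENDPOINT_URL,
                        securityHandlerConfig),
                Utils.getBaseString(SSL_ENDPOINT_IDENTIFICATION_ALGORITHM, securityHandlerConfig),
                sslContextFactory);
        JwtAuthenticator jwtAuthenticator = new JwtAuthenticator(
                expectedIssuer, keyResolver, expectedAudience, getClaimOptions(securityHandlerConfig));
        return new JwtLoginService(realm, jwtAuthenticator, subClaimName, groupsClaimName)
                .withMetricsContainer(metricsContainer);
    }

    /**
     * Returns a {@link BasicAuthenticator} whose {@code login} delegates directly to the configured
     * {@link LoginService}, for callers that drive authentication outside Jetty's handler chain.
     *
     * <p>The session supplier handed to the login service is the request's own
     * {@code getSession(boolean)}; the decompiled form rendered this method reference as an
     * undefined {@code r4}, which is restored here.
     *
     * @return the authenticator; it still needs a configuration, see
     *         {@link #configureAuthenticatorForNonJettyUsage}
     */
    public static BasicAuthenticator getBasicAuthenticatorForNonJettyUsage() {
        return new BasicAuthenticator() {
            public UserIdentity login(String username, Object password, Request request, Response response) {
                return this._loginService.login(username, password, request, request::getSession);
            }
        };
    }

    /**
     * Combines the HTTP (JWT, optionally with basic fallback) login service with the certificate
     * login service.
     *
     * <p>If no HTTP login service can be built (neither Confluent nor IDP OAuth is configured) a
     * warning is logged and only the certificate service is returned, so bearer tokens and basic
     * credentials will not be accepted in that configuration.
     *
     * @param securityHandlerConfig source of all login configuration
     * @param metricsContainer metrics sink
     * @param logger logger for configuration diagnostics
     * @return the composite service, or the certificate service alone
     */
    public static LoginService getCompositeLoginService(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig,
            MetricsContainer metricsContainer, Logger logger) {
        LoginService httpLoginService = createHttpLoginService(securityHandlerConfig, metricsContainer, logger);
        LoginService x509LoginService = createX509LoginService(securityHandlerConfig, metricsContainer);
        if (httpLoginService == null) {
            logger.warn("Http login service not configured, defaulting to x509 login service");
            return x509LoginService;
        }
        return new CompositeLoginService(
                httpLoginService,
                x509LoginService,
                isClientAuthEnabled(securityHandlerConfig),
                impersonationTokenValidation(securityHandlerConfig));
    }

    /**
     * Attaches a minimal {@link Authenticator.Configuration} to an authenticator used outside
     * Jetty's security handler, starting the login service first when it is a lifecycle component.
     *
     * <p>The configuration exposes no init parameters: {@code getParameter} and
     * {@code getParameterNames} throw {@link UnsupportedOperationException}. Sessions are neither
     * renewed on authentication nor given a max-inactive interval.
     *
     * @param authenticator authenticator to configure
     * @param realmName realm reported by the configuration
     * @param loginService login service the authenticator delegates to; receives a
     *        {@link DefaultIdentityService}
     * @throws IllegalStateException if starting the login service fails (cause preserved)
     */
    public static void configureAuthenticatorForNonJettyUsage(
            Authenticator authenticator, String realmName, LoginService loginService) {
        loginService.setIdentityService(new DefaultIdentityService());
        if (loginService instanceof AbstractLifeCycle lifeCycle) {
            try {
                lifeCycle.start();
            } catch (Exception e) {
                throw new IllegalStateException("Failed to start login service", e);
            }
        }
        authenticator.setConfiguration(new Authenticator.Configuration() {
            public String getAuthenticationType() {
                return authenticator.getAuthenticationType();
            }

            public String getRealmName() {
                return realmName;
            }

            public String getParameter(String name) {
                throw new UnsupportedOperationException();
            }

            public Set<String> getParameterNames() {
                throw new UnsupportedOperationException();
            }

            public LoginService getLoginService() {
                return loginService;
            }

            public IdentityService getIdentityService() {
                return loginService.getIdentityService();
            }

            public boolean isSessionRenewedOnAuthentication() {
                return false;
            }

            public int getSessionMaxInactiveIntervalOnAuthentication() {
                return 0;
            }
        });
    }

    /**
     * Builds the HTTP login service from whichever OAuth modes are configured:
     * <ul>
     *   <li>Confluent only: Confluent JWT service with MDS basic fallback;</li>
     *   <li>IDP only: IDP JWT service, no basic fallback;</li>
     *   <li>both: the two JWT services behind a {@link MultiJwtLoginService}, with MDS basic
     *       fallback;</li>
     *   <li>neither: an error is logged and {@code null} is returned.</li>
     * </ul>
     *
     * @param securityHandlerConfig source of all login configuration
     * @param metricsContainer metrics sink
     * @param logger logger for configuration diagnostics
     * @return the login service, or {@code null} when no OAuth mode is configured
     */
    public static LoginService createHttpLoginService(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig,
            MetricsContainer metricsContainer, Logger logger) {
        boolean confluentOAuthEnabled = isConfluentOAuthEnabled(securityHandlerConfig, logger);
        boolean idpOAuthEnabled = isIdpOAuthEnabled(securityHandlerConfig, logger);
        logger.debug("Confluent OAuth enabled: {}, IDP Oauth is enabled: {}",
                confluentOAuthEnabled, idpOAuthEnabled);
        if (!confluentOAuthEnabled && !idpOAuthEnabled) {
            logger.error("Neither Confluent OAuth nor IDP OAuth is enabled. Please check your configuration.");
            return null;
        }

        String realm = securityHandlerConfig.getString(AUTHENTICATION_REALM);
        JwtLoginService confluentJwt = null;
        if (confluentOAuthEnabled) {
            confluentJwt = getConfluentJwtLoginService(
                    realm,
                    securityHandlerConfig.getString(TOKEN_ISSUER),
                    securityHandlerConfig.getString(PUBLIC_KEY_PATH),
                    metricsContainer);
        }
        JwtLoginService idpJwt = null;
        if (idpOAuthEnabled) {
            idpJwt = getIdpJwtLoginService(
                    realm,
                    Utils.getBaseString(
                            AuthenticationHandler.SecurityHandlerConfig.OAUTHBEARER_EXPECTED_ISSUER,
                            securityHandlerConfig),
                    Utils.getBaseList(
                            AuthenticationHandler.SecurityHandlerConfig.OAUTHBEARER_EXPECTED_AUDIENCE,
                            securityHandlerConfig),
                    Utils.getBaseString(
                            AuthenticationHandler.SecurityHandlerConfig.OAUTHBEARER_SUB_CLAIM_NAME,
                            securityHandlerConfig),
                    Utils.getBaseString(
                            AuthenticationHandler.SecurityHandlerConfig.OAUTHBEARER_GROUPS_CLAIM_NAME,
                            securityHandlerConfig),
                    securityHandlerConfig,
                    metricsContainer);
        }

        if (confluentJwt != null && idpJwt != null) {
            return new MultiJwtWithFallbackLoginService(
                    new MultiJwtLoginService(confluentJwt, idpJwt),
                    getMdsBasicLoginService(securityHandlerConfig, metricsContainer));
        }
        if (confluentJwt != null) {
            return new JwtWithFallbackLoginService(
                    confluentJwt, getMdsBasicLoginService(securityHandlerConfig, metricsContainer));
        }
        // IDP only: no basic-credential fallback is attached in this mode.
        return idpJwt;
    }

    /** Confluent OAuth is on when a public key path is configured. */
    private static boolean isConfluentOAuthEnabled(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig, Logger logger) {
        String publicKeyPath = securityHandlerConfig.getString(PUBLIC_KEY_PATH);
        logger.debug("Configured public key path for token validation: {}", publicKeyPath);
        return StringUtils.isNotEmpty(publicKeyPath);
    }

    /** IDP OAuth is on when both an expected issuer and a JWKS endpoint URL are configured. */
    private static boolean isIdpOAuthEnabled(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig, Logger logger) {
        String expectedIssuer = Utils.getBaseString(
                AuthenticationHandler.SecurityHandlerConfig.OAUTHBEARER_EXPECTED_ISSUER, securityHandlerConfig);
        String jwksEndpointUrl = Utils.getBaseString(
                AuthenticationHandler.SecurityHandlerConfig.OAUTHBEARER_JWKS_ENDPOINT_URL, securityHandlerConfig);
        logger.debug("Configured IDP issuer: {}, IDP key url: {}", expectedIssuer, jwksEndpointUrl);
        return StringUtils.isNotEmpty(expectedIssuer) && StringUtils.isNotEmpty(jwksEndpointUrl);
    }

    /**
     * Claim-validation switches for {@link JwtAuthenticator}: whether the {@code jti} and
     * {@code iat} claims must be present. A {@link HashMap} is used (rather than {@code Map.of})
     * so a {@code null} config value is stored instead of throwing here.
     */
    private static Map<String, Boolean> getClaimOptions(
            AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        Map<String, Boolean> claimOptions = new HashMap<>();
        claimOptions.put(JTI_REQUIRED, securityHandlerConfig.getBoolean(
                AuthenticationHandler.SecurityHandlerConfig.OAUTHBEARER_JTI_VALIDATION_ENABLED));
        claimOptions.put(IAT_REQUIRED, securityHandlerConfig.getBoolean(
                AuthenticationHandler.SecurityHandlerConfig.OAUTHBEARER_IAT_VALIDATION_ENABLED));
        return claimOptions;
    }
}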
