package org.apache.kafka.tools;

import io.confluent.security.audit.router.AuditLogRouterUtils;
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import java.util.concurrent.ExecutionException;
import java.util.stream.Stream;
import joptsimple.OptionSpec;
import kafka.tier.tools.TierTopicMaterializationToolConfig;
import org.apache.kafka.clients.admin.Admin;
import org.apache.kafka.clients.admin.CreateDelegationTokenOptions;
import org.apache.kafka.clients.admin.DescribeDelegationTokenOptions;
import org.apache.kafka.clients.admin.ExpireDelegationTokenOptions;
import org.apache.kafka.clients.admin.RenewDelegationTokenOptions;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.token.delegation.DelegationToken;
import org.apache.kafka.common.security.token.delegation.TokenInformation;
import org.apache.kafka.common.utils.Exit;
import org.apache.kafka.common.utils.SecurityUtils;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.server.util.CommandDefaultOptions;
import org.apache.kafka.server.util.CommandLineUtils;
import org.apache.zookeeper.audit.AuditConstants;
import org.jose4j.keys.HmacKey;

/* loaded from: input_file:org/apache/kafka/tools/DelegationTokenCommand.class */
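/**
 * Command-line tool that creates, renews, expires, or describes Kafka delegation tokens
 * through the {@link Admin} client.
 *
 * <p>Security notes for operators and maintainers:
 * <ul>
 *   <li>The token HMAC authenticates the token holder, so treat it as a credential. This tool
 *       prints HMACs to stdout (see {@link #renewToken}, {@link #expireToken} and the token
 *       table), so captured output such as CI logs or terminal recordings is sensitive.</li>
 *   <li>{@code --hmac} is taken from the command line, where it can end up in shell history
 *       and process listings.</li>
 * </ul>
 */
public class DelegationTokenCommand {

    /**
     * Pattern for every timestamp this tool prints. It has no zone designator, and
     * {@link SimpleDateFormat} renders in the JVM default time zone, so printed dates are local.
     */
    private static final String TIMESTAMP_PATTERN = "yyyy-MM-dd'T'HH:mm";

    /** Column layout shared by the header row and each token row of the token table. */
    private static final String TOKEN_ROW_FORMAT = "%n%-15s %-30s %-15s %-15s %-25s %-15s %-15s %-15s%n";

    /**
     * Declares and validates the command-line options of {@link DelegationTokenCommand}.
     *
     * <p>The decompiler reported that this class was originally package-private; it is kept
     * public here so existing references keep compiling.
     */
    public static class DelegationTokenCommandOptions extends CommandDefaultOptions {
        public final OptionSpec<String> bootstrapServerOpt;
        public final OptionSpec<String> commandConfigOpt;
        public final OptionSpec<Void> createOpt;
        public final OptionSpec<Void> renewOpt;
        public final OptionSpec<Void> expiryOpt;
        public final OptionSpec<Void> describeOpt;
        public final OptionSpec<String> ownerPrincipalsOpt;
        public final OptionSpec<String> renewPrincipalsOpt;
        public final OptionSpec<Long> maxLifeTimeOpt;
        public final OptionSpec<Long> renewTimePeriodOpt;
        public final OptionSpec<Long> expiryTimePeriodOpt;
        public final OptionSpec<String> hmacOpt;

        /**
         * Registers every option with the parser and parses {@code args}.
         *
         * @param args raw command-line arguments
         */
        public DelegationTokenCommandOptions(String[] args) {
            super(args);
            // NOTE(review): the bootstrap, create and describe option names below come from
            // constants of unrelated classes (tier tooling, ZooKeeper audit, audit-log routing).
            // This looks like the decompiler substituting a constant whose value happened to match
            // the original string literal. Confirm the values and inline plain literals, so the
            // CLI surface does not depend on those classes.
            this.bootstrapServerOpt = this.parser
                .accepts(TierTopicMaterializationToolConfig.BOOTSTRAP_SERVER_CONFIG, "REQUIRED: server(s) to use for bootstrapping.")
                .withRequiredArg()
                .ofType(String.class);
            this.commandConfigOpt = this.parser
                .accepts("command-config", "REQUIRED: A property file containing configs to be passed to Admin Client. Token management operations are allowed in secure mode only. This config file is used to pass security related configs.")
                .withRequiredArg()
                .ofType(String.class);
            this.createOpt = this.parser.accepts(AuditConstants.OP_CREATE, "Create a new delegation token. Use --renewer-principal option to pass renewer principals.");
            this.renewOpt = this.parser.accepts("renew", "Renew delegation token. Use --renew-time-period option to set renew time period.");
            this.expiryOpt = this.parser.accepts("expire", "Expire delegation token. Use --expiry-time-period option to expire the token.");
            this.describeOpt = this.parser.accepts(AuditLogRouterUtils.DESCRIBE_CATEGORY, "Describe delegation tokens for the given principals. Use --owner-principal to pass owner/renewer principals. If --owner-principal option is not supplied, all the user-owned tokens and tokens where the user has Describe permissions will be returned.");
            this.ownerPrincipalsOpt = this.parser
                .accepts("owner-principal", "owner is a Kafka principal. They should be in principalType:name format.")
                .withOptionalArg()
                .ofType(String.class);
            this.renewPrincipalsOpt = this.parser
                .accepts("renewer-principal", "renewer is a Kafka principal. They should be in principalType:name format.")
                .withOptionalArg()
                .ofType(String.class);
            this.maxLifeTimeOpt = this.parser
                .accepts("max-life-time-period", "Max life period for the token in milliseconds. If the value is -1, then token max life time will default to the server side config value of (delegation.token.max.lifetime.ms).")
                .withOptionalArg()
                .ofType(Long.class);
            this.renewTimePeriodOpt = this.parser
                .accepts("renew-time-period", "Renew time period in milliseconds. If the value is -1, then the renew time period will default to the server side config value of (delegation.token.expiry.time.ms).")
                .withOptionalArg()
                .ofType(Long.class);
            this.expiryTimePeriodOpt = this.parser
                .accepts("expiry-time-period", "Expiry time period in milliseconds. If the value is -1, then the token will get invalidated immediately.")
                .withOptionalArg()
                .ofType(Long.class);
            // The HMAC is a credential; see the class-level security notes about passing it on the
            // command line.
            this.hmacOpt = this.parser
                .accepts("hmac", "HMAC of the delegation token")
                .withOptionalArg()
                .ofType(String.class);
            this.options = this.parser.parse(args);
        }

        /** Returns whether the create action was requested. */
        public boolean hasCreateOpt() {
            return this.options.has(this.createOpt);
        }

        /** Returns whether the renew action was requested. */
        public boolean hasRenewOpt() {
            return this.options.has(this.renewOpt);
        }

        /** Returns whether the expire action was requested. */
        public boolean hasExpireOpt() {
            return this.options.has(this.expiryOpt);
        }

        /** Returns whether the describe action was requested. */
        public boolean hasDescribeOpt() {
            return this.options.has(this.describeOpt);
        }

        /**
         * Returns the value of {@code --max-life-time-period} in milliseconds.
         *
         * @throws IllegalArgumentException if the option carries no value
         */
        public long maxLifeTime() {
            return requiredLongValue(this.maxLifeTimeOpt, "max-life-time-period");
        }

        /**
         * Returns the value of {@code --renew-time-period} in milliseconds.
         *
         * @throws IllegalArgumentException if the option carries no value
         */
        public long renewTimePeriod() {
            return requiredLongValue(this.renewTimePeriodOpt, "renew-time-period");
        }

        /**
         * Returns the value of {@code --expiry-time-period} in milliseconds.
         *
         * @throws IllegalArgumentException if the option carries no value
         */
        public long expiryTimePeriod() {
            return requiredLongValue(this.expiryTimePeriodOpt, "expiry-time-period");
        }

        /**
         * Returns the Base64 HMAC string given with {@code --hmac}, or {@code null} when the
         * option is absent or was given without a value. The value is a credential; avoid
         * logging it.
         */
        public String hmac() {
            return this.options.valueOf(this.hmacOpt);
        }

        /**
         * Verifies that the options required by the selected action are present and that no
         * option belonging to a different action was supplied.
         */
        public void checkArgs() {
            CommandLineUtils.checkRequiredArgs(this.parser, this.options, this.bootstrapServerOpt, this.commandConfigOpt);
            if (this.options.has(this.createOpt)) {
                CommandLineUtils.checkRequiredArgs(this.parser, this.options, this.maxLifeTimeOpt);
            }
            if (this.options.has(this.renewOpt)) {
                CommandLineUtils.checkRequiredArgs(this.parser, this.options, this.hmacOpt, this.renewTimePeriodOpt);
            }
            if (this.options.has(this.expiryOpt)) {
                CommandLineUtils.checkRequiredArgs(this.parser, this.options, this.hmacOpt, this.expiryTimePeriodOpt);
            }

            // Options that make no sense together with each action.
            CommandLineUtils.checkInvalidArgs(this.parser, this.options, this.createOpt,
                new HashSet<>(Arrays.asList(this.hmacOpt, this.renewTimePeriodOpt, this.expiryTimePeriodOpt)));
            CommandLineUtils.checkInvalidArgs(this.parser, this.options, this.renewOpt,
                new HashSet<>(Arrays.asList(this.renewPrincipalsOpt, this.maxLifeTimeOpt, this.expiryTimePeriodOpt, this.ownerPrincipalsOpt)));
            CommandLineUtils.checkInvalidArgs(this.parser, this.options, this.expiryOpt,
                new HashSet<>(Arrays.asList(this.renewOpt, this.maxLifeTimeOpt, this.renewTimePeriodOpt, this.ownerPrincipalsOpt)));
            // The original list named renewTimePeriodOpt twice; the set is the same without the
            // duplicate.
            CommandLineUtils.checkInvalidArgs(this.parser, this.options, this.describeOpt,
                new HashSet<>(Arrays.asList(this.renewTimePeriodOpt, this.maxLifeTimeOpt, this.hmacOpt, this.expiryTimePeriodOpt)));
        }

        /**
         * Reads a numeric option that was declared with an optional argument. Such an option
         * can be present without a value, which would otherwise surface as a bare
         * NullPointerException during unboxing.
         */
        private long requiredLongValue(OptionSpec<Long> spec, String optionName) {
            Long value = this.options.valueOf(spec);
            if (value == null) {
                throw new IllegalArgumentException("Missing value for option --" + optionName);
            }
            return value;
        }
    }

    /** Runs the tool and terminates the JVM with the resulting exit code. */
    public static void main(String... args) {
        Exit.exit(mainNoExit(args));
    }

    /**
     * Runs the tool without terminating the JVM.
     *
     * @return 0 on success, 1 on any failure
     */
    static int mainNoExit(String... args) {
        try {
            execute(args);
            return 0;
        } catch (TerseException e) {
            // Terse failures print only the message, no stack trace.
            System.err.println(e.getMessage());
            return 1;
        } catch (Throwable t) {
            System.err.println(t.getMessage());
            System.err.println(Utils.stackTrace(t));
            return 1;
        }
    }

    /**
     * Parses the arguments, checks that exactly one action is selected, and runs that action
     * against a freshly created admin client.
     *
     * @throws Exception anything raised by argument validation or by the selected action
     */
    static void execute(String... args) throws Exception {
        DelegationTokenCommandOptions opts = new DelegationTokenCommandOptions(args);
        CommandLineUtils.maybePrintHelpOrVersion(opts, "This tool helps to create, renew, expire, or describe delegation tokens.");

        long selectedActions = Stream
            .of(opts.hasCreateOpt(), opts.hasRenewOpt(), opts.hasExpireOpt(), opts.hasDescribeOpt())
            .filter(selected -> selected)
            .count();
        if (selectedActions != 1) {
            CommandLineUtils.printUsageAndExit(opts.parser, "Command must include exactly one action: --create, --renew, --expire or --describe");
        }
        opts.checkArgs();

        // try-with-resources replaces the decompiler's hand-expanded close logic, which carried
        // dead branches that dereferenced a variable that was always null.
        try (Admin adminClient = createAdminClient(opts)) {
            if (opts.hasCreateOpt()) {
                createToken(adminClient, opts);
            } else if (opts.hasRenewOpt()) {
                renewToken(adminClient, opts);
            } else if (opts.hasExpireOpt()) {
                expireToken(adminClient, opts);
            } else if (opts.hasDescribeOpt()) {
                describeToken(adminClient, opts);
            }
        }
    }

    /**
     * Creates a delegation token with the renewers and maximum lifetime given on the command
     * line, prints it, and returns it.
     *
     * <p>The printed table includes the new token's HMAC, so the output is sensitive.
     *
     * @param admin admin client used to issue the request
     * @param opts parsed command-line options
     * @return the newly created token
     * @throws ExecutionException if the broker request fails
     * @throws InterruptedException if the calling thread is interrupted while waiting
     */
    public static DelegationToken createToken(Admin admin, DelegationTokenCommandOptions opts) throws ExecutionException, InterruptedException {
        List<KafkaPrincipal> renewers = getPrincipals(opts, opts.renewPrincipalsOpt);
        long maxLifeTimeMs = opts.maxLifeTime();
        System.out.println("Calling create token operation with renewers :" + renewers + " , max-life-time-period :" + maxLifeTimeMs);

        CreateDelegationTokenOptions createOptions = new CreateDelegationTokenOptions()
            .maxlifeTimeMs(maxLifeTimeMs)
            .renewers(renewers);
        List<KafkaPrincipal> owners = getPrincipals(opts, opts.ownerPrincipalsOpt);
        if (!owners.isEmpty()) {
            // Only the first owner principal is used; any further values are ignored.
            createOptions.owner(owners.get(0));
        }

        DelegationToken token = admin.createDelegationToken(createOptions).delegationToken().get();
        System.out.println("Created delegation token with tokenId : " + token.tokenInfo().tokenId());
        printToken(Collections.singletonList(token));
        return token;
    }

    /**
     * Prints a table with one row per token.
     *
     * <p>Each row includes the token's Base64 HMAC, which is a credential: anyone who can read
     * this output can read the secrets of all listed tokens.
     */
    private static void printToken(List<DelegationToken> tokens) {
        // SimpleDateFormat is not thread-safe, so a fresh instance is created per call.
        SimpleDateFormat dateFormat = new SimpleDateFormat(TIMESTAMP_PATTERN);
        // NOTE(review): HmacKey.ALGORITHM (jose4j) stands in for the column title here; this
        // looks like a decompiler constant substitution. Confirm the value and use a plain literal.
        System.out.printf(TOKEN_ROW_FORMAT, "TOKENID", HmacKey.ALGORITHM, "OWNER", "REQUESTER", "RENEWERS", "ISSUEDATE", "EXPIRYDATE", "MAXDATE");
        for (DelegationToken token : tokens) {
            TokenInformation info = token.tokenInfo();
            System.out.printf(TOKEN_ROW_FORMAT,
                info.tokenId(),
                token.hmacAsBase64String(),
                info.owner(),
                info.tokenRequester(),
                info.renewersAsString(),
                dateFormat.format(Long.valueOf(info.issueTimestamp())),
                dateFormat.format(Long.valueOf(info.expiryTimestamp())),
                dateFormat.format(Long.valueOf(info.maxTimestamp())));
        }
    }

    /**
     * Parses every value supplied for {@code principalOpt} into a {@link KafkaPrincipal}.
     *
     * @return the parsed principals, or an empty list when the option was not supplied
     */
    private static List<KafkaPrincipal> getPrincipals(DelegationTokenCommandOptions opts, OptionSpec<String> principalOpt) {
        List<KafkaPrincipal> principals = new ArrayList<>();
        if (opts.options.has(principalOpt)) {
            for (String value : opts.options.valuesOf(principalOpt)) {
                principals.add(SecurityUtils.parseKafkaPrincipal(value.trim()));
            }
        }
        return principals;
    }

    /**
     * Decodes the Base64 HMAC given on the command line.
     *
     * @throws IllegalArgumentException if no value was given or the value is not valid Base64
     */
    private static byte[] decodeHmac(String hmac) {
        if (hmac == null) {
            throw new IllegalArgumentException("Missing value for option --hmac");
        }
        return Base64.getDecoder().decode(hmac);
    }

    /**
     * Renews the token identified by {@code --hmac} for {@code --renew-time-period}
     * milliseconds and prints the new expiry date.
     *
     * @param admin admin client used to issue the request
     * @param opts parsed command-line options
     * @return the new expiry timestamp reported by the broker
     * @throws ExecutionException if the broker request fails
     * @throws InterruptedException if the calling thread is interrupted while waiting
     */
    public static Long renewToken(Admin admin, DelegationTokenCommandOptions opts) throws ExecutionException, InterruptedException {
        String hmac = opts.hmac();
        long renewTimePeriodMs = opts.renewTimePeriod();
        // NOTE(security): this echoes the token HMAC, a credential, to stdout, where it can be
        // captured by CI logs or terminal recordings. The text is kept unchanged for output
        // compatibility; consider dropping the HMAC from this message.
        System.out.println("Calling renew token operation with hmac :" + hmac + " , renew-time-period :" + renewTimePeriodMs);
        Long expiryTimestamp = admin
            .renewDelegationToken(decodeHmac(hmac), new RenewDelegationTokenOptions().renewTimePeriodMs(renewTimePeriodMs))
            .expiryTimestamp()
            .get();
        System.out.printf("Completed renew operation. New expiry date : %s", new SimpleDateFormat(TIMESTAMP_PATTERN).format(expiryTimestamp));
        return expiryTimestamp;
    }

    /**
     * Changes the expiry of the token identified by {@code --hmac} using
     * {@code --expiry-time-period} and prints the new expiry date.
     *
     * @param admin admin client used to issue the request
     * @param opts parsed command-line options
     * @throws ExecutionException if the broker request fails
     * @throws InterruptedException if the calling thread is interrupted while waiting
     */
    public static void expireToken(Admin admin, DelegationTokenCommandOptions opts) throws ExecutionException, InterruptedException {
        String hmac = opts.hmac();
        long expiryTimePeriodMs = opts.expiryTimePeriod();
        // NOTE(security): this echoes the token HMAC, a credential, to stdout, where it can be
        // captured by CI logs or terminal recordings. The text is kept unchanged for output
        // compatibility; consider dropping the HMAC from this message.
        System.out.println("Calling expire token operation with hmac :" + hmac + " , expire-time-period :" + expiryTimePeriodMs);
        Long expiryTimestamp = admin
            .expireDelegationToken(decodeHmac(hmac), new ExpireDelegationTokenOptions().expiryTimePeriodMs(expiryTimePeriodMs))
            .expiryTimestamp()
            .get();
        System.out.printf("Completed expire operation. New expiry date : %s", new SimpleDateFormat(TIMESTAMP_PATTERN).format(expiryTimestamp));
    }

    /**
     * Lists the delegation tokens owned by the principals given with {@code --owner-principal},
     * or those visible to the current user when none are given, and prints them.
     *
     * <p>The printed table includes each token's HMAC, so the output is sensitive.
     *
     * @param admin admin client used to issue the request
     * @param opts parsed command-line options
     * @return the tokens returned by the broker
     * @throws ExecutionException if the broker request fails
     * @throws InterruptedException if the calling thread is interrupted while waiting
     */
    public static List<DelegationToken> describeToken(Admin admin, DelegationTokenCommandOptions opts) throws ExecutionException, InterruptedException {
        List<KafkaPrincipal> owners = getPrincipals(opts, opts.ownerPrincipalsOpt);
        if (owners.isEmpty()) {
            System.out.println("Calling describe token operation for current user.");
        } else {
            System.out.printf("Calling describe token operation for owners: %s%n", owners);
        }
        List<DelegationToken> tokens = admin
            .describeDelegationToken(new DescribeDelegationTokenOptions().owners(owners))
            .delegationTokens()
            .get();
        System.out.printf("Total number of tokens : %d", tokens.size());
        printToken(tokens);
        return tokens;
    }

    /**
     * Builds an admin client from the {@code --command-config} properties file, with the
     * bootstrap servers taken from the command line.
     *
     * <p>Per the option's help text, the properties file carries the security configuration, so
     * it should be readable only by the operator running the tool.
     *
     * @throws IOException if the properties file cannot be read
     */
    private static Admin createAdminClient(DelegationTokenCommandOptions opts) throws IOException {
        Properties props = Utils.loadProps(opts.options.valueOf(opts.commandConfigOpt));
        // The command-line value overrides any bootstrap.servers entry from the file.
        props.put("bootstrap.servers", opts.options.valueOf(opts.bootstrapServerOpt));
        return Admin.create(props);
    }
}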
