package io.confluent.kafka.clients.plugins.auth.oauth;

import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/oauth/OAuthBearerLoginCallbackHandler.class */
public class OAuthBearerLoginCallbackHandler implements AuthenticateCallbackHandler {
    private String authToken;
    private String logicalCluster;
    private final Logger log = LoggerFactory.getLogger((Class<?>) OAuthBearerLoginCallbackHandler.class);
    private boolean configured = false;

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!"OAUTHBEARER".equals(str)) {
            throw new IllegalArgumentException(String.format("Unexpected SASL mechanism: %s", str));
        }
        if (((List) Objects.requireNonNull(list)).size() != 1 || list.get(0) == null) {
            throw new IllegalArgumentException(String.format("Must supply exactly 1 non-null JAAS mechanism configuration (size was %d)", Integer.valueOf(list.size())));
        }
        Map unmodifiableMap = Collections.unmodifiableMap(list.get(0).getOptions());
        this.authToken = (String) unmodifiableMap.get("token");
        if (this.authToken == null || this.authToken.isEmpty()) {
            this.log.error("No authentication token was provided in the JAAS config!");
            throw new ConfigException("Authentication token must be provided in the JAAS config.");
        }
        this.logicalCluster = (String) unmodifiableMap.get("cluster");
        if (this.logicalCluster == null || this.logicalCluster.isEmpty()) {
            this.log.error("No cluster extensions for the auth token was provided in the JAAS config!");
            throw new ConfigException("Cluster for token must be set in the JAAS config.");
        }
        this.configured = true;
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (!this.configured) {
            throw new IllegalStateException("Callback handler not configured");
        }
        for (Callback callback : callbackArr) {
            if (callback instanceof OAuthBearerTokenCallback) {
                attachAuthToken((OAuthBearerTokenCallback) callback);
            } else {
                if (!(callback instanceof SaslExtensionsCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }
                attachTenantLogicalCluster((SaslExtensionsCallback) callback);
            }
        }
    }

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void close() {
    }

    private void attachTenantLogicalCluster(SaslExtensionsCallback saslExtensionsCallback) throws ConfigException {
        HashMap hashMap = new HashMap();
        hashMap.put(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY, this.logicalCluster);
        saslExtensionsCallback.extensions(new SaslExtensions(hashMap));
    }

    private void attachAuthToken(OAuthBearerTokenCallback oAuthBearerTokenCallback) {
        if (oAuthBearerTokenCallback.token() != null) {
            throw new IllegalArgumentException("Callback had a token already");
        }
        oAuthBearerTokenCallback.token(new OAuthBearerJwsToken(this.authToken, Collections.emptySet(), -1L, "", -1L));
    }
}
