package io.confluent.security.authentication.oauthbearer;

import io.confluent.security.authentication.credential.HttpBearerCredential;
import io.confluent.security.authentication.credential.HttpCredential;
import io.confluent.security.authentication.http.ConfluentSecurityContext;
import io.confluent.security.authentication.http.HttpAuthenticatorJwt;
import io.confluent.security.trustservice.entities.v1.AssumePrincipalData;
import io.confluent.security.trustservice.entities.v1.AssumePrincipalRequest;
import jakarta.annotation.Priority;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

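/**
 * Request filter that authenticates {@code Authorization: Bearer ...} credentials by asking the
 * trust service to validate the presented token and, when it is accepted and not yet expired,
 * installs a {@link ConfluentSecurityContext} built from the token the trust service returns.
 *
 * <p>Every failure path — missing or non-Bearer credential, expired token, or any exception raised
 * while validating/authenticating — aborts the request with an empty {@code 401 Unauthorized}, so a
 * caller cannot distinguish the reasons; the reason is only written to the debug log.
 */
@Priority(1000)
public class TrustServiceBearerServerAuthFilter implements ContainerRequestFilter {
    /** Request header carrying the identity pool the token is validated against. */
    public static final String MDS_POOL_ID_KEY = "Confluent-Pool-Id";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final Logger log = LoggerFactory.getLogger(TrustServiceBearerServerAuthFilter.class);
    private final TrustServiceClient client;
    private final HttpAuthenticatorJwt authenticator;

    /**
     * @param trustServiceClient client used to validate the presented bearer token
     * @param httpAuthenticatorJwt authenticator applied to the token the trust service returns
     */
    public TrustServiceBearerServerAuthFilter(TrustServiceClient trustServiceClient, HttpAuthenticatorJwt httpAuthenticatorJwt) {
        this.client = trustServiceClient;
        this.authenticator = httpAuthenticatorJwt;
    }

    /**
     * Authenticates the request, or aborts it with 401.
     *
     * @param containerRequestContext the JAX-RS request being filtered
     * @throws IOException declared by {@link ContainerRequestFilter#filter}; this implementation
     *     converts every failure into a 401 response instead of throwing
     */
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        try {
            String authorization = containerRequestContext.getHeaders().getFirst(AUTHORIZATION_HEADER);
            if (authorization == null) {
                log.debug("No Authorization header present");
                reject(containerRequestContext);
                return;
            }
            HttpCredential credential = HttpCredential.read(authorization);
            if (!(credential instanceof HttpBearerCredential)) {
                log.debug("HttpCredential should use Bearer scheme");
                reject(containerRequestContext);
                return;
            }
            // The pool id is client-supplied; an absent header is forwarded as "" and the trust
            // service decides whether the token is acceptable for that pool.
            String poolId = containerRequestContext.getHeaders().getFirst(MDS_POOL_ID_KEY);
            AssumePrincipalRequest request = AssumePrincipalRequest.builder()
                    .token(credential.authParams())
                    .identityPool(poolId == null ? "" : poolId)
                    .build();
            AssumePrincipalData principal = this.client.validateToken(request).value();
            if (principal.expiresIn() <= 0) {
                log.debug("Confluent token is expired, unable to authenticate request");
                reject(containerRequestContext);
                return;
            }
            // "secure" reflects the scheme of the URI this server sees; behind a TLS-terminating
            // proxy that can be http even though the client connected over https — confirm
            // against the deployment before relying on it.
            boolean secure = "https".equalsIgnoreCase(
                    containerRequestContext.getUriInfo().getRequestUri().getScheme());
            containerRequestContext.setSecurityContext(new ConfluentSecurityContext(
                    credential.scheme(),
                    this.authenticator.authenticate((HttpCredential) new HttpBearerCredential(principal.token())),
                    secure));
        } catch (Exception e) {
            // Exception rather than Throwable: JVM errors (OutOfMemoryError, StackOverflowError)
            // must propagate instead of being masked as a 401. The cause is logged — never the
            // token itself — so failed authentications can be investigated.
            log.debug("Unable to authenticate request", e);
            reject(containerRequestContext);
        }
    }

    /** Aborts the request with an empty 401; deliberately identical for every failure reason. */
    private static void reject(ContainerRequestContext containerRequestContext) {
        containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
    }
}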
