package io.confluent.kafka.server.plugins.auth;

import io.confluent.kafka.multitenant.BasePhysicalClusterMetadata;
import io.confluent.kafka.multitenant.utils.AuthUtils;
import io.confluent.kafka.server.plugins.auth.DefaultDataPolicyContext;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.network.CCloudTrafficType;
import org.apache.kafka.server.multitenant.LogicalClusterMetadata;
import org.apache.kafka.server.traffic.TrafficNetworkIdRoutesStore;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/TopicBasedPlainSaslAuthenticator.class */
/**
 * SASL/PLAIN authenticator for topic-based multi-tenant logins.
 *
 * <p>On top of the credential check performed by {@link PlainSaslAuthenticator}, this class runs
 * two additional checks from {@link #pluginAuthenticate}: a traffic network-id check
 * ({@link #verifyNetworkId}) and a default-data-policy check ({@link #verifyDefaultDataPolicy}).
 * Both checks report failures through {@code throwAuthException}; their boolean results are not
 * consumed by {@link #pluginAuthenticate} (see the notes on that method).
 *
 * <p>This listing is decompiled; parameter names in the constructors are synthetic.
 */
public class TopicBasedPlainSaslAuthenticator extends PlainSaslAuthenticator {
    /** Source of the tenant credential material returned by {@link #loadSecrets()}. */
    private final BaseMultiTenantSaslSecretsStore secretsLoader;
    /** Key used to look up per-broker routes and physical-cluster metadata. */
    protected final String brokerSessionUuid;
    /**
     * Set only by {@link #initialize}; null until then. Anything that reaches
     * {@link #verifyNetworkId} before initialize() has run sees a null mode.
     */
    protected TrafficNetworkIdValidationMode networkIdValidationMode;
    /**
     * Set only by {@link #initialize}; null until then. A null value does not compare equal to
     * {@code NONE}, so {@link #verifyDefaultDataPolicy} would not short-circuit in that state.
     */
    protected DefaultDataPolicyValidationMode defaultDataPolicyValidationMode;
    /** Traffic type read from the "__confluent_ccloud_traffic_type" config entry. */
    protected final CCloudTrafficType trafficType;
    /**
     * Organization ids for which the default data policy is denied. May be null; every use
     * is null-guarded.
     */
    private final List<String> defaultDataPolicyDenyOrgIds;

    /**
     * Builds the authenticator from the plugin config map.
     *
     * <p>Values are pulled out with unchecked casts: a value of the wrong type fails here with a
     * {@link ClassCastException}, and a missing key yields null for the corresponding field.
     * {@code AuthUtils.getBrokerSessionUuid(map)} is evaluated twice; presumably it is a pure
     * lookup — TODO confirm.
     *
     * @param map plugin configuration
     */
    public TopicBasedPlainSaslAuthenticator(Map<String, ?> map) {
        this(BaseMultiTenantSaslSecretsStore.getInstance(AuthUtils.getBrokerSessionUuid(map)), AuthUtils.getBrokerSessionUuid(map), (CCloudTrafficType) map.get("__confluent_ccloud_traffic_type"), (List) map.get("confluent.cluster.link.intranet.connectivity.denied.org.ids"));
    }

    /**
     * Primary constructor; the auth caches are shared with the superclass via the static
     * {@code SUCCESSFUL_AUTH_CACHE} / {@code FAILED_AUTH_CACHE} fields it inherits.
     *
     * @param baseMultiTenantSaslSecretsStore secrets store backing {@link #loadSecrets()}
     * @param str                             broker session UUID
     * @param cCloudTrafficType               traffic type used to derive the network-id mode
     * @param list                            deny-listed organization ids; may be null
     */
    public TopicBasedPlainSaslAuthenticator(BaseMultiTenantSaslSecretsStore baseMultiTenantSaslSecretsStore, String str, CCloudTrafficType cCloudTrafficType, List<String> list) {
        super(SUCCESSFUL_AUTH_CACHE, FAILED_AUTH_CACHE);
        this.secretsLoader = baseMultiTenantSaslSecretsStore;
        this.brokerSessionUuid = str;
        this.trafficType = cCloudTrafficType;
        this.defaultDataPolicyDenyOrgIds = list;
    }

    /**
     * Reads the three validation modes from the JAAS configuration entries for
     * {@code TopicBasedLoginModule}: the inherited SNI host-name mode ({@code this.mode}), the
     * traffic network-id mode, and the default-data-policy mode. The two mode suppliers are only
     * invoked if the respective {@code fromConfigs} factory decides it needs the configured value.
     *
     * <p>The debug line logs only the mode names; no credential material is logged here.
     *
     * @param list JAAS configuration entries for this login module
     */
    @Override // io.confluent.kafka.server.plugins.auth.SaslAuthenticator
    public void initialize(List<AppConfigurationEntry> list) {
        this.mode = SniValidationMode.fromString(configEntryOption(list, SniValidationMode.SNI_HOST_NAME_VALIDATION_MODE_KEY, TopicBasedLoginModule.class.getName()));
        this.networkIdValidationMode = TrafficNetworkIdValidationMode.fromConfigs(this.trafficType, () -> {
            return configEntryOption(list, TrafficNetworkIdValidationMode.TRAFFIC_NETWORK_ID_VALIDATION_MODE_KEY, TopicBasedLoginModule.class.getName());
        });
        this.defaultDataPolicyValidationMode = DefaultDataPolicyValidationMode.fromConfigs(() -> {
            return configEntryOption(list, DefaultDataPolicyValidationMode.DEFAULT_DATA_POLICY_VALIDATION_MODE_KEY, TopicBasedLoginModule.class.getName());
        });
        this.log.debug("TopicBasedPlainSaslAuthenticator initialized with mode: {}, networkIdValidationMode:{}, defaultDataPolicyValidationMode:{}", new Object[]{this.mode.getText(), this.networkIdValidationMode.name(), this.defaultDataPolicyValidationMode.name()});
    }

    /**
     * Checks the client's network id against the routes registered for this broker session.
     *
     * <p>Failures are reported by the callback, which calls {@code throwAuthException} with the
     * authenticator's reason suffixed by the user name. The boolean result is returned as-is.
     * NOTE(review): {@link #pluginAuthenticate} discards this boolean, so a {@code false} result
     * that does not also trigger the callback is not enforced — confirm against
     * {@code TrafficNetworkIdAuthenticator} which validation modes rely on the callback.
     *
     * @param multiTenantSaslConfigEntry tenant entry (supplies {@code logicalClusterId})
     * @param str                        user name, used in the failure message
     * @param optional                   network id presented by the client, if any
     * @return the result of {@code TrafficNetworkIdAuthenticator.authenticate}
     */
    boolean verifyNetworkId(MultiTenantSaslConfigEntry multiTenantSaslConfigEntry, String str, Optional<String> optional) {
        return new TrafficNetworkIdAuthenticator(TrafficNetworkIdRoutesStore.getRoutes(this.brokerSessionUuid), this.networkIdValidationMode, str2 -> {
            throwAuthException(multiTenantSaslConfigEntry, str, str2 + " for user name: " + str);
        }).authenticate(optional, multiTenantSaslConfigEntry.logicalClusterId);
    }

    /**
     * Applies the default data policy for the tenant's logical cluster.
     *
     * <p>Mode {@code NONE} short-circuits to {@code true} without loading any metadata. Otherwise
     * the physical-cluster metadata for this broker session and the logical-cluster metadata for
     * the tenant are looked up; a missing entry is reported through {@code throwAuthException}.
     *
     * <p>NOTE(review): both null branches fall through to a dereference of the null value on the
     * following line. That is only safe if {@code throwAuthException} unconditionally throws; if
     * it can return normally, the next line raises a {@link NullPointerException} instead of an
     * authentication error — confirm against {@code throwAuthException} in the superclass.
     *
     * @param multiTenantSaslConfigEntry tenant entry (supplies {@code logicalClusterId})
     * @param str                        user name, used in failure messages
     * @param defaultDataPolicyContext   connection attributes the policy is evaluated against
     * @return the result of {@code DefaultDataPolicyAuthenticator.authenticate}
     */
    boolean verifyDefaultDataPolicy(MultiTenantSaslConfigEntry multiTenantSaslConfigEntry, String str, DefaultDataPolicyContext defaultDataPolicyContext) {
        if (this.defaultDataPolicyValidationMode == DefaultDataPolicyValidationMode.NONE) {
            return true;
        }
        BasePhysicalClusterMetadata basePhysicalClusterMetadata = BasePhysicalClusterMetadata.getInstance(this.brokerSessionUuid);
        if (basePhysicalClusterMetadata == null) {
            // Relies on throwAuthException throwing; see class-level NOTE(review).
            throwAuthException(multiTenantSaslConfigEntry, str, "cluster metadata not found for user name: " + str);
        }
        LogicalClusterMetadata metadata = basePhysicalClusterMetadata.metadata(multiTenantSaslConfigEntry.logicalClusterId);
        if (metadata == null) {
            // Relies on throwAuthException throwing; see class-level NOTE(review).
            throwAuthException(multiTenantSaslConfigEntry, str, "logical cluster metadata not found for user name: " + str);
        }
        // The deny-list flag is computed null-safely: a null list means "no org is denied".
        return new DefaultDataPolicyAuthenticator(this.defaultDataPolicyValidationMode, this.defaultDataPolicyDenyOrgIds != null && this.defaultDataPolicyDenyOrgIds.contains(metadata.organizationId()), metadata, str2 -> {
            throwAuthException(multiTenantSaslConfigEntry, str, str2 + " for user name: " + str);
        }).authenticate(defaultDataPolicyContext);
    }

    /**
     * Runs the network-id check and then the default-data-policy check for an already
     * credential-verified login.
     *
     * <p>Both calls are made for their side effect: each check signals failure by calling
     * {@code throwAuthException} from its callback, and the boolean each returns is discarded
     * here. Enforcement therefore depends entirely on the callback path, not on the return value.
     *
     * @param multiTenantSaslConfigEntry tenant entry resolved for the presented credentials
     * @param plainSaslCredentials       parsed SASL/PLAIN credentials plus connection attributes
     */
    @Override // io.confluent.kafka.server.plugins.auth.PlainSaslAuthenticator
    protected void pluginAuthenticate(MultiTenantSaslConfigEntry multiTenantSaslConfigEntry, PlainSaslCredentials plainSaslCredentials) {
        verifyNetworkId(multiTenantSaslConfigEntry, plainSaslCredentials.username, plainSaslCredentials.networkId);
        verifyDefaultDataPolicy(multiTenantSaslConfigEntry, plainSaslCredentials.username, new DefaultDataPolicyContext.Builder(plainSaslCredentials.organizationId, plainSaslCredentials.networkType, plainSaslCredentials.hasSslPeerCertificate).build());
    }

    /**
     * Delegates credential loading to the configured secrets store.
     *
     * @return the current multi-tenant SASL secrets
     */
    @Override // io.confluent.kafka.server.plugins.auth.PlainSaslAuthenticator
    protected MultiTenantSaslSecrets loadSecrets() {
        return this.secretsLoader.load();
    }
}
