package io.confluent.security.auth.provider.oauth;

import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.kafka.multitenant.BasePhysicalClusterMetadata;
import io.confluent.kafka.multitenant.KafkaLogicalClusterMetadata;
import io.confluent.kafka.multitenant.PhysicalClusterMetadata;
import io.confluent.kafka.server.plugins.auth.DefaultDataPolicyAuthenticator;
import io.confluent.kafka.server.plugins.auth.DefaultDataPolicyContext;
import io.confluent.kafka.server.plugins.auth.DefaultDataPolicyValidationMode;
import io.confluent.kafka.server.plugins.auth.SniValidationMode;
import io.confluent.kafka.server.plugins.auth.TrafficNetworkIdAuthenticator;
import io.confluent.kafka.server.plugins.auth.TrafficNetworkIdValidationMode;
import io.confluent.kafka.server.plugins.auth.oauth.JwtAuthenticatorConfig;
import io.confluent.kafka.util.ClientContext;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.authentication.AdmissionController;
import io.confluent.security.authentication.AuthenticationException;
import io.confluent.security.authentication.credential.BearerCredential;
import io.confluent.security.authentication.oauthbearer.Claims;
import io.confluent.security.authentication.oauthbearer.JwtAuthenticator;
import io.confluent.security.config.ConfigurationException;
import io.confluent.security.policyapi.engine.TrustPolicyEngine;
import io.confluent.security.trustservice.store.TrustCache;
import io.confluent.security.trustservice.store.data.IdentityPool;
import io.confluent.security.util.SecurityContext;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicLong;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.network.CCloudTrafficType;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.authenticator.PathAwareSniHostName;
import org.apache.kafka.common.security.authenticator.SaslInternalConfigs;
import org.apache.kafka.common.security.oauthbearer.CommonExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.Contextable;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.PreTokenValidationExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;
import org.apache.kafka.server.traffic.TrafficNetworkIdRoutesStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/auth/provider/oauth/EnhancedOAuthBearerValidatorCallbackHandler.class */
public class EnhancedOAuthBearerValidatorCallbackHandler implements AuthenticateCallbackHandler {
    private static final String AUTH_ERROR_MESSAGE = "Authentication failed";
    private AdmissionController admissionController;
    private BasePhysicalClusterMetadata<KafkaLogicalClusterMetadata> clusterMetadata;
    private SniValidationMode mode;
    private String networkIdValidationModeJaasConfigEntry;
    private DefaultDataPolicyValidationMode defaultDataPolicyValidationMode;
    private List<String> defaultDataPolicyDenyOrgIds;
    private String sessionUuid;
    private boolean enableFlatNetworkingVerification;
    private boolean requireCallingResourceIdentityForConfluentIssuer;
    private static final String OAUTH_IDENTITY_PROVIDER_ID_PROPERTY_KEY = "providerId";
    private static final String OAUTH_IDENTITY_PROPERTY_KEY = "identity";
    private static final String OAUTH_ORGANIZATION_ID_PROPERTY_KEY = "organizationId";
    public static final String CALLING_RESOURCE_IDENTITY_CLAIM_KEY = "calling_resource_identity";
    private boolean configured = false;
    private boolean enableOrgIdCheck = true;
    private static final AtomicLong REQ_COUNTER;
    private static final Logger log = LoggerFactory.getLogger(EnhancedOAuthBearerValidatorCallbackHandler.class);
    private static final Map<String, String> DEFAULT_DATA_POLICY_INVALID_EXTENSIONS = new HashMap();

    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        JaasOptionsUtils.validateOAuthMechanismAndNonNullJaasConfig(str, list);
        HashMap hashMap = new HashMap(list.get(0).getOptions());
        JwtAuthenticator generateConfig = JwtAuthenticatorConfig.newInstance(hashMap).generateConfig(map);
        Object obj = map.get("broker.session.uuid");
        if (obj == null || obj.toString().isEmpty()) {
            throw new ConfigurationException("Broker session UUID must be set in the Kafka config!");
        }
        this.sessionUuid = obj.toString();
        this.clusterMetadata = BasePhysicalClusterMetadata.getInstance(this.sessionUuid);
        if (this.clusterMetadata == null) {
            throw new ConfigurationException("Could not get a ClusterMetadata instance with broker session UUID " + obj);
        }
        if (this.clusterMetadata instanceof PhysicalClusterMetadata) {
            this.enableOrgIdCheck = false;
        }
        this.mode = SniValidationMode.fromString((String) hashMap.get(SniValidationMode.SNI_HOST_NAME_VALIDATION_MODE_KEY));
        this.networkIdValidationModeJaasConfigEntry = (String) hashMap.get(TrafficNetworkIdValidationMode.TRAFFIC_NETWORK_ID_VALIDATION_MODE_KEY);
        String str2 = (String) hashMap.get(DefaultDataPolicyValidationMode.DEFAULT_DATA_POLICY_VALIDATION_MODE_KEY);
        this.defaultDataPolicyValidationMode = DefaultDataPolicyValidationMode.fromConfigs(() -> {
            return str2;
        });
        this.defaultDataPolicyDenyOrgIds = (List) map.get("confluent.cluster.link.intranet.connectivity.denied.org.ids");
        this.admissionController = new AdmissionController(generateConfig, () -> {
            return ((AuthStore) Objects.requireNonNull(AuthStore.getInstance(this.sessionUuid))).trustCache();
        }, new TrustPolicyEngine());
        this.enableFlatNetworkingVerification = map.get("confluent.oauth.flat.networking.verification.enable") != null ? Boolean.parseBoolean(String.valueOf(map.get("confluent.oauth.flat.networking.verification.enable"))) : false;
        if (map.get("confluent.require.confluent.issuer") != null ? Boolean.parseBoolean(String.valueOf(map.get("confluent.require.confluent.issuer"))) : false) {
            this.enableFlatNetworkingVerification = true;
        }
        this.requireCallingResourceIdentityForConfluentIssuer = map.get("confluent.require.calling.resource.identity") != null ? Boolean.parseBoolean(String.valueOf(map.get("confluent.require.calling.resource.identity"))) : false;
        this.configured = true;
    }

    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        if (!this.configured) {
            throw new IllegalStateException("Callback handler not configured");
        }
        for (Callback callback : callbackArr) {
            if (callback instanceof OAuthBearerValidatorCallback) {
                handleValidatorCallback((OAuthBearerValidatorCallback) callback);
            } else if (callback instanceof PreTokenValidationExtensionsValidatorCallback) {
                handlePreTokenValidationCallback((PreTokenValidationExtensionsValidatorCallback) callback);
            } else {
                if (!(callback instanceof OAuthBearerExtensionsValidatorCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }
                handleExtensionsCallback((OAuthBearerExtensionsValidatorCallback) callback);
            }
        }
    }

    public void close() {
    }

    private void handlePreTokenValidationCallback(PreTokenValidationExtensionsValidatorCallback preTokenValidationExtensionsValidatorCallback) {
        long andIncrement = REQ_COUNTER.getAndIncrement();
        String str = (String) preTokenValidationExtensionsValidatorCallback.inputExtensions().map().get("logicalCluster");
        String str2 = (String) preTokenValidationExtensionsValidatorCallback.inputExtensions().map().get("identityPoolId");
        log.info("Negotiated properties - cluster: {}, poolId: {}. Req id: {}", new Object[]{str, str2, Long.valueOf(andIncrement)});
        if (doesClusterExtensionExist(preTokenValidationExtensionsValidatorCallback, str) && str2 != null) {
            IdentityPool identityPool = ((TrustCache) Objects.requireNonNull(AuthStore.getInstance(this.sessionUuid).trustCache())).identityPool(str2);
            if (identityPool == null) {
                AuthenticationException authenticationException = new AuthenticationException(String.format("Token precheck failed - unknown Identity Pool %s.", str2), "IDENTITY_POOL_NOT_FOUND");
                handleExtensionError(preTokenValidationExtensionsValidatorCallback, authenticationException.getMessage(), "identityPoolId", authenticationException.reasonCode());
                return;
            }
            preTokenValidationExtensionsValidatorCallback.context().add("identityPoolId", identityPool.poolId());
            preTokenValidationExtensionsValidatorCallback.context().add(OAUTH_IDENTITY_PROVIDER_ID_PROPERTY_KEY, identityPool.providerId());
            preTokenValidationExtensionsValidatorCallback.context().add("jwksEndpoint", identityPool.jwksEndpoint());
            preTokenValidationExtensionsValidatorCallback.context().add("req_id", Long.valueOf(andIncrement));
            log.info("Properties from IdentityPool object - poolId: {}, providerId: {}, jwksEndpoint: {}. Req id: {}", new Object[]{identityPool.poolId(), identityPool.providerId(), identityPool.jwksEndpoint(), Long.valueOf(andIncrement)});
        }
    }

    private void handleValidatorCallback(OAuthBearerValidatorCallback oAuthBearerValidatorCallback) {
        try {
            String str = oAuthBearerValidatorCallback.tokenValue();
            if (str == null) {
                throw new AuthenticationException("Callback missing required token value", "TOKEN_VALUE_ABSENT");
            }
            OAuthBearerJwsToken processToken = processToken(str, oAuthBearerValidatorCallback.context());
            boolean z = false;
            if ((processToken instanceof OAuthBearerJwsToken) && isConfluentIssuer(processToken)) {
                if (!checkAudClaim(processToken, oAuthBearerValidatorCallback)) {
                    return;
                } else {
                    z = true;
                }
            }
            if (!this.enableFlatNetworkingVerification || z || this.defaultDataPolicyValidationMode != DefaultDataPolicyValidationMode.NONE) {
                oAuthBearerValidatorCallback.token(processToken);
                log.debug("Successfully validated token. Req id: {}", Long.valueOf(getReqId(oAuthBearerValidatorCallback)));
            } else {
                if (processToken instanceof OAuthBearerJwsToken) {
                    log.info("Expected Confluent-issued token, actual issuer was: {}. Req id: {}", processToken.issuer(), Long.valueOf(getReqId(oAuthBearerValidatorCallback)));
                } else {
                    log.info("Expected Confluent-issued token, actual issuer was unknown. Req id: {}", Long.valueOf(getReqId(oAuthBearerValidatorCallback)));
                }
                oAuthBearerValidatorCallback.error("ISSUER_INVALID", (String) null, (String) null);
            }
        } catch (AuthenticationException e) {
            log.error(String.format("Failed to verify OAuth JWT token. Req id: %d", Long.valueOf(getReqId(oAuthBearerValidatorCallback))), e);
            oAuthBearerValidatorCallback.error(e.reasonCode().equals("AUTHENTICATION_EXCEPTION_OCCURRED") ? AUTH_ERROR_MESSAGE : e.reasonCode(), (String) null, (String) null);
        }
    }

    private long getReqId(Contextable contextable) {
        if (contextable == null || contextable.context() == null) {
            return -1L;
        }
        return contextable.context().getReqId();
    }

    private void handleExtensionsCallback(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback) {
        OAuthBearerJwsToken oAuthBearerJwsToken = (OAuthBearerJwsToken) oAuthBearerExtensionsValidatorCallback.token();
        String str = (String) oAuthBearerExtensionsValidatorCallback.inputExtensions().map().get("logicalCluster");
        String str2 = (String) oAuthBearerExtensionsValidatorCallback.inputExtensions().map().get("identityPoolId");
        String str3 = (String) oAuthBearerExtensionsValidatorCallback.inputExtensions().map().get("__confluent_sni_broker_host_name");
        String str4 = (String) oAuthBearerExtensionsValidatorCallback.inputExtensions().map().get("__confluent_traffic_network_id");
        String str5 = (String) oAuthBearerExtensionsValidatorCallback.inputExtensions().map().get("__confluent_ccloud_traffic_type");
        addIdentityInformation(str2, oAuthBearerJwsToken.jwtClaims(), oAuthBearerExtensionsValidatorCallback);
        if (doesClusterExtensionExist(oAuthBearerExtensionsValidatorCallback, str)) {
            try {
                KafkaLogicalClusterMetadata checkClusterMetadataMatched = checkClusterMetadataMatched(oAuthBearerExtensionsValidatorCallback, oAuthBearerJwsToken, str);
                if (!Objects.isNull(checkClusterMetadataMatched) && networkIdMatches(oAuthBearerExtensionsValidatorCallback, str, str4, str5) && checkSniHostNameMatched(oAuthBearerExtensionsValidatorCallback, str, str3, this.mode)) {
                    if (!isConfluentIssuer(oAuthBearerJwsToken) || checkLogicalClusterBelongToOrg(oAuthBearerExtensionsValidatorCallback, oAuthBearerJwsToken, checkClusterMetadataMatched)) {
                        if (isConfluentIssuer(oAuthBearerJwsToken)) {
                            if (!checkCallingResourceIdentityForConfluentIssuer(oAuthBearerJwsToken, oAuthBearerExtensionsValidatorCallback)) {
                                return;
                            }
                        } else if (!defaultDataPolicyAllowed(oAuthBearerExtensionsValidatorCallback, str)) {
                            return;
                        }
                        if (str2 != null) {
                            log.debug("Start validate identity pool trust policy based on token claims: {}. Req id: {}", oAuthBearerJwsToken.jwtClaims(), Long.valueOf(getReqId(oAuthBearerExtensionsValidatorCallback)));
                            try {
                                oAuthBearerExtensionsValidatorCallback.valid("identityPoolId", this.admissionController.assumePrincipal(oAuthBearerJwsToken.jwtClaims(), str2, checkClusterMetadataMatched.organizationId()));
                                oAuthBearerExtensionsValidatorCallback.valid("identityPoolId", str2);
                            } catch (AuthenticationException e) {
                                handleExtensionError(oAuthBearerExtensionsValidatorCallback, e.getMessage(), "identityPoolId", e.reasonCode());
                                return;
                            } catch (IllegalArgumentException e2) {
                                handleExtensionError(oAuthBearerExtensionsValidatorCallback, e2.getMessage(), "identityPoolId", "FAILED_TO_READ_CLAIMS");
                                return;
                            }
                        }
                        oAuthBearerExtensionsValidatorCallback.valid("logicalCluster", str);
                        log.debug("Successfully authenticated for user: {} (cluster: {}). Req id: {}", new Object[]{oAuthBearerJwsToken.principalName(), str, Long.valueOf(getReqId(oAuthBearerExtensionsValidatorCallback))});
                    }
                }
            } catch (IllegalStateException e3) {
                reportErrorGettingMetadata(oAuthBearerExtensionsValidatorCallback, e3);
            }
        }
    }

    private boolean checkAudClaim(OAuthBearerJwsToken oAuthBearerJwsToken, OAuthBearerValidatorCallback oAuthBearerValidatorCallback) {
        if (!oAuthBearerJwsToken.jwtClaims().containsKey("aud")) {
            return true;
        }
        log.info("Expecting no aud claim got: {}. Req id: {}", oAuthBearerJwsToken.jwtClaims().get("aud"), Long.valueOf(getReqId(oAuthBearerValidatorCallback)));
        oAuthBearerValidatorCallback.error("AUD_CLAIM_MISMATCH", (String) null, (String) null);
        return false;
    }

    private boolean checkCallingResourceIdentityForConfluentIssuer(OAuthBearerJwsToken oAuthBearerJwsToken, OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback) {
        if (!this.requireCallingResourceIdentityForConfluentIssuer) {
            return true;
        }
        if (oAuthBearerJwsToken.jwtClaims().get(CALLING_RESOURCE_IDENTITY_CLAIM_KEY) != null && !oAuthBearerJwsToken.jwtClaims().get(CALLING_RESOURCE_IDENTITY_CLAIM_KEY).toString().isEmpty()) {
            return true;
        }
        handleExtensionError(oAuthBearerExtensionsValidatorCallback, String.format("Expected %s claim, but none was found. Req id: %s", CALLING_RESOURCE_IDENTITY_CLAIM_KEY, Long.valueOf(getReqId(oAuthBearerExtensionsValidatorCallback))), CALLING_RESOURCE_IDENTITY_CLAIM_KEY, "CALLING_RESOURCE_IDENTITY_MISSING_OR_EMPTY");
        return false;
    }

    private boolean defaultDataPolicyAllowed(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback, String str) {
        if (!this.enableFlatNetworkingVerification || this.defaultDataPolicyValidationMode == DefaultDataPolicyValidationMode.NONE) {
            return true;
        }
        KafkaLogicalClusterMetadata metadata = this.clusterMetadata.metadata(str);
        if (metadata == null) {
            log.debug("No lkc metadata for " + str);
            return false;
        }
        return new DefaultDataPolicyAuthenticator(this.defaultDataPolicyValidationMode, this.defaultDataPolicyDenyOrgIds != null && this.defaultDataPolicyDenyOrgIds.contains(metadata.organizationId()), metadata, str2 -> {
            handleExtensionErrors(oAuthBearerExtensionsValidatorCallback, str2, DEFAULT_DATA_POLICY_INVALID_EXTENSIONS);
        }).authenticate(new DefaultDataPolicyContext.Builder((String) oAuthBearerExtensionsValidatorCallback.inputExtensions().map().get("__confluent_cloud_organization_id"), SaslInternalConfigs.NetworkType.fromString((String) oAuthBearerExtensionsValidatorCallback.inputExtensions().map().get("__confluent_traffic_network_type")), Boolean.valueOf(Boolean.parseBoolean((String) oAuthBearerExtensionsValidatorCallback.inputExtensions().map().get("__confluent_has_ssl_peer_certificate")))).build());
    }

    private boolean isConfluentIssuer(OAuthBearerJwsToken oAuthBearerJwsToken) {
        return oAuthBearerJwsToken.issuer() != null && "Confluent".equalsIgnoreCase(oAuthBearerJwsToken.issuer().trim());
    }

    private boolean checkLogicalClusterBelongToOrg(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback, OAuthBearerJwsToken oAuthBearerJwsToken, KafkaLogicalClusterMetadata kafkaLogicalClusterMetadata) {
        if (!this.enableOrgIdCheck) {
            return true;
        }
        String str = (String) oAuthBearerJwsToken.jwtClaims().get("orgResourceId");
        if (str != null && str.equals(kafkaLogicalClusterMetadata.organizationId())) {
            return true;
        }
        handleExtensionError(oAuthBearerExtensionsValidatorCallback, String.format("The principal %s's logical cluster %s does not belong to the org in the token (%s). Req id: %d", oAuthBearerJwsToken.principalName(), kafkaLogicalClusterMetadata.logicalClusterId(), str, Long.valueOf(getReqId(oAuthBearerExtensionsValidatorCallback))), "logicalCluster", "ORG_ID_CLUSTER_ID_MISMATCH");
        return false;
    }

    private void addIdentityInformation(String str, Map<String, Object> map, OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback) {
        if (str != null) {
            AuthStore authStore = (AuthStore) Objects.requireNonNull(AuthStore.getInstance(this.sessionUuid));
            oAuthBearerExtensionsValidatorCallback.valid("identityPoolId", str);
            IdentityPool identityPool = authStore.trustCache().identityPool(str);
            oAuthBearerExtensionsValidatorCallback.data(OAUTH_IDENTITY_PROVIDER_ID_PROPERTY_KEY, (identityPool.providerId() == null || !identityPool.providerId().trim().isEmpty()) ? identityPool.providerId() : null);
            Object orDefault = map.getOrDefault(identityPool.subjectClaim(), null);
            oAuthBearerExtensionsValidatorCallback.data(OAUTH_IDENTITY_PROPERTY_KEY, orDefault != null ? String.valueOf(orDefault) : null);
            oAuthBearerExtensionsValidatorCallback.data(OAUTH_ORGANIZATION_ID_PROPERTY_KEY, identityPool.orgId());
        }
    }

    private void reportErrorGettingMetadata(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback, IllegalStateException illegalStateException) {
        log.error(String.format("Could not get physical cluster metadata to validate the token. Req id: %d", Long.valueOf(getReqId(oAuthBearerExtensionsValidatorCallback))), illegalStateException);
        oAuthBearerExtensionsValidatorCallback.errorMessage("Could not get cluster metadata to validate the token");
        oAuthBearerExtensionsValidatorCallback.error("logicalCluster", AUTH_ERROR_MESSAGE);
    }

    private KafkaLogicalClusterMetadata checkClusterMetadataMatched(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback, OAuthBearerJwsToken oAuthBearerJwsToken, String str) {
        KafkaLogicalClusterMetadata metadata = this.clusterMetadata.metadata(str);
        if (!Objects.isNull(metadata)) {
            return metadata;
        }
        if (this.clusterMetadata.logicalClusterIdsIncludingStale().contains(str)) {
            log.info("Failing OAuth authentication because the metadata for the logical cluster {} is stale. Req id: {}", str, Long.valueOf(getReqId(oAuthBearerExtensionsValidatorCallback)));
        }
        handleExtensionError(oAuthBearerExtensionsValidatorCallback, String.format("The principal %s's logical cluster %s is not hosted on this broker. Req id: %d", oAuthBearerJwsToken.principalName(), str, Long.valueOf(getReqId(oAuthBearerExtensionsValidatorCallback))), "logicalCluster", "CLUSTER_NOT_FOUND");
        return null;
    }

    private boolean doesClusterExtensionExist(CommonExtensionsValidatorCallback commonExtensionsValidatorCallback, String str) {
        if (str != null && !str.isEmpty()) {
            return true;
        }
        handleExtensionError(commonExtensionsValidatorCallback, "The logical cluster extension is missing or is empty. Req id: " + getReqId(commonExtensionsValidatorCallback), "logicalCluster", "CLUSTER_ID_MISSING_OR_EMPTY");
        return false;
    }

    protected boolean checkSniHostNameMatched(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback, String str, String str2, SniValidationMode sniValidationMode) {
        Optional<PathAwareSniHostName> empty = str2 == null ? Optional.empty() : Optional.of(new PathAwareSniHostName(str2));
        Optional<String> map = empty.map((v0) -> {
            return v0.logicalClusterId();
        });
        if (sniValidationMode.sniHostNameMatches(str, map, empty)) {
            return true;
        }
        handleExtensionError(oAuthBearerExtensionsValidatorCallback, String.format("The SNI cluster Id: %s doesn't match with logical cluster extension: %s. Req id: %d", map.orElse("<empty>"), str, Long.valueOf(getReqId(oAuthBearerExtensionsValidatorCallback))), "__confluent_sni_broker_host_name", "SNI_ID_CLUSTER_ID_MISMATCH");
        return false;
    }

    private boolean networkIdMatches(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback, String str, String str2, String str3) {
        return new TrafficNetworkIdAuthenticator(TrafficNetworkIdRoutesStore.getRoutes(this.sessionUuid), TrafficNetworkIdValidationMode.fromConfigs(str3 != null ? CCloudTrafficType.valueOf(str3) : null, () -> {
            return this.networkIdValidationModeJaasConfigEntry;
        }), str4 -> {
            handleExtensionError(oAuthBearerExtensionsValidatorCallback, str4, "__confluent_traffic_network_id", "NETWORK_ID_DISALLOWED");
        }).authenticate(Optional.ofNullable(str2), str);
    }

    private void handleExtensionError(CommonExtensionsValidatorCallback commonExtensionsValidatorCallback, String str, String str2, String str3) {
        log.info(str);
        commonExtensionsValidatorCallback.errorMessage(str);
        if (str3 == null || str3.trim().equals("") || str3.equals("AUTHENTICATION_EXCEPTION_OCCURRED")) {
            str3 = AUTH_ERROR_MESSAGE;
        }
        commonExtensionsValidatorCallback.error(str2, str3);
    }

    private void handleExtensionErrors(CommonExtensionsValidatorCallback commonExtensionsValidatorCallback, String str, Map<String, String> map) {
        log.trace(str);
        commonExtensionsValidatorCallback.errorMessage(str);
        commonExtensionsValidatorCallback.errors(map);
    }

    OAuthBearerToken processToken(String str, ClientContext clientContext) throws AuthenticationException {
        log.info("Using context {} for authentication.", clientContext.getContextMap());
        Claims authenticate = this.admissionController.authenticate(new BearerCredential(str), SecurityContext.fromMap(clientContext.getContextMap()));
        String str2 = (String) authenticate.claimValue("orgResourceId", String.class);
        return new OAuthBearerJwsToken(str, str2 != null ? Collections.singleton(str2) : Collections.emptySet(), authenticate.expiresOn(), authenticate.subject(), Long.valueOf(authenticate.issuedAt()), authenticate.asMap(), authenticate.issuer());
    }

    static {
        DEFAULT_DATA_POLICY_INVALID_EXTENSIONS.put("__confluent_cloud_organization_id", "DATA_POLICY_DISALLOWED");
        DEFAULT_DATA_POLICY_INVALID_EXTENSIONS.put("__confluent_traffic_network_type", "DATA_POLICY_DISALLOWED");
        DEFAULT_DATA_POLICY_INVALID_EXTENSIONS.put("__confluent_has_ssl_peer_certificate", "DATA_POLICY_DISALLOWED");
        REQ_COUNTER = new AtomicLong(1L);
    }
}
