package io.confluent.kafka.server.plugins.auth.token;

import io.confluent.kafka.clients.plugins.auth.jwt.PublicKeyJwks;
import io.confluent.security.auth.client.provider.BuiltInAuthProviders;
import io.confluent.security.auth.client.rest.RestClient;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/token/TokenBearerServerLoginCallbackHandler.class */
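/**
 * Login callback handler for OAuth bearer callbacks, configured from JAAS options.
 *
 * <p>{@link #configure} always validates that the {@code publicKeyPath} option points to a
 * loadable public key. If a {@code username} option is present, it also builds a
 * {@link RestClient} that uses HTTP basic credentials against {@code metadataServerUrls};
 * {@link #handle} then attaches the result of {@link RestClient#login()} to each
 * {@link OAuthBearerTokenCallback}. Without a {@code username}, callbacks are accepted but no
 * token is attached.
 *
 * <p>This class adds no synchronization around its mutable state.
 */
public class TokenBearerServerLoginCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger(TokenBearerServerLoginCallbackHandler.class);

    // Names of the JAAS options this handler reads.
    private static final String KEY_OPTION = "publicKeyPath";
    private static final String LOGIN_SERVER_OPTION = "metadataServerUrls";
    private static final String USER_OPTION = "username";
    private static final String PASSWORD_OPTION = "password";

    private final Function<Map<String, String>, RestClient> restClientCreator;
    private RestClient restClient;
    private boolean configured;
    private boolean tokenRequired;

    /** Creates a handler that builds its {@link RestClient} directly from the client config map. */
    public TokenBearerServerLoginCallbackHandler() {
        this(map -> new RestClient(map));
    }

    /**
     * Creates a handler with a custom {@link RestClient} factory (package-private seam).
     *
     * @param function factory invoked with the client configuration map; must not be null
     * @throws NullPointerException if {@code function} is null
     */
    TokenBearerServerLoginCallbackHandler(Function<Map<String, String>, RestClient> function) {
        this.configured = false;
        this.tokenRequired = false;
        this.restClientCreator = Objects.requireNonNull(function);
    }

    /**
     * Reads the JAAS options and prepares the handler.
     *
     * @param map  configuration map; not read by this implementation
     * @param str  SASL mechanism name, checked by {@link JaasOptionsUtils}
     * @param list JAAS configuration entries; only the first entry's options are read
     * @throws ConfigException if {@code publicKeyPath} is missing or cannot be loaded, if
     *     {@code username} is set without {@code metadataServerUrls}, or if {@code username} is
     *     set with an empty {@code password}
     */
    @Override
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        Map<String, String> options = jaasConfigDef(str, list);
        validatePublicKey(options.getOrDefault(KEY_OPTION, ""));

        String serverUrls = options.getOrDefault(LOGIN_SERVER_OPTION, "");
        String username = options.getOrDefault(USER_OPTION, "");
        String password = options.getOrDefault(PASSWORD_OPTION, "");

        if (username.isEmpty()) {
            if (!password.isEmpty()) {
                // A password on its own is otherwise ignored without a trace. Surface the likely
                // misconfiguration, naming the options only and never the secret value.
                log.warn("JAAS option {} is set without {}; no token login will be performed.",
                        PASSWORD_OPTION, USER_OPTION);
            }
            // No credentials: the handler is usable but attaches no token.
            this.configured = true;
            return;
        }
        if (serverUrls.isEmpty()) {
            throw new ConfigException(String.format("Missing required configuration %s which has no default value.", LOGIN_SERVER_OPTION));
        }
        if (password.isEmpty()) {
            throw new ConfigException("Option username specified with an empty password");
        }

        // This map carries the plaintext password; do not log it or include it in error messages.
        Map<String, String> clientConfig = new HashMap<>();
        clientConfig.put("confluent.metadata.bootstrap.server.urls", serverUrls);
        clientConfig.put("confluent.metadata.http.auth.credentials.provider", BuiltInAuthProviders.HttpCredentialProviders.BASIC.name());
        clientConfig.put("confluent.metadata.basic.auth.credentials.provider", BuiltInAuthProviders.BasicAuthCredentialProviders.USER_INFO.name());
        // NOTE(review): the credentials are joined with ':' — a username containing ':' would
        // presumably be split at the wrong place by the consumer of this value; confirm how
        // RestClient parses it.
        // NOTE(review): basic credentials are sent to serverUrls; whether TLS is enforced for
        // those URLs is not visible here — confirm in RestClient / deployment config.
        clientConfig.put("confluent.metadata.basic.auth.user.info", username + ":" + password);

        this.restClient = this.restClientCreator.apply(clientConfig);
        this.configured = true;
        this.tokenRequired = true;
    }

    /**
     * Processes login callbacks, attaching a token to each {@link OAuthBearerTokenCallback}
     * when credentials were configured.
     *
     * @param callbackArr callbacks to process
     * @throws IllegalStateException if {@link #configure} has not completed successfully
     * @throws UnsupportedCallbackException if a callback is not an {@link OAuthBearerTokenCallback}
     * @throws IOException wrapping any {@link KafkaException} raised while obtaining the token
     * @throws IllegalArgumentException if a callback already carries a token
     */
    @Override
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (!this.configured) {
            throw new IllegalStateException("Callback handler not configured");
        }
        for (Callback callback : callbackArr) {
            if (!(callback instanceof OAuthBearerTokenCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            try {
                attachAuthToken((OAuthBearerTokenCallback) callback);
            } catch (KafkaException e) {
                // Keep the original exception as the cause so the failure stays diagnosable.
                throw new IOException(e.getMessage(), e);
            }
        }
    }

    /**
     * Sets the token from {@link RestClient#login()} on the callback when token login is enabled.
     *
     * @throws IllegalArgumentException if the callback already has a token
     */
    private void attachAuthToken(OAuthBearerTokenCallback oAuthBearerTokenCallback) {
        if (oAuthBearerTokenCallback.token() != null) {
            throw new IllegalArgumentException("Callback had an Authentication Token already");
        }
        if (this.tokenRequired) {
            oAuthBearerTokenCallback.token(this.restClient.login());
        }
    }

    /** Closes the underlying {@link RestClient}, if one was created. */
    @Override
    public void close() {
        if (this.restClient != null) {
            this.restClient.close();
        }
    }

    /**
     * Verifies that a public key can be loaded from the given path.
     *
     * @param str value of the {@code publicKeyPath} JAAS option; null is treated as missing
     * @throws ConfigException if the path is null or empty, or if loading the key fails with an
     *     {@link IOException}
     */
    public static void validatePublicKey(String str) {
        // Treat null like an empty value so callers get a ConfigException, not an NPE.
        if (str == null || str.isEmpty()) {
            log.error("No publicKeyPath was provided in the JAAS config!");
            throw new ConfigException("publicKeyPath option must be set in JAAS config!");
        }
        try {
            PublicKeyJwks.loadPublicKey(str);
        } catch (IOException e) {
            String message = String.format("Could not load the public key from %s", str);
            // Log the cause as well; the path alone rarely explains why loading failed.
            log.error(message, e);
            throw new ConfigException(message, e);
        }
    }

    /**
     * Validates the mechanism and JAAS entries, then returns the first entry's options as a
     * read-only map.
     */
    @SuppressWarnings("unchecked")
    private Map<String, String> jaasConfigDef(String str, List<AppConfigurationEntry> list) {
        JaasOptionsUtils.validateOAuthMechanismAndNonNullJaasConfig(str, list);
        // Option values are declared as '?'; this handler reads them as strings. The cast is
        // unchecked, so a non-string value would only fail where it is read.
        Map<String, String> options = (Map<String, String>) list.get(0).getOptions();
        return Collections.unmodifiableMap(options);
    }
}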
