package io.confluent.common.security.jetty;

import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;

/* loaded from: input_file:io/confluent/common/security/jetty/OAuthBearerAuthenticator.class */
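/**
 * Jetty {@link LoginAuthenticator} that authenticates a request from an OAuth bearer token.
 *
 * <p>The token is obtained through {@code OAuthRequestData}, which exposes three sources: the
 * auth header, a cookie and a query parameter. The selected token is handed to the configured
 * login service as the credential, with a {@code null} user name.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>A token carried in a query parameter can end up in access logs, browser history and
 *       {@code Referer} headers; deployments should redact the parameter in request logging.</li>
 *   <li>A token carried in a cookie is attached by the browser automatically, so endpoints that
 *       accept it presumably rely on CSRF defences elsewhere - confirm against the deployment.</li>
 *   <li>The token is never logged by this class; keep it that way when adding diagnostics.</li>
 * </ul>
 */
public class OAuthBearerAuthenticator extends LoginAuthenticator {
    // NOTE(review): these constants are not referenced in this class; presumably they name the
    // query parameter, auth scheme and cookie read by OAuthRequestData - confirm there.
    public static final String ACCESS_TOKEN = "access_token";
    public static final String BEARER_KEYWORD = "Bearer";
    public static final String AUTH_TOKEN = "auth_token";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/common/security/jetty/OAuthBearerAuthenticator$ErrorCode.class */
    /** Error codes reported to the client in the bearer challenge. */
    public enum ErrorCode {
        INVALID_REQUEST("invalid_request"),
        INVALID_TOKEN("invalid_token");

        final String error;

        ErrorCode(String str) {
            this.error = str;
        }

        /**
         * Renders this code as an {@code error="..."} challenge attribute.
         *
         * @return the attribute text, e.g. {@code error="invalid_token"}
         */
        public String asHeaderAttribute() {
            return "error=\"" + this.error + '\"';
        }
    }

    /**
     * Returns the authentication method name reported to Jetty.
     *
     * @return the constant {@code "BEARER"}
     */
    public String getAuthMethod() {
        return "BEARER";
    }

    /**
     * Authenticates the request from its bearer token.
     *
     * <p>Token selection: the auth-header token wins over the cookie token; the query-parameter
     * token is used only when neither is present. A query-parameter token that accompanies a
     * different header/cookie token is rejected, as is a query-only token on a request whose
     * auth header names another auth type.
     *
     * @param servletRequest the incoming request, cast to {@link HttpServletRequest}
     * @param servletResponse the response, cast to {@link HttpServletResponse}
     * @param z Jetty's "mandatory" flag; when {@code false} authentication is deferred
     * @return a {@link UserAuthentication} on success, {@link Authentication#SEND_FAILURE} after a
     *     401 has been written, {@link Authentication#UNAUTHENTICATED} when the login fails on a
     *     deferred response, or a {@link DeferredAuthentication} when {@code z} is {@code false}
     * @throws ServerAuthException if writing the 401 response fails
     */
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean z) throws ServerAuthException {
        if (!z) {
            return new DeferredAuthentication(this);
        }
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        OAuthRequestData requestData = OAuthRequestDataFactory.getInstance().getOAuthRequestData((HttpServletRequest) servletRequest);
        String headerToken = requestData.tokenFromAuthHeader();
        String cookieToken = requestData.tokenFromCookie();
        String queryToken = requestData.tokenFromQueryParam();

        // NOTE(review): when both a header token and a cookie token are present the header wins
        // and the two are not compared; only the query-parameter token is checked for conflict.
        String token = headerToken != null ? headerToken : cookieToken;
        if (token == null) {
            if (queryToken == null) {
                // NOTE(review): RFC 6750 section 3.1 suggests omitting the error code when the
                // request carries no credentials at all; kept as-is for client compatibility.
                return sendError(response, ErrorCode.INVALID_REQUEST);
            }
            token = queryToken;
            // A query token must not ride along with an auth header for some other auth type.
            if (requestData.authHeaderSpecifiesSomeOtherAuthType()) {
                return sendError(response, ErrorCode.INVALID_REQUEST);
            }
        } else if (queryToken != null && !token.equals(queryToken)) {
            // Two different tokens in one request: refuse rather than guess which one is meant.
            return sendError(response, ErrorCode.INVALID_REQUEST);
        }

        if (queryToken != null) {
            // Keep shared caches from storing a response tied to a token that was in the URL.
            response.setHeader(HttpHeader.CACHE_CONTROL.toString(), "private");
        }

        // The token is the credential; no user name is supplied to the login service.
        UserIdentity identity = getLoginService().login((String) null, token, servletRequest);
        if (isValidUser(identity)) {
            return new UserAuthentication(getAuthMethod(), identity);
        }
        if (!DeferredAuthentication.isDeferred(response)) {
            return sendError(response, ErrorCode.INVALID_TOKEN);
        }
        return Authentication.UNAUTHENTICATED;
    }

    /**
     * Reports whether the request is classified as an OAuth request by {@code OAuthRequestData}.
     *
     * @param httpServletRequest the request to inspect
     * @return the result of {@code OAuthRequestData.isOathRequest()} for this request
     */
    public boolean requestIsOath(HttpServletRequest httpServletRequest) {
        return OAuthRequestDataFactory.getInstance().getOAuthRequestData(httpServletRequest).isOathRequest();
    }

    /**
     * Writes a 401 response carrying the bearer challenge and reports the failure to Jetty.
     *
     * <p>The challenge is sent in the {@code WWW-Authenticate} header, as RFC 6750 section 3
     * requires for a 401, and is also written as the {@code text/plain} body so that existing
     * clients which read the body keep working.
     *
     * @param httpServletResponse the response to write to
     * @param errorCode the error to include in the challenge, or {@code null} for none
     * @return {@link Authentication#SEND_FAILURE}
     * @throws ServerAuthException if the response cannot be written
     */
    private Authentication sendError(HttpServletResponse httpServletResponse, ErrorCode errorCode) throws ServerAuthException {
        // The realm is the login service name (server configuration); it is not escaped here.
        StringBuilder challengeBuilder = new StringBuilder()
                .append(BEARER_KEYWORD)
                .append(" realm=\"")
                .append(getLoginService().getName())
                .append('\"');
        if (errorCode != null) {
            challengeBuilder.append(',').append(errorCode.asHeaderAttribute());
        }
        String challenge = challengeBuilder.toString();
        try {
            // Drop any partially written body; headers already set on the response are kept.
            httpServletResponse.resetBuffer();
            httpServletResponse.setStatus(401);
            httpServletResponse.setHeader(HttpHeader.WWW_AUTHENTICATE.toString(), challenge);
            httpServletResponse.setHeader("Content-Type", "text/plain");
            httpServletResponse.getOutputStream().print(challenge);
            httpServletResponse.flushBuffer();
            return Authentication.SEND_FAILURE;
        } catch (IOException e) {
            throw new ServerAuthException(e);
        }
    }

    /**
     * Checks that the login service returned an identity with a usable principal name.
     *
     * @param userIdentity the identity returned by the login service, possibly {@code null}
     * @return {@code true} only if the identity has a principal whose name is non-null and non-empty
     */
    private boolean isValidUser(UserIdentity userIdentity) {
        if (userIdentity == null) {
            return false;
        }
        java.security.Principal principal = userIdentity.getUserPrincipal();
        if (principal == null) {
            return false;
        }
        String principalName = principal.getName();
        return principalName != null && !principalName.isEmpty();
    }

    /**
     * No response post-processing is performed by this authenticator.
     *
     * @return always {@code true}
     */
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean z, Authentication.User user) {
        return true;
    }
}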
