package io.confluent.common.security.jetty;

import io.confluent.rest.RestConfig;
import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;

/* loaded from: input_file:io/confluent/common/security/jetty/OAuthBearerAuthenticator.class */
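/**
 * Jetty {@link LoginAuthenticator} for OAuth 2.0 bearer tokens.
 *
 * <p>The token is taken from the {@code Authorization: Bearer <token>} header or, when no such
 * header is present, from the {@code access_token} request parameter. It is then passed to the
 * configured login service as the credential, with a {@code null} user name.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code access_token} is read with {@code getParameter}, so it may come from the query
 *       string or a form body. A token carried in a URL tends to end up in access logs, proxies
 *       and browser history; RFC 6750 section 2.3 discourages that transport. Prefer the header
 *       and keep request-URL logging in mind when this path is enabled.</li>
 *   <li>This class performs no token validation itself; whether a token is accepted is decided
 *       entirely by the login service.</li>
 *   <li>The token is never written to a log or to the response by this class; keep it that
 *       way.</li>
 * </ul>
 */
public class OAuthBearerAuthenticator extends LoginAuthenticator {
    /** Name of the request parameter that may carry the token instead of the header. */
    static final String ACCESS_TOKEN = "access_token";
    /** Authentication scheme expected in the {@code Authorization} header. */
    static final String BEARER_KEYWORD = "Bearer";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/common/security/jetty/OAuthBearerAuthenticator$ErrorCode.class */
    /** Error codes reported in the {@code error} attribute of the {@code WWW-Authenticate} challenge. */
    public enum ErrorCode {
        INVALID_REQUEST("invalid_request"),
        INVALID_TOKEN("invalid_token");

        final String error;

        ErrorCode(String str) {
            this.error = str;
        }

        /**
         * Renders this code as a challenge attribute.
         *
         * @return the text {@code error="<code>"}
         */
        public String asHeaderAttribute() {
            return "error=\"" + this.error + '\"';
        }
    }

    /**
     * Returns the authentication method name reported for identities created by this class.
     *
     * @return {@link RestConfig#AUTHENTICATION_METHOD_BEARER}
     */
    @Override // org.eclipse.jetty.security.Authenticator
    public String getAuthMethod() {
        return RestConfig.AUTHENTICATION_METHOD_BEARER;
    }

    /**
     * Authenticates a request from its bearer token.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>authentication not mandatory: a {@link DeferredAuthentication} is returned and the
     *       request is not inspected;</li>
     *   <li>token supplied in both the header and the parameter, a header that is not a
     *       well-formed {@code Bearer} credential, or an empty token: challenge with
     *       {@code invalid_request};</li>
     *   <li>token rejected by the login service: challenge with {@code invalid_token};</li>
     *   <li>no token at all: a bare challenge without an error attribute;</li>
     *   <li>token accepted: a {@link UserAuthentication} for the returned identity.</li>
     * </ul>
     * When the response is a deferred one, no challenge is written and
     * {@link Authentication#UNAUTHENTICATED} is returned instead.
     *
     * @param servletRequest the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param z whether authentication is mandatory for this request
     * @return the authentication result described above
     * @throws ServerAuthException if the 401 response cannot be sent
     */
    @Override // org.eclipse.jetty.security.Authenticator
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean z) throws ServerAuthException {
        // Decide on deferral before touching the request: getParameter may parse a form body,
        // which should not happen for requests that do not require authentication.
        if (!z) {
            return new DeferredAuthentication(this);
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String authorization = request.getHeader(HttpHeader.AUTHORIZATION.asString());
        String tokenParameter = request.getParameter(ACCESS_TOKEN);

        // A client must use exactly one transport for the token.
        if (authorization != null && tokenParameter != null) {
            return sendError(response, ErrorCode.INVALID_REQUEST);
        }

        ErrorCode failure = null;
        String token = null;
        if (authorization != null) {
            token = extractToken(authorization);
            if (token == null) {
                failure = ErrorCode.INVALID_REQUEST;
            }
        } else if (tokenParameter != null) {
            if (tokenParameter.isEmpty()) {
                // Never forward an empty credential to the login service.
                failure = ErrorCode.INVALID_REQUEST;
            } else {
                token = tokenParameter;
            }
        }

        if (token != null) {
            if (tokenParameter != null) {
                // RFC 6750 section 2.3: responses to parameter-authenticated requests should be
                // marked private so shared caches do not store them.
                response.setHeader(HttpHeader.CACHE_CONTROL.toString(), "private");
            }
            UserIdentity identity = getLoginService().login(null, token, servletRequest);
            if (identity != null) {
                return new UserAuthentication(getAuthMethod(), identity);
            }
            failure = ErrorCode.INVALID_TOKEN;
        }

        if (DeferredAuthentication.isDeferred(response)) {
            return Authentication.UNAUTHENTICATED;
        }
        return sendError(response, failure);
    }

    /**
     * Extracts the token from an {@code Authorization} header value.
     *
     * <p>The scheme name is matched case-insensitively, as RFC 7235 section 2.1 requires, and
     * whitespace around the token is dropped so that a padded header does not produce a token
     * with stray spaces.
     *
     * @param str the raw header value
     * @return the token, or {@code null} if the value is not {@code Bearer} followed by a
     *     non-empty token
     */
    private String extractToken(String str) {
        String value = str.trim();
        int schemeLength = BEARER_KEYWORD.length();
        if (value.length() <= schemeLength
                || !value.regionMatches(true, 0, BEARER_KEYWORD, 0, schemeLength)
                || value.charAt(schemeLength) != ' ') {
            return null;
        }
        String token = value.substring(schemeLength + 1).trim();
        return token.isEmpty() ? null : token;
    }

    /**
     * Writes a {@code WWW-Authenticate: Bearer} challenge and a 401 status.
     *
     * @param httpServletResponse the response to write to
     * @param errorCode the error to report, or {@code null} for a challenge without an error
     * @return {@link Authentication#SEND_FAILURE}
     * @throws ServerAuthException if sending the error fails
     */
    private Authentication sendError(HttpServletResponse httpServletResponse, ErrorCode errorCode) throws ServerAuthException {
        // NOTE(review): the realm is the login service name, inserted without quoted-string
        // escaping; presumably it comes from configuration and contains no '"' - confirm.
        StringBuilder challenge = new StringBuilder("Bearer realm=\"");
        challenge.append(getLoginService().getName()).append('\"');
        if (errorCode != null) {
            challenge.append(',').append(errorCode.asHeaderAttribute());
        }
        httpServletResponse.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), challenge.toString());
        try {
            // NOTE(review): RFC 6750 section 3.1 pairs invalid_request with 400; this sends 401
            // for every error code. Left unchanged because clients may rely on it - confirm.
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return Authentication.SEND_FAILURE;
        } catch (IOException e) {
            throw new ServerAuthException(e);
        }
    }

    /**
     * Post-processing hook for the response; this authenticator has nothing to add.
     *
     * @return always {@code true}
     */
    @Override // org.eclipse.jetty.security.Authenticator
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean z, Authentication.User user) {
        return true;
    }
}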
