package io.confluent.kafka.server.plugins.auth.token;

import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticatorConfig;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtVerificationException;
import io.confluent.security.authentication.oauthbearer.CloudJwtPrincipal;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/token/TokenBearerValidatorCallbackHandler.class */
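/**
 * Server-side SASL/OAUTHBEARER callback handler that validates a bearer JWT with a
 * {@link JwtAuthenticator} built from the JAAS options of the single configured login module.
 *
 * <p>Security posture as written: the client only ever receives the fixed status
 * {@value #AUTH_ERROR_MESSAGE} when verification fails; the real cause is logged at debug level
 * server-side only, so a remote caller cannot distinguish a bad signature from an expired token.
 * Extension callbacks are received but no extension is ever marked valid (see
 * {@link #handleExtensionsCallback}).
 *
 * <p>Lifecycle: {@link #configure} must run once before {@link #handle}; {@link #close} may be
 * called even if configuration never happened or failed part-way.
 */
public class TokenBearerValidatorCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger(TokenBearerValidatorCallbackHandler.class);

    /** Generic status returned to the client; deliberately carries no detail about why verification failed. */
    private static final String AUTH_ERROR_MESSAGE = "Authentication failed";

    /** The only SASL mechanism this handler serves. */
    private static final String OAUTHBEARER_MECHANISM = "OAUTHBEARER";

    /** Legacy JAAS option name accepted as an alias for {@code JwtAuthenticatorConfig.JWKS_LOCATION_CONFIG}. */
    private static final String LEGACY_PUBLIC_KEY_PATH_OPTION = "publicKeyPath";

    private JwtAuthenticator authenticator;
    // Set at the end of configure(). Not volatile: the handler relies on the caller to configure it
    // before publishing it to the threads that call handle() — TODO confirm against the Kafka contract.
    private boolean configured = false;

    /**
     * Builds the {@link JwtAuthenticator} from the JAAS options of the single login module.
     *
     * @param configs           broker configuration (unused here; the authenticator is driven by JAAS options)
     * @param saslMechanism     must be {@code OAUTHBEARER}
     * @param jaasConfigEntries must hold exactly one non-null entry
     * @throws IllegalArgumentException for any other mechanism, or if the entry list is not exactly one non-null entry
     * @throws NullPointerException     if {@code jaasConfigEntries} is null
     */
    @Override
    public void configure(Map<String, ?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries) {
        if (!OAUTHBEARER_MECHANISM.equals(saslMechanism)) {
            throw new IllegalArgumentException(String.format("Unexpected SASL mechanism: %s", saslMechanism));
        }
        Objects.requireNonNull(jaasConfigEntries, "jaasConfigEntries");
        if (jaasConfigEntries.size() != 1 || jaasConfigEntries.get(0) == null) {
            throw new IllegalArgumentException(String.format(
                "Must supply exactly 1 non-null JAAS mechanism configuration (size was %d)",
                jaasConfigEntries.size()));
        }
        // Copy so the alias rewrite below does not mutate the JAAS entry's own (possibly shared) map.
        Map<String, Object> options = new HashMap<>(jaasConfigEntries.get(0).getOptions());
        if (options.containsKey(LEGACY_PUBLIC_KEY_PATH_OPTION)) {
            Object legacyLocation = options.remove(LEGACY_PUBLIC_KEY_PATH_OPTION);
            // The legacy alias wins over an explicit JWKS location, as before; make that visible to the
            // operator so a stale publicKeyPath cannot silently pin verification to an unintended key set.
            if (options.containsKey(JwtAuthenticatorConfig.JWKS_LOCATION_CONFIG)) {
                log.warn("Both '{}' and '{}' are set in the JAAS configuration; '{}' takes precedence",
                    LEGACY_PUBLIC_KEY_PATH_OPTION, JwtAuthenticatorConfig.JWKS_LOCATION_CONFIG,
                    LEGACY_PUBLIC_KEY_PATH_OPTION);
            }
            options.put(JwtAuthenticatorConfig.JWKS_LOCATION_CONFIG, legacyLocation);
        }
        this.authenticator = new JwtAuthenticator(new JwtAuthenticatorConfig(options));
        this.configured = true;
    }

    /**
     * Dispatches the SASL server's callbacks.
     *
     * <p>Token validation failures are reported through the callback with the generic
     * {@value #AUTH_ERROR_MESSAGE} status and never rethrown, so no verification detail reaches the client.
     *
     * @param callbacks the callbacks to service; only the two OAUTHBEARER validator callback types are supported
     * @throws UnsupportedCallbackException for any other callback type
     * @throws IllegalStateException        if {@link #configure} has not completed
     */
    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        if (!this.configured) {
            throw new IllegalStateException("Callback handler not configured");
        }
        for (Callback callback : callbacks) {
            if (callback instanceof OAuthBearerValidatorCallback) {
                OAuthBearerValidatorCallback validatorCallback = (OAuthBearerValidatorCallback) callback;
                try {
                    handleValidatorCallback(validatorCallback);
                } catch (JwtVerificationException e) {
                    // Real reason stays server-side at debug level; the client only sees the generic status.
                    log.debug("Failed to verify token. ", e);
                    validatorCallback.error(AUTH_ERROR_MESSAGE, null, null);
                }
                // NOTE(review): only JwtVerificationException is mapped to the generic error. Any other
                // RuntimeException escaping the authenticator propagates to the SASL server — confirm the
                // authenticator wraps parse/decode failures so malformed tokens do not take that path.
            } else if (callback instanceof OAuthBearerExtensionsValidatorCallback) {
                handleExtensionsCallback((OAuthBearerExtensionsValidatorCallback) callback);
            } else {
                throw new UnsupportedCallbackException(callback);
            }
        }
    }

    /**
     * Releases the underlying authenticator. Safe to call when {@link #configure} never ran or failed
     * before the authenticator was assigned; a failure to close is logged and not propagated.
     */
    @Override
    public void close() {
        JwtAuthenticator toClose = this.authenticator;
        if (toClose == null) {
            return; // nothing was ever created, so nothing to release
        }
        try {
            toClose.close();
        } catch (IOException e) {
            log.error("Failed to close JwtAuthenticator", e);
        }
    }

    /**
     * Intentionally a no-op: no SASL extension is marked valid, so none is vouched for by this handler.
     * Presumably the SASL server then ignores unvalidated extensions rather than rejecting the
     * handshake — confirm before adding extension-dependent behaviour.
     */
    private void handleExtensionsCallback(OAuthBearerExtensionsValidatorCallback extensionsCallback) {
    }

    /**
     * Verifies the callback's token value and, on success, hands the resulting token back to the callback.
     *
     * @throws IllegalArgumentException if the callback carries no token value
     * @throws JwtVerificationException if the token fails verification (mapped to the generic error by {@link #handle})
     */
    private void handleValidatorCallback(OAuthBearerValidatorCallback validatorCallback) throws JwtVerificationException {
        String tokenValue = validatorCallback.tokenValue();
        if (tokenValue == null) {
            throw new IllegalArgumentException("Callback missing required token value");
        }
        OAuthBearerToken verifiedToken = processToken(tokenValue);
        validatorCallback.token(verifiedToken);
        log.debug("Successfully validated token from principal {}", verifiedToken.principalName());
    }

    /**
     * Verifies the raw bearer token with the configured authenticator, requiring the
     * {@code CloudJwtPrincipal.CLAIM_CLUSTERS} claim.
     *
     * <p>The decompiler notes this was package-private in the original source; it is kept public here
     * so existing callers (e.g. tests) keep compiling.
     *
     * @param tokenValue compact-serialized JWT as presented by the client
     * @return the verified token
     * @throws JwtVerificationException if verification fails
     */
    public OAuthBearerToken processToken(String tokenValue) throws JwtVerificationException {
        return this.authenticator.login(tokenValue, CloudJwtPrincipal.CLAIM_CLUSTERS);
    }
}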
