package io.confluent.kafka.server.plugins.auth.oauth;

import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtVerificationException;
import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.kafka.multitenant.BasePhysicalClusterMetadata;
import io.confluent.kafka.multitenant.KafkaLogicalClusterMetadata;
import io.confluent.kafka.server.plugins.auth.SniValidationMode;
import io.confluent.shaded.org.slf4j.Logger;
import io.confluent.shaded.org.slf4j.LoggerFactory;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import kafka.server.KafkaConfig;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.authenticator.PathAwareSniHostName;
import org.apache.kafka.common.security.authenticator.SaslServerAuthenticator;
import org.apache.kafka.common.security.oauthbearer.CommonExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/oauth/OAuthBearerValidatorCallbackHandler.class */
public class OAuthBearerValidatorCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) OAuthBearerValidatorCallbackHandler.class);
    private static final String DEFAULT_SCOPE_CLAIM = "orgResourceId";
    private static final String AUTH_ERROR_MESSAGE = "Authentication failed";
    private JwtAuthenticator jwtAuthenticator;
    private BasePhysicalClusterMetadata clusterMetadata;
    private SniValidationMode mode;
    private boolean configured = false;

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!OAuthBearerLoginModule.OAUTHBEARER_MECHANISM.equals(str)) {
            throw new IllegalArgumentException(String.format("Unexpected SASL mechanism: %s", str));
        }
        if (((List) Objects.requireNonNull(list)).size() != 1 || list.get(0) == null) {
            throw new IllegalArgumentException(String.format("Must supply exactly 1 non-null JAAS mechanism configuration (size was %d)", Integer.valueOf(list.size())));
        }
        HashMap hashMap = new HashMap(list.get(0).getOptions());
        if (hashMap.containsKey("publicKeyPath")) {
            hashMap.put(io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticatorConfig.JWKS_LOCATION_CONFIG, hashMap.remove("publicKeyPath"));
        }
        this.jwtAuthenticator = new JwtAuthenticator(new io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticatorConfig(hashMap));
        Object obj = map.get(KafkaConfig.BrokerSessionUuidProp());
        if (obj == null || obj.toString().isEmpty()) {
            throw new ConfigException("Broker session UUID must be set in the Kafka config!");
        }
        this.clusterMetadata = BasePhysicalClusterMetadata.getInstance(obj.toString());
        if (this.clusterMetadata == null) {
            throw new ConfigException("Could not get a PhysicalClusterMetadata instance with broker session UUID " + obj.toString());
        }
        this.mode = SniValidationMode.fromString((String) hashMap.get(SniValidationMode.SNI_HOST_NAME_VALIDATION_MODE_KEY));
        this.configured = true;
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        if (!this.configured) {
            throw new IllegalStateException("Callback handler not configured");
        }
        for (Callback callback : callbackArr) {
            if (callback instanceof OAuthBearerValidatorCallback) {
                handleCallback((OAuthBearerValidatorCallback) callback);
            } else {
                if (!(callback instanceof OAuthBearerExtensionsValidatorCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }
                handleExtensionsCallback((OAuthBearerExtensionsValidatorCallback) callback);
            }
        }
    }

    private void handleCallback(OAuthBearerValidatorCallback oAuthBearerValidatorCallback) {
        try {
            handleValidatorCallback(oAuthBearerValidatorCallback);
        } catch (JwtVerificationException e) {
            log.info("Failed to verify OAuth JWT token", (Throwable) e);
            oAuthBearerValidatorCallback.error(AUTH_ERROR_MESSAGE, null, null);
        }
    }

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void close() {
        if (this.jwtAuthenticator != null) {
            try {
                this.jwtAuthenticator.close();
            } catch (IOException e) {
                log.error("Failed to close Authenticator", (Throwable) e);
            }
        }
    }

    private void handleValidatorCallback(OAuthBearerValidatorCallback oAuthBearerValidatorCallback) throws JwtVerificationException {
        String str = oAuthBearerValidatorCallback.tokenValue();
        if (str == null) {
            throw new IllegalArgumentException("Callback missing required token value");
        }
        oAuthBearerValidatorCallback.token(processToken(str));
        log.debug("Successfully validated token");
    }

    private void handleExtensionsCallback(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback) {
        OAuthBearerJwsToken oAuthBearerJwsToken = (OAuthBearerJwsToken) oAuthBearerExtensionsValidatorCallback.token();
        String str = oAuthBearerExtensionsValidatorCallback.inputExtensions().map().get(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY);
        String str2 = oAuthBearerExtensionsValidatorCallback.inputExtensions().map().get(SaslServerAuthenticator.SNI_BROKER_HOST_NAME_SASL_PROPERTY_KEY);
        try {
            KafkaLogicalClusterMetadata clusterMetadataMatched = clusterMetadataMatched(oAuthBearerExtensionsValidatorCallback, oAuthBearerJwsToken, str);
            if (!Objects.isNull(clusterMetadataMatched) && doesClusterExtensionExist(oAuthBearerExtensionsValidatorCallback, str) && isSniHostNameMatched(oAuthBearerExtensionsValidatorCallback, str, str2, this.mode) && isLogicalClusterBelongToOrg(oAuthBearerExtensionsValidatorCallback, oAuthBearerJwsToken, clusterMetadataMatched)) {
                oAuthBearerExtensionsValidatorCallback.valid(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY);
                log.debug("Successfully authenticated for user: {} (cluster: {})", oAuthBearerJwsToken.principalName(), str);
            }
        } catch (IllegalStateException e) {
            reportErrorGettingMetadata(oAuthBearerExtensionsValidatorCallback, e);
        }
    }

    private boolean isLogicalClusterBelongToOrg(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback, OAuthBearerJwsToken oAuthBearerJwsToken, KafkaLogicalClusterMetadata kafkaLogicalClusterMetadata) {
        String str = (String) oAuthBearerJwsToken.jwtClaims().get("orgResourceId");
        if (str != null && str.equals(kafkaLogicalClusterMetadata.organizationId())) {
            return true;
        }
        handleExtensionError(oAuthBearerExtensionsValidatorCallback, String.format("The principal %s's logical cluster %s is not belong to the org in this token (%s).", oAuthBearerJwsToken.principalName(), kafkaLogicalClusterMetadata.logicalClusterId(), str), OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY);
        return false;
    }

    private void reportErrorGettingMetadata(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback, IllegalStateException illegalStateException) {
        log.error("Could not get physical cluster metadata to validate the token. ", (Throwable) illegalStateException);
        oAuthBearerExtensionsValidatorCallback.errorMessage("Could not get cluster metadata to validate the token");
        oAuthBearerExtensionsValidatorCallback.error(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY, AUTH_ERROR_MESSAGE);
    }

    private KafkaLogicalClusterMetadata clusterMetadataMatched(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback, OAuthBearerJwsToken oAuthBearerJwsToken, String str) {
        if (this.clusterMetadata.logicalClusterIds().contains(str)) {
            return (KafkaLogicalClusterMetadata) this.clusterMetadata.metadata(str);
        }
        if (this.clusterMetadata.logicalClusterIdsIncludingStale().contains(str)) {
            log.info("Failing OAuth authentication because the metadata for the logical cluster {} is stale.", str);
        }
        handleExtensionError(oAuthBearerExtensionsValidatorCallback, String.format("The principal %s's logical cluster %s is not hosted on this broker.", oAuthBearerJwsToken.principalName(), str), OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY);
        return null;
    }

    private boolean doesClusterExtensionExist(CommonExtensionsValidatorCallback commonExtensionsValidatorCallback, String str) {
        if (str != null && !str.isEmpty()) {
            return true;
        }
        handleExtensionError(commonExtensionsValidatorCallback, "The logical cluster extension is missing or is empty", OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY);
        return false;
    }

    protected boolean isSniHostNameMatched(OAuthBearerExtensionsValidatorCallback oAuthBearerExtensionsValidatorCallback, String str, String str2, SniValidationMode sniValidationMode) {
        Optional<PathAwareSniHostName> empty = str2 == null ? Optional.empty() : Optional.of(new PathAwareSniHostName(str2));
        Optional<String> map = empty.map((v0) -> {
            return v0.logicalClusterId();
        });
        if (sniValidationMode.sniHostNameMatches(str, map, empty)) {
            return true;
        }
        handleExtensionError(oAuthBearerExtensionsValidatorCallback, String.format("The SNI cluster Id: %s doesn't match with logical cluster extension: %s.", map.orElse("<empty>"), str), SaslServerAuthenticator.SNI_BROKER_HOST_NAME_SASL_PROPERTY_KEY);
        return false;
    }

    private void handleExtensionError(CommonExtensionsValidatorCallback commonExtensionsValidatorCallback, String str, String str2) {
        log.info(str);
        commonExtensionsValidatorCallback.errorMessage(str);
        commonExtensionsValidatorCallback.error(str2, AUTH_ERROR_MESSAGE);
    }

    OAuthBearerToken processToken(String str) throws JwtVerificationException {
        return this.jwtAuthenticator.login(str, "orgResourceId");
    }
}
