package io.confluent.controlcenter.rest;

import com.google.common.base.Strings;
import com.google.common.util.concurrent.ListeningScheduledExecutorService;
import com.google.common.util.concurrent.MoreExecutors;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import com.google.inject.Binder;
import com.google.inject.BindingAnnotation;
import com.google.inject.Inject;
import com.google.inject.Module;
import com.google.inject.Provides;
import com.google.inject.Singleton;
import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.OAuthBearerAuthenticator;
import io.confluent.controlcenter.ControlCenterConfig;
import io.confluent.controlcenter.ControlCenterRbacConfig;
import io.confluent.monitoring.common.SystemClock;
import io.confluent.rest.RestConfig;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.concurrent.Executors;
import org.apache.kafka.common.config.ConfigException;
import org.eclipse.jetty.jaas.JAASLoginService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;

/* loaded from: input_file:io/confluent/controlcenter/rest/RestModule.class */
public class RestModule implements Module {

    @Target({ElementType.FIELD, ElementType.PARAMETER, ElementType.METHOD})
    @BindingAnnotation
    @Retention(RetentionPolicy.RUNTIME)
    /* loaded from: input_file:io/confluent/controlcenter/rest/RestModule$BrokerConfigsEditEnabled.class */
    public @interface BrokerConfigsEditEnabled {
    }

    @Target({ElementType.FIELD, ElementType.PARAMETER, ElementType.METHOD})
    @BindingAnnotation
    @Retention(RetentionPolicy.RUNTIME)
    /* loaded from: input_file:io/confluent/controlcenter/rest/RestModule$SchemaRegistry.class */
    public @interface SchemaRegistry {
    }

    @Target({ElementType.FIELD, ElementType.PARAMETER, ElementType.METHOD})
    @BindingAnnotation
    @Retention(RetentionPolicy.RUNTIME)
    /* loaded from: input_file:io/confluent/controlcenter/rest/RestModule$WebSockets.class */
    public @interface WebSockets {
    }

    @Override // com.google.inject.Module
    public void configure(Binder binder) {
    }

    @Singleton
    @WebSockets
    @Provides
    public ListeningScheduledExecutorService getScheduledExecutorService() {
        return MoreExecutors.listeningDecorator(Executors.newScheduledThreadPool(10, new ThreadFactoryBuilder().setDaemon(true).build()));
    }

    @Inject
    @Provides
    public RestSecuritySetup restSecuritySetup(ControlCenterConfig controlCenterConfig, RestConfig restConfig, ControlCenterRbacConfig controlCenterRbacConfig, SystemClock systemClock) {
        String str = null;
        LoginAuthenticator loginAuthenticator = null;
        LoginService loginService = null;
        String string = restConfig.getString(RestConfig.AUTHENTICATION_METHOD_CONFIG);
        String string2 = restConfig.getString(RestConfig.AUTHENTICATION_REALM_CONFIG);
        long longValue = controlCenterConfig.getLong(ControlCenterConfig.CONTROL_CENTER_AUTH_SESSION_EXPIRATION_MS).longValue();
        if (controlCenterRbacConfig.isRbacEnabled() && !RestConfig.AUTHENTICATION_METHOD_BEARER.equals(string)) {
            throw new ConfigException("confluent.controlcenter.rest.authentication.method=BEARER is required when RBAC is enabled");
        }
        if ("BASIC".equals(string)) {
            str = string2;
            loginAuthenticator = longValue <= 0 ? new BasicAuthenticator() : new SessionBasicAuthenticator(systemClock, longValue);
            loginService = new JAASLoginService(str);
        } else if (RestConfig.AUTHENTICATION_METHOD_BEARER.equals(string)) {
            str = string2;
            String string3 = controlCenterConfig.getString(ControlCenterConfig.CONTROL_CENTER_AUTH_BEARER_ISSUER);
            String string4 = controlCenterConfig.getString(ControlCenterConfig.CONTROL_CENTER_AUTH_BEARER_PUBLIC_KEY_PATH);
            String string5 = controlCenterConfig.getString(ControlCenterConfig.CONTROL_CENTER_AUTH_BEARER_ROLES_CLAIM);
            if (Strings.isNullOrEmpty(string4)) {
                throw new ConfigException("Must provide 'confluent.controlcenter.auth.bearer.public.key.path' when using 'confluent.controlcenter.rest.authentication.method=BEARER'");
            }
            loginAuthenticator = new OAuthBearerAuthenticator();
            loginService = new JwtLoginService(str, string3, string4, string5);
        }
        return new RestSecuritySetup(str, loginAuthenticator, loginService, null);
    }
}
