package io.confluent.common.security.auth.schemaregistry;

import io.confluent.common.config.ConfigException;
import io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider;
import io.confluent.security.auth.client.RestClientConfig;
import io.confluent.security.auth.client.provider.BuiltInAuthProviders;
import io.confluent.security.auth.client.provider.HttpBearerCredentialProvider;
import io.confluent.security.auth.client.provider.HttpCredentialProvider;
import io.confluent.security.auth.client.rest.RestClient;
import io.confluent.security.auth.common.JwtBearerToken;
import java.net.URL;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.JaasContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/auth/schemaregistry/MdsBearerAuthProvider.class */
public class MdsBearerAuthProvider implements BearerAuthCredentialProvider {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) MdsBearerAuthProvider.class);
    private static final double TOKEN_REFRESH_RATE = 0.8d;
    private ScheduledExecutorService tokenRefreshscheduler;
    private Throwable refreshError;
    private RestClient restClient;
    private JwtBearerToken currentToken;
    private HttpCredentialProvider restClientCredentialProvider;
    private static final String USER_OPTION = "username";
    private static final String PASSWORD_OPTION = "password";
    private static final String LOGIN_SERVER_OPTION = "metadataServerUrls";
    private static final String TOKEN_OPTION = "authenticationToken";

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.restClient = new RestClient(restClientConfigs(map));
        this.currentToken = this.restClient.login();
        this.refreshError = null;
        this.restClientCredentialProvider = new HttpBearerCredentialProvider();
        this.restClientCredentialProvider.configure(Collections.singletonMap(RestClientConfig.TOKEN_AUTH_CREDENTIAL_PROP, this.currentToken.value()));
        this.restClient.setCredentialProvider(this.restClientCredentialProvider);
        this.tokenRefreshscheduler = newTokenRefreshService();
        scheduleNextTokenRefresh();
    }

    private static ScheduledExecutorService newTokenRefreshService() {
        return Executors.newSingleThreadScheduledExecutor(runnable -> {
            Thread newThread = Executors.defaultThreadFactory().newThread(runnable);
            newThread.setDaemon(true);
            return newThread;
        });
    }

    @Override // io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider
    public String alias() {
        return "MDS";
    }

    @Override // io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider
    public String getBearerToken(URL url) {
        if (this.refreshError != null) {
            log.warn("An error occurred while trying to refresh the current token; as a result, it may be expired", this.refreshError);
        }
        return this.currentToken.value();
    }

    private void scheduleNextTokenRefresh() {
        long longValue = this.currentToken.startTimeMs().longValue() + ((long) ((this.currentToken.lifetimeMs() - this.currentToken.startTimeMs().longValue()) * 0.8d));
        log.info("[Principal={}]: Expiring credential valid from {} to {}", this.currentToken.principalName(), new Date(this.currentToken.startTimeMs().longValue()), new Date(this.currentToken.lifetimeMs()));
        log.info("[Principal={}]: Expiring credential re-login sleeping until: {}", this.currentToken.principalName(), new Date(longValue));
        this.tokenRefreshscheduler.schedule(() -> {
            try {
                this.currentToken = this.restClient.login();
                this.restClientCredentialProvider.configure(Collections.singletonMap(RestClientConfig.TOKEN_AUTH_CREDENTIAL_PROP, this.currentToken.value()));
                scheduleNextTokenRefresh();
            } catch (Throwable th) {
                log.error("Failed to refresh token", th);
                this.refreshError = th;
            }
        }, longValue - System.currentTimeMillis(), TimeUnit.MILLISECONDS);
    }

    protected Map<String, Object> restClientConfigs(Map<String, ?> map) {
        Map<String, String> jaasConfigDef = jaasConfigDef(JaasContext.loadClientContext(extractSaslConfig(map)).configurationEntries());
        String orDefault = jaasConfigDef.getOrDefault(LOGIN_SERVER_OPTION, "");
        String orDefault2 = jaasConfigDef.getOrDefault(USER_OPTION, "");
        String orDefault3 = jaasConfigDef.getOrDefault(PASSWORD_OPTION, "");
        String orDefault4 = jaasConfigDef.getOrDefault(TOKEN_OPTION, "");
        validateHaveCredentials(orDefault2, orDefault3, orDefault4);
        if (orDefault == null || orDefault.isEmpty()) {
            throw new ConfigException(String.format("Missing required configuration %s which has no default value.", LOGIN_SERVER_OPTION));
        }
        HashMap hashMap = new HashMap(map);
        hashMap.put("confluent.metadata.bootstrap.server.urls", orDefault);
        hashMap.put("confluent.metadata.basic.auth.user.info", orDefault2 + ":" + orDefault3);
        hashMap.put(RestClientConfig.TOKEN_AUTH_CREDENTIAL_PROP, orDefault4);
        if (orDefault2.isEmpty()) {
            hashMap.put(RestClientConfig.HTTP_AUTH_CREDENTIALS_PROVIDER_PROP, BuiltInAuthProviders.HttpCredentialProviders.BEARER.name());
        }
        return hashMap;
    }

    private Map<String, Object> extractSaslConfig(Map<String, ?> map) {
        HashMap hashMap = new HashMap(map);
        if (hashMap.containsKey(SaslConfigs.SASL_JAAS_CONFIG)) {
            Object obj = hashMap.get(SaslConfigs.SASL_JAAS_CONFIG);
            if (obj instanceof String) {
                hashMap.put(SaslConfigs.SASL_JAAS_CONFIG, new Password((String) obj));
            }
        }
        return hashMap;
    }

    private Map<String, String> jaasConfigDef(List<AppConfigurationEntry> list) {
        if (((List) Objects.requireNonNull(list)).size() != 1 || list.get(0) == null) {
            throw new IllegalArgumentException(String.format("Must supply exactly 1 non-null JAAS mechanism configuration (size was %d)", Integer.valueOf(list.size())));
        }
        return Collections.unmodifiableMap(list.get(0).getOptions());
    }

    private void validateHaveCredentials(String str, String str2, String str3) throws ConfigException {
        if (str.isEmpty() && str3.isEmpty()) {
            throw new ConfigException("Must supply either a user or token credentials");
        }
        if (!str.isEmpty() && str2.isEmpty()) {
            throw new ConfigException("Option username specified with an empty password");
        }
    }
}
