package io.confluent.kafka.multitenant;

import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.multitenant.utils.Utils;
import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.errors.SerializationException;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.KafkaPrincipalSerde;
import org.apache.kafka.common.security.auth.PlaintextAuthenticationContext;
import org.apache.kafka.common.security.auth.SaslAuthenticationContext;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer;

/* loaded from: input_file:io/confluent/kafka/multitenant/MultiTenantPrincipalBuilder.class */
public class MultiTenantPrincipalBuilder implements KafkaPrincipalBuilder, Configurable, KafkaPrincipalSerde {
    private static final String OAUTH_NEGOTIATED_TOKEN_PROPERTY_KEY = "OAUTHBEARER.token";
    public static final String CCLOUD_INTERNAL_USER = "0";
    private static final String RESOURCE_ID_SERVICE_ACCOUNT_PREFIX = "sa-";
    private boolean oauthSuperUserDisable;
    private boolean enableDataplaneRbacForPKC;
    private PhysicalClusterMetadata physicalClusterMetadata;

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.oauthSuperUserDisable = false;
        if (map != null && map.containsKey(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE)) {
            this.oauthSuperUserDisable = Boolean.parseBoolean((String) map.get(ConfluentConfigs.MULTITENANT_OAUTH_SUPERUSER_DISABLE));
        }
        this.enableDataplaneRbacForPKC = false;
        if (map != null && map.containsKey(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC)) {
            this.enableDataplaneRbacForPKC = Boolean.parseBoolean((String) map.get(ConfluentConfigs.ENABLE_DATAPLANE_RBAC_FOR_PKC));
        }
        this.physicalClusterMetadata = PhysicalClusterMetadata.getInstance(Utils.getBrokerSessionUuid(map));
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalBuilder
    public KafkaPrincipal build(AuthenticationContext authenticationContext) {
        if (authenticationContext instanceof SaslAuthenticationContext) {
            return createKafkaPrincipalfromSaslContext((SaslAuthenticationContext) authenticationContext);
        }
        if (authenticationContext instanceof SslAuthenticationContext) {
            return createKafkaPrincipalfromSslContext((SslAuthenticationContext) authenticationContext);
        }
        if (authenticationContext instanceof PlaintextAuthenticationContext) {
            return createKafkaPrincipalPlain();
        }
        throw new IllegalArgumentException("Unhandled authentication context type: " + authenticationContext.getClass().getName());
    }

    private KafkaPrincipal createKafkaPrincipalPlain() {
        return KafkaPrincipal.ANONYMOUS;
    }

    private KafkaPrincipal createKafkaPrincipalfromSslContext(SslAuthenticationContext sslAuthenticationContext) {
        try {
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, sslAuthenticationContext.session().getPeerPrincipal().getName());
        } catch (SSLPeerUnverifiedException e) {
            return KafkaPrincipal.ANONYMOUS;
        }
    }

    private KafkaPrincipal createKafkaPrincipalfromSaslContext(SaslAuthenticationContext saslAuthenticationContext) {
        SaslServer server = saslAuthenticationContext.server();
        String authorizationID = server.getAuthorizationID();
        if (server instanceof MultiTenantSaslServer) {
            MultiTenantSaslServer multiTenantSaslServer = (MultiTenantSaslServer) server;
            TenantMetadata tenantMetadata = multiTenantSaslServer.tenantMetadata();
            updateTenantMetadata(authorizationID, tenantMetadata.clusterId, tenantMetadata, !this.enableDataplaneRbacForPKC);
            return new MultiTenantPrincipal(authorizationID, multiTenantSaslServer.authenticationId(), tenantMetadata);
        }
        if (!(server instanceof OAuthBearerSaslServer)) {
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, authorizationID);
        }
        OAuthBearerSaslServer oAuthBearerSaslServer = (OAuthBearerSaslServer) server;
        OAuthBearerJwsToken oAuthBearerJwsToken = (OAuthBearerJwsToken) oAuthBearerSaslServer.getNegotiatedProperty(OAUTH_NEGOTIATED_TOKEN_PROPERTY_KEY);
        String str = (String) oAuthBearerSaslServer.getNegotiatedProperty(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY);
        TenantMetadata build = new TenantMetadata.Builder(str, userResourceId(oAuthBearerJwsToken)).superUser(!isServiceAccount(oAuthBearerJwsToken)).build();
        updateTenantMetadata(oAuthBearerJwsToken.principalName(), str, build, (this.oauthSuperUserDisable || this.enableDataplaneRbacForPKC) ? false : true);
        return new MultiTenantPrincipal(oAuthBearerJwsToken.principalName(), oAuthBearerJwsToken.principalName(), build);
    }

    private void updateTenantMetadata(String str, String str2, TenantMetadata tenantMetadata, boolean z) {
        if (this.physicalClusterMetadata != null) {
            LogicalClusterMetadata metadata = this.physicalClusterMetadata.metadata(str2);
            if (metadata != null && metadata.organizationId() != null && metadata.environmentId() != null) {
                tenantMetadata.organizationId = metadata.organizationId();
                tenantMetadata.environmentId = metadata.environmentId();
            }
            if (!tenantMetadata.isSuperUser || metadata == null || metadata.isHealthcheckLogicalCluster() || internalUser(str)) {
                return;
            }
            tenantMetadata.isSuperUser = z;
        }
    }

    private boolean internalUser(String str) {
        return CCLOUD_INTERNAL_USER.equals(str);
    }

    private boolean isServiceAccount(OAuthBearerJwsToken oAuthBearerJwsToken) {
        String userResourceId = userResourceId(oAuthBearerJwsToken);
        return userResourceId != null && userResourceId.startsWith(RESOURCE_ID_SERVICE_ACCOUNT_PREFIX);
    }

    public String userResourceId(OAuthBearerJwsToken oAuthBearerJwsToken) {
        Object obj = oAuthBearerJwsToken.jwtClaims().get(OAuthBearerJwsToken.USER_RESOURCE_ID_CLAIM);
        if (obj != null) {
            return obj.toString();
        }
        return null;
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalSerde
    public byte[] serialize(KafkaPrincipal kafkaPrincipal) throws SerializationException {
        throw new UnsupportedOperationException();
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalSerde
    public KafkaPrincipal deserialize(byte[] bArr) throws SerializationException {
        throw new UnsupportedOperationException();
    }
}
