package io.confluent.security.authentication.oauthbearer;

import io.confluent.security.authentication.AuthenticationErrorInfo;
import io.confluent.security.authentication.AuthenticationException;
import io.confluent.security.authentication.AuthenticationExceptionReasonCodes;
import io.confluent.security.authentication.Authenticator;
import io.confluent.security.authentication.credential.BearerCredential;
import io.confluent.security.util.JwtUtils;
import io.confluent.security.util.SecurityContext;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/authentication/oauthbearer/JwtAuthenticator.class */
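/**
 * Authenticates bearer JWTs by dispatching each token to the {@link JwtConsumer} registered for
 * the token's issuer (or to the {@code "*"} wildcard consumer when the issuer has no entry of its own).
 *
 * <p>Every failure, whatever its cause, is reported to the caller as an
 * {@link AuthenticationException} carrying the most specific reason code that could be determined.
 *
 * <p>Thread-safety: the consumer map is populated once in the constructor and only read afterwards,
 * so instances may be shared across request threads.
 */
public final class JwtAuthenticator implements Authenticator<BearerCredential, JwtPrincipal> {
    private static final Logger log = LoggerFactory.getLogger(JwtAuthenticator.class);

    /** Map key of the fallback consumer that handles any issuer without a dedicated entry. */
    private static final String WILDCARD_ISSUER = "*";

    /** Consumer factories keyed by issuer name. Populated in the constructor, read-only afterwards. */
    private final Map<String, DecoratedJwtConsumer> jwtConsumers = new ConcurrentHashMap<>();

    /**
     * Produces the {@link JwtConsumer} to use for one request, given that request's
     * {@link SecurityContext} (which may be {@code null}, see {@link #authenticate(BearerCredential)}).
     */
    public interface DecoratedJwtConsumer extends Function<SecurityContext, JwtConsumer> {
    }

    /**
     * Registers one consumer factory per issuer. When two issuers share a name, the later one wins.
     *
     * @param list       issuers to register; must not be {@code null}
     * @param collection constraints handed to every issuer's {@code createConsumer} call
     * @throws NullPointerException if {@code list} is {@code null}
     */
    public JwtAuthenticator(List<JwtIssuer> list, Collection<Constraint> collection) {
        Objects.requireNonNull(list, "list");
        for (JwtIssuer issuer : list) {
            // The Confluent-internal issuer is flagged so its consumer can be configured differently
            // (the flag is passed through to the issuer; what it changes is decided there).
            boolean isConfluentIssuer = JwtAuthenticationConfig.CONFLUENT_ISSUER.equalsIgnoreCase(issuer.name());
            this.jwtConsumers.put(issuer.name(), ctx -> issuer.createConsumer(collection, isConfluentIssuer, ctx));
        }
    }

    /**
     * Authenticates a bearer credential without any request {@link SecurityContext}.
     *
     * @param bearerCredential the credential carrying the raw JWT
     * @return the principal derived from the verified claims
     * @throws AuthenticationException if the token cannot be verified for any reason
     */
    @Override // io.confluent.security.authentication.Authenticator
    public JwtPrincipal authenticate(BearerCredential bearerCredential) {
        return authenticate(bearerCredential, null);
    }

    /**
     * Authenticates a bearer credential, selecting the consumer by the token's issuer claim.
     *
     * @param bearerCredential the credential carrying the raw JWT
     * @param securityContext  request context handed to the consumer factory; may be {@code null}
     * @return the principal derived from the verified claims
     * @throws AuthenticationException if the issuer claim is absent or unrecognized, the token fails
     *                                 verification, or any other failure occurs while processing it
     */
    public JwtPrincipal authenticate(BearerCredential bearerCredential, SecurityContext securityContext) {
        try {
            String token = bearerCredential.bearerToken();
            // The issuer claim is read from the not-yet-verified token solely to pick a consumer;
            // nothing in the token is trusted until processToClaims() below has verified it.
            String issuer = IssuerExtractor.getIssuer(token);
            if (issuer == null) {
                throw new IllegalArgumentException("Bearer token missing required issuer claim");
            }
            DecoratedJwtConsumer consumer =
                this.jwtConsumers.getOrDefault(issuer, this.jwtConsumers.get(WILDCARD_ISSUER));
            if (consumer == null) {
                // `issuer` is client-supplied and is echoed into the exception message unchanged.
                throw new AuthenticationException("Unrecognized issuer " + issuer,
                    AuthenticationExceptionReasonCodes.TOKEN_ISSUER_CLAIM_UNRECOGNIZED);
            }
            return new JwtPrincipal(consumer.apply(securityContext).processToClaims(token));
        } catch (Throwable th) {
            // NOTE(review): catching Throwable also turns JVM Errors (e.g. OutOfMemoryError) into an
            // authentication failure; kept for compatibility, but narrowing to Exception is worth considering.
            throw toAuthenticationException(th, securityContext);
        }
    }

    /**
     * Converts any processing failure into the {@link AuthenticationException} surfaced to callers,
     * attaching the token's claims (when jose4j parsed them) and the most specific reason code.
     */
    private static AuthenticationException toAuthenticationException(Throwable th, SecurityContext securityContext) {
        log.trace("Failed to process token", th);
        AuthenticationErrorInfo.JwtClaimsInfo claimsInfo = claimsInfoOf(th);
        JwtUtils.Error errorDetails = JwtUtils.errorDetails(th, securityContext);
        String reasonCode = reasonCodeOf(th, errorDetails);
        // Emitted at ERROR for every failed authentication; the details derive from an untrusted token.
        log.error(errorDetails.toString());
        AuthenticationException ex = new AuthenticationException(
            "Failed to authenticate bearer credentials : " + errorDetails.message(), reasonCode);
        if (claimsInfo != null) {
            ex.errorInfo(claimsInfo);
        }
        return ex;
    }

    /**
     * Picks the reason code for a failure. A jose4j validation failure reports its first specific
     * error code when one is available; otherwise the code follows the failure's type.
     */
    private static String reasonCodeOf(Throwable th, JwtUtils.Error errorDetails) {
        if (th instanceof InvalidJwtException
                && errorDetails.errors() != null && !errorDetails.errors().isEmpty()) {
            return errorDetails.errors().get(0).reasonCode().name();
        }
        if (th instanceof IllegalArgumentException) {
            // Only raised by the missing-issuer check in authenticate().
            return AuthenticationExceptionReasonCodes.TOKEN_ISSUER_CLAIM_ABSENT;
        }
        if (th instanceof AuthenticationException) {
            return ((AuthenticationException) th).reasonCode();
        }
        if (th instanceof InvalidJwtException) {
            return AuthenticationExceptionReasonCodes.TOKEN_PROCESSING_FAILURE;
        }
        return AuthenticationException.AUTHENTICATION_EXCEPTION_OCCURRED;
    }

    /**
     * Extracts the (unverified) claims jose4j managed to parse before rejecting the token, or
     * {@code null} when the failure is not a jose4j validation failure or no claims were parsed.
     */
    private static AuthenticationErrorInfo.JwtClaimsInfo claimsInfoOf(Throwable th) {
        if (!(th instanceof InvalidJwtException)) {
            return null;
        }
        JwtClaims claims = ((InvalidJwtException) th).getJwtContext().getJwtClaims();
        if (claims == null) {
            return null;
        }
        AuthenticationErrorInfo.JwtClaimsInfo info = new AuthenticationErrorInfo.JwtClaimsInfo();
        info.claims(claims.getClaimsMap());
        return info;
    }
}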
