package io.confluent.security.auth.provider.ldap;

import io.confluent.rbacapi.app.CCRbacConfig;
import java.io.IOException;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Map;
import javax.naming.NamingException;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.security.auth.Subject;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.network.ListenerName;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.authenticator.LoginManager;
import org.apache.kafka.common.security.kerberos.KerberosLogin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/auth/provider/ldap/LdapContextCreator.class */
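/**
 * Creates {@link InitialLdapContext} instances that run under a JAAS {@link Subject}.
 *
 * <p>The subject is established once, at construction time. When the configuration carries a
 * {@code ldap.sasl.jaas.config} value, or the LDAP authentication setting is {@code GSSAPI}, a
 * Kerberos login is performed through Kafka's {@link LoginManager}; otherwise an empty subject is
 * used and authentication is left to the LDAP context environment.
 */
public class LdapContextCreator {
    private static final Logger log = LoggerFactory.getLogger(LdapContextCreator.class);

    /** SASL mechanism used for the Kerberos login and for the JAAS context lookup. */
    private static final String GSSAPI_MECHANISM = "GSSAPI";

    /** Config key holding the inline JAAS configuration (a {@link Password}-typed value). */
    private static final String LDAP_SASL_JAAS_CONFIG = "ldap.sasl.jaas.config";

    private final LdapConfig config;
    private final Subject subject;

    /**
     * Stores the configuration and performs the login.
     *
     * @param ldapConfig LDAP provider configuration; read by {@link #createLdapContext()} and by the
     *     login step
     * @throws LdapException if the Kerberos/JAAS login fails
     */
    public LdapContextCreator(LdapConfig ldapConfig) {
        this.config = ldapConfig;
        // The login must run after `config` is assigned. As a field initializer it would execute
        // before this constructor body and dereference a still-null `config`.
        this.subject = login();
    }

    /**
     * Establishes the subject under which LDAP contexts are created.
     *
     * @return an empty {@link Subject} when no JAAS config is set and the configured LDAP
     *     authentication is not GSSAPI; otherwise the subject of the acquired login manager
     * @throws LdapException wrapping any failure raised while loading the JAAS context or logging in
     */
    private Subject login() {
        Password password = (Password) this.config.values().get(LDAP_SASL_JAAS_CONFIG);
        boolean gssapiRequested =
                GSSAPI_MECHANISM.equals(this.config.originals().get(CCRbacConfig.LDAP_JAVA_NAMING_SECURITY_AUTH));
        if (password == null && !gssapiRequested) {
            return new Subject();
        }
        try {
            JaasContext jaasContext = jaasContext(password, GSSAPI_MECHANISM);
            // Hand the login manager only the LDAP-prefixed settings, with the prefix stripped.
            Map<String, Object> loginConfigs = new HashMap<>();
            for (Map.Entry<String, ?> entry : this.config.values().entrySet()) {
                String key = entry.getKey();
                Object value = entry.getValue();
                if (key.startsWith(LdapConfig.CONFIG_PREFIX) && value != null) {
                    loginConfigs.put(key.substring(LdapConfig.CONFIG_PREFIX.length()), value);
                }
            }
            // NOTE(review): the acquired LoginManager is not retained, so nothing in this class can
            // release it later - confirm whether the owner is expected to hold it for process lifetime.
            return LoginManager.acquireLoginManager(jaasContext, GSSAPI_MECHANISM, KerberosLogin.class, loginConfigs)
                    .subject();
        } catch (Exception e) {
            // The message names only the configuration source, never the JAAS config value itself.
            throw new LdapException("Login using " + (password != null ? "ldap.sasl.jaas.config" : "static JAAS configuration") + " failed", e);
        }
    }

    /**
     * Returns the subject established at construction time.
     *
     * <p>The decompiler reports that this accessor was package-private in the original class; the
     * subject may carry Kerberos credentials, so callers should not expose it further.
     *
     * @return the login subject, possibly empty
     */
    public Subject subject() {
        return this.subject;
    }

    /**
     * Creates a new LDAP context from the configured environment, running as the login subject.
     *
     * @return a freshly created context; the caller is responsible for closing it
     * @throws LdapException if the context cannot be created
     * @throws IOException declared for callers; not thrown by the code in this method
     * @throws NamingException declared for callers; naming failures are rethrown as
     *     {@link LdapException}
     */
    public InitialLdapContext createLdapContext() throws IOException, NamingException {
        Hashtable<String, String> environment = this.config.ldapContextEnvironment;
        // The explicit PrivilegedAction target type is required: a bare lambda matches both
        // Subject.doAs overloads (PrivilegedAction and PrivilegedExceptionAction) and is ambiguous.
        PrivilegedAction<InitialLdapContext> createContext = () -> {
            try {
                return new InitialLdapContext(environment, (Control[]) null);
            } catch (NamingException e) {
                throw new LdapException("LDAP context could not be created with provided configs", e);
            }
        };
        return Subject.doAs(this.subject, createContext);
    }

    /**
     * Loads the server-side JAAS context for the {@code ldap} listener.
     *
     * @param password inline JAAS configuration, or {@code null} to pass no dynamic configuration
     * @param str SASL mechanism name; lower-cased to build the {@code <mechanism>.sasl.jaas.config}
     *     key under which {@code password} is supplied
     * @return the loaded JAAS context
     * @throws Exception if the context cannot be loaded
     */
    public static JaasContext jaasContext(Password password, String str) throws Exception {
        Map<String, ?> dynamicJaasConfig = password == null
                ? Collections.<String, Object>emptyMap()
                : Collections.singletonMap(str.toLowerCase(Locale.ROOT) + "." + SaslConfigs.SASL_JAAS_CONFIG, password);
        return JaasContext.loadServerContext(new ListenerName("ldap"), str, dynamicJaasConfig);
    }
}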
