package io.confluent.kafka.multitenant;

import com.yammer.metrics.core.Meter;
import com.yammer.metrics.core.MetricName;
import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.multitenant.utils.AuthUtils;
import java.nio.ByteBuffer;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.errors.SerializationException;
import org.apache.kafka.common.message.DefaultPrincipalData;
import org.apache.kafka.common.protocol.ByteBufferAccessor;
import org.apache.kafka.common.protocol.MessageUtil;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.KafkaPrincipalSerde;
import org.apache.kafka.common.security.auth.PlaintextAuthenticationContext;
import org.apache.kafka.common.security.auth.SaslAuthenticationContext;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;
import org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer;
import org.apache.kafka.server.metrics.KafkaYammerMetrics;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/multitenant/MultiTenantPrincipalBuilder.class */
public class MultiTenantPrincipalBuilder implements KafkaPrincipalBuilder, KafkaPrincipalSerde, Configurable {
    private static final String OAUTH_NEGOTIATED_TOKEN_PROPERTY_KEY = "OAUTHBEARER.token";
    public static final String CCLOUD_INTERNAL_USER = "0";
    private static final String RESOURCE_ID_SERVICE_ACCOUNT_PREFIX = "sa-";
    private BasePhysicalClusterMetadata<?> physicalClusterMetadata;
    private final DefaultKafkaPrincipalBuilder defaultKafkaPrincipalBuilder = new DefaultKafkaPrincipalBuilder(null, null);
    private static final Logger log = LoggerFactory.getLogger((Class<?>) MultiTenantPrincipalBuilder.class);
    private static final MetricName ORG_PROPS_METRIC_NAME = KafkaYammerMetrics.getMetricName("kafka.multitenant", MultiTenantPrincipalBuilder.class.getSimpleName(), "org-props-missing-rate");
    private static final Meter ORG_PROPS_MISSING_METER = KafkaYammerMetrics.defaultRegistry().newMeter(ORG_PROPS_METRIC_NAME, "org-props-missing", TimeUnit.SECONDS);

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.physicalClusterMetadata = BasePhysicalClusterMetadata.getInstance(AuthUtils.getBrokerSessionUuid(map));
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalBuilder
    public KafkaPrincipal build(AuthenticationContext authenticationContext) {
        if (authenticationContext instanceof SaslAuthenticationContext) {
            return createKafkaPrincipalfromSaslContext((SaslAuthenticationContext) authenticationContext);
        }
        if (authenticationContext instanceof SslAuthenticationContext) {
            return createKafkaPrincipalfromSslContext((SslAuthenticationContext) authenticationContext);
        }
        if (authenticationContext instanceof PlaintextAuthenticationContext) {
            return createKafkaPrincipalPlain();
        }
        throw new IllegalArgumentException("Unhandled authentication context type: " + authenticationContext.getClass().getName());
    }

    private KafkaPrincipal createKafkaPrincipalPlain() {
        return KafkaPrincipal.ANONYMOUS;
    }

    private KafkaPrincipal createKafkaPrincipalfromSslContext(SslAuthenticationContext sslAuthenticationContext) {
        try {
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, sslAuthenticationContext.session().getPeerPrincipal().getName());
        } catch (SSLPeerUnverifiedException e) {
            return KafkaPrincipal.ANONYMOUS;
        }
    }

    private KafkaPrincipal createKafkaPrincipalfromSaslContext(SaslAuthenticationContext saslAuthenticationContext) {
        SaslServer server = saslAuthenticationContext.server();
        String authorizationID = server.getAuthorizationID();
        if (server instanceof MultiTenantSaslServer) {
            MultiTenantSaslServer multiTenantSaslServer = (MultiTenantSaslServer) server;
            TenantMetadata tenantMetadata = multiTenantSaslServer.tenantMetadata();
            updateTenantMetadata(tenantMetadata.clusterId, tenantMetadata, authorizationID);
            return new MultiTenantPrincipal(authorizationID, multiTenantSaslServer.authenticationId(), tenantMetadata, new IdentityMetadata(null));
        }
        if (!(server instanceof OAuthBearerSaslServer)) {
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, authorizationID);
        }
        OAuthBearerSaslServer oAuthBearerSaslServer = (OAuthBearerSaslServer) server;
        OAuthBearerJwsToken oAuthBearerJwsToken = (OAuthBearerJwsToken) oAuthBearerSaslServer.getNegotiatedProperty(OAUTH_NEGOTIATED_TOKEN_PROPERTY_KEY);
        String str = (String) oAuthBearerSaslServer.getNegotiatedProperty(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY);
        String str2 = (String) oAuthBearerSaslServer.getNegotiatedProperty("identityPoolId-azp");
        String str3 = (String) oAuthBearerSaslServer.getNegotiatedProperty("identityPoolId-sub");
        String str4 = (String) oAuthBearerSaslServer.getNegotiatedProperty("identityPoolId");
        if ((str2 == null) ^ (str3 == null)) {
            throw new IllegalArgumentException("Unhandled identity pool context: authorizedPartyClaim = " + str2 + ", subjectClaim = " + str3);
        }
        TenantMetadata build = new TenantMetadata.Builder(str, str3 == null ? userResourceId(oAuthBearerJwsToken) : str3).serviceAccount(str3 != null || isServiceAccount(oAuthBearerJwsToken)).apiKeyAuthenticated(false).build();
        IdentityMetadata identityMetadata = new IdentityMetadata(str4);
        String principalName = str3 == null ? oAuthBearerJwsToken.principalName() : str3;
        updateTenantMetadata(str, build, principalName);
        return new MultiTenantPrincipal(principalName, str2 == null ? oAuthBearerJwsToken.principalName() : str2, build, identityMetadata);
    }

    /* JADX WARN: Type inference failed for: r0v5, types: [io.confluent.kafka.multitenant.LogicalClusterMetadata] */
    private void updateTenantMetadata(String str, TenantMetadata tenantMetadata, String str2) {
        boolean z = false;
        if (this.physicalClusterMetadata == null) {
            tenantMetadata.isHealthcheckTenant = false;
        } else {
            ?? metadata = this.physicalClusterMetadata.metadata(str);
            z = metadata != 0;
            tenantMetadata.isHealthcheckTenant = z && metadata.isHealthcheckLogicalCluster();
            if (z && metadata.organizationId() != null && metadata.environmentId() != null) {
                tenantMetadata.updateOrgProperties(metadata.organizationId(), metadata.environmentId());
            } else if (z) {
                ORG_PROPS_MISSING_METER.mark();
                log.warn("Org Properties is missing for user {}, userResourceId {} and clusterId {}", str2, tenantMetadata.userResourceId, str);
            }
        }
        if (z) {
            return;
        }
        log.warn("LKC Metadata is unavailable due to " + (this.physicalClusterMetadata == null ? "physicalClusterMetadata=null" : "no metadata for cluster " + str));
    }

    private boolean isServiceAccount(OAuthBearerJwsToken oAuthBearerJwsToken) {
        String userResourceId = userResourceId(oAuthBearerJwsToken);
        return userResourceId != null && userResourceId.startsWith(RESOURCE_ID_SERVICE_ACCOUNT_PREFIX);
    }

    public String userResourceId(OAuthBearerJwsToken oAuthBearerJwsToken) {
        Object obj = oAuthBearerJwsToken.jwtClaims().get("userResourceId");
        if (obj != null) {
            return obj.toString();
        }
        return null;
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalSerde
    public byte[] serialize(KafkaPrincipal kafkaPrincipal) throws SerializationException {
        if (!(kafkaPrincipal instanceof MultiTenantPrincipal)) {
            return this.defaultKafkaPrincipalBuilder.serialize(kafkaPrincipal);
        }
        DefaultPrincipalData defaultPrincipalData = new DefaultPrincipalData();
        MultiTenantPrincipal multiTenantPrincipal = (MultiTenantPrincipal) kafkaPrincipal;
        TenantMetadata tenantMetadata = multiTenantPrincipal.tenantMetadata();
        defaultPrincipalData.setType(multiTenantPrincipal.getPrincipalType()).setName(multiTenantPrincipal.getName().substring(tenantMetadata.tenantName.length() + "_".length())).setSaslAuthenticationId(multiTenantPrincipal.authenticationId()).setTenantName(tenantMetadata.tenantName).setClusterId(tenantMetadata.clusterId).setOrganizationId(tenantMetadata.organizationId).setEnvironmentId(tenantMetadata.environmentId).setServiceAccount(tenantMetadata.isServiceAccount).setApiKeyAuthenticated(tenantMetadata.isApiKeyAuthenticated).setHealthcheckTenant(tenantMetadata.isHealthcheckTenant).setUserResourceId(tenantMetadata.userResourceId).setPoolId((String) multiTenantPrincipal.maybeGetIdentityMetadata().map((v0) -> {
            return v0.poolId();
        }).orElse(null));
        return MessageUtil.toVersionPrefixedBytes((short) 0, defaultPrincipalData);
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalSerde
    public KafkaPrincipal deserialize(byte[] bArr) throws SerializationException {
        ByteBuffer wrap = ByteBuffer.wrap(bArr);
        short s = wrap.getShort();
        if (s < 0 || s > 0) {
            throw new SerializationException("Invalid principal data version " + ((int) s));
        }
        try {
            DefaultPrincipalData defaultPrincipalData = new DefaultPrincipalData(new ByteBufferAccessor(wrap), s);
            if (wrap.hasRemaining()) {
                throw new SerializationException("Failed to deserialize principal: " + wrap.remaining() + " bytes remaining after parsing");
            }
            String type = defaultPrincipalData.type();
            if (type.equals(KafkaPrincipal.USER_TYPE)) {
                return this.defaultKafkaPrincipalBuilder.deserialize(bArr);
            }
            if (type.equals(MultiTenantPrincipal.TENANT_USER_TYPE)) {
                return new MultiTenantPrincipal(defaultPrincipalData.name(), defaultPrincipalData.saslAuthenticationId(), new TenantMetadata(defaultPrincipalData.tenantName(), defaultPrincipalData.clusterId(), defaultPrincipalData.organizationId(), defaultPrincipalData.environmentId(), defaultPrincipalData.userResourceId(), defaultPrincipalData.serviceAccount(), defaultPrincipalData.apiKeyAuthenticated(), defaultPrincipalData.healthcheckTenant()), new IdentityMetadata(defaultPrincipalData.poolId()));
            }
            throw new SerializationException(String.format("Invalid principal type '%s', expected '%s' or '%s'", type, KafkaPrincipal.USER_TYPE, MultiTenantPrincipal.TENANT_USER_TYPE));
        } catch (Throwable th) {
            throw new SerializationException("Failed to deserialize principal", th);
        }
    }
}
