package io.confluent.common.security.auth;

import java.security.Principal;
import java.util.Optional;
import javax.annotation.Priority;
import javax.security.auth.login.LoginException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;
import org.apache.log4j.spi.Configurator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

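/* loaded from: input_file:io/confluent/common/security/auth/AuthenticationFilter.class */
/**
 * JAX-RS request filter that establishes the caller's identity for a REST request.
 *
 * <p>The filter resolves a {@link Principal} in one of two ways and then installs a
 * {@link RestSecurityContext} carrying that principal and the authentication scheme:
 * <ol>
 *   <li>If the incoming security context already holds a {@link JwtPrincipal}, it is kept
 *       as-is and the scheme is {@code RestAuthType.JETTY_AUTH}.</li>
 *   <li>Otherwise, if an {@link AuthenticationModule} is configured, the module
 *       authenticates the request and supplies the scheme.</li>
 * </ol>
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>With {@code anonymousPrincipalEnabled} set, a {@link LoginException} from the module
 *       does <em>not</em> reject the request; the caller is downgraded to
 *       {@link KafkaPrincipal#ANONYMOUS}. Requests whose authentication failed are therefore
 *       indistinguishable from requests that supplied no usable identity, so whatever the
 *       anonymous principal is authorized to do is reachable without valid credentials.</li>
 *   <li>If no module is configured and no {@code JwtPrincipal} is present, the filter leaves
 *       the security context untouched and the request continues. NOTE(review): confirm that
 *       downstream authorization treats such a request as unauthenticated.</li>
 * </ul>
 *
 * <p>The priority value 1000 equals {@code javax.ws.rs.Priorities.AUTHENTICATION}.
 */
@Priority(1000)
public final class AuthenticationFilter implements ContainerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(AuthenticationFilter.class);

    /** Module used when the container has not already supplied a {@link JwtPrincipal}; may be null. */
    private final AuthenticationModule authenticationModule;

    /** When true, failed or empty authentication results fall back to the anonymous principal. */
    private final boolean anonymousPrincipalEnabled;

    /**
     * Creates a filter for the given authentication type.
     *
     * @param str name of a {@link RestAuthType} constant; {@code RestAuthType.valueOf} rejects
     *     unknown names with {@link IllegalArgumentException} and null with
     *     {@link NullPointerException}
     * @param optional optional SSL principal mapper handed to the module factory
     * @param z whether to fall back to {@link KafkaPrincipal#ANONYMOUS} instead of rejecting
     *     the request (see the class-level security notes)
     */
    public AuthenticationFilter(String str, Optional<SslPrincipalMapper> optional, boolean z) {
        this.authenticationModule = AuthenticationModuleFactory.getInstance()
                .getAuthenticationModule(RestAuthType.valueOf(str), optional);
        this.anonymousPrincipalEnabled = z;
    }

    /**
     * Creates a filter with the anonymous fallback disabled, so authentication failures are
     * answered with 401.
     *
     * @param str name of a {@link RestAuthType} constant
     * @param optional optional SSL principal mapper handed to the module factory
     */
    public AuthenticationFilter(String str, Optional<SslPrincipalMapper> optional) {
        this(str, optional, false);
    }

    /**
     * Resolves the request principal and installs a {@link RestSecurityContext} for it.
     *
     * <p>On a {@link LoginException} the request is aborted with 401 unless the anonymous
     * fallback is enabled.
     *
     * @param containerRequestContext the request being filtered
     */
    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) {
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        String authScheme = null;

        if (userPrincipal instanceof JwtPrincipal) {
            // Identity was already established upstream; the module is deliberately not consulted.
            authScheme = RestAuthType.JETTY_AUTH.name();
        } else if (this.authenticationModule != null) {
            try {
                userPrincipal = this.authenticationModule.authenticate(containerRequestContext);
                if (this.anonymousPrincipalEnabled && isAnonymous(userPrincipal)) {
                    userPrincipal = KafkaPrincipal.ANONYMOUS;
                }
            } catch (LoginException e) {
                if (!this.anonymousPrincipalEnabled) {
                    handleAuthenticationFailure(e, containerRequestContext);
                    return;
                }
                // Fail-open by configuration: a failed login is downgraded to anonymous rather
                // than rejected. This WARN line is the only trace of the failed attempt, so it
                // is worth retaining for detection of credential guessing.
                log.warn("Error attempting to authenticate the user; will authenticate as anonymous user", e);
                userPrincipal = KafkaPrincipal.ANONYMOUS;
            }
            authScheme = this.authenticationModule.getAuthScheme();
        }

        if (authScheme == null) {
            // Neither a JwtPrincipal nor a module: the existing security context is left as-is.
            return;
        }

        try {
            containerRequestContext.setSecurityContext(new RestSecurityContext(userPrincipal, authScheme));
            // Parameterized form avoids building the message when DEBUG is off. The literal
            // "null" replaces a reference to log4j's Configurator.NULL, which holds the same text.
            // NOTE(review): the principal name presumably originates from request credentials;
            // confirm the log layout neutralizes line breaks in logged values.
            log.debug(
                    "The principal is {} for {}",
                    userPrincipal == null ? "null" : userPrincipal.getName(),
                    Thread.currentThread().getName());
        } catch (LoginException e) {
            handleAuthenticationFailure(e, containerRequestContext);
        }
    }

    /**
     * Reports whether a principal carries no usable identity.
     *
     * @param principal the principal to inspect; may be null
     * @return true if {@code principal} is null or its name is null
     */
    protected static boolean isAnonymous(Principal principal) {
        return principal == null || principal.getName() == null;
    }

    /**
     * Logs an authentication failure and aborts the request with HTTP 401.
     *
     * <p>The logged name is taken from the security context that was on the request before this
     * filter ran, not from the credentials that were rejected. The response body is a fixed
     * string, so the failure reason is not disclosed to the client. No
     * {@code WWW-Authenticate} header is added here.
     *
     * @param loginException the failure to log
     * @param containerRequestContext the request to abort
     */
    protected static void handleAuthenticationFailure(LoginException loginException, ContainerRequestContext containerRequestContext) {
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        log.error("Error attempting to authenticate the user: {} ", userPrincipal != null ? userPrincipal.getName() : "N/A", loginException);
        containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity("User cannot access the resource").build());
    }
}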
