package io.confluent.security.authentication;

import io.confluent.security.authentication.credential.BearerCredential;
import io.confluent.security.authentication.oauthbearer.Claims;
import io.confluent.security.authentication.oauthbearer.JwtAuthenticator;
import io.confluent.security.policyapi.engine.PolicyEngine;
import io.confluent.security.trustservice.store.TrustCache;
import io.confluent.security.trustservice.store.data.IdentityPool;
import java.util.Map;
import java.util.function.Supplier;

/* loaded from: input_file:io/confluent/security/authentication/AdmissionController.class */
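/**
 * Front door for bearer-token admission: authenticates a credential into JWT claims and then
 * re-binds those claims to a service account through an identity pool's trust policy.
 *
 * <p>Both steps fail closed: an unsupported authenticator, an unknown pool, an issuer mismatch
 * or a policy rejection surfaces as an {@link AuthenticationException} rather than a partially
 * admitted principal.
 */
public class AdmissionController {
    /** Claim name carrying the authorized party (OAuth 2.0 / OIDC {@code azp}). */
    public static final String OAUTH_AUTHORIZED_PARTY = "azp";
    /** Claim name carrying the subject ({@code sub}); rewritten to the pool's service account. */
    private static final String SUBJECT_CLAIM = "sub";
    /** Claim name carrying the token issuer ({@code iss}); compared against the pool's issuer. */
    private static final String ISSUER_CLAIM = "iss";

    private final Authenticator<?, ?> authenticator;
    private final Supplier<TrustCache> trustCacheSupplier;
    private final PolicyEngine<String> policyEngine;

    /**
     * @param authenticator credential authenticator; only a {@link JwtAuthenticator} is accepted
     *     by {@link #authenticate(BearerCredential)}
     * @param supplier supplies the trust cache consulted on every {@link #assumePrincipal} call
     * @param policyEngine evaluates an identity pool's trust policy against the presented claims
     */
    public AdmissionController(Authenticator<?, ?> authenticator, Supplier<TrustCache> supplier, PolicyEngine<String> policyEngine) {
        this.authenticator = authenticator;
        this.trustCacheSupplier = supplier;
        this.policyEngine = policyEngine;
    }

    /**
     * Verifies a bearer credential with the configured JWT authenticator.
     *
     * @param bearerCredential the presented bearer token
     * @return the validated claims
     * @throws AuthenticationException if the token is rejected, or if the configured
     *     authenticator is not a {@link JwtAuthenticator} (no other credential type is handled)
     */
    public Claims authenticate(BearerCredential bearerCredential) throws AuthenticationException {
        if (this.authenticator instanceof JwtAuthenticator) {
            return ((JwtAuthenticator) this.authenticator).authenticate(bearerCredential);
        }
        throw new AuthenticationException("Unable to process credential");
    }

    /**
     * Re-binds authenticated claims to the service account of an identity pool.
     *
     * <p>Checks run in order: the pool must exist, the {@code iss} claim must equal the pool's
     * issuer exactly, and the pool's trust policy must accept the claims. Only then are the
     * {@code azp} and {@code sub} claims overwritten with the pool's subject claim and service
     * account. The map is mutated in place and returned; callers that still need the original
     * claims afterwards must pass a copy.
     *
     * @param map mutable claim map, keyed by claim name
     * @param str identity pool id to assume
     * @return {@code map}, with {@code azp} and {@code sub} rewritten
     * @throws AuthenticationException if the pool is unknown, the issuer does not match, or the
     *     trust policy rejects the claims
     * @throws IllegalArgumentException if the {@code iss} claim cannot be read as a string
     */
    public Map<String, Object> assumePrincipal(Map<String, Object> map, String str) throws AuthenticationException, IllegalArgumentException {
        IdentityPool identityPool = this.trustCacheSupplier.get().identityPool(str);
        if (identityPool == null) {
            throw new AuthenticationException(String.format("Unknown Identity Pool %s.", str));
        }
        if (!validateIssuer(map, identityPool.issuer())) {
            throw new AuthenticationException(String.format("Provided claim issuer %s do not match Identity Pool %s Trust Policy issuer %s.", claimValue(map, ISSUER_CLAIM, String.class), str, identityPool.issuer()));
        }
        if (!this.policyEngine.evaluatePolicy(identityPool.policy(), map)) {
            throw new AuthenticationException(String.format("Provided claims do not match Identity Pool %s Trust Policy.", str));
        }
        // Rewrite only after every check passed, so a rejected request never leaves partially
        // rebound claims behind. The caller-supplied azp/sub values are discarded here.
        map.put(OAUTH_AUTHORIZED_PARTY, identityPool.subjectClaim());
        map.put(SUBJECT_CLAIM, identityPool.serviceAccount());
        return map;
    }

    /**
     * Exact, case-sensitive comparison of the {@code iss} claim with the pool's expected issuer.
     * A pool without a configured issuer ({@code null}) matches nothing, so the check fails
     * closed instead of throwing a {@link NullPointerException}.
     */
    private static boolean validateIssuer(Map<String, Object> map, String str) {
        return str != null && str.equals(claimValue(map, ISSUER_CLAIM, String.class));
    }

    /**
     * Reads one claim and casts it to the requested type.
     *
     * @return the claim value, or {@code null} if the claim is absent
     * @throws IllegalArgumentException if the claim is present but not of type {@code cls}, or
     *     the map cannot be read
     */
    private static <T> T claimValue(Map<String, Object> map, String str, Class<T> cls) {
        try {
            return cls.cast(map.get(str));
        } catch (RuntimeException e) {
            // Narrowed from Throwable: a type mismatch or unreadable map is a malformed claim,
            // but JVM Errors (OutOfMemoryError, StackOverflowError, ...) must propagate untouched.
            throw new IllegalArgumentException("Failed to read claim", e);
        }
    }
}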
