package io.confluent.kafka.server.plugins.auth;

import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.shaded.org.slf4j.Logger;
import io.confluent.shaded.org.slf4j.LoggerFactory;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.security.authenticator.PathAwareSniHostName;
import org.apache.kafka.server.audit.AuditEventStatus;
import org.apache.kafka.server.audit.AuthenticationErrorInfo;
import org.mindrot.jbcrypt.BCrypt;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/PlainSaslAuthenticator.class */
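/**
 * Base class for SASL/PLAIN authenticators backed by a {@link MultiTenantSaslSecrets} store.
 *
 * <p>{@link #authenticate} resolves the user name to a {@link MultiTenantSaslConfigEntry},
 * checks that the entry is a PLAIN credential, verifies the presented secret (plain
 * comparison or bcrypt, per {@code hashFunction}), validates the SNI host name against the
 * entry's logical cluster, runs the subclass hook {@link #pluginAuthenticate} and finally
 * builds the {@link MultiTenantPrincipal}.
 *
 * <p>Every client-visible failure carries the constant {@link #AUTHENTICATION_FAILED_MSG};
 * the detailed reason is only attached as {@link AuthenticationErrorInfo} for auditing.
 *
 * <p>Subclasses must supply {@link #loadSecrets()} and are expected to set {@link #mode}
 * before {@link #authenticate} is called (this class never assigns it; a null mode fails
 * with an NPE that is reported as an unexpected exception).
 */
public abstract class PlainSaslAuthenticator implements SaslAuthenticator {
    protected final Logger log = LoggerFactory.getLogger(getClass());
    /** Message returned to the client for every authentication failure. */
    protected static final String AUTHENTICATION_FAILED_MSG = "Authentication failed";
    /** Placeholder used in audit text when the client supplied no cluster id. */
    protected static final String NOT_PROVIDED_MSG = "<not-provided>";
    private static final String SASL_MECHANISM_PLAIN = "PLAIN";
    /** Key under which the user's resource id is attached to {@link AuthenticationErrorInfo}. */
    public static final String USER_RESOURCE_ID = "USER_RESOURCE_ID";
    // SNI validation policy; assigned by subclasses, never by this class.
    protected SniValidationMode mode;
    // Shared default caches; not used by this class directly (presumably passed by subclasses
    // to the constructor).
    protected static final AuthAttemptCache SUCCESSFUL_AUTH_CACHE = new AuthAttemptCache();
    protected static final AuthAttemptCache FAILED_AUTH_CACHE = new AuthAttemptCache();
    // Memoize bcrypt outcomes: bcrypt is deliberately slow, so repeated attempts with the same
    // (user, secret) pair are answered from these caches while the stored hash is unchanged.
    private final AuthAttemptCache successfulAuthCache;
    private final AuthAttemptCache failedAuthCache;

    /**
     * Loads the credential store.
     *
     * @return the secrets, or {@code null} when none are available (treated as a failure)
     */
    protected abstract MultiTenantSaslSecrets loadSecrets();

    /**
     * @param successfulAuthCache cache of bcrypt verifications that succeeded
     * @param failedAuthCache cache of bcrypt verifications that failed
     */
    public PlainSaslAuthenticator(AuthAttemptCache successfulAuthCache, AuthAttemptCache failedAuthCache) {
        this.successfulAuthCache = successfulAuthCache;
        this.failedAuthCache = failedAuthCache;
    }

    /**
     * Builds the principal for an authenticated user.
     *
     * @param username the SASL user name as presented by the client
     * @param entry the matching credential entry
     * @return a principal marked as API-key authenticated and not a health-check tenant
     */
    public static MultiTenantPrincipal multiTenantPrincipal(String username, MultiTenantSaslConfigEntry entry) {
        TenantMetadata metadata = new TenantMetadata.Builder(entry.logicalClusterId, entry.userResourceId)
                .serviceAccount(entry.serviceAccount())
                .apiKeyAuthenticated(true)
                .healthcheckTenant(false)
                .build();
        return new MultiTenantPrincipal(entry.userId, username, metadata);
    }

    /**
     * Authenticates a SASL/PLAIN client.
     *
     * @param username user name from the PLAIN message
     * @param password secret from the PLAIN message
     * @param sniHostName SNI host name of the connection, if any
     * @param clusterId cluster id supplied by the client, if any
     * @param authorizationId SASL authorization id, if any (passed to {@link #pluginAuthenticate})
     * @return the authenticated principal
     * @throws SaslAuthenticationException on any expected failure (unknown user, bad secret,
     *     mechanism or cluster mismatch); the audit detail is carried in its error info
     * @throws SaslException on any other exception, wrapped with a generic message
     */
    @Override // io.confluent.kafka.server.plugins.auth.SaslAuthenticator
    public MultiTenantPrincipal authenticate(String username, String password, Optional<PathAwareSniHostName> sniHostName, Optional<String> clusterId, Optional<String> authorizationId) throws SaslException, SaslAuthenticationException {
        try {
            MultiTenantSaslConfigEntry entry = getUserInfoIfExists(loadSecretsIfExists(clusterId).entries(), username, clusterId);
            verifySaslMechanismMatch(entry, username);
            verifyPassword(entry, username, password);
            verifyBrokerHostName(entry, username, sniHostName, clusterId, this.mode);
            pluginAuthenticate(entry, username, authorizationId);
            return multiTenantPrincipal(username, entry);
        } catch (SaslAuthenticationException e) {
            // Already carries the audit information; pass it through untouched.
            throw e;
        } catch (Exception e) {
            // Anything else (e.g. NPE from a missing mode or secret) must not leak detail to the client.
            this.log.error("Unexpected exception during authentication for user {}", username, e);
            throw new SaslException("Authentication failed: Unexpected exception", e);
        }
    }

    /**
     * Extension hook invoked after the secret and SNI checks passed; no-op by default.
     * Implementations reject by throwing {@link SaslAuthenticationException}.
     */
    protected void pluginAuthenticate(MultiTenantSaslConfigEntry entry, String username, Optional<String> authorizationId) {
    }

    /** Loads the secrets, converting a missing store into an UNAUTHENTICATED failure. */
    private MultiTenantSaslSecrets loadSecretsIfExists(Optional<String> clusterId) {
        MultiTenantSaslSecrets secrets = loadSecrets();
        if (secrets == null) {
            throw new SaslAuthenticationException(AUTHENTICATION_FAILED_MSG,
                    errorInfo(AuditEventStatus.UNAUTHENTICATED, "", clusterId.orElse(""), null, "Unable to find api key", null));
        }
        return secrets;
    }

    /** Looks up the user's entry, failing with UNKNOWN_USER_DENIED when absent. */
    private MultiTenantSaslConfigEntry getUserInfoIfExists(Map<String, MultiTenantSaslConfigEntry> entries, String username, Optional<String> clusterId) {
        MultiTenantSaslConfigEntry entry = entries.get(username);
        if (entry == null) {
            throw new SaslAuthenticationException(AUTHENTICATION_FAILED_MSG,
                    errorInfo(AuditEventStatus.UNKNOWN_USER_DENIED, username, clusterId.orElse(""), null, "Unknown user " + username, null));
        }
        return entry;
    }

    /** Rejects entries provisioned for a mechanism other than PLAIN. */
    private void verifySaslMechanismMatch(MultiTenantSaslConfigEntry entry, String username) {
        if (!SASL_MECHANISM_PLAIN.equals(entry.saslMechanism)) {
            throwAuthException(entry, username, "Wrong SASL mechanism " + entry.saslMechanism + " for user " + username);
        }
    }

    /**
     * Verifies the presented secret according to the entry's {@code hashFunction}:
     * {@code "none"} compares the stored secret with the presented one in constant time,
     * {@code "bcrypt"} delegates to {@link #authenticateBcrypt}; any other value is rejected.
     * A null {@code hashFunction} or stored secret surfaces as an NPE (reported by
     * {@link #authenticate} as an unexpected exception).
     */
    private void verifyPassword(MultiTenantSaslConfigEntry entry, String username, String password) {
        switch (entry.hashFunction) {
            case "none":
                if (!constantTimeEquals(entry.hashedSecret, password)) {
                    throwAuthException(entry, username, "Bad password for user " + username);
                }
                return;
            case "bcrypt":
                authenticateBcrypt(entry, username, password);
                return;
            default:
                throwAuthException(entry, username, "Unknown hash function: " + entry.hashFunction + " for user " + entry.userId);
        }
    }

    /**
     * Length-independent-in-content comparison of two secrets. {@link MessageDigest#isEqual}
     * examines every byte once the lengths match, so the position of the first differing
     * character is not observable through timing (only a length mismatch is).
     *
     * @param expected stored secret; must not be null
     * @param provided presented secret; null never matches
     */
    private static boolean constantTimeEquals(String expected, String provided) {
        if (provided == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                provided.getBytes(StandardCharsets.UTF_8));
    }

    /** Checks the connection's SNI host name against the entry's logical cluster using {@code sniValidationMode}. */
    private void verifyBrokerHostName(MultiTenantSaslConfigEntry entry, String username, Optional<PathAwareSniHostName> sniHostName, Optional<String> clusterId, SniValidationMode sniValidationMode) {
        if (sniValidationMode.sniHostNameMatches(entry.logicalClusterId, clusterId, sniHostName)) {
            return;
        }
        String presentedClusterId = clusterId.orElse(NOT_PROVIDED_MSG);
        throwAuthException(entry, username,
                String.format("Cluster ID: %s does not match API key cluster ID %s for user name: %s", presentedClusterId, entry.logicalClusterId, username),
                presentedClusterId);
    }

    /**
     * Bcrypt verification with success/failure memoization. A cached success short-circuits;
     * a cached failure is rejected without re-hashing; otherwise the outcome of
     * {@link BCrypt#checkpw} is recorded in the corresponding cache together with the stored
     * hash, so that a later credential rotation invalidates it (see {@link #isCached}).
     * NOTE(review): the cache is addressed by the presented secret itself; its bounds and
     * retention are defined in AuthAttemptCache and should be confirmed there.
     */
    private void authenticateBcrypt(MultiTenantSaslConfigEntry entry, String username, String password) {
        if (isCached(entry, username, password, this.successfulAuthCache)) {
            return;
        }
        if (isCached(entry, username, password, this.failedAuthCache)) {
            throwAuthException(entry, username, "Bad password for user " + username);
        }
        // throwAuthException always throws as implemented here, so a cached failure never reaches the hash check.
        if (BCrypt.checkpw(password, entry.hashedSecret)) {
            this.successfulAuthCache.put(username, password, entry.hashedSecret);
        } else {
            this.failedAuthCache.put(username, password, entry.hashedSecret);
            throwAuthException(entry, username, "Bad password for user " + username);
        }
    }

    /**
     * Returns whether {@code cache} holds an entry for this (user, secret) pair recorded
     * against the entry's current hash. An entry recorded against a different hash is stale
     * (the credential changed): it is dropped from both caches and {@code false} is returned.
     */
    private boolean isCached(MultiTenantSaslConfigEntry entry, String username, String password, AuthAttemptCache cache) {
        String cachedHash = cache.get(username, password);
        if (cachedHash == null) {
            return false;
        }
        if (cachedHash.equals(entry.hashedSecret)) {
            return true;
        }
        this.successfulAuthCache.invalidate(username, password);
        this.failedAuthCache.invalidate(username, password);
        return false;
    }

    /**
     * Throws an UNAUTHENTICATED failure whose audit info names the user, the entry's cluster
     * and resource id, the detail message and, optionally, the client-presented cluster id.
     */
    private void throwAuthException(MultiTenantSaslConfigEntry entry, String username, String detail, String presentedClusterId) {
        throw new SaslAuthenticationException(AUTHENTICATION_FAILED_MSG,
                errorInfo(AuditEventStatus.UNAUTHENTICATED, username, entry.logicalClusterId, entry.userResourceId(), detail, presentedClusterId));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Convenience overload of {@link #throwAuthException(MultiTenantSaslConfigEntry, String, String, String)} without a presented cluster id. */
    public void throwAuthException(MultiTenantSaslConfigEntry entry, String username, String detail) {
        throwAuthException(entry, username, detail, null);
    }

    /**
     * Builds the audit error info and attaches the user resource id under {@link #USER_RESOURCE_ID}.
     * The positional arguments are passed to the {@link AuthenticationErrorInfo} constructor in
     * the order (status, detail, user name, cluster id, presented cluster id) as found in the
     * decompiled source — confirm against the constructor's declared parameter order.
     */
    private AuthenticationErrorInfo errorInfo(AuditEventStatus status, String username, String clusterId, String userResourceId, String detail, String presentedClusterId) {
        AuthenticationErrorInfo info = new AuthenticationErrorInfo(status, detail, username, clusterId, presentedClusterId);
        info.data(USER_RESOURCE_ID, userResourceId);
        return info;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the first non-null value of option {@code optionName} among the JAAS entries,
     * restricted to entries whose login module is {@code loginModuleName} when that is non-null.
     *
     * @return the option value, or {@code null} when no entry defines it
     * @throws ClassCastException if the option value is not a String
     */
    public static String configEntryOption(List<AppConfigurationEntry> entries, String optionName, String loginModuleName) {
        for (AppConfigurationEntry entry : entries) {
            boolean moduleMatches = loginModuleName == null || loginModuleName.equals(entry.getLoginModuleName());
            if (!moduleMatches) {
                continue;
            }
            Object value = entry.getOptions().get(optionName);
            if (value != null) {
                return (String) value;
            }
        }
        return null;
    }

    /**
     * Looks up the logical cluster id for a user name without authenticating.
     *
     * @return the entry's logical cluster id, or empty when the user is unknown
     * @throws SaslException when the lookup fails unexpectedly (a null secrets store ends here too)
     */
    @Override // io.confluent.kafka.server.plugins.auth.SaslAuthenticator
    public Optional<String> clusterId(String username) throws SaslException {
        try {
            return Optional.ofNullable(loadSecrets().entries().get(username))
                    .map(MultiTenantSaslConfigEntry::logicalClusterId);
        } catch (Exception e) {
            this.log.error("Unexpected exception during authentication for user {}", username, e);
            throw new SaslException("Authentication failed: Unexpected exception", e);
        }
    }
}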
