package io.confluent.security.authentication;

import io.confluent.security.authentication.AuthenticationErrorInfo;
import io.confluent.security.authentication.credential.BearerCredential;
import io.confluent.security.authentication.oauthbearer.Claims;
import io.confluent.security.authentication.oauthbearer.JwtAuthenticator;
import io.confluent.security.policyapi.engine.PolicyEngine;
import io.confluent.security.trustservice.store.TrustCache;
import io.confluent.security.trustservice.store.data.IdentityPool;
import io.confluent.security.util.SecurityContext;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;
import org.jose4j.jwt.ReservedClaimNames;

/* loaded from: input_file:io/confluent/security/authentication/AdmissionController.class */
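public class AdmissionController {
    /** Claim that receives the token's pool-subject value once a principal has been assumed. */
    public static final String OAUTH_AUTHORIZED_PARTY = "azp";
    /** Claim that is overwritten with the identity pool's service account on assumption. */
    private static final String SUBJECT_CLAIM = "sub";

    private final Authenticator<?, ?> authenticator;
    private final Supplier<TrustCache> trustCacheSupplier;
    private final PolicyEngine<String> policyEngine;

    /**
     * Creates a controller that authenticates bearer credentials and maps claim sets onto identity pools.
     *
     * @param authenticator credential authenticator; {@link #authenticate} only accepts a {@link JwtAuthenticator}
     * @param supplier supplies the {@link TrustCache} used to look up identity pools by id
     * @param policyEngine evaluates an identity pool's policy against a claim map
     */
    public AdmissionController(Authenticator<?, ?> authenticator, Supplier<TrustCache> supplier, PolicyEngine<String> policyEngine) {
        this.authenticator = authenticator;
        this.trustCacheSupplier = supplier;
        this.policyEngine = policyEngine;
    }

    /**
     * Authenticates a bearer credential within the given security context.
     *
     * @param bearerCredential the presented bearer token
     * @param securityContext context handed through to the JWT authenticator
     * @return the claims the authenticator extracted from the token
     * @throws AuthenticationException with {@code INCORRECT_AUTHENTICATOR_TYPE} when the configured
     *     authenticator is not a {@link JwtAuthenticator}, or whatever the authenticator itself raises
     */
    public Claims authenticate(BearerCredential bearerCredential, SecurityContext securityContext) throws AuthenticationException {
        return jwtAuthenticator().authenticate(bearerCredential, securityContext);
    }

    /**
     * Authenticates a bearer credential without a security context.
     *
     * @param bearerCredential the presented bearer token
     * @return the claims the authenticator extracted from the token
     * @throws AuthenticationException with {@code INCORRECT_AUTHENTICATOR_TYPE} when the configured
     *     authenticator is not a {@link JwtAuthenticator}, or whatever the authenticator itself raises
     */
    public Claims authenticate(BearerCredential bearerCredential) throws AuthenticationException {
        return jwtAuthenticator().authenticate(bearerCredential);
    }

    /**
     * Returns the configured authenticator as a {@link JwtAuthenticator}, failing closed for any other type
     * (including a {@code null} authenticator, which does not satisfy {@code instanceof}).
     *
     * @throws AuthenticationException with {@code INCORRECT_AUTHENTICATOR_TYPE} for any non-JWT authenticator
     */
    private JwtAuthenticator jwtAuthenticator() throws AuthenticationException {
        if (this.authenticator instanceof JwtAuthenticator) {
            return (JwtAuthenticator) this.authenticator;
        }
        throw new AuthenticationException("Unable to process credential", AuthenticationExceptionReasonCodes.INCORRECT_AUTHENTICATOR_TYPE);
    }

    /**
     * Maps an authenticated claim set onto an identity pool and rewrites it to the pool's principal.
     *
     * <p>The checks run in this order and each failure throws with its own reason code: the pool must
     * exist, the {@code iss} claim must equal the pool's issuer, the pool policy must accept the claims,
     * {@code str2} must equal the pool's org id, and the pool's configured subject claim must be present
     * with a non-null value. On success the subject-claim value is published under {@code azp} and
     * {@code sub} is replaced by the pool's service account — in the returned map and, as a side effect,
     * in the caller's {@code map}.
     *
     * @param map mutable claim map of the authenticated token; modified in place on success
     * @param str identity pool id
     * @param str2 org id the caller is acting in; compared exactly against the pool's org id
     * @return a new map containing only the {@code azp} and {@code sub} entries that were written
     * @throws AuthenticationException when any check fails; the exception's error info carries the full claim map
     * @throws IllegalArgumentException when the {@code iss} claim is present but not a string
     */
    public Map<String, Object> assumePrincipal(Map<String, Object> map, String str, String str2) throws AuthenticationException, IllegalArgumentException {
        IdentityPool identityPool = this.trustCacheSupplier.get().identityPool(str);
        if (identityPool == null) {
            throw getAuthExWithClaimsInfo(String.format("Unknown Identity Pool %s.", str), AuthenticationExceptionReasonCodes.IDENTITY_POOL_NOT_FOUND, map);
        }
        if (!validateIssuer(map, identityPool.issuer())) {
            throw getAuthExWithClaimsInfo(String.format("Provided claim issuer %s do not match Identity Pool %s Pool Filter issuer %s.", claimValue(map, ReservedClaimNames.ISSUER, String.class), str, identityPool.issuer()), AuthenticationExceptionReasonCodes.CLAIM_ISSUER_POOL_FILTER_MISMATCH, map);
        }
        // The policy sees the claims as presented by the token, before azp/sub are rewritten below.
        if (!this.policyEngine.evaluatePolicy(identityPool.policy(), map)) {
            throw getAuthExWithClaimsInfo(String.format("Provided claims do not match Identity Pool %s Pool Filter.", str), AuthenticationExceptionReasonCodes.CLAIMS_POOL_FILTER_MISMATCH, map);
        }
        if (!str2.equals(identityPool.orgId())) {
            throw getAuthExWithClaimsInfo(String.format("Provided orgId %s do not match Identity Pool orgId %s Pool Filter.", str2, identityPool.orgId()), AuthenticationExceptionReasonCodes.ORG_ID_POOL_FILTER_MISMATCH, map);
        }
        String subjectClaim = identityPool.subjectClaim();
        Object subject = map.get(subjectClaim);
        // A present-but-null subject would otherwise become a null authorized party; treat it as absent.
        if (!map.containsKey(subjectClaim) || subject == null) {
            throw getAuthExWithClaimsInfo(String.format("Provided token does not contain claim %s in Identity Pool.", subjectClaim), AuthenticationExceptionReasonCodes.IDENTITY_POOL_IDENTITY_CLAIM_ABSENT_IN_CLAIMS, map);
        }
        Map<String, Object> assumed = new HashMap<>();
        assumed.put(OAUTH_AUTHORIZED_PARTY, subject);
        assumed.put(SUBJECT_CLAIM, identityPool.serviceAccount());
        // The caller's claim map is rewritten in place too, so downstream consumers see the assumed principal.
        map.putAll(assumed);
        return assumed;
    }

    /**
     * Returns {@code true} when the token's {@code iss} claim exactly equals the pool's configured issuer.
     *
     * @param map claim map to read the issuer from
     * @param str the pool's configured issuer; must be non-null
     */
    private static boolean validateIssuer(Map<String, Object> map, String str) {
        return str.equals(claimValue(map, ReservedClaimNames.ISSUER, String.class));
    }

    /**
     * Reads a claim and casts it to the requested type.
     *
     * @param map claim map
     * @param str claim name
     * @param cls expected value type
     * @return the claim value, or {@code null} when the claim is absent
     * @throws IllegalArgumentException when the claim is present but not an instance of {@code cls}
     */
    private static <T> T claimValue(Map<String, Object> map, String str, Class<T> cls) {
        try {
            return cls.cast(map.get(str));
        } catch (ClassCastException e) {
            // Only a type mismatch is a caller-facing error; Errors and other throwables propagate unchanged.
            throw new IllegalArgumentException("Failed to read claim - " + str, e);
        }
    }

    /**
     * Builds an {@link AuthenticationException} whose error info carries the full claim map.
     *
     * <p>NOTE(review): the attached claims are the token's claims verbatim; whatever surfaces this
     * error info (logs, responses) should treat it as sensitive — confirm against the consumers.
     *
     * @param str exception message
     * @param str2 reason code
     * @param map claim map to attach
     */
    private AuthenticationException getAuthExWithClaimsInfo(String str, String str2, Map<String, Object> map) {
        AuthenticationException authenticationException = new AuthenticationException(str, str2);
        AuthenticationErrorInfo.JwtClaimsInfo jwtClaimsInfo = new AuthenticationErrorInfo.JwtClaimsInfo();
        jwtClaimsInfo.claims(map);
        authenticationException.errorInfo(jwtClaimsInfo);
        return authenticationException;
    }
}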
