package io.confluent.kafka.security.authenticator;

import io.confluent.security.authorizer.ConfluentAuthorizerConfig;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.errors.SerializationException;
import org.apache.kafka.common.message.DefaultPrincipalData;
import org.apache.kafka.common.network.SaslChannelBuilder;
import org.apache.kafka.common.network.SslChannelBuilder;
import org.apache.kafka.common.protocol.ByteBufferAccessor;
import org.apache.kafka.common.protocol.MessageUtil;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.ConfluentPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.KafkaPrincipalSerde;
import org.apache.kafka.common.security.auth.SaslAuthenticationContext;
import org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

/* loaded from: input_file:io/confluent/kafka/security/authenticator/OAuthKafkaPrincipalBuilder.class */
public class OAuthKafkaPrincipalBuilder implements KafkaPrincipalBuilder, KafkaPrincipalSerde, Configurable {
    private static final String CONFLUENT_ISSUER = "Confluent";
    private static final String CONFLUENT_GROUPS_CLAIM_NAME = "groups";
    private static final String OAUTH_NEGOTIATED_TOKEN_PROPERTY_KEY = "OAUTHBEARER.token";
    private DefaultKafkaPrincipalBuilder defaultKafkaPrincipalBuilder;
    private String oauthGroupsClaimName = "";
    private final JwtConsumer jwtConsumer = new JwtConsumerBuilder().setSkipSignatureVerification().setDisableRequireSignature().setSkipAllValidators().build();

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.defaultKafkaPrincipalBuilder = new DefaultKafkaPrincipalBuilder(SaslChannelBuilder.createKerberosShortNamerFromConfigs(map), SslChannelBuilder.createSslPrincipalMapperFromConfigs(map));
        this.oauthGroupsClaimName = getConfiguredOauthGroupsClaimName(map);
    }

    private String getConfiguredOauthGroupsClaimName(Map<String, ?> map) {
        String str = (String) map.get(ConfluentAuthorizerConfig.OAUTH_GROUPS_CLAIM_NAME);
        return str == null ? "" : str.trim();
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalBuilder
    public KafkaPrincipal build(AuthenticationContext authenticationContext) {
        if (authenticationContext instanceof SaslAuthenticationContext) {
            SaslServer server = ((SaslAuthenticationContext) authenticationContext).server();
            if (OAuthBearerLoginModule.OAUTHBEARER_MECHANISM.equals(server.getMechanismName())) {
                return applyOAuthBearerPrincipalMapper((OAuthBearerToken) server.getNegotiatedProperty(OAUTH_NEGOTIATED_TOKEN_PROPERTY_KEY));
            }
        }
        return ((DefaultKafkaPrincipalBuilder) Objects.requireNonNull(this.defaultKafkaPrincipalBuilder, "Principal builder instance has not yet been configured")).build(authenticationContext);
    }

    private KafkaPrincipal applyOAuthBearerPrincipalMapper(OAuthBearerToken oAuthBearerToken) {
        try {
            JwtClaims processToClaims = this.jwtConsumer.processToClaims(oAuthBearerToken.value());
            String str = getJwtIssuerOrEmpty(processToClaims).equals("Confluent") ? CONFLUENT_GROUPS_CLAIM_NAME : this.oauthGroupsClaimName;
            return processToClaims.hasClaim(str) ? new ConfluentPrincipal(KafkaPrincipal.USER_TYPE, oAuthBearerToken.principalName(), oAuthBearerToken.principalName(), Optional.empty(), false, new HashSet(processToClaims.getStringListClaimValue(str))) : new KafkaPrincipal(KafkaPrincipal.USER_TYPE, oAuthBearerToken.principalName());
        } catch (Exception e) {
            throw new KafkaException("Failed to map OAuthBearer token to ConfluentPrincipal for '" + oAuthBearerToken.principalName() + "'", e);
        }
    }

    private String getJwtIssuerOrEmpty(JwtClaims jwtClaims) {
        try {
            return jwtClaims.getIssuer();
        } catch (MalformedClaimException e) {
            return "";
        }
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalSerde
    public byte[] serialize(KafkaPrincipal kafkaPrincipal) throws SerializationException {
        if (!(kafkaPrincipal instanceof ConfluentPrincipal)) {
            return this.defaultKafkaPrincipalBuilder.serialize(kafkaPrincipal);
        }
        ConfluentPrincipal confluentPrincipal = (ConfluentPrincipal) kafkaPrincipal;
        DefaultPrincipalData tokenAuthenticated = new DefaultPrincipalData().setType(kafkaPrincipal.getPrincipalType()).setName(kafkaPrincipal.getName()).setTokenAuthenticated(kafkaPrincipal.tokenAuthenticated());
        if (confluentPrincipal.getGroups() != null && !confluentPrincipal.getGroups().isEmpty()) {
            tokenAuthenticated.setGroups(new ArrayList(confluentPrincipal.getGroups()));
        }
        return MessageUtil.toVersionPrefixedBytes((short) 0, tokenAuthenticated);
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalSerde
    public KafkaPrincipal deserialize(byte[] bArr) throws SerializationException {
        ByteBuffer wrap = ByteBuffer.wrap(bArr);
        short s = wrap.getShort();
        if (s < 0 || s > 0) {
            throw new SerializationException("Invalid principal data version " + ((int) s));
        }
        try {
            DefaultPrincipalData defaultPrincipalData = new DefaultPrincipalData(new ByteBufferAccessor(wrap), s);
            if (wrap.hasRemaining()) {
                throw new SerializationException("Failed to deserialize principal: " + wrap.remaining() + " bytes remaining after parsing");
            }
            return (defaultPrincipalData.groups() == null || defaultPrincipalData.groups().isEmpty()) ? this.defaultKafkaPrincipalBuilder.deserialize(bArr) : new ConfluentPrincipal(defaultPrincipalData.type(), defaultPrincipalData.name(), defaultPrincipalData.name(), Optional.empty(), defaultPrincipalData.tokenAuthenticated(), new HashSet(defaultPrincipalData.groups()));
        } catch (Throwable th) {
            throw new SerializationException("Failed to deserialize principal", th);
        }
    }
}
