package io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth;

import io.confluent.kafka.schemaregistry.client.SchemaRegistryClientConfig;
import io.confluent.kafka.schemaregistry.client.security.bearerauth.BearerAuthCredentialProvider;
import java.net.URL;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetriever;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ConfigurationUtils;
import org.apache.kafka.common.security.oauthbearer.internals.secured.HttpAccessTokenRetriever;
import org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;
import org.apache.kafka.common.security.oauthbearer.internals.secured.LoginAccessTokenValidator;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/client/security/bearerauth/oauth/SaslOauthCredentialProvider.class */
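/**
 * Bearer-auth credential provider that reuses a client's SASL/OAUTHBEARER settings
 * (the JAAS login-module options plus the {@code sasl.oauthbearer.*} configs) to
 * obtain an OAuth access token for Schema Registry requests.
 *
 * <p>Each setting is looked up first under its Schema Registry client config key and,
 * when that key is absent, under the corresponding JAAS option or SASL config.
 *
 * <p>The instance is unusable until {@link #configure(Map)} has completed successfully.
 * Its fields are plain (non-volatile) fields and the class does no synchronization of
 * its own.
 */
public class SaslOauthCredentialProvider implements BearerAuthCredentialProvider {
    public static final String SASL_IDENTITY_POOL_CONFIG = "extension_identityPoolId";

    // JAAS login-module option names used as fallbacks for the client credentials.
    private static final String JAAS_CLIENT_ID_OPTION = "clientId";
    private static final String JAAS_CLIENT_SECRET_OPTION = "clientSecret";

    // Fixed values handed to HttpAccessTokenRetriever as its two long arguments
    // (login retry back-off and maximum back-off, in milliseconds).
    private static final long LOGIN_RETRY_BACKOFF_MS = 100L;
    private static final long LOGIN_RETRY_BACKOFF_MAX_MS = 10000L;

    private CachedOauthTokenRetriever tokenRetriever;
    private String targetSchemaRegistry;
    private String targetIdentityPoolId;

    /** Returns the alias under which this provider is selected. */
    @Override
    public String alias() {
        return "SASL_OAUTHBEARER_INHERIT";
    }

    /**
     * Returns the current bearer token from the cached retriever.
     *
     * <p>The {@code url} argument is not consulted: the same token is returned whatever
     * the request target is, so restricting where the token is sent is the caller's
     * responsibility.
     *
     * @param url the request URL (unused)
     * @return the access token
     * @throws IllegalStateException if {@link #configure(Map)} has not completed successfully
     */
    @Override
    public String getBearerToken(URL url) {
        CachedOauthTokenRetriever retriever = this.tokenRetriever;
        if (retriever == null) {
            // Fail with a diagnosable error instead of a bare NullPointerException.
            throw new IllegalStateException("configure() must be called before getBearerToken()");
        }
        return retriever.getToken();
    }

    /** Returns the logical cluster value read during {@link #configure(Map)}. */
    @Override
    public String getTargetSchemaRegistry() {
        return this.targetSchemaRegistry;
    }

    /** Returns the identity pool id read during {@link #configure(Map)}. */
    @Override
    public String getTargetIdentityPoolId() {
        return this.targetIdentityPoolId;
    }

    /**
     * Reads the JAAS client context and the client configs and builds the cached token
     * retriever.
     *
     * @param map the client configuration
     * @throws ConfigException if the JAAS context does not hold exactly one non-null entry
     * @throws NullPointerException if the JAAS context yields no entry list
     */
    @Override
    public void configure(Map<String, ?> map) {
        List<AppConfigurationEntry> entries =
                JaasContext.loadClientContext(getConfigsForJaasUtil(map)).configurationEntries();
        Objects.requireNonNull(entries);
        if (entries.size() != 1 || entries.get(0) == null) {
            throw new ConfigException(String.format(
                    "Must supply exactly 1 non-null JAAS mechanism configuration (size was %d)",
                    entries.size()));
        }
        Map<String, Object> jaasOptions = Collections.unmodifiableMap(entries.get(0).getOptions());
        ConfigurationUtils configurationUtils = new ConfigurationUtils(map);
        JaasOptionsUtils jaasOptionsUtils = new JaasOptionsUtils(jaasOptions);

        this.targetSchemaRegistry =
                configurationUtils.validateString(SchemaRegistryClientConfig.BEARER_AUTH_LOGICAL_CLUSTER);
        this.targetIdentityPoolId =
                configurationUtils.get(SchemaRegistryClientConfig.BEARER_AUTH_IDENTITY_POOL_ID) != null
                        ? configurationUtils.validateString(SchemaRegistryClientConfig.BEARER_AUTH_IDENTITY_POOL_ID)
                        : jaasOptionsUtils.validateString(SASL_IDENTITY_POOL_CONFIG);

        // Publish the retriever only once it is fully configured, so a failure part-way
        // through leaves the field unset rather than pointing at a half-built object.
        CachedOauthTokenRetriever retriever = new CachedOauthTokenRetriever();
        retriever.configure(
                getTokenRetriever(configurationUtils, jaasOptionsUtils),
                getTokenValidator(configurationUtils, map),
                getOauthTokenCache(map));
        this.tokenRetriever = retriever;
    }

    /** Creates the token cache using the configured expiry buffer (seconds). */
    private OauthTokenCache getOauthTokenCache(Map<String, ?> map) {
        return new OauthTokenCache(SchemaRegistryClientConfig.getBearerAuthCacheExpiryBufferSeconds(map));
    }

    /**
     * Builds the HTTP retriever that requests tokens from the token endpoint using the
     * client id and secret.
     *
     * <p>The client secret is handled as a plain {@code String} here; keep it out of log
     * and exception messages.
     */
    private AccessTokenRetriever getTokenRetriever(
            ConfigurationUtils configurationUtils, JaasOptionsUtils jaasOptionsUtils) {
        String clientId = configurationUtils.get(SchemaRegistryClientConfig.BEARER_AUTH_CLIENT_ID) != null
                ? configurationUtils.validateString(SchemaRegistryClientConfig.BEARER_AUTH_CLIENT_ID)
                : jaasOptionsUtils.validateString(JAAS_CLIENT_ID_OPTION);
        String clientSecret = configurationUtils.get(SchemaRegistryClientConfig.BEARER_AUTH_CLIENT_SECRET) != null
                ? configurationUtils.validateString(SchemaRegistryClientConfig.BEARER_AUTH_CLIENT_SECRET)
                : jaasOptionsUtils.validateString(JAAS_CLIENT_SECRET_OPTION);
        // The scope is the only optional value: the JAAS fallback is read with isRequired=false.
        String scope = configurationUtils.get(SchemaRegistryClientConfig.BEARER_AUTH_SCOPE) != null
                ? configurationUtils.validateString(SchemaRegistryClientConfig.BEARER_AUTH_SCOPE)
                : jaasOptionsUtils.validateString(SchemaRegistryClientConfig.BEARER_AUTH_SCOPE_CLAIM_NAME_DEFAULT, false);
        URL tokenEndpoint = configurationUtils.get(SchemaRegistryClientConfig.BEARER_AUTH_ISSUER_ENDPOINT_URL) != null
                ? configurationUtils.validateUrl(SchemaRegistryClientConfig.BEARER_AUTH_ISSUER_ENDPOINT_URL)
                : configurationUtils.validateUrl(SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL);

        // NOTE(review): a TLS socket factory is created only when JaasOptionsUtils asks for
        // one (presumably for https endpoints). Nothing here rejects a plain-http token
        // endpoint, in which case the client id and secret would be sent unencrypted.
        // Confirm whether https should be enforced.
        SSLSocketFactory sslSocketFactory = jaasOptionsUtils.shouldCreateSSLSocketFactory(tokenEndpoint)
                ? jaasOptionsUtils.createSSLSocketFactory()
                : null;

        // NOTE(review): both trailing Integer arguments (connect/read timeout) are null, so
        // no explicit timeout is configured here. Confirm the resulting default is bounded,
        // otherwise an unresponsive token endpoint can stall token refresh.
        return new HttpAccessTokenRetriever(
                clientId,
                clientSecret,
                scope,
                sslSocketFactory,
                tokenEndpoint.toString(),
                LOGIN_RETRY_BACKOFF_MS,
                LOGIN_RETRY_BACKOFF_MAX_MS,
                (Integer) null,
                (Integer) null);
    }

    /**
     * Builds the validator applied to retrieved tokens, using the scope and subject claim
     * names from the SASL configs when set and the Schema Registry client defaults otherwise.
     *
     * <p>NOTE(review): this appears to be the client-side login validator, which is
     * presumably a structural/claims check rather than a signature verification. Confirm
     * before relying on it as a trust decision.
     */
    private AccessTokenValidator getTokenValidator(ConfigurationUtils configurationUtils, Map<String, ?> map) {
        String scopeClaimName = configurationUtils.get(SaslConfigs.SASL_OAUTHBEARER_SCOPE_CLAIM_NAME) != null
                ? configurationUtils.validateString(SaslConfigs.SASL_OAUTHBEARER_SCOPE_CLAIM_NAME)
                : SchemaRegistryClientConfig.getBearerAuthScopeClaimName(map);
        String subClaimName = configurationUtils.get(SaslConfigs.SASL_OAUTHBEARER_SUB_CLAIM_NAME) != null
                ? configurationUtils.validateString(SaslConfigs.SASL_OAUTHBEARER_SUB_CLAIM_NAME)
                : SchemaRegistryClientConfig.getBearerAuthSubClaimName(map);
        return new LoginAccessTokenValidator(scopeClaimName, subClaimName);
    }

    /**
     * Returns a mutable copy of {@code map} in which a {@code String}-valued
     * {@code sasl.jaas.config} entry is wrapped in a {@link Password}.
     *
     * <p>The caller's map is never modified. Values that are already non-String (for
     * example an existing {@link Password}) are copied through unchanged.
     *
     * @param map the client configuration
     * @return the copy to hand to {@link JaasContext#loadClientContext(Map)}
     */
    Map<String, Object> getConfigsForJaasUtil(Map<String, ?> map) {
        Map<String, Object> copy = new HashMap<>(map);
        Object jaasConfig = copy.get(SaslConfigs.SASL_JAAS_CONFIG);
        if (jaasConfig instanceof String) {
            // The JAAS config carries credentials; Password keeps the value out of toString() output.
            copy.put(SaslConfigs.SASL_JAAS_CONFIG, new Password((String) jaasConfig));
        }
        return copy;
    }
}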
