package io.confluent.kafka.server.plugins.auth;

import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.TenantMetadata;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.security.JaasContext;
import org.mindrot.jbcrypt.BCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/FileBasedPlainSaslAuthenticator.class */
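/**
 * Authenticates SASL/PLAIN credentials against the key entries returned by a
 * {@link SecretsLoader}, which is configured from the JAAS options
 * {@value #JAAS_ENTRY_CONFIG} and {@value #JAAS_ENTRY_REFRESH_MS}.
 *
 * <p>Every credential failure (unknown user, wrong mechanism, unknown hash function, bad
 * password) is reported to the client with the same generic message, so the response text
 * does not reveal which check failed. The specific reason is only written to the log.
 */
public class FileBasedPlainSaslAuthenticator implements SaslAuthenticator {
    static final String JAAS_ENTRY_CONFIG = "config_path";
    static final String JAAS_ENTRY_REFRESH_MS = "refresh_ms";
    private static final String AUTHENTICATION_FAILED_ERROR = "Authentication failed: Invalid username or password";
    private static final Logger logger = LoggerFactory.getLogger(FileBasedPlainSaslAuthenticator.class);
    private static final String SASL_MECHANISM_PLAIN = "PLAIN";
    private static final String HASH_FUNCTION_NONE = "none";
    private static final String HASH_FUNCTION_BCRYPT = "bcrypt";
    private SecretsLoader loader;

    /**
     * Builds the secrets loader from the {@link FileBasedLoginModule} JAAS entry.
     *
     * @param jaasContext JAAS context holding the {@code config_path} and {@code refresh_ms} options
     * @throws NumberFormatException if {@code refresh_ms} is missing or not a valid long
     */
    @Override
    public void initialize(JaasContext jaasContext) {
        String loginModuleName = FileBasedLoginModule.class.getName();
        String configPath = jaasContext.configEntryOption(JAAS_ENTRY_CONFIG, loginModuleName);
        String refreshMs = jaasContext.configEntryOption(JAAS_ENTRY_REFRESH_MS, loginModuleName);
        this.loader = new SecretsLoader(configPath, Long.parseLong(refreshMs));
    }

    /**
     * Verifies a username/password pair and returns the tenant principal of the matching entry.
     *
     * @param username client-supplied user name, used as the lookup key into the loaded entries
     * @param password client-supplied password
     * @return the principal built from the entry's user id and logical cluster id
     * @throws SaslAuthenticationException if the credentials are rejected; the message is the
     *     same for every rejection reason
     * @throws SaslException if anything else goes wrong while authenticating (for example the
     *     loader fails or an entry is malformed)
     */
    @Override
    public MultiTenantPrincipal authenticate(String username, String password) throws SaslException, SaslAuthenticationException {
        try {
            Map<String, KeyConfigEntry> entries = this.loader.get();
            KeyConfigEntry entry = entries.get(username);
            if (entry == null) {
                // NOTE(review): this path returns without doing any hashing, so it can answer
                // faster than the bcrypt path for a known user. The username is client-supplied
                // and is written to the log as-is.
                logger.trace("Unknown user {}", username);
                throw new SaslAuthenticationException(AUTHENTICATION_FAILED_ERROR);
            }
            if (!entry.saslMechanism.equals(SASL_MECHANISM_PLAIN)) {
                logger.error("Wrong SASL mechanism {} for user {}", entry.saslMechanism, username);
                throw new SaslAuthenticationException(AUTHENTICATION_FAILED_ERROR);
            }

            boolean secretMatches;
            switch (entry.hashFunction) {
                case HASH_FUNCTION_NONE:
                    // "none" means hashedSecret holds the secret in clear text, so the secrets
                    // file itself must be protected; bcrypt entries avoid storing the secret.
                    secretMatches = constantTimeEquals(entry.hashedSecret, password);
                    break;
                case HASH_FUNCTION_BCRYPT:
                    secretMatches = BCrypt.checkpw(password, entry.hashedSecret);
                    break;
                default:
                    logger.error("Unknown hash function: {} for user {}", entry.hashFunction, username);
                    throw new SaslAuthenticationException(AUTHENTICATION_FAILED_ERROR);
            }
            if (!secretMatches) {
                logger.trace("Bad password for user {}", username);
                throw new SaslAuthenticationException(AUTHENTICATION_FAILED_ERROR);
            }
            // The logical cluster id is passed for both TenantMetadata arguments.
            return new MultiTenantPrincipal(entry.userId, new TenantMetadata(entry.logicalClusterId, entry.logicalClusterId));
        } catch (SaslAuthenticationException e) {
            // Credential rejections must reach the caller unchanged. This clause has to come
            // before the generic handler, otherwise they would be wrapped as SaslException.
            throw e;
        } catch (Exception e) {
            logger.error("Unexpected exception during authentication for user {}", username, e);
            throw new SaslException("Authentication failed: Unexpected exception", e);
        }
    }

    /**
     * Compares a stored clear-text secret with the supplied password without stopping at the
     * first differing byte, so the comparison time does not depend on how long a prefix matches.
     * A difference in length may still be observable.
     *
     * @param expected secret from the loaded entry
     * @param provided client-supplied password; {@code null} never matches
     * @return {@code true} only if both strings are equal
     */
    private static boolean constantTimeEquals(String expected, String provided) {
        if (provided == null) {
            return false;
        }
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        byte[] providedBytes = provided.getBytes(StandardCharsets.UTF_8);
        // The trailing equals() only runs once the encoded bytes already match. It guards against
        // distinct malformed strings (unpaired surrogates) that encode to the same bytes.
        return MessageDigest.isEqual(expectedBytes, providedBytes) && expected.equals(provided);
    }
}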
