package io.confluent.ksql.security;

import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.OAuthBearerAuthenticator;
import io.confluent.common.security.jetty.initializer.InstallOAuthSecurityHandler;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.eclipse.jetty.server.UserIdentity;

/* loaded from: input_file:io/confluent/ksql/security/VertxOAuthAuthenticationPlugin.class */
/**
 * OAuth bearer-token variant of {@link VertxAuthenticationPlugin}.
 *
 * <p>{@link #configure(Map)} reads the realm and the role list from the supplied settings and
 * wires an {@code OAuthBearerAuthenticator} plus a {@code JwtLoginService} into the inherited
 * three-argument {@code configure}. {@link #validateUser(UserIdentity)} then decides whether an
 * identity is admitted, based on the normalised role list.
 *
 * <p>Role wildcards as handled here:
 * <ul>
 *   <li>a configured {@code "*"} entry is discarded;</li>
 *   <li>a configured {@code "**"} entry is stored as {@code "*"}, which {@code validateUser}
 *       treats as "accept every identity passed in".</li>
 * </ul>
 * NOTE(review): this looks like a translation of Jetty's constraint wildcards (where the
 * double-star form means "any authenticated user") - confirm against the base class.
 */
public class VertxOAuthAuthenticationPlugin extends VertxAuthenticationPlugin {
    /**
     * Normalised role names consulted by {@link #validateUser(UserIdentity)}.
     *
     * <p>Starts out empty and is replaced on every {@link #configure(Map)} call. While it is
     * empty (before configuration, or when the configured list is empty or holds only
     * {@code "*"}), {@code validateUser} rejects every identity.
     */
    List<String> allowedRoles = Collections.emptyList();

    /**
     * Builds the OAuth configuration from {@code map}, normalises the role list and registers
     * the authenticator and login service with the base class.
     *
     * @param map raw settings; {@code authentication.realm} and {@code authentication.roles}
     *     are the keys read directly here, the rest is consumed by {@code OAuthConfig}
     */
    @Override
    public void configure(Map<String, ?> map) {
        InstallOAuthSecurityHandler.OAuthConfig oauthSettings =
                new InstallOAuthSecurityHandler.OAuthConfig(map);
        String realm = oauthSettings.getString("authentication.realm");

        // Drop a bare "*" and rewrite "**" to "*": only the rewritten form grants allow-all
        // in validateUser. The raw cast is kept from the original listing; presumably the
        // stream is already typed as String - TODO confirm and drop the cast.
        this.allowedRoles = (List) oauthSettings.getList("authentication.roles").stream()
                .filter(role -> !"*".equals(role))
                .map(role -> "**".equals(role) ? "*" : role)
                .collect(Collectors.toList());

        // Constructed in the same order as the original single-expression call.
        OAuthBearerAuthenticator bearerAuthenticator = new OAuthBearerAuthenticator();
        JwtAuthenticator tokenAuthenticator =
                new JwtAuthenticator(oauthSettings.jwtAuthenticatorConfig());
        JwtLoginService loginService = new JwtLoginService(realm, tokenAuthenticator);
        configure(realm, bearerAuthenticator, loginService);
    }

    /**
     * Authorisation decision for an identity handed over by the base class.
     *
     * @param userIdentity identity to check; it is only dereferenced when the role list is
     *     non-empty and does not contain {@code "*"}
     * @return {@code true} if the role list contains {@code "*"} or the identity holds at least
     *     one listed role; {@code false} otherwise, including when the role list is empty
     */
    @Override
    protected boolean validateUser(UserIdentity userIdentity) {
        // Wildcard short-circuits first so the identity is not queried at all in that case.
        return this.allowedRoles.contains("*")
                || this.allowedRoles.stream()
                        .anyMatch(role -> userIdentity.isUserInRole(role, (UserIdentity.Scope) null));
    }
}
