package io.confluent.common.security.jetty.initializer;

import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.OAuthBearerAuthenticator;
import io.confluent.rest.RestConfig;
import io.confluent.rest.auth.AuthUtil;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigDef;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.servlet.ServletContextHandler;

/* loaded from: input_file:io/confluent/common/security/jetty/initializer/InstallOAuthSecurityHandler.class */
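/**
 * Installs a Jetty {@link ConstraintSecurityHandler} on a {@link ServletContextHandler} that
 * authenticates requests with {@link OAuthBearerAuthenticator} backed by a {@link JwtLoginService}.
 *
 * <p>{@link #configure(Map)} must be called before {@link #accept(ServletContextHandler)}; the
 * handler is built from the configuration captured there.
 */
public class InstallOAuthSecurityHandler implements Consumer<ServletContextHandler>, Configurable {
    // Passed to JwtLoginService in the issuer position; presumably the expected "iss" claim
    // of accepted tokens (confirm against JwtLoginService).
    static final String JWT_ISSUER = "Confluent";
    // Passed to JwtLoginService in the roles-claim position; presumably the JWT claim from
    // which roles are read (confirm against JwtLoginService).
    static final String JWT_ROLES_CLAIM = "clusters";
    // Populated by configure(Map); null until then.
    OAuthConfig config;

    /**
     * {@link RestConfig} extended with the location of the public key material used for signed
     * JWT OAuth tokens.
     */
    public static class OAuthConfig extends RestConfig {
        public static final String JWT_PUBLIC_KEY_PATH_CONFIG = "oauth.jwt.public.key.path";
        // NOTE(review): when the path is a directory, every '.pem' file in it is loaded, so
        // write access to that location decides which signing keys the service will accept.
        // Keep the file or directory writable only by the account that manages those keys.
        private static final String JWT_PUBLIC_KEY_PATH_DOC = "path to the public key expected for signed JWT OAuth tokens, or a directory that will be searched for public key files. Any file ending in '.pem' within the directory will be loaded.";
        // Defined without a default value.
        private static final ConfigDef CONFIG = baseConfigDef().define(JWT_PUBLIC_KEY_PATH_CONFIG, ConfigDef.Type.STRING, ConfigDef.Importance.HIGH, JWT_PUBLIC_KEY_PATH_DOC);

        private OAuthConfig(Map<?, ?> map) {
            super(CONFIG, map);
        }
    }

    /**
     * Parses the supplied properties into an {@link OAuthConfig} and stores it for later use.
     *
     * @param map configuration properties, including {@code oauth.jwt.public.key.path}
     */
    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.config = new OAuthConfig(map);
    }

    /**
     * Builds the OAuth security handler and sets it on the given context.
     *
     * @param servletContextHandler context that receives the security handler
     * @throws IllegalStateException if {@link #configure(Map)} has not been called
     */
    @Override // java.util.function.Consumer
    public void accept(ServletContextHandler servletContextHandler) {
        servletContextHandler.setSecurityHandler(createOAuthSecurityHandler());
    }

    /**
     * Assembles a {@link ConstraintSecurityHandler} wired with the bearer-token authenticator,
     * the JWT login service, the global auth constraint and the unsecured constraints.
     *
     * @return the fully wired security handler
     * @throws IllegalStateException if no configuration has been supplied yet
     */
    private ConstraintSecurityHandler createOAuthSecurityHandler() {
        // Fail with an explicit message instead of an anonymous NullPointerException, so a
        // missing configure() call is obvious and no half-built handler is ever installed.
        if (this.config == null) {
            throw new IllegalStateException(
                "configure(Map) must be called before the OAuth security handler is installed");
        }
        String realm = this.config.getString("authentication.realm");
        String publicKeyPath = this.config.getString(OAuthConfig.JWT_PUBLIC_KEY_PATH_CONFIG);

        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
        // The global auth constraint is registered first, then the unsecured ones below.
        securityHandler.addConstraintMapping(AuthUtil.createGlobalAuthConstraint(this.config));
        securityHandler.setAuthenticator(new OAuthBearerAuthenticator());
        securityHandler.setLoginService(
            new JwtLoginService(realm, JWT_ISSUER, publicKeyPath, JWT_ROLES_CLAIM));
        securityHandler.setIdentityService(new DefaultIdentityService());
        securityHandler.setRealmName(realm);
        // NOTE(review): these mappings presumably exempt the configured paths from
        // authentication; review that list as part of the deployment's attack surface.
        // Chaining the call avoids the raw List local (and the stray getClass() null check)
        // left behind by decompilation.
        AuthUtil.createUnsecuredConstraints(this.config)
            .forEach(securityHandler::addConstraintMapping);
        return securityHandler;
    }
}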
