package io.confluent.common.security.jetty.initializer;

import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.JwtWithFallbackLoginService;
import io.confluent.common.security.jetty.MdsBasicLoginService;
import io.confluent.common.security.jetty.OAuthOrBasicAuthenticator;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticatorConfig;
import io.confluent.rest.RestConfig;
import io.confluent.rest.auth.AuthUtil;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigDef;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.servlet.ServletContextHandler;

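/**
 * Installs an authentication {@link ConstraintSecurityHandler} on a Jetty
 * {@link ServletContextHandler}.
 *
 * <p>The handler built by {@link #createOAuthOrBasicSecurityHandler()} applies a global
 * constraint from {@code AuthUtil.createGlobalAuthConstraint} whose role set is
 * {@code "**"} (Jetty's "any authenticated user"), adds the unsecured mappings from
 * {@code AuthUtil.createUnsecuredConstraints} on top, authenticates requests with
 * {@link OAuthOrBasicAuthenticator}, and resolves credentials through a
 * {@link JwtWithFallbackLoginService} built from a {@link JwtLoginService} and an
 * {@link MdsBasicLoginService}.
 *
 * <p>{@link #configure(Map)} must run before {@link #accept(ServletContextHandler)} or
 * {@link #createOAuthOrBasicSecurityHandler()}; the {@code config} field is written without
 * synchronization, so configure-then-use from a single thread is assumed.
 */
public class InstallBearerOrBasicSecurityHandler implements Consumer<ServletContextHandler>, Configurable {
    /** Set by {@link #configure(Map)}; {@code null} until then. */
    private BearerConfig config;

    /**
     * Configuration for the bearer-token path. Extends {@link RestConfig} with the location
     * of the token verification public key, the token issuer id and an internal flag that
     * selects which {@link ConstraintSecurityHandler} subclass is installed.
     */
    public static class BearerConfig extends RestConfig {
        public static final String TOKEN_ISSUER_DEFAULT = "Confluent";
        private static final boolean EXPOSE_INTERNAL_CONNECT_ENDPOINTS_DEFAULT = false;
        public static final String TOKEN_PUBLIC_KEY_PATH_PROP = "public.key.path";
        public static final String TOKEN_PUBLIC_KEY_PATH_DOC = "Location of the PEM encoded public key to be used  by a loginService to verify Authentication Tokens. Since the token service only supports RS256 signatures  key pairs must be generated using the RSA algorithm.";
        public static final String TOKEN_ISSUER_PROP = "token.issuer";
        public static final String TOKEN_ISSUER_DOC = "An identifier for the token issuer.";
        private static final String EXPOSE_INTERNAL_CONNECT_ENDPOINTS_CONFIG = "expose.internal.connect.endpoints";

        /**
         * {@value #TOKEN_PUBLIC_KEY_PATH_PROP} is defined without a default, so it is a
         * required setting; {@value #TOKEN_ISSUER_PROP} defaults to
         * {@value #TOKEN_ISSUER_DEFAULT}; the internal endpoint flag defaults to {@code false}.
         */
        private static final ConfigDef CONFIG = baseConfigDef()
            .define(TOKEN_PUBLIC_KEY_PATH_PROP, ConfigDef.Type.STRING, ConfigDef.Importance.HIGH, TOKEN_PUBLIC_KEY_PATH_DOC)
            .define(TOKEN_ISSUER_PROP, ConfigDef.Type.STRING, TOKEN_ISSUER_DEFAULT, ConfigDef.Importance.HIGH, TOKEN_ISSUER_DOC)
            .defineInternal(EXPOSE_INTERNAL_CONNECT_ENDPOINTS_CONFIG, ConfigDef.Type.BOOLEAN, EXPOSE_INTERNAL_CONNECT_ENDPOINTS_DEFAULT, ConfigDef.Importance.LOW);

        /**
         * Whether the internal Connect endpoints should be exposed, i.e. whether
         * {@link InstallBearerOrBasicSecurityHandler#newConstraintSecurityHandler()} returns a
         * {@code ConnectConstraintSecurityHandler} instead of a plain handler.
         */
        boolean exposeInternalConnectEndpoints() {
            return getBoolean(EXPOSE_INTERNAL_CONNECT_ENDPOINTS_CONFIG);
        }

        /**
         * Parses {@code map} against {@link #CONFIG}.
         *
         * @param map raw configuration values
         */
        public BearerConfig(Map<String, ?> map) {
            super(CONFIG, map);
        }

        /**
         * Builds the {@link JwtAuthenticatorConfig} from the originals that carry
         * {@code prefix} (prefix stripped).
         *
         * <p>The {@code jwksLocation} entry is written from
         * {@value #TOKEN_PUBLIC_KEY_PATH_PROP} <em>after</em> the prefixed originals are
         * collected, so a prefixed {@code jwksLocation} original cannot redirect token
         * verification to a different key.
         *
         * @param prefix original-key prefix to select; {@code ""} selects all originals
         * @return the authenticator configuration
         */
        public JwtAuthenticatorConfig jwtAuthenticatorConfig(String prefix) {
            Map<String, Object> jwtProps = originalsWithPrefix(prefix, true);
            jwtProps.put("jwksLocation", get(TOKEN_PUBLIC_KEY_PATH_PROP));
            return new JwtAuthenticatorConfig(jwtProps);
        }

        /** Equivalent to {@code jwtAuthenticatorConfig("")}. */
        public JwtAuthenticatorConfig jwtAuthenticatorConfig() {
            return jwtAuthenticatorConfig("");
        }
    }

    /**
     * Parses the supplied configuration into a {@link BearerConfig}.
     *
     * @param map raw configuration values; required keys missing here fail in the
     *            {@link BearerConfig} constructor
     */
    @Override
    public void configure(Map<String, ?> map) {
        this.config = new BearerConfig(map);
    }

    /**
     * Replaces the context's security handler with the one from
     * {@link #createOAuthOrBasicSecurityHandler()}.
     */
    @Override // java.util.function.Consumer
    public void accept(ServletContextHandler servletContextHandler) {
        servletContextHandler.setSecurityHandler(createOAuthOrBasicSecurityHandler());
    }

    /**
     * Creates the fully wired security handler.
     *
     * @return a handler requiring any authenticated principal on every path except the
     *         unsecured ones
     * @throws IllegalStateException if {@link #configure(Map)} has not been called
     */
    public ConstraintSecurityHandler createOAuthOrBasicSecurityHandler() {
        if (this.config == null) {
            throw new IllegalStateException("configure(Map) must be called before creating the security handler");
        }
        String realm = this.config.getString("authentication.realm");
        // Results intentionally discarded: both keys are already validated when BearerConfig
        // is constructed. The reads are kept because the config records accessed keys
        // (presumably to keep these out of its "unused configuration" report) — confirm.
        this.config.getString(BearerConfig.TOKEN_PUBLIC_KEY_PATH_PROP);
        this.config.getString(BearerConfig.TOKEN_ISSUER_PROP);

        ConstraintMapping globalConstraint = AuthUtil.createGlobalAuthConstraint(this.config);
        // "**" is Jetty's any-authenticated-user role: the global constraint enforces
        // authentication only; per-role authorization is not done here.
        globalConstraint.getConstraint().setRoles(new String[]{"**"});

        ConstraintSecurityHandler handler = newConstraintSecurityHandler();
        handler.addConstraintMapping(globalConstraint);
        handler.setAuthenticator(new OAuthOrBasicAuthenticator());
        handler.setLoginService(createLoginService(realm));
        handler.setIdentityService(new DefaultIdentityService());
        handler.setRealmName(realm);

        // Mappings for paths that do not require authentication, derived from the config.
        List<ConstraintMapping> unsecured = AuthUtil.createUnsecuredConstraints(this.config);
        unsecured.forEach(handler::addConstraintMapping);
        return handler;
    }

    /**
     * Builds the login service: a {@link JwtLoginService} for bearer tokens combined with an
     * {@link MdsBasicLoginService} for basic credentials (presumably tried in that order, as
     * the wrapper's name suggests).
     *
     * @param realm realm name shared by both services
     */
    private JwtWithFallbackLoginService createLoginService(String realm) {
        JwtLoginService jwtLogin =
            new JwtLoginService(realm, new JwtAuthenticator(this.config.jwtAuthenticatorConfig()));
        MdsBasicLoginService basicLogin = new MdsBasicLoginService(this.config.originals(), realm);
        return new JwtWithFallbackLoginService(jwtLogin, basicLogin);
    }

    /**
     * Chooses the handler implementation: {@code ConnectConstraintSecurityHandler} (same
     * package; not shown here) when the internal Connect endpoints are exposed, otherwise a
     * plain {@link ConstraintSecurityHandler}.
     */
    private ConstraintSecurityHandler newConstraintSecurityHandler() {
        if (this.config.exposeInternalConnectEndpoints()) {
            return new ConnectConstraintSecurityHandler();
        }
        return new ConstraintSecurityHandler();
    }
}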
