package io.confluent.common.security.jetty;

import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import io.confluent.kafka.clients.plugins.auth.jwt.PublicKeyJwks;
import io.confluent.kafka.clients.plugins.auth.jwt.PublicKeyVerificationKeyResolver;
import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import java.io.IOException;
import java.security.PublicKey;
import java.util.List;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import org.apache.kafka.common.config.ConfigException;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/jetty/JwtLoginService.class */
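/**
 * Jetty {@link LoginService} that authenticates a request from a bearer JWT.
 *
 * <p>{@link #login} hands the raw credential to a {@link JwtAuthenticator}, wraps the
 * resulting {@link OAuthBearerJwsToken} in a {@link JwtPrincipal} and asks the
 * {@link IdentityService} for a {@link UserIdentity} whose roles are the token's scopes.
 * The verification key material comes from a public-key file, an explicit list of
 * {@link PublicKey}s, or a pre-built authenticator, depending on the constructor used.
 *
 * <p>{@link #validate(UserIdentity)} returns {@code true} unconditionally, so an identity
 * Jetty retained from an earlier request is never re-checked against the token by this
 * class (see the method's Javadoc).
 *
 * <p>Instances are immutable apart from the {@link IdentityService}, which Jetty may inject
 * before {@link #doStart()}.
 */
public class JwtLoginService extends AbstractLifeCycle implements LoginService {
    private static final Logger log = LoggerFactory.getLogger(JwtLoginService.class);
    /** Claim consulted for the caller's roles when the constructor receives {@code null}. */
    private static final String ROLES_CLAIM_DEFAULT = "clusters";
    /** Request attribute (and JWT claim name) under which the organization resource id is published. */
    public static final String ORG_RESOURCE_ID_KEY = "orgResourceId";

    private final String realmName;
    private final String rolesClaim;
    private final JwtAuthenticator authenticator;
    // Injected via setIdentityService(); defaulted in doStart() when nothing was injected.
    private IdentityService identityService;

    /**
     * Creates a service whose verification keys are loaded from a file.
     *
     * @param realmName     realm reported by {@link #getName()}
     * @param issuer        first argument handed to {@link JwtAuthenticator}; judging by the
     *                      {@code authenticator.issuer()} comparison in {@link #equals}, the
     *                      expected token issuer
     * @param publicKeyPath path of the public-key file; must not be {@code null}
     * @param rolesClaim    claim holding the caller's roles; {@code null} selects the default
     *                      ({@value #ROLES_CLAIM_DEFAULT}), as in the other constructors
     * @throws NullPointerException if {@code publicKeyPath} is {@code null}
     * @throws ConfigException      if the key file cannot be read; the {@link IOException}
     *                              is attached as the cause
     */
    public JwtLoginService(String realmName, String issuer, String publicKeyPath, String rolesClaim) {
        this(realmName, rolesClaim, authenticatorForKeyFile(issuer, publicKeyPath));
    }

    /**
     * Creates a service that verifies tokens against an explicit list of public keys.
     *
     * @param realmName  realm reported by {@link #getName()}
     * @param issuer     first argument handed to {@link JwtAuthenticator} (see the
     *                   four-{@code String} constructor for the caveat)
     * @param publicKeys keys used to verify token signatures
     * @param rolesClaim claim holding the caller's roles; {@code null} selects the default
     */
    public JwtLoginService(String realmName, String issuer, List<PublicKey> publicKeys, String rolesClaim) {
        this(realmName, rolesClaim,
            new JwtAuthenticator(issuer, new PublicKeyVerificationKeyResolver(new PublicKeyJwks(publicKeys))));
    }

    /**
     * Creates a service around a pre-built authenticator. All other constructors delegate here.
     *
     * @param realmName     realm reported by {@link #getName()}
     * @param rolesClaim    claim holding the caller's roles; {@code null} selects the default
     * @param authenticator verifier for incoming tokens; must not be {@code null}
     * @throws NullPointerException if {@code authenticator} is {@code null}
     */
    public JwtLoginService(String realmName, String rolesClaim, JwtAuthenticator authenticator) {
        Objects.requireNonNull(authenticator, "authenticator must not be null");
        this.realmName = realmName;
        this.rolesClaim = rolesClaim == null ? ROLES_CLAIM_DEFAULT : rolesClaim;
        this.authenticator = authenticator;
    }

    /**
     * Creates a service around a pre-built authenticator using the default roles claim.
     *
     * @param realmName     realm reported by {@link #getName()}
     * @param authenticator verifier for incoming tokens; must not be {@code null}
     */
    public JwtLoginService(String realmName, JwtAuthenticator authenticator) {
        this(realmName, ROLES_CLAIM_DEFAULT, authenticator);
    }

    /**
     * Builds an authenticator whose keys are read from {@code publicKeyPath}.
     *
     * @throws NullPointerException if {@code publicKeyPath} is {@code null}
     * @throws ConfigException      if reading the key file fails; carries the I/O error as cause
     */
    private static JwtAuthenticator authenticatorForKeyFile(String issuer, String publicKeyPath) {
        Objects.requireNonNull(publicKeyPath, "public key path must not be null");
        try {
            PublicKeyVerificationKeyResolver resolver =
                new PublicKeyVerificationKeyResolver(new PublicKeyJwks(PublicKeyJwks.loadPublicKey(publicKeyPath)));
            return new JwtAuthenticator(issuer, resolver);
        } catch (IOException e) {
            // Keep the underlying I/O error as the cause so the stack trace shows why the
            // file could not be read, not just where.
            ConfigException failure = new ConfigException("Failed to load public keys at " + publicKeyPath);
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Returns whether the identity's subject carries at least one {@link JwtPrincipal}.
     *
     * <p>Decompiler note: this method is package-private in the original bytecode; the wider
     * access is kept so existing callers keep compiling.
     *
     * @param userIdentity identity to inspect; must not be {@code null}
     */
    public static boolean isJwtUser(UserIdentity userIdentity) {
        return !userIdentity.getSubject().getPrincipals(JwtPrincipal.class).isEmpty();
    }

    /** Starts the component, installing a {@link DefaultIdentityService} unless one was injected. */
    protected void doStart() throws Exception {
        super.doStart();
        if (this.identityService == null) {
            this.identityService = new DefaultIdentityService();
        }
    }

    /** Returns the realm name given at construction. */
    public String getName() {
        return this.realmName;
    }

    /**
     * Authenticates a bearer JWT.
     *
     * @param username       ignored; the identity is taken from the token
     * @param credentials    the raw JWT, expected to be a {@link String}
     * @param servletRequest request on which the organization resource id claim is set as
     *                       attribute {@link #ORG_RESOURCE_ID_KEY}; may be {@code null}
     * @return the authenticated identity, or {@code null} when the credential is not a
     *         {@code String}, the authenticator rejects the token, or the service has no
     *         {@link IdentityService} yet (i.e. {@link #doStart()} has not run)
     */
    public UserIdentity login(String username, Object credentials, ServletRequest servletRequest) {
        if (!(credentials instanceof String)) {
            // Only a raw token string can be a JWT. The value is deliberately not logged.
            log.debug("Rejecting login request: credentials are not a String.");
            return null;
        }
        try {
            log.debug("Processing new Jwt login request.");
            OAuthBearerJwsToken token = this.authenticator.login((String) credentials, this.rolesClaim);
            JwtPrincipal principal = new JwtPrincipal(token);
            Subject subject = new Subject();
            subject.getPrincipals().add(principal);
            // The token's scopes become the Jetty roles this identity is authorised with.
            String[] roles = (String[]) token.scope().toArray(new String[0]);
            // Claim value is forwarded as-is; downstream code sees "" when the claim is absent.
            Object orgResourceId = token.jwtClaims().getOrDefault(ORG_RESOURCE_ID_KEY, "");
            log.debug("Organization resource id in jwt : {}", orgResourceId);
            if (servletRequest != null) {
                servletRequest.setAttribute(ORG_RESOURCE_ID_KEY, orgResourceId);
            }
            return this.identityService.newUserIdentity(subject, principal, roles);
        } catch (Exception e) {
            // Jetty's contract is "null means not authenticated". The authenticator's failure
            // types are not visible here, so every failure (including a missing identity
            // service) maps to null. Rejections are only visible at DEBUG level; enable it
            // when diagnosing refused tokens.
            log.debug("Exception", e);
            return null;
        }
    }

    /**
     * Always {@code true}.
     *
     * <p>Jetty calls this to re-check an identity it retained from an earlier request; this
     * implementation accepts it without consulting the token again, so token expiry or
     * revocation is not re-evaluated here. Whether that is enforced elsewhere (for instance
     * by authenticating every request anew) is outside this class.
     */
    public boolean validate(UserIdentity userIdentity) {
        return true;
    }

    /** Returns the identity service in use; {@code null} until injected or started. */
    public IdentityService getIdentityService() {
        return this.identityService;
    }

    /** Injects the identity service used to build {@link UserIdentity} instances. */
    public void setIdentityService(IdentityService identityService) {
        this.identityService = identityService;
    }

    /** No-op: this class keeps no per-identity state that would need releasing. */
    public void logout(UserIdentity userIdentity) {
    }

    /**
     * Two services are equal when realm name, authenticator issuer and roles claim match.
     * Key material is not part of the comparison.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        JwtLoginService other = (JwtLoginService) obj;
        return Objects.equals(this.realmName, other.realmName)
            && Objects.equals(this.authenticator.issuer(), other.authenticator.issuer())
            && Objects.equals(this.rolesClaim, other.rolesClaim);
    }

    /** Consistent with {@link #equals}: hashes realm name, authenticator issuer and roles claim. */
    @Override
    public int hashCode() {
        return Objects.hash(this.realmName, this.authenticator.issuer(), this.rolesClaim);
    }
}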
