package io.confluent.common.security.util;

import io.confluent.common.security.jetty.CertificateAuthenticator;
import io.confluent.common.security.jetty.CertificateLoginService;
import io.confluent.common.security.jetty.CompositeAuthenticator;
import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.MdsBasicLoginService;
import io.confluent.common.security.jetty.OAuthOrBasicAuthenticator;
import io.confluent.common.security.jetty.initializer.AuthenticationHandler;
import io.confluent.common.security.metrics.MetricsContainer;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import io.confluent.rest.RestConfig;
import io.confluent.rest.SslFactory;
import io.confluent.rest.auth.AuthUtil;
import java.util.List;
import java.util.Objects;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/util/AuthUtils.class */
/**
 * Static factories for the Jetty authentication pieces used by the REST layer:
 * login services (MDS basic, X.509 certificate, JWT), a composite authenticator,
 * and a security handler for OAuth-protected endpoints.
 *
 * <p>The string parameters named {@code str}, {@code str2}, ... carry generated names;
 * their meaning is defined by the {@link JwtLoginService} and {@link JwtAuthenticator}
 * constructors, which are not visible in this file.
 */
public class AuthUtils {
    // NOTE(review): the logger category is AuthenticationHandler, not AuthUtils, so the
    // debug line emitted below is filed under that class name. Whether this is intentional
    // cannot be told from this file; keep it in mind when filtering authentication logs.
    private static final Logger log = LoggerFactory.getLogger(AuthenticationHandler.class);

    /**
     * Package-private holder for the code that instantiates {@link MdsBasicLoginService}.
     * The public {@code getMdsBasicLoginService} overloads on the outer class delegate here.
     */
    static class MdsBasicLoginServiceProxy {
        MdsBasicLoginServiceProxy() {
        }

        /**
         * Creates the MDS basic login service without a metrics container.
         *
         * @param securityHandlerConfig source of the original properties and the realm name
         * @return the login service; {@code null} is forwarded as its metrics container
         */
        public static MdsBasicLoginService getMdsBasicLoginService(AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
            MetricsContainer noMetrics = null;
            return getMdsBasicLoginService(securityHandlerConfig, noMetrics);
        }

        /**
         * Creates the MDS basic login service from the full set of original properties and
         * the {@code authentication.realm} setting.
         *
         * @param securityHandlerConfig source of the original properties and the realm name
         * @param metricsContainer handed to {@code withMetricsContainer} as-is, including when null
         * @return the value returned by {@code withMetricsContainer}
         */
        public static MdsBasicLoginService getMdsBasicLoginService(AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig, MetricsContainer metricsContainer) {
            // originals() hands every configured property to the login service; which of
            // them it actually reads is not visible here.
            MdsBasicLoginService mdsLoginService = new MdsBasicLoginService(
                    securityHandlerConfig.originals(),
                    securityHandlerConfig.getString("authentication.realm"));
            return mdsLoginService.withMetricsContainer(metricsContainer);
        }
    }

    /**
     * Builds an authenticator that combines OAuth-or-basic and client-certificate
     * authentication.
     *
     * @param securityHandlerConfig supplies the anonymous-access setting
     * @return a new {@link CompositeAuthenticator}
     */
    public static LoginAuthenticator createCompositeAuthenticator(AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        OAuthOrBasicAuthenticator tokenOrBasic = new OAuthOrBasicAuthenticator();
        CertificateAuthenticator clientCertificate = new CertificateAuthenticator();
        // NOTE(review): the third argument comes straight from allowAnonymousUser();
        // presumably a true value lets requests without credentials through. Confirm
        // against CompositeAuthenticator before enabling that setting on an exposed listener.
        return new CompositeAuthenticator(tokenOrBasic, clientCertificate, securityHandlerConfig.allowAnonymousUser());
    }

    /**
     * Builds a {@link ConstraintSecurityHandler} for OAuth-protected endpoints.
     *
     * <p>The realm name is the {@code authentication.realm} setting. The single constraint
     * mapping comes from {@link AuthUtil#createGlobalAuthConstraint} with its roles replaced
     * by {@code "**"}, Jetty's "any authenticated user" role. The handler therefore requires
     * authentication only; it does not restrict access to particular roles. No login service
     * or authenticator is set here, so the caller has to attach them.
     *
     * @param restConfig REST configuration providing the realm and the global constraint
     * @return the configured security handler
     */
    public static ConstraintSecurityHandler getOAuthSecurityHandler(RestConfig restConfig) {
        String realmName = restConfig.getString("authentication.realm");
        ConstraintSecurityHandler oauthHandler = new ConstraintSecurityHandler();
        oauthHandler.setRealmName(realmName);

        ConstraintMapping globalMapping = AuthUtil.createGlobalAuthConstraint(restConfig);
        // Overrides whatever roles the global constraint was created with.
        globalMapping.getConstraint().setRoles(new String[]{"**"});
        String[] configuredRoles = globalMapping.getConstraint().getRoles();
        log.debug("Configured Jetty authentication roles: {}", String.join(",", configuredRoles));

        oauthHandler.addConstraintMapping(globalMapping);
        oauthHandler.setIdentityService(new DefaultIdentityService());
        return oauthHandler;
    }

    /**
     * Creates the X.509 login service without a metrics container.
     *
     * @param securityHandlerConfig supplies the SSL principal mapping rules
     * @return the certificate login service
     */
    public static LoginService createX509LoginService(AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        MetricsContainer noMetrics = null;
        return createX509LoginService(securityHandlerConfig, noMetrics);
    }

    /**
     * Creates the X.509 login service and installs the principal mapper built from
     * {@code auth.ssl.principal.mapping.rules}.
     *
     * <p>The mapping rules decide which principal name a client certificate resolves to,
     * so the rule string is security-relevant configuration. The rules are parsed before
     * the service is constructed; a parse failure from {@code fromRules} is not caught here.
     *
     * @param securityHandlerConfig supplies the SSL principal mapping rules
     * @param metricsContainer attached only when non-null
     * @return the certificate login service
     */
    public static LoginService createX509LoginService(AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig, MetricsContainer metricsContainer) {
        SslPrincipalMapper principalMapper = SslPrincipalMapper.fromRules(securityHandlerConfig.getString("auth.ssl.principal.mapping.rules"));
        CertificateLoginService x509LoginService = new CertificateLoginService();
        x509LoginService.setSslPrincipalMapper(principalMapper);
        if (metricsContainer != null) {
            x509LoginService.withMetricsContainer(metricsContainer);
        }
        return x509LoginService;
    }

    /**
     * Creates the MDS basic login service without a metrics container.
     *
     * @param securityHandlerConfig source of the original properties and the realm name
     * @return the login service produced by {@link MdsBasicLoginServiceProxy}
     */
    public static MdsBasicLoginService getMdsBasicLoginService(AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig) {
        MdsBasicLoginService mdsLoginService = MdsBasicLoginServiceProxy.getMdsBasicLoginService(securityHandlerConfig);
        return mdsLoginService;
    }

    /**
     * Creates the MDS basic login service with the given metrics container.
     *
     * @param securityHandlerConfig source of the original properties and the realm name
     * @param metricsContainer forwarded unchanged to {@link MdsBasicLoginServiceProxy}
     * @return the login service produced by {@link MdsBasicLoginServiceProxy}
     */
    public static MdsBasicLoginService getMdsBasicLoginService(AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig, MetricsContainer metricsContainer) {
        MdsBasicLoginService mdsLoginService = MdsBasicLoginServiceProxy.getMdsBasicLoginService(securityHandlerConfig, metricsContainer);
        return mdsLoginService;
    }

    /**
     * Creates a {@link JwtLoginService} from three strings plus an empty fourth argument.
     *
     * @param str first constructor argument (meaning defined by {@link JwtLoginService})
     * @param str2 second constructor argument; also passed to {@code withMetricsContainer}
     * @param str3 third constructor argument
     * @param metricsContainer passed to {@code withMetricsContainer} as-is
     * @return the value returned by {@code withMetricsContainer}
     */
    public static JwtLoginService getConfluentJwtLoginService(String str, String str2, String str3, MetricsContainer metricsContainer) {
        // NOTE(review): the fourth argument is always the empty string; what the service
        // does with an empty value is not visible here.
        JwtLoginService jwtLoginService = new JwtLoginService(str, str2, str3, "");
        return jwtLoginService.withMetricsContainer(metricsContainer, str2);
    }

    /**
     * Creates a {@link JwtLoginService} that verifies tokens with a {@link JwtAuthenticator}
     * whose key resolver targets the configured JWKS endpoint.
     *
     * <p>Security-relevant inputs, all read from {@code securityHandlerConfig}:
     * <ul>
     *   <li>the JWKS endpoint URL from which the key resolver is built;</li>
     *   <li>{@code ssl.endpoint.identification.algorithm}; in Kafka-style SSL settings an
     *       empty value conventionally disables hostname verification. Whether that holds
     *       for this resolver is not visible here and should be confirmed;</li>
     *   <li>the base SSL config: when its trust store path is blank, {@code null} is passed
     *       in place of an SSL context factory. Presumably the resolver then falls back to
     *       default trust; confirm in {@code JwtUtils.getJwtKeyResolver}.</li>
     * </ul>
     *
     * @param str first {@link JwtLoginService} constructor argument
     * @param str2 first {@link JwtAuthenticator} constructor argument
     * @param list third {@link JwtAuthenticator} constructor argument
     * @param str3 third {@link JwtLoginService} constructor argument
     * @param str4 fourth {@link JwtLoginService} constructor argument
     * @param securityHandlerConfig source of the JWKS URL and SSL settings
     * @param metricsContainer passed to {@code withMetricsContainer} as-is
     * @return the value returned by {@code withMetricsContainer}
     */
    public static JwtLoginService getIdpJwtLoginService(String str, String str2, List<String> list, String str3, String str4, AuthenticationHandler.SecurityHandlerConfig securityHandlerConfig, MetricsContainer metricsContainer) {
        // NOTE(review): the trailing boolean is hard-coded to false; its meaning is defined
        // by JwtAuthenticator and cannot be determined from this file.
        JwtAuthenticator idpAuthenticator = new JwtAuthenticator(
                str2,
                JwtUtils.getJwtKeyResolver(
                        Utils.getBaseString(AuthenticationHandler.SecurityHandlerConfig.OAUTHBEARER_JWKS_ENDPOINT_URL, securityHandlerConfig),
                        Utils.getBaseString("ssl.endpoint.identification.algorithm", securityHandlerConfig),
                        // An SSL context factory is built only when a trust store path is configured.
                        !StringUtils.isAllBlank(securityHandlerConfig.getBaseSslConfig().getTrustStorePath())
                                ? SslFactory.createSslContextFactory(securityHandlerConfig.getBaseSslConfig())
                                : null),
                list,
                false);
        JwtLoginService idpLoginService = new JwtLoginService(str, idpAuthenticator, str3, str4);
        return idpLoginService.withMetricsContainer(metricsContainer);
    }
}
