package io.confluent.common.security.jetty.initializer;

import io.confluent.common.security.jetty.CertificateAuthenticator;
import io.confluent.common.security.jetty.CertificateLoginService;
import io.confluent.common.security.jetty.CompositeAuthenticator;
import io.confluent.common.security.jetty.CompositeLoginService;
import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.JwtWithFallbackLoginService;
import io.confluent.common.security.jetty.MdsBasicLoginService;
import io.confluent.common.security.jetty.OAuthOrBasicAuthenticator;
import io.confluent.rest.RestConfig;
import io.confluent.rest.auth.AuthUtil;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Consumer;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.servlet.ServletContextHandler;

/* loaded from: input_file:io/confluent/common/security/jetty/initializer/InstallCompositeSecurityHandler.class */
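/**
 * Installs a Jetty {@link ConstraintSecurityHandler} that accepts either an HTTP credential
 * (OAuth/JWT with a BASIC fallback) or a client certificate.
 *
 * <p>Usage: call {@link #configure(Map)} first, then hand the instance to the servlet
 * context as a {@code Consumer<ServletContextHandler>}. Every factory method below reads
 * the {@link SecurityHandlerConfig} built by {@code configure}; calling {@link #accept}
 * before {@code configure} is a programming error and fails fast.
 *
 * <p>Not thread-safe: {@code config} is assigned once by {@code configure} and read afterwards.
 */
public class InstallCompositeSecurityHandler implements Consumer<ServletContextHandler>, Configurable {

    /** Key of the realm name read from the underlying {@link RestConfig}. */
    private static final String AUTHENTICATION_REALM_CONFIG = "authentication.realm";

    /** Set by {@link #configure(Map)}; {@code null} until then. */
    private SecurityHandlerConfig config;

    /**
     * Configuration for the composite security handler, layered on top of {@link RestConfig}.
     *
     * <p>The public {@code *_PROP} constants are the property keys; {@code CONFIG} registers
     * them with their defaults and documentation.
     */
    public static class SecurityHandlerConfig extends RestConfig {
        public static final String TOKEN_ISSUER_PROP = "token.issuer";
        public static final String TOKEN_ISSUER_DEFAULT = "Confluent";
        public static final String TOKEN_ISSUER_DOC = "An identifier for the token issuer.";
        public static final String TOKEN_PUBLIC_KEY_PATH_PROP = "public.key.path";
        public static final String TOKEN_PUBLIC_KEY_PATH_DOC = "Location of the PEM encoded public key to be used  by a loginService to verify Authentication Tokens. Since the token service only supports RS256 signatures  key pairs must be generated using the RSA algorithm.";
        public static final String SSL_PRINCIPAL_MAPPING_RULES_PROP = "auth.ssl.principal.mapping.rules";
        public static final String SSL_PRINCIPAL_MAPPING_RULES_DEFAULT = "DEFAULT";
        public static final String SSL_PRINCIPAL_MAPPING_RULES_DOC = "Rules to execute the conversion from the certificate SN into principal name";
        public static final String ALLOW_ANONYMOUS_USER_PROP = "auth.allow.anonymous.user";
        public static final boolean ALLOW_ANONYMOUS_USER_DEFAULT = false;
        public static final String ALLOW_ANONYMOUS_USER_DOC = "Decide what to do when no credentials are provided. The default behaviour (false) is to request BASIC authorization.";
        private static final String EXPOSE_INTERNAL_CONNECT_ENDPOINTS_CONFIG = "expose.internal.connect.endpoints";
        private static final boolean EXPOSE_INTERNAL_CONNECT_ENDPOINTS_DEFAULT = false;

        // Property keys/defaults/docs are referenced through the constants above so the
        // ConfigDef cannot drift from the public names callers use.
        // "public.key.path" has no default: token verification needs an explicit key.
        private static final ConfigDef CONFIG = baseConfigDef()
            .define(TOKEN_PUBLIC_KEY_PATH_PROP, ConfigDef.Type.STRING,
                ConfigDef.Importance.HIGH, TOKEN_PUBLIC_KEY_PATH_DOC)
            .define(TOKEN_ISSUER_PROP, ConfigDef.Type.STRING, TOKEN_ISSUER_DEFAULT,
                ConfigDef.Importance.HIGH, TOKEN_ISSUER_DOC)
            .define(SSL_PRINCIPAL_MAPPING_RULES_PROP, ConfigDef.Type.STRING,
                SSL_PRINCIPAL_MAPPING_RULES_DEFAULT, ConfigDef.Importance.MEDIUM,
                SSL_PRINCIPAL_MAPPING_RULES_DOC)
            .define(ALLOW_ANONYMOUS_USER_PROP, ConfigDef.Type.BOOLEAN,
                ALLOW_ANONYMOUS_USER_DEFAULT, ConfigDef.Importance.MEDIUM,
                ALLOW_ANONYMOUS_USER_DOC)
            .defineInternal(EXPOSE_INTERNAL_CONNECT_ENDPOINTS_CONFIG, ConfigDef.Type.BOOLEAN,
                EXPOSE_INTERNAL_CONNECT_ENDPOINTS_DEFAULT, ConfigDef.Importance.LOW);

        /**
         * Creates the config from raw properties.
         *
         * @param map raw property map; validated against {@code CONFIG} by the superclass
         */
        public SecurityHandlerConfig(Map<String, ?> map) {
            super(CONFIG, map);
        }

        /**
         * Returns {@code auth.allow.anonymous.user}. Per its documentation, {@code false}
         * (the default) makes a request without credentials receive a BASIC challenge.
         */
        boolean allowAnonymousUser() {
            return getBoolean(ALLOW_ANONYMOUS_USER_PROP);
        }

        /**
         * Returns the internal {@code expose.internal.connect.endpoints} flag, which selects
         * {@code ConnectConstraintSecurityHandler} over the plain Jetty handler.
         */
        boolean exposeInternalConnectEndpoints() {
            return getBoolean(EXPOSE_INTERNAL_CONNECT_ENDPOINTS_CONFIG);
        }
    }

    /**
     * Builds the {@link SecurityHandlerConfig} from raw properties.
     *
     * @param map raw property map handed over by the host application
     */
    @Override
    public void configure(Map<String, ?> map) {
        this.config = new SecurityHandlerConfig(map);
    }

    /**
     * Replaces the context's security handler with the one built by
     * {@link #createSecurityHandler()}.
     *
     * @param servletContextHandler the context to secure
     * @throws NullPointerException if {@link #configure(Map)} has not been called
     */
    @Override // java.util.function.Consumer
    public void accept(ServletContextHandler servletContextHandler) {
        servletContextHandler.setSecurityHandler(createSecurityHandler());
    }

    /**
     * Assembles the security handler: the global auth constraint, the composite
     * authenticator and login service, the identity service, the realm, and finally the
     * unsecured (allow-listed) constraint mappings derived from the config.
     *
     * @return a fully wired handler
     * @throws NullPointerException if {@link #configure(Map)} has not been called
     */
    protected ConstraintSecurityHandler createSecurityHandler() {
        SecurityHandlerConfig cfg = requireConfig();
        ConstraintSecurityHandler handler = newConstraintSecurityHandler();
        handler.addConstraintMapping(createGlobalAuthConstraint());
        handler.setAuthenticator(createAuthenticator());
        handler.setLoginService(createLoginService());
        handler.setIdentityService(createIdentityService());
        handler.setRealmName(cfg.getString(AUTHENTICATION_REALM_CONFIG));
        // Unsecured paths are appended after the global constraint; which paths end up
        // unsecured is decided entirely by AuthUtil from the config.
        List<ConstraintMapping> unsecured = AuthUtil.createUnsecuredConstraints(cfg);
        for (ConstraintMapping mapping : unsecured) {
            handler.addConstraintMapping(mapping);
        }
        return handler;
    }

    /** Fails with a clear message instead of a bare NPE when {@code configure} was skipped. */
    private SecurityHandlerConfig requireConfig() {
        return Objects.requireNonNull(this.config,
            "configure(Map) must be called before the security handler is built");
    }

    /** Picks the Connect-aware handler when the internal flag is set, else the Jetty default. */
    private ConstraintSecurityHandler newConstraintSecurityHandler() {
        if (requireConfig().exposeInternalConnectEndpoints()) {
            return new ConnectConstraintSecurityHandler();
        }
        return new ConstraintSecurityHandler();
    }

    /**
     * @return the constraint that applies authentication globally, as computed by
     *     {@link AuthUtil#createGlobalAuthConstraint}
     */
    protected ConstraintMapping createGlobalAuthConstraint() {
        return AuthUtil.createGlobalAuthConstraint(requireConfig());
    }

    /**
     * Creates the authenticator: OAuth-or-BASIC for HTTP credentials, certificate for TLS
     * client auth. The third argument is the {@code auth.allow.anonymous.user} flag; how the
     * composite treats it beyond the documented BASIC challenge is defined in
     * {@link CompositeAuthenticator}.
     */
    protected LoginAuthenticator createAuthenticator() {
        return new CompositeAuthenticator(
            new OAuthOrBasicAuthenticator(),
            new CertificateAuthenticator(),
            requireConfig().allowAnonymousUser());
    }

    /** @return a login service that consults the HTTP service and then the X.509 service */
    protected LoginService createLoginService() {
        return new CompositeLoginService(createHttpLoginService(), createX509LoginService());
    }

    /**
     * Creates the HTTP login service: JWT verification (issuer and PEM public key from the
     * config) with MDS BASIC auth as fallback. The BASIC service receives
     * {@code config.originals()}, i.e. the complete raw property map.
     */
    protected LoginService createHttpLoginService() {
        SecurityHandlerConfig cfg = requireConfig();
        String realm = cfg.getString(AUTHENTICATION_REALM_CONFIG);
        // NOTE(review): the trailing "" argument is preserved from the original; its meaning
        // is not visible here — confirm against JwtLoginService.
        JwtLoginService jwt = new JwtLoginService(
            realm,
            cfg.getString(SecurityHandlerConfig.TOKEN_ISSUER_PROP),
            cfg.getString(SecurityHandlerConfig.TOKEN_PUBLIC_KEY_PATH_PROP),
            "");
        MdsBasicLoginService basic = new MdsBasicLoginService(cfg.originals(), realm);
        return new JwtWithFallbackLoginService(jwt, basic);
    }

    /**
     * Creates the certificate login service, mapping the certificate subject to a principal
     * with the rules in {@code auth.ssl.principal.mapping.rules}.
     */
    protected LoginService createX509LoginService() {
        String rules = requireConfig().getString(SecurityHandlerConfig.SSL_PRINCIPAL_MAPPING_RULES_PROP);
        CertificateLoginService service = new CertificateLoginService();
        service.setSslPrincipalMapper(SslPrincipalMapper.fromRules(rules));
        return service;
    }

    /** @return Jetty's default identity service */
    protected IdentityService createIdentityService() {
        return new DefaultIdentityService();
    }
}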
