package io.confluent.common.security.jetty;

import java.io.IOException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.DeferredAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/common/security/jetty/OAuthBearerAuthenticator.class */
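/**
 * Jetty {@link LoginAuthenticator} for RFC 6750 bearer tokens.
 *
 * <p>The token may arrive in the {@code Authorization: Bearer} header, in a cookie, or as a query
 * parameter (see {@link #validateRequest}). The token is handed, unmodified, to the configured
 * login service, which is the only component that actually verifies it; the JWT parsing done in
 * this class is a non-verifying fast path used solely to reject already-expired tokens early.
 */
public class OAuthBearerAuthenticator extends LoginAuthenticator {
    public static final String ACCESS_TOKEN = "access_token";
    public static final String BEARER_KEYWORD = "Bearer";
    public static final String AUTH_TOKEN = "auth_token";
    private static final Logger log = LoggerFactory.getLogger(OAuthBearerAuthenticator.class);

    /**
     * Deliberately NON-verifying parser: signature verification, the signature requirement and
     * every claim validator are switched off. The claims it yields are attacker-controlled and
     * are used for exactly one purpose, the early "already expired" rejection in
     * {@link #authenticateUser}. Never derive identity or authorization from them; the login
     * service returned by {@link #getLoginService()} is the sole authority on the token.
     */
    private final JwtConsumer jwtConsumer = new JwtConsumerBuilder()
            .setSkipSignatureVerification()
            .setDisableRequireSignature()
            .setSkipAllValidators()
            .build();

    /**
     * Failure reasons reported to the client. {@code error} is the RFC 6750 error class,
     * {@code message} a human-readable description of the specific check that failed.
     */
    public enum ErrorCode {
        INVALID_REQUEST_TOKEN_NOT_FOUND("Invalid_Request", "Token is not present"),
        INVALID_REQUEST_BEARER_NOT_FOUND("Invalid_Request", "Authorization Header specifies Auth type other than Bearer"),
        INVALID_REQUEST_INCORRECT_QUERY_PARAM_TOKEN("Invalid_Request", "Query param token does not match with token present in header or cookie."),
        INVALID_TOKEN_UNDEFINED_USER("Invalid Token", "User Identity not found"),
        INVALID_TOKEN_UNDEFINED_PRINCIPAL("Invalid Token", "Unable to extract Principal"),
        INVALID_TOKEN_UNDEFINED_SUBCLAIM_OR_PRINCIPAL("Invalid Token", "Unable to extract SubClaim or Principal Name"),
        INVALID_TOKEN_EXPIRED("Invalid Token", "Token has expired");

        final String error;
        final String message;

        ErrorCode(String error, String message) {
            this.error = error;
            this.message = message;
        }

        /**
         * Renders this code as an {@code error="..."} attribute for a bearer challenge.
         * Both parts are compile-time constants, so nothing client-controlled can reach the
         * response header built from this value.
         */
        public String asHeaderAttribute() {
            return "error=\"" + this.error + " : " + this.message + '\"';
        }
    }

    public String getAuthMethod() {
        return "BEARER";
    }

    /**
     * Locates the bearer token and authenticates the request.
     *
     * <p>Token sources, in order of precedence: Authorization header, cookie, query parameter.
     * A query-parameter token is only accepted on its own when the Authorization header is
     * absent or also says Bearer, and when another source also carries a token the two must be
     * identical; a mismatch is rejected rather than silently picking one. Query-string transport
     * is discouraged by RFC 6750 section 2.3 (tokens end up in access logs, browser history and
     * Referer headers), which is why the response is marked {@code Cache-Control: private}
     * whenever the token came from the query string.
     *
     * @param servletRequest  the incoming request
     * @param servletResponse the response a 401 challenge is written to on failure
     * @param mandatory       when false, authentication is deferred until a protected resource
     *                        actually demands it
     * @return the authentication outcome; {@link Authentication#SEND_FAILURE} after a challenge
     *         has already been written
     * @throws ServerAuthException if the challenge cannot be written
     */
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean mandatory) throws ServerAuthException {
        if (!mandatory) {
            return new DeferredAuthentication(this);
        }
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        OAuthRequestData requestData = extractAuthRequestData(servletRequest);
        String headerToken = requestData.tokenFromAuthHeader();
        String cookieToken = requestData.tokenFromCookie();
        String queryToken = requestData.tokenFromQueryParam();

        String token = headerToken != null ? headerToken : cookieToken;
        if (token == null) {
            if (queryToken == null) {
                log.debug("Authentication failed: Request does not have a token.");
                return sendError(response, ErrorCode.INVALID_REQUEST_TOKEN_NOT_FOUND);
            }
            token = queryToken;
            // A query-string token cannot override an explicit non-Bearer Authorization header.
            if (requestData.authHeaderSpecifiesSomeOtherAuthType()) {
                log.debug("Authentication failed: Request has an Authorization header, but it does not specify Bearer.");
                return sendError(response, ErrorCode.INVALID_REQUEST_BEARER_NOT_FOUND);
            }
        } else if (queryToken != null && !token.equals(queryToken)) {
            // Both values are client-supplied, so a constant-time compare buys nothing here.
            log.debug("Authentication failed: Request has a token in the Authorization header, but it does not match the token in the query parameter.");
            return sendError(response, ErrorCode.INVALID_REQUEST_INCORRECT_QUERY_PARAM_TOKEN);
        }

        if (queryToken != null) {
            // RFC 6750 section 2.3: responses to query-parameter bearer requests must not be cached by shared caches.
            response.setHeader(HttpHeader.CACHE_CONTROL.toString(), "private");
        }
        return authenticateUser(servletRequest, response, token);
    }

    private OAuthRequestData extractAuthRequestData(ServletRequest servletRequest) {
        return OAuthRequestDataFactory.getInstance().getOAuthRequestData((HttpServletRequest) servletRequest);
    }

    /**
     * Rejects a visibly expired token early, then delegates the real verification of
     * {@code token} to the login service and maps its answer to an {@link Authentication}.
     *
     * @param servletRequest the request, passed through to the login service
     * @param response       where a 401 challenge is written on failure
     * @param token          the raw bearer token as presented by the client
     */
    private Authentication authenticateUser(ServletRequest servletRequest, HttpServletResponse response, String token) throws ServerAuthException {
        if (unverifiedClaimsSayExpired(parseJwtToken(token))) {
            log.debug("Invalid Token: Token has expired.");
            return sendError(response, ErrorCode.INVALID_TOKEN_EXPIRED);
        }

        // The login service is the authority: it receives the untouched token as the credential.
        UserIdentity identity = getLoginService().login((String) null, token, servletRequest);
        ErrorCode failure = getUserValidityResult(identity);
        if (failure == null) {
            return new UserAuthentication(getAuthMethod(), identity);
        }
        // A deferred attempt (DeferredAuthentication.authenticate) must not emit a challenge.
        if (DeferredAuthentication.isDeferred(response)) {
            log.debug("Authentication failed: Unauthenticated.");
            return Authentication.UNAUTHENTICATED;
        }
        log.debug("Authentication failed: {}", failure.message);
        return sendError(response, failure);
    }

    /**
     * Fast-fail check on UNVERIFIED claims: true only when an {@code exp} claim is present and
     * lies in the past. Anything else (no parse, no {@code exp}, malformed {@code exp}) returns
     * false and leaves the decision to the login service. Note that {@code exp * 1000} can
     * overflow for absurd values; the result then compares as expired, i.e. fails closed.
     */
    private boolean unverifiedClaimsSayExpired(JwtClaims claims) {
        if (claims == null) {
            return false;
        }
        try {
            return claims.getExpirationTime() != null
                    && claims.getExpirationTime().getValue() * 1000 < System.currentTimeMillis();
        } catch (MalformedClaimException e) {
            // getExpirationTime() returns null when exp is absent; this path means exp exists but is not numeric.
            log.debug("exp claim is malformed, letting the underlying login service handle it.");
            return false;
        }
    }

    /**
     * Parses {@code token} without any verification (see {@link #jwtConsumer}).
     *
     * @return the unverified claims, or null when the token is not a parseable JWT; the login
     *         service may still accept such tokens, so this is not an authentication failure
     */
    private JwtClaims parseJwtToken(String token) {
        try {
            return this.jwtConsumer.processToClaims(token);
        } catch (Exception e) {
            // Best effort only. Logged at debug because the input is unauthenticated and
            // client-controlled; the message intentionally omits the token and the parser detail.
            log.debug("Found an invalid JWT token, letting the underlying login service handle it.");
            return null;
        }
    }

    public boolean requestIsOath(HttpServletRequest httpServletRequest) {
        return OAuthRequestDataFactory.getInstance().getOAuthRequestData(httpServletRequest).isOathRequest();
    }

    /**
     * Writes a 401 bearer challenge and reports {@link Authentication#SEND_FAILURE}.
     *
     * <p>The challenge is sent both in the {@code WWW-Authenticate} header, as RFC 6750
     * section 3 requires for bearer-protected resources, and as the plain-text body, which is
     * what earlier versions of this class emitted and what existing clients may parse. The realm
     * is the login service name (operator configuration, not client input).
     *
     * @param errorCode the failure to report, or null for a bare challenge
     */
    private Authentication sendError(HttpServletResponse response, ErrorCode errorCode) throws ServerAuthException {
        StringBuilder challenge = new StringBuilder("Bearer realm=\"").append(getLoginService().getName()).append('\"');
        if (errorCode != null) {
            challenge.append(',').append(errorCode.asHeaderAttribute());
        }
        String challengeText = challenge.toString();
        try {
            response.resetBuffer();
            response.setStatus(401);
            response.setHeader(HttpHeader.WWW_AUTHENTICATE.toString(), challengeText);
            // text/plain keeps the realm/error text from being interpreted as markup by browsers.
            response.setHeader("Content-Type", "text/plain");
            response.getOutputStream().print(challengeText);
            response.flushBuffer();
            return Authentication.SEND_FAILURE;
        } catch (IOException e) {
            throw new ServerAuthException(e);
        }
    }

    /**
     * Maps a login-service result to a failure code.
     *
     * @return null when {@code userIdentity} carries a usable, non-empty principal name;
     *         otherwise the code describing what is missing
     */
    private ErrorCode getUserValidityResult(UserIdentity userIdentity) {
        if (userIdentity == null) {
            return ErrorCode.INVALID_TOKEN_UNDEFINED_USER;
        }
        if (userIdentity.getUserPrincipal() == null) {
            return ErrorCode.INVALID_TOKEN_UNDEFINED_PRINCIPAL;
        }
        String name = userIdentity.getUserPrincipal().getName();
        if (name == null || name.isEmpty()) {
            return ErrorCode.INVALID_TOKEN_UNDEFINED_SUBCLAIM_OR_PRINCIPAL;
        }
        return null;
    }

    /** Nothing to post-process: bearer authentication leaves the response untouched. */
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean mandatory, Authentication.User user) {
        return true;
    }
}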
