package io.confluent.kafka.clients.plugins.auth.oauth;

import io.confluent.kafka.clients.plugins.auth.oauth.internals.SpireJwtTokenLoginValidator;
import io.confluent.kafka.clients.plugins.auth.oauth.internals.SpireJwtTokenRetriever;
import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetriever;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator;
import org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/oauth/SpireJwtLoginCallbackHandler.class */
public class SpireJwtLoginCallbackHandler implements AuthenticateCallbackHandler {
    public static final String SASL_OAUTHBEARER_TOKEN_SPIRE_AGENT_ENDPOINT = "sasl.oauthbearer.token.spire.agent.endpoint";
    private final Logger log = LoggerFactory.getLogger((Class<?>) SpireJwtLoginCallbackHandler.class);
    private boolean isConfigured = false;
    protected AccessTokenRetriever accessTokenRetriever;
    private AccessTokenValidator accessTokenValidator;
    private String logicalCluster;

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        JaasOptionsUtils.validateOAuthMechanismAndNonNullJaasConfig(str, list);
        this.logicalCluster = (String) Collections.unmodifiableMap(list.get(0).getOptions()).get(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY);
        if (this.logicalCluster == null || this.logicalCluster.isEmpty()) {
            this.log.error("No logical cluster extension was provided in JAAS config!");
            throw new ConfigException("Logical cluster for must be set in the JAAS config.");
        }
        initAccessTokenRetriever(validateSpireAgentEndpoint(map.get(SASL_OAUTHBEARER_TOKEN_SPIRE_AGENT_ENDPOINT)));
        this.accessTokenValidator = new SpireJwtTokenLoginValidator();
        this.isConfigured = true;
    }

    protected void initAccessTokenRetriever(String str) {
        this.accessTokenRetriever = new SpireJwtTokenRetriever(str, this.logicalCluster);
    }

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void close() {
        try {
            this.accessTokenRetriever.close();
        } catch (IOException e) {
            this.log.error("Unable to close the SpireJwtTokenRetriever", (Throwable) e);
        }
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        checkConfigured();
        for (Callback callback : callbackArr) {
            if (callback instanceof OAuthBearerTokenCallback) {
                handleSpireTokenCallback((OAuthBearerTokenCallback) callback);
            } else {
                if (!(callback instanceof SaslExtensionsCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }
                handleExtensionsCallback((SaslExtensionsCallback) callback);
            }
        }
    }

    private void handleSpireTokenCallback(OAuthBearerTokenCallback oAuthBearerTokenCallback) throws IOException {
        checkConfigured();
        oAuthBearerTokenCallback.token(this.accessTokenValidator.validate(this.accessTokenRetriever.retrieve()));
    }

    private void handleExtensionsCallback(SaslExtensionsCallback saslExtensionsCallback) {
        checkConfigured();
        HashMap hashMap = new HashMap();
        hashMap.put(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY, this.logicalCluster);
        saslExtensionsCallback.extensions(new SaslExtensions(hashMap));
    }

    private String validateSpireAgentEndpoint(Object obj) {
        if (obj == null || obj.toString().isEmpty()) {
            throw new ConfigException(String.format("The OAuth configuration option %s value must be non-null", SASL_OAUTHBEARER_TOKEN_SPIRE_AGENT_ENDPOINT));
        }
        return obj.toString();
    }

    private void checkConfigured() {
        if (!this.isConfigured) {
            throw new IllegalStateException(String.format("To use %s, first call the configure", getClass().getSimpleName()));
        }
    }
}
