package io.confluent.kafka.clients.plugins.auth.token;

import com.fasterxml.jackson.core.type.TypeReference;
import io.confluent.kafka.clients.plugins.auth.entities.SanitizeTokenRequest;
import io.confluent.security.auth.client.provider.BuiltInAuthProviders;
import io.confluent.security.auth.client.rest.RestClient;
import io.confluent.security.auth.client.rest.RestRequest;
import io.confluent.security.auth.client.rest.entities.AuthenticationResponse;
import io.confluent.security.auth.client.rest.exceptions.RestClientException;
import io.confluent.security.auth.common.JwtBearerToken;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/token/TokenBearerLoginCallbackHandler.class */
public class TokenBearerLoginCallbackHandler extends AbstractTokenLoginCallbackHandler {
    private RestClient restClient;
    private Map<String, Object> configs;
    private JwtConsumer jwtReader;
    private static final String SANITIZE_TOKEN_ENDPOINT = "/token/sanitize";
    private static final String MEX_CLAIM = "mex";
    private static final Logger log = LoggerFactory.getLogger(TokenBearerLoginCallbackHandler.class);
    private static final TypeReference<AuthenticationResponse> AUTHENTICATION_RESPONSE_TYPE = new TypeReference<AuthenticationResponse>() { // from class: io.confluent.kafka.clients.plugins.auth.token.TokenBearerLoginCallbackHandler.1
    };

    @Override // io.confluent.kafka.clients.plugins.auth.token.AbstractTokenLoginCallbackHandler
    public void configure(Map<String, ?> map) {
        this.configs = new HashMap(map);
        this.configs.put("confluent.metadata.http.auth.credentials.provider", BuiltInAuthProviders.HttpCredentialProviders.BEARER.name());
        this.jwtReader = new JwtConsumerBuilder().setSkipSignatureVerification().setDisableRequireSignature().setSkipAllValidators().setSkipAllDefaultValidators().build();
        String str = (String) map.get("authenticationToken");
        if (str.isEmpty()) {
            throw new ConfigException(String.format("Missing required configuration %s which has no default value.", "authenticationToken"));
        }
        createAndSetRestClient(this.configs, str);
    }

    private void createAndSetRestClient(Map<String, Object> map, String str) {
        map.put("confluent.metadata.token.auth.credential", str);
        close();
        this.restClient = createRestClient(map);
    }

    protected RestClient createRestClient(Map<String, Object> map) {
        return new RestClient(map);
    }

    @Override // io.confluent.kafka.clients.plugins.auth.token.AbstractTokenLoginCallbackHandler
    void attachAuthToken(OAuthBearerTokenCallback oAuthBearerTokenCallback) {
        if (oAuthBearerTokenCallback.token() != null) {
            throw new IllegalArgumentException("Callback had an Authentication Token already");
        }
        try {
            String obj = this.configs.get("confluent.metadata.token.auth.credential").toString();
            if (getCurrentClaims(obj).hasClaim(MEX_CLAIM)) {
                ArrayList arrayList = new ArrayList();
                arrayList.add(MEX_CLAIM);
                OAuthBearerToken sanitizeToken = sanitizeToken(obj, arrayList);
                log.debug("Successfully sanitized the token for claims: {}", Arrays.toString(arrayList.toArray()));
                createAndSetRestClient(this.configs, sanitizeToken.value());
            }
            OAuthBearerToken login = this.restClient.login();
            createAndSetRestClient(this.configs, login.value());
            oAuthBearerTokenCallback.token(login);
        } catch (Exception e) {
            throw new KafkaException("TokenBearerLoginCallbackHandler failed due to exception while sanitizing token", e);
        }
    }

    protected JwtClaims getCurrentClaims(String str) {
        try {
            return this.jwtReader.processToClaims(str);
        } catch (Exception e) {
            throw new KafkaException("TokenBearerLoginCallbackHandler failed due to get current claims", e);
        }
    }

    protected OAuthBearerToken sanitizeToken(String str, Collection<String> collection) throws RestClientException, URISyntaxException {
        log.debug("Got a request to sanitize the token for claims: {}", Arrays.toString(collection.toArray()));
        RestRequest newRequest = this.restClient.newRequest(SANITIZE_TOKEN_ENDPOINT);
        newRequest.setRequest(new SanitizeTokenRequest(str, collection));
        newRequest.setRequestMethod("POST");
        newRequest.setResponse(AUTHENTICATION_RESPONSE_TYPE);
        return new JwtBearerToken(((AuthenticationResponse) this.restClient.sendRequest(newRequest)).authenticationToken());
    }

    @Override // io.confluent.kafka.clients.plugins.auth.token.AbstractTokenLoginCallbackHandler
    public void close() {
        closeRestClient();
    }

    private void closeRestClient() {
        if (this.restClient != null) {
            this.restClient.close();
        }
    }
}
