package io.confluent.rbacapi.login.initializer;

import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.JwtWithFallbackLoginService;
import io.confluent.common.security.jetty.OAuthOrBasicAuthenticator;
import io.confluent.rbacapi.app.RbacApiAppConfig;
import io.confluent.rest.auth.AuthUtil;
import io.confluent.tokenapi.jwt.JwtConfig;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigDef;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rbacapi/login/initializer/InstallHashLoginServiceSecurityHandler.class */
public class InstallHashLoginServiceSecurityHandler implements Consumer<ServletContextHandler>, Configurable {
    private static final Logger log = LoggerFactory.getLogger(InstallHashLoginServiceSecurityHandler.class);
    private HashLoginServiceConfig config;

    /* loaded from: input_file:io/confluent/rbacapi/login/initializer/InstallHashLoginServiceSecurityHandler$HashLoginServiceConfig.class */
    public static class HashLoginServiceConfig extends JwtConfig {
        public static final String HASH_LOGIN_PATH_PROP = "hash.login.path";
        private static final String HASH_LOGIN_PROP_PATH_DOC = "HashLoginService property file containing user credentials.";
        private static final ConfigDef CONFIG = baseConfigDef().define(HASH_LOGIN_PATH_PROP, ConfigDef.Type.STRING, ConfigDef.Importance.HIGH, HASH_LOGIN_PROP_PATH_DOC);

        private HashLoginServiceConfig(Map<?, ?> map) {
            super(CONFIG, map);
        }
    }

    public void configure(Map<String, ?> map) {
        this.config = new HashLoginServiceConfig(map);
    }

    @Override // java.util.function.Consumer
    public void accept(ServletContextHandler servletContextHandler) {
        servletContextHandler.setSecurityHandler(createHashLoginServiceSecurityHandler());
    }

    private ConstraintSecurityHandler createHashLoginServiceSecurityHandler() {
        String string = this.config.getString("authentication.realm");
        String string2 = this.config.getString(RbacApiAppConfig.PUBLIC_KEY_PATH_PROP);
        String string3 = this.config.getString(HashLoginServiceConfig.HASH_LOGIN_PATH_PROP);
        String string4 = this.config.getString(JwtConfig.TOKEN_ISSUER_PROP);
        String string5 = this.config.getString(JwtConfig.TOKEN_ROLES_PROP);
        HashLoginService hashLoginService = new HashLoginService(string, string3);
        JwtLoginService jwtLoginService = new JwtLoginService(string, string4, string2, string5);
        ConstraintSecurityHandler constraintSecurityHandler = new ConstraintSecurityHandler();
        constraintSecurityHandler.addConstraintMapping(AuthUtil.createGlobalAuthConstraint(this.config));
        constraintSecurityHandler.setAuthenticator(new OAuthOrBasicAuthenticator());
        constraintSecurityHandler.setLoginService(new JwtWithFallbackLoginService(jwtLoginService, hashLoginService));
        constraintSecurityHandler.setIdentityService(jwtLoginService.getIdentityService());
        constraintSecurityHandler.setRealmName(string);
        List createUnsecuredConstraints = AuthUtil.createUnsecuredConstraints(this.config);
        constraintSecurityHandler.getClass();
        createUnsecuredConstraints.forEach(constraintSecurityHandler::addConstraintMapping);
        log.trace("Enable HashLoginService.");
        return constraintSecurityHandler;
    }
}
