package io.strimzi.kafka.oauth.server;

import com.fasterxml.jackson.databind.node.ObjectNode;
import io.strimzi.kafka.oauth.common.BearerTokenWithPayload;
import io.strimzi.kafka.oauth.common.Config;
import io.strimzi.kafka.oauth.common.ConfigUtil;
import io.strimzi.kafka.oauth.common.DeprecationUtil;
import io.strimzi.kafka.oauth.common.IOUtil;
import io.strimzi.kafka.oauth.common.LogUtil;
import io.strimzi.kafka.oauth.common.PrincipalExtractor;
import io.strimzi.kafka.oauth.common.TimeUtil;
import io.strimzi.kafka.oauth.common.TokenInfo;
import io.strimzi.kafka.oauth.common.TokenIntrospection;
import io.strimzi.kafka.oauth.services.Services;
import io.strimzi.kafka.oauth.services.ValidatorKey;
import io.strimzi.kafka.oauth.validator.JWTSignatureValidator;
import io.strimzi.kafka.oauth.validator.OAuthIntrospectionValidator;
import io.strimzi.kafka.oauth.validator.TokenValidationException;
import io.strimzi.kafka.oauth.validator.TokenValidator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/strimzi/kafka/oauth/server/JaasServerOauthValidatorCallbackHandler.class */
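/**
 * Broker-side {@link AuthenticateCallbackHandler} for the OAUTHBEARER SASL mechanism.
 * <p>
 * {@link #configure} turns the single JAAS login-module entry into a {@link ServerConfig},
 * validates the option combinations, and obtains a {@link TokenValidator} from the shared
 * {@link Services} registry: a {@link JWTSignatureValidator} when
 * {@code OAUTH_JWKS_ENDPOINT_URI} is set, otherwise an {@link OAuthIntrospectionValidator}.
 * {@link #handle} validates the token of every {@link OAuthBearerValidatorCallback} and, on
 * success, attaches a {@link BearerTokenWithPayloadImpl}; any failure is converted to an
 * {@link OAuthSaslAuthenticationException} that carries a random error id also written to the
 * broker log, so a client-reported failure can be correlated with the log entry.
 */
public class JaasServerOauthValidatorCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger(JaasServerOauthValidatorCallbackHandler.class);

    // All fields are assigned once during configure(); there is no further synchronisation.
    private TokenValidator validator;
    private ServerConfig config;
    private boolean isJwt;
    private SSLSocketFactory socketFactory;
    private HostnameVerifier verifier;
    private PrincipalExtractor principalExtractor;
    private int connectTimeout;
    private int readTimeout;

    /**
     * Immutable view of a validated {@link TokenInfo} exposed to Kafka as a bearer token.
     * Equality and hashing are delegated to the wrapped {@link TokenInfo}; only the mutable
     * {@code payload} slot is owned by this object.
     */
    public static class BearerTokenWithPayloadImpl implements BearerTokenWithPayload {
        private final TokenInfo info;
        private Object payload;

        /**
         * @param tokenInfo the validated token; must not be {@code null}
         * @throws IllegalArgumentException if {@code tokenInfo} is {@code null}
         */
        BearerTokenWithPayloadImpl(TokenInfo tokenInfo) {
            if (tokenInfo == null) {
                throw new IllegalArgumentException("TokenInfo == null");
            }
            this.info = tokenInfo;
        }

        /** Returns the arbitrary object attached via {@link #setPayload}, or {@code null}. */
        @Override
        public Object getPayload() {
            return this.payload;
        }

        /** Attaches an arbitrary object to this token (the only mutable state of the wrapper). */
        @Override
        public void setPayload(Object obj) {
            this.payload = obj;
        }

        /** Groups extracted during validation, as reported by {@code TokenInfo.groups()}. */
        @Override
        public Set<String> getGroups() {
            return this.info.groups();
        }

        /** The parsed token payload, as reported by {@code TokenInfo.payload()}. */
        @Override
        public ObjectNode getJSON() {
            return this.info.payload();
        }

        /** The raw token string. */
        @Override
        public String value() {
            return this.info.token();
        }

        @Override
        public Set<String> scope() {
            return this.info.scope();
        }

        /** Backed by {@code TokenInfo.expiresAtMs()}. */
        @Override
        public long lifetimeMs() {
            return this.info.expiresAtMs();
        }

        @Override
        public String principalName() {
            return this.info.principal();
        }

        /** Backed by {@code TokenInfo.issuedAtMs()}. */
        @Override
        public Long startTimeMs() {
            return this.info.issuedAtMs();
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            BearerTokenWithPayloadImpl other = (BearerTokenWithPayloadImpl) obj;
            return Objects.equals(this.info, other.info);
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.info);
        }

        /** Human-readable summary; deliberately does not include the token value itself. */
        @Override
        public String toString() {
            long expiresAt = this.info.expiresAtMs();
            long issuedAt = this.info.issuedAtMs();
            return "BearerTokenWithPayloadImpl (principalName: " + this.info.principal()
                    + ", groups: " + this.info.groups()
                    + ", lifetimeMs: " + expiresAt + " [" + TimeUtil.formatIsoDateTimeUTC(expiresAt) + " UTC]"
                    + ", startTimeMs: " + issuedAt + " [" + TimeUtil.formatIsoDateTimeUTC(issuedAt) + " UTC]"
                    + ", scope: " + this.info.scope() + ")";
        }
    }

    /**
     * Reads and validates the JAAS configuration and installs the token validator.
     *
     * @param map  the Kafka configs; passed to {@link Services#configure} if the registry is not yet up
     * @param str  the SASL mechanism, which must be {@code OAUTHBEARER}
     * @param list the JAAS entries; exactly one is expected (see {@link #parseJaasConfig})
     * @throws IllegalArgumentException for an unexpected mechanism or entry count
     * @throws RuntimeException for an invalid option combination (message is prefixed with
     *         {@code "OAuth validator configuration error: "})
     */
    @Override
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!"OAUTHBEARER".equals(str)) {
            throw new IllegalArgumentException(String.format("Unexpected SASL mechanism: %s", str));
        }
        parseJaasConfig(list);
        this.isJwt = DeprecationUtil.isAccessTokenJwt(this.config, log, "OAuth validator configuration error: ");
        validateConfig();

        this.socketFactory = ConfigUtil.createSSLFactory(this.config);
        this.verifier = ConfigUtil.createHostnameVerifier(this.config);

        String jwksUri = this.config.getValue(ServerConfig.OAUTH_JWKS_ENDPOINT_URI);
        String validIssuerUri = this.config.getValue(ServerConfig.OAUTH_VALID_ISSUER_URI);
        validateIssuerUri(validIssuerUri);
        checkDeprecatedConfig();

        boolean checkAccessTokenType = isCheckAccessTokenType(this.config);
        boolean checkAudience = this.config.getValueAsBoolean(ServerConfig.OAUTH_CHECK_AUDIENCE, false);

        String usernameClaim = this.config.getValue("oauth.username.claim");
        String fallbackUsernameClaim = this.config.getValue("oauth.fallback.username.claim");
        String fallbackUsernamePrefix = this.config.getValue("oauth.fallback.username.prefix");
        validateFallbackUsernameParameters(usernameClaim, fallbackUsernameClaim, fallbackUsernamePrefix);
        this.principalExtractor = new PrincipalExtractor(usernameClaim, fallbackUsernameClaim, fallbackUsernamePrefix);

        String clientId = this.config.getValue("oauth.client.id");
        String clientSecret = this.config.getValue("oauth.client.secret");
        if (checkAudience && clientId == null) {
            throw new RuntimeException("Oauth validator configuration error: OAUTH_CLIENT_ID must be set when OAUTH_CHECK_AUDIENCE is 'true'");
        }
        // The audience is only enforced when explicitly enabled; the expected value is this broker's client id.
        String audience = checkAudience ? clientId : null;

        String customClaimCheck = this.config.getValue(ServerConfig.OAUTH_CUSTOM_CLAIM_CHECK);
        String groupsClaim = this.config.getValue(ServerConfig.OAUTH_GROUPS_CLAIM);
        String groupsClaimDelimiter = this.config.getValue(ServerConfig.OAUTH_GROUPS_CLAIM_DELIMITER);

        if (!Services.isAvailable()) {
            Services.configure(map);
        }

        String sslTruststore = this.config.getValue("oauth.ssl.truststore.location");
        String sslPassword = this.config.getValue("oauth.ssl.truststore.password");
        String sslType = this.config.getValue("oauth.ssl.truststore.type");
        String sslRnd = this.config.getValue("oauth.ssl.secure.random.implementation");

        this.connectTimeout = ConfigUtil.getConnectTimeout(this.config);
        this.readTimeout = ConfigUtil.getReadTimeout(this.config);

        // validateConfig() guarantees exactly one of the two endpoint URIs is set.
        if (jwksUri != null) {
            setupJWKSValidator(jwksUri, validIssuerUri, checkAccessTokenType, usernameClaim, fallbackUsernameClaim,
                    fallbackUsernamePrefix, groupsClaim, groupsClaimDelimiter, audience, customClaimCheck,
                    sslTruststore, sslPassword, sslType, sslRnd);
        } else {
            setupIntrospectionValidator(validIssuerUri, usernameClaim, fallbackUsernameClaim, fallbackUsernamePrefix,
                    groupsClaim, groupsClaimDelimiter, clientId, clientSecret, audience, customClaimCheck,
                    sslTruststore, sslPassword, sslType, sslRnd);
        }
    }

    /**
     * Looks up (or creates and registers) the shared {@link OAuthIntrospectionValidator}.
     * Every configuration value that influences validation, including whether a hostname
     * verifier is present and the connection timeouts, is part of the registry key, so two
     * listeners with different settings never share a validator.
     */
    private void setupIntrospectionValidator(String validIssuerUri, String usernameClaim, String fallbackUsernameClaim,
                                             String fallbackUsernamePrefix, String groupsClaim, String groupsClaimDelimiter,
                                             String clientId, String clientSecret, String audience, String customClaimCheck,
                                             String sslTruststore, String sslPassword, String sslType, String sslRnd) {
        String introspectionUri = this.config.getValue(ServerConfig.OAUTH_INTROSPECTION_ENDPOINT_URI);
        String userInfoUri = this.config.getValue(ServerConfig.OAUTH_USERINFO_ENDPOINT_URI);
        String validTokenType = this.config.getValue(ServerConfig.OAUTH_VALID_TOKEN_TYPE);

        ValidatorKey.IntrospectionValidatorKey key = new ValidatorKey.IntrospectionValidatorKey(
                validIssuerUri, audience, customClaimCheck,
                usernameClaim, fallbackUsernameClaim, fallbackUsernamePrefix,
                groupsClaim, groupsClaimDelimiter,
                sslTruststore, sslPassword, sslType, sslRnd, this.verifier != null,
                introspectionUri, userInfoUri, validTokenType, clientId, clientSecret,
                this.connectTimeout, this.readTimeout);

        this.validator = Services.getInstance().getValidators().get(key, () ->
                new OAuthIntrospectionValidator(introspectionUri, this.socketFactory, this.verifier, this.principalExtractor,
                        groupsClaim, groupsClaimDelimiter, validIssuerUri, userInfoUri, validTokenType,
                        clientId, clientSecret, audience, customClaimCheck,
                        this.connectTimeout, this.readTimeout));
    }

    /**
     * Looks up (or creates and registers) the shared {@link JWTSignatureValidator}.
     * JWKS refresh / expiry / minimum-pause intervals default to 300 / 360 / 1 seconds.
     * Note the constructor takes the intervals in the order refresh, min-pause, expiry while the
     * key takes refresh, expiry, min-pause; both orders are preserved here.
     */
    private void setupJWKSValidator(String jwksUri, String validIssuerUri, boolean checkAccessTokenType,
                                    String usernameClaim, String fallbackUsernameClaim, String fallbackUsernamePrefix,
                                    String groupsClaim, String groupsClaimDelimiter, String audience, String customClaimCheck,
                                    String sslTruststore, String sslPassword, String sslType, String sslRnd) {
        int jwksRefreshSeconds = this.config.getValueAsInt(ServerConfig.OAUTH_JWKS_REFRESH_SECONDS, 300);
        int jwksExpirySeconds = this.config.getValueAsInt(ServerConfig.OAUTH_JWKS_EXPIRY_SECONDS, 360);
        int jwksMinPauseSeconds = this.config.getValueAsInt(ServerConfig.OAUTH_JWKS_REFRESH_MIN_PAUSE_SECONDS, 1);

        ValidatorKey.JwtValidatorKey key = new ValidatorKey.JwtValidatorKey(
                validIssuerUri, audience, customClaimCheck,
                usernameClaim, fallbackUsernameClaim, fallbackUsernamePrefix,
                groupsClaim, groupsClaimDelimiter,
                sslTruststore, sslPassword, sslType, sslRnd, this.verifier != null,
                jwksUri, jwksRefreshSeconds, jwksExpirySeconds, jwksMinPauseSeconds, checkAccessTokenType,
                this.connectTimeout, this.readTimeout);

        this.validator = Services.getInstance().getValidators().get(key, () ->
                new JWTSignatureValidator(jwksUri, this.socketFactory, this.verifier, this.principalExtractor,
                        groupsClaim, groupsClaimDelimiter, validIssuerUri,
                        jwksRefreshSeconds, jwksMinPauseSeconds, jwksExpirySeconds, checkAccessTokenType,
                        audience, customClaimCheck,
                        this.connectTimeout, this.readTimeout));
    }

    /** Warns about options that are still accepted but no longer have any effect. */
    private void checkDeprecatedConfig() {
        warnIfDeprecatedOptionSet("oauth.crypto.provider.bouncycastle",
                "The OAUTH_CRYPTO_PROVIDER_BOUNCYCASTLE option has been deprecated. ECDSA is automatically available without the need for BouncyCastle JCE provider.");
        warnIfDeprecatedOptionSet("oauth.crypto.provider.bouncycastle.position",
                "The OAUTH_CRYPTO_PROVIDER_BOUNCYCASTLE_POSITION option has been deprecated. ECDSA is automatically available without the need for BouncyCastle JCE provider.");
    }

    /** Logs {@code message} at WARN level if the option {@code key} is present in the config. */
    private void warnIfDeprecatedOptionSet(String key, String message) {
        if (this.config.getValue(key) != null) {
            log.warn(message);
        }
    }

    /**
     * Builds the {@link ServerConfig} from the JAAS entry options; idempotent once set.
     *
     * @param list the JAAS entries for this listener
     * @return the (possibly previously created) config
     * @throws IllegalArgumentException unless exactly one entry is present
     */
    protected ServerConfig parseJaasConfig(List<AppConfigurationEntry> list) {
        if (this.config != null) {
            return this.config;
        }
        if (list.size() != 1) {
            // Fixed: the original message was missing the closing parenthesis.
            throw new IllegalArgumentException("Exactly one jaasConfigEntry expected (size: " + list.size() + ")");
        }
        Properties properties = new Properties();
        properties.putAll(list.get(0).getOptions());
        this.config = new ServerConfig(properties);
        return this.config;
    }

    /**
     * Resolves whether the token type claim must be checked.
     * {@code OAUTH_CHECK_ACCESS_TOKEN_TYPE} defaults to {@code true}; the deprecated
     * {@code OAUTH_VALIDATION_SKIP_TYPE_CHECK} has the reverse meaning and may not be combined with it.
     *
     * @throws RuntimeException if both options are set
     */
    private static boolean isCheckAccessTokenType(Config config) {
        String skipTypeCheck = config.getValue(ServerConfig.OAUTH_VALIDATION_SKIP_TYPE_CHECK);
        if (skipTypeCheck == null) {
            return config.getValueAsBoolean(ServerConfig.OAUTH_CHECK_ACCESS_TOKEN_TYPE, true);
        }
        log.warn("OAUTH_VALIDATION_SKIP_TYPE_CHECK is deprecated. Use OAUTH_CHECK_ACCESS_TOKEN_TYPE (with reverse meaning) instead.");
        if (config.getValue(ServerConfig.OAUTH_CHECK_ACCESS_TOKEN_TYPE) != null) {
            throw new RuntimeException("OAuth validator configuration error: can't use both OAUTH_CHECK_ACCESS_TOKEN_TYPE and OAUTH_VALIDATION_SKIP_TYPE_CHECK");
        }
        return !Config.isTrue(skipTypeCheck);
    }

    /**
     * Ensures exactly one validation mode is selected, and that local JWT validation is not
     * combined with {@code OAUTH_ACCESS_TOKEN_IS_JWT=false}.
     *
     * @throws RuntimeException on an invalid combination
     */
    private void validateConfig() {
        String jwksUri = this.config.getValue(ServerConfig.OAUTH_JWKS_ENDPOINT_URI);
        String introspectionUri = this.config.getValue(ServerConfig.OAUTH_INTROSPECTION_ENDPOINT_URI);
        boolean jwksSet = jwksUri != null;
        boolean introspectionSet = introspectionUri != null;
        if (!jwksSet && !introspectionSet) {
            throw new RuntimeException("OAuth validator configuration error: either OAUTH_JWKS_ENDPOINT_URI (for fast local signature validation) or OAUTH_INTROSPECTION_ENDPOINT_URI (for using authorization server during validation) should be specified!");
        }
        if (jwksSet && introspectionSet) {
            throw new RuntimeException("OAuth validator configuration error: only one of OAUTH_JWKS_ENDPOINT_URI (for fast local signature validation) and OAUTH_INTROSPECTION_ENDPOINT_URI (for using authorization server during validation) can be specified!");
        }
        if (jwksSet && !this.isJwt) {
            throw new RuntimeException("OAuth validator configuration error: OAUTH_JWKS_ENDPOINT_URI (for fast local signature validation) is not compatible with OAUTH_ACCESS_TOKEN_IS_JWT=false");
        }
    }

    /**
     * Issuer checking is on by default ({@code OAUTH_CHECK_ISSUER} defaults to {@code true}), so a
     * missing {@code OAUTH_VALID_ISSUER_URI} is only acceptable when the check is explicitly disabled.
     *
     * @throws RuntimeException if the issuer is neither configured nor its check disabled
     */
    private void validateIssuerUri(String validIssuerUri) {
        boolean checkIssuer = this.config.getValueAsBoolean(ServerConfig.OAUTH_CHECK_ISSUER, true);
        if (validIssuerUri == null && checkIssuer) {
            throw new RuntimeException("OAuth validator configuration error: OAUTH_VALID_ISSUER_URI must be set or OAUTH_CHECK_ISSUER has to be set to 'false'");
        }
    }

    /**
     * The fallback options form a chain: a prefix requires a fallback claim, which in turn requires
     * a primary username claim.
     *
     * @throws RuntimeException if a later option is set without the one it depends on
     */
    private void validateFallbackUsernameParameters(String usernameClaim, String fallbackUsernameClaim, String fallbackUsernamePrefix) {
        if (fallbackUsernameClaim != null && usernameClaim == null) {
            throw new RuntimeException("OAuth validator configuration error: OAUTH_USERNAME_CLAIM must be set when OAUTH_FALLBACK_USERNAME_CLAIM is set");
        }
        if (fallbackUsernamePrefix != null && fallbackUsernameClaim == null) {
            throw new RuntimeException("OAuth validator configuration error: OAUTH_FALLBACK_USERNAME_CLAIM must be set when OAUTH_FALLBACK_USERNAME_PREFIX is set");
        }
    }

    /** Nothing to release: the validator is owned by the shared {@link Services} registry, not by this handler. */
    @Override
    public void close() {
    }

    /**
     * Handles only {@link OAuthBearerValidatorCallback}s; any other callback type is rejected.
     *
     * @throws UnsupportedCallbackException for a callback that is not an {@link OAuthBearerValidatorCallback}
     * @throws OAuthSaslAuthenticationException (via {@link #handleErrorWithLogger}) when validation fails
     */
    @Override
    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            if (callback instanceof OAuthBearerValidatorCallback) {
                handleCallback((OAuthBearerValidatorCallback) callback);
            } else {
                throw new UnsupportedCallbackException(callback);
            }
        }
    }

    /**
     * Validates the callback's token and attaches the result.
     * <p>
     * Every failure, including non-{@code RuntimeException} throwables, is routed through
     * {@link #handleError} and therefore surfaces as an {@link OAuthSaslAuthenticationException}.
     * The token itself appears in the failure message only masked ({@link LogUtil#mask}).
     */
    private void handleCallback(OAuthBearerValidatorCallback callback) {
        String token = callback.tokenValue();
        if (token == null) {
            throw new IllegalArgumentException("Callback has null token value!");
        }
        debugLogToken(token);
        try {
            // A null TokenInfo is rejected by the wrapper constructor and reported as a runtime failure.
            callback.token(new BearerTokenWithPayloadImpl(validateToken(token)));
            if (log.isDebugEnabled()) {
                log.debug("Set validated token on callback: {}", callback.token());
            }
        } catch (TokenValidationException e) {
            // Fixed: this catch must precede the RuntimeException catch, otherwise it is unreachable
            // (validateToken declares no checked exception, so TokenValidationException is unchecked)
            // and validation failures would be reported with the generic "Runtime failure" message.
            handleError("Token validation failed for token: " + LogUtil.mask(token), e);
        } catch (RuntimeException e) {
            handleError("Runtime failure during token validation", e);
        } catch (Throwable e) {
            handleError("Unexpected failure during token validation", e);
        }
    }

    /** Convenience overload of {@link #handleErrorWithLogger} bound to this class's logger. */
    private void handleError(String message, Throwable cause) {
        handleErrorWithLogger(log, message, cause);
    }

    /**
     * Logs the failure and converts it to an {@link OAuthSaslAuthenticationException}.
     * <p>
     * A random hex error id is appended to the log message and carried in the thrown exception.
     * For {@link TokenValidationException} and {@link SaslAuthenticationException} the exception's own
     * message (and its cause, if any) become the client-visible reason; for any other throwable only
     * the generic {@code str} reaches the client while the full stack trace stays in the broker log
     * (DEBUG for runtime exceptions, ERROR for everything else).
     *
     * @param logger the logger to write to
     * @param str    generic description of the failure
     * @param th     the failure
     * @throws OAuthSaslAuthenticationException always
     */
    protected void handleErrorWithLogger(Logger logger, String str, Throwable th) {
        String errId = IOUtil.randomHexString();
        String logMessage = str + " (ErrId: " + errId + ")";
        String clientMessage = str;
        Throwable clientCause = th;

        if (th instanceof TokenValidationException || th instanceof SaslAuthenticationException) {
            if (logger.isDebugEnabled()) {
                logger.debug(logMessage, th);
            }
            clientMessage = th.getMessage();
            clientCause = th.getCause() != null ? th.getCause() : th;
        } else if (th instanceof RuntimeException) {
            if (logger.isDebugEnabled()) {
                logger.debug(logMessage, th);
            }
        } else {
            logger.error(logMessage, th);
        }
        throw new OAuthSaslAuthenticationException(clientMessage, errId, clientCause);
    }

    /** Delegates to the configured validator; logs the resulting principal at DEBUG level. */
    private TokenInfo validateToken(String token) {
        TokenInfo info = this.validator.validate(token);
        if (log.isDebugEnabled()) {
            log.debug("User validated (Principal:{})", info == null ? "null" : info.principal());
        }
        return info;
    }

    /** Debug-logs the decoded JWT, only when DEBUG is enabled and tokens are configured as JWTs. */
    private void debugLogToken(String token) {
        if (this.isJwt && log.isDebugEnabled()) {
            TokenIntrospection.debugLogJWT(log, token);
        }
    }

    public boolean isJwt() {
        return this.isJwt;
    }

    public SSLSocketFactory getSocketFactory() {
        return this.socketFactory;
    }

    public HostnameVerifier getVerifier() {
        return this.verifier;
    }

    public PrincipalExtractor getPrincipalExtractor() {
        return this.principalExtractor;
    }

    public int getConnectTimeout() {
        return this.connectTimeout;
    }

    public int getReadTimeout() {
        return this.readTimeout;
    }
}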
