package org.apache.kafka.connect.rest.basic.auth.extension;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;
import java.util.regex.Pattern;
import javax.annotation.Priority;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.connect.errors.ConnectException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

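/**
 * JAX-RS container filter that authenticates Connect REST requests using HTTP Basic credentials
 * verified through JAAS.
 *
 * <p>For every request that is not on the internal allow-list, the {@code Authorization} header is
 * parsed and the resulting username/password are handed to a {@link LoginContext} created for the
 * {@code KafkaConnect} JAAS entry. If the login fails, the request is aborted with a 401 response.
 *
 * <p>Points a security reviewer should keep in mind:
 * <ul>
 *   <li>Requests matching {@code INTERNAL_REQUEST_MATCHERS} are not authenticated by this filter
 *       at all. Nothing in this class verifies them in any other way.</li>
 *   <li>Basic credentials are only Base64-encoded. Nothing in this class rejects a request that
 *       arrives over plain HTTP; {@code SecurityContext#isSecure()} merely reports the scheme.</li>
 *   <li>The password is held as an immutable {@link String}, so this class cannot wipe it from
 *       memory after use.</li>
 * </ul>
 */
// 1000 is the value of javax.ws.rs.Priorities.AUTHENTICATION.
@Priority(1000)
public class JaasBasicAuthFilter implements ContainerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(JaasBasicAuthFilter.class);

    /**
     * Method/path pairs that bypass Basic authentication in {@link #filter}.
     *
     * <p>NOTE(review): these look like worker-to-worker endpoints; whatever authenticates them is
     * not visible in this file. Confirm that such a check exists before extending this list,
     * because every entry here is reachable without credentials as far as this filter is
     * concerned.
     */
    private static final Set<RequestMatcher> INTERNAL_REQUEST_MATCHERS = new HashSet<>(Arrays.asList(
            new RequestMatcher("POST", "/?connectors/([^/]+)/tasks/?"),
            new RequestMatcher("PUT", "/?connectors/[^/]+/fence/?")));

    /** Name of the JAAS configuration entry passed to {@link LoginContext}. */
    private static final String CONNECT_LOGIN_MODULE = "KafkaConnect";
    static final String AUTHORIZATION = "Authorization";
    final Configuration configuration;

    /**
     * Supplies the parsed Basic credentials to the JAAS login module.
     *
     * <p>Only {@link NameCallback} and {@link PasswordCallback} are supported.
     */
    public static class BasicAuthCallBackHandler implements CallbackHandler {
        private final String username;
        private final String password;

        /**
         * @param basicAuthCredentials credentials parsed from the request; its username and
         *     password may both be {@code null} when the header was absent or malformed
         */
        public BasicAuthCallBackHandler(BasicAuthCredentials basicAuthCredentials) {
            this.username = basicAuthCredentials.username();
            this.password = basicAuthCredentials.password();
        }

        /**
         * Answers name and password callbacks and rejects everything else.
         *
         * @param callbackArr callbacks issued by the login module
         * @throws ConnectException if any callback is neither a {@link NameCallback} nor a
         *     {@link PasswordCallback}
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            ArrayList<Callback> unsupported = new ArrayList<>();
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(this.username);
                } else if (callback instanceof PasswordCallback) {
                    // PasswordCallback stores its own copy of the array; the login module is
                    // responsible for calling clearPassword() on it.
                    ((PasswordCallback) callback).setPassword(this.password != null ? this.password.toCharArray() : null);
                } else {
                    unsupported.add(callback);
                }
            }
            if (!unsupported.isEmpty()) {
                throw new ConnectException(String.format("Unsupported callbacks %s; request authentication will fail. This indicates the Connect worker was configured with a JAAS LoginModule that is incompatible with the %s, and will need to be corrected and restarted.", unsupported, BasicAuthSecurityRestExtension.class.getSimpleName()));
            }
        }
    }

    /**
     * Username/password pair parsed from an {@code Authorization: Basic ...} header value.
     *
     * <p>Parsing never throws: for any absent or malformed header both accessors return
     * {@code null}, and the decision to reject is left to the JAAS login module.
     */
    // The decompiler widened this class from package-private to public.
    public static class BasicAuthCredentials {
        private String username;
        private String password;

        /**
         * @param str raw value of the {@code Authorization} header, or {@code null} if the request
         *     carried none
         */
        public BasicAuthCredentials(String str) {
            if (str == null) {
                log.trace("No credentials were provided with the request");
                return;
            }
            // <= 0 also rejects a value that starts with a space (empty scheme token).
            int schemeEnd = str.indexOf(' ');
            if (schemeEnd <= 0) {
                log.trace("Request credentials were malformed; no space present in value for authorization header");
                return;
            }
            String scheme = str.substring(0, schemeEnd);
            if (!"BASIC".equalsIgnoreCase(scheme)) {
                log.trace("Request credentials used {} authentication, but only {} supported; ignoring", scheme, "BASIC");
                return;
            }
            byte[] decoded;
            try {
                decoded = Base64.getDecoder().decode(str.substring(schemeEnd + 1));
            } catch (IllegalArgumentException e) {
                // The header is attacker-controlled. Invalid Base64 is handled like every other
                // malformed header (credentials stay null) instead of escaping the filter as an
                // unchecked exception that filter() does not catch.
                log.trace("Request credentials were malformed; value for authorization header is not valid Base64");
                return;
            }
            String userPass = new String(decoded, StandardCharsets.UTF_8);
            // Split on the first colon only, so the password itself may contain colons.
            int colon = userPass.indexOf(':');
            if (colon <= 0) {
                log.trace("Request credentials were malformed; no colon present between username and password");
            } else {
                this.username = userPass.substring(0, colon);
                this.password = userPass.substring(colon + 1);
            }
        }

        /** @return the parsed username, or {@code null} if the header was absent or malformed */
        public String username() {
            return this.username;
        }

        /** @return the parsed password, or {@code null} if the header was absent or malformed */
        public String password() {
            return this.password;
        }
    }

    /**
     * Matches a request by exact HTTP method and by a regular expression that must match the
     * whole request path.
     */
    // The decompiler widened this class from private to public.
    public static class RequestMatcher implements Predicate<ContainerRequestContext> {
        private final String method;
        private final Pattern path;

        /**
         * @param str HTTP method, compared case-sensitively
         * @param str2 regular expression for the request path
         */
        public RequestMatcher(String str, String str2) {
            this.method = str;
            this.path = Pattern.compile(str2);
        }

        @Override // java.util.function.Predicate
        public boolean test(ContainerRequestContext containerRequestContext) {
            // matches() anchors the pattern at both ends, so a longer path cannot match by
            // merely containing an allow-listed segment.
            return containerRequestContext.getMethod().equals(this.method)
                    && this.path.matcher(containerRequestContext.getUriInfo().getPath()).matches();
        }
    }

    /**
     * @param configuration JAAS configuration used for every login attempt
     */
    public JaasBasicAuthFilter(Configuration configuration) {
        this.configuration = configuration;
    }

    /**
     * Authenticates the request, or aborts it with 401 when the JAAS login fails.
     *
     * <p>Requests on the internal allow-list return immediately without any credential check.
     *
     * @param containerRequestContext the incoming request
     */
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (isInternalRequest(containerRequestContext)) {
            log.trace("Skipping authentication for internal request");
            return;
        }
        try {
            log.debug("Authenticating request");
            BasicAuthCredentials credentials = new BasicAuthCredentials(containerRequestContext.getHeaderString(AUTHORIZATION));
            LoginContext loginContext = new LoginContext(
                    CONNECT_LOGIN_MODULE, (Subject) null, new BasicAuthCallBackHandler(credentials), this.configuration);
            loginContext.login();
            setSecurityContextForRequest(containerRequestContext, credentials);
        } catch (LoginException | ConfigException e) {
            // Only the exception is logged; the submitted credentials are never written to the log.
            log.debug("Request failed authentication", e);
            // NOTE(review): the 401 carries no WWW-Authenticate challenge header.
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity("User cannot access the resource.").build());
        }
    }

    /** Returns true when the request matches any entry of {@code INTERNAL_REQUEST_MATCHERS}. */
    private boolean isInternalRequest(ContainerRequestContext containerRequestContext) {
        return INTERNAL_REQUEST_MATCHERS.stream().anyMatch(matcher -> matcher.test(containerRequestContext));
    }

    /**
     * Installs a {@link SecurityContext} that exposes the authenticated username as the principal.
     *
     * <p>The context grants no roles: {@code isUserInRole} always returns {@code false}.
     */
    private void setSecurityContextForRequest(final ContainerRequestContext containerRequestContext, final BasicAuthCredentials basicAuthCredentials) {
        containerRequestContext.setSecurityContext(new SecurityContext() {
            public Principal getUserPrincipal() {
                // Principal#getName() is backed by username(), which is null when no username
                // was parsed from the header.
                return basicAuthCredentials::username;
            }

            public boolean isUserInRole(String str) {
                return false;
            }

            public boolean isSecure() {
                return "https".equalsIgnoreCase(containerRequestContext.getUriInfo().getRequestUri().getScheme());
            }

            public String getAuthenticationScheme() {
                return "BASIC";
            }
        });
    }
}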
