package org.apache.nifi.kafka.shared.validation;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import java.util.function.Function;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.kafka.shared.component.KafkaClientComponent;
import org.apache.nifi.kafka.shared.property.KafkaClientProperty;
import org.apache.nifi.kafka.shared.property.SaslMechanism;
import org.apache.nifi.kafka.shared.property.SecurityProtocol;
import org.apache.nifi.kerberos.KerberosCredentialsService;
import org.apache.nifi.kerberos.KerberosUserService;

/* loaded from: input_file:org/apache/nifi/kafka/shared/validation/KafkaClientCustomValidationFunction.class */
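/**
 * Cross-property validation for Kafka client components.
 *
 * <p>Checks that cannot be expressed on a single property descriptor are collected here: rejection of the
 * JndiLoginModule in a user-supplied JAAS configuration, mutual exclusion of the Kerberos configuration
 * strategies, presence of Kerberos credentials when GSSAPI is selected, and presence of a username and
 * password for the username/password SASL mechanisms.
 *
 * <p>The function holds no instance state; every call builds and returns a new result list containing only
 * invalid results. An empty collection means no problem was found by these checks.
 */
public class KafkaClientCustomValidationFunction implements Function<ValidationContext, Collection<ValidationResult>> {
    static final String JAVA_SECURITY_AUTH_LOGIN_CONFIG = "java.security.auth.login.config";
    private static final String ALLOW_EXPLICIT_KEYTAB = "NIFI_ALLOW_EXPLICIT_KEYTAB";
    private static final String JNDI_LOGIN_MODULE_CLASS = "JndiLoginModule";
    private static final String JND_LOGIN_MODULE_EXPLANATION = "The JndiLoginModule is not allowed in the JAAS configuration";
    private static final List<String> USERNAME_PASSWORD_SASL_MECHANISMS = Arrays.asList(SaslMechanism.PLAIN.getValue(), SaslMechanism.SCRAM_SHA_256.getValue(), SaslMechanism.SCRAM_SHA_512.getValue());
    private static final List<String> SASL_PROTOCOLS = Arrays.asList(SecurityProtocol.SASL_PLAINTEXT.name(), SecurityProtocol.SASL_SSL.name());

    /**
     * Runs every custom validation check against the supplied context.
     *
     * @param validationContext context providing the configured property values
     * @return the invalid results found, in check order; empty when all checks pass
     */
    @Override
    public Collection<ValidationResult> apply(ValidationContext validationContext) {
        final List<ValidationResult> results = new ArrayList<>();
        validateLoginModule(validationContext, results);
        validateKerberosServices(validationContext, results);
        validateKerberosCredentials(validationContext, results);
        validateUsernamePassword(validationContext, results);
        return results;
    }

    /**
     * Rejects a JAAS configuration property whose value mentions the JndiLoginModule.
     *
     * <p>The JAAS property is located by name among the context's properties rather than through a
     * descriptor constant. The match is a case-sensitive substring test, so any occurrence of the text
     * "JndiLoginModule" in the value is rejected, wherever it appears.
     */
    private void validateLoginModule(ValidationContext validationContext, Collection<ValidationResult> results) {
        final String jaasConfigPropertyName = KafkaClientProperty.SASL_JAAS_CONFIG.getProperty();
        final Optional<PropertyDescriptor> jaasConfigDescriptor = validationContext.getProperties().keySet().stream()
                .filter(descriptor -> jaasConfigPropertyName.equals(descriptor.getName()))
                .findFirst();
        if (!jaasConfigDescriptor.isPresent()) {
            return;
        }

        final PropertyDescriptor descriptor = jaasConfigDescriptor.get();
        // NOTE(review): getValue() is the raw configured value. If this property supports Expression
        // Language, the evaluated value is not what is inspected here - confirm against the descriptor.
        final String jaasConfig = validationContext.getProperty(descriptor).getValue();
        // A descriptor can be present without a value; treat that as "nothing to reject" instead of
        // failing validation with a NullPointerException.
        if (jaasConfig != null && jaasConfig.contains(JNDI_LOGIN_MODULE_CLASS)) {
            // JndiLoginModule authenticates against naming/directory providers named in its own options,
            // so accepting it would let the component configuration choose where the JVM performs lookups.
            results.add(new ValidationResult.Builder()
                    .subject(descriptor.getName())
                    .valid(false)
                    .explanation(JND_LOGIN_MODULE_EXPLANATION)
                    .build());
        }
    }

    /**
     * Enforces that only one Kerberos configuration strategy is used: the Kerberos User Service, the
     * Kerberos Credentials Service, or an explicit principal and keytab.
     *
     * <p>Explicit principal/keytab properties are additionally rejected when the environment variable
     * {@code NIFI_ALLOW_EXPLICIT_KEYTAB} is set to {@code false} (case-insensitive). The restriction is
     * opt-in: an unset variable or any other value leaves explicit keytabs permitted.
     */
    private void validateKerberosServices(ValidationContext validationContext, Collection<ValidationResult> results) {
        final PropertyValue userServiceProperty = validationContext.getProperty(KafkaClientComponent.SELF_CONTAINED_KERBEROS_USER_SERVICE);
        final PropertyValue credentialsServiceProperty = validationContext.getProperty(KafkaClientComponent.KERBEROS_CREDENTIALS_SERVICE);
        final String principal = validationContext.getProperty(KafkaClientComponent.KERBEROS_PRINCIPAL).evaluateAttributeExpressions().getValue();
        final String keytab = validationContext.getProperty(KafkaClientComponent.KERBEROS_KEYTAB).evaluateAttributeExpressions().getValue();
        final boolean explicitCredentialsConfigured = isNotEmpty(principal) || isNotEmpty(keytab);

        if (userServiceProperty.isSet()) {
            if (credentialsServiceProperty.isSet()) {
                results.add(new ValidationResult.Builder()
                        .subject(KafkaClientComponent.KERBEROS_CREDENTIALS_SERVICE.getDisplayName())
                        .valid(false)
                        .explanation(String.format("Cannot configure both [%s] and [%s]", KafkaClientComponent.SELF_CONTAINED_KERBEROS_USER_SERVICE.getDisplayName(), KafkaClientComponent.KERBEROS_CREDENTIALS_SERVICE.getDisplayName()))
                        .build());
            }
            if (explicitCredentialsConfigured) {
                results.add(new ValidationResult.Builder()
                        .subject(KafkaClientComponent.SELF_CONTAINED_KERBEROS_USER_SERVICE.getDisplayName())
                        .valid(false)
                        .explanation(String.format("Cannot configure [%s] with [%s] or [%s]", KafkaClientComponent.SELF_CONTAINED_KERBEROS_USER_SERVICE.getDisplayName(), KafkaClientComponent.KERBEROS_PRINCIPAL.getDisplayName(), KafkaClientComponent.KERBEROS_KEYTAB.getDisplayName()))
                        .build());
            }
        } else if (credentialsServiceProperty.isSet() && explicitCredentialsConfigured) {
            results.add(new ValidationResult.Builder()
                    .subject(KafkaClientComponent.KERBEROS_CREDENTIALS_SERVICE.getDisplayName())
                    .valid(false)
                    .explanation(String.format("Cannot configure [%s] with [%s] or [%s]", KafkaClientComponent.KERBEROS_CREDENTIALS_SERVICE.getDisplayName(), KafkaClientComponent.KERBEROS_PRINCIPAL.getDisplayName(), KafkaClientComponent.KERBEROS_KEYTAB.getDisplayName()))
                    .build());
        }

        // Only the literal value "false" disables explicit keytabs; a null (unset) variable does not match.
        final boolean explicitKeytabDisabled = Boolean.FALSE.toString().equalsIgnoreCase(System.getenv(ALLOW_EXPLICIT_KEYTAB));
        if (explicitKeytabDisabled && explicitCredentialsConfigured) {
            results.add(new ValidationResult.Builder()
                    .subject(KafkaClientComponent.KERBEROS_PRINCIPAL.getDisplayName())
                    .valid(false)
                    .explanation(String.format("Environment Variable [%s] disables configuring [%s] and [%s] properties", ALLOW_EXPLICIT_KEYTAB, KafkaClientComponent.KERBEROS_PRINCIPAL.getDisplayName(), KafkaClientComponent.KERBEROS_KEYTAB.getDisplayName()))
                    .build());
        }
    }

    /**
     * Validates Kerberos settings when the SASL mechanism is GSSAPI over a SASL security protocol.
     *
     * <p>Requires a Kerberos service name, requires principal and keytab to be configured together, and
     * requires at least one credential source: a Kerberos User Service, a Kerberos Credentials Service,
     * an explicit principal/keytab, or the {@code java.security.auth.login.config} system property.
     */
    private void validateKerberosCredentials(ValidationContext validationContext, Collection<ValidationResult> results) {
        final String saslMechanism = validationContext.getProperty(KafkaClientComponent.SASL_MECHANISM).getValue();
        final String securityProtocol = validationContext.getProperty(KafkaClientComponent.SECURITY_PROTOCOL).getValue();
        if (!SaslMechanism.GSSAPI.name().equals(saslMechanism) || !SASL_PROTOCOLS.contains(securityProtocol)) {
            return;
        }

        final String serviceName = validationContext.getProperty(KafkaClientComponent.KERBEROS_SERVICE_NAME).evaluateAttributeExpressions().getValue();
        if (isEmpty(serviceName)) {
            results.add(new ValidationResult.Builder()
                    .subject(KafkaClientComponent.KERBEROS_SERVICE_NAME.getDisplayName())
                    .valid(false)
                    .explanation(String.format("[%s] required for [%s] value [%s]", KafkaClientComponent.KERBEROS_SERVICE_NAME.getDisplayName(), KafkaClientComponent.SASL_MECHANISM.getDisplayName(), SaslMechanism.GSSAPI))
                    .build());
        }

        final String principal = validationContext.getProperty(KafkaClientComponent.KERBEROS_PRINCIPAL).evaluateAttributeExpressions().getValue();
        final String keytab = validationContext.getProperty(KafkaClientComponent.KERBEROS_KEYTAB).evaluateAttributeExpressions().getValue();
        final String loginConfig = System.getProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG);

        // The explanation names the missing property first and the configured one second, matching the
        // subject of the result. The arguments were previously reversed, telling the user that the
        // property they had already set was the one required.
        if (isEmpty(principal) && isNotEmpty(keytab)) {
            results.add(new ValidationResult.Builder()
                    .subject(KafkaClientComponent.KERBEROS_PRINCIPAL.getDisplayName())
                    .valid(false)
                    .explanation(String.format("[%s] required when configuring [%s]", KafkaClientComponent.KERBEROS_PRINCIPAL.getDisplayName(), KafkaClientComponent.KERBEROS_KEYTAB.getDisplayName()))
                    .build());
        } else if (isNotEmpty(principal) && isEmpty(keytab)) {
            results.add(new ValidationResult.Builder()
                    .subject(KafkaClientComponent.KERBEROS_KEYTAB.getDisplayName())
                    .valid(false)
                    .explanation(String.format("[%s] required when configuring [%s]", KafkaClientComponent.KERBEROS_KEYTAB.getDisplayName(), KafkaClientComponent.KERBEROS_PRINCIPAL.getDisplayName()))
                    .build());
        }

        final KerberosUserService userService = validationContext.getProperty(KafkaClientComponent.SELF_CONTAINED_KERBEROS_USER_SERVICE).asControllerService(KerberosUserService.class);
        final KerberosCredentialsService credentialsService = validationContext.getProperty(KafkaClientComponent.KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
        final boolean noServiceConfigured = userService == null && credentialsService == null;
        final boolean noExplicitCredentials = isEmpty(principal) && isEmpty(keytab);
        if (noServiceConfigured && noExplicitCredentials && isEmpty(loginConfig)) {
            results.add(new ValidationResult.Builder()
                    .subject(KafkaClientComponent.SASL_MECHANISM.getDisplayName())
                    .valid(false)
                    .explanation(String.format("Kerberos Credentials not found in component properties or System Property [%s]", JAVA_SECURITY_AUTH_LOGIN_CONFIG))
                    .build());
        }
    }

    /**
     * Requires both a username and a password when the SASL mechanism is PLAIN, SCRAM-SHA-256 or
     * SCRAM-SHA-512. Only presence is checked; the values themselves are never placed in a result.
     */
    private void validateUsernamePassword(ValidationContext validationContext, Collection<ValidationResult> results) {
        final String saslMechanism = validationContext.getProperty(KafkaClientComponent.SASL_MECHANISM).getValue();
        if (!USERNAME_PASSWORD_SASL_MECHANISMS.contains(saslMechanism)) {
            return;
        }

        final String username = validationContext.getProperty(KafkaClientComponent.SASL_USERNAME).evaluateAttributeExpressions().getValue();
        if (isEmpty(username)) {
            results.add(new ValidationResult.Builder()
                    .subject(KafkaClientComponent.SASL_USERNAME.getDisplayName())
                    .valid(false)
                    .explanation(String.format("[%s] required for [%s] values: %s", KafkaClientComponent.SASL_USERNAME.getDisplayName(), KafkaClientComponent.SASL_MECHANISM.getDisplayName(), USERNAME_PASSWORD_SASL_MECHANISMS))
                    .build());
        }

        final String password = validationContext.getProperty(KafkaClientComponent.SASL_PASSWORD).evaluateAttributeExpressions().getValue();
        if (isEmpty(password)) {
            results.add(new ValidationResult.Builder()
                    .subject(KafkaClientComponent.SASL_PASSWORD.getDisplayName())
                    .valid(false)
                    .explanation(String.format("[%s] required for [%s] values: %s", KafkaClientComponent.SASL_PASSWORD.getDisplayName(), KafkaClientComponent.SASL_MECHANISM.getDisplayName(), USERNAME_PASSWORD_SASL_MECHANISMS))
                    .build());
        }
    }

    /** Returns {@code true} when the string is {@code null} or has zero length. */
    private static boolean isEmpty(String str) {
        return str == null || str.isEmpty();
    }

    /** Returns {@code true} when the string is non-null and has at least one character. */
    private static boolean isNotEmpty(String str) {
        return !isEmpty(str);
    }
}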
