package io.kareldb.server;

import io.kareldb.KarelDbConfig;
import io.kareldb.server.leader.KarelDbIdentity;
import io.kareldb.server.leader.KarelDbProtocol;
import java.util.List;
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import org.apache.calcite.avatica.remote.AuthenticationType;
import org.apache.calcite.avatica.server.AvaticaHandler;
import org.apache.calcite.avatica.server.AvaticaServerConfiguration;
import org.apache.calcite.avatica.server.HttpServer;
import org.apache.calcite.avatica.server.RemoteUserExtractor;
import org.apache.kafka.common.config.ConfigException;
import org.eclipse.jetty.jaas.JAASLoginService;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.security.authentication.DigestAuthenticator;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/kareldb/server/HttpServerExtension.class */
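/**
 * Avatica {@link HttpServer} that takes its port and scheme from a {@link KarelDbIdentity} and its
 * HTTP authentication and TLS settings from a {@link KarelDbConfig}.
 *
 * <p>Authentication is selected by {@code authentication.method} ({@code NONE}, {@code BASIC} or
 * {@code DIGEST}). BASIC and DIGEST are both backed by a Jetty {@link JAASLoginService} named
 * after {@code authentication.realm}. A TLS context is built only when the identity's scheme is
 * {@code https}.
 *
 * <p>Security notes for operators: BASIC sends the password in a reversible encoding and DIGEST
 * relies on MD5, so neither replaces TLS. With {@code authentication.method=NONE} the
 * server is handed no authentication configuration at all.
 */
public class HttpServerExtension extends HttpServer {
    private static final Logger LOG = LoggerFactory.getLogger(HttpServerExtension.class);

    private static final String HTTPS_SCHEME = "https";
    private static final String AUTH_METHOD_CONFIG = "authentication.method";
    private static final String AUTH_METHOD_NONE = "NONE";
    private static final String CLIENT_AUTH_CONFIG = "ssl.client.authentication";

    /**
     * Creates the server on the identity's port, with authentication and (for {@code https}) TLS
     * derived from the configuration.
     *
     * @param karelDbIdentity supplies the listen port and the scheme
     * @param avaticaHandler the Avatica request handler to serve
     * @param karelDbConfig source of the {@code authentication.*} and {@code ssl.*} settings
     */
    public HttpServerExtension(KarelDbIdentity karelDbIdentity, AvaticaHandler avaticaHandler, KarelDbConfig karelDbConfig) {
        super(
                karelDbIdentity.getPort().intValue(),
                avaticaHandler,
                buildUserAuthConfig(karelDbConfig),
                (Subject) null,
                karelDbIdentity.getScheme().equals(HTTPS_SCHEME) ? createSslContextFactory(karelDbConfig) : null);
        // Make the risky combination visible in the logs: authentication switched on, but no TLS
        // underneath it to protect the credentials or the session that follows.
        String authMethod = karelDbConfig.getString(AUTH_METHOD_CONFIG);
        if (!AUTH_METHOD_NONE.equals(authMethod) && !karelDbIdentity.getScheme().equals(HTTPS_SCHEME)) {
            LOG.warn(
                    "{}={} is enabled but the listener scheme is {}, not https; credentials and query traffic are not protected in transit",
                    AUTH_METHOD_CONFIG, authMethod, karelDbIdentity.getScheme());
        }
    }

    /**
     * Configures HTTP Basic authentication backed by a {@link JAASLoginService}.
     *
     * @param server the Jetty server the login service is registered on
     * @param avaticaServerConfiguration supplies the allowed roles and the realm name
     * @return the security handler produced by {@code configureCommonAuthentication}
     */
    @Override
    protected ConstraintSecurityHandler configureBasicAuthentication(Server server, AvaticaServerConfiguration avaticaServerConfiguration) {
        LOG.info("Configuring basic auth");
        String[] allowedRoles = avaticaServerConfiguration.getAllowedRoles();
        // NOTE(review): the realm name is the only argument given to JAASLoginService; presumably
        // it also selects the JAAS login configuration entry - confirm against the deployment's
        // JAAS config file.
        JAASLoginService jAASLoginService = new JAASLoginService(avaticaServerConfiguration.getHashLoginServiceRealm());
        server.addBean(jAASLoginService);
        return configureCommonAuthentication("BASIC", allowedRoles, new BasicAuthenticator(), null, jAASLoginService);
    }

    /**
     * Configures HTTP Digest authentication backed by a {@link JAASLoginService}.
     *
     * @param server the Jetty server the login service is registered on
     * @param avaticaServerConfiguration supplies the allowed roles and the realm name
     * @return the security handler produced by {@code configureCommonAuthentication}
     */
    @Override
    protected ConstraintSecurityHandler configureDigestAuthentication(Server server, AvaticaServerConfiguration avaticaServerConfiguration) {
        LOG.info("Configuring digest auth");
        String[] allowedRoles = avaticaServerConfiguration.getAllowedRoles();
        JAASLoginService jAASLoginService = new JAASLoginService(avaticaServerConfiguration.getHashLoginServiceRealm());
        server.addBean(jAASLoginService);
        return configureCommonAuthentication("DIGEST", allowedRoles, new DigestAuthenticator(), null, jAASLoginService);
    }

    /**
     * Translates the {@code authentication.*} settings into an Avatica server configuration.
     *
     * @param karelDbConfig source of {@code authentication.method}, {@code authentication.realm}
     *     and {@code authentication.roles}
     * @return {@code null} when the method is {@code NONE}, otherwise a configuration object
     *     exposing the method, realm and roles; Kerberos and impersonation are not supported
     */
    private static AvaticaServerConfiguration buildUserAuthConfig(KarelDbConfig karelDbConfig) {
        final String method = karelDbConfig.getString(AUTH_METHOD_CONFIG);
        if (AUTH_METHOD_NONE.equals(method)) {
            // No configuration object is handed to the server for NONE.
            return null;
        }
        final String realm = karelDbConfig.getString("authentication.realm");
        // NOTE(review): an empty authentication.roles list is passed through unchanged; confirm
        // how the security handler treats an empty role set before relying on it.
        final String[] roles = toStringArray(karelDbConfig.getList("authentication.roles"));
        return new AvaticaServerConfiguration() {
            /**
             * Maps the configured method name to the Avatica enum.
             *
             * @throws IllegalArgumentException for any value other than BASIC or DIGEST; the
             *     check runs when this method is called, not when the configuration is built
             */
            @Override
            public AuthenticationType getAuthenticationType() {
                switch (method) {
                    case "BASIC":
                        return AuthenticationType.BASIC;
                    case "DIGEST":
                        return AuthenticationType.DIGEST;
                    default:
                        throw new IllegalArgumentException("Unsupported authentication method " + method);
                }
            }

            @Override
            public String[] getAllowedRoles() {
                // Hand out a copy so a caller cannot alter the role list held by this object.
                return roles.clone();
            }

            @Override
            public String getHashLoginServiceRealm() {
                return realm;
            }

            @Override
            public String getHashLoginServiceProperties() {
                return null;
            }

            @Override
            public String getKerberosRealm() {
                return null;
            }

            @Override
            public String getKerberosPrincipal() {
                return null;
            }

            @Override
            public boolean supportsImpersonation() {
                return false;
            }

            @Override
            public <T> T doAsRemoteUser(String str, String str2, Callable<T> callable) throws Exception {
                // Impersonation is reported as unsupported above; the callable is never run here.
                return null;
            }

            @Override
            public RemoteUserExtractor getRemoteUserExtractor() {
                return null;
            }
        };
    }

    /**
     * Builds the Jetty TLS context from the {@code ssl.*} settings.
     *
     * <p>Key store and trust store settings are applied only when the corresponding location is
     * non-empty. Protocol and cipher-suite allow-lists are applied only when non-empty, so an empty
     * list leaves Jetty's own defaults in force. TLS renegotiation is always disabled.
     *
     * @param karelDbConfig source of the {@code ssl.*} settings
     * @return the configured, not yet started, context factory
     * @throws ConfigException if {@code ssl.client.authentication} has an unexpected value
     */
    private static SslContextFactory createSslContextFactory(KarelDbConfig karelDbConfig) {
        SslContextFactory sslContextFactory = new SslContextFactory();

        String keyStoreLocation = karelDbConfig.getString("ssl.keystore.location");
        // NOTE(review): with an empty location no key material is configured here even though
        // the scheme is https - confirm how the server behaves in that case.
        if (!keyStoreLocation.isEmpty()) {
            sslContextFactory.setKeyStorePath(keyStoreLocation);
            sslContextFactory.setKeyStorePassword(karelDbConfig.getPassword("ssl.keystore.password").value());
            sslContextFactory.setKeyManagerPassword(karelDbConfig.getPassword("ssl.key.password").value());
            sslContextFactory.setKeyStoreType(karelDbConfig.getString("ssl.keystore.type"));
            String keyManagerAlgorithm = karelDbConfig.getString("ssl.keymanager.algorithm");
            if (!keyManagerAlgorithm.isEmpty()) {
                sslContextFactory.setKeyManagerFactoryAlgorithm(keyManagerAlgorithm);
            }
        }

        configureClientAuth(karelDbConfig, sslContextFactory);

        List<?> enabledProtocols = karelDbConfig.getList("ssl.enabled.protocols");
        if (!enabledProtocols.isEmpty()) {
            sslContextFactory.setIncludeProtocols(toStringArray(enabledProtocols));
        }
        List<?> cipherSuites = karelDbConfig.getList("ssl.cipher.suites");
        if (!cipherSuites.isEmpty()) {
            sslContextFactory.setIncludeCipherSuites(toStringArray(cipherSuites));
        }

        sslContextFactory.setEndpointIdentificationAlgorithm(karelDbConfig.getString("ssl.endpoint.identification.algorithm"));

        String trustStoreLocation = karelDbConfig.getString("ssl.truststore.location");
        if (!trustStoreLocation.isEmpty()) {
            sslContextFactory.setTrustStorePath(trustStoreLocation);
            sslContextFactory.setTrustStorePassword(karelDbConfig.getPassword("ssl.truststore.password").value());
            sslContextFactory.setTrustStoreType(karelDbConfig.getString("ssl.truststore.type"));
            String trustManagerAlgorithm = karelDbConfig.getString("ssl.trustmanager.algorithm");
            if (!trustManagerAlgorithm.isEmpty()) {
                sslContextFactory.setTrustManagerFactoryAlgorithm(trustManagerAlgorithm);
            }
        }

        sslContextFactory.setProtocol(karelDbConfig.getString("ssl.protocol"));
        String provider = karelDbConfig.getString("ssl.provider");
        if (!provider.isEmpty()) {
            // Fix: the provider name used to be passed to setProtocol, which replaced the
            // configured ssl.protocol with a JCE provider name and never set the provider.
            sslContextFactory.setProvider(provider);
        }

        // Client-initiated renegotiation is refused regardless of configuration.
        sslContextFactory.setRenegotiationAllowed(false);
        return sslContextFactory;
    }

    /**
     * Applies the {@code ssl.client.authentication} setting to the TLS context.
     *
     * <p>{@code REQUIRED} makes a client certificate mandatory, {@code REQUESTED} asks for one
     * without insisting on it, and {@code NONE} leaves the factory untouched. With
     * {@code REQUESTED} the handshake alone does not prove a certificate was presented.
     *
     * @param karelDbConfig source of the {@code ssl.client.authentication} setting
     * @param sslContextFactory the context factory to configure
     * @throws ConfigException if the value is not one of the three names above
     */
    private static void configureClientAuth(KarelDbConfig karelDbConfig, SslContextFactory sslContextFactory) {
        String clientAuth = karelDbConfig.getString(CLIENT_AUTH_CONFIG);
        switch (clientAuth) {
            case "REQUIRED":
                sslContextFactory.setNeedClientAuth(true);
                return;
            case "REQUESTED":
                sslContextFactory.setWantClientAuth(true);
                return;
            case "NONE":
                return;
            default:
                // Fix: the message used to carry SLF4J-style "{}" placeholders, which
                // ConfigException does not expand; build the text directly instead.
                throw new ConfigException(
                        "Unexpected value for " + CLIENT_AUTH_CONFIG + " configuration: " + clientAuth);
        }
    }

    /** Copies a configuration list into a {@code String[]}. */
    private static String[] toStringArray(List<?> values) {
        return values.toArray(new String[0]);
    }
}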
