package io.strimzi.kafka.oauth.client;

import io.strimzi.kafka.oauth.client.metrics.ClientAuthenticationSensorKeyProducer;
import io.strimzi.kafka.oauth.client.metrics.ClientHttpSensorKeyProducer;
import io.strimzi.kafka.oauth.common.ConfigException;
import io.strimzi.kafka.oauth.common.ConfigUtil;
import io.strimzi.kafka.oauth.common.DeprecationUtil;
import io.strimzi.kafka.oauth.common.LogUtil;
import io.strimzi.kafka.oauth.common.MetricsHandler;
import io.strimzi.kafka.oauth.common.OAuthAuthenticator;
import io.strimzi.kafka.oauth.common.PrincipalExtractor;
import io.strimzi.kafka.oauth.common.TokenInfo;
import io.strimzi.kafka.oauth.metrics.SensorKeyProducer;
import io.strimzi.kafka.oauth.services.OAuthMetrics;
import io.strimzi.kafka.oauth.services.Services;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/strimzi/kafka/oauth/client/JaasClientOauthLoginCallbackHandler.class */
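/**
 * Kafka client-side {@link AuthenticateCallbackHandler} for the {@code OAUTHBEARER} SASL mechanism.
 * <p>
 * Configuration is read from the JAAS {@link AppConfigurationEntry} options into a {@link ClientConfig}.
 * When a token is requested through {@link #handle}, credentials are tried in this fixed order:
 * a pre-configured access token, a refresh token, password-grant user credentials, and finally
 * the client secret. Secret-bearing values (tokens, client secret, password) are passed through
 * {@link LogUtil#mask} before they reach the debug log; identifiers such as the client id and
 * username are logged as-is.
 * <p>
 * All fields are written by {@link #configure} and then read, without synchronization, by
 * {@link #handle} and the nested metrics handler.
 */
public class JaasClientOauthLoginCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger LOG = LoggerFactory.getLogger(JaasClientOauthLoginCallbackHandler.class);

    // Statically configured access token; when present, no token endpoint call is made.
    private String token;
    // Refresh token used for the refresh_token grant when no access token is configured.
    private String refreshToken;
    private String clientId;
    private String clientSecret;
    // Password-grant user credentials.
    private String username;
    private String password;
    private String scope;
    private String audience;
    // Only resolved when no access token is configured (see configure()).
    private URI tokenEndpoint;
    private boolean isJwt;
    // Upper bound on the reported token lifetime; <= 0 disables the cap.
    private int maxTokenExpirySeconds;
    private PrincipalExtractor principalExtractor;
    private SSLSocketFactory socketFactory;
    private HostnameVerifier hostnameVerifier;
    private int connectTimeout;
    private int readTimeout;
    private boolean enableMetrics;
    // Only assigned when enableMetrics is true; every use is guarded by that flag.
    private OAuthMetrics metrics;
    private SensorKeyProducer authSensorKeyProducer;
    private SensorKeyProducer tokenSensorKeyProducer;
    private ClientConfig config = new ClientConfig();
    private final ClientMetricsHandler authenticatorMetrics = new ClientMetricsHandler();

    /**
     * Records the duration of HTTP calls to the token endpoint on behalf of {@link OAuthAuthenticator}.
     * <p>
     * Decompiler note: the original class is package-private ("Access modifiers changed from: package-private").
     * Every method is a no-op unless metrics are enabled on the enclosing handler.
     */
    /* loaded from: input_file:io/strimzi/kafka/oauth/client/JaasClientOauthLoginCallbackHandler$ClientMetricsHandler.class */
    public class ClientMetricsHandler implements MetricsHandler {
        ClientMetricsHandler() {
        }

        /**
         * Records a successful token-endpoint request.
         *
         * @param j the request duration in milliseconds
         */
        @Override
        public void addSuccessRequestTime(long j) {
            if (!JaasClientOauthLoginCallbackHandler.this.enableMetrics) {
                return;
            }
            JaasClientOauthLoginCallbackHandler.this.metrics.addTime(
                    JaasClientOauthLoginCallbackHandler.this.tokenSensorKeyProducer.successKey(), j);
        }

        /**
         * Records a failed token-endpoint request.
         *
         * @param th the failure; used to derive the error sensor key
         * @param j the request duration in milliseconds
         */
        @Override
        public void addErrorRequestTime(Throwable th, long j) {
            if (!JaasClientOauthLoginCallbackHandler.this.enableMetrics) {
                return;
            }
            JaasClientOauthLoginCallbackHandler.this.metrics.addTime(
                    JaasClientOauthLoginCallbackHandler.this.tokenSensorKeyProducer.errorKey(th), j);
        }
    }

    /**
     * Reads the JAAS options into {@link #config}, validates them and prepares everything
     * {@link #handle} needs (TLS socket factory, hostname verifier, timeouts, principal
     * extraction, metrics).
     *
     * @param map the Kafka client configuration; handed to {@link Services#configure} when the
     *            shared services are not yet available
     * @param str the SASL mechanism name; must be {@code OAUTHBEARER}
     * @param list the JAAS configuration entries; each entry replaces the previous one, so
     *             only the last entry's options take effect
     * @throws IllegalArgumentException if {@code str} is not {@code OAUTHBEARER}
     * @throws ConfigException if required options are missing or have invalid values
     */
    @Override
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!"OAUTHBEARER".equals(str)) {
            throw new IllegalArgumentException("Unexpected SASL mechanism: " + str);
        }
        // NOTE: later entries overwrite earlier ones; the options are not merged.
        for (AppConfigurationEntry appConfigurationEntry : list) {
            Properties properties = new Properties();
            properties.putAll(appConfigurationEntry.getOptions());
            this.config = new ClientConfig(properties);
        }
        this.token = this.config.getValue(ClientConfig.OAUTH_ACCESS_TOKEN);
        if (this.token == null) {
            // Without a static token every grant type needs the token endpoint.
            String value = this.config.getValue(ClientConfig.OAUTH_TOKEN_ENDPOINT_URI);
            if (value == null) {
                throw new ConfigException("Access token not specified ('oauth.access.token'). OAuth token endpoint ('oauth.token.endpoint.uri') should then be set.");
            }
            try {
                this.tokenEndpoint = new URI(value);
            } catch (URISyntaxException e) {
                throw new ConfigException("Specified token endpoint uri is invalid ('oauth.token.endpoint.uri'): " + value, e);
            }
        }
        this.refreshToken = this.config.getValue(ClientConfig.OAUTH_REFRESH_TOKEN);
        this.clientId = this.config.getValue("oauth.client.id");
        this.clientSecret = this.config.getValue("oauth.client.secret");
        this.username = this.config.getValue(ClientConfig.OAUTH_PASSWORD_GRANT_USERNAME);
        this.password = this.config.getValue(ClientConfig.OAUTH_PASSWORD_GRANT_PASSWORD);
        this.scope = this.config.getValue("oauth.scope");
        this.audience = this.config.getValue("oauth.audience");
        this.socketFactory = ConfigUtil.createSSLFactory(this.config);
        this.hostnameVerifier = ConfigUtil.createHostnameVerifier(this.config);
        this.connectTimeout = ConfigUtil.getConnectTimeout(this.config);
        this.readTimeout = ConfigUtil.getReadTimeout(this.config);
        checkConfiguration();
        this.principalExtractor = new PrincipalExtractor(this.config.getValue("oauth.username.claim"), this.config.getValue("oauth.fallback.username.claim"), this.config.getValue("oauth.fallback.username.prefix"));
        this.isJwt = DeprecationUtil.isAccessTokenJwt(this.config, LOG, (String) null);
        if (!this.isJwt && this.principalExtractor.isConfigured()) {
            LOG.warn("Token is not JWT ('{}' is 'false') - custom username claim configuration will be ignored ('{}', '{}', '{}')", new Object[]{"oauth.access.token.is.jwt", "oauth.username.claim", "oauth.fallback.username.claim", "oauth.fallback.username.prefix"});
        }
        this.maxTokenExpirySeconds = this.config.getValueAsInt(ClientConfig.OAUTH_MAX_TOKEN_EXPIRY_SECONDS, -1);
        // A positive cap below one minute is rejected; non-positive values mean "no cap".
        if (this.maxTokenExpirySeconds > 0 && this.maxTokenExpirySeconds < 60) {
            throw new ConfigException("Invalid value configured for 'oauth.max.token.expiry.seconds': " + this.maxTokenExpirySeconds + " (should be at least 60)");
        }
        String configureMetrics = configureMetrics(map);
        if (LOG.isDebugEnabled()) {
            // Secrets are masked; clientId and username are identifiers and are logged verbatim.
            LOG.debug("Configured JaasClientOauthLoginCallbackHandler:\n    configId: " + configureMetrics + "\n    token: " + LogUtil.mask(this.token) + "\n    refreshToken: " + LogUtil.mask(this.refreshToken) + "\n    tokenEndpointUri: " + this.tokenEndpoint + "\n    clientId: " + this.clientId + "\n    clientSecret: " + LogUtil.mask(this.clientSecret) + "\n    username: " + this.username + "\n    password: " + LogUtil.mask(this.password) + "\n    scope: " + this.scope + "\n    audience: " + this.audience + "\n    isJwt: " + this.isJwt + "\n    maxTokenExpirySeconds: " + this.maxTokenExpirySeconds + "\n    principalExtractor: " + this.principalExtractor + "\n    connectTimeout: " + this.connectTimeout + "\n    readTimeout: " + this.readTimeout + "\n    enableMetrics: " + this.enableMetrics);
        }
    }

    /**
     * Warns about credential options that will be shadowed by a higher-precedence one and
     * rejects configurations with no usable credentials.
     *
     * @throws ConfigException if no access token is configured and the client id is missing,
     *                         a username is given without a password, or no refresh token,
     *                         client secret or username is present
     */
    private void checkConfiguration() {
        if (this.token != null) {
            // A static access token wins over every other credential.
            if (this.refreshToken != null) {
                LOG.warn("Access token is configured ('{}'), refresh token will be ignored ('{}').", ClientConfig.OAUTH_ACCESS_TOKEN, ClientConfig.OAUTH_REFRESH_TOKEN);
            }
            if (this.username != null) {
                LOG.warn("Access token is configured ('{}'), username will be ignored ('{}').", ClientConfig.OAUTH_ACCESS_TOKEN, ClientConfig.OAUTH_PASSWORD_GRANT_USERNAME);
            }
            if (this.clientId != null) {
                LOG.warn("Access token is configured ('{}'), client id will be ignored ('{}').", ClientConfig.OAUTH_ACCESS_TOKEN, "oauth.client.id");
            }
            return;
        }
        if (this.refreshToken != null && this.username != null) {
            LOG.warn("Refresh token is configured ('{}'), username will be ignored ('{}').", ClientConfig.OAUTH_REFRESH_TOKEN, ClientConfig.OAUTH_PASSWORD_GRANT_USERNAME);
        }
        if (this.clientId == null) {
            throw new ConfigException("No client id specified ('oauth.client.id')");
        }
        if (this.username != null && this.password == null) {
            throw new ConfigException("Username configured ('oauth.password.grant.username') but no password specified ('oauth.password.grant.password')");
        }
        if (this.refreshToken == null && this.clientSecret == null && this.username == null) {
            throw new ConfigException("No access token ('oauth.access.token'), refresh token ('oauth.refresh.token'), client credentials ('oauth.client.secret') or user credentials specified ('oauth.password.grant.username')");
        }
    }

    /**
     * Sets up the metrics sensor keys and, when {@code oauth.enable.metrics} is true,
     * obtains the shared {@link OAuthMetrics} instance.
     *
     * @param map the Kafka client configuration used to initialise {@link Services} on first use
     * @return the configured {@code oauth.config.id}, defaulting to {@code client}
     */
    private String configureMetrics(Map<String, ?> map) {
        String value = this.config.getValue("oauth.config.id", "client");
        this.enableMetrics = this.config.getValueAsBoolean("oauth.enable.metrics", false);
        this.authSensorKeyProducer = new ClientAuthenticationSensorKeyProducer(value, this.tokenEndpoint);
        // No token endpoint (static access token) means no HTTP sensor is needed.
        this.tokenSensorKeyProducer = this.tokenEndpoint != null ? new ClientHttpSensorKeyProducer(value, this.tokenEndpoint) : null;
        if (!Services.isAvailable()) {
            Services.configure(map);
        }
        if (this.enableMetrics) {
            this.metrics = Services.getInstance().getMetrics();
        }
        return value;
    }

    /** Nothing to release: this handler holds no closeable resources. */
    @Override
    public void close() {
    }

    /**
     * Fulfils {@link OAuthBearerTokenCallback}s by obtaining a token; any other callback type
     * is rejected.
     *
     * @param callbackArr the callbacks to handle
     * @throws IOException if obtaining a token fails
     * @throws UnsupportedCallbackException on the first callback that is not an
     *                                      {@link OAuthBearerTokenCallback}
     */
    @Override
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            if (!(callback instanceof OAuthBearerTokenCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            handleCallback((OAuthBearerTokenCallback) callback);
        }
    }

    /**
     * Obtains a token using the highest-precedence configured credential and hands it to the
     * callback. Timing is reported to the authentication sensor on both success and failure.
     *
     * @param oAuthBearerTokenCallback the callback to populate; must not already carry a token
     * @throws IOException if the token endpoint call fails
     * @throws IllegalArgumentException if the callback already has a token
     * @throws IllegalStateException if no credential is available (should be prevented by
     *                               {@link #checkConfiguration})
     */
    private void handleCallback(OAuthBearerTokenCallback oAuthBearerTokenCallback) throws IOException {
        if (oAuthBearerTokenCallback.token() != null) {
            throw new IllegalArgumentException("Callback had a token already");
        }
        long startMs = System.currentTimeMillis();
        try {
            final TokenInfo tokenInfo = login();
            addSuccessTime(startMs);
            oAuthBearerTokenCallback.token(new OAuthBearerToken() { // from class: io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler.1
                @Override
                public String value() {
                    return tokenInfo.token();
                }

                @Override
                public Set<String> scope() {
                    return tokenInfo.scope();
                }

                /**
                 * Expiry time in ms, clamped to {@code issuedAt + maxTokenExpirySeconds} when
                 * a positive cap is configured.
                 */
                @Override
                public long lifetimeMs() {
                    // 1000L keeps the product in long arithmetic; an int product overflows for
                    // caps above Integer.MAX_VALUE / 1000 seconds (roughly 24 days).
                    long cappedExpiryMs = tokenInfo.issuedAtMs()
                            + JaasClientOauthLoginCallbackHandler.this.maxTokenExpirySeconds * 1000L;
                    if (JaasClientOauthLoginCallbackHandler.this.maxTokenExpirySeconds > 0
                            && tokenInfo.expiresAtMs() > cappedExpiryMs) {
                        return cappedExpiryMs;
                    }
                    return tokenInfo.expiresAtMs();
                }

                @Override
                public String principalName() {
                    return tokenInfo.principal();
                }

                @Override
                public Long startTimeMs() {
                    return tokenInfo.issuedAtMs();
                }
            });
        } catch (Throwable th) {
            // Record the failure duration, then propagate unchanged.
            addErrorTime(th, startMs);
            throw th;
        }
    }

    /**
     * Performs the login using the first available credential, in precedence order:
     * access token, refresh token, password grant, client secret.
     *
     * @return the obtained token information
     * @throws IOException if the token endpoint call fails
     * @throws IllegalStateException if none of the credentials is configured
     */
    private TokenInfo login() throws IOException {
        if (this.token != null) {
            return OAuthAuthenticator.loginWithAccessToken(this.token, this.isJwt, this.principalExtractor);
        }
        if (this.refreshToken != null) {
            return OAuthAuthenticator.loginWithRefreshToken(this.tokenEndpoint, this.socketFactory, this.hostnameVerifier, this.refreshToken, this.clientId, this.clientSecret, this.isJwt, this.principalExtractor, this.scope, this.audience, this.connectTimeout, this.readTimeout, this.authenticatorMetrics);
        }
        if (this.username != null) {
            return OAuthAuthenticator.loginWithPassword(this.tokenEndpoint, this.socketFactory, this.hostnameVerifier, this.username, this.password, this.clientId, this.clientSecret, this.isJwt, this.principalExtractor, this.scope, this.audience, this.connectTimeout, this.readTimeout, this.authenticatorMetrics);
        }
        if (this.clientSecret == null) {
            throw new IllegalStateException("Invalid oauth client configuration - no credentials");
        }
        return OAuthAuthenticator.loginWithClientSecret(this.tokenEndpoint, this.socketFactory, this.hostnameVerifier, this.clientId, this.clientSecret, this.isJwt, this.principalExtractor, this.scope, this.audience, this.connectTimeout, this.readTimeout, this.authenticatorMetrics);
    }

    /**
     * Reports the elapsed time since {@code j} to the authentication success sensor, if metrics are enabled.
     *
     * @param j start of the login attempt, in epoch milliseconds
     */
    private void addSuccessTime(long j) {
        if (this.enableMetrics) {
            this.metrics.addTime(this.authSensorKeyProducer.successKey(), System.currentTimeMillis() - j);
        }
    }

    /**
     * Reports the elapsed time since {@code j} to the authentication error sensor, if metrics are enabled.
     *
     * @param th the failure; used to derive the error sensor key
     * @param j start of the login attempt, in epoch milliseconds
     */
    private void addErrorTime(Throwable th, long j) {
        if (this.enableMetrics) {
            this.metrics.addTime(this.authSensorKeyProducer.errorKey(th), System.currentTimeMillis() - j);
        }
    }
}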
