package io.strimzi.kafka.oauth.server.authorizer;

import io.strimzi.kafka.oauth.common.Config;
import io.strimzi.kafka.oauth.common.ConfigException;
import io.strimzi.kafka.oauth.common.ConfigUtil;
import io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/strimzi/kafka/oauth/server/authorizer/Configuration.class */
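/**
 * Holds the OAuth authorizer settings parsed from the broker configuration map.
 *
 * <p>The constructor validates the settings and throws {@link ConfigException} on fatal
 * problems. Non-fatal findings are queued in {@link #logs} and only written to the logger
 * when {@link #printLogs()} is called.
 *
 * <p>This listing is decompiler (JADX) output. The decompiler annotated the constructor and
 * accessors as originally package-private; they are kept {@code public} here so existing
 * callers are unaffected.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The truststore password is held as a plain {@code String}, is returned by
 *       {@link #getTruststorePassword()} and takes part in {@link #equals(Object)} and
 *       {@link #hashCode()}. This class defines no {@code toString()}, so it does not print
 *       the value itself; keep it out of any logging added later.</li>
 *   <li>{@link #getConfigMap()} returns the caller-supplied map itself, which is also where
 *       {@code oauth.ssl.truststore.password} is read from.</li>
 * </ul>
 */
public class Configuration {
    private static final Logger log = LoggerFactory.getLogger(Configuration.class);
    private static final String PRINCIPAL_BUILDER_CLASS = OAuthKafkaPrincipalBuilder.class.getName();
    private static final String DEPRECATED_PRINCIPAL_BUILDER_CLASS = JwtKafkaPrincipalBuilder.class.getName();
    private final Map<String, ?> configMap;
    private final boolean reuseGrants;
    private final String clientId;
    private final String clusterName;
    private final boolean delegateToKafkaACL;
    private final int grantsRefreshPeriodSeconds;
    private final int grantsMaxIdleTimeSeconds;
    private final int grantsRefreshPoolSize;
    private final int gcPeriodSeconds;
    private boolean isKRaft;
    private String truststore;
    private String truststoreData;
    private String truststorePassword;
    private String truststoreType;
    private String prng;
    private String certificateHostCheckAlgorithm;
    private int httpRetries;
    private boolean enableMetrics;
    private URI tokenEndpointUrl;
    private int connectTimeoutSeconds;
    private int readTimeoutSeconds;
    // Findings collected while parsing; flushed to the logger by printLogs().
    private final List<Log> logs = new LinkedList<>();
    private List<UserSpec> superUsers = Collections.emptyList();

    /** A deferred log record: a severity plus the message to emit later. */
    public static class Log {
        Level level;
        String message;

        /** Severity of a deferred log record. */
        public enum Level {
            WARNING,
            DEBUG
        }

        /**
         * @param level severity, must not be {@code null}
         * @param str   message text
         * @throws IllegalArgumentException if {@code level} is {@code null}
         */
        Log(Level level, String str) {
            if (level == null) {
                throw new IllegalArgumentException("level is null");
            }
            this.level = level;
            this.message = str;
        }
    }

    /**
     * Parses and validates the authorizer configuration.
     *
     * @param map broker configuration; the reference is kept and returned by {@link #getConfigMap()}
     * @throws ConfigException if the principal builder class is not one of the two accepted
     *         classes, if the client id or token endpoint is missing, or if a numeric setting
     *         fails its range check
     */
    public Configuration(Map<String, ?> map) {
        this.configMap = map;
        AuthzConfig authzConfig = convertToAuthzConfig(map);

        // Fail closed: refuse to start unless the broker uses a principal builder this
        // authorizer accepts.
        String principalBuilder = (String) this.configMap.get("principal.builder.class");
        boolean isCurrentBuilder = PRINCIPAL_BUILDER_CLASS.equals(principalBuilder);
        boolean isDeprecatedBuilder = DEPRECATED_PRINCIPAL_BUILDER_CLASS.equals(principalBuilder);
        if (!isCurrentBuilder && !isDeprecatedBuilder) {
            throw new ConfigException("This authorizer requires " + PRINCIPAL_BUILDER_CLASS + " as 'principal.builder.class'");
        }
        if (isDeprecatedBuilder) {
            this.logs.add(new Log(Log.Level.WARNING, "The '" + DEPRECATED_PRINCIPAL_BUILDER_CLASS + "' class has been deprecated, and may be removed in the future. Please use '" + PRINCIPAL_BUILDER_CLASS + "' as 'principal.builder.class' instead."));
        }

        configureTokenEndpoint(authzConfig);

        this.clientId = ConfigUtil.getConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_CLIENT_ID, "oauth.client.id");
        if (this.clientId == null) {
            throw new ConfigException("OAuth client id ('strimzi.authorization.client.id') not set.");
        }

        configureSSLFactory(authzConfig);
        configureHostnameVerifier(authzConfig);
        configureHttpTimeouts(authzConfig);

        String configuredClusterName = authzConfig.getValue(AuthzConfig.STRIMZI_AUTHORIZATION_KAFKA_CLUSTER_NAME);
        this.clusterName = configuredClusterName == null ? "kafka-cluster" : configuredClusterName;

        // Delegation to Kafka ACLs is off unless explicitly enabled.
        this.delegateToKafkaACL = authzConfig.getValueAsBoolean(AuthzConfig.STRIMZI_AUTHORIZATION_DELEGATE_TO_KAFKA_ACL, false);
        configureSuperUsers(map);

        this.grantsRefreshPoolSize = authzConfig.getValueAsInt(AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_REFRESH_POOL_SIZE, 5);
        if (this.grantsRefreshPoolSize < 1) {
            throw new ConfigException("Invalid value of 'strimzi.authorization.grants.refresh.pool.size': " + this.grantsRefreshPoolSize + ". Has to be >= 1.");
        }

        // No range check is applied to the refresh period in this class.
        this.grantsRefreshPeriodSeconds = authzConfig.getValueAsInt(AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_REFRESH_PERIOD_SECONDS, 60);
        this.grantsMaxIdleTimeSeconds = configureGrantsMaxIdleTimeSeconds(authzConfig);
        this.gcPeriodSeconds = configureGcPeriodSeconds(authzConfig);
        this.reuseGrants = authzConfig.getValueAsBoolean(AuthzConfig.STRIMZI_AUTHORIZATION_REUSE_GRANTS, true);
        configureHttpRetries(authzConfig);
        configureMetrics(authzConfig);
    }

    /** Emits the findings queued during construction: WARNING entries at warn, all others at debug. */
    public void printLogs() {
        for (Log entry : this.logs) {
            if (entry.level == Log.Level.WARNING) {
                log.warn(entry.message);
            } else {
                log.debug(entry.message);
            }
        }
    }

    /** Reads the grants max idle time; a non-positive value is replaced by 300 and a warning is queued. */
    private int configureGrantsMaxIdleTimeSeconds(AuthzConfig authzConfig) {
        int seconds = authzConfig.getValueAsInt(AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_MAX_IDLE_TIME_SECONDS, 300);
        if (seconds > 0) {
            return seconds;
        }
        this.logs.add(new Log(Log.Level.WARNING, "'strimzi.authorization.grants.max.idle.time.seconds' set to invalid value: " + seconds + " (should be a positive number), using the default value: 300 seconds"));
        return 300;
    }

    /** Reads the grants GC period; a non-positive value is replaced by 300 and a warning is queued. */
    private int configureGcPeriodSeconds(AuthzConfig authzConfig) {
        int seconds = authzConfig.getValueAsInt(AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_GC_PERIOD_SECONDS, 300);
        if (seconds > 0) {
            return seconds;
        }
        this.logs.add(new Log(Log.Level.WARNING, "'strimzi.authorization.grants.gc.period.seconds' set to invalid value: " + seconds + ", using the default value: 300 seconds"));
        return 300;
    }

    /**
     * Parses the {@code super.users} broker setting, a ';'-separated list.
     *
     * <p>Entries are not trimmed or filtered here; each piece is handed to {@code UserSpec.of}.
     * NOTE(review): super users presumably bypass authorization checks, so confirm how
     * {@code UserSpec.of} treats blank or malformed entries.
     */
    private void configureSuperUsers(Map<String, ?> map) {
        String superUsersValue = (String) map.get("super.users");
        if (superUsersValue != null) {
            this.superUsers = Arrays.stream(superUsersValue.split(";")).map(UserSpec::of).collect(Collectors.toList());
        }
    }

    /** Reads truststore location, certificates, password, type and the secure-random implementation name. */
    private void configureSSLFactory(AuthzConfig authzConfig) {
        this.truststore = ConfigUtil.getConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_LOCATION, "oauth.ssl.truststore.location");
        this.truststoreData = ConfigUtil.getConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_CERTIFICATES, "oauth.ssl.truststore.certificates");
        this.truststorePassword = ConfigUtil.getConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_PASSWORD, "oauth.ssl.truststore.password");
        this.truststoreType = ConfigUtil.getConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_TYPE, "oauth.ssl.truststore.type");
        this.prng = ConfigUtil.getConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_SECURE_RANDOM_IMPLEMENTATION, "oauth.ssl.secure.random.implementation");
    }

    /**
     * Selects the endpoint identification algorithm, defaulting to "HTTPS" when none is configured.
     *
     * <p>Any non-null value returned by the lookup is stored unchanged.
     * NOTE(review): presumably an empty value turns hostname verification off downstream;
     * confirm, and treat such a setting as a deployment risk.
     */
    private void configureHostnameVerifier(AuthzConfig authzConfig) {
        String algorithm = ConfigUtil.getConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM, "oauth.ssl.endpoint.identification.algorithm");
        this.certificateHostCheckAlgorithm = algorithm == null ? "HTTPS" : algorithm;
    }

    /**
     * Reads the HTTP retry count (default 0).
     *
     * @throws ConfigException if the configured value is negative
     */
    private void configureHttpRetries(AuthzConfig authzConfig) {
        this.httpRetries = authzConfig.getValueAsInt(AuthzConfig.STRIMZI_AUTHORIZATION_HTTP_RETRIES, 0);
        if (this.httpRetries < 0) {
            throw new ConfigException("Invalid value of 'strimzi.authorization.http.retries': " + this.httpRetries + ". Has to be >= 0.");
        }
    }

    /**
     * Reads the metrics switch; metrics are off when the setting is absent.
     *
     * <p>The decompiled form of this method fell through to an unconditional
     * {@code enableMetrics = false} after the try block, so a true value was overwritten.
     * A single assignment keeps the configured value.
     *
     * @throws ConfigException if {@code Config.isTrue} rejects the configured value
     */
    private void configureMetrics(AuthzConfig authzConfig) {
        String enableMetricsValue = ConfigUtil.getConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_ENABLE_METRICS, "oauth.enable.metrics");
        try {
            this.enableMetrics = enableMetricsValue != null && Config.isTrue(enableMetricsValue);
        } catch (Exception e) {
            throw new ConfigException("Bad boolean value for key: strimzi.authorization.enable.metrics, value: " + enableMetricsValue);
        }
    }

    /**
     * Reads and parses the mandatory token endpoint URI.
     *
     * <p>Only URI syntax is checked here; this class does not restrict the scheme.
     * NOTE(review): confirm that the HTTP client layer rejects or warns on a non-TLS endpoint.
     *
     * @throws ConfigException if the setting is missing or is not a syntactically valid URI
     */
    private void configureTokenEndpoint(AuthzConfig authzConfig) {
        String endpoint = ConfigUtil.getConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_TOKEN_ENDPOINT_URI, "oauth.token.endpoint.uri");
        if (endpoint == null) {
            throw new ConfigException("OAuth2 Token Endpoint ('strimzi.authorization.token.endpoint.uri') not set.");
        }
        try {
            this.tokenEndpointUrl = new URI(endpoint);
        } catch (URISyntaxException e) {
            throw new ConfigException("Specified token endpoint uri is invalid: " + endpoint);
        }
    }

    /** Reads connect and read timeouts; warnings reported by the lookup helper are queued for printLogs(). */
    private void configureHttpTimeouts(AuthzConfig authzConfig) {
        List<String> warnings = new LinkedList<>();
        this.connectTimeoutSeconds = ConfigUtil.getTimeoutConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_CONNECT_TIMEOUT_SECONDS, "oauth.connect.timeout.seconds", warnings);
        this.readTimeoutSeconds = ConfigUtil.getTimeoutConfigWithFallbackLookup(authzConfig, AuthzConfig.STRIMZI_AUTHORIZATION_READ_TIMEOUT_SECONDS, "oauth.read.timeout.seconds", warnings);
        for (String warning : warnings) {
            this.logs.add(new Log(Log.Level.WARNING, warning));
        }
    }

    /**
     * Copies the keys this authorizer recognises from the broker map into a new {@link AuthzConfig}.
     *
     * <p>Keys outside this list are not copied. A key is handed to {@code ConfigUtil.putIfNotNull}
     * together with its map value, which may be {@code null}.
     */
    static AuthzConfig convertToCommonConfig(Map<String, ?> map) {
        String[] recognisedKeys = {
            AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_REFRESH_PERIOD_SECONDS,
            AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_REFRESH_POOL_SIZE,
            AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_MAX_IDLE_TIME_SECONDS,
            AuthzConfig.STRIMZI_AUTHORIZATION_GRANTS_GC_PERIOD_SECONDS,
            AuthzConfig.STRIMZI_AUTHORIZATION_HTTP_RETRIES,
            AuthzConfig.STRIMZI_AUTHORIZATION_REUSE_GRANTS,
            AuthzConfig.STRIMZI_AUTHORIZATION_DELEGATE_TO_KAFKA_ACL,
            AuthzConfig.STRIMZI_AUTHORIZATION_KAFKA_CLUSTER_NAME,
            AuthzConfig.STRIMZI_AUTHORIZATION_CLIENT_ID,
            "oauth.client.id",
            AuthzConfig.STRIMZI_AUTHORIZATION_TOKEN_ENDPOINT_URI,
            "oauth.token.endpoint.uri",
            AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_LOCATION,
            "oauth.ssl.truststore.location",
            AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_CERTIFICATES,
            "oauth.ssl.truststore.certificates",
            AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_PASSWORD,
            "oauth.ssl.truststore.password",
            AuthzConfig.STRIMZI_AUTHORIZATION_SSL_TRUSTSTORE_TYPE,
            "oauth.ssl.truststore.type",
            AuthzConfig.STRIMZI_AUTHORIZATION_SSL_SECURE_RANDOM_IMPLEMENTATION,
            "oauth.ssl.secure.random.implementation",
            AuthzConfig.STRIMZI_AUTHORIZATION_SSL_ENDPOINT_IDENTIFICATION_ALGORITHM,
            "oauth.ssl.endpoint.identification.algorithm",
            AuthzConfig.STRIMZI_AUTHORIZATION_CONNECT_TIMEOUT_SECONDS,
            "oauth.connect.timeout.seconds",
            AuthzConfig.STRIMZI_AUTHORIZATION_READ_TIMEOUT_SECONDS,
            "oauth.read.timeout.seconds",
            AuthzConfig.STRIMZI_AUTHORIZATION_ENABLE_METRICS,
            "oauth.enable.metrics"
        };
        Properties properties = new Properties();
        for (String key : recognisedKeys) {
            ConfigUtil.putIfNotNull(properties, key, map.get(key));
        }
        return new AuthzConfig(properties);
    }

    /** Builds the {@link AuthzConfig} and records whether the broker map indicates KRaft mode. */
    AuthzConfig convertToAuthzConfig(Map<String, ?> map) {
        AuthzConfig authzConfig = convertToCommonConfig(map);
        this.isKRaft = detectKRaft(map);
        if (this.isKRaft) {
            this.logs.add(new Log(Log.Level.DEBUG, "Detected KRaft mode ('process.roles' configured)"));
        }
        return authzConfig;
    }

    /** Returns true when {@code process.roles} is present and its string form is non-empty. */
    private boolean detectKRaft(Map<String, ?> map) {
        Object processRoles = map.get("process.roles");
        return processRoles != null && String.valueOf(processRoles).length() > 0;
    }

    public boolean isKRaft() {
        return this.isKRaft;
    }

    public String getTruststore() {
        return this.truststore;
    }

    public String getTruststoreData() {
        return this.truststoreData;
    }

    /** Returns the truststore password as configured; callers must not log it. */
    public String getTruststorePassword() {
        return this.truststorePassword;
    }

    public String getTruststoreType() {
        return this.truststoreType;
    }

    public String getPrng() {
        return this.prng;
    }

    public String getCertificateHostCheckAlgorithm() {
        return this.certificateHostCheckAlgorithm;
    }

    public boolean isDelegateToKafkaACL() {
        return this.delegateToKafkaACL;
    }

    public URI getTokenEndpointUrl() {
        return this.tokenEndpointUrl;
    }

    public String getClientId() {
        return this.clientId;
    }

    public boolean isReuseGrants() {
        return this.reuseGrants;
    }

    public String getClusterName() {
        return this.clusterName;
    }

    public int getGrantsRefreshPeriodSeconds() {
        return this.grantsRefreshPeriodSeconds;
    }

    public int getGrantsMaxIdleTimeSeconds() {
        return this.grantsMaxIdleTimeSeconds;
    }

    public int getGrantsRefreshPoolSize() {
        return this.grantsRefreshPoolSize;
    }

    public int getGcPeriodSeconds() {
        return this.gcPeriodSeconds;
    }

    /** Returns the parsed super users list itself (not a copy), or an empty list when none are configured. */
    public List<UserSpec> getSuperUsers() {
        return this.superUsers;
    }

    public int getHttpRetries() {
        return this.httpRetries;
    }

    public boolean isEnableMetrics() {
        return this.enableMetrics;
    }

    public int getConnectTimeoutSeconds() {
        return this.connectTimeoutSeconds;
    }

    public int getReadTimeoutSeconds() {
        return this.readTimeoutSeconds;
    }

    /** Returns the map passed to the constructor (same reference); it can contain credential settings. */
    public Map<String, ?> getConfigMap() {
        return this.configMap;
    }

    /**
     * Compares the parsed settings. The raw {@code configMap} and the queued log records are
     * not part of the comparison.
     */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        Configuration other = (Configuration) obj;
        return this.reuseGrants == other.reuseGrants
                && this.delegateToKafkaACL == other.delegateToKafkaACL
                && this.grantsRefreshPeriodSeconds == other.grantsRefreshPeriodSeconds
                && this.grantsMaxIdleTimeSeconds == other.grantsMaxIdleTimeSeconds
                && this.grantsRefreshPoolSize == other.grantsRefreshPoolSize
                && this.gcPeriodSeconds == other.gcPeriodSeconds
                && this.isKRaft == other.isKRaft
                && this.httpRetries == other.httpRetries
                && this.enableMetrics == other.enableMetrics
                && this.connectTimeoutSeconds == other.connectTimeoutSeconds
                && this.readTimeoutSeconds == other.readTimeoutSeconds
                && Objects.equals(this.clientId, other.clientId)
                && Objects.equals(this.clusterName, other.clusterName)
                && Objects.equals(this.truststore, other.truststore)
                && Objects.equals(this.truststoreData, other.truststoreData)
                && Objects.equals(this.truststorePassword, other.truststorePassword)
                && Objects.equals(this.truststoreType, other.truststoreType)
                && Objects.equals(this.prng, other.prng)
                && Objects.equals(this.certificateHostCheckAlgorithm, other.certificateHostCheckAlgorithm)
                && Objects.equals(this.superUsers, other.superUsers)
                && Objects.equals(this.tokenEndpointUrl, other.tokenEndpointUrl);
    }

    /** Hashes the same fields that {@link #equals(Object)} compares. */
    @Override
    public int hashCode() {
        return Objects.hash(
                this.reuseGrants,
                this.clientId,
                this.clusterName,
                this.delegateToKafkaACL,
                this.grantsRefreshPeriodSeconds,
                this.grantsMaxIdleTimeSeconds,
                this.grantsRefreshPoolSize,
                this.gcPeriodSeconds,
                this.isKRaft,
                this.truststore,
                this.truststoreData,
                this.truststorePassword,
                this.truststoreType,
                this.prng,
                this.certificateHostCheckAlgorithm,
                this.superUsers,
                this.httpRetries,
                this.enableMetrics,
                this.tokenEndpointUrl,
                this.connectTimeoutSeconds,
                this.readTimeoutSeconds);
    }
}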
