package io.strimzi.kafka.oauth.server.plain;

import io.strimzi.kafka.oauth.common.BearerTokenWithPayload;
import io.strimzi.kafka.oauth.common.HttpException;
import io.strimzi.kafka.oauth.common.OAuthAuthenticator;
import io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler;
import io.strimzi.kafka.oauth.server.OAuthKafkaPrincipal;
import io.strimzi.kafka.oauth.server.OAuthSaslAuthenticationException;
import io.strimzi.kafka.oauth.server.ServerConfig;
import io.strimzi.kafka.oauth.services.Services;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.apache.kafka.common.security.plain.PlainAuthenticateCallback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/strimzi/kafka/oauth/server/plain/JaasServerOauthOverPlainValidatorCallbackHandler.class */
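/**
 * SASL/PLAIN server-side callback handler that authenticates PLAIN credentials through OAuth.
 *
 * <p>The PLAIN username/password pair is mapped onto an OAuth access token in one of three ways
 * (see {@link #authenticate(String, String)}) and the resulting token is then validated by the
 * superclass, which this handler configures for the {@code OAUTHBEARER} mechanism. On success the
 * principal is recorded via {@code Services.getInstance().getCredentials()}.
 *
 * <p>Fix relative to the previous version: the catch-all error message in
 * {@link #handle(Callback[])} reported a literal {@code null} instead of the username.
 */
public class JaasServerOauthOverPlainValidatorCallbackHandler extends JaasServerOauthValidatorCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger(JaasServerOauthOverPlainValidatorCallbackHandler.class);

    /** Prefix that marks the PLAIN password as a raw access token rather than a client secret. */
    private static final String ACCESS_TOKEN_PREFIX = "$accessToken:";

    /** Token endpoint used for the client_credentials flow; {@code null} when not configured. */
    private URI tokenEndpointUri;
    /** Optional {@code oauth.scope} JAAS option passed to the token endpoint. */
    private String scope;
    /** Optional {@code oauth.audience} JAAS option passed to the token endpoint. */
    private String audience;

    /**
     * Reads the JAAS options and configures the superclass for {@code OAUTHBEARER} validation.
     *
     * @param map          Kafka configuration passed through to the superclass
     * @param str          the SASL mechanism this handler is registered for; must be {@code PLAIN}
     * @param list         JAAS configuration entries carrying the {@code oauth.*} options
     * @throws IllegalArgumentException if the mechanism is not {@code PLAIN} or the configured
     *                                  token endpoint is not a valid URI
     */
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!"PLAIN".equals(str)) {
            throw new IllegalArgumentException(String.format("Unexpected SASL mechanism: %s", str));
        }
        ServerConfig config = parseJaasConfig(list);

        String endpoint = config.getValue(ServerPlainConfig.OAUTH_TOKEN_ENDPOINT_URI);
        if (endpoint != null) {
            try {
                this.tokenEndpointUri = new URI(endpoint);
            } catch (URISyntaxException e) {
                throw new IllegalArgumentException("Invalid tokenEndpointUri: " + endpoint, e);
            }
        }
        this.scope = config.getValue("oauth.scope");
        this.audience = config.getValue("oauth.audience");

        // The token validation itself is delegated to the OAUTHBEARER handler we extend.
        super.configure(map, "OAUTHBEARER", list);

        log.debug("Configured OAuth over PLAIN:\n    tokenEndpointUri: {}\n    scope: {}\n    audience: {}",
                this.tokenEndpointUri, this.scope, this.audience);
        if (endpoint == null) {
            log.debug("tokenEndpointUri is not configured - client_credentials will not be available, password parameter of SASL/PLAIN will automatically be treated as an access token (no '$accessToken:' prefix needed)");
        }
    }

    /** Releases resources held by the superclass. */
    public void close() {
        super.close();
    }

    /**
     * Handles the SASL/PLAIN callbacks: collects the username and password, authenticates them,
     * and marks the {@link PlainAuthenticateCallback} as authenticated on success.
     *
     * <p>Failures are funnelled through {@code handleErrorWithLogger}, except for an
     * {@link OAuthSaslAuthenticationException} which is rethrown unchanged. The catch order
     * is kept exactly as in the previous version.
     *
     * @param callbackArr the callbacks supplied by the SASL server; only {@link NameCallback}
     *                    and {@link PlainAuthenticateCallback} are supported
     * @throws UnsupportedCallbackException declared for API compatibility; an unsupported
     *                                      callback is actually reported via {@code handleErrorWithLogger}
     */
    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        String username = null;
        String password = null;
        PlainAuthenticateCallback plainCallback = null;
        try {
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    username = ((NameCallback) callback).getDefaultName();
                } else if (callback instanceof PlainAuthenticateCallback) {
                    plainCallback = (PlainAuthenticateCallback) callback;
                    // Kafka delivers the password as char[]; the login API below takes a String,
                    // so the secret is necessarily materialised as an immutable String here.
                    password = String.valueOf(plainCallback.password());
                } else {
                    throw new UnsupportedCallbackException(callback);
                }
            }
            handleCallback(plainCallback, username, password);
        } catch (UnsupportedCallbackException e) {
            handleErrorWithLogger(log, "Authentication failed due to misconfiguration", e);
        } catch (SaslAuthenticationException e) {
            handleErrorWithLogger(log, e.getMessage(), e);
        } catch (OAuthSaslAuthenticationException e) {
            throw e;
        } catch (HttpException e) {
            handleErrorWithLogger(log, "Authentication failed: Invalid clientId or secret", e);
        } catch (Throwable e) {
            // Report the actual username (previously a literal null was concatenated here).
            // The password is deliberately never included in the message.
            handleErrorWithLogger(log, "Authentication failed for username: [" + username + "]", e);
        }
    }

    /**
     * Validates the collected callback data and runs authentication.
     *
     * @param plainCallback the PLAIN callback to mark as authenticated; must not be {@code null}
     * @param username      the PLAIN username; must not be {@code null}
     * @param password      the PLAIN password, may be {@code null}
     * @throws IllegalArgumentException if the callback or username is missing
     * @throws Exception                anything raised by {@link #authenticate(String, String)}
     */
    private void handleCallback(PlainAuthenticateCallback plainCallback, String username, String password) throws Exception {
        if (plainCallback == null) {
            throw new IllegalArgumentException("callback == null");
        }
        if (username == null) {
            throw new IllegalArgumentException("username == null");
        }
        authenticate(username, password);
        plainCallback.authenticated(true);
    }

    /**
     * Turns the PLAIN credentials into an access token, validates it and stores the principal.
     *
     * <p>Resolution order:
     * <ol>
     *   <li>password starts with {@code $accessToken:} — the remainder is the access token;</li>
     *   <li>password is {@code null}, or a token endpoint is configured — username/password are
     *       used as clientId/secret for a client_credentials login against the token endpoint;</li>
     *   <li>otherwise (no token endpoint) — the password itself is the access token.</li>
     * </ol>
     * In cases 1 and 3 the PLAIN username must equal the principal name extracted from the
     * token, so a caller cannot present a valid token under a different username. In case 2
     * the username is a clientId, so no such check is made.
     *
     * @param username the PLAIN username (or clientId)
     * @param password the PLAIN password, client secret or access token; may be {@code null}
     * @throws UnsupportedCallbackException propagated from the superclass validator
     * @throws IOException                  propagated from the token endpoint call or validator
     * @throws SaslAuthenticationException  if the username does not match the token's principal
     * @throws RuntimeException             if validation produced no token
     */
    private void authenticate(String username, String password) throws UnsupportedCallbackException, IOException {
        String accessToken;
        boolean usernameMustMatchToken;
        if (password != null && password.startsWith(ACCESS_TOKEN_PREFIX)) {
            accessToken = password.substring(ACCESS_TOKEN_PREFIX.length());
            usernameMustMatchToken = true;
        } else if (password == null || this.tokenEndpointUri != null) {
            // client_credentials grant: username acts as clientId, password as client secret.
            accessToken = OAuthAuthenticator.loginWithClientSecret(this.tokenEndpointUri, getSocketFactory(), getVerifier(),
                    username, password, isJwt(), getPrincipalExtractor(), this.scope, this.audience,
                    getConnectTimeout(), getReadTimeout()).token();
            usernameMustMatchToken = false;
        } else {
            accessToken = password;
            usernameMustMatchToken = true;
        }

        // Delegate validation to the OAUTHBEARER handler; it fills in the token on success.
        OAuthBearerValidatorCallback[] bearerCallbacks = {new OAuthBearerValidatorCallback(accessToken)};
        super.handle(bearerCallbacks);
        BearerTokenWithPayload token = bearerCallbacks[0].token();
        if (token == null) {
            throw new RuntimeException("Authentication with OAuth token has failed (no token returned)");
        }
        if (usernameMustMatchToken && !username.equals(token.principalName())) {
            throw new SaslAuthenticationException("Username doesn't match the token");
        }
        Services.getInstance().getCredentials().storeCredentials(username,
                new OAuthKafkaPrincipal("User", token.principalName(), token));
    }
}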
