package io.strimzi.kafka.oauth.server;

import io.strimzi.kafka.oauth.common.BearerTokenWithPayload;
import io.strimzi.kafka.oauth.common.Config;
import io.strimzi.kafka.oauth.common.ConfigException;
import io.strimzi.kafka.oauth.common.LogUtil;
import io.strimzi.kafka.oauth.common.TimeUtil;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/strimzi/kafka/oauth/server/OAuthSessionAuthorizer.class */
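/**
 * Kafka {@link Authorizer} that rejects every action on a session whose OAuth access token has
 * expired, and otherwise hands the decision to an optional delegate authorizer.
 *
 * <p>Decision order in {@link #authorize}:
 * <ol>
 *   <li>Principal is not an {@code OAuthKafkaPrincipal}: the delegate decides; with no delegate
 *       configured every action is ALLOWED.</li>
 *   <li>Principal carries a token whose {@code lifetimeMs()} is not in the future: every action
 *       is DENIED, and the delegate is not consulted.</li>
 *   <li>Token still valid: the delegate decides; with no delegate every action is ALLOWED.</li>
 * </ol>
 *
 * <p><b>Security note:</b> running without a delegate is a fail-open configuration. It is only
 * accepted when {@code strimzi.authorizer.grant.when.no.delegate=true} is set explicitly, and in
 * that mode the only thing this class enforces is token expiry. Sessions that did not
 * authenticate with an OAuth token are granted everything.
 */
public class OAuthSessionAuthorizer implements Authorizer {
    static final Logger log = LoggerFactory.getLogger(OAuthSessionAuthorizer.class);
    static final Logger GRANT_LOG = LoggerFactory.getLogger(OAuthSessionAuthorizer.class.getName() + ".grant");
    static final Logger DENY_LOG = LoggerFactory.getLogger(OAuthSessionAuthorizer.class.getName() + ".deny");

    // Null when the broker is configured to run without a delegate (grant-when-no-delegate mode).
    private Authorizer delegate;

    /**
     * Instantiates and configures the delegate authorizer named in the broker configuration, or
     * verifies that running without one was explicitly requested.
     *
     * @param map broker configuration; the delegate receives the same map
     * @throws IllegalArgumentException if the configured class does not implement {@link Authorizer}
     * @throws ConfigException if the delegate cannot be loaded or instantiated, or if neither a
     *         delegate nor {@code strimzi.authorizer.grant.when.no.delegate=true} is configured
     */
    @Override
    public void configure(Map<String, ?> map) {
        String delegateClassName = (String) map.get(ServerConfig.STRIMZI_AUTHORIZER_DELEGATE_CLASS_NAME);
        if (delegateClassName != null) {
            try {
                // The class name comes from broker configuration, so whoever can edit that
                // configuration chooses which code makes authorization decisions.
                Class<?> delegateClass = Thread.currentThread().getContextClassLoader().loadClass(delegateClassName);
                if (!Authorizer.class.isAssignableFrom(delegateClass)) {
                    throw new IllegalArgumentException("The class specified by strimzi.authorizer.delegate.class.name is not an instance of org.apache.kafka.server.authorizer.Authorizer");
                }
                this.delegate = (Authorizer) delegateClass.getConstructor().newInstance();
                this.delegate.configure(map);
            } catch (ClassNotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
                throw new ConfigException("Failed to instantiate and configure the delegate authorizer: " + delegateClassName, e);
            }
        } else {
            // Fail closed at startup: without a delegate the operator must opt in to fail-open
            // authorization explicitly, otherwise the broker configuration is rejected.
            String grantWhenNoDelegate = (String) map.get(ServerConfig.STRIMZI_AUTHORIZER_GRANT_WHEN_NO_DELEGATE);
            if (grantWhenNoDelegate == null || !Config.isTrue(grantWhenNoDelegate)) {
                throw new ConfigException("When no 'strimzi.authorizer.delegate.class.name' is specified, 'strimzi.authorizer.grant.when.no.delegate=true' has to be specified");
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Configured OAuthSessionAuthorizer:\n\t{}: {}", ServerConfig.STRIMZI_AUTHORIZER_DELEGATE_CLASS_NAME, delegateClassName);
        }
    }

    /**
     * Authorizes the requested actions for the session's principal.
     *
     * @param authorizableRequestContext request context supplying the principal
     * @param list actions to authorize
     * @return one result per action; all DENIED when the session token has expired, all ALLOWED
     *         when no delegate is configured and the token (if any) is still valid, otherwise
     *         whatever the delegate returns
     */
    @Override
    public List<AuthorizationResult> authorize(AuthorizableRequestContext authorizableRequestContext, List<Action> list) {
        KafkaPrincipal principal = authorizableRequestContext.principal();

        if (principal instanceof OAuthKafkaPrincipal) {
            // NOTE(review): getJwt() is dereferenced without a null check; confirm that an
            // OAuthKafkaPrincipal always carries a token on this code path.
            BearerTokenWithPayload jwt = ((OAuthKafkaPrincipal) principal).getJwt();

            // The expiry check runs before the delegate so an expired session can never be
            // granted access by a permissive delegate.
            if (denyIfTokenInvalid(jwt)) {
                return Collections.nCopies(list.size(), AuthorizationResult.DENIED);
            }
            if (this.delegate != null) {
                return this.delegate.authorize(authorizableRequestContext, list);
            }
            if (GRANT_LOG.isDebugEnabled()) {
                // Only the masked form of the token is ever written to the log.
                GRANT_LOG.debug("Authorization GRANTED - access token still valid: {}, actions: {}, token: {}",
                        principal, list, LogUtil.mask(jwt.value()));
            }
            return Collections.nCopies(list.size(), AuthorizationResult.ALLOWED);
        }

        // Session was not authenticated with an OAuth token: there is no expiry to enforce.
        if (this.delegate != null) {
            return this.delegate.authorize(authorizableRequestContext, list);
        }
        // Fail-open path, reachable only in grant-when-no-delegate mode.
        GRANT_LOG.debug("Authorization GRANTED - no access token: {}, actions: {}", principal, list);
        return Collections.nCopies(list.size(), AuthorizationResult.ALLOWED);
    }

    /**
     * Reports whether the token has expired, logging the denial at debug level.
     *
     * <p>The token counts as expired when its {@code lifetimeMs()} is less than or equal to the
     * current system time.
     *
     * @param bearerTokenWithPayload the session's access token
     * @return {@code true} if access must be denied because the token has expired
     */
    private boolean denyIfTokenInvalid(BearerTokenWithPayload bearerTokenWithPayload) {
        long expiresAtMs = bearerTokenWithPayload.lifetimeMs();
        if (expiresAtMs > System.currentTimeMillis()) {
            return false;
        }
        if (DENY_LOG.isDebugEnabled()) {
            // Arguments line up with the placeholders: epoch millis, ISO timestamp, masked token.
            // The previous message printed the Logger object in the timestamp slot, the ISO
            // timestamp in the token slot, and discarded the masked token.
            DENY_LOG.debug("Authorization DENIED due to token expiry - The token expired at: {} ({} UTC), for token: {}",
                    expiresAtMs,
                    TimeUtil.formatIsoDateTimeUTC(expiresAtMs),
                    LogUtil.mask(bearerTokenWithPayload.value()));
        }
        return true;
    }

    /**
     * Closes the delegate authorizer, if one is configured.
     *
     * @throws IOException if the delegate fails to close
     */
    @Override
    public void close() throws IOException {
        // No delegate exists in grant-when-no-delegate mode; there is nothing to release.
        if (this.delegate != null) {
            this.delegate.close();
        }
    }

    /**
     * Starts the delegate authorizer, or reports every endpoint as ready when there is none.
     *
     * @param authorizerServerInfo broker metadata, including the endpoints to report on
     * @return per-endpoint completion stages from the delegate, or already-completed stages for
     *         each endpoint when no delegate is configured
     */
    @Override
    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo authorizerServerInfo) {
        if (this.delegate != null) {
            return this.delegate.start(authorizerServerInfo);
        }
        // Without a delegate there is nothing to initialise, so every endpoint is ready at once.
        Map<Endpoint, CompletionStage<Void>> ready = new HashMap<>();
        for (Endpoint endpoint : authorizerServerInfo.endpoints()) {
            ready.put(endpoint, CompletableFuture.<Void>completedFuture(null));
        }
        return ready;
    }

    /**
     * Creates ACL bindings through the delegate.
     *
     * @throws UnsupportedOperationException if no delegate authorizer is configured
     */
    @Override
    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBinding> list) {
        return requireDelegate().createAcls(authorizableRequestContext, list);
    }

    /**
     * Deletes ACL bindings through the delegate.
     *
     * @throws UnsupportedOperationException if no delegate authorizer is configured
     */
    @Override
    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext authorizableRequestContext, List<AclBindingFilter> list) {
        return requireDelegate().deleteAcls(authorizableRequestContext, list);
    }

    /**
     * Lists ACL bindings known to the delegate.
     *
     * @return the delegate's matching bindings, or an empty list when no delegate is configured
     *         (this class stores no ACLs of its own)
     */
    @Override
    public Iterable<AclBinding> acls(AclBindingFilter aclBindingFilter) {
        if (this.delegate == null) {
            return Collections.emptyList();
        }
        return this.delegate.acls(aclBindingFilter);
    }

    /** Returns the delegate, or fails with a clear message instead of a NullPointerException. */
    private Authorizer requireDelegate() {
        if (this.delegate == null) {
            throw new UnsupportedOperationException("ACL management is not supported when no delegate authorizer is configured");
        }
        return this.delegate;
    }
}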
