package io.strimzi.kafka.oauth.server;

import io.strimzi.kafka.oauth.common.BearerTokenWithPayload;
import io.strimzi.kafka.oauth.common.ConfigUtil;
import io.strimzi.kafka.oauth.common.JSONUtil;
import io.strimzi.kafka.oauth.common.LogUtil;
import io.strimzi.kafka.oauth.common.TokenInfo;
import io.strimzi.kafka.oauth.validator.JWTSignatureValidator;
import io.strimzi.kafka.oauth.validator.OAuthIntrospectionValidator;
import io.strimzi.kafka.oauth.validator.TokenValidationException;
import io.strimzi.kafka.oauth.validator.TokenValidator;
import java.io.IOException;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.AccessToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/strimzi/kafka/oauth/server/JaasServerOauthValidatorCallbackHandler.class */
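/**
 * Broker-side {@link AuthenticateCallbackHandler} for the {@code OAUTHBEARER} SASL mechanism.
 *
 * <p>{@link #configure} picks exactly one validator from the JAAS options: a
 * {@link JWTSignatureValidator} when {@code OAUTH_JWKS_ENDPOINT_URI} is set (local signature
 * check against a JWKS endpoint) or an {@link OAuthIntrospectionValidator} when
 * {@code OAUTH_INTROSPECTION_ENDPOINT_URI} is set (remote introspection). {@link #handle}
 * then validates the token carried by each {@link OAuthBearerValidatorCallback} and reports
 * either a token or an error back through the callback.
 *
 * <p>This handler is configured once and then used by the broker's SASL layer; it keeps no
 * per-request state of its own.
 */
public class JaasServerOauthValidatorCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger(JaasServerOauthValidatorCallbackHandler.class);

    /** Validator selected in {@link #configure}; {@code null} until {@code configure} has run. */
    private TokenValidator validator;
    private ServerConfig config;
    /** Claim to use as the Kafka principal name, or {@code null} to use the standard {@code sub} claim. */
    private String usernameClaim;
    /** When {@code true}, tokens are opaque: debug logging never tries to decode them as JWT. */
    private boolean notJWT;

    /**
     * Configures the handler from the single JAAS configuration entry.
     *
     * @param map  Kafka configuration (not used by this handler)
     * @param str  SASL mechanism name; must be {@code OAUTHBEARER}
     * @param list JAAS entries for the mechanism; exactly one is expected and its options become the {@link ServerConfig}
     * @throws IllegalArgumentException if the mechanism is not {@code OAUTHBEARER} or the entry count is not one
     * @throws RuntimeException         if the endpoint options are missing or contradictory (see {@link #validateConfig})
     */
    @Override
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!"OAUTHBEARER".equals(str)) {
            throw new IllegalArgumentException(String.format("Unexpected SASL mechanism: %s", str));
        }
        if (list.size() != 1) {
            // The original message never closed the parenthesis.
            throw new IllegalArgumentException("Exactly one jaasConfigEntry expected (size: " + list.size() + ")");
        }
        AppConfigurationEntry jaasEntry = list.get(0);
        Properties properties = new Properties();
        properties.putAll(jaasEntry.getOptions());
        this.config = new ServerConfig(properties);
        this.notJWT = this.config.getValueAsBoolean("oauth.tokens.not.jwt", false);
        // Must run before a validator is built: it rejects "both endpoints", "no endpoint"
        // and "JWKS endpoint with non-JWT tokens".
        validateConfig();

        SSLSocketFactory sslFactory = ConfigUtil.createSSLFactory(this.config);
        HostnameVerifier hostnameVerifier = ConfigUtil.createHostnameVerifier(this.config);
        String jwksEndpointUri = this.config.getValue(ServerConfig.OAUTH_JWKS_ENDPOINT_URI);
        String validIssuerUri = this.config.getValue(ServerConfig.OAUTH_VALID_ISSUER_URI);
        boolean useBouncyCastle = this.config.getValueAsBoolean(ServerConfig.OAUTH_CRYPTO_PROVIDER_BOUNCYCASTLE, false);
        int bouncyCastlePosition = this.config.getValueAsInt(ServerConfig.OAUTH_CRYPTO_PROVIDER_BOUNCYCASTLE_POSITION, 0);

        if (jwksEndpointUri != null) {
            // validateConfig() guarantees the introspection endpoint is unset in this branch.
            this.validator = new JWTSignatureValidator(
                    jwksEndpointUri,
                    sslFactory,
                    hostnameVerifier,
                    validIssuerUri,
                    this.config.getValueAsInt(ServerConfig.OAUTH_JWKS_REFRESH_SECONDS, 300),
                    this.config.getValueAsInt(ServerConfig.OAUTH_JWKS_EXPIRY_SECONDS, 360),
                    true,
                    this.config.getValueAsBoolean(ServerConfig.OAUTH_VALIDATION_SKIP_TYPE_CHECK, false),
                    (String) null,
                    useBouncyCastle,
                    bouncyCastlePosition);
        } else {
            this.validator = new OAuthIntrospectionValidator(
                    this.config.getValue(ServerConfig.OAUTH_INTROSPECTION_ENDPOINT_URI),
                    sslFactory,
                    hostnameVerifier,
                    validIssuerUri,
                    this.config.getValue("oauth.client.id"),
                    this.config.getValue("oauth.client.secret"),
                    true,
                    (String) null);
        }

        this.usernameClaim = this.config.getValue("oauth.username.claim", "sub");
        if ("sub".equals(this.usernameClaim)) {
            // "sub" is what TokenInfo.subject() already returns; null selects that fast path
            // and avoids a payload lookup (which the introspection validator may not provide).
            this.usernameClaim = null;
        }
    }

    /**
     * Rejects configurations that name neither or both endpoints, or that combine the
     * JWKS endpoint (signature validation requires a JWT) with {@code oauth.tokens.not.jwt}.
     *
     * @throws RuntimeException describing the offending combination
     */
    private void validateConfig() {
        String jwksEndpointUri = this.config.getValue(ServerConfig.OAUTH_JWKS_ENDPOINT_URI);
        String introspectionEndpointUri = this.config.getValue(ServerConfig.OAUTH_INTROSPECTION_ENDPOINT_URI);
        if (jwksEndpointUri == null && introspectionEndpointUri == null) {
            throw new RuntimeException("OAuth validator configuration error: either OAUTH_JWKS_ENDPOINT_URI (for fast local signature validation) or OAUTH_INTROSPECTION_ENDPOINT_URI (for using authorization server during validation) should be specified!");
        }
        if (jwksEndpointUri != null && introspectionEndpointUri != null) {
            throw new RuntimeException("OAuth validator configuration error: only one of OAUTH_JWKS_ENDPOINT_URI (for fast local signature validation) and OAUTH_INTROSPECTION_ENDPOINT_URI (for using authorization server during validation) can be specified!");
        }
        if (jwksEndpointUri != null && this.notJWT) {
            throw new RuntimeException("OAuth validator configuration error - OAUTH_JWKS_ENDPOINT_URI (for fast local signature validation) is not compatible with OAUTH_TOKENS_NOT_JWT");
        }
    }

    /** No-op: this handler holds no resources of its own and does not close the validator. */
    @Override
    public void close() {
    }

    /**
     * Validates the token in every {@link OAuthBearerValidatorCallback} passed in.
     *
     * @param callbackArr callbacks from the SASL server
     * @throws UnsupportedCallbackException on the first callback that is not an {@link OAuthBearerValidatorCallback};
     *                                      callbacks before it have already been handled
     * @throws IOException                  declared by the interface; not thrown by this implementation
     */
    @Override
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            if (!(callback instanceof OAuthBearerValidatorCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            handleCallback((OAuthBearerValidatorCallback) callback);
        }
    }

    /**
     * Validates a single callback's token and reports the outcome on the callback.
     *
     * <p>A {@link TokenValidationException} is an ordinary authentication failure and is
     * reported via {@code callback.error(...)}. Any other {@link RuntimeException} (network
     * problem, misconfiguration) is rethrown as an {@link AuthenticationException} so the
     * broker fails the handshake rather than reporting a bogus "invalid token".
     *
     * @param callback callback carrying the client's bearer token
     * @throws IllegalArgumentException if the callback carries no token
     * @throws AuthenticationException  if validation failed for a reason other than the token itself
     */
    private void handleCallback(OAuthBearerValidatorCallback callback) {
        if (callback.tokenValue() == null) {
            throw new IllegalArgumentException("Callback has null token value!");
        }
        String token = callback.tokenValue();
        debugLogToken(token);
        try {
            final TokenInfo tokenInfo = validateToken(token);
            callback.token(new BearerTokenWithPayload() { // from class: io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.1
                /** Opaque slot for downstream components (e.g. authorizers) to cache data per token. */
                private Object payload;

                @Override
                public Object getPayload() {
                    return this.payload;
                }

                @Override
                public void setPayload(Object obj) {
                    this.payload = obj;
                }

                @Override
                public String value() {
                    return tokenInfo.token();
                }

                @Override
                public Set<String> scope() {
                    return tokenInfo.scope();
                }

                @Override
                public long lifetimeMs() {
                    return tokenInfo.expiresAtMs();
                }

                /**
                 * Returns the principal name: the token subject unless a custom username claim
                 * is configured, in which case that claim is read from the token payload.
                 *
                 * @throws IllegalStateException if a custom claim is configured but the
                 *                               validator exposes no payload to read it from
                 */
                @Override
                public String principalName() {
                    if (JaasServerOauthValidatorCallbackHandler.this.usernameClaim == null) {
                        return tokenInfo.subject();
                    }
                    if (tokenInfo.payload() != null) {
                        return JSONUtil.getClaimFromJWT(JaasServerOauthValidatorCallbackHandler.this.usernameClaim, tokenInfo.payload());
                    }
                    throw new IllegalStateException("Username claim extraction not supported by validator: " + JaasServerOauthValidatorCallbackHandler.this.validator.getClass());
                }

                @Override
                public Long startTimeMs() {
                    return Long.valueOf(tokenInfo.issuedAtMs());
                }
            });
        } catch (TokenValidationException e) {
            if (log.isDebugEnabled()) {
                // Only the masked token goes to the log.
                log.debug("Validation failed for token: " + LogUtil.mask(token), e);
            }
            callback.error(e.status(), (String) null, (String) null);
        } catch (RuntimeException e2) {
            if (log.isDebugEnabled()) {
                log.debug("Validation failed due to runtime exception (network issue or misconfiguration): ", e2);
            }
            // The full cause chain is folded into the message; keep in mind that Kafka may
            // surface AuthenticationException messages to the client.
            throw new AuthenticationException("Validation failed due to runtime exception: " + getCauseMessage(e2), e2);
        } catch (Exception e3) {
            // Only reachable for checked exceptions; the RuntimeException branch above takes the rest.
            log.error("Unexpected failure during signature check:", e3);
            throw new RuntimeException("Unexpected failure during signature check:", e3);
        }
    }

    /**
     * Flattens a throwable and its cause chain into one line:
     * {@code "<t>, caused by: <cause>, caused by: ..."}.
     *
     * @param th the root throwable (non-null)
     * @return the joined {@code toString()} of every throwable in the chain
     */
    private static String getCauseMessage(Throwable th) {
        StringBuilder sb = new StringBuilder(th.toString());
        for (Throwable cause = th.getCause(); cause != null; cause = cause.getCause()) {
            sb.append(", caused by: ").append(cause.toString());
        }
        return sb.toString();
    }

    /**
     * Delegates to the validator chosen in {@link #configure}.
     *
     * @param token raw bearer token from the client
     * @return validated token information
     */
    private TokenInfo validateToken(String token) {
        return this.validator.validate(token);
    }

    /**
     * Best-effort DEBUG logging of a JWT's decoded payload and expiry. Skipped when DEBUG is
     * off or tokens are declared non-JWT. Failures to parse are logged and swallowed.
     *
     * <p>The first log line contains the full decoded claim set, so DEBUG output of this
     * logger must be treated as sensitive.
     *
     * @param token raw bearer token from the client
     */
    private void debugLogToken(String token) {
        if (!log.isDebugEnabled() || this.notJWT) {
            return;
        }
        try {
            // The decompiled listing referred to this object as an undeclared "r0".
            JWSInput jws = new JWSInput(token);
            log.debug("Token: {}", jws.readContentAsString());
            try {
                AccessToken accessToken = jws.readJsonContent(AccessToken.class);
                // NOTE(review): assumes getExpiration() returns a primitive; if it can return
                // a null Long, a token without "exp" would throw NPE out of this debug path.
                log.debug("Access token expires at (UTC): " + LocalDateTime.ofEpochSecond(accessToken.getExpiration(), 0, ZoneOffset.UTC).format(DateTimeFormatter.ISO_DATE_TIME));
            } catch (JWSInputException e) {
                log.debug("[IGNORED] Failed to parse JWT token's payload", e);
            }
        } catch (JWSInputException e2) {
            log.debug("[IGNORED] Token doesn't seem to be JWT token: " + LogUtil.mask(token), e2);
        }
    }
}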
