package org.apache.kafka.common.security.authenticator;

import java.io.Closeable;
import java.io.IOException;
import java.security.Principal;
import java.util.Objects;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.TransportLayer;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.PlaintextAuthenticationContext;
import org.apache.kafka.common.security.auth.PrincipalBuilder;
import org.apache.kafka.common.security.auth.SaslAuthenticationContext;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;
import org.apache.kafka.common.security.kerberos.KerberosName;
import org.apache.kafka.common.security.kerberos.KerberosShortNamer;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;

/* JADX WARN: Classes with same name are omitted:
  input_file:META-INF/bundled-dependencies/pulsar-io-kafka-connect-adaptor-2.7.2.1.1.30.jar:META-INF/bundled-dependencies/kafka-clients-2.7.0.jar:org/apache/kafka/common/security/authenticator/DefaultKafkaPrincipalBuilder.class
 */
/* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.0.jar:org/apache/kafka/common/security/authenticator/DefaultKafkaPrincipalBuilder.class */
/**
 * Derives the {@link KafkaPrincipal} for a connection from its {@link AuthenticationContext}.
 *
 * <p>The result depends on the context type, checked in this order:
 * <ul>
 *   <li><b>Plaintext</b>: {@link KafkaPrincipal#ANONYMOUS}, unless a legacy
 *       {@link PrincipalBuilder} was supplied.</li>
 *   <li><b>SSL</b>: the peer principal of the TLS session, passed through the
 *       {@link SslPrincipalMapper} when it is an {@link X500Principal}. A peer that was not
 *       verified is reported as {@link KafkaPrincipal#ANONYMOUS} rather than rejected.</li>
 *   <li><b>SASL</b>: the authorization ID reported by the {@link SaslServer}, shortened by the
 *       {@link KerberosShortNamer} when the mechanism name is exactly {@code "GSSAPI"}.</li>
 * </ul>
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>This class does not reject connections. Unauthenticated plaintext and unverified TLS
 *       peers both become {@code ANONYMOUS}, so any permission granted to that principal
 *       applies to all of them.</li>
 *   <li>Every principal produced here has type {@link KafkaPrincipal#USER_TYPE}.</li>
 *   <li>The SASL principal is taken from {@code getAuthorizationID()}. Whether that ID was
 *       checked against the authenticated identity is decided by the SASL server, not here.</li>
 *   <li>NOTE(review): neither {@code kerberosShortNamer} nor {@code sslPrincipalMapper} is
 *       null-checked. The GSSAPI and X.500 paths dereference them directly, so a missing
 *       collaborator surfaces as a {@link NullPointerException} during authentication.</li>
 * </ul>
 */
public class DefaultKafkaPrincipalBuilder implements KafkaPrincipalBuilder, Closeable {
    /** Legacy builder; when non-null it takes precedence on plaintext and SSL connections. */
    private final PrincipalBuilder oldPrincipalBuilder;
    /** Passed to the legacy builder only; unused otherwise. */
    private final Authenticator authenticator;
    /** Passed to the legacy builder only; unused otherwise. */
    private final TransportLayer transportLayer;
    /** Maps a parsed Kerberos name to a short name on the GSSAPI path; may be null. */
    private final KerberosShortNamer kerberosShortNamer;
    /** Maps an X.500 distinguished name to a principal name on the SSL path; may be null. */
    private final SslPrincipalMapper sslPrincipalMapper;

    /**
     * Creates a builder that delegates plaintext and SSL principals to a legacy
     * {@link PrincipalBuilder}.
     *
     * @param authenticator handed to the legacy builder; must not be null
     * @param transportLayer handed to the legacy builder; must not be null
     * @param principalBuilder the legacy builder; must not be null
     * @param kerberosShortNamer used for SASL/GSSAPI connections; not null-checked
     * @return a builder with no {@link SslPrincipalMapper} (the legacy builder handles SSL)
     * @throws NullPointerException if any of the first three arguments is null
     */
    public static DefaultKafkaPrincipalBuilder fromOldPrincipalBuilder(Authenticator authenticator, TransportLayer transportLayer, PrincipalBuilder principalBuilder, KerberosShortNamer kerberosShortNamer) {
        // Arguments are validated left to right, matching the parameter order.
        Authenticator checkedAuthenticator = Objects.requireNonNull(authenticator);
        TransportLayer checkedTransportLayer = Objects.requireNonNull(transportLayer);
        PrincipalBuilder checkedLegacyBuilder = Objects.requireNonNull(principalBuilder);
        return new DefaultKafkaPrincipalBuilder(checkedAuthenticator, checkedTransportLayer, checkedLegacyBuilder, kerberosShortNamer, null);
    }

    /** Assigns all collaborators as given; performs no validation. */
    private DefaultKafkaPrincipalBuilder(Authenticator authenticator, TransportLayer transportLayer, PrincipalBuilder principalBuilder, KerberosShortNamer kerberosShortNamer, SslPrincipalMapper sslPrincipalMapper) {
        this.oldPrincipalBuilder = principalBuilder;
        this.authenticator = authenticator;
        this.transportLayer = transportLayer;
        this.kerberosShortNamer = kerberosShortNamer;
        this.sslPrincipalMapper = sslPrincipalMapper;
    }

    /**
     * Creates a builder without a legacy {@link PrincipalBuilder}.
     *
     * @param kerberosShortNamer used for SASL/GSSAPI connections; not null-checked
     * @param sslPrincipalMapper used for X.500 peer principals on SSL connections; not null-checked
     */
    public DefaultKafkaPrincipalBuilder(KerberosShortNamer kerberosShortNamer, SslPrincipalMapper sslPrincipalMapper) {
        this(null, null, null, kerberosShortNamer, sslPrincipalMapper);
    }

    /**
     * Builds the principal for the given authentication context.
     *
     * @param authenticationContext a plaintext, SSL or SASL context
     * @return the derived principal, or {@link KafkaPrincipal#ANONYMOUS} for plaintext
     *     connections without a legacy builder and for SSL peers that were not verified
     * @throws IllegalArgumentException if the context is of any other type
     * @throws KafkaException if the Kerberos or SSL mapping rules fail with an I/O error
     */
    @Override
    public KafkaPrincipal build(AuthenticationContext authenticationContext) {
        if (authenticationContext instanceof PlaintextAuthenticationContext) {
            if (this.oldPrincipalBuilder == null) {
                // Nothing on a plaintext connection identifies the client.
                return KafkaPrincipal.ANONYMOUS;
            }
            return principalFromLegacyBuilder();
        }

        if (authenticationContext instanceof SslAuthenticationContext) {
            SSLSession tlsSession = ((SslAuthenticationContext) authenticationContext).session();
            if (this.oldPrincipalBuilder != null) {
                return principalFromLegacyBuilder();
            }
            try {
                return applySslPrincipalMapper(tlsSession.getPeerPrincipal());
            } catch (SSLPeerUnverifiedException unverifiedPeer) {
                // The peer's identity was not verified. The connection is still accepted here
                // and treated as anonymous; authorization must not trust ANONYMOUS.
                return KafkaPrincipal.ANONYMOUS;
            }
        }

        if (authenticationContext instanceof SaslAuthenticationContext) {
            SaslServer saslServer = ((SaslAuthenticationContext) authenticationContext).server();
            // Exact, case-sensitive match on the mechanism name selects Kerberos short naming.
            boolean kerberos = "GSSAPI".equals(saslServer.getMechanismName());
            if (kerberos) {
                return applyKerberosShortNamer(saslServer.getAuthorizationID());
            }
            // Other mechanisms: the authorization ID is used verbatim as the principal name.
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, saslServer.getAuthorizationID());
        }

        throw new IllegalArgumentException("Unhandled authentication context type: " + authenticationContext.getClass().getName());
    }

    /** Asks the legacy builder for a principal and converts it to a user principal. */
    private KafkaPrincipal principalFromLegacyBuilder() {
        return convertToKafkaPrincipal(this.oldPrincipalBuilder.buildPrincipal(this.transportLayer, this.authenticator));
    }

    /**
     * Parses a Kerberos authorization ID and maps it to a short name.
     *
     * <p>NOTE(review): the mapping rules live in {@link KerberosShortNamer}; confirm they cannot
     * map principals from different realms to the same short name.
     *
     * @throws KafkaException if applying the short-name rules fails with an I/O error
     */
    private KafkaPrincipal applyKerberosShortNamer(String str) {
        // Parsing happens outside the try block, so parse failures are not wrapped.
        KerberosName kerberosName = KerberosName.parse(str);
        try {
            String shortName = this.kerberosShortNamer.shortName(kerberosName);
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, shortName);
        } catch (IOException e) {
            throw new KafkaException("Failed to set name for '" + kerberosName + "' based on Kerberos authentication rules.", e);
        }
    }

    /**
     * Converts a TLS peer principal to a user principal.
     *
     * <p>Only an {@link X500Principal} that is not the {@code ANONYMOUS} instance goes through
     * the {@link SslPrincipalMapper}; any other principal keeps its name unchanged.
     *
     * @throws KafkaException if applying the SSL mapping rules fails with an I/O error
     */
    private KafkaPrincipal applySslPrincipalMapper(Principal principal) {
        try {
            boolean subjectToMapping = principal instanceof X500Principal && principal != KafkaPrincipal.ANONYMOUS;
            if (subjectToMapping) {
                return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, this.sslPrincipalMapper.getName(principal.getName()));
            }
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, principal.getName());
        } catch (IOException e) {
            throw new KafkaException("Failed to map name for '" + principal.getName() + "' based on SSL principal mapping rules.", e);
        }
    }

    /** Keeps only the name of the given principal; the resulting type is always USER_TYPE. */
    private KafkaPrincipal convertToKafkaPrincipal(Principal principal) {
        String principalName = principal.getName();
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, principalName);
    }

    /** Closes the legacy builder if one was supplied; otherwise does nothing. */
    @Override
    public void close() {
        if (this.oldPrincipalBuilder == null) {
            return;
        }
        this.oldPrincipalBuilder.close();
    }
}
