package org.apache.kafka.common.security.oauthbearer.internals;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslClientFactory;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.errors.IllegalSaslStateException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:META-INF/bundled-dependencies/pulsar-io-kafka-connect-adaptor-2.7.2.1.1.33.jar:META-INF/bundled-dependencies/kafka-clients-2.7.0.jar:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.class
 */
/* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.0.jar:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient.class */
public class OAuthBearerSaslClient implements SaslClient {
    static final byte BYTE_CONTROL_A = 1;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) OAuthBearerSaslClient.class);
    private final CallbackHandler callbackHandler;
    private State state;

    /* JADX WARN: Classes with same name are omitted:
      input_file:META-INF/bundled-dependencies/pulsar-io-kafka-connect-adaptor-2.7.2.1.1.33.jar:META-INF/bundled-dependencies/kafka-clients-2.7.0.jar:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient$OAuthBearerSaslClientFactory.class
     */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.0.jar:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient$OAuthBearerSaslClientFactory.class */
    public static class OAuthBearerSaslClientFactory implements SaslClientFactory {
        public SaslClient createSaslClient(String[] strArr, String str, String str2, String str3, Map<String, ?> map, CallbackHandler callbackHandler) {
            String[] mechanismNames = getMechanismNames(map);
            for (String str4 : strArr) {
                for (String str5 : mechanismNames) {
                    if (str5.equals(str4)) {
                        if (Objects.requireNonNull(callbackHandler) instanceof AuthenticateCallbackHandler) {
                            return new OAuthBearerSaslClient((AuthenticateCallbackHandler) callbackHandler);
                        }
                        throw new IllegalArgumentException(String.format("Callback handler must be castable to %s: %s", AuthenticateCallbackHandler.class.getName(), callbackHandler.getClass().getName()));
                    }
                }
            }
            return null;
        }

        public String[] getMechanismNames(Map<String, ?> map) {
            return OAuthBearerSaslServer.mechanismNamesCompatibleWithPolicy(map);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:META-INF/bundled-dependencies/pulsar-io-kafka-connect-adaptor-2.7.2.1.1.33.jar:META-INF/bundled-dependencies/kafka-clients-2.7.0.jar:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient$State.class
     */
    /* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.0.jar:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClient$State.class */
    public enum State {
        SEND_CLIENT_FIRST_MESSAGE,
        RECEIVE_SERVER_FIRST_MESSAGE,
        RECEIVE_SERVER_MESSAGE_AFTER_FAILURE,
        COMPLETE,
        FAILED
    }

    public OAuthBearerSaslClient(AuthenticateCallbackHandler authenticateCallbackHandler) {
        this.callbackHandler = (CallbackHandler) Objects.requireNonNull(authenticateCallbackHandler);
        setState(State.SEND_CLIENT_FIRST_MESSAGE);
    }

    public CallbackHandler callbackHandler() {
        return this.callbackHandler;
    }

    public String getMechanismName() {
        return OAuthBearerLoginModule.OAUTHBEARER_MECHANISM;
    }

    public boolean hasInitialResponse() {
        return true;
    }

    public byte[] evaluateChallenge(byte[] bArr) throws SaslException {
        try {
            try {
                OAuthBearerTokenCallback oAuthBearerTokenCallback = new OAuthBearerTokenCallback();
                switch (this.state) {
                    case SEND_CLIENT_FIRST_MESSAGE:
                        if (bArr != null && bArr.length != 0) {
                            throw new SaslException("Expected empty challenge");
                        }
                        callbackHandler().handle(new Callback[]{oAuthBearerTokenCallback});
                        SaslExtensions retrieveCustomExtensions = retrieveCustomExtensions();
                        setState(State.RECEIVE_SERVER_FIRST_MESSAGE);
                        return new OAuthBearerClientInitialResponse(oAuthBearerTokenCallback.token().value(), retrieveCustomExtensions).toBytes();
                    case RECEIVE_SERVER_FIRST_MESSAGE:
                        if (bArr == null || bArr.length == 0) {
                            callbackHandler().handle(new Callback[]{oAuthBearerTokenCallback});
                            if (log.isDebugEnabled()) {
                                log.debug("Successfully authenticated as {}", oAuthBearerTokenCallback.token().principalName());
                            }
                            setState(State.COMPLETE);
                            return null;
                        }
                        String str = new String(bArr, StandardCharsets.UTF_8);
                        if (log.isDebugEnabled()) {
                            log.debug("Sending %%x01 response to server after receiving an error: {}", str);
                        }
                        setState(State.RECEIVE_SERVER_MESSAGE_AFTER_FAILURE);
                        return new byte[]{1};
                    default:
                        throw new IllegalSaslStateException("Unexpected challenge in Sasl client state " + this.state);
                }
            } catch (IOException | UnsupportedCallbackException e) {
                setState(State.FAILED);
                throw new SaslException(e.getMessage(), e);
            }
        } catch (SaslException e2) {
            setState(State.FAILED);
            throw e2;
        }
    }

    public boolean isComplete() {
        return this.state == State.COMPLETE;
    }

    public byte[] unwrap(byte[] bArr, int i, int i2) {
        if (isComplete()) {
            return Arrays.copyOfRange(bArr, i, i + i2);
        }
        throw new IllegalStateException("Authentication exchange has not completed");
    }

    public byte[] wrap(byte[] bArr, int i, int i2) {
        if (isComplete()) {
            return Arrays.copyOfRange(bArr, i, i + i2);
        }
        throw new IllegalStateException("Authentication exchange has not completed");
    }

    public Object getNegotiatedProperty(String str) {
        if (isComplete()) {
            return null;
        }
        throw new IllegalStateException("Authentication exchange has not completed");
    }

    public void dispose() {
    }

    private void setState(State state) {
        log.debug("Setting SASL/{} client state to {}", OAuthBearerLoginModule.OAUTHBEARER_MECHANISM, state);
        this.state = state;
    }

    private SaslExtensions retrieveCustomExtensions() throws SaslException {
        SaslExtensionsCallback saslExtensionsCallback = new SaslExtensionsCallback();
        try {
            callbackHandler().handle(new Callback[]{saslExtensionsCallback});
        } catch (UnsupportedCallbackException e) {
            log.debug("Extensions callback is not supported by client callback handler {}, no extensions will be added", callbackHandler());
        } catch (Exception e2) {
            throw new SaslException("SASL extensions could not be obtained", e2);
        }
        return saslExtensionsCallback.extensions();
    }
}
