package org.apache.kafka.common.security.oauthbearer.internals;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.authenticator.SaslInternalConfigs;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.apache.kafka.common.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-2.7.2.jar:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslServer.class */
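/**
 * Server side of the SASL {@code OAUTHBEARER} mechanism (RFC 7628).
 * <p>
 * The exchange is a single client-first message: the client's initial response is parsed by
 * {@link OAuthBearerClientInitialResponse}, the bearer token is handed to the configured
 * {@link AuthenticateCallbackHandler} through an {@link OAuthBearerValidatorCallback}, and — if
 * the handler produces a token — any SASL extensions are validated through an
 * {@link OAuthBearerExtensionsValidatorCallback}. On success the exchange completes and the
 * validated token, its lifetime and the validated extensions become negotiated properties.
 * On validation failure the server replies with the RFC 7628 JSON error document and waits for
 * the client's {@code %x01} abort byte, which is then surfaced as a
 * {@link SaslAuthenticationException}.
 * <p>
 * Security notes:
 * <ul>
 *   <li>This class does no token validation of its own; it trusts whatever the callback handler
 *       reports. The handler is therefore the component that must verify signature, issuer,
 *       audience and expiry.</li>
 *   <li>The raw token value is never written to the log by this class; only the principal name
 *       and the (server-generated) error document are logged at DEBUG level.</li>
 *   <li>A client-supplied authorization id is accepted only if it equals the token's principal
 *       name, so a valid token cannot be used to assume a different identity.</li>
 *   <li>No SASL security layer is negotiated: {@link #wrap} and {@link #unwrap} are identity
 *       copies, and the mechanism is withheld when the {@code noplaintext} SASL policy is set.</li>
 * </ul>
 * Instances are not thread-safe; each SASL exchange uses its own instance.
 */
public class OAuthBearerSaslServer implements SaslServer {
    private static final Logger log = LoggerFactory.getLogger(OAuthBearerSaslServer.class);
    /** Negotiated-property key under which the validated {@link OAuthBearerToken} is exposed. */
    private static final String NEGOTIATED_PROPERTY_KEY_TOKEN = "OAUTHBEARER.token";
    private static final String INTERNAL_ERROR_ON_SERVER = "Authentication could not be performed due to an internal error on the server";
    private final AuthenticateCallbackHandler callbackHandler;
    /** True once a token (and its extensions) have been accepted; gates all negotiated-property access. */
    private boolean complete;
    /** The accepted token; non-null only while {@link #complete} is true. */
    private OAuthBearerToken tokenForNegotiatedProperty = null;
    /** JSON error document sent to the client on the previous round, awaiting its {@code %x01} abort. */
    private String errorMessage = null;
    /** Extensions accepted by the callback handler; non-null only while {@link #complete} is true. */
    private SaslExtensions extensions;

    /**
     * {@link SaslServerFactory} that creates an {@link OAuthBearerSaslServer} for the
     * {@code OAUTHBEARER} mechanism, honouring the SASL policy properties.
     */
    public static class OAuthBearerSaslServerFactory implements SaslServerFactory {
        /**
         * Creates a server for {@code mechanism} if it is one of the mechanisms this factory
         * offers under the given policy properties; returns {@code null} otherwise, as the
         * {@link SaslServerFactory} contract requires.
         *
         * @param mechanism       requested SASL mechanism name
         * @param protocol        ignored
         * @param serverName      ignored
         * @param props           SASL properties, may be {@code null}
         * @param callbackHandler must be an {@link AuthenticateCallbackHandler}
         * @return a new server, or {@code null} if the mechanism is not offered
         * @throws IllegalArgumentException if {@code callbackHandler} is not an {@link AuthenticateCallbackHandler}
         */
        @Override
        public SaslServer createSaslServer(String mechanism, String protocol, String serverName, Map<String, ?> props, CallbackHandler callbackHandler) {
            for (String supported : getMechanismNames(props)) {
                if (supported.equals(mechanism)) {
                    return new OAuthBearerSaslServer(callbackHandler);
                }
            }
            return null;
        }

        /**
         * @param props SASL properties, may be {@code null}
         * @return {@code ["OAUTHBEARER"]}, or an empty array if the {@code noplaintext} policy is requested
         */
        @Override
        public String[] getMechanismNames(Map<String, ?> props) {
            return OAuthBearerSaslServer.mechanismNamesCompatibleWithPolicy(props);
        }
    }

    /**
     * @param callbackHandler handler that validates tokens and extensions; must implement
     *                        {@link AuthenticateCallbackHandler}
     * @throws NullPointerException     if {@code callbackHandler} is null
     * @throws IllegalArgumentException if {@code callbackHandler} is not an {@link AuthenticateCallbackHandler}
     */
    public OAuthBearerSaslServer(CallbackHandler callbackHandler) {
        if (!(Objects.requireNonNull(callbackHandler) instanceof AuthenticateCallbackHandler)) {
            throw new IllegalArgumentException(String.format("Callback handler must be castable to %s: %s", AuthenticateCallbackHandler.class.getName(), callbackHandler.getClass().getName()));
        }
        this.callbackHandler = (AuthenticateCallbackHandler) callbackHandler;
    }

    /**
     * Evaluates one client message.
     * <p>
     * If the previous round produced an error document and the client now sends the single
     * {@code %x01} abort byte (RFC 7628 §3.2.3), the stored error is raised as a
     * {@link SaslAuthenticationException}. Otherwise the message is parsed as the client's
     * initial response and processed.
     *
     * @param response raw client message; must not be null
     * @return an empty array on success, or the UTF-8 JSON error document on validation failure
     * @throws SaslException               if the message is malformed or the callback handler fails internally
     * @throws SaslAuthenticationException if the client aborts after an error, requests a foreign
     *                                     authorization id, or supplies invalid extensions
     */
    @Override
    public byte[] evaluateResponse(byte[] response) throws SaslException, SaslAuthenticationException {
        // The length check precedes the index, so an empty message cannot throw here.
        if (response.length == 1 && response[0] == 1 && this.errorMessage != null) {
            log.debug("Received %x01 response from client after it received our error");
            throw new SaslAuthenticationException(this.errorMessage);
        }
        // Any other message starts a fresh attempt; a stale error must not leak into it.
        this.errorMessage = null;
        try {
            OAuthBearerClientInitialResponse initialResponse = new OAuthBearerClientInitialResponse(response);
            return process(initialResponse.tokenValue(), initialResponse.authorizationId(), initialResponse.extensions());
        } catch (SaslException e) {
            log.debug(e.getMessage());
            throw e;
        }
    }

    /**
     * @return the principal name of the accepted token
     * @throws IllegalStateException if the exchange has not completed (or was disposed)
     */
    @Override
    public String getAuthorizationID() {
        if (this.complete) {
            return this.tokenForNegotiatedProperty.principalName();
        }
        throw new IllegalStateException("Authentication exchange has not completed");
    }

    @Override
    public String getMechanismName() {
        return "OAUTHBEARER";
    }

    /**
     * Looks up a negotiated property.
     * <p>
     * {@code "OAUTHBEARER.token"} yields the accepted {@link OAuthBearerToken} itself — i.e. the
     * bearer credential — so callers must treat the result as a secret.
     * {@link SaslInternalConfigs#CREDENTIAL_LIFETIME_MS_SASL_NEGOTIATED_PROPERTY_KEY} yields the
     * token's lifetime in milliseconds as a {@link Long}. Any other key is looked up among the
     * validated extensions.
     *
     * @throws IllegalStateException if the exchange has not completed (or was disposed)
     */
    @Override
    public Object getNegotiatedProperty(String propName) {
        if (!this.complete) {
            throw new IllegalStateException("Authentication exchange has not completed");
        }
        if (NEGOTIATED_PROPERTY_KEY_TOKEN.equals(propName)) {
            return this.tokenForNegotiatedProperty;
        }
        if (SaslInternalConfigs.CREDENTIAL_LIFETIME_MS_SASL_NEGOTIATED_PROPERTY_KEY.equals(propName)) {
            return Long.valueOf(this.tokenForNegotiatedProperty.lifetimeMs());
        }
        return this.extensions.map().get(propName);
    }

    @Override
    public boolean isComplete() {
        return this.complete;
    }

    /**
     * No security layer is negotiated, so this is a plain copy of the requested range.
     *
     * @throws IllegalStateException if the exchange has not completed (or was disposed)
     */
    @Override
    public byte[] unwrap(byte[] incoming, int offset, int len) {
        if (this.complete) {
            return Arrays.copyOfRange(incoming, offset, offset + len);
        }
        throw new IllegalStateException("Authentication exchange has not completed");
    }

    /**
     * No security layer is negotiated, so this is a plain copy of the requested range.
     *
     * @throws IllegalStateException if the exchange has not completed (or was disposed)
     */
    @Override
    public byte[] wrap(byte[] outgoing, int offset, int len) {
        if (this.complete) {
            return Arrays.copyOfRange(outgoing, offset, offset + len);
        }
        throw new IllegalStateException("Authentication exchange has not completed");
    }

    /**
     * Drops the accepted token and extensions and marks the exchange incomplete, so that
     * negotiated-property accessors fail afterwards. (The pending error message, if any, is
     * left as-is.)
     */
    @Override
    public void dispose() {
        this.complete = false;
        this.tokenForNegotiatedProperty = null;
        this.extensions = null;
    }

    /**
     * Validates the token via the callback handler and, on success, the extensions.
     *
     * @param tokenValue      the raw bearer token from the client's initial response
     * @param authorizationId the client's requested authorization id; empty if none was given
     * @param requested       the SASL extensions sent by the client
     * @return an empty array on success, or the UTF-8 JSON error document if the token was rejected
     */
    private byte[] process(String tokenValue, String authorizationId, SaslExtensions requested) throws SaslException {
        OAuthBearerValidatorCallback validatorCallback = new OAuthBearerValidatorCallback(tokenValue);
        try {
            this.callbackHandler.handle(new Callback[]{validatorCallback});
        } catch (IOException | UnsupportedCallbackException e) {
            handleCallbackError(e); // always throws
        }
        OAuthBearerToken token = validatorCallback.token();
        if (token == null) {
            // Token rejected: send the RFC 7628 error document and remember it; the client is
            // expected to answer with %x01, which evaluateResponse() turns into a failure.
            this.errorMessage = jsonErrorResponse(validatorCallback.errorStatus(), validatorCallback.errorScope(), validatorCallback.errorOpenIDConfiguration());
            log.debug(this.errorMessage);
            return this.errorMessage.getBytes(StandardCharsets.UTF_8);
        }
        // Anti-impersonation: a client may only claim the identity the token was issued for.
        if (!authorizationId.isEmpty() && !authorizationId.equals(token.principalName())) {
            throw new SaslAuthenticationException(String.format("Authentication failed: Client requested an authorization id (%s) that is different from the token's principal name (%s)", authorizationId, token.principalName()));
        }
        Map<String, String> validatedExtensions = processExtensions(token, requested);
        this.tokenForNegotiatedProperty = token;
        this.extensions = new SaslExtensions(validatedExtensions);
        this.complete = true;
        log.debug("Successfully authenticate User={}", token.principalName());
        return new byte[0];
    }

    /**
     * Asks the callback handler to validate the client's extensions against the accepted token.
     *
     * @return the extensions the handler validated
     * @throws SaslException               on an internal handler error
     * @throws SaslAuthenticationException if the handler marked any extension invalid
     */
    private Map<String, String> processExtensions(OAuthBearerToken token, SaslExtensions requested) throws SaslException {
        OAuthBearerExtensionsValidatorCallback extensionsCallback = new OAuthBearerExtensionsValidatorCallback(token, requested);
        try {
            this.callbackHandler.handle(new Callback[]{extensionsCallback});
        } catch (IOException e) {
            handleCallbackError(e); // always throws
        } catch (UnsupportedCallbackException ignored) {
            // Deliberate: a handler that does not support extension validation is tolerated
            // rather than failing authentication. Whatever validatedExtensions() reports by
            // default (presumably nothing) is what gets exposed as negotiated properties.
        }
        if (extensionsCallback.invalidExtensions().isEmpty()) {
            return extensionsCallback.validatedExtensions();
        }
        String message = String.format("Authentication failed: %d extensions are invalid! They are: %s", Integer.valueOf(extensionsCallback.invalidExtensions().size()), Utils.mkString(extensionsCallback.invalidExtensions(), "", "", ": ", "; "));
        log.debug(message);
        throw new SaslAuthenticationException(message);
    }

    /**
     * Builds the RFC 7628 §3.2.2 server error document, e.g.
     * {@code {"status":"invalid_token", "scope":"...", "openid-configuration":"..."}}.
     * <p>
     * NOTE(review): the values are interpolated without JSON escaping. They come from the
     * server's own callback handler, not from the client, so this is only correct as long as
     * the handler never returns values containing {@code "} or {@code \}.
     *
     * @param status              required error status
     * @param scope               optional scope; omitted when null
     * @param openIdConfiguration optional OpenID configuration URL; omitted when null
     */
    private static String jsonErrorResponse(String status, String scope, String openIdConfiguration) {
        String json = String.format("{\"status\":\"%s\"", status);
        if (scope != null) {
            json = String.format("%s, \"scope\":\"%s\"", json, scope);
        }
        if (openIdConfiguration != null) {
            json = String.format("%s, \"openid-configuration\":\"%s\"", json, openIdConfiguration);
        }
        return String.format("%s}", json);
    }

    /**
     * Converts a callback-handler failure into a {@link SaslException} carrying a generic
     * "internal error" prefix plus the handler's message; the full stack trace only goes to the
     * DEBUG log.
     */
    private void handleCallbackError(Exception exc) throws SaslException {
        String message = String.format("%s: %s", INTERNAL_ERROR_ON_SERVER, exc.getMessage());
        log.debug(message, exc);
        throw new SaslException(message);
    }

    /**
     * Returns the mechanisms this server can offer under the given SASL policy properties.
     * <p>
     * OAUTHBEARER carries the bearer token inside the SASL exchange without any protection of
     * its own (it relies on TLS), so it is withheld when the caller asks for
     * {@link Sasl#POLICY_NOPLAINTEXT}. Any value other than the string {@code "true"} (including
     * a null map or missing key) leaves the mechanism available.
     *
     * @param props SASL properties, may be {@code null}
     * @return {@code ["OAUTHBEARER"]} or an empty array
     */
    public static String[] mechanismNamesCompatibleWithPolicy(Map<String, ?> props) {
        boolean noPlaintext = props != null && "true".equals(String.valueOf(props.get(Sasl.POLICY_NOPLAINTEXT)));
        return noPlaintext ? new String[0] : new String[]{"OAUTHBEARER"};
    }
}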
