package org.apache.kafka.common.security.oauthbearer.internals.unsecured;

import io.jsonwebtoken.JwsHeader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.sasl.SaslException;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.commons.io.IOUtils;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerClientInitialResponse;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.common.utils.Utils;
import org.apache.pulsar.client.impl.schema.LocalDateTimeSchema;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/kafka-clients-3.4.0.jar:org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredLoginCallbackHandler.class */
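/**
 * Login callback handler that builds an <em>unsecured</em> OAuth bearer token from the JAAS
 * module options of a single login-context entry.
 *
 * <p>The token is assembled locally as {@code base64url(header) + "." + base64url(claims) + "."}.
 * The header declares the algorithm {@code none} and the signature segment is empty, so nothing
 * in the token lets a receiver authenticate the claims cryptographically. Whoever controls the
 * JAAS options controls the principal, scope and every other claim. Treat this handler as a
 * development and test aid; it gives no protection as a production login path.
 *
 * <p>Recognised options (all prefixed {@code unsecuredLogin}):
 * <ul>
 *   <li>{@code unsecuredLoginPrincipalClaimName} - claim holding the principal, default {@code sub}</li>
 *   <li>{@code unsecuredLoginScopeClaimName} - claim holding the scope, default {@code scope}</li>
 *   <li>{@code unsecuredLoginLifetimeSeconds} - token lifetime, default {@code 3600}</li>
 *   <li>{@code unsecuredLoginStringClaim_<name>}, {@code unsecuredLoginNumberClaim_<name>},
 *       {@code unsecuredLoginListClaim_<name>} - extra claims; {@code iat} and {@code exp} are reserved</li>
 *   <li>{@code unsecuredLoginExtension_<name>} - SASL extensions passed to the extensions callback</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output. Several constants were resolved to fields of
 * unrelated libraries ({@code JwsHeader.ALGORITHM}, {@code LocalDateTimeSchema.DELIMITER},
 * {@code DefaultExpressionEngine.DEFAULT_ATTRIBUTE_END}); they are kept where their value cannot
 * be proven from this file alone and are flagged at the point of use.
 */
public class OAuthBearerUnsecuredLoginCallbackHandler implements AuthenticateCallbackHandler {
    private static final String OPTION_PREFIX = "unsecuredLogin";
    private static final String PRINCIPAL_CLAIM_NAME_OPTION = "unsecuredLoginPrincipalClaimName";
    private static final String LIFETIME_SECONDS_OPTION = "unsecuredLoginLifetimeSeconds";
    private static final String SCOPE_CLAIM_NAME_OPTION = "unsecuredLoginScopeClaimName";
    private static final String DEFAULT_PRINCIPAL_CLAIM_NAME = "sub";
    private static final String DEFAULT_LIFETIME_SECONDS_ONE_HOUR = "3600";
    private static final String DEFAULT_SCOPE_CLAIM_NAME = "scope";
    private static final String STRING_CLAIM_PREFIX = "unsecuredLoginStringClaim_";
    private static final String NUMBER_CLAIM_PREFIX = "unsecuredLoginNumberClaim_";
    private static final String LIST_CLAIM_PREFIX = "unsecuredLoginListClaim_";
    private static final String EXTENSION_PREFIX = "unsecuredLoginExtension_";
    // Claims this handler always computes itself; they cannot be supplied through options.
    private static final Set<String> RESERVED_CLAIMS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("iat", "exp")));
    private static final String QUOTE = "\"";
    // Pattern.LITERAL (the decompiled flag value 16): both patterns match the raw character.
    private static final Pattern DOUBLEQUOTE = Pattern.compile(QUOTE, Pattern.LITERAL);
    private static final Pattern BACKSLASH = Pattern.compile("\\", Pattern.LITERAL);
    private final Logger log = LoggerFactory.getLogger(OAuthBearerUnsecuredLoginCallbackHandler.class);
    private Time time = Time.SYSTEM;
    private Map<String, String> moduleOptions = null;
    private boolean configured = false;

    /**
     * Replaces the clock used for the {@code iat} and {@code exp} claims.
     *
     * @param time the clock to use; must not be null
     */
    void time(Time time) {
        this.time = Objects.requireNonNull(time);
    }

    /**
     * @return {@code true} once {@link #configure} has completed successfully
     */
    public boolean configured() {
        return this.configured;
    }

    /**
     * Captures the options of the single JAAS entry as an unmodifiable view.
     *
     * @param map  client/broker configuration; not read by this handler
     * @param str  SASL mechanism name; must equal {@code OAuthBearerLoginModule.OAUTHBEARER_MECHANISM}
     * @param list JAAS entries; must hold exactly one non-null entry
     * @throws IllegalArgumentException if the mechanism is unexpected or the entry list is not
     *                                  exactly one non-null element
     * @throws NullPointerException     if {@code list} is null
     */
    @Override
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!OAuthBearerLoginModule.OAUTHBEARER_MECHANISM.equals(str)) {
            throw new IllegalArgumentException(String.format("Unexpected SASL mechanism: %s", str));
        }
        if (Objects.requireNonNull(list).size() != 1 || list.get(0) == null) {
            throw new IllegalArgumentException(String.format(
                    "Must supply exactly 1 non-null JAAS mechanism configuration (size was %d)", list.size()));
        }
        // getOptions() is declared Map<String, ?>; the rest of this class reads values as String.
        @SuppressWarnings("unchecked")
        Map<String, String> options = (Map<String, String>) list.get(0).getOptions();
        this.moduleOptions = Collections.unmodifiableMap(options);
        this.configured = true;
    }

    /**
     * Serves token and SASL-extension callbacks; any other callback type is rejected.
     *
     * @param callbackArr callbacks to process, in order
     * @throws IOException                  wrapping any {@link KafkaException} raised while handling a callback
     * @throws UnsupportedCallbackException for a callback that is neither a token nor an extensions callback
     * @throws IllegalStateException        if the handler has not been configured
     */
    @Override
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (!configured()) {
            throw new IllegalStateException("Callback handler not configured");
        }
        for (Callback callback : callbackArr) {
            try {
                if (callback instanceof OAuthBearerTokenCallback) {
                    handleTokenCallback((OAuthBearerTokenCallback) callback);
                } else if (callback instanceof SaslExtensionsCallback) {
                    handleExtensionsCallback((SaslExtensionsCallback) callback);
                } else {
                    throw new UnsupportedCallbackException(callback);
                }
            } catch (KafkaException e) {
                throw new IOException(e.getMessage(), e);
            }
        }
    }

    /** Nothing to release. */
    @Override
    public void close() {
    }

    /**
     * Builds the unsecured token from the module options and hands it to the callback.
     *
     * <p>With no options at all the callback receives a {@code null} token. Options consisting
     * only of extension entries are rejected.
     *
     * @throws IllegalArgumentException   if the callback already carries a token
     * @throws OAuthBearerConfigException if only extensions were configured, a numeric option does
     *                                    not parse, or the assembled token is rejected
     */
    private void handleTokenCallback(OAuthBearerTokenCallback callback) {
        if (callback.token() != null) {
            throw new IllegalArgumentException("Callback had a token already");
        }
        if (this.moduleOptions.isEmpty()) {
            this.log.debug("Token not provided, this login cannot be used to establish client connections");
            callback.token(null);
            return;
        }
        if (this.moduleOptions.keySet().stream().allMatch(name -> name.startsWith(EXTENSION_PREFIX))) {
            throw new OAuthBearerConfigException("Extensions provided in login context without a token");
        }
        String principalOption = optionValue(PRINCIPAL_CLAIM_NAME_OPTION);
        String principalClaimName =
                Utils.isBlank(principalOption) ? DEFAULT_PRINCIPAL_CLAIM_NAME : principalOption.trim();
        String scopeOption = optionValue(SCOPE_CLAIM_NAME_OPTION);
        String scopeClaimName = Utils.isBlank(scopeOption) ? DEFAULT_SCOPE_CLAIM_NAME : scopeOption.trim();
        // Header announces algorithm "none": the token is unsigned by construction.
        // NOTE(review): JwsHeader.ALGORITHM is a decompiler-resolved constant, presumably "alg" - confirm.
        String headerJson = "{" + claimOrHeaderJsonText(JwsHeader.ALGORITHM, "none") + "}";
        try {
            // NOTE(review): the lifetime is not range-checked here; whether a zero or negative
            // value is rejected depends on OAuthBearerUnsecuredJws, which is not visible in this file.
            long lifetimeSeconds =
                    Long.parseLong(optionValue(LIFETIME_SECONDS_OPTION, DEFAULT_LIFETIME_SECONDS_ONE_HOUR));
            String claimsJson = String.format("{%s,%s%s}",
                    expClaimText(lifetimeSeconds),
                    claimOrHeaderJsonText("iat", Double.valueOf(this.time.milliseconds() / 1000.0d)),
                    commaPrependedStringNumberAndListClaimsJsonText());
            try {
                Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();
                // Compact serialization with an empty third segment: there is no signature.
                String compactSerialization = String.format("%s.%s.",
                        encoder.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8)),
                        encoder.encodeToString(claimsJson.getBytes(StandardCharsets.UTF_8)));
                OAuthBearerUnsecuredJws jws =
                        new OAuthBearerUnsecuredJws(compactSerialization, principalClaimName, scopeClaimName);
                this.log.info("Retrieved token with principal {}", jws.principalName());
                callback.token(jws);
            } catch (OAuthBearerIllegalTokenException e) {
                throw new OAuthBearerConfigException(e.getMessage(), e);
            }
        } catch (NumberFormatException e) {
            // Keep the cause so the offending option value stays visible in the stack trace.
            throw new OAuthBearerConfigException(e.getMessage(), e);
        }
    }

    /**
     * Collects every {@code unsecuredLoginExtension_*} option (prefix stripped), validates the
     * result and passes it to the callback.
     *
     * @throws ConfigException if extension validation fails
     */
    private void handleExtensionsCallback(SaslExtensionsCallback callback) {
        Map<String, String> extensions = new HashMap<>();
        for (Map.Entry<String, String> option : this.moduleOptions.entrySet()) {
            String key = option.getKey();
            if (key.startsWith(EXTENSION_PREFIX)) {
                extensions.put(key.substring(EXTENSION_PREFIX.length()), option.getValue());
            }
        }
        SaslExtensions saslExtensions = new SaslExtensions(extensions);
        try {
            OAuthBearerClientInitialResponse.validateExtensions(saslExtensions);
            callback.extensions(saslExtensions);
        } catch (SaslException e) {
            throw new ConfigException(e.getMessage());
        }
    }

    /**
     * Renders every string, number and list claim option as JSON members, each preceded by a comma.
     *
     * @return the concatenated members, or an empty string when no claim options are set
     * @throws OAuthBearerConfigException if an option names a reserved claim
     * @throws NumberFormatException      if a number-claim value does not parse as a double
     */
    private String commaPrependedStringNumberAndListClaimsJsonText() throws OAuthBearerConfigException {
        StringBuilder members = new StringBuilder();
        for (String key : this.moduleOptions.keySet()) {
            // The length checks skip options that are only the bare prefix with no claim name.
            if (key.startsWith(STRING_CLAIM_PREFIX) && key.length() > STRING_CLAIM_PREFIX.length()) {
                String claimName = confirmNotReservedClaimName(key.substring(STRING_CLAIM_PREFIX.length()));
                members.append(',').append(claimOrHeaderJsonText(claimName, optionValue(key)));
            } else if (key.startsWith(NUMBER_CLAIM_PREFIX) && key.length() > NUMBER_CLAIM_PREFIX.length()) {
                String claimName = confirmNotReservedClaimName(key.substring(NUMBER_CLAIM_PREFIX.length()));
                members.append(',').append(claimOrHeaderJsonText(claimName, Double.valueOf(optionValue(key))));
            } else if (key.startsWith(LIST_CLAIM_PREFIX) && key.length() > LIST_CLAIM_PREFIX.length()) {
                String claimName = confirmNotReservedClaimName(key.substring(LIST_CLAIM_PREFIX.length()));
                members.append(',').append(claimOrHeaderJsonArrayText(claimName, listJsonText(optionValue(key))));
            }
        }
        return members.toString();
    }

    /**
     * @return {@code claimName} unchanged
     * @throws OAuthBearerConfigException if {@code claimName} is {@code iat} or {@code exp}
     */
    private String confirmNotReservedClaimName(String claimName) throws OAuthBearerConfigException {
        if (RESERVED_CLAIMS.contains(claimName)) {
            throw new OAuthBearerConfigException(String.format("Cannot explicitly set the '%s' claim", claimName));
        }
        return claimName;
    }

    /**
     * Turns a delimited option value into the text of a JSON array of strings.
     *
     * <p>The first character of {@code value} is the delimiter and the remainder is split on it.
     * A value of length 0 or 1 yields {@code []}. One extra empty element is appended when the
     * remainder starts with, ends with, or contains a doubled delimiter.
     *
     * @param value the raw option value, delimiter first
     * @return JSON array text with every element escaped and quoted
     */
    private String listJsonText(String value) {
        if (value.length() <= 1) {
            return "[]";
        }
        String delimiterChar = value.substring(0, 1);
        String delimiterRegex;
        // String.split takes a regex, so these delimiters are escaped before splitting.
        // The decompiled hash-code dispatch (36, 40, 46, 91, 92, 94, 123, 124) maps to exactly
        // these eight single-character strings.
        switch (delimiterChar) {
            case "\\":
            case ".":
            case "[":
            case "(":
            case "{":
            case "|":
            case "^":
            case "$":
                delimiterRegex = "\\" + delimiterChar;
                break;
            default:
                delimiterRegex = delimiterChar;
                break;
        }
        String listText = value.substring(1);
        StringBuilder json = new StringBuilder();
        for (String element : listText.split(delimiterRegex)) {
            json.append(json.length() == 0 ? '[' : ',');
            json.append('"').append(escape(element)).append('"');
        }
        if (listText.startsWith(delimiterChar) || listText.endsWith(delimiterChar)
                || listText.contains(delimiterChar + delimiterChar)) {
            json.append(",\"\"");
        }
        return json.append(']').toString();
    }

    /** @return the option value, or {@code null} when the option is absent */
    private String optionValue(String key) {
        return optionValue(key, null);
    }

    /** @return the option value, or {@code defaultValue} when the option is absent */
    private String optionValue(String key, String defaultValue) {
        String value = option(key);
        return value != null ? value : defaultValue;
    }

    /**
     * @return the raw option value, possibly {@code null}
     * @throws IllegalStateException if the handler has not been configured
     */
    private String option(String key) {
        if (!this.configured) {
            throw new IllegalStateException("Callback handler not configured");
        }
        return this.moduleOptions.get(Objects.requireNonNull(key));
    }

    /** Renders a JSON member whose value is a bare number. */
    private String claimOrHeaderJsonText(String claimName, Number claimValue) {
        // NOTE(review): LocalDateTimeSchema.DELIMITER is a decompiler-resolved constant from an
        // unrelated library, presumably ":" - confirm before relying on it.
        return QUOTE + escape(claimName) + QUOTE + LocalDateTimeSchema.DELIMITER + claimValue;
    }

    /** Renders a JSON member whose value is an escaped, quoted string. */
    private String claimOrHeaderJsonText(String claimName, String claimValue) {
        // NOTE(review): LocalDateTimeSchema.DELIMITER - presumably ":", see the Number overload.
        return QUOTE + escape(claimName) + QUOTE + LocalDateTimeSchema.DELIMITER + QUOTE + escape(claimValue) + QUOTE;
    }

    /**
     * Renders a JSON member whose value is pre-built array text.
     *
     * @throws IllegalArgumentException if {@code arrayText} does not have the expected start and end
     */
    private String claimOrHeaderJsonArrayText(String claimName, String arrayText) {
        // NOTE(review): DefaultExpressionEngine.DEFAULT_ATTRIBUTE_END is a decompiler-resolved
        // constant, presumably "]" - confirm.
        if (arrayText.startsWith("[") && arrayText.endsWith(DefaultExpressionEngine.DEFAULT_ATTRIBUTE_END)) {
            return QUOTE + escape(claimName) + QUOTE + LocalDateTimeSchema.DELIMITER + arrayText;
        }
        throw new IllegalArgumentException(String.format("Illegal JSON array: %s", arrayText));
    }

    /**
     * Escapes a value for embedding inside a JSON string literal.
     *
     * <p>Backslashes are doubled first and double quotes are escaped second. The reverse order
     * would re-escape the backslash that was just inserted in front of each quote, producing
     * {@code \\"}: an escaped backslash followed by a bare quote that ends the JSON string early
     * and lets the rest of the value be read as token structure.
     *
     * <p>Only {@code \} and {@code "} are handled; control characters are passed through as-is.
     */
    private String escape(String jsonStringValue) {
        String backslashesEscaped =
                BACKSLASH.matcher(jsonStringValue).replaceAll(Matcher.quoteReplacement("\\\\"));
        return DOUBLEQUOTE.matcher(backslashesEscaped).replaceAll(Matcher.quoteReplacement("\\\""));
    }

    /** Renders the {@code exp} claim as the current time in seconds plus {@code lifetimeSeconds}. */
    private String expClaimText(long lifetimeSeconds) {
        return claimOrHeaderJsonText("exp", Double.valueOf((this.time.milliseconds() / 1000.0d) + lifetimeSeconds));
    }
}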
