package org.apache.kafka.common.security.oauthbearer.internals.unsecured;

import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.apache.kafka.common.utils.Time;
import org.apache.pulsar.client.impl.auth.oauth2.ClientCredentialsFlow;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredValidatorCallbackHandler.class
 */
/* loaded from: input_file:META-INF/bundled-dependencies/pulsar-io-kafka-connect-adaptor-2.7.4.0-rc-0.jar:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredValidatorCallbackHandler.class */
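/**
 * Server-side callback handler for the OAUTHBEARER SASL mechanism that accepts
 * unsecured JWS tokens.
 *
 * <p>Nothing in this class verifies a signature or consults key material. A token is
 * accepted when it parses as an {@link OAuthBearerUnsecuredJws} and passes the claim
 * checks in {@code handleCallback}: principal claim present, issued-at, expiration,
 * time consistency and required scope. Any party that can reach the listener can
 * therefore present a token naming any principal, so deployments that need
 * authenticated principals must use a handler that verifies token signatures.
 *
 * <p>Behaviour is driven by JAAS module options carrying the {@code unsecuredValidator}
 * prefix: principal claim name, scope claim name, required scope and allowable clock skew.
 */
public class OAuthBearerUnsecuredValidatorCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger(OAuthBearerUnsecuredValidatorCallbackHandler.class);
    private static final String OPTION_PREFIX = "unsecuredValidator";
    private static final String PRINCIPAL_CLAIM_NAME_OPTION = "unsecuredValidatorPrincipalClaimName";
    private static final String SCOPE_CLAIM_NAME_OPTION = "unsecuredValidatorScopeClaimName";
    private static final String REQUIRED_SCOPE_OPTION = "unsecuredValidatorRequiredScope";
    private static final String ALLOWABLE_CLOCK_SKEW_MILLIS_OPTION = "unsecuredValidatorAllowableClockSkewMs";
    // Clock used for the issued-at / expiration checks; defaults to the system clock.
    private Time time = Time.SYSTEM;
    // Read-only view of the JAAS options captured by configure(); null until then.
    private Map<String, String> moduleOptions = null;
    private boolean configured = false;

    /**
     * Replaces the clock used for token time checks.
     * Package-private; presumably intended for tests (no caller is visible here).
     *
     * @param time the clock to use; must not be null
     */
    void time(Time time) {
        this.time = Objects.requireNonNull(time);
    }

    /**
     * @return {@code true} once {@link #configure} has completed successfully
     */
    public boolean configured() {
        return this.configured;
    }

    /**
     * Captures the JAAS module options for later use by {@link #handle}.
     *
     * @param map  broker/client configuration; not read by this handler
     * @param str  SASL mechanism name; must equal the OAUTHBEARER mechanism
     * @param list JAAS configuration entries; must contain exactly one non-null entry
     * @throws IllegalArgumentException if the mechanism is not OAUTHBEARER or the
     *                                  entry list does not hold exactly one non-null entry
     * @throws NullPointerException     if {@code list} is null
     */
    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!OAuthBearerLoginModule.OAUTHBEARER_MECHANISM.equals(str)) {
            throw new IllegalArgumentException(String.format("Unexpected SASL mechanism: %s", str));
        }
        if (Objects.requireNonNull(list).size() != 1 || list.get(0) == null) {
            throw new IllegalArgumentException(String.format("Must supply exactly 1 non-null JAAS mechanism configuration (size was %d)", list.size()));
        }
        this.moduleOptions = Collections.unmodifiableMap((Map<String, String>) list.get(0).getOptions());
        this.configured = true;
    }

    /**
     * Processes token-validation and extension-validation callbacks in array order.
     *
     * <p>A token that fails validation does not throw; the failure is reported on the
     * callback as {@code insufficient_scope} when a failure scope is present and as
     * {@code invalid_token} otherwise.
     *
     * @param callbackArr callbacks supplied by the SASL server
     * @throws UnsupportedCallbackException if a callback is of neither supported type;
     *                                      callbacks earlier in the array have already
     *                                      been processed when this is thrown
     * @throws IllegalStateException        if the handler has not been configured
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        if (!configured()) {
            throw new IllegalStateException("Callback handler not configured");
        }
        for (Callback callback : callbackArr) {
            if (callback instanceof OAuthBearerValidatorCallback) {
                OAuthBearerValidatorCallback validatorCallback = (OAuthBearerValidatorCallback) callback;
                try {
                    handleCallback(validatorCallback);
                } catch (OAuthBearerIllegalTokenException e) {
                    OAuthBearerValidationResult reason = e.reason();
                    String failureScope = reason.failureScope();
                    validatorCallback.error(failureScope != null ? "insufficient_scope" : "invalid_token", failureScope, reason.failureOpenIdConfig());
                }
            } else if (callback instanceof OAuthBearerExtensionsValidatorCallback) {
                OAuthBearerExtensionsValidatorCallback extensionsCallback = (OAuthBearerExtensionsValidatorCallback) callback;
                // Every client-supplied extension name is marked valid; the value is never inspected.
                extensionsCallback.inputExtensions().map().forEach((extensionName, extensionValue) -> {
                    extensionsCallback.valid(extensionName);
                });
            } else {
                throw new UnsupportedCallbackException(callback);
            }
        }
    }

    /** No resources are held, so there is nothing to release. */
    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void close() {
    }

    /**
     * Parses the compact token on the callback and applies the claim checks; on success
     * the parsed token is attached to the callback.
     *
     * @throws IllegalArgumentException         if the callback carries no token value
     * @throws OAuthBearerIllegalTokenException if any claim check fails (raised via
     *                                          {@code throwExceptionIfFailed()})
     */
    private void handleCallback(OAuthBearerValidatorCallback validatorCallback) {
        String tokenValue = validatorCallback.tokenValue();
        if (tokenValue == null) {
            throw new IllegalArgumentException("Callback missing required token value");
        }
        String principalClaimName = principalClaimName();
        String scopeClaimName = scopeClaimName();
        List<String> requiredScope = requiredScope();
        int allowableClockSkewMs = allowableClockSkewMs();
        OAuthBearerUnsecuredJws jws = new OAuthBearerUnsecuredJws(tokenValue, principalClaimName, scopeClaimName);
        long nowMs = this.time.milliseconds();
        OAuthBearerValidationUtils.validateClaimForExistenceAndType(jws, true, principalClaimName, String.class).throwExceptionIfFailed();
        OAuthBearerValidationUtils.validateIssuedAt(jws, false, nowMs, allowableClockSkewMs).throwExceptionIfFailed();
        OAuthBearerValidationUtils.validateExpirationTime(jws, nowMs, allowableClockSkewMs).throwExceptionIfFailed();
        OAuthBearerValidationUtils.validateTimeConsistency(jws).throwExceptionIfFailed();
        OAuthBearerValidationUtils.validateScope(jws, requiredScope).throwExceptionIfFailed();
        // NOTE(review): the full claim set is written to the log at INFO level. Claims can
        // carry identifying data; consider logging only the principal, or moving this to DEBUG.
        log.info("Successfully validated token with principal {}: {}", jws.principalName(), jws.claims().toString());
        validatorCallback.token(jws);
    }

    /** @return the configured principal claim name, trimmed, or {@code "sub"} when unset or blank */
    private String principalClaimName() {
        String option = option(PRINCIPAL_CLAIM_NAME_OPTION);
        return (option == null || option.trim().isEmpty()) ? "sub" : option.trim();
    }

    /**
     * @return the configured scope claim name, trimmed, or the default when unset or blank
     */
    private String scopeClaimName() {
        String option = option(SCOPE_CLAIM_NAME_OPTION);
        // NOTE(review): the default comes from a Pulsar client class, which looks like a
        // decompiler constant substitution rather than a real dependency; presumably the
        // upstream source uses a plain string literal here. Confirm before relying on it.
        return (option == null || option.trim().isEmpty()) ? ClientCredentialsFlow.CONFIG_PARAM_SCOPE : option.trim();
    }

    /** @return the parsed required scope, or an empty list when the option is unset or blank */
    private List<String> requiredScope() {
        String option = option(REQUIRED_SCOPE_OPTION);
        return (option == null || option.trim().isEmpty()) ? Collections.emptyList() : OAuthBearerScopeUtils.parseScope(option.trim());
    }

    /**
     * Reads the allowable clock skew, in milliseconds, applied to the issued-at and
     * expiration checks.
     *
     * <p>Reconstructed from the decompiler's instruction dump; the decompiled stub
     * threw {@link UnsupportedOperationException} unconditionally, which made every
     * token validation fail before any claim was checked.
     *
     * @return the configured skew, or {@code 0} when the option is unset or blank
     * @throws OAuthBearerConfigException if the option is not an integer or is negative
     */
    private int allowableClockSkewMs() {
        String option = option(ALLOWABLE_CLOCK_SKEW_MILLIS_OPTION);
        int skewMs;
        try {
            skewMs = (option == null || option.trim().isEmpty()) ? 0 : Integer.parseInt(option.trim());
        } catch (NumberFormatException e) {
            throw new OAuthBearerConfigException(e.getMessage(), e);
        }
        if (skewMs < 0) {
            // A negative skew would tighten the time window instead of widening it.
            throw new OAuthBearerConfigException(String.format("Allowable clock skew millis must not be negative: %s", option));
        }
        return skewMs;
    }

    /**
     * Looks up a JAAS module option by key.
     *
     * @return the option value, or {@code null} when the key is absent
     * @throws IllegalStateException if the handler has not been configured
     */
    private String option(String str) {
        if (this.configured) {
            return this.moduleOptions.get(Objects.requireNonNull(str));
        }
        throw new IllegalStateException("Callback handler not configured");
    }
}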
