package org.apache.kafka.connect.rest.basic.auth.extension;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.connect.errors.ConnectException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kafka/connect/rest/basic/auth/extension/JaasBasicAuthFilter.class */
public class JaasBasicAuthFilter implements ContainerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(JaasBasicAuthFilter.class);
    private static final Pattern TASK_REQUEST_PATTERN = Pattern.compile("/?connectors/([^/]+)/tasks/?");
    private static final String CONNECT_LOGIN_MODULE = "KafkaConnect";
    static final String AUTHORIZATION = "Authorization";

    /* loaded from: input_file:org/apache/kafka/connect/rest/basic/auth/extension/JaasBasicAuthFilter$BasicAuthCallBackHandler.class */
    public static class BasicAuthCallBackHandler implements CallbackHandler {
        private static final String BASIC = "basic";
        private static final char COLON = ':';
        private static final char SPACE = ' ';
        private String username;
        private String password;

        public BasicAuthCallBackHandler(String str) {
            if (str == null) {
                JaasBasicAuthFilter.log.trace("No credentials were provided with the request");
                return;
            }
            int indexOf = str.indexOf(SPACE);
            if (indexOf <= 0) {
                JaasBasicAuthFilter.log.trace("Request credentials were malformed; no space present in value for authorization header");
                return;
            }
            String substring = str.substring(0, indexOf);
            if (!BASIC.equalsIgnoreCase(substring)) {
                JaasBasicAuthFilter.log.trace("Request credentials used {} authentication, but only {} supported; ignoring", substring, BASIC);
                return;
            }
            String str2 = new String(Base64.getDecoder().decode(str.substring(indexOf + 1)), StandardCharsets.UTF_8);
            int indexOf2 = str2.indexOf(COLON);
            if (indexOf2 <= 0) {
                JaasBasicAuthFilter.log.trace("Request credentials were malformed; no colon present between username and password");
            } else {
                this.username = str2.substring(0, indexOf2);
                this.password = str2.substring(indexOf2 + 1);
            }
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            ArrayList arrayList = new ArrayList();
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(this.username);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(this.password != null ? this.password.toCharArray() : null);
                } else {
                    arrayList.add(callback);
                }
            }
            if (!arrayList.isEmpty()) {
                throw new ConnectException(String.format("Unsupported callbacks %s; request authentication will fail. This indicates the Connect worker was configured with a JAAS LoginModule that is incompatible with the %s, and will need to be corrected and restarted.", arrayList, BasicAuthSecurityRestExtension.class.getSimpleName()));
            }
        }
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (isInternalTaskConfigRequest(containerRequestContext)) {
            log.trace("Skipping authentication for internal request");
            return;
        }
        try {
            log.debug("Authenticating request");
            new LoginContext(CONNECT_LOGIN_MODULE, new BasicAuthCallBackHandler(containerRequestContext.getHeaderString(AUTHORIZATION))).login();
        } catch (LoginException | ConfigException e) {
            log.debug("Request failed authentication", e);
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity("User cannot access the resource.").build());
        }
    }

    private static boolean isInternalTaskConfigRequest(ContainerRequestContext containerRequestContext) {
        return containerRequestContext.getMethod().equals("POST") && TASK_REQUEST_PATTERN.matcher(containerRequestContext.getUriInfo().getPath()).matches();
    }
}
