package io.streamnative.pulsar.handlers.kop.security.oauth;

import io.streamnative.pulsar.handlers.kop.security.SaslAuthenticator;
import java.io.IOException;
import java.net.SocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.naming.AuthenticationException;
import javax.net.ssl.SSLSession;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerIllegalTokenException;
import org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerValidationResult;
import org.apache.pulsar.broker.authentication.AuthenticationProvider;
import org.apache.pulsar.common.api.AuthData;

/* loaded from: input_file:io/streamnative/pulsar/handlers/kop/security/oauth/OauthValidatorCallbackHandler.class */
public class OauthValidatorCallbackHandler implements AuthenticateCallbackHandler {
    private ServerConfig config = null;

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!OAuthBearerLoginModule.OAUTHBEARER_MECHANISM.equals(str)) {
            throw new IllegalArgumentException("Unexpected SASL mechanism: " + str);
        }
        if (((List) Objects.requireNonNull(list)).size() != 1 || list.get(0) == null) {
            throw new IllegalArgumentException(String.format("Must supply exactly 1 non-null JAAS mechanism configuration (size was %d)", Integer.valueOf(list.size())));
        }
        Map options = list.get(0).getOptions();
        if (options == null) {
            throw new IllegalArgumentException("JAAS configuration options is null");
        }
        this.config = new ServerConfig(options);
    }

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void close() {
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            if (!(callback instanceof OAuthBearerValidatorCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            OAuthBearerValidatorCallback oAuthBearerValidatorCallback = (OAuthBearerValidatorCallback) callback;
            try {
                handleCallback(oAuthBearerValidatorCallback);
            } catch (OAuthBearerIllegalTokenException e) {
                OAuthBearerValidationResult reason = e.reason();
                String failureScope = reason.failureScope();
                oAuthBearerValidatorCallback.error(failureScope != null ? "insufficient_scope" : "invalid_token", failureScope, reason.failureOpenIdConfig());
            }
        }
    }

    private void handleCallback(OAuthBearerValidatorCallback oAuthBearerValidatorCallback) {
        if (oAuthBearerValidatorCallback.tokenValue() == null) {
            throw new IllegalArgumentException("Callback has null token value!");
        }
        if (SaslAuthenticator.getAuthenticationService() == null) {
            throw new IllegalStateException("AuthenticationService is null during token validation");
        }
        AuthenticationProvider authenticationProvider = SaslAuthenticator.getAuthenticationService().getAuthenticationProvider(this.config.getValidateMethod());
        if (authenticationProvider == null) {
            throw new IllegalStateException("No AuthenticationProvider found for method " + this.config.getValidateMethod());
        }
        final String str = oAuthBearerValidatorCallback.tokenValue();
        try {
            final String authRole = authenticationProvider.newAuthState(AuthData.of(str.getBytes(StandardCharsets.UTF_8)), (SocketAddress) null, (SSLSession) null).getAuthRole();
            oAuthBearerValidatorCallback.token(new OAuthBearerToken() { // from class: io.streamnative.pulsar.handlers.kop.security.oauth.OauthValidatorCallbackHandler.1
                @Override // org.apache.kafka.common.security.oauthbearer.OAuthBearerToken
                public String value() {
                    return str;
                }

                @Override // org.apache.kafka.common.security.oauthbearer.OAuthBearerToken
                public Set<String> scope() {
                    return null;
                }

                @Override // org.apache.kafka.common.security.oauthbearer.OAuthBearerToken
                public long lifetimeMs() {
                    return Long.MAX_VALUE;
                }

                @Override // org.apache.kafka.common.security.oauthbearer.OAuthBearerToken
                public String principalName() {
                    return authRole;
                }

                @Override // org.apache.kafka.common.security.oauthbearer.OAuthBearerToken
                public Long startTimeMs() {
                    return Long.MAX_VALUE;
                }
            });
        } catch (AuthenticationException e) {
            throw new OAuthBearerIllegalTokenException(OAuthBearerValidationResult.newFailure(e.getMessage()));
        }
    }
}
