package io.confluent.kafkarest.security.config;

import io.confluent.common.security.auth.RestAuthType;
import io.confluent.kafkarest.KafkaRestConfig;
import io.confluent.kafkarest.SystemTime;
import io.confluent.rest.RestConfigException;
import java.util.Optional;
import java.util.Properties;
import org.apache.kafka.common.config.ConfigDef;

/* loaded from: input_file:io/confluent/kafkarest/security/config/ConfluentSecureKafkaRestConfig.class */
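/**
 * REST Proxy configuration that adds the Confluent security plugin settings (principal
 * propagation method, license, metadata-server bootstrap URLs, SSL principal mapping rules)
 * on top of {@link KafkaRestConfig}.
 *
 * <p>When a JWT bearer token is attached to the instance, the Kafka client properties returned
 * by the {@code get*Properties()} methods are overlaid with SASL/OAUTHBEARER settings that carry
 * that token. Otherwise the overlay comes from the provider returned by
 * {@link SecureConfigProviderFactory}.
 *
 * <p>The returned {@link Properties} may contain the bearer token inside
 * {@code sasl.jaas.config}; treat them as secret material and do not log them verbatim.
 */
public final class ConfluentSecureKafkaRestConfig extends KafkaRestConfig {
    public static final String CONFLUENT_SSL_PRINCIPAL_MAPPING_RULES_CONFIG = "confluent.rest.auth.ssl.principal.mapping.rules";
    private static final String CONFLUENT_SSL_PRINCIPAL_MAPPING_RULES_DOC = "A list of rules to map from the distinguished name (DN) in the client certificate to a short name principal for authentication with the Kafka broker. Rules are tested from left to right. The first rule that matches will be applied.";
    public static final String CONFLUENT_AUTH_PROPAGATE_CONFIG_CONFIG = "confluent.rest.auth.propagate.method";
    private static final String CONFLUENT_AUTH_PROPAGATE_CONFIG_DOC = "The mechanism used to authenticate Rest Proxy requests. When broker security is enabled, the principal from this authentication mechanism is propagated to Kafka broker requests.";
    private static final String CONFLUENT_AUTH_PROPAGATE_DEFAULT = "SSL";
    public static final String CONFLUENT_LICENSE_CONFIG = "confluent.license";
    public static final String CONFLUENT_DEFAULT_LICENSE = "";
    protected static final String CONFLUENT_LICENSE_DOC = "Confluent will issue a license key to each subscriber. The license key will be a short snippet of text that you can copy and paste. Without the license key, you can use Confluent Security Plugins for a 30-day trial period. If you are a subscriber and don't have a license key, please contact Confluent Support at support@confluent.io.";
    public static final String BOOTSTRAP_METADATA_SERVER_URLS_PROP = "confluent.metadata.bootstrap.server.urls";
    private static final String BOOTSTRAP_METADATA_SERVER_URLS_DOC = "Comma separated list of bootstrap metadata servers urls to which this Rest proxy connects to. For ex: http://localhost:8080,http://localhost:8081";

    // Bearer token used for the OAUTHBEARER overlay; empty means "use the secure config provider".
    // Must never be null: the get*Properties() methods call isPresent() on it unconditionally.
    private Optional<String> jwtToken;
    private static final ConfigDef confluentConfigDef = initConfigDef();

    /**
     * Reports whether no license key has been configured.
     *
     * @return {@code true} when {@code confluent.license} equals the empty default
     */
    public boolean isTrial() {
        return getString(CONFLUENT_LICENSE_CONFIG).equals(CONFLUENT_DEFAULT_LICENSE);
    }

    /**
     * @return the configured value of {@code confluent.license} (empty string when unset)
     */
    public String licenseString() {
        return getString(CONFLUENT_LICENSE_CONFIG);
    }

    /**
     * Builds the configuration from raw properties and an optional bearer token.
     *
     * @param properties raw REST Proxy properties, validated against this class's config definition
     * @param optional bearer token to propagate to Kafka clients; pass {@link Optional#empty()}
     *     (not {@code null}) when the request carries no token
     * @throws RestConfigException propagated from the {@link KafkaRestConfig} constructor
     */
    public ConfluentSecureKafkaRestConfig(Properties properties, Optional<String> optional) throws RestConfigException {
        super(confluentConfigDef, properties, new SystemTime());
        this.jwtToken = optional;
    }

    /**
     * Replaces the bearer token used for subsequently built client properties.
     *
     * @param optional new token holder; must not be {@code null}
     */
    public void jwtToken(Optional<String> optional) {
        this.jwtToken = optional;
    }

    /**
     * @return the bearer token currently attached to this configuration, if any
     */
    public Optional<String> jwtToken() {
        return this.jwtToken;
    }

    /**
     * Returns the base producer properties overlaid with either the token-based SASL settings
     * or the secure config provider's producer settings.
     *
     * @return producer properties; may embed the bearer token in {@code sasl.jaas.config}
     */
    public Properties getProducerProperties() {
        Properties producerProperties = super.getProducerProperties();
        Properties overlay = this.jwtToken.isPresent()
                ? getTokenClientProps()
                : SecureConfigProviderFactory.getInstance().getSecureConfigProvider(this).getProducerProperties(this);
        producerProperties.putAll(overlay);
        return producerProperties;
    }

    /**
     * Returns the base consumer properties overlaid with either the token-based SASL settings
     * or the secure config provider's consumer settings.
     *
     * @return consumer properties; may embed the bearer token in {@code sasl.jaas.config}
     */
    public Properties getConsumerProperties() {
        Properties consumerProperties = super.getConsumerProperties();
        Properties overlay = this.jwtToken.isPresent()
                ? getTokenClientProps()
                : SecureConfigProviderFactory.getInstance().getSecureConfigProvider(this).getConsumerProperties(this);
        consumerProperties.putAll(overlay);
        return consumerProperties;
    }

    /**
     * Returns admin-client properties overlaid with either the token-based SASL settings or the
     * secure config provider's admin settings.
     *
     * @return admin properties; may embed the bearer token in {@code sasl.jaas.config}
     */
    public Properties getAdminProperties() {
        // NOTE(review): the base here is the *consumer* property set, not an admin-specific one.
        // Kept as found; confirm against KafkaRestConfig whether an admin base should be used.
        Properties adminProperties = super.getConsumerProperties();
        Properties overlay = this.jwtToken.isPresent()
                ? getTokenClientProps()
                : SecureConfigProviderFactory.getInstance().getSecureConfigProvider(this).getAdminProperties(this);
        adminProperties.putAll(overlay);
        return adminProperties;
    }

    /**
     * Extends the base REST Proxy config definition with the security plugin settings.
     *
     * @return the config definition used to validate properties passed to the constructor
     */
    private static ConfigDef initConfigDef() {
        return baseKafkaRestConfigDef()
                .define(
                        CONFLUENT_AUTH_PROPAGATE_CONFIG_CONFIG,
                        ConfigDef.Type.STRING,
                        CONFLUENT_AUTH_PROPAGATE_DEFAULT,
                        // Only the names known to RestAuthType are accepted.
                        ConfigDef.ValidString.in((String[]) RestAuthType.NAMES.toArray(new String[RestAuthType.NAMES.size()])),
                        ConfigDef.Importance.LOW,
                        CONFLUENT_AUTH_PROPAGATE_CONFIG_DOC)
                .define(
                        CONFLUENT_LICENSE_CONFIG,
                        ConfigDef.Type.STRING,
                        CONFLUENT_DEFAULT_LICENSE,
                        ConfigDef.Importance.HIGH,
                        CONFLUENT_LICENSE_DOC)
                .define(
                        BOOTSTRAP_METADATA_SERVER_URLS_PROP,
                        ConfigDef.Type.STRING,
                        // Default is the empty string (no metadata servers configured).
                        "",
                        ConfigDef.Importance.HIGH,
                        BOOTSTRAP_METADATA_SERVER_URLS_DOC)
                .define(
                        CONFLUENT_SSL_PRINCIPAL_MAPPING_RULES_CONFIG,
                        ConfigDef.Type.STRING,
                        "DEFAULT",
                        ConfigDef.Importance.LOW,
                        CONFLUENT_SSL_PRINCIPAL_MAPPING_RULES_DOC);
    }

    /**
     * Builds the SASL/OAUTHBEARER client overlay that carries the attached bearer token.
     *
     * <p>Only called when {@code jwtToken} is present. Every original property whose key starts
     * with {@code confluent.metadata.} is copied into the result as well.
     *
     * @return client properties containing the token inside {@code sasl.jaas.config}
     */
    private Properties getTokenClientProps() {
        Properties properties = new Properties();
        properties.put("sasl.mechanism", "OAUTHBEARER");
        properties.put("sasl.login.callback.handler.class", "io.confluent.kafka.clients.plugins.auth.token.TokenBearerLoginCallbackHandler");
        // The token and the URL list are placed inside double-quoted JAAS option values. Escape
        // them so that a quote, backslash or line break in either value cannot end the quoted
        // string early and introduce extra JAAS options. Well-formed JWTs are unaffected.
        properties.put("sasl.jaas.config", "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required  authenticationToken=\"" + escapeJaasValue(this.jwtToken.get()) + "\" metadataServerUrls=\"" + escapeJaasValue(getString(BOOTSTRAP_METADATA_SERVER_URLS_PROP)) + "\";");
        properties.put("bearer.auth.credentials.source", "MDS");
        originals().forEach((key, value) -> {
            if (key.startsWith("confluent.metadata.")) {
                properties.put(key, value);
            }
        });
        return properties;
    }

    /**
     * Escapes a value for use inside a double-quoted JAAS option.
     *
     * @param value raw option value
     * @return the value with backslash, double quote, CR and LF written as backslash escapes
     */
    private static String escapeJaasValue(String value) {
        StringBuilder escaped = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    escaped.append("\\\\");
                    break;
                case '"':
                    escaped.append("\\\"");
                    break;
                case '\n':
                    escaped.append("\\n");
                    break;
                case '\r':
                    escaped.append("\\r");
                    break;
                default:
                    escaped.append(c);
                    break;
            }
        }
        return escaped.toString();
    }
}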
