package io.strimzi.kafka.oauth.client;

import io.strimzi.kafka.oauth.common.ConfigUtil;
import io.strimzi.kafka.oauth.common.JSONUtil;
import io.strimzi.kafka.oauth.common.LogUtil;
import io.strimzi.kafka.oauth.common.OAuthAuthenticator;
import io.strimzi.kafka.oauth.common.TokenInfo;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/strimzi/kafka/oauth/client/JaasClientOauthLoginCallbackHandler.class */
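/**
 * Kafka client-side {@link AuthenticateCallbackHandler} for the OAUTHBEARER SASL mechanism.
 *
 * <p>The handler is configured from the JAAS login module options and then, on each
 * {@link OAuthBearerTokenCallback}, obtains a token in one of three ways (first match wins):
 * <ol>
 *   <li>a pre-configured access token ({@code oauth.access.token}),</li>
 *   <li>a refresh token exchanged at the token endpoint,</li>
 *   <li>a client-credentials grant using {@code oauth.client.id} / {@code oauth.client.secret}.</li>
 * </ol>
 * Secrets (access token, refresh token, client secret) are masked via {@link LogUtil#mask}
 * before being written to the debug log; the client id and endpoint URI are logged as-is.
 *
 * <p>Not thread-safe: {@link #configure} mutates instance state and is expected to be called
 * once before {@link #handle}.
 */
public class JaasClientOauthLoginCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger(JaasClientOauthLoginCallbackHandler.class);

    /** Effective configuration; replaced by the options of the last JAAS entry in {@link #configure}. */
    private ClientConfig config = new ClientConfig();
    /** Statically configured access token, or {@code null} when a token must be obtained. */
    private String token;
    /** Refresh token used against {@link #tokenEndpoint}, or {@code null}. */
    private String refreshToken;
    /** OAuth client id; required whenever no static access token is configured. */
    private String clientId;
    /** OAuth client secret; required when neither access token nor refresh token is configured. */
    private String clientSecret;
    /** Parsed {@code oauth.token.endpoint.uri}; only set when no static access token is configured. */
    private URI tokenEndpoint;
    /** Claim to use as principal name; {@code null} means "use the token subject". */
    private String usernameClaim;
    /** TLS socket factory for the token endpoint, built from config; {@code null} if not needed. */
    private SSLSocketFactory socketFactory;
    /** Hostname verifier for the token endpoint, built from config; {@code null} if not needed. */
    private HostnameVerifier hostnameVerifier;

    /**
     * Reads the JAAS options and validates that a usable credential is present.
     *
     * <p>When several {@link AppConfigurationEntry} instances are supplied, each one replaces the
     * previous configuration, so effectively only the last entry's options are used.
     *
     * @param map            Kafka client configuration (not consulted by this handler)
     * @param str            SASL mechanism name; must be {@code "OAUTHBEARER"}
     * @param list           JAAS login module entries providing the {@code oauth.*} options
     * @throws IllegalArgumentException if the mechanism is not OAUTHBEARER
     * @throws RuntimeException         if no access token and no token endpoint are configured,
     *                                  if the client id is missing, if neither refresh token nor
     *                                  client secret is available, or if the endpoint URI is malformed
     */
    @Override
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!"OAUTHBEARER".equals(str)) {
            throw new IllegalArgumentException("Unexpected SASL mechanism: " + str);
        }
        for (AppConfigurationEntry appConfigurationEntry : list) {
            Properties properties = new Properties();
            properties.putAll(appConfigurationEntry.getOptions());
            this.config = new ClientConfig(properties);
        }
        this.token = this.config.getValue(ClientConfig.OAUTH_ACCESS_TOKEN);
        if (this.token == null) {
            // No static token: a token endpoint plus client credentials (or a refresh token) are required.
            String value = this.config.getValue(ClientConfig.OAUTH_TOKEN_ENDPOINT_URI);
            if (value == null) {
                throw new RuntimeException("Access Token not specified ('oauth.access.token'). OAuth2 Token Endpoint ('oauth.token.endpoint.uri') should then be set.");
            }
            try {
                this.tokenEndpoint = new URI(value);
            } catch (URISyntaxException e) {
                // Keep the cause so the offending character/position is not lost.
                throw new RuntimeException("Specified token endpoint uri is invalid: " + value, e);
            }
            this.refreshToken = this.config.getValue(ClientConfig.OAUTH_REFRESH_TOKEN);
            this.clientId = this.config.getValue("oauth.client.id");
            this.clientSecret = this.config.getValue("oauth.client.secret");
            if (this.clientId == null) {
                throw new RuntimeException("No client id specified ('oauth.client.id')");
            }
            if (this.refreshToken == null && this.clientSecret == null) {
                throw new RuntimeException("No access token, refresh token, nor client secret specified");
            }
            // TLS settings for the token endpoint are derived from the same oauth.* config.
            this.socketFactory = ConfigUtil.createSSLFactory(this.config);
            this.hostnameVerifier = ConfigUtil.createHostnameVerifier(this.config);
        }
        this.usernameClaim = this.config.getValue("oauth.username.claim", "sub");
        if ("sub".equals(this.usernameClaim)) {
            // "sub" is the default and is served from TokenInfo.subject(), so no claim lookup is needed.
            this.usernameClaim = null;
        }
        if (log.isDebugEnabled()) {
            log.debug("Configured JaasClientOauthLoginCallbackHandler:\n    token: " + LogUtil.mask(this.token) + "\n    refreshToken: " + LogUtil.mask(this.refreshToken) + "\n    tokenEndpointUri: " + this.tokenEndpoint + "\n    clientId: " + this.clientId + "\n    clientSecret: " + LogUtil.mask(this.clientSecret) + "\n    usernameClaim: " + this.usernameClaim);
        }
    }

    /** No resources are held between calls, so there is nothing to release. */
    @Override
    public void close() {
    }

    /**
     * Handles Kafka's authentication callbacks; only {@link OAuthBearerTokenCallback} is supported.
     *
     * @param callbackArr callbacks to process, in order
     * @throws IOException                  if obtaining a token from the endpoint fails
     * @throws UnsupportedCallbackException on the first callback that is not an
     *                                      {@link OAuthBearerTokenCallback}
     */
    @Override
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            if (!(callback instanceof OAuthBearerTokenCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            handleCallback((OAuthBearerTokenCallback) callback);
        }
    }

    /**
     * Obtains a token according to the configured credential and hands it to the callback.
     *
     * @param oAuthBearerTokenCallback callback to populate; must not already carry a token
     * @throws IOException              if the token endpoint request fails
     * @throws IllegalArgumentException if the callback already has a token
     * @throws IllegalStateException    if no credential is available (should be prevented by
     *                                  {@link #configure})
     */
    private void handleCallback(OAuthBearerTokenCallback oAuthBearerTokenCallback) throws IOException {
        if (oAuthBearerTokenCallback.token() != null) {
            throw new IllegalArgumentException("Callback had a token already");
        }
        final TokenInfo tokenInfo = obtainToken();
        oAuthBearerTokenCallback.token(new OAuthBearerToken() {
            @Override
            public String value() {
                return tokenInfo.token();
            }

            @Override
            public Set<String> scope() {
                return tokenInfo.scope();
            }

            @Override
            public long lifetimeMs() {
                return tokenInfo.expiresAtMs();
            }

            @Override
            public String principalName() {
                // A non-null usernameClaim overrides the subject with an arbitrary JWT claim.
                return JaasClientOauthLoginCallbackHandler.this.usernameClaim != null ? JSONUtil.getClaimFromJWT(JaasClientOauthLoginCallbackHandler.this.usernameClaim, tokenInfo.payload()) : tokenInfo.subject();
            }

            @Override
            public Long startTimeMs() {
                return Long.valueOf(tokenInfo.issuedAtMs());
            }
        });
    }

    /**
     * Selects the credential to use: static access token, then refresh token, then client secret.
     *
     * @return token information from the selected login flow
     * @throws IOException           if the token endpoint request fails
     * @throws IllegalStateException if none of the three credentials is configured
     */
    private TokenInfo obtainToken() throws IOException {
        if (this.token != null) {
            return OAuthAuthenticator.loginWithAccessToken(this.token);
        }
        if (this.refreshToken != null) {
            return OAuthAuthenticator.loginWithRefreshToken(this.tokenEndpoint, this.socketFactory, this.hostnameVerifier, this.refreshToken, this.clientId, this.clientSecret);
        }
        if (this.clientSecret == null) {
            throw new IllegalStateException("Invalid oauth client configuration - no credentials");
        }
        return OAuthAuthenticator.loginWithClientSecret(this.tokenEndpoint, this.socketFactory, this.hostnameVerifier, this.clientId, this.clientSecret);
    }
}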
