package org.apache.kafka.common.security.oauthbearer.secured;

import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerClientInitialResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/kafka-clients-3.2.0.jar:org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandler.class */
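/**
 * Client-side login callback handler for SASL/OAUTHBEARER.
 *
 * <p>It answers two callback types: {@link OAuthBearerTokenCallback}, by retrieving an access
 * token and running it through the configured validator, and {@link SaslExtensionsCallback}, by
 * forwarding every JAAS option whose key starts with {@code extension_}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code moduleOptions} holds the JAAS options as returned by {@code JaasOptionsUtils};
 *       given {@link #CLIENT_SECRET_CONFIG} this presumably includes the client secret, so the
 *       map must never be logged or exposed as a whole (confirm against the retriever
 *       factory).</li>
 *   <li>Values of {@code extension_*} options are handed to the SASL layer as extensions, so
 *       they are not a place for secrets.</li>
 * </ul>
 *
 * <p>The class does no synchronization of its own.
 */
public class OAuthBearerLoginCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger(OAuthBearerLoginCallbackHandler.class);

    /** JAAS option name for the OAuth client ID. */
    public static final String CLIENT_ID_CONFIG = "clientId";
    /** JAAS option name for the OAuth client secret; treat the value as a credential. */
    public static final String CLIENT_SECRET_CONFIG = "clientSecret";
    /** JAAS option name for the optional OAuth scope. */
    public static final String SCOPE_CONFIG = "scope";
    public static final String CLIENT_ID_DOC = "The OAuth/OIDC identity provider-issued client ID to uniquely identify the service account to use for authentication for this client. The value must be paired with a corresponding clientSecret value and is provided to the OAuth provider using the OAuth clientcredentials grant type.";
    public static final String CLIENT_SECRET_DOC = "The OAuth/OIDC identity provider-issued client secret serves a similar function as a password to the clientId account and identifies the service account to use for authentication for this client. The value must be paired with a corresponding clientId value and is provided to the OAuth provider using the OAuth clientcredentials grant type.";
    public static final String SCOPE_DOC = "The (optional) HTTP/HTTPS login request to the token endpoint (sasl.oauthbearer.token.endpoint.url) may need to specify an OAuth \"scope\". If so, the scope is used to provide the value to include with the login request.";

    /** Prefix marking a JAAS option as a SASL extension; it is stripped before forwarding. */
    private static final String EXTENSION_PREFIX = "extension_";

    // JAAS options for this login module; may contain credentials, never log the whole map.
    private Map<String, Object> moduleOptions;
    private AccessTokenRetriever accessTokenRetriever;
    private AccessTokenValidator accessTokenValidator;
    private boolean isInitialized = false;

    /**
     * Reads the JAAS options, builds the token retriever and validator from the factories and
     * initializes the handler.
     *
     * @param map  client configuration passed through to both factories
     * @param str  second argument of the callback-handler contract (the SASL mechanism name in
     *             {@code AuthenticateCallbackHandler}), passed through unchanged
     * @param list JAAS configuration entries the module options are extracted from
     * @throws KafkaException if the retriever fails to initialize
     */
    @Override
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        this.moduleOptions = JaasOptionsUtils.getOptions(str, list);
        AccessTokenRetriever retriever = AccessTokenRetrieverFactory.create(map, str, this.moduleOptions);
        AccessTokenValidator validator = AccessTokenValidatorFactory.create(map, str);
        init(retriever, validator);
    }

    /**
     * Installs the given retriever and validator and initializes the retriever.
     *
     * @param accessTokenRetriever source of the raw access token
     * @param accessTokenValidator validator applied to every retrieved token
     * @throws KafkaException if {@code accessTokenRetriever.init()} fails with an I/O error
     */
    void init(AccessTokenRetriever accessTokenRetriever, AccessTokenValidator accessTokenValidator) {
        // Drop any earlier "initialized" state first: if this (re-)initialization fails, the
        // handler must not keep serving callbacks with a retriever that never came up.
        this.isInitialized = false;
        this.accessTokenRetriever = accessTokenRetriever;
        this.accessTokenValidator = accessTokenValidator;
        try {
            this.accessTokenRetriever.init();
            this.isInitialized = true;
        } catch (IOException e) {
            throw new KafkaException("The OAuth login configuration encountered an error when initializing the AccessTokenRetriever", e);
        }
    }

    /** Returns the retriever currently installed, or {@code null} before initialization. */
    AccessTokenRetriever getAccessTokenRetriever() {
        return this.accessTokenRetriever;
    }

    /**
     * Closes the retriever if one is installed. An I/O failure while closing is logged at WARN
     * and not propagated.
     */
    @Override
    public void close() {
        if (this.accessTokenRetriever == null) {
            return;
        }
        try {
            this.accessTokenRetriever.close();
        } catch (IOException e) {
            log.warn("The OAuth login configuration encountered an error when closing the AccessTokenRetriever", e);
        }
    }

    /**
     * Dispatches each callback to its handler, in array order.
     *
     * @param callbackArr callbacks to process
     * @throws IOException                  if token retrieval fails
     * @throws UnsupportedCallbackException for any callback that is neither a token nor an
     *                                      extensions callback; callbacks before it have already
     *                                      been handled
     * @throws IllegalStateException        if the handler has not been initialized
     */
    @Override
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        checkInitialized();
        for (Callback callback : callbackArr) {
            if (callback instanceof OAuthBearerTokenCallback) {
                handleTokenCallback((OAuthBearerTokenCallback) callback);
            } else if (callback instanceof SaslExtensionsCallback) {
                handleExtensionsCallback((SaslExtensionsCallback) callback);
            } else {
                throw new UnsupportedCallbackException(callback);
            }
        }
    }

    /**
     * Retrieves a token, validates it and stores it on the callback. A token is only ever set
     * after validation succeeded; on a {@code ValidateException} the callback receives an
     * {@code invalid_token} error whose description is the exception message.
     */
    private void handleTokenCallback(OAuthBearerTokenCallback oAuthBearerTokenCallback) throws IOException {
        checkInitialized();
        try {
            String rawToken = this.accessTokenRetriever.retrieve();
            oAuthBearerTokenCallback.token(this.accessTokenValidator.validate(rawToken));
        } catch (ValidateException e) {
            log.warn(e.getMessage(), e);
            oAuthBearerTokenCallback.error("invalid_token", e.getMessage(), null);
        }
    }

    /**
     * Collects every JAAS option named {@code extension_<name>} into a SASL extension
     * {@code <name>}, validates the set and hands it to the callback.
     *
     * @throws ConfigException if the extensions are rejected by validation; the
     *                         {@link SaslException} is attached as the cause
     */
    private void handleExtensionsCallback(SaslExtensionsCallback saslExtensionsCallback) {
        checkInitialized();
        Map<String, String> extensions = new HashMap<>();
        for (Map.Entry<String, Object> option : this.moduleOptions.entrySet()) {
            String key = option.getKey();
            if (!key.startsWith(EXTENSION_PREFIX)) {
                continue;
            }
            // Only the extension_* options are copied; other options (credentials included)
            // stay out of the extension set.
            extensions.put(key.substring(EXTENSION_PREFIX.length()), String.valueOf(option.getValue()));
        }
        SaslExtensions saslExtensions = new SaslExtensions(extensions);
        try {
            OAuthBearerClientInitialResponse.validateExtensions(saslExtensions);
            saslExtensionsCallback.extensions(saslExtensions);
        } catch (SaslException e) {
            // Keep the original exception as the cause so its stack trace is not lost.
            ConfigException configException = new ConfigException(e.getMessage());
            configException.initCause(e);
            throw configException;
        }
    }

    /** Fails fast when the handler is used before a successful {@code configure}/{@code init}. */
    private void checkInitialized() {
        if (!this.isInitialized) {
            throw new IllegalStateException(String.format("To use %s, first call the configure or init method", getClass().getSimpleName()));
        }
    }
}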
