package org.apache.kafka.common.security.oauthbearer.internals;

import java.io.IOException;
import java.security.AccessController;
import java.util.Collections;
import java.util.Comparator;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClientCallbackHandler.class
 */
/* loaded from: input_file:META-INF/bundled-dependencies/pulsar-io-kafka-connect-adaptor-2.7.3.0.jar:META-INF/bundled-dependencies/kafka-clients-2.3.0.jar:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerSaslClientCallbackHandler.class */
public class OAuthBearerSaslClientCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) OAuthBearerSaslClientCallbackHandler.class);
    private boolean configured = false;

    public boolean configured() {
        return this.configured;
    }

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (!OAuthBearerLoginModule.OAUTHBEARER_MECHANISM.equals(str)) {
            throw new IllegalArgumentException(String.format("Unexpected SASL mechanism: %s", str));
        }
        this.configured = true;
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (!configured()) {
            throw new IllegalStateException("Callback handler not configured");
        }
        for (Callback callback : callbackArr) {
            if (callback instanceof OAuthBearerTokenCallback) {
                handleCallback((OAuthBearerTokenCallback) callback);
            } else {
                if (!(callback instanceof SaslExtensionsCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }
                handleCallback((SaslExtensionsCallback) callback, Subject.getSubject(AccessController.getContext()));
            }
        }
    }

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void close() {
    }

    private void handleCallback(OAuthBearerTokenCallback oAuthBearerTokenCallback) throws IOException {
        if (oAuthBearerTokenCallback.token() != null) {
            throw new IllegalArgumentException("Callback had a token already");
        }
        Subject subject = Subject.getSubject(AccessController.getContext());
        Set privateCredentials = subject != null ? subject.getPrivateCredentials(OAuthBearerToken.class) : Collections.emptySet();
        if (privateCredentials.size() == 0) {
            throw new IOException("No OAuth Bearer tokens in Subject's private credentials");
        }
        if (privateCredentials.size() == 1) {
            oAuthBearerTokenCallback.token((OAuthBearerToken) privateCredentials.iterator().next());
            return;
        }
        TreeSet treeSet = new TreeSet(new Comparator<OAuthBearerToken>() { // from class: org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslClientCallbackHandler.1
            @Override // java.util.Comparator
            public int compare(OAuthBearerToken oAuthBearerToken, OAuthBearerToken oAuthBearerToken2) {
                return Long.compare(oAuthBearerToken.lifetimeMs(), oAuthBearerToken2.lifetimeMs());
            }
        });
        treeSet.addAll(privateCredentials);
        log.warn("Found {} OAuth Bearer tokens in Subject's private credentials; the oldest expires at {}, will use the newest, which expires at {}", Integer.valueOf(treeSet.size()), new Date(((OAuthBearerToken) treeSet.first()).lifetimeMs()), new Date(((OAuthBearerToken) treeSet.last()).lifetimeMs()));
        oAuthBearerTokenCallback.token((OAuthBearerToken) treeSet.last());
    }

    private static void handleCallback(SaslExtensionsCallback saslExtensionsCallback, Subject subject) {
        if (subject == null || subject.getPublicCredentials(SaslExtensions.class).isEmpty()) {
            return;
        }
        saslExtensionsCallback.extensions((SaslExtensions) subject.getPublicCredentials(SaslExtensions.class).iterator().next());
    }
}
