package io.kroxylicious.proxy.filter.oauthbearer;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.github.benmanes.caffeine.cache.Caffeine;
import edu.umd.cs.findbugs.annotations.NonNull;
import io.kroxylicious.proxy.filter.FilterFactory;
import io.kroxylicious.proxy.filter.FilterFactoryContext;
import io.kroxylicious.proxy.filter.oauthbearer.sasl.ExponentialJitterBackoffStrategy;
import io.kroxylicious.proxy.plugin.Plugin;
import io.kroxylicious.proxy.plugin.PluginConfigurationException;
import io.kroxylicious.proxy.plugin.Plugins;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.time.Duration;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServerProvider;

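@Plugin(configType = Config.class)
public class OauthBearerValidation implements FilterFactory<Config, SharedOauthBearerValidationContext> {

    static {
        // Registers Kafka's OAUTHBEARER SASL server provider before any handler is configured.
        OAuthBearerSaslServerProvider.initialize();
    }

    /** Initial delay of the exponential-jitter backoff handed to the shared context. */
    private static final Duration BACKOFF_INITIAL = Duration.ofMillis(500L);
    /** Ceiling of the exponential-jitter backoff handed to the shared context. */
    private static final Duration BACKOFF_MAX = Duration.ofSeconds(5L);
    /** Growth factor of the exponential-jitter backoff. */
    private static final double BACKOFF_MULTIPLIER = 2.0d;
    /** SASL mechanism the Kafka callback handler is configured for. */
    private static final String SASL_MECHANISM = "OAUTHBEARER";

    /** Kafka's JWT/JWKS validator; configured once in {@link #initialize} and shared by all filters. */
    private final OAuthBearerValidatorCallbackHandler oauthHandler;

    /**
     * Filter configuration. Every value except {@code jwksEndpointUrl} is optional; missing,
     * blank, negative or (for the two size/ceiling values) zero entries are replaced by the
     * defaults applied in {@code initConfigWithDefaults}:
     * <ul>
     *   <li>{@code jwksEndpointRefreshMs} – 3600000 (null or negative)</li>
     *   <li>{@code jwksEndpointRetryBackoffMs} – 100 (null or negative)</li>
     *   <li>{@code jwksEndpointRetryBackoffMaxMs} – 10000 (null or non-positive)</li>
     *   <li>{@code scopeClaimName} – {@code "scope"} (null or blank)</li>
     *   <li>{@code subClaimName} – {@code "sub"} (null or blank)</li>
     *   <li>{@code authenticateBackOffMaxMs} – 60000 (null or negative)</li>
     *   <li>{@code authenticateCacheMaxSize} – 1000 (null or non-positive)</li>
     *   <li>{@code expectedAudience} – null (null or blank); otherwise a comma-separated list</li>
     *   <li>{@code expectedIssuer} – null (null or blank)</li>
     * </ul>
     * The {@code jwks*}, {@code *ClaimName}, {@code expectedAudience} and {@code expectedIssuer}
     * values are forwarded to Kafka's validator as the corresponding {@code sasl.oauthbearer.*}
     * settings; {@code authenticateBackOffMaxMs} and {@code authenticateCacheMaxSize} bound the
     * per-key counter cache built for the shared context.
     *
     * @param jwksEndpointUrl               location of the JWKS document used to verify token signatures;
     *                                      only its string form is forwarded, the scheme is not validated here
     * @param jwksEndpointRefreshMs         JWKS refresh interval in milliseconds
     * @param jwksEndpointRetryBackoffMs    initial JWKS retry backoff in milliseconds
     * @param jwksEndpointRetryBackoffMaxMs maximum JWKS retry backoff in milliseconds
     * @param scopeClaimName                name of the scope claim
     * @param subClaimName                  name of the subject claim
     * @param authenticateBackOffMaxMs      lifetime of an entry in the counter cache, in milliseconds
     * @param authenticateCacheMaxSize      maximum number of entries in the counter cache
     * @param expectedAudience              comma-separated accepted audiences, or null for no audience constraint
     * @param expectedIssuer                accepted issuer, or null for no issuer constraint
     */
    public record Config(
            @JsonProperty(required = true) URI jwksEndpointUrl,
            @JsonProperty Long jwksEndpointRefreshMs,
            @JsonProperty Long jwksEndpointRetryBackoffMs,
            @JsonProperty Long jwksEndpointRetryBackoffMaxMs,
            @JsonProperty String scopeClaimName,
            @JsonProperty String subClaimName,
            @JsonProperty Long authenticateBackOffMaxMs,
            @JsonProperty Long authenticateCacheMaxSize,
            @JsonProperty String expectedAudience,
            @JsonProperty String expectedIssuer) {
    }

    /** Creates a factory backed by a fresh Kafka validator callback handler. */
    public OauthBearerValidation() {
        this(new OAuthBearerValidatorCallbackHandler());
    }

    /**
     * Creates a factory backed by the given handler (primarily for tests).
     *
     * @param oauthHandler the validator callback handler to configure and share
     */
    public OauthBearerValidation(OAuthBearerValidatorCallbackHandler oauthHandler) {
        this.oauthHandler = oauthHandler;
    }

    /**
     * Configures the shared validator from {@code config} and builds the context shared by all
     * filter instances created from this factory.
     *
     * @param filterFactoryContext the proxy's factory context (unused here)
     * @param config               the user-supplied configuration; must not be null
     * @return the shared validation context
     * @throws PluginConfigurationException if {@code config} is absent
     */
    @Override
    public SharedOauthBearerValidationContext initialize(FilterFactoryContext filterFactoryContext, Config config)
            throws PluginConfigurationException {
        Plugins.requireConfig(this, config);
        Config effective = initConfigWithDefaults(config);
        this.oauthHandler.configure(createSaslConfigMap(effective), SASL_MECHANISM, createDefaultJaasConfig());
        ExponentialJitterBackoffStrategy backoff = new ExponentialJitterBackoffStrategy(
                BACKOFF_INITIAL, BACKOFF_MAX, BACKOFF_MULTIPLIER, ThreadLocalRandom.current());
        // Per-key AtomicInteger counters consumed by the filter (presumably to throttle repeated
        // failures). Entries age out after authenticateBackOffMaxMs and the cache is capped at
        // authenticateCacheMaxSize, so remote input cannot grow it without bound.
        return new SharedOauthBearerValidationContext(
                effective,
                backoff,
                Caffeine.newBuilder()
                        .expireAfterWrite(effective.authenticateBackOffMaxMs(), TimeUnit.MILLISECONDS)
                        .maximumSize(effective.authenticateCacheMaxSize())
                        .build(key -> new AtomicInteger(0)),
                this.oauthHandler);
    }

    /**
     * Creates a per-connection filter bound to the context's event loop.
     *
     * @param filterFactoryContext the proxy's factory context, supplying the event loop
     * @param sharedContext        the context built by {@link #initialize}
     * @return a new filter instance
     */
    @NonNull
    @Override
    public OauthBearerValidationFilter createFilter(FilterFactoryContext filterFactoryContext,
                                                    SharedOauthBearerValidationContext sharedContext) {
        return new OauthBearerValidationFilter(filterFactoryContext.eventLoop(), sharedContext);
    }

    /**
     * Releases the shared validator (which stops JWKS refreshing).
     *
     * @param sharedContext the context built by {@link #initialize} (unused here)
     */
    @Override
    public void close(SharedOauthBearerValidationContext sharedContext) {
        this.oauthHandler.close();
    }

    /**
     * Translates the effective configuration into Kafka {@code sasl.oauthbearer.*} settings.
     * <p>
     * {@code sasl.oauthbearer.expected.audience} and {@code sasl.oauthbearer.expected.issuer} are
     * only set when configured. Without them no audience or issuer constraint is handed to the
     * validator at this layer, so operators should set both in production to avoid accepting
     * tokens minted for a different service but signed with the same JWKS keys.
     *
     * @param config configuration that has already passed through {@code initConfigWithDefaults};
     *               {@link Map#of} rejects null values, so the numeric and claim-name entries must
     *               be non-null here
     * @return a mutable map of SASL settings
     */
    private static Map<String, ?> createSaslConfigMap(Config config) {
        Map<String, Object> saslConfig = new HashMap<>(Map.of(
                "sasl.oauthbearer.jwks.endpoint.url", config.jwksEndpointUrl().toString(),
                "sasl.oauthbearer.jwks.endpoint.refresh.ms", config.jwksEndpointRefreshMs(),
                "sasl.oauthbearer.jwks.endpoint.retry.backoff.ms", config.jwksEndpointRetryBackoffMs(),
                "sasl.oauthbearer.jwks.endpoint.retry.backoff.max.ms", config.jwksEndpointRetryBackoffMaxMs(),
                "sasl.oauthbearer.scope.claim.name", config.scopeClaimName(),
                "sasl.oauthbearer.sub.claim.name", config.subClaimName()));
        String audience = config.expectedAudience();
        if (audience != null) {
            // Comma-separated list; surrounding whitespace and empty items are dropped.
            List<String> audiences = Arrays.stream(audience.split(","))
                    .map(String::trim)
                    .filter(item -> !item.isEmpty())
                    .toList();
            saslConfig.put("sasl.oauthbearer.expected.audience", audiences);
        }
        String issuer = config.expectedIssuer();
        if (issuer != null) {
            saslConfig.put("sasl.oauthbearer.expected.issuer", issuer);
        }
        return saslConfig;
    }

    /**
     * Builds the JAAS configuration Kafka's handler expects: a single required
     * {@code OAuthBearerLoginModule} entry with no options.
     *
     * @return an immutable single-entry list
     */
    private static List<AppConfigurationEntry> createDefaultJaasConfig() {
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "OAuthBearerLoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                Map.of());
        return List.of(entry);
    }

    /**
     * Returns a copy of {@code config} with the defaults documented on {@link Config} applied.
     *
     * @param config the user-supplied configuration; must not be null
     * @return a new configuration with no null numeric or claim-name values
     */
    private static Config initConfigWithDefaults(Config config) {
        return new Config(
                config.jwksEndpointUrl(),
                defaultIfNullOrNegative(config.jwksEndpointRefreshMs(), 3600000L),
                defaultIfNullOrNegative(config.jwksEndpointRetryBackoffMs(), 100L),
                defaultIfNullOrNonPositive(config.jwksEndpointRetryBackoffMaxMs(), 10000L),
                defaultIfNullOrEmpty(config.scopeClaimName(), "scope"),
                defaultIfNullOrEmpty(config.subClaimName(), "sub"),
                defaultIfNullOrNegative(config.authenticateBackOffMaxMs(), 60000L),
                defaultIfNullOrNonPositive(config.authenticateCacheMaxSize(), 1000L),
                defaultIfNullOrEmpty(config.expectedAudience(), null),
                defaultIfNullOrEmpty(config.expectedIssuer(), null));
    }

    /**
     * @return {@code fallback} when {@code value} is null or negative, otherwise {@code value}
     */
    private static Long defaultIfNullOrNegative(Long value, Long fallback) {
        if (value == null || value < 0) {
            return fallback;
        }
        return value;
    }

    /**
     * @return {@code fallback} when {@code value} is null or not strictly positive, otherwise {@code value}
     */
    private static Long defaultIfNullOrNonPositive(Long value, Long fallback) {
        if (value == null || value <= 0) {
            return fallback;
        }
        return value;
    }

    /**
     * @return {@code fallback} when {@code value} is null or blank, otherwise {@code value} (untrimmed)
     */
    private static String defaultIfNullOrEmpty(String value, String fallback) {
        if (value == null || value.trim().isEmpty()) {
            return fallback;
        }
        return value;
    }
}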
