package software.amazon.msk.auth.iam;

import com.amazonaws.AmazonWebServiceRequest;
import com.amazonaws.DefaultRequest;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import lombok.NonNull;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.core.exception.SdkClientException;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.SdkHttpMethod;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.regions.providers.AwsRegionProvider;
import software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain;
import software.amazon.msk.auth.iam.internals.AWS4SignedPayloadGenerator;
import software.amazon.msk.auth.iam.internals.AuthenticationRequestParams;
import software.amazon.msk.auth.iam.internals.MSKCredentialProvider;
import software.amazon.msk.auth.iam.internals.UserAgentUtils;

/* loaded from: input_file:software/amazon/msk/auth/iam/IAMOAuthBearerLoginCallbackHandler.class */
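/**
 * Kafka SASL/OAUTHBEARER login callback handler that answers an {@link OAuthBearerTokenCallback}
 * with a token derived from a presigned AWS request.
 *
 * <p>The token value is the base64url encoding (no padding) of the presigned request URI built in
 * {@link #generateTokenValue}. It is used as a bearer credential, so it must never be written to
 * logs or exception messages; the logging in this class only records class and class-loader names.
 *
 * <p>The handler must be {@link #configure configured} before {@link #handle} is called.
 */
public class IAMOAuthBearerLoginCallbackHandler implements AuthenticateCallbackHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger(IAMOAuthBearerLoginCallbackHandler.class);
    private static final String PROTOCOL = "https";
    private static final String USER_AGENT_KEY = "User-Agent";
    private AwsCredentialsProvider credentialsProvider;
    private AwsRegionProvider awsRegionProvider;
    private final AWS4SignedPayloadGenerator aws4Signer = new AWS4SignedPayloadGenerator();
    private boolean configured = false;

    /**
     * Reports whether {@link #configure} has completed successfully.
     *
     * @return {@code true} once the credential and region providers have been set up
     */
    public boolean configured() {
        return this.configured;
    }

    /**
     * Selects the credential provider and region provider used to build tokens.
     *
     * <p>The first JAAS entry whose login module is {@link OAuthBearerLoginModule} supplies the
     * options for an {@link MSKCredentialProvider}; when no such entry exists the SDK default
     * credential provider is used.
     *
     * @param map client configuration; not read by this handler
     * @param str SASL mechanism, which must be {@code OAUTHBEARER}
     * @param list JAAS configuration entries for the login context
     * @throws NullPointerException if {@code str} or {@code list} is null
     * @throws IllegalArgumentException if {@code str} is not {@code OAUTHBEARER}
     */
    @Override
    public void configure(Map<String, ?> map, @NonNull String str, @NonNull List<AppConfigurationEntry> list) {
        if (str == null) {
            throw new NullPointerException("saslMechanism is marked non-null but is null");
        }
        if (list == null) {
            throw new NullPointerException("jaasConfigEntries is marked non-null but is null");
        }
        if (!"OAUTHBEARER".equals(str)) {
            throw new IllegalArgumentException(String.format("Unexpected SASL mechanism: %s", str));
        }
        final String loginModuleName = OAuthBearerLoginModule.class.getCanonicalName();
        // orElseGet defers building the default provider until it is actually needed, so no
        // unused provider is created when a matching JAAS entry supplies its own.
        this.credentialsProvider = list.stream()
                .filter(entry -> loginModuleName.equals(entry.getLoginModuleName()))
                .findFirst()
                .<AwsCredentialsProvider>map(entry -> new MSKCredentialProvider(entry.getOptions()))
                .orElseGet(DefaultCredentialsProvider::create);
        this.awsRegionProvider = new DefaultAwsRegionProviderChain();
        this.configured = true;
    }

    /**
     * Closes the credential provider when it holds closeable resources. Failures are logged and
     * not propagated, so closing the handler is best effort.
     */
    @Override
    public void close() {
        if (!(this.credentialsProvider instanceof AutoCloseable)) {
            return;
        }
        try {
            // AwsCredentialsProvider itself declares no close(); the cast is required.
            ((AutoCloseable) this.credentialsProvider).close();
        } catch (Exception e) {
            LOGGER.warn("Error closing provider", e);
        }
    }

    /**
     * Supplies a token for every {@link OAuthBearerTokenCallback} in the array.
     *
     * @param callbackArr callbacks issued by the login module
     * @throws NullPointerException if {@code callbackArr} is null
     * @throws IllegalStateException if the handler has not been configured
     * @throws UnsupportedCallbackException if a callback is not an {@link OAuthBearerTokenCallback}
     * @throws IOException if the region cannot be resolved, or (as {@link MalformedURLException})
     *     if the generated token cannot be parsed
     */
    @Override
    public void handle(@NonNull Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (callbackArr == null) {
            throw new NullPointerException("callbacks is marked non-null but is null");
        }
        if (!configured()) {
            throw new IllegalStateException("Callback handler not configured");
        }
        for (Callback callback : callbackArr) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Type information for callback: " + debugClassString(callback.getClass()) + " from " + debugClassString(getClass()));
            }
            if (!(callback instanceof OAuthBearerTokenCallback)) {
                throw new UnsupportedCallbackException(callback, "Unsupported callback type: " + debugClassString(callback.getClass()) + " from " + debugClassString(getClass()));
            }
            try {
                handleCallback((OAuthBearerTokenCallback) callback);
            } catch (URISyntaxException | ParseException e) {
                // MalformedURLException has no cause-taking constructor; attach the cause
                // explicitly so the original parse failure stays in the stack trace.
                MalformedURLException wrapped = new MalformedURLException(e.getMessage());
                wrapped.initCause(e);
                throw wrapped;
            }
        }
    }

    /**
     * Resolves credentials and region, builds the token and stores it on the callback.
     *
     * @throws IllegalArgumentException if the callback already carries a token
     */
    private void handleCallback(OAuthBearerTokenCallback oAuthBearerTokenCallback) throws IOException, URISyntaxException, ParseException {
        if (oAuthBearerTokenCallback.token() != null) {
            throw new IllegalArgumentException("Callback had a token already");
        }
        AwsCredentials credentials = this.credentialsProvider.resolveCredentials();
        String tokenValue = generateTokenValue(credentials, getCurrentRegion());
        oAuthBearerTokenCallback.token(getOAuthBearerToken(tokenValue));
    }

    /**
     * Builds the token string: the presigned request URI, UTF-8 encoded and base64url encoded
     * without padding.
     *
     * <p>The returned value is a bearer credential; callers must not log it.
     *
     * @throws NullPointerException if either argument is null
     */
    private String generateTokenValue(@NonNull AwsCredentials awsCredentials, @NonNull Region region) {
        if (awsCredentials == null) {
            throw new NullPointerException("awsCredentials is marked non-null but is null");
        }
        if (region == null) {
            throw new NullPointerException("region is marked non-null but is null");
        }
        String userAgentValue = UserAgentUtils.getUserAgentValue();
        DefaultRequest presignRequest = this.aws4Signer.presignRequest(AuthenticationRequestParams.create(getHostName(region), awsCredentials, userAgentValue));
        // NOTE(review): the User-Agent parameter is appended after presignRequest returns, so it is
        // presumably not covered by the signature - confirm against AWS4SignedPayloadGenerator.
        presignRequest.addParameter(USER_AGENT_KEY, userAgentValue);
        String signedUrl = convertToSdkHttpFullRequest(presignRequest).getUri().toString();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(signedUrl.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Returns the regional host name the request is signed for.
     *
     * <p>NOTE(review): the DNS suffix is fixed to {@code amazonaws.com}; regions served under a
     * different suffix would need a different host - confirm whether those are in scope.
     */
    private String getHostName(Region region) {
        return String.format("kafka.%s.amazonaws.com", region.toString());
    }

    /**
     * Resolves the region through the configured provider chain.
     *
     * @throws IOException if the SDK cannot determine a region; the SDK exception is kept as cause
     */
    private Region getCurrentRegion() throws IOException {
        try {
            return this.awsRegionProvider.getRegion();
        } catch (SdkClientException e) {
            // Keep the SDK exception as the cause so the reason for the failure is not lost.
            throw new IOException("AWS region could not be resolved.", e);
        }
    }

    /** Wraps the encoded token string in an {@link IAMOAuthBearerToken}. */
    private OAuthBearerToken getOAuthBearerToken(String str) throws URISyntaxException, ParseException {
        return new IAMOAuthBearerToken(str);
    }

    /**
     * Describes a class and its class loader for diagnostic messages.
     *
     * <p>{@link Class#getClassLoader()} returns {@code null} for classes loaded by the bootstrap
     * loader (for example the JDK's own callback types). That case is reported as
     * {@code bootstrap} so an unsupported JDK callback yields the intended
     * {@link UnsupportedCallbackException} instead of a {@link NullPointerException}.
     */
    static String debugClassString(Class<?> cls) {
        ClassLoader loader = cls.getClassLoader();
        String loaderName = loader == null ? "bootstrap" : loader.toString();
        return "class: " + cls.getName() + " classloader: " + loaderName;
    }

    /**
     * Copies method, host, path, headers and query parameters of the signed request into an
     * {@link SdkHttpFullRequest} so that its URI can be rendered.
     */
    private SdkHttpFullRequest convertToSdkHttpFullRequest(DefaultRequest<? extends AmazonWebServiceRequest> defaultRequest) {
        SdkHttpMethod method = SdkHttpMethod.valueOf(defaultRequest.getHttpMethod().name());
        String endpoint = defaultRequest.getEndpoint().toString();
        // Everything after "://" is used as the host and the scheme is forced to https.
        // An endpoint string without "://" is not rejected here: indexOf yields -1 and the
        // first two characters are dropped silently.
        String hostPart = endpoint.substring(endpoint.indexOf("://") + 3);
        SdkHttpFullRequest.Builder builder = SdkHttpFullRequest.builder()
                .method(method)
                .protocol(PROTOCOL)
                .encodedPath(defaultRequest.getResourcePath())
                .host(hostPart);
        defaultRequest.getHeaders().forEach(builder::appendHeader);
        // Only the first value of each query parameter is carried over.
        defaultRequest.getParameters().forEach((name, values) -> builder.appendRawQueryParameter(name, values.get(0)));
        return builder.build();
    }
}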
