package io.confluent.kafka.server.plugins.auth;

import io.confluent.kafka.multitenant.utils.AuthUtils;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.network.CCloudTrafficType;
import org.apache.kafka.server.traffic.TrafficNetworkIdRoutesStore;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/TopicBasedPlainSaslAuthenticator.class */
/**
 * {@link PlainSaslAuthenticator} variant that loads its SASL secrets from a
 * {@link BaseMultiTenantSaslSecretsStore} and, as its plugin authentication step,
 * runs a traffic network-id check for the authenticating principal.
 *
 * <p>Security-relevant state:
 * <ul>
 *   <li>{@code networkIdValidationMode} is assigned only in {@link #initialize(List)};
 *       until then it is {@code null} and is passed as such to the network-id check.</li>
 *   <li>The traffic type is fixed at construction time and influences which
 *       validation mode is selected.</li>
 * </ul>
 */
public class TopicBasedPlainSaslAuthenticator extends PlainSaslAuthenticator {
    // Source of the multi-tenant SASL secrets returned by loadSecrets().
    private final BaseMultiTenantSaslSecretsStore secretsLoader;
    // Key used to look up the network-id routes for this broker session.
    private final String brokerSessionUuid;
    // Not final: set by initialize(); null before that call.
    protected TrafficNetworkIdValidationMode networkIdValidationMode;
    // Traffic type this authenticator was created for; may be null (see the Map constructor).
    private final CCloudTrafficType trafficType;

    /**
     * Builds the authenticator from a configuration map.
     *
     * <p>The broker session UUID is resolved through {@code AuthUtils.getBrokerSessionUuid}
     * (twice, exactly as in the original code) and the traffic type is read from the
     * {@code "__confluent_ccloud_traffic_type"} entry. That value is cast without a type
     * check: a missing entry leaves the traffic type {@code null}, and an entry of another
     * type fails with {@link ClassCastException}.
     *
     * @param map configuration map supplied by the caller
     */
    public TopicBasedPlainSaslAuthenticator(Map<String, ?> map) {
        this(
            BaseMultiTenantSaslSecretsStore.getInstance(AuthUtils.getBrokerSessionUuid(map)),
            AuthUtils.getBrokerSessionUuid(map),
            (CCloudTrafficType) map.get("__confluent_ccloud_traffic_type"));
    }

    /**
     * Builds the authenticator from already-resolved collaborators.
     *
     * <p>The superclass receives the static {@code SUCCESSFUL_AUTH_CACHE} and
     * {@code FAILED_AUTH_CACHE} members, so every instance created through this
     * constructor is handed the same two cache objects.
     * NOTE(review): confirm what those caches key on and how entries expire.
     *
     * @param baseMultiTenantSaslSecretsStore store that {@link #loadSecrets()} delegates to
     * @param str broker session UUID
     * @param cCloudTrafficType traffic type used when choosing the network-id validation mode
     */
    public TopicBasedPlainSaslAuthenticator(BaseMultiTenantSaslSecretsStore baseMultiTenantSaslSecretsStore, String str, CCloudTrafficType cCloudTrafficType) {
        super(SUCCESSFUL_AUTH_CACHE, FAILED_AUTH_CACHE);
        trafficType = cCloudTrafficType;
        brokerSessionUuid = str;
        secretsLoader = baseMultiTenantSaslSecretsStore;
    }

    /**
     * Reads the SNI validation mode and the network-id validation mode from the JAAS
     * entries that belong to {@link TopicBasedLoginModule}.
     *
     * @param list JAAS configuration entries to read the options from
     */
    @Override
    public void initialize(List<AppConfigurationEntry> list) {
        final String loginModuleName = TopicBasedLoginModule.class.getName();

        mode = SniValidationMode.fromString(
            configEntryOption(list, SniValidationMode.SNI_HOST_NAME_VALIDATION_MODE_KEY, loginModuleName));

        // The configured option is handed over as a supplier, so whether it is consulted
        // at all is decided inside fromConfigs together with the traffic type.
        networkIdValidationMode = TrafficNetworkIdValidationMode.fromConfigs(
            trafficType,
            () -> configEntryOption(
                list, TrafficNetworkIdValidationMode.TRAFFIC_NETWORK_ID_VALIDATION_MODE_KEY, loginModuleName));

        log.debug("TopicBasedPlainSaslAuthenticator initialized with mode: {}, networkIdValidationMode:{}.", mode.getText(), networkIdValidationMode.name());
    }

    /**
     * Runs the traffic network-id check for one authentication attempt.
     *
     * @param multiTenantSaslConfigEntry config entry of the authenticating principal; its
     *     {@code logicalClusterId} is what the check is evaluated against
     * @param str user name, used only in the failure message
     * @param optional value forwarded unchanged as the first argument of
     *     {@code TrafficNetworkIdAuthenticator.authenticate}
     *     (presumably the network id observed on the connection; confirm against callers)
     * @return whatever {@code TrafficNetworkIdAuthenticator.authenticate} returns
     */
    boolean verifyNetworkId(MultiTenantSaslConfigEntry multiTenantSaslConfigEntry, String str, Optional<String> optional) {
        TrafficNetworkIdAuthenticator networkIdAuthenticator = new TrafficNetworkIdAuthenticator(
            TrafficNetworkIdRoutesStore.getRoutes(brokerSessionUuid),
            networkIdValidationMode,
            failureReason -> {
                // NOTE(review): the user name is embedded in the failure text; confirm where
                // throwAuthException surfaces it (client-visible error vs. broker log only).
                throwAuthException(multiTenantSaslConfigEntry, str, failureReason + " for user name: " + str);
            });
        return networkIdAuthenticator.authenticate(optional, multiTenantSaslConfigEntry.logicalClusterId);
    }

    /**
     * Plugin authentication hook: delegates to {@link #verifyNetworkId}.
     *
     * <p>The boolean result is discarded here, so a rejection takes effect only through
     * the failure callback that {@code verifyNetworkId} installs.
     * NOTE(review): confirm that every enforcing validation mode invokes that callback
     * instead of merely returning {@code false}.
     */
    @Override
    protected void pluginAuthenticate(MultiTenantSaslConfigEntry multiTenantSaslConfigEntry, String str, Optional<String> optional) {
        this.verifyNetworkId(multiTenantSaslConfigEntry, str, optional);
    }

    /**
     * Returns the secrets provided by the configured secrets store.
     *
     * @return result of {@code secretsLoader.load()}
     */
    @Override
    protected MultiTenantSaslSecrets loadSecrets() {
        return secretsLoader.load();
    }
}
