package io.confluent.kafka.multitenant;

import com.damnhandy.uri.template.UriTemplate;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.yammer.metrics.core.Meter;
import com.yammer.metrics.core.MetricName;
import io.confluent.kafka.common.multitenant.oauth.OAuthBearerJwsToken;
import io.confluent.kafka.common.multitenant.oauth.OauthMayActClaim;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.multitenant.utils.AuthUtils;
import io.confluent.kafka.server.plugins.auth.DefaultUserMetaDataStore;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.auth.mtls.CertIdentityPool;
import io.confluent.security.auth.mtls.CertIdentityPoolExternalIdentifier;
import io.confluent.security.auth.store.data.CaCertificatesKey;
import io.confluent.security.authentication.oauthbearer.JwtAuthenticationConfig;
import io.confluent.security.mtls.CertificateMetadata;
import io.confluent.security.trustservice.store.data.IdentityPool;
import java.nio.ByteBuffer;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.errors.SerializationException;
import org.apache.kafka.common.message.DefaultPrincipalData;
import org.apache.kafka.common.protocol.ByteBufferAccessor;
import org.apache.kafka.common.protocol.MessageUtil;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.IdentityMetadata;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.KafkaPrincipalSerde;
import org.apache.kafka.common.security.auth.PlaintextAuthenticationContext;
import org.apache.kafka.common.security.auth.SaslAuthenticationContext;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;
import org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer;
import org.apache.kafka.server.metrics.KafkaYammerMetrics;
import org.apache.kafka.server.multitenant.LogicalClusterMetadata;
import org.codehaus.plexus.util.LineOrientedInterpolatingReader;
import org.codehaus.plexus.util.SelectorUtils;
import org.jose4j.json.internal.json_simple.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/multitenant/MultiTenantPrincipalBuilder.class */
public class MultiTenantPrincipalBuilder implements KafkaPrincipalBuilder, KafkaPrincipalSerde, Configurable {
    private static final String CONFLUENT_ISSUER = "Confluent";
    private static final String OAUTH_NEGOTIATED_TOKEN_PROPERTY_KEY = "OAUTHBEARER.token";
    public static final String CCLOUD_INTERNAL_USER = "0";
    private static final String RESOURCE_ID_SERVICE_ACCOUNT_PREFIX = "sa-";
    private static final String ORG0_UUID = "00000000-0000-0000-0000-000000000000";
    private BasePhysicalClusterMetadata<?> physicalClusterMetadata;
    private DefaultUserMetaDataStore userMetaDataStore;
    private AuthStore store;
    private String brokerUuid;
    private String confluentSpireIssuerSuffix;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) MultiTenantPrincipalBuilder.class);
    public static final String METRIC_GROUP = "kafka.multitenant";
    private static final MetricName ORG_PROPS_METRIC_NAME = KafkaYammerMetrics.getMetricName(METRIC_GROUP, MultiTenantPrincipalBuilder.class.getSimpleName(), "org-props-missing-rate");
    private static final Meter ORG_PROPS_MISSING_METER = KafkaYammerMetrics.defaultRegistry().newMeter(ORG_PROPS_METRIC_NAME, "org-props-missing", TimeUnit.SECONDS);
    private static final Map<String, Meter> AUTHENTICATION_SUBTYPE_REQUEST_METER = new HashMap();
    private final DefaultKafkaPrincipalBuilder defaultKafkaPrincipalBuilder = new DefaultKafkaPrincipalBuilder(null, null);
    private final SpiffeIdPrincipalExtractor spiffeIdPrincipalExtractor = new SpiffeIdPrincipalExtractor();
    private boolean mTlsBuildClientCertChain = false;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/kafka/multitenant/MultiTenantPrincipalBuilder$AuthenticationSubtype.class */
    public enum AuthenticationSubtype {
        OAUTH,
        DPAT,
        FDPAT,
        AUPM
    }

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) {
        this.physicalClusterMetadata = BasePhysicalClusterMetadata.getInstance(AuthUtils.getBrokerSessionUuid(map));
        this.brokerUuid = AuthUtils.getBrokerSessionUuid(map);
        this.store = AuthStore.getInstance(this.brokerUuid);
        this.spiffeIdPrincipalExtractor.configure(map);
        this.confluentSpireIssuerSuffix = (String) map.get(JwtAuthenticationConfig.CONFLUENT_SPIRE_ISSUER_SUFFIX_PROP);
        if (this.confluentSpireIssuerSuffix == null || this.confluentSpireIssuerSuffix.isEmpty()) {
            this.confluentSpireIssuerSuffix = JwtAuthenticationConfig.CONFLUENT_SPIRE_ISSUER_SUFFIX;
        }
        this.mTlsBuildClientCertChain = ConfluentConfigs.getMTlsEnable(map) && ConfluentConfigs.getMTlsBuildClientCertChain(map);
    }

    private void initializeUserMetaDataStore() {
        if (this.userMetaDataStore == null) {
            this.userMetaDataStore = DefaultUserMetaDataStore.getInstance(this.brokerUuid);
        }
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalBuilder
    public KafkaPrincipal build(AuthenticationContext authenticationContext) {
        if (authenticationContext instanceof SaslAuthenticationContext) {
            return createKafkaPrincipalfromSaslContext((SaslAuthenticationContext) authenticationContext);
        }
        if (authenticationContext instanceof SslAuthenticationContext) {
            return createKafkaPrincipalfromSslContext((SslAuthenticationContext) authenticationContext);
        }
        if (authenticationContext instanceof PlaintextAuthenticationContext) {
            return createKafkaPrincipalPlain();
        }
        throw new IllegalArgumentException("Unhandled authentication context type: " + authenticationContext.getClass().getName());
    }

    private KafkaPrincipal createKafkaPrincipalPlain() {
        return KafkaPrincipal.ANONYMOUS;
    }

    private KafkaPrincipal createKafkaPrincipalfromSslContext(SslAuthenticationContext sslAuthenticationContext) {
        try {
            return new KafkaPrincipal("User", sslAuthenticationContext.session().getPeerPrincipal().getName());
        } catch (SSLPeerUnverifiedException e) {
            return KafkaPrincipal.ANONYMOUS;
        }
    }

    private KafkaPrincipal createKafkaPrincipalfromSaslContext(SaslAuthenticationContext saslAuthenticationContext) {
        SaslServer server = saslAuthenticationContext.server();
        if (server == null && saslAuthenticationContext.isMTlsSession()) {
            return createKafkaPrincipalForMTlsClient(saslAuthenticationContext);
        }
        String authorizationID = server.getAuthorizationID();
        if (server instanceof MultiTenantSaslServer) {
            MultiTenantSaslServer multiTenantSaslServer = (MultiTenantSaslServer) server;
            TenantMetadata tenantMetadata = multiTenantSaslServer.tenantMetadata();
            updateTenantMetadata(tenantMetadata.clusterId, tenantMetadata, authorizationID);
            return new MultiTenantPrincipal(authorizationID, multiTenantSaslServer.authenticationId(), multiTenantSaslServer.networkId(), tenantMetadata, new IdentityMetadata((String) null, "Confluent", tenantMetadata.userResourceId, (String) null, (String) null, (List) null));
        }
        if (!(server instanceof OAuthBearerSaslServer)) {
            return new KafkaPrincipal("User", authorizationID);
        }
        OAuthBearerSaslServer oAuthBearerSaslServer = (OAuthBearerSaslServer) server;
        OAuthBearerJwsToken oAuthBearerJwsToken = (OAuthBearerJwsToken) oAuthBearerSaslServer.getNegotiatedProperty(OAUTH_NEGOTIATED_TOKEN_PROPERTY_KEY);
        String str = (String) oAuthBearerSaslServer.getNegotiatedProperty(OAuthBearerJwsToken.OAUTH_NEGOTIATED_LOGICAL_CLUSTER_PROPERTY_KEY);
        String str2 = (String) oAuthBearerSaslServer.getNegotiatedProperty("identityPoolId-azp");
        String str3 = (String) oAuthBearerSaslServer.getNegotiatedProperty("identityPoolId-sub");
        String str4 = (String) oAuthBearerSaslServer.getNegotiatedProperty("identityPoolId");
        if ((str2 == null) ^ (str3 == null)) {
            throw new IllegalArgumentException("Unhandled identity pool context: authorizedPartyClaim = " + str2 + ", subjectClaim = " + str3);
        }
        TenantMetadata build = new TenantMetadata.Builder(str, str3 == null ? userResourceId(oAuthBearerJwsToken) : str3).serviceAccount(str3 != null || isServiceAccount(oAuthBearerJwsToken)).apiKeyAuthenticated(false).build();
        IdentityMetadata.Builder builder = new IdentityMetadata.Builder();
        builder.poolId(str4);
        List<String> authorizationIdsBasedOnIssuer = authorizationIdsBasedOnIssuer(oAuthBearerJwsToken, builder);
        if (authorizationIdsBasedOnIssuer.size() == 0) {
            authorizationIdsBasedOnIssuer = Collections.singletonList(build.userResourceId);
        }
        String authIdBasedOnIssuer = authIdBasedOnIssuer(oAuthBearerJwsToken, str3, authorizationIdsBasedOnIssuer);
        if (str4 != null) {
            IdentityPool identityPool = this.store.trustCache().identityPool(str4);
            builder.providerId((identityPool.providerId() == null || !identityPool.providerId().isEmpty()) ? identityPool.providerId() : null);
            builder.identity(str2);
            authorizationIdsBasedOnIssuer = Collections.singletonList(str4);
        }
        builder.externalIdentityId(oauthClaim(oAuthBearerJwsToken, OAuthBearerJwsToken.OAUTH_EXTERNAL_IDENTITY_ID));
        builder.issuer(oAuthBearerJwsToken.issuer());
        Object obj = oAuthBearerJwsToken.jwtClaims().get("aud");
        if (obj instanceof String) {
            builder.audience(Collections.singletonList(obj.toString()));
        } else if (obj instanceof List) {
            builder.audience((List) ((List) obj).stream().map(obj2 -> {
                return Objects.toString(obj2, null);
            }).collect(Collectors.toList()));
        }
        IdentityMetadata build2 = builder.build();
        updateTenantMetadata(str, build, authIdBasedOnIssuer);
        recordAuthenticationSubtypeMetric(authorizationIdsBasedOnIssuer, oAuthBearerJwsToken.principalName(), oAuthBearerJwsToken.issuer());
        return new MultiTenantPrincipal(authIdBasedOnIssuer, str2 == null ? oAuthBearerJwsToken.principalName() : str2, oAuthBearerSaslServer.networkId(), build, build2, authorizationIdsBasedOnIssuer);
    }

    private KafkaPrincipal createKafkaPrincipalForMTlsClient(SaslAuthenticationContext saslAuthenticationContext) {
        if (!saslAuthenticationContext.sslSession().isPresent()) {
            throw new IllegalArgumentException("SSL session is required to build a principal for mTLS authenticated client");
        }
        LogicalClusterMetadata tenantMetadataForDedicatedCluster = getTenantMetadataForDedicatedCluster();
        if (tenantMetadataForDedicatedCluster == null) {
            throw new IllegalStateException("Building principal for mTLS authenticated clients on multi-tenant clusters is not supported");
        }
        String organizationId = tenantMetadataForDedicatedCluster.organizationId();
        TenantMetadata build = new TenantMetadata.Builder(tenantMetadataForDedicatedCluster.logicalClusterId(), (String) null).organizationId(tenantMetadataForDedicatedCluster.organizationId()).environmentId(tenantMetadataForDedicatedCluster.environmentId()).serviceAccount(false).apiKeyAuthenticated(false).healthcheckTenant(tenantMetadataForDedicatedCluster.isHealthcheckLogicalCluster()).build();
        try {
            Certificate[] peerCertificates = saslAuthenticationContext.sslSession().get().getPeerCertificates();
            X509Certificate x509Certificate = (X509Certificate) peerCertificates[0];
            if (this.mTlsBuildClientCertChain && !this.store.authCache().isCompleteCertChain(peerCertificates, organizationId)) {
                log.warn("{} is incomplete, attempting to build full chain from AuthCache", certChainToString(peerCertificates));
                peerCertificates = this.store.authCache().getCertChain(peerCertificates, organizationId);
            }
            CertificateMetadata certificateMetadata = new CertificateMetadata(x509Certificate);
            Collection<CaCertificatesKey> findCertIdentityProviders = this.store.authCache().findCertIdentityProviders(peerCertificates, organizationId);
            if (findCertIdentityProviders == null || findCertIdentityProviders.size() != 1) {
                throw new AuthenticationException(String.format("Must be only one matching identity provider found when building principal for mTLS authenticated client of orgId %s, found %s, %s", organizationId, findCertIdentityProviders, certChainToString(peerCertificates)));
            }
            String providerId = findCertIdentityProviders.iterator().next().providerId();
            if (this.store.authCache().isRevoked(peerCertificates, organizationId, providerId)) {
                throw new AuthenticationException(String.format("Either the client certificate or some certificate on the certification path is found to be revoked.Cannot build a principal for client of orgId %s and providerId %s", organizationId, providerId));
            }
            Collection<CertIdentityPool> findCertIdentityPools = this.store.authCache().findCertIdentityPools(certificateMetadata.getCelVars(), organizationId, providerId);
            if (findCertIdentityPools.isEmpty()) {
                throw new AuthenticationException(String.format("No matching identity pools found when building principal for mTLS authenticated client of orgId %s and providerId %s", organizationId, providerId));
            }
            return new MultiTenantPrincipal(externalIdBasedOnSSLCert(certificateMetadata, CertIdentityPoolExternalIdentifier.findExternalIdentifierFromIdentityPools(findCertIdentityPools)), MultiTenantPrincipal.mTlsAuthenticationId(organizationId, providerId, certificateMetadata.getIssuerDn(), certificateMetadata.getSnid()), Optional.empty(), build, (IdentityMetadata) null, (List) findCertIdentityPools.stream().map((v0) -> {
                return v0.poolId();
            }).collect(Collectors.toList()));
        } catch (IndexOutOfBoundsException | SSLPeerUnverifiedException e) {
            throw new IllegalArgumentException("Attempt to build MultiTenantPrincipal for unauthenticated SSL peer when mTLS is enabled");
        }
    }

    private static String certChainToString(Certificate[] certificateArr) {
        StringBuilder sb = new StringBuilder();
        sb.append("Certificate chain = [");
        for (Certificate certificate : certificateArr) {
            sb.append(certToString(certificate)).append(";");
        }
        sb.append(SelectorUtils.PATTERN_HANDLER_SUFFIX);
        return sb.toString();
    }

    private static String certToString(Certificate certificate) {
        StringBuilder sb = new StringBuilder();
        sb.append("{");
        try {
            if (certificate instanceof X509Certificate) {
                X509Certificate x509Certificate = (X509Certificate) certificate;
                sb.append("subjectDN=").append(x509Certificate.getSubjectX500Principal().getName()).append(UriTemplate.DEFAULT_SEPARATOR);
                sb.append("issuerDN=").append(x509Certificate.getIssuerX500Principal().getName()).append(UriTemplate.DEFAULT_SEPARATOR);
                sb.append("serialNumber=").append(x509Certificate.getSerialNumber().toString(16)).append(UriTemplate.DEFAULT_SEPARATOR);
                sb.append("notBefore=").append(x509Certificate.getNotBefore()).append(UriTemplate.DEFAULT_SEPARATOR);
                sb.append("notAfter=").append(x509Certificate.getNotAfter());
            } else if (certificate == null) {
                sb.append("isNull=true");
            } else {
                sb.append("type=").append(certificate.getType());
            }
        } catch (Exception e) {
            sb.append("error=").append(e.getMessage());
        }
        sb.append(LineOrientedInterpolatingReader.DEFAULT_END_DELIM);
        return sb.toString();
    }

    private String authIdBasedOnIssuer(OAuthBearerJwsToken oAuthBearerJwsToken, String str, List<String> list) {
        Optional<String> empty = Optional.empty();
        initializeUserMetaDataStore();
        if (oAuthBearerJwsToken.issuer() != null && oAuthBearerJwsToken.issuer().equals("Confluent") && this.userMetaDataStore != null) {
            for (String str2 : list) {
                if (str2.startsWith("u-") || str2.startsWith(RESOURCE_ID_SERVICE_ACCOUNT_PREFIX)) {
                    empty = this.userMetaDataStore.userResourceIdToUserId(str2);
                    if (!empty.isPresent()) {
                        log.warn("Missing userIntegerId for userResourceId: {} present in token", str2);
                    }
                }
            }
        }
        if (!empty.isPresent()) {
            empty = Optional.of(str == null ? oAuthBearerJwsToken.principalName() : str);
        }
        return empty.get();
    }

    private List<String> authorizationIdsBasedOnIssuer(OAuthBearerJwsToken oAuthBearerJwsToken, IdentityMetadata.Builder builder) {
        if (oAuthBearerJwsToken.issuer() == null || !oAuthBearerJwsToken.issuer().equals("Confluent")) {
            return (oAuthBearerJwsToken.issuer() == null || !oAuthBearerJwsToken.issuer().contains(this.confluentSpireIssuerSuffix)) ? Collections.emptyList() : this.spiffeIdPrincipalExtractor.extractPrincipals(oAuthBearerJwsToken.principalName());
        }
        builder.providerId("Confluent");
        builder.identity(userResourceId(oAuthBearerJwsToken));
        return authorizationIds(oAuthBearerJwsToken);
    }

    private List<String> authorizationIds(OAuthBearerJwsToken oAuthBearerJwsToken) {
        if (!oAuthBearerJwsToken.jwtClaims().containsKey(OAuthBearerJwsToken.OAUTH_MAY_ACT_CLAIM)) {
            return Arrays.asList(userResourceId(oAuthBearerJwsToken));
        }
        try {
            return ((OauthMayActClaim) new ObjectMapper().readValue(new JSONObject((Map) oAuthBearerJwsToken.jwtClaims().get(OAuthBearerJwsToken.OAUTH_MAY_ACT_CLAIM)).toJSONString(), OauthMayActClaim.class)).principals();
        } catch (JsonProcessingException e) {
            log.error("Unable to parse the may_act claim");
            throw new IllegalArgumentException("Unable to parse the may_act claim");
        }
    }

    static String externalIdBasedOnSSLCert(CertificateMetadata certificateMetadata, CertIdentityPoolExternalIdentifier certIdentityPoolExternalIdentifier) {
        String dn = certificateMetadata.getDn();
        String cn = certificateMetadata.getCn();
        String snid = certificateMetadata.getSnid();
        String truncate = truncate(certificateMetadata.getSan(), 255);
        String str = dn;
        switch (certIdentityPoolExternalIdentifier) {
            case CN:
                str = cn;
                break;
            case DN:
                str = dn;
                break;
            case SNID:
                str = snid;
                break;
            case CN_SNID:
                str = String.format("%s, %s", cn, snid);
                break;
            case SAN:
                str = truncate;
                break;
            case SAN_SNID:
                str = String.format("%s, %s", truncate, snid);
                break;
            case SHA1:
                str = certificateMetadata.getSha1();
                break;
            default:
                log.warn("Unknown external identifier claim {} found while building multi-tenant principal for mTLS client, defaulting to DN", certIdentityPoolExternalIdentifier);
                break;
        }
        return str;
    }

    protected void recordAuthenticationSubtypeMetric(List<String> list, String str, String str2) {
        if (str2 == null || !str2.equals("Confluent")) {
            AUTHENTICATION_SUBTYPE_REQUEST_METER.get(AuthenticationSubtype.OAUTH.name()).mark();
            return;
        }
        if (str.contains("pool")) {
            AUTHENTICATION_SUBTYPE_REQUEST_METER.get(AuthenticationSubtype.FDPAT.name()).mark();
        } else if (list.size() > 1) {
            AUTHENTICATION_SUBTYPE_REQUEST_METER.get(AuthenticationSubtype.AUPM.name()).mark();
        } else {
            AUTHENTICATION_SUBTYPE_REQUEST_METER.get(AuthenticationSubtype.DPAT.name()).mark();
        }
    }

    /* JADX WARN: Type inference failed for: r0v5, types: [org.apache.kafka.server.multitenant.LogicalClusterMetadata] */
    private void updateTenantMetadata(String str, TenantMetadata tenantMetadata, String str2) {
        boolean z = false;
        if (this.physicalClusterMetadata == null) {
            tenantMetadata.isHealthcheckTenant = false;
        } else {
            ?? metadata = this.physicalClusterMetadata.metadata(str);
            z = metadata != 0;
            tenantMetadata.isHealthcheckTenant = z && metadata.isHealthcheckLogicalCluster();
            if (z && metadata.organizationId() != null && metadata.environmentId() != null) {
                tenantMetadata.updateOrgProperties(metadata.organizationId(), metadata.environmentId());
            } else if (z) {
                ORG_PROPS_MISSING_METER.mark();
                log.warn("Org Properties is missing for user {}, userResourceId {} and clusterId {}", str2, tenantMetadata.userResourceId, str);
            }
        }
        if (z) {
            return;
        }
        ORG_PROPS_MISSING_METER.mark();
        log.warn("LKC Metadata is unavailable due to " + (this.physicalClusterMetadata == null ? "physicalClusterMetadata=null" : "no metadata for cluster " + str));
    }

    private LogicalClusterMetadata getTenantMetadataForDedicatedCluster() {
        List list = (List) this.physicalClusterMetadata.kafkaLogicalClusterIds().stream().map(str -> {
            return this.physicalClusterMetadata.metadata(str);
        }).filter(logicalClusterMetadata -> {
            return logicalClusterMetadata.isActive() && !ORG0_UUID.equals(logicalClusterMetadata.organizationId());
        }).collect(Collectors.toList());
        if (list.size() == 1) {
            return (LogicalClusterMetadata) list.get(0);
        }
        return null;
    }

    private boolean isServiceAccount(OAuthBearerJwsToken oAuthBearerJwsToken) {
        String userResourceId = userResourceId(oAuthBearerJwsToken);
        return userResourceId != null && userResourceId.startsWith(RESOURCE_ID_SERVICE_ACCOUNT_PREFIX);
    }

    public String userResourceId(OAuthBearerJwsToken oAuthBearerJwsToken) {
        return oauthClaim(oAuthBearerJwsToken, "userResourceId");
    }

    public String oauthClaim(OAuthBearerJwsToken oAuthBearerJwsToken, String str) {
        Object obj = oAuthBearerJwsToken.jwtClaims().get(str);
        if (obj != null) {
            return obj.toString();
        }
        return null;
    }

    private static String truncate(String str, int i) {
        return str.substring(0, Math.min(str.length(), i));
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalSerde
    public byte[] serialize(KafkaPrincipal kafkaPrincipal) throws SerializationException {
        if (!(kafkaPrincipal instanceof MultiTenantPrincipal)) {
            return this.defaultKafkaPrincipalBuilder.serialize(kafkaPrincipal);
        }
        DefaultPrincipalData defaultPrincipalData = new DefaultPrincipalData();
        MultiTenantPrincipal multiTenantPrincipal = (MultiTenantPrincipal) kafkaPrincipal;
        TenantMetadata tenantMetadata = multiTenantPrincipal.tenantMetadata();
        Optional maybeGetIdentityMetadata = multiTenantPrincipal.maybeGetIdentityMetadata();
        defaultPrincipalData.setType(multiTenantPrincipal.getPrincipalType()).setName(multiTenantPrincipal.getName().substring(tenantMetadata.tenantName.length() + "_".length())).setSaslAuthenticationId(multiTenantPrincipal.authenticationId()).setTenantName(tenantMetadata.tenantName).setClusterId(tenantMetadata.clusterId).setOrganizationId(tenantMetadata.organizationId).setEnvironmentId(tenantMetadata.environmentId).setServiceAccount(tenantMetadata.isServiceAccount).setApiKeyAuthenticated(tenantMetadata.isApiKeyAuthenticated).setHealthcheckTenant(tenantMetadata.isHealthcheckTenant).setUserResourceId(tenantMetadata.userResourceId).setIdentity((String) maybeGetIdentityMetadata.map((v0) -> {
            return v0.identity();
        }).orElse(null)).setPoolId((String) maybeGetIdentityMetadata.map((v0) -> {
            return v0.poolId();
        }).orElse(null)).setProviderId((String) maybeGetIdentityMetadata.map((v0) -> {
            return v0.providerId();
        }).orElse(null)).setAuthorizationIds(multiTenantPrincipal.authorizationIds()).setExternalIdentityId((String) maybeGetIdentityMetadata.map((v0) -> {
            return v0.externalIdentityId();
        }).orElse(null)).setIssuer((String) maybeGetIdentityMetadata.map((v0) -> {
            return v0.issuer();
        }).orElse(null)).setAudience((List) maybeGetIdentityMetadata.map((v0) -> {
            return v0.audience();
        }).orElse(null));
        return MessageUtil.toVersionPrefixedBytes((short) 0, defaultPrincipalData);
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalSerde
    public KafkaPrincipal deserialize(byte[] bArr) throws SerializationException {
        ByteBuffer wrap = ByteBuffer.wrap(bArr);
        short s = wrap.getShort();
        if (s < 0 || s > 0) {
            throw new SerializationException("Invalid principal data version " + ((int) s));
        }
        try {
            DefaultPrincipalData defaultPrincipalData = new DefaultPrincipalData(new ByteBufferAccessor(wrap), s);
            if (wrap.hasRemaining()) {
                throw new SerializationException("Failed to deserialize principal: " + wrap.remaining() + " bytes remaining after parsing");
            }
            String type = defaultPrincipalData.type();
            if (type.equals("User")) {
                return this.defaultKafkaPrincipalBuilder.deserialize(bArr);
            }
            if (!type.equals("TenantUser")) {
                throw new SerializationException(String.format("Invalid principal type '%s', expected '%s' or '%s'", type, "User", "TenantUser"));
            }
            String tenantName = defaultPrincipalData.tenantName();
            String name = defaultPrincipalData.name();
            return (defaultPrincipalData.authorizationIds() == null || defaultPrincipalData.authorizationIds().isEmpty()) ? new MultiTenantPrincipal(name, defaultPrincipalData.saslAuthenticationId(), Optional.empty(), new TenantMetadata(tenantName, defaultPrincipalData.clusterId(), defaultPrincipalData.organizationId(), defaultPrincipalData.environmentId(), defaultPrincipalData.userResourceId(), defaultPrincipalData.serviceAccount(), defaultPrincipalData.apiKeyAuthenticated(), defaultPrincipalData.healthcheckTenant()), new IdentityMetadata(defaultPrincipalData.poolId(), defaultPrincipalData.providerId(), defaultPrincipalData.identity(), defaultPrincipalData.externalIdentityId(), defaultPrincipalData.issuer(), defaultPrincipalData.audience())) : new MultiTenantPrincipal(name, defaultPrincipalData.saslAuthenticationId(), Optional.empty(), new TenantMetadata(tenantName, defaultPrincipalData.clusterId(), defaultPrincipalData.organizationId(), defaultPrincipalData.environmentId(), defaultPrincipalData.userResourceId(), defaultPrincipalData.serviceAccount(), defaultPrincipalData.apiKeyAuthenticated(), defaultPrincipalData.healthcheckTenant()), new IdentityMetadata(defaultPrincipalData.poolId(), defaultPrincipalData.providerId(), defaultPrincipalData.identity(), defaultPrincipalData.externalIdentityId(), defaultPrincipalData.issuer(), defaultPrincipalData.audience()), defaultPrincipalData.authorizationIds());
        } catch (Throwable th) {
            throw new SerializationException("Failed to deserialize principal", th);
        }
    }

    static {
        for (AuthenticationSubtype authenticationSubtype : AuthenticationSubtype.values()) {
            LinkedHashMap linkedHashMap = new LinkedHashMap();
            linkedHashMap.put("subtype", authenticationSubtype.name());
            AUTHENTICATION_SUBTYPE_REQUEST_METER.put(authenticationSubtype.name(), KafkaYammerMetrics.defaultRegistry().newMeter(KafkaYammerMetrics.getMetricName(METRIC_GROUP, MultiTenantPrincipalBuilder.class.getSimpleName(), "authentication-subtype-rate", linkedHashMap), "authentication-subtype", TimeUnit.SECONDS));
        }
    }
}
