package io.confluent.kafka.clients.plugins.auth.token;

import io.confluent.security.auth.client.RestClientConfig;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;

/* loaded from: input_file:io/confluent/kafka/clients/plugins/auth/token/AbstractTokenLoginCallbackHandler.class */
public abstract class AbstractTokenLoginCallbackHandler implements AuthenticateCallbackHandler {
    private boolean configured = false;
    static final String LOGIN_SERVER_OPTION = "metadataServerUrls";
    static final String TOKEN_OPTION = "authenticationToken";
    static final String USER_OPTION = "username";
    static final String PASSWORD_OPTION = "password";

    public abstract void configure(Map<String, ?> map);

    abstract void attachAuthToken(OAuthBearerTokenCallback oAuthBearerTokenCallback);

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        Map<String, String> jaasConfigDef = jaasConfigDef(str, list);
        String orDefault = jaasConfigDef.getOrDefault(LOGIN_SERVER_OPTION, "");
        String orDefault2 = jaasConfigDef.getOrDefault(TOKEN_OPTION, "");
        String orDefault3 = jaasConfigDef.getOrDefault("username", "");
        String orDefault4 = jaasConfigDef.getOrDefault("password", "");
        validateHaveCredentials(orDefault3, orDefault4, orDefault2);
        if (orDefault == null || orDefault.isEmpty()) {
            throw new ConfigException(String.format("Missing required configuration %s which has no default value.", LOGIN_SERVER_OPTION));
        }
        HashMap hashMap = new HashMap(map);
        hashMap.put(LOGIN_SERVER_OPTION, orDefault);
        hashMap.put("username", orDefault3);
        hashMap.put("password", orDefault4);
        hashMap.put(TOKEN_OPTION, orDefault2);
        hashMap.put(RestClientConfig.BOOTSTRAP_METADATA_SERVER_URLS_PROP, orDefault);
        configure(hashMap);
        this.configured = true;
    }

    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (!this.configured) {
            throw new IllegalStateException("Callback handler not configured");
        }
        for (Callback callback : callbackArr) {
            if (!(callback instanceof OAuthBearerTokenCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            try {
                attachAuthToken((OAuthBearerTokenCallback) callback);
            } catch (KafkaException e) {
                throw new IOException(e.getMessage(), e);
            }
        }
    }

    @Override // org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
    public void close() {
    }

    private Map<String, String> jaasConfigDef(String str, List<AppConfigurationEntry> list) {
        JaasOptionsUtils.validateOAuthMechanismAndNonNullJaasConfig(str, list);
        return Collections.unmodifiableMap(list.get(0).getOptions());
    }

    private void validateHaveCredentials(String str, String str2, String str3) throws ConfigException {
        if (str.isEmpty() && str3.isEmpty()) {
            throw new ConfigException("Must supply either a user or token credentials");
        }
        if (!str.isEmpty() && str2.isEmpty()) {
            throw new ConfigException("Option username specified with an empty password");
        }
    }
}
