package org.apache.kafka.common.security.authenticator;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.Principal;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.x500.X500Principal;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.errors.SerializationException;
import org.apache.kafka.common.message.DefaultPrincipalData;
import org.apache.kafka.common.protocol.ByteBufferAccessor;
import org.apache.kafka.common.protocol.MessageUtil;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.KafkaPrincipalSerde;
import org.apache.kafka.common.security.auth.PlaintextAuthenticationContext;
import org.apache.kafka.common.security.auth.SaslAuthenticationContext;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;
import org.apache.kafka.common.security.kerberos.KerberosName;
import org.apache.kafka.common.security.kerberos.KerberosShortNamer;
import org.apache.kafka.common.security.ssl.SslPrincipalMapper;

/* loaded from: input_file:BOOT-INF/lib/kafka-clients-3.8.1.jar:org/apache/kafka/common/security/authenticator/DefaultKafkaPrincipalBuilder.class */
public class DefaultKafkaPrincipalBuilder implements KafkaPrincipalBuilder, KafkaPrincipalSerde {
    private final KerberosShortNamer kerberosShortNamer;
    private final SslPrincipalMapper sslPrincipalMapper;

    public DefaultKafkaPrincipalBuilder(KerberosShortNamer kerberosShortNamer, SslPrincipalMapper sslPrincipalMapper) {
        this.kerberosShortNamer = kerberosShortNamer;
        this.sslPrincipalMapper = sslPrincipalMapper;
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalBuilder
    public KafkaPrincipal build(AuthenticationContext authenticationContext) {
        if (authenticationContext instanceof PlaintextAuthenticationContext) {
            return KafkaPrincipal.ANONYMOUS;
        }
        if (authenticationContext instanceof SslAuthenticationContext) {
            try {
                return applySslPrincipalMapper(((SslAuthenticationContext) authenticationContext).session().getPeerPrincipal());
            } catch (SSLPeerUnverifiedException e) {
                return KafkaPrincipal.ANONYMOUS;
            }
        }
        if (!(authenticationContext instanceof SaslAuthenticationContext)) {
            throw new IllegalArgumentException("Unhandled authentication context type: " + authenticationContext.getClass().getName());
        }
        SaslServer server = ((SaslAuthenticationContext) authenticationContext).server();
        return "GSSAPI".equals(server.getMechanismName()) ? applyKerberosShortNamer(server.getAuthorizationID()) : new KafkaPrincipal(KafkaPrincipal.USER_TYPE, server.getAuthorizationID());
    }

    private KafkaPrincipal applyKerberosShortNamer(String str) {
        KerberosName parse = KerberosName.parse(str);
        try {
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, this.kerberosShortNamer.shortName(parse));
        } catch (IOException e) {
            throw new KafkaException("Failed to set name for '" + parse + "' based on Kerberos authentication rules.", e);
        }
    }

    private KafkaPrincipal applySslPrincipalMapper(Principal principal) {
        try {
            return (!(principal instanceof X500Principal) || principal == KafkaPrincipal.ANONYMOUS) ? new KafkaPrincipal(KafkaPrincipal.USER_TYPE, principal.getName()) : new KafkaPrincipal(KafkaPrincipal.USER_TYPE, this.sslPrincipalMapper.getName(principal.getName()));
        } catch (IOException e) {
            throw new KafkaException("Failed to map name for '" + principal.getName() + "' based on SSL principal mapping rules.", e);
        }
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalSerde
    public byte[] serialize(KafkaPrincipal kafkaPrincipal) {
        return MessageUtil.toVersionPrefixedBytes((short) 0, new DefaultPrincipalData().setType(kafkaPrincipal.getPrincipalType()).setName(kafkaPrincipal.getName()).setTokenAuthenticated(kafkaPrincipal.tokenAuthenticated()));
    }

    @Override // org.apache.kafka.common.security.auth.KafkaPrincipalSerde
    public KafkaPrincipal deserialize(byte[] bArr) {
        ByteBuffer wrap = ByteBuffer.wrap(bArr);
        short s = wrap.getShort();
        if (s < 0 || s > 0) {
            throw new SerializationException("Invalid principal data version " + ((int) s));
        }
        DefaultPrincipalData defaultPrincipalData = new DefaultPrincipalData(new ByteBufferAccessor(wrap), s);
        return new KafkaPrincipal(defaultPrincipalData.type(), defaultPrincipalData.name(), defaultPrincipalData.tokenAuthenticated());
    }
}
