package com.azure.spring.cloud.service.implementation.kafka;

import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.spring.cloud.core.credential.AzureCredentialResolver;
import com.azure.spring.cloud.core.implementation.credential.resolver.AzureTokenCredentialResolver;
import com.azure.spring.cloud.core.implementation.factory.credential.DefaultAzureCredentialBuilderFactory;
import com.azure.spring.cloud.core.properties.AzureProperties;
import com.azure.spring.cloud.service.implementation.passwordless.AzurePasswordlessProperties;
import java.net.URI;
import java.time.Duration;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import reactor.core.publisher.Mono;

/* loaded from: input_file:com/azure/spring/cloud/service/implementation/kafka/KafkaOAuth2AuthenticateCallbackHandler.class */
public class KafkaOAuth2AuthenticateCallbackHandler implements AuthenticateCallbackHandler {
    private static final Duration ACCESS_TOKEN_REQUEST_BLOCK_TIME = Duration.ofSeconds(30);
    private static final String TOKEN_AUDIENCE_FORMAT = "%s://%s/.default";
    private final AzurePasswordlessProperties properties;
    private final AzureCredentialResolver<TokenCredential> externalTokenCredentialResolver;
    private AzureCredentialResolver<TokenCredential> tokenCredentialResolver;
    private Function<TokenCredential, Mono<AzureOAuthBearerToken>> resolveToken;

    /* loaded from: input_file:com/azure/spring/cloud/service/implementation/kafka/KafkaOAuth2AuthenticateCallbackHandler$InternalCredentialResolver.class */
    private static class InternalCredentialResolver implements AzureCredentialResolver<TokenCredential> {
        private final AzureCredentialResolver<TokenCredential> delegated;
        private final Map<String, ?> configs;
        private TokenCredential credential;

        InternalCredentialResolver(AzureCredentialResolver<TokenCredential> azureCredentialResolver, Map<String, ?> map) {
            this.delegated = azureCredentialResolver;
            this.configs = map;
        }

        /* renamed from: resolve, reason: merged with bridge method [inline-methods] */
        public TokenCredential m15resolve(AzureProperties azureProperties) {
            if (this.credential == null) {
                this.credential = (TokenCredential) this.configs.get(AzureKafkaPropertiesUtils.AZURE_TOKEN_CREDENTIAL);
                if (this.credential == null) {
                    this.credential = (TokenCredential) this.delegated.resolve(azureProperties);
                    if (this.credential == null) {
                        this.credential = ((DefaultAzureCredentialBuilder) new DefaultAzureCredentialBuilderFactory(azureProperties).build()).build();
                    }
                }
            }
            return this.credential;
        }

        public boolean isResolvable(AzureProperties azureProperties) {
            return true;
        }
    }

    public KafkaOAuth2AuthenticateCallbackHandler() {
        this(null, null);
    }

    public KafkaOAuth2AuthenticateCallbackHandler(AzurePasswordlessProperties azurePasswordlessProperties, AzureCredentialResolver<TokenCredential> azureCredentialResolver) {
        this.properties = azurePasswordlessProperties == null ? new AzurePasswordlessProperties() : azurePasswordlessProperties;
        this.externalTokenCredentialResolver = azureCredentialResolver == null ? new AzureTokenCredentialResolver<>() : azureCredentialResolver;
    }

    public void configure(Map<String, ?> map, String str, List<AppConfigurationEntry> list) {
        if (map.get("sasl.jaas.config") instanceof Password) {
            AzureKafkaPropertiesUtils.copyJaasPropertyToAzureProperties(((Password) map.get("sasl.jaas.config")).value(), this.properties);
        }
        TokenRequestContext buildTokenRequestContext = buildTokenRequestContext(map);
        this.resolveToken = tokenCredential -> {
            return tokenCredential.getToken(buildTokenRequestContext).map(AzureOAuthBearerToken::new);
        };
        this.tokenCredentialResolver = new InternalCredentialResolver(this.externalTokenCredentialResolver, map);
    }

    private TokenRequestContext buildTokenRequestContext(Map<String, ?> map) {
        String buildTokenAudience = buildTokenAudience(buildEventHubsServerUri(map));
        TokenRequestContext tokenRequestContext = new TokenRequestContext();
        tokenRequestContext.addScopes(new String[]{buildTokenAudience});
        tokenRequestContext.setTenantId(this.properties.m29getProfile().getTenantId());
        return tokenRequestContext;
    }

    private URI buildEventHubsServerUri(Map<String, ?> map) {
        List list = (List) map.get("bootstrap.servers");
        if (list == null || list.size() != 1) {
            throw new IllegalArgumentException("Invalid bootstrap servers configured for Azure Event Hubs for Kafka! Must supply exactly 1 non-null bootstrap server configuration, with the format as {YOUR.EVENTHUBS.FQDN}:9093.");
        }
        String str = (String) list.get(0);
        if (str == null || !str.endsWith(":9093")) {
            throw new IllegalArgumentException("Invalid bootstrap server configured for Azure Event Hubs for Kafka! The format should be {YOUR.EVENTHUBS.FQDN}:9093.");
        }
        return URI.create("https://" + str);
    }

    private String buildTokenAudience(URI uri) {
        return String.format(TOKEN_AUDIENCE_FORMAT, uri.getScheme(), uri.getHost());
    }

    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        for (Callback callback : callbackArr) {
            if (!(callback instanceof OAuthBearerTokenCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            OAuthBearerTokenCallback oAuthBearerTokenCallback = (OAuthBearerTokenCallback) callback;
            Mono<AzureOAuthBearerToken> apply = this.resolveToken.apply((TokenCredential) this.tokenCredentialResolver.resolve(this.properties));
            Objects.requireNonNull(oAuthBearerTokenCallback);
            apply.doOnNext((v1) -> {
                r1.token(v1);
            }).doOnError(th -> {
                oAuthBearerTokenCallback.error("invalid_grant", th.getMessage(), (String) null);
            }).block(ACCESS_TOKEN_REQUEST_BLOCK_TIME);
        }
    }

    public void close() {
    }
}
