package com.opencore.kafka;

import java.lang.reflect.InvocationTargetException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.GroupMappingServiceProvider;
import org.apache.hadoop.security.ShellBasedUnixGroupsMapping;
import org.apache.kafka.common.Configurable;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.SaslAuthenticationContext;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;
import org.apache.kafka.common.security.authenticator.DefaultKafkaPrincipalBuilder;
import org.apache.kafka.common.security.kerberos.KerberosShortNamer;
import org.apache.kafka.common.utils.Java;
import org.apache.kafka.common.utils.Utils;

/* loaded from: input_file:com/opencore/kafka/HadoopGroupMappingPrincipalBuilder.class */
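/**
 * Kafka principal builder that delegates to {@link DefaultKafkaPrincipalBuilder} for the base
 * principal and then attaches the user's groups, resolved through a Hadoop
 * {@link GroupMappingServiceProvider}, as additional {@code Group} principals.
 *
 * <p>Configuration is read in {@link #configure(Map)}:
 * <ul>
 *   <li>{@code principal.builder.options} - optional map of options for this builder;</li>
 *   <li>{@code mapper.implementation} (inside the options map) - class name of the group mapper;
 *       when absent, {@link ShellBasedUnixGroupsMapping} is used;</li>
 *   <li>{@code sasl.kerberos.principal.to.local.rules} - rules handed to
 *       {@link KerberosShortNamer}.</li>
 * </ul>
 *
 * <p>Security note: group resolution is best-effort. When the lookup fails, the principal carries
 * only the {@code User} entry, so ACLs that rely on group membership (including group-based DENY
 * rules) will not match for that connection. Operators should alert on the warning logged by
 * {@link #getGroups(String)}.
 */
public class HadoopGroupMappingPrincipalBuilder implements KafkaPrincipalBuilder, Configurable {
    private static final String OPTIONS_KEY = "principal.builder.options";
    private static final String MAPPER_KEY = "mapper.implementation";
    private static final String PRINCIPAL_TO_LOCAL_RULES_KEY = "sasl.kerberos.principal.to.local.rules";

    private Logger principalLogger;
    private GroupMappingServiceProvider groupMapper;
    private DefaultKafkaPrincipalBuilder principalBuilder;
    // RDN type whose value is used as the user name for TLS client certificates.
    private String certificateUserField = "CN";

    /**
     * Builds the principal for an authenticated connection and attaches its group principals.
     *
     * <p>Groups are resolved only for SASL and SSL contexts; for any other context type the
     * returned principal's {@code allPrincipals} is left as the wrapper created it.
     *
     * @param authenticationContext context supplied by the broker for the connection
     * @return a {@code ComplexKafkaPrincipal} wrapping the default builder's principal
     */
    @Override
    public KafkaPrincipal build(AuthenticationContext authenticationContext) {
        ComplexKafkaPrincipal principal =
                new ComplexKafkaPrincipal(this.principalBuilder.build(authenticationContext));
        if (authenticationContext instanceof SaslAuthenticationContext) {
            principal.allPrincipals = getGroups(principal.getName());
        } else if (authenticationContext instanceof SslAuthenticationContext) {
            // For TLS the principal name is treated as a distinguished name; groups are looked up
            // for the configured RDN value (CN by default), not for the whole name.
            principal.allPrincipals = getGroups(getUserFromCertificate(principal.getName()));
        }
        return principal;
    }

    /**
     * Returns the {@code User} principal for {@code str} followed by one {@code Group} principal
     * per group reported by the configured mapper.
     *
     * <p>Any exception from the mapper is logged and swallowed on purpose: authorization then
     * proceeds on the user name alone. This keeps authentication working when the group backend
     * is down, but it also means group-based rules silently stop applying.
     *
     * @param str user name to resolve
     * @return the principals collected before any failure; never {@code null}
     */
    private List<KafkaPrincipal> getGroups(String str) {
        List<KafkaPrincipal> principals = new ArrayList<>();
        try {
            principals.add(new KafkaPrincipal("User", str));
            // NOTE(review): the user name comes from the peer's credentials and is written to the
            // log unmodified; confirm the log pipeline neutralises control characters.
            this.principalLogger.fine("Resolving groups for user: " + str);
            List<String> groups = this.groupMapper.getGroups(str);
            this.principalLogger.fine("Got list of groups for user " + str + ": " + Utils.join(groups, ", "));
            for (String group : groups) {
                principals.add(new KafkaPrincipal("Group", group));
            }
        } catch (Exception e) {
            // Deliberately broad: a failing group backend must not break authentication.
            this.principalLogger.warning("Groups for user " + str + " could not be resolved, proceeding with authorization based on username only: " + e.getMessage());
        }
        return principals;
    }

    /**
     * Extracts the user name from a distinguished name.
     *
     * <p>The value of the RDN whose type equals {@code certificateUserField} (case-insensitive) is
     * returned. If several RDNs match, the last one visited wins. If none matches, or the input
     * cannot be parsed as a DN, the input is returned unchanged and is then used as-is for the
     * group lookup.
     *
     * @param str distinguished name taken from the authenticated principal
     * @return the extracted user name, or {@code str} when nothing could be extracted
     */
    private String getUserFromCertificate(String str) {
        String user = str;
        try {
            for (Rdn rdn : new LdapName(str).getRdns()) {
                if (rdn.getType().equalsIgnoreCase(this.certificateUserField)) {
                    user = rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            this.principalLogger.warning("Error extracting username from String " + str + ": " + e.getMessage());
        }
        return user;
    }

    /**
     * Reads the builder options, instantiates the group mapper and creates the delegate
     * principal builder.
     *
     * @param map broker configuration
     * @throws ConfigException if the options entry is not a map, or the mapper class cannot be
     *     found or does not implement {@link GroupMappingServiceProvider}
     */
    @Override
    public void configure(Map<String, ?> map) {
        this.principalLogger = Logger.getLogger("kafka.authorizer.logger");
        Map<String, ?> options = readOptions(map);
        if (options.containsKey(MAPPER_KEY)) {
            this.groupMapper = createGroupMapper(options);
        } else {
            this.groupMapper = new ShellBasedUnixGroupsMapping();
        }
        this.principalBuilder = new DefaultKafkaPrincipalBuilder(getKerberosShortNamer(map));
    }

    /** Returns the {@code principal.builder.options} map, or an empty map when it is not set. */
    @SuppressWarnings("unchecked")
    private static Map<String, ?> readOptions(Map<String, ?> map) {
        Object raw = map.get(OPTIONS_KEY);
        if (raw == null) {
            return new HashMap<String, Object>();
        }
        if (!(raw instanceof Map)) {
            throw new ConfigException(OPTIONS_KEY + " must be a map of option names to values");
        }
        // Keys are used as option names below; the broker configuration is trusted input.
        return (Map<String, ?>) raw;
    }

    /** Loads, type-checks, instantiates and configures the mapper named in the options. */
    private GroupMappingServiceProvider createGroupMapper(Map<String, ?> options) {
        Class<?> cls;
        try {
            // Load without initialising so that no static initialiser of the named class runs
            // before the class has been verified to be a group mapper.
            cls = Class.forName((String) options.get(MAPPER_KEY), false,
                    HadoopGroupMappingPrincipalBuilder.class.getClassLoader());
        } catch (ClassNotFoundException e) {
            throw new ConfigException("Couldn't instantiate mapper class for principalbuilder: " + e.getMessage());
        }
        // The check must ask whether the interface is assignable FROM the configured class.
        // The reversed form only accepts the interface itself or its supertypes, which rejects
        // every real implementation and lets non-mappers such as Object through to the cast.
        if (!GroupMappingServiceProvider.class.isAssignableFrom(cls)) {
            throw new ConfigException("Mapper class must implement org.apache.hadoop.security.GroupMappingServiceProvider");
        }
        GroupMappingServiceProvider mapper = (GroupMappingServiceProvider) Utils.newInstance(cls);
        if (mapper instanceof org.apache.hadoop.conf.Configurable) {
            // Every option except the class name is passed through to the mapper.
            Configuration configuration = new Configuration();
            for (Map.Entry<String, ?> entry : options.entrySet()) {
                if (!MAPPER_KEY.equals(entry.getKey())) {
                    configuration.set(entry.getKey(), (String) entry.getValue());
                }
            }
            ((org.apache.hadoop.conf.Configurable) mapper).setConf(configuration);
        }
        return mapper;
    }

    /**
     * Builds the Kerberos short namer from {@code sasl.kerberos.principal.to.local.rules}.
     *
     * @param map broker configuration
     * @return the short namer, or {@code null} when no rules are configured or the default realm
     *     could not be determined
     */
    @SuppressWarnings("unchecked")
    private KerberosShortNamer getKerberosShortNamer(Map<String, ?> map) {
        List<String> rules = (List<String>) map.get(PRINCIPAL_TO_LOCAL_RULES_KEY);
        if (rules == null) {
            return null;
        }
        try {
            return KerberosShortNamer.fromUnparsedRules(defaultKerberosRealm(), rules);
        } catch (ClassNotFoundException | IllegalAccessException | NoSuchMethodException | InvocationTargetException e) {
            // Previously swallowed without a trace. The configured principal-to-local rules are
            // not applied in this case, which changes the names that ACLs are matched against,
            // so make the failure visible.
            this.principalLogger.log(java.util.logging.Level.WARNING,
                    "Could not determine the default Kerberos realm; "
                            + PRINCIPAL_TO_LOCAL_RULES_KEY + " will not be applied", e);
            return null;
        }
    }

    /**
     * Looks up the default Kerberos realm through the JDK's internal krb5 {@code Config} class,
     * choosing the IBM or Sun implementation according to {@link Java#isIbmJdk()}.
     */
    private String defaultKerberosRealm() throws ClassNotFoundException, NoSuchMethodException, IllegalArgumentException, IllegalAccessException, InvocationTargetException {
        Class<?> cls = Java.isIbmJdk()
                ? Class.forName("com.ibm.security.krb5.internal.Config")
                : Class.forName("sun.security.krb5.Config");
        // getInstance is invoked reflectively with the class as receiver, as in the original.
        Object config = cls.getMethod("getInstance", new Class[0]).invoke(cls, new Object[0]);
        return (String) cls.getDeclaredMethod("getDefaultRealm", new Class[0]).invoke(config, new Object[0]);
    }
}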
