package com.linkedin.kafka.cruisecontrol.servlet.security.trustedproxy;

import com.linkedin.kafka.cruisecontrol.servlet.parameters.ParameterUtils;
import com.linkedin.kafka.cruisecontrol.servlet.security.spnego.SpnegoLoginServiceWithAuthServiceLifecycle;
import java.nio.file.Path;
import java.util.Collections;
import java.util.List;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.eclipse.jetty.security.ConfigurableSpnegoLoginService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.SpnegoUserIdentity;
import org.eclipse.jetty.security.SpnegoUserPrincipal;
import org.eclipse.jetty.security.authentication.AuthorizationService;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.component.ContainerLifeCycle;
import org.eclipse.jetty.util.component.LifeCycle;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/linkedin/kafka/cruisecontrol/servlet/security/trustedproxy/TrustedProxyLoginService.class */
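/**
 * Jetty {@link LoginService} for a "trusted proxy" setup: a service authenticates itself through the
 * delegate SPNEGO login service and names the end user it acts for in the {@code doAs} request parameter.
 *
 * <p>Security model as visible in this class: the {@code doAs} value is caller-controlled input. It is
 * only resolved into roles after the delegate has reported the service identity as established, and the
 * roles always come from the end-user {@link AuthorizationService}, never from the request itself.
 */
public class TrustedProxyLoginService extends ContainerLifeCycle implements LoginService {
    private static final Logger LOG = LoggerFactory.getLogger(TrustedProxyLoginService.class);
    /** Subjects built by {@link #login} are created read-only so later code cannot add principals or credentials. */
    public static final boolean READ_ONLY_SUBJECT = true;
    // Resolves the impersonated end user (the doAs value) into a UserIdentity carrying that user's roles.
    private final AuthorizationService _endUserAuthorizer;
    // Performs the SPNEGO authentication of the calling service and decides whether it counts as established.
    private final ConfigurableSpnegoLoginService _delegateSpnegoLoginService;

    /**
     * Creates the service with a delegate SPNEGO login service backed by a {@link TrustedProxyAuthorizationService}.
     *
     * @param str first argument of the delegate login service (presumably the realm name; confirm against
     *            {@code SpnegoLoginServiceWithAuthServiceLifecycle})
     * @param authorizationService authorizer used to look up the end user named in {@code doAs}
     * @param list passed to {@link TrustedProxyAuthorizationService} (presumably the trusted proxy service
     *             names; confirm against that class)
     * @param str2 passed to {@link TrustedProxyAuthorizationService} (meaning not visible here; confirm
     *             against that class)
     */
    public TrustedProxyLoginService(String str, AuthorizationService authorizationService, List<String> list, String str2) {
        this._delegateSpnegoLoginService = new SpnegoLoginServiceWithAuthServiceLifecycle(str, new TrustedProxyAuthorizationService(list, str2));
        this._endUserAuthorizer = authorizationService;
    }

    /**
     * Package-private constructor that accepts a ready-made delegate (useful for supplying a test double).
     *
     * @param configurableSpnegoLoginService delegate that authenticates the calling service
     * @param authorizationService authorizer used to look up the end user named in {@code doAs}
     */
    TrustedProxyLoginService(ConfigurableSpnegoLoginService configurableSpnegoLoginService, AuthorizationService authorizationService) {
        this._delegateSpnegoLoginService = configurableSpnegoLoginService;
        this._endUserAuthorizer = authorizationService;
    }

    /** Forwards the Kerberos service name to the delegate SPNEGO login service. */
    public void setServiceName(String str) {
        this._delegateSpnegoLoginService.setServiceName(str);
    }

    /** Forwards the host name to the delegate SPNEGO login service. */
    public void setHostName(String str) {
        this._delegateSpnegoLoginService.setHostName(str);
    }

    /** Forwards the keytab location to the delegate SPNEGO login service. */
    public void setKeyTabPath(Path path) {
        this._delegateSpnegoLoginService.setKeyTabPath(path);
    }

    /** Returns the name reported by the delegate SPNEGO login service. */
    @Override
    public String getName() {
        return this._delegateSpnegoLoginService.getName();
    }

    /**
     * Authenticates the calling service via SPNEGO and, if it is established as a trusted proxy, resolves
     * the end user named in the {@code doAs} request parameter.
     *
     * @param str user name handed to the delegate login service
     * @param obj credentials handed to the delegate login service
     * @param servletRequest the current request; must be an {@link HttpServletRequest}
     * @return {@code null} when the request is not an HTTP request or the delegate did not produce a SPNEGO
     *         identity; otherwise a {@link SpnegoUserIdentity} whose role delegate is the end user's
     *         identity, or {@code null} when the service is not established or the end user could not be
     *         authorized
     */
    @Override
    public UserIdentity login(String str, Object obj, ServletRequest servletRequest) {
        if (!(servletRequest instanceof HttpServletRequest)) {
            return null;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;

        // Fail closed: a missing or unexpected identity from the delegate is treated as a failed login
        // instead of surfacing as a NullPointerException/ClassCastException further down.
        UserIdentity delegated = this._delegateSpnegoLoginService.login(str, obj, servletRequest);
        if (!(delegated instanceof SpnegoUserIdentity) || !(delegated.getUserPrincipal() instanceof SpnegoUserPrincipal)) {
            LOG.info("SPNEGO login did not return a service identity, rejecting the request");
            return null;
        }
        SpnegoUserIdentity serviceIdentity = (SpnegoUserIdentity) delegated;
        SpnegoUserPrincipal servicePrincipal = (SpnegoUserPrincipal) serviceIdentity.getUserPrincipal();

        // doAs is supplied by the caller and is untrusted until the service itself has been accepted.
        String doAsUser = servletRequest.getParameter(ParameterUtils.DO_AS);
        String doAsForLog = sanitizeForLog(doAsUser);
        LOG.info("Authorizing proxy user {} from {} service", doAsForLog, servicePrincipal.getName());

        SpnegoUserPrincipal trustedProxyPrincipal = new TrustedProxyPrincipal(doAsUser, servicePrincipal);
        Subject subject = new Subject(READ_ONLY_SUBJECT, Collections.singleton(trustedProxyPrincipal), Collections.emptySet(), Collections.emptySet());

        if (!serviceIdentity.isEstablished()) {
            // No end-user lookup happens for a service that has not been accepted: the requested
            // impersonation is never acted upon, and the returned identity carries no roles.
            LOG.info("Service user {} isn't authorized as a trusted proxy", servicePrincipal.getName());
            return new SpnegoUserIdentity(subject, trustedProxyPrincipal, (UserIdentity) null);
        }

        UserIdentity endUserIdentity = null;
        if (doAsUser != null && !doAsUser.isEmpty()) {
            endUserIdentity = this._endUserAuthorizer.getUserIdentity(httpRequest, doAsUser);
        }
        if (endUserIdentity == null) {
            LOG.info("Couldn't authorize user {}", doAsForLog);
        }
        return new SpnegoUserIdentity(subject, trustedProxyPrincipal, endUserIdentity);
    }

    /**
     * Replaces ISO control characters (including CR and LF) with {@code '_'} so a request-supplied value
     * cannot break a log entry into several lines.
     *
     * @param value text taken from the request, may be {@code null}
     * @return the sanitized text, or {@code null} when {@code value} is {@code null}
     */
    private static String sanitizeForLog(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        return cleaned.toString();
    }

    /** Delegates identity validation to the SPNEGO login service. */
    @Override
    public boolean validate(UserIdentity userIdentity) {
        return this._delegateSpnegoLoginService.validate(userIdentity);
    }

    /** Returns the identity service held by the delegate SPNEGO login service. */
    @Override
    public IdentityService getIdentityService() {
        return this._delegateSpnegoLoginService.getIdentityService();
    }

    /** Sets the identity service on the delegate SPNEGO login service. */
    @Override
    public void setIdentityService(IdentityService identityService) {
        this._delegateSpnegoLoginService.setIdentityService(identityService);
    }

    /** Delegates logout to the SPNEGO login service. */
    @Override
    public void logout(UserIdentity userIdentity) {
        this._delegateSpnegoLoginService.logout(userIdentity);
    }

    /**
     * Starts the end-user authorizer (when it has a lifecycle), then the delegate, then this container.
     *
     * @throws Exception if any of the components fails to start
     */
    @Override
    protected void doStart() throws Exception {
        if (this._endUserAuthorizer instanceof LifeCycle) {
            ((LifeCycle) this._endUserAuthorizer).start();
        }
        this._delegateSpnegoLoginService.start();
        super.doStart();
    }

    /**
     * Stops the components in the reverse of the start order: this container, the delegate, then the
     * end-user authorizer (when it has a lifecycle).
     *
     * @throws Exception if any of the components fails to stop
     */
    @Override
    protected void doStop() throws Exception {
        super.doStop();
        this._delegateSpnegoLoginService.stop();
        if (this._endUserAuthorizer instanceof LifeCycle) {
            ((LifeCycle) this._endUserAuthorizer).stop();
        }
    }
}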
