package com.linkedin.kafka.cruisecontrol.servlet.security.spnego;

import com.linkedin.kafka.cruisecontrol.config.KafkaCruiseControlConfig;
import com.linkedin.kafka.cruisecontrol.config.constants.WebServerConfig;
import com.linkedin.kafka.cruisecontrol.servlet.security.DefaultRoleSecurityProvider;
import java.nio.file.Paths;
import org.apache.kafka.common.security.kerberos.KerberosName;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.authentication.AuthorizationService;
import org.eclipse.jetty.security.authentication.ConfigurableSpnegoAuthenticator;

/* loaded from: input_file:com/linkedin/kafka/cruisecontrol/servlet/security/spnego/SpnegoSecurityProvider.class */
public class SpnegoSecurityProvider extends DefaultRoleSecurityProvider {
    protected String _privilegesFilePath;
    protected String _keyTabPath;
    protected KerberosName _spnegoPrincipal;

    @Override // com.linkedin.kafka.cruisecontrol.servlet.security.DefaultRoleSecurityProvider, com.linkedin.kafka.cruisecontrol.servlet.security.SecurityProvider
    public void init(KafkaCruiseControlConfig kafkaCruiseControlConfig) {
        super.init(kafkaCruiseControlConfig);
        this._privilegesFilePath = kafkaCruiseControlConfig.getString(WebServerConfig.WEBSERVER_AUTH_CREDENTIALS_FILE_CONFIG);
        this._keyTabPath = kafkaCruiseControlConfig.getString(WebServerConfig.SPNEGO_KEYTAB_FILE_CONFIG);
        this._spnegoPrincipal = KerberosName.parse(kafkaCruiseControlConfig.getString(WebServerConfig.SPNEGO_PRINCIPAL_CONFIG));
    }

    @Override // com.linkedin.kafka.cruisecontrol.servlet.security.SecurityProvider
    public LoginService loginService() {
        SpnegoLoginServiceWithAuthServiceLifecycle spnegoLoginServiceWithAuthServiceLifecycle = new SpnegoLoginServiceWithAuthServiceLifecycle(this._spnegoPrincipal.realm(), authorizationService());
        spnegoLoginServiceWithAuthServiceLifecycle.setServiceName(this._spnegoPrincipal.serviceName());
        spnegoLoginServiceWithAuthServiceLifecycle.setHostName(this._spnegoPrincipal.hostName());
        spnegoLoginServiceWithAuthServiceLifecycle.setKeyTabPath(Paths.get(this._keyTabPath, new String[0]));
        return spnegoLoginServiceWithAuthServiceLifecycle;
    }

    @Override // com.linkedin.kafka.cruisecontrol.servlet.security.SecurityProvider
    public Authenticator authenticator() {
        return new ConfigurableSpnegoAuthenticator();
    }

    public AuthorizationService authorizationService() {
        return new SpnegoUserStoreAuthorizationService(this._privilegesFilePath);
    }
}
