package org.apache.kafka.tools;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import net.sourceforge.argparse4j.ArgumentParsers;
import net.sourceforge.argparse4j.impl.Arguments;
import net.sourceforge.argparse4j.inf.Argument;
import net.sourceforge.argparse4j.inf.ArgumentParser;
import net.sourceforge.argparse4j.inf.ArgumentParserException;
import net.sourceforge.argparse4j.inf.Namespace;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.AbstractConfig;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetriever;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetrieverFactory;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator;
import org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidatorFactory;
import org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver;
import org.apache.kafka.common.security.oauthbearer.internals.secured.VerificationKeyResolverFactory;
import org.apache.kafka.common.utils.Exit;

/* loaded from: input_file:org/apache/kafka/tools/OAuthCompatibilityTool.class */
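/**
 * Command-line tool that checks an OAuth/OIDC provider against Kafka's OAUTHBEARER support.
 *
 * <p>The check runs in two halves. The "client" half builds an {@link AccessTokenRetriever}
 * from the supplied configuration, retrieves a JWT from the provider and validates it locally.
 * The "broker" half builds a {@link CloseableVerificationKeyResolver} (JWKS) and validates the
 * same JWT the way a broker would. Each stage prints a {@code PASSED n/5} line; any failure
 * prints {@code FAILED:} with the stack trace and exits with status 1.
 */
public class OAuthCompatibilityTool {

    /**
     * Builds the argparse4j parser for the tool and parses the command line.
     *
     * <p>NOTE(review): credential-bearing options ({@code clientSecret}, the
     * {@code ssl.*.password} settings, {@code ssl.keystore.key}) are read from the
     * command line, so they are visible to anything that can inspect this process's
     * argument list and may be recorded in shell history. A file-based source would
     * be safer; confirm against how the tool is operated.
     */
    private static class ArgsHandler {
        private static final String DESCRIPTION = String.format("This tool is used to verify OAuth/OIDC provider compatibility.%n%nRun the following script to determine the configuration options:%n%n    ./bin/kafka-run-class.sh %s --help", OAuthCompatibilityTool.class.getName());
        private final ArgumentParser parser;

        private ArgsHandler() {
            this.parser = ArgumentParsers.newArgumentParser("oauth-compatibility-tool")
                .defaultHelp(true)
                .description(DESCRIPTION);
        }

        /**
         * Registers every supported option (in the order shown by {@code --help}) and parses
         * {@code args}.
         *
         * @param args raw command-line arguments
         * @return the parsed namespace; options that were not supplied are absent
         * @throws ArgumentParserException if parsing fails; the parser's own error output has
         *         already been written via {@link ArgumentParser#handleError} when this is thrown
         */
        private Namespace parseArgs(String[] args) throws ArgumentParserException {
            addArgument("sasl.login.connect.timeout.ms", "The (optional) value in milliseconds for the external authentication provider connection timeout. Currently applies only to OAUTHBEARER.", Integer.class);
            addArgument("sasl.login.read.timeout.ms", "The (optional) value in milliseconds for the external authentication provider read timeout. Currently applies only to OAUTHBEARER.", Integer.class);
            addArgument("sasl.login.retry.backoff.max.ms", "The (optional) value in milliseconds for the maximum wait between login attempts to the external authentication provider. Login uses an exponential backoff algorithm with an initial wait based on the sasl.login.retry.backoff.ms setting and will double in wait length between attempts up to a maximum wait length specified by the sasl.login.retry.backoff.max.ms setting. Currently applies only to OAUTHBEARER.", Long.class);
            addArgument("sasl.login.retry.backoff.ms", "The (optional) value in milliseconds for the initial wait between login attempts to the external authentication provider. Login uses an exponential backoff algorithm with an initial wait based on the sasl.login.retry.backoff.ms setting and will double in wait length between attempts up to a maximum wait length specified by the sasl.login.retry.backoff.max.ms setting. Currently applies only to OAUTHBEARER.", Long.class);
            addArgument("sasl.oauthbearer.clock.skew.seconds", "The (optional) value in seconds to allow for differences between the time of the OAuth/OIDC identity provider and the broker.", Integer.class);
            addArgument("sasl.oauthbearer.expected.audience", "The (optional) comma-delimited setting for the broker to use to verify that the JWT was issued for one of the expected audiences. The JWT will be inspected for the standard OAuth \"aud\" claim and if this value is set, the broker will match the value from JWT's \"aud\" claim  to see if there is an exact match. If there is no match, the broker will reject the JWT and authentication will fail.").action(Arguments.append());
            addArgument("sasl.oauthbearer.expected.issuer", "The (optional) setting for the broker to use to verify that the JWT was created by the expected issuer. The JWT will be inspected for the standard OAuth \"iss\" claim and if this value is set, the broker will match it exactly against what is in the JWT's \"iss\" claim. If there is no match, the broker will reject the JWT and authentication will fail.");
            addArgument("sasl.oauthbearer.jwks.endpoint.refresh.ms", "The (optional) value in milliseconds for the broker to wait between refreshing its JWKS (JSON Web Key Set) cache that contains the keys to verify the signature of the JWT.", Long.class);
            addArgument("sasl.oauthbearer.jwks.endpoint.retry.backoff.max.ms", "The (optional) value in milliseconds for the maximum wait between attempts to retrieve the JWKS (JSON Web Key Set) from the external authentication provider. JWKS retrieval uses an exponential backoff algorithm with an initial wait based on the sasl.oauthbearer.jwks.endpoint.retry.backoff.ms setting and will double in wait length between attempts up to a maximum wait length specified by the sasl.oauthbearer.jwks.endpoint.retry.backoff.max.ms setting.", Long.class);
            addArgument("sasl.oauthbearer.jwks.endpoint.retry.backoff.ms", "The (optional) value in milliseconds for the initial wait between JWKS (JSON Web Key Set) retrieval attempts from the external authentication provider. JWKS retrieval uses an exponential backoff algorithm with an initial wait based on the sasl.oauthbearer.jwks.endpoint.retry.backoff.ms setting and will double in wait length between attempts up to a maximum wait length specified by the sasl.oauthbearer.jwks.endpoint.retry.backoff.max.ms setting.", Long.class);
            addArgument("sasl.oauthbearer.jwks.endpoint.url", "The OAuth/OIDC provider URL from which the provider's <a href=\"https://datatracker.ietf.org/doc/html/rfc7517#section-5\">JWKS (JSON Web Key Set)</a> can be retrieved. The URL can be HTTP(S)-based or file-based. If the URL is HTTP(S)-based, the JWKS data will be retrieved from the OAuth/OIDC provider via the configured URL on broker startup. All then-current keys will be cached on the broker for incoming requests. If an authentication request is received for a JWT that includes a \"kid\" header claim value that isn't yet in the cache, the JWKS endpoint will be queried again on demand. However, the broker polls the URL every sasl.oauthbearer.jwks.endpoint.refresh.ms milliseconds to refresh the cache with any forthcoming keys before any JWT requests that include them are received. If the URL is file-based, the broker will load the JWKS file from a configured location on startup. In the event that the JWT includes a \"kid\" header value that isn't in the JWKS file, the broker will reject the JWT and authentication will fail.");
            addArgument("sasl.oauthbearer.scope.claim.name", "The OAuth claim for the scope is often named \"scope\", but this (optional) setting can provide a different name to use for the scope included in the JWT payload's claims if the OAuth/OIDC provider uses a different name for that claim.");
            addArgument("sasl.oauthbearer.sub.claim.name", "The OAuth claim for the subject is often named \"sub\", but this (optional) setting can provide a different name to use for the subject included in the JWT payload's claims if the OAuth/OIDC provider uses a different name for that claim.");
            addArgument("sasl.oauthbearer.token.endpoint.url", "The URL for the OAuth/OIDC identity provider. If the URL is HTTP(S)-based, it is the issuer's token endpoint URL to which requests will be made to login based on the configuration in sasl.jaas.config. If the URL is file-based, it specifies a file containing an access token (in JWT serialized form) issued by the OAuth/OIDC identity provider to use for authorization.");
            addArgument("ssl.cipher.suites", "A list of cipher suites. This is a named combination of authentication, encryption, MAC and key exchange algorithm used to negotiate the security settings for a network connection using TLS or SSL network protocol. By default all the available cipher suites are supported.").action(Arguments.append());
            addArgument("ssl.enabled.protocols", "The list of protocols enabled for SSL connections. The default is 'TLSv1.2,TLSv1.3' when running with Java 11 or newer, 'TLSv1.2' otherwise. With the default value for Java 11, clients and servers will prefer TLSv1.3 if both support it and fallback to TLSv1.2 otherwise (assuming both support at least TLSv1.2). This default should be fine for most cases. Also see the config documentation for `ssl.protocol`.").action(Arguments.append());
            addArgument("ssl.endpoint.identification.algorithm", "The endpoint identification algorithm to validate server hostname using server certificate. ");
            addArgument("ssl.engine.factory.class", "The class of type org.apache.kafka.common.security.auth.SslEngineFactory to provide SSLEngine objects. Default value is org.apache.kafka.common.security.ssl.DefaultSslEngineFactory");
            addArgument("ssl.keymanager.algorithm", "The algorithm used by key manager factory for SSL connections. Default value is the key manager factory algorithm configured for the Java Virtual Machine.");
            addArgument("ssl.keystore.certificate.chain", "Certificate chain in the format specified by 'ssl.keystore.type'. Default SSL engine factory supports only PEM format with a list of X.509 certificates");
            addArgument("ssl.keystore.key", "Private key in the format specified by 'ssl.keystore.type'. Default SSL engine factory supports only PEM format with PKCS#8 keys. If the key is encrypted, key password must be specified using 'ssl.key.password'");
            addArgument("ssl.keystore.location", "The location of the key store file. This is optional for client and can be used for two-way authentication for client.");
            addArgument("ssl.keystore.password", "The store password for the key store file. This is optional for client and only needed if 'ssl.keystore.location' is configured. Key store password is not supported for PEM format.");
            addArgument("ssl.keystore.type", "The file format of the key store file. This is optional for client. The values currently supported by the default `ssl.engine.factory.class` are [JKS, PKCS12, PEM].");
            addArgument("ssl.key.password", "The password of the private key in the key store file or the PEM key specified in 'ssl.keystore.key'.");
            addArgument("ssl.protocol", "The SSL protocol used to generate the SSLContext. The default is 'TLSv1.3' when running with Java 11 or newer, 'TLSv1.2' otherwise. This value should be fine for most use cases. Allowed values in recent JVMs are 'TLSv1.2' and 'TLSv1.3'. 'TLS', 'TLSv1.1', 'SSL', 'SSLv2' and 'SSLv3' may be supported in older JVMs, but their usage is discouraged due to known security vulnerabilities. With the default value for this config and 'ssl.enabled.protocols', clients will downgrade to 'TLSv1.2' if the server does not support 'TLSv1.3'. If this config is set to 'TLSv1.2', clients will not use 'TLSv1.3' even if it is one of the values in ssl.enabled.protocols and the server only supports 'TLSv1.3'.");
            addArgument("ssl.provider", "The name of the security provider used for SSL connections. Default value is the default security provider of the JVM.");
            addArgument("ssl.secure.random.implementation", "The SecureRandom PRNG implementation to use for SSL cryptography operations. ");
            addArgument("ssl.trustmanager.algorithm", "The algorithm used by trust manager factory for SSL connections. Default value is the trust manager factory algorithm configured for the Java Virtual Machine.");
            addArgument("ssl.truststore.certificates", "Trusted certificates in the format specified by 'ssl.truststore.type'. Default SSL engine factory supports only PEM format with X.509 certificates.");
            addArgument("ssl.truststore.location", "The location of the trust store file.");
            addArgument("ssl.truststore.password", "The password for the trust store file. If a password is not set, trust store file configured will still be used, but integrity checking is disabled. Trust store password is not supported for PEM format.");
            addArgument("ssl.truststore.type", "The file format of the trust store file. The values currently supported by the default `ssl.engine.factory.class` are [JKS, PKCS12, PEM].");
            addArgument("clientId", "The OAuth/OIDC identity provider-issued client ID to uniquely identify the service account to use for authentication for this client. The value must be paired with a corresponding clientSecret value and is provided to the OAuth provider using the OAuth clientcredentials grant type.");
            addArgument("clientSecret", "The OAuth/OIDC identity provider-issued client secret serves a similar function as a password to the clientId account and identifies the service account to use for authentication for this client. The value must be paired with a corresponding clientId value and is provided to the OAuth provider using the OAuth clientcredentials grant type.");
            addArgument("scope", "The (optional) HTTP/HTTPS login request to the token endpoint (sasl.oauthbearer.token.endpoint.url) may need to specify an OAuth \"scope\". If so, the scope is used to provide the value to include with the login request.");

            try {
                return this.parser.parseArgs(args);
            } catch (ArgumentParserException e) {
                // Let argparse4j print its usage/error text, then propagate so main() can exit.
                this.parser.handleError(e);
                throw e;
            }
        }

        /** Registers a string-typed option named {@code --<name>}. */
        private Argument addArgument(String name, String help) {
            return addArgument(name, help, String.class);
        }

        /**
         * Registers an option named {@code --<name>} whose value is converted to {@code type}
         * and stored in the namespace under {@code name} (the same key the config maps use).
         */
        private Argument addArgument(String name, String help, Class<?> type) {
            return this.parser.addArgument("--" + name)
                .type(type)
                .metavar(name)
                .dest(name)
                .help(help);
        }
    }

    /**
     * Turns a parsed {@link Namespace} into the two maps the OAUTHBEARER factories expect:
     * the validated client configuration and the JAAS-style option map.
     */
    private static class ConfigHandler {
        private final Namespace namespace;

        private ConfigHandler(Namespace namespace) {
            this.namespace = namespace;
        }

        /**
         * Collects the {@code sasl.*} options that were supplied and runs them through
         * {@link AbstractConfig} with the client SASL and SSL definitions, so defaults are
         * applied and values are type-checked.
         *
         * @return the fully resolved configuration values
         * @throws ConfigException if a supplied value fails {@link ConfigDef} validation
         */
        private Map<String, ?> getConfigs() {
            Map<String, Object> values = new HashMap<>();
            maybeAddInt(values, "sasl.login.connect.timeout.ms");
            maybeAddInt(values, "sasl.login.read.timeout.ms");
            maybeAddLong(values, "sasl.login.retry.backoff.ms");
            maybeAddLong(values, "sasl.login.retry.backoff.max.ms");
            maybeAddString(values, "sasl.oauthbearer.scope.claim.name");
            maybeAddString(values, "sasl.oauthbearer.sub.claim.name");
            maybeAddString(values, "sasl.oauthbearer.token.endpoint.url");
            maybeAddString(values, "sasl.oauthbearer.jwks.endpoint.url");
            maybeAddLong(values, "sasl.oauthbearer.jwks.endpoint.refresh.ms");
            maybeAddLong(values, "sasl.oauthbearer.jwks.endpoint.retry.backoff.max.ms");
            maybeAddLong(values, "sasl.oauthbearer.jwks.endpoint.retry.backoff.ms");
            maybeAddInt(values, "sasl.oauthbearer.clock.skew.seconds");
            maybeAddStringList(values, "sasl.oauthbearer.expected.audience");
            maybeAddString(values, "sasl.oauthbearer.expected.issuer");

            ConfigDef configDef = new ConfigDef();
            SaslConfigs.addClientSaslSupport(configDef);
            SslConfigs.addClientSslSupport(configDef);
            return new AbstractConfig(configDef, values).values();
        }

        /**
         * Collects the JAAS-style options (client credentials, scope and the {@code ssl.*}
         * settings used for the provider connection) that were supplied.
         *
         * <p>Password-like values are wrapped in {@link Password} so their {@code toString()}
         * is masked, but {@code clientSecret} is stored as a plain {@link String} because that
         * is the form the JAAS option map uses; do not print or log the returned map.
         *
         * @return the supplied JAAS options, keyed by option name
         * @throws KafkaException if {@code ssl.engine.factory.class} names a class that cannot
         *         be loaded
         */
        private Map<String, Object> getJaasOptions() {
            Map<String, Object> options = new HashMap<>();
            maybeAddString(options, "clientId");
            maybeAddString(options, "clientSecret");
            maybeAddString(options, "scope");
            maybeAddStringList(options, "ssl.cipher.suites");
            maybeAddStringList(options, "ssl.enabled.protocols");
            maybeAddString(options, "ssl.endpoint.identification.algorithm");
            maybeAddClass(options, "ssl.engine.factory.class");
            maybeAddString(options, "ssl.keymanager.algorithm");
            maybeAddPassword(options, "ssl.keystore.certificate.chain");
            maybeAddPassword(options, "ssl.keystore.key");
            maybeAddString(options, "ssl.keystore.location");
            maybeAddPassword(options, "ssl.keystore.password");
            maybeAddString(options, "ssl.keystore.type");
            maybeAddPassword(options, "ssl.key.password");
            maybeAddString(options, "ssl.protocol");
            maybeAddString(options, "ssl.provider");
            maybeAddString(options, "ssl.secure.random.implementation");
            maybeAddString(options, "ssl.trustmanager.algorithm");
            maybeAddPassword(options, "ssl.truststore.certificates");
            maybeAddString(options, "ssl.truststore.location");
            maybeAddPassword(options, "ssl.truststore.password");
            maybeAddString(options, "ssl.truststore.type");
            return options;
        }

        /** Copies {@code key} into {@code map} as an {@link Integer} if it was supplied. */
        private void maybeAddInt(Map<String, Object> map, String key) {
            Integer value = this.namespace.getInt(key);
            if (value != null) {
                map.put(key, value);
            }
        }

        /** Copies {@code key} into {@code map} as a {@link Long} if it was supplied. */
        private void maybeAddLong(Map<String, Object> map, String key) {
            Long value = this.namespace.getLong(key);
            if (value != null) {
                map.put(key, value);
            }
        }

        /** Copies {@code key} into {@code map} as a {@link String} if it was supplied. */
        private void maybeAddString(Map<String, Object> map, String key) {
            String value = this.namespace.getString(key);
            if (value != null) {
                map.put(key, value);
            }
        }

        /**
         * Copies {@code key} into {@code map} wrapped in a {@link Password} if it was supplied,
         * so the value is masked wherever the map is rendered.
         */
        private void maybeAddPassword(Map<String, Object> map, String key) {
            String value = this.namespace.getString(key);
            if (value != null) {
                map.put(key, new Password(value));
            }
        }

        /**
         * Loads the class named by {@code key} and stores the {@link Class} in {@code map} if
         * it was supplied. {@link Class#forName(String)} initializes the class, so the named
         * class's static initializer runs here.
         *
         * @throws KafkaException if the class cannot be found on the classpath
         */
        private void maybeAddClass(Map<String, Object> map, String key) {
            String className = this.namespace.getString(key);
            if (className == null) {
                return;
            }
            try {
                map.put(key, Class.forName(className));
            } catch (ClassNotFoundException e) {
                throw new KafkaException("Could not find class for " + key, e);
            }
        }

        /** Copies the list-valued option {@code key} into {@code map} if it was supplied. */
        private void maybeAddStringList(Map<String, Object> map, String key) {
            List<String> values = this.namespace.getList(key);
            if (values != null) {
                map.put(key, values);
            }
        }
    }

    /**
     * Entry point. Exit status is 0 when all five stages pass and 1 on any argument, config,
     * retrieval or validation failure.
     *
     * <p>Config construction is performed inside the reporting {@code try} so that a
     * {@link ConfigException} raised while validating the supplied values is reported with
     * {@code FAILED:} and the parser help, rather than escaping as an uncaught exception.
     * Both resources are managed with try-with-resources so they are closed on the failure
     * path as well as on success.
     *
     * @param args command-line arguments; see {@code --help}
     */
    public static void main(String[] args) {
        ArgsHandler argsHandler = new ArgsHandler();
        Namespace namespace;
        try {
            namespace = argsHandler.parseArgs(args);
        } catch (ArgumentParserException e) {
            // parseArgs has already printed the parser's error message.
            Exit.exit(1);
            return;
        }

        try {
            ConfigHandler configHandler = new ConfigHandler(namespace);
            Map<String, ?> configs = configHandler.getConfigs();
            Map<String, Object> jaasOptions = configHandler.getJaasOptions();

            String accessToken;

            // Client side: obtain a JWT from the provider and validate it locally.
            try (AccessTokenRetriever retriever = AccessTokenRetrieverFactory.create(configs, jaasOptions)) {
                retriever.init();
                AccessTokenValidator validator = AccessTokenValidatorFactory.create(configs);
                System.out.println("PASSED 1/5: client configuration");

                accessToken = retriever.retrieve();
                System.out.println("PASSED 2/5: client JWT retrieval");

                validator.validate(accessToken);
                System.out.println("PASSED 3/5: client JWT validation");
            }

            // Broker side: resolve the provider's verification keys and validate the same JWT.
            try (CloseableVerificationKeyResolver resolver = VerificationKeyResolverFactory.create(configs, jaasOptions)) {
                resolver.init();
                AccessTokenValidator validator = AccessTokenValidatorFactory.create(configs, resolver);
                System.out.println("PASSED 4/5: broker configuration");

                validator.validate(accessToken);
                System.out.println("PASSED 5/5: broker JWT validation");
            }

            System.out.println("SUCCESS");
            Exit.exit(0);
        } catch (Throwable t) {
            // Boundary catch: any failure in the stages above is reported and mapped to exit 1.
            System.out.println("FAILED:");
            t.printStackTrace();

            if (t instanceof ConfigException) {
                System.out.printf("%n");
                argsHandler.parser.printHelp();
            }

            Exit.exit(1);
        }
    }
}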
