package org.apache.kafka.common.security.oauthbearer.internals;

import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.sasl.SaslException;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.utils.Utils;

/* loaded from: input_file:WEB-INF/lib/kafka-clients-2.8.2.jar:org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerClientInitialResponse.class */
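/**
 * The client's first message of a SASL/OAUTHBEARER exchange, in both directions:
 * parsed from the bytes a peer sent, or built from a token and serialized with
 * {@link #toBytes()}.
 *
 * <p>The serialized form produced by {@link #toBytes()} is
 * {@code n,[a=<authzid>],<SEP>auth=Bearer <token>[<SEP><key>=<value>...]<SEP><SEP>}
 * where {@code <SEP>} is the single control character 0x01.
 *
 * <p>Security note: this class checks <em>syntax</em> only. Nothing here verifies the
 * token's signature, expiry, audience or issuer, and the authorization id is taken
 * as sent. Code that receives an instance built from network bytes must still
 * validate the token and decide whether the authorization id is acceptable before
 * treating the connection as authenticated.
 */
public class OAuthBearerClientInitialResponse {
    /** Reserved key carrying the {@code Bearer <token>} value; never allowed as an extension name. */
    public static final String AUTH_KEY = "auth";

    // Declaration order matters below: KVPAIRS is computed at class-initialization time
    // and must be initialized before CLIENT_INITIAL_RESPONSE_PATTERN uses it.
    private static final String KEY = "[A-Za-z]+";
    // Printable ASCII plus space, tab, CR and LF. The 0x01 separator is deliberately
    // outside this range, so a value cannot terminate its own key/value pair.
    private static final String VALUE = "[\\x21-\\x7E \t\r\n]+";
    static final String SEPARATOR = "\u0001";
    private static final String KVPAIRS = String.format("(%s=%s%s)*", KEY, VALUE, SEPARATOR);
    // NOTE(review): the token class here is narrower than the b64token grammar of
    // RFC 6750 (which also permits '~', '+', '/' and trailing '='); tokens containing
    // those characters are rejected by the parsing constructor.
    private static final Pattern AUTH_PATTERN = Pattern.compile("(?<scheme>[\\w]+)[ ]+(?<token>[-_\\.a-zA-Z0-9]+)");
    // ASCII except NUL, '=' and ','; those two must appear escaped as =3D and =2C.
    private static final String SASLNAME = "(?:[\\x01-\\x7F&&[^=,]]|=2C|=3D)+";
    private static final Pattern CLIENT_INITIAL_RESPONSE_PATTERN = Pattern.compile(
            String.format("n,(a=(?<authzid>%s))?,%s(?<kvpairs>%s)%s", SASLNAME, SEPARATOR, KVPAIRS, SEPARATOR));
    public static final Pattern EXTENSION_KEY_PATTERN = Pattern.compile(KEY);
    public static final Pattern EXTENSION_VALUE_PATTERN = Pattern.compile(VALUE);

    private final String tokenValue;
    private final String authorizationId;
    // Assigned exactly once by every constructor, so it can be final.
    private final SaslExtensions saslExtensions;

    /**
     * Parses a client first message received from a peer. The input is untrusted:
     * every failure is reported as a {@link SaslException} so the caller can fail
     * the handshake cleanly.
     *
     * @param bArr the raw message bytes, decoded as UTF-8
     * @throws SaslException if the message does not match the expected grammar, has no
     *     {@code auth} entry, carries an invalid extension, has a malformed
     *     {@code auth} value, or uses a scheme other than {@code Bearer}
     *     (compared case-insensitively)
     */
    public OAuthBearerClientInitialResponse(byte[] bArr) throws SaslException {
        String message = new String(bArr, StandardCharsets.UTF_8);
        Matcher responseMatcher = CLIENT_INITIAL_RESPONSE_PATTERN.matcher(message);
        if (!responseMatcher.matches()) {
            throw new SaslException("Invalid OAUTHBEARER client first message");
        }
        String authzid = responseMatcher.group("authzid");
        this.authorizationId = authzid == null ? "" : authzid;

        Map<String, String> properties = Utils.parseMap(responseMatcher.group("kvpairs"), "=", SEPARATOR);
        String auth = properties.get(AUTH_KEY);
        if (auth == null) {
            throw new SaslException("Invalid OAUTHBEARER client first message: 'auth' not specified");
        }
        // Everything except 'auth' is treated as a SASL extension.
        properties.remove(AUTH_KEY);
        SaslExtensions parsedExtensions = new SaslExtensions(properties);
        validateExtensions(parsedExtensions);
        this.saslExtensions = parsedExtensions;

        Matcher authMatcher = AUTH_PATTERN.matcher(auth);
        if (!authMatcher.matches()) {
            throw new SaslException("Invalid OAUTHBEARER client first message: invalid 'auth' format");
        }
        String scheme = authMatcher.group("scheme");
        if (!"bearer".equalsIgnoreCase(scheme)) {
            // The scheme must be read from authMatcher. The outer message pattern has no
            // group named "scheme", so asking it for one raises IllegalArgumentException
            // and a peer-supplied non-Bearer scheme would escape as an unchecked
            // exception instead of the SaslException this constructor declares.
            throw new SaslException(String.format("Invalid scheme in OAUTHBEARER client first message: %s", scheme));
        }
        this.tokenValue = authMatcher.group("token");
    }

    /**
     * Builds a response with an empty authorization id.
     *
     * @param str the bearer token value; must not be null
     * @param saslExtensions the extensions to send, or null for none
     * @throws SaslException if an extension name or value is invalid
     */
    public OAuthBearerClientInitialResponse(String str, SaslExtensions saslExtensions) throws SaslException {
        this(str, "", saslExtensions);
    }

    /**
     * Builds a response from its parts.
     *
     * <p>NOTE(review): only the extensions are validated here. The token and the
     * authorization id are not checked against the patterns the parsing constructor
     * enforces, so {@link #toBytes()} can emit a message that the parser rejects or
     * frames differently. Callers should pass values that already satisfy that
     * grammar (in particular an authorization id with '=' and ',' escaped).
     *
     * @param str the bearer token value; must not be null
     * @param str2 the authorization id; null is treated as empty
     * @param saslExtensions the extensions to send, or null for none
     * @throws SaslException if an extension name or value is invalid
     * @throws NullPointerException if {@code str} is null
     */
    public OAuthBearerClientInitialResponse(String str, String str2, SaslExtensions saslExtensions) throws SaslException {
        this.tokenValue = Objects.requireNonNull(str, "token value must not be null");
        this.authorizationId = str2 == null ? "" : str2;
        validateExtensions(saslExtensions);
        this.saslExtensions = saslExtensions != null ? saslExtensions : SaslExtensions.NO_SASL_EXTENSIONS;
    }

    /**
     * Returns the SASL extensions carried by this message.
     *
     * @return the extensions; never null for an instance built by these constructors
     */
    public SaslExtensions extensions() {
        return this.saslExtensions;
    }

    /**
     * Serializes this message to its UTF-8 wire form.
     *
     * @return the encoded client first message
     */
    public byte[] toBytes() {
        String authzid = this.authorizationId.isEmpty() ? "" : "a=" + this.authorizationId;
        String extensions = extensionsMessage();
        if (!extensions.isEmpty()) {
            // Extensions follow the auth pair, each preceded by the separator.
            extensions = SEPARATOR + extensions;
        }
        String message = String.format("n,%s,%sauth=Bearer %s%s%s%s",
                authzid, SEPARATOR, this.tokenValue, extensions, SEPARATOR, SEPARATOR);
        return message.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Returns the bearer token exactly as supplied or parsed. It is a credential:
     * avoid writing it to logs or error messages.
     *
     * @return the token value
     */
    public String tokenValue() {
        return this.tokenValue;
    }

    /**
     * Returns the authorization id.
     *
     * @return the authorization id, or the empty string when none was given
     */
    public String authorizationId() {
        return this.authorizationId;
    }

    /**
     * Checks that no extension is named {@code auth} and that every extension name
     * and value matches {@link #EXTENSION_KEY_PATTERN} and
     * {@link #EXTENSION_VALUE_PATTERN}. A null argument is accepted as "no extensions".
     *
     * <p>The exception messages embed the offending name and value verbatim. A
     * rejected value can contain arbitrary characters, including control characters,
     * so callers that log these messages should neutralize them first.
     *
     * @param saslExtensions the extensions to validate, or null
     * @throws SaslException if any extension name or value is invalid
     */
    public static void validateExtensions(SaslExtensions saslExtensions) throws SaslException {
        if (saslExtensions == null) {
            return;
        }
        Map<String, String> extensions = saslExtensions.map();
        if (extensions.containsKey(AUTH_KEY)) {
            throw new SaslException("Extension name auth is invalid");
        }
        for (Map.Entry<String, String> extension : extensions.entrySet()) {
            String name = extension.getKey();
            String value = extension.getValue();
            if (!EXTENSION_KEY_PATTERN.matcher(name).matches()) {
                throw new SaslException("Extension name " + name + " is invalid");
            }
            if (!EXTENSION_VALUE_PATTERN.matcher(value).matches()) {
                throw new SaslException("Extension value (" + value + ") for extension " + name + " is invalid");
            }
        }
    }

    /** Joins the extensions as {@code key=value} pairs separated by the 0x01 separator. */
    private String extensionsMessage() {
        return Utils.mkString(this.saslExtensions.map(), "", "", "=", SEPARATOR);
    }
}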
