package org.apache.qpid.server.security.auth.sasl.oauth2;

import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;

/* loaded from: input_file:org/apache/qpid/server/security/auth/sasl/oauth2/OAuth2Negotiator.class */
public class OAuth2Negotiator implements SaslNegotiator {
    public static final String MECHANISM = "XOAUTH2";
    private static final String BEARER_PREFIX = "Bearer ";
    private final NamedAddressSpace _addressSpace;
    private OAuth2AuthenticationProvider<?> _authenticationProvider;
    private volatile State _state = State.INITIAL;

    /* loaded from: input_file:org/apache/qpid/server/security/auth/sasl/oauth2/OAuth2Negotiator$State.class */
    enum State {
        INITIAL,
        CHALLENGE_SENT,
        COMPLETE
    }

    public OAuth2Negotiator(OAuth2AuthenticationProvider<?> oAuth2AuthenticationProvider, NamedAddressSpace namedAddressSpace) {
        this._authenticationProvider = oAuth2AuthenticationProvider;
        this._addressSpace = namedAddressSpace;
    }

    @Override // org.apache.qpid.server.security.auth.sasl.SaslNegotiator
    public AuthenticationResult handleResponse(byte[] bArr) {
        if (this._state == State.COMPLETE) {
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, new IllegalStateException("Multiple Authentications not permitted."));
        }
        if (this._state == State.INITIAL && (bArr == null || bArr.length == 0)) {
            this._state = State.CHALLENGE_SENT;
            return new AuthenticationResult(new byte[0], AuthenticationResult.AuthenticationStatus.CONTINUE);
        }
        this._state = State.COMPLETE;
        if (bArr == null || bArr.length == 0) {
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, new IllegalArgumentException("Invalid OAuth2 client response."));
        }
        String str = splitResponse(bArr).get("auth");
        return str != null ? str.startsWith(BEARER_PREFIX) ? this._authenticationProvider.authenticateViaAccessToken(str.substring(BEARER_PREFIX.length()), this._addressSpace) : new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, new IllegalArgumentException("The 'auth' part of response does not not begin with the expected prefix")) : new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, new IllegalArgumentException("The mandatory 'auth' part of the response was absent."));
    }

    @Override // org.apache.qpid.server.security.auth.sasl.SaslNegotiator
    public void dispose() {
    }

    @Override // org.apache.qpid.server.security.auth.sasl.SaslNegotiator
    public String getAttemptedAuthenticationId() {
        return null;
    }

    private Map<String, String> splitResponse(byte[] bArr) {
        String[] split = new String(bArr, StandardCharsets.US_ASCII).split("\u0001");
        HashMap hashMap = new HashMap(split.length);
        for (String str : split) {
            if (str.length() > 0) {
                String[] split2 = str.split("=", 2);
                if (split2.length == 2) {
                    hashMap.put(split2[0], split2[1]);
                }
            }
        }
        return hashMap;
    }
}
