package com.pinterest.doctorkafka.security;

import com.pinterest.doctorkafka.config.DoctorKafkaConfig;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.ext.Provider;
import jersey.repackaged.com.google.common.collect.Sets;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

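/**
 * Sample authorization filter that derives the caller's identity and role from two plain HTTP
 * request headers: {@code USER} (the principal name) and {@code GROUPS} (a comma-separated list
 * of group names).
 *
 * <p><b>Trust boundary:</b> nothing in this class verifies where those headers came from. The
 * admin role is granted purely on the header contents, so the filter is only meaningful when the
 * service sits behind an authenticating proxy that sets both headers itself and strips any
 * client-supplied copies, and when the service is not reachable except through that proxy.
 *
 * <p>Requests that do not qualify for the admin role still proceed, with a security context that
 * carries an empty role set.
 */
@Provider
@Priority(1000) // 1000 is the value of javax.ws.rs.Priorities.AUTHENTICATION
public class SampleAuthorizationFilter implements DrKafkaAuthorizationFilter {
    private static final Logger LOG = LogManager.getLogger(SampleAuthorizationFilter.class);
    private static final String GROUPS_HEADER = "GROUPS";
    private static final String USER_HEADER = "USER";
    private static final Set<String> ADMIN_ROLE_SET =
        new HashSet<>(Arrays.asList(DoctorKafkaConfig.DRKAFKA_ADMIN_ROLE));
    private static final Set<String> EMPTY_ROLE_SET = new HashSet<>();

    // Group names whose members receive the admin role; filled once by configure().
    private Set<String> allowedAdminGroups = new HashSet<>();

    /**
     * Loads the admin group names from the configuration.
     *
     * <p>Entries are trimmed, and null or blank entries are dropped. A blank entry would otherwise
     * match the single empty token that an empty {@code GROUPS} header splits into, which would
     * grant the admin role to a request that names no group at all.
     *
     * @param doctorKafkaConfig configuration supplying the admin group list; a null list leaves
     *     the allowed set unchanged
     * @throws Exception declared by the interface; not thrown by this implementation itself
     */
    @Override
    public void configure(DoctorKafkaConfig doctorKafkaConfig) throws Exception {
        List<String> configuredGroups = doctorKafkaConfig.getDrKafkaAdminGroups();
        if (configuredGroups == null) {
            return;
        }
        for (String configured : configuredGroups) {
            String group = normalizeGroup(configured);
            if (group != null) {
                this.allowedAdminGroups.add(group);
            }
        }
        LOG.info("Following groups will be allowed admin access:{}", this.allowedAdminGroups);
    }

    /**
     * Attaches a {@code DrKafkaSecurityContext} to the request.
     *
     * <p>The admin role is assigned only when the {@code USER} header is present and non-blank and
     * the {@code GROUPS} header names at least one configured admin group. Every other request
     * gets a context with an empty role set; its principal is built from whatever the
     * {@code USER} header held, which may be {@code null}.
     *
     * @param containerRequestContext the incoming request
     * @throws IOException declared by the filter contract; not thrown by this implementation itself
     */
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        String userName = containerRequestContext.getHeaderString(USER_HEADER);
        String groupsHeader = containerRequestContext.getHeaderString(GROUPS_HEADER);

        boolean hasUser = userName != null && !userName.trim().isEmpty();
        if (hasUser && groupsHeader != null && hasAllowedAdminGroup(groupsHeader)) {
            DrKafkaSecurityContext adminContext =
                new DrKafkaSecurityContext(new UserPrincipal(userName), ADMIN_ROLE_SET);
            containerRequestContext.setSecurityContext(adminContext);
            // NOTE(review): the context is built from header text; confirm its toString() is safe
            // to write to the log as-is.
            LOG.info("Received authenticated request, created context:{}", adminContext);
            return;
        }

        containerRequestContext.setSecurityContext(
            new DrKafkaSecurityContext(new UserPrincipal(userName), EMPTY_ROLE_SET));
        // Message text (including its spelling) is kept unchanged so existing log searches match.
        LOG.info("Received annonymous request, bypassing authorizer");
    }

    /** Returns true when any comma-separated entry of the header is a configured admin group. */
    private boolean hasAllowedAdminGroup(String groupsHeader) {
        for (String token : groupsHeader.split(",")) {
            String group = normalizeGroup(token);
            if (group != null && this.allowedAdminGroups.contains(group)) {
                return true;
            }
        }
        return false;
    }

    /** Trims a group name; returns null for a null or blank name so it can never match. */
    private static String normalizeGroup(String rawGroup) {
        if (rawGroup == null) {
            return null;
        }
        String trimmed = rawGroup.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }
}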
