package io.confluent.connect.security;

import io.confluent.connect.secretregistry.rbac.config.provider.InternalSecretConfigProvider;
import io.confluent.connect.security.permissions.PermissionsResource;
import io.confluent.connect.security.util.Version;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.authorizer.Scope;
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.apache.kafka.common.config.AbstractConfig;
import org.apache.kafka.common.config.ConfigDef;
import org.apache.kafka.connect.health.ConnectClusterState;
import org.apache.kafka.connect.rest.ConnectRestExtension;
import org.apache.kafka.connect.rest.ConnectRestExtensionContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/connect/security/ConnectSecurityExtension.class */
public class ConnectSecurityExtension implements ConnectRestExtension {
    public static final String CONNECT_CLUSTER_TYPE = "connect-cluster";
    private static final Logger log = LoggerFactory.getLogger(ConnectSecurityExtension.class);
    private static final String STANDALONE_CLUSTER = "STANDALONE";
    private Map<String, ?> configs;
    private RestAuthorizer restAuthorizer;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/connect/security/ConnectSecurityExtension$ConfigProviderConfig.class */
    public static class ConfigProviderConfig extends AbstractConfig {
        private static final ConfigDef CONFIG_DEF = new ConfigDef().define("config.providers", ConfigDef.Type.LIST, Collections.emptyList(), ConfigDef.Importance.LOW, "");

        public ConfigProviderConfig(Map<?, ?> map) {
            super(CONFIG_DEF, map);
        }

        public List<String> configProviders() {
            return getList("config.providers");
        }
    }

    public void configure(Map<String, ?> map) {
        this.configs = map;
    }

    public void register(ConnectRestExtensionContext connectRestExtensionContext) {
        Scope determineScope = determineScope(this.configs, connectRestExtensionContext.clusterState());
        log.info("Registering RBAC authorizer on cluster with scope '{}'", determineScope);
        this.restAuthorizer = new RestAuthorizer();
        this.restAuthorizer.configure(this.configs);
        ConnectSecurityFilter connectSecurityFilter = new ConnectSecurityFilter(determineScope, this.restAuthorizer, connectRestExtensionContext.clusterState());
        PermissionsResource permissionsResource = new PermissionsResource(determineScope, this.restAuthorizer, connectRestExtensionContext.clusterState());
        String secretProviderName = secretProviderName();
        if (secretProviderName != null) {
            connectRestExtensionContext.configurable().register(new ConnectorSecretConfigFilter(secretProviderName));
        }
        connectRestExtensionContext.configurable().register(connectSecurityFilter);
        connectRestExtensionContext.configurable().register(permissionsResource);
    }

    public void close() {
        if (this.restAuthorizer != null) {
            try {
                this.restAuthorizer.close();
            } catch (IOException e) {
                log.error("Error while closing REST authorizer", e);
            } finally {
                this.restAuthorizer = null;
            }
        }
    }

    public String version() {
        return Version.getVersion();
    }

    private String secretProviderName() {
        ConfigProviderConfig configProviderConfig = new ConfigProviderConfig(this.configs);
        for (String str : configProviderConfig.configProviders()) {
            if (InternalSecretConfigProvider.class.getName().equals((String) configProviderConfig.originalsStrings().get(String.format("%s.%s.class", "config.providers", str)))) {
                return str;
            }
        }
        return null;
    }

    static Scope determineScope(Map<String, ?> map, ConnectClusterState connectClusterState) {
        String kafkaClusterId = connectClusterState.clusterDetails().kafkaClusterId();
        Object obj = map.get("group.id");
        return new Scope.Builder(new String[0]).withKafkaCluster(kafkaClusterId).withCluster(CONNECT_CLUSTER_TYPE, obj != null ? obj.toString() : STANDALONE_CLUSTER).build();
    }
}
