package io.confluent.connect.security;

import io.confluent.connect.security.permissions.PermissionsResource;
import io.confluent.connect.security.util.Version;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.authorizer.Scope;
import java.io.IOException;
import java.util.Map;
import org.apache.kafka.connect.health.ConnectClusterState;
import org.apache.kafka.connect.rest.ConnectRestExtension;
import org.apache.kafka.connect.rest.ConnectRestExtensionContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/connect/security/ConnectSecurityExtension.class */
public class ConnectSecurityExtension implements ConnectRestExtension {
    public static final String CONNECT_CLUSTER_TYPE = "connect-cluster";
    public static final String UNKNOWN_KAFKA_CLUSTER_ID = "UNKNOWN";
    private static final String InternalSecretConfigProvider_FQCN = "io.confluent.connect.secretregistry.rbac.config.provider.InternalSecretConfigProvider";
    private static final Logger log = LoggerFactory.getLogger(ConnectSecurityExtension.class);
    private ConnectSecurityExtensionConfig config;
    private RestAuthorizer restAuthorizer;

    public void configure(Map<String, ?> map) {
        this.config = new ConnectSecurityExtensionConfig(map);
    }

    public void register(ConnectRestExtensionContext connectRestExtensionContext) {
        Scope scope = scope(this.config.connectClusterId(), connectRestExtensionContext.clusterState());
        log.info("Registering RBAC authorizer on cluster with scope '{}'", scope);
        this.restAuthorizer = new RestAuthorizer();
        this.restAuthorizer.configure(this.config.originals());
        ConnectSecurityFilter connectSecurityFilter = new ConnectSecurityFilter(this.config, scope, this.restAuthorizer, connectRestExtensionContext.clusterState());
        PermissionsResource permissionsResource = new PermissionsResource(scope, this.restAuthorizer, connectRestExtensionContext.clusterState());
        String secretProviderName = secretProviderName();
        if (secretProviderName != null) {
            connectRestExtensionContext.configurable().register(new ConnectorSecretConfigFilter(secretProviderName));
        }
        connectRestExtensionContext.configurable().register(connectSecurityFilter);
        connectRestExtensionContext.configurable().register(permissionsResource);
    }

    public void close() {
        if (this.restAuthorizer != null) {
            try {
                this.restAuthorizer.close();
            } catch (IOException e) {
                log.error("Error while closing REST authorizer", e);
            } finally {
                this.restAuthorizer = null;
            }
        }
    }

    public String version() {
        return Version.getVersion();
    }

    private String secretProviderName() {
        for (String str : this.config.configProviders()) {
            if (InternalSecretConfigProvider_FQCN.equals(this.config.originals().get(String.format("%s.%s.class", "config.providers", str)).toString())) {
                return str;
            }
        }
        return null;
    }

    private static Scope scope(String str, ConnectClusterState connectClusterState) {
        String kafkaClusterId = connectClusterState.clusterDetails().kafkaClusterId();
        if (kafkaClusterId == null) {
            kafkaClusterId = UNKNOWN_KAFKA_CLUSTER_ID;
        }
        return new Scope.Builder(new String[0]).withKafkaCluster(kafkaClusterId).withCluster(CONNECT_CLUSTER_TYPE, str).build();
    }
}
