package io.confluent.connect.security;

import com.fasterxml.jackson.core.type.TypeReference;
import io.confluent.connect.security.util.ConnectRestUtils;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import org.apache.kafka.connect.errors.ConnectException;
import org.apache.kafka.connect.runtime.rest.entities.CreateConnectorRequest;
import org.apache.kafka.connect.runtime.rest.resources.ConnectorsResource;

/* loaded from: input_file:io/confluent/connect/security/ConnectorSecretConfigFilter.class */
public class ConnectorSecretConfigFilter implements ContainerRequestFilter {
    private static final Map<Method, Function<ContainerRequestContext, ConnectorAndConfig>> CONFIG_EXTRACTORS;
    private final Pattern secretPathReference;

    @Context
    private ResourceInfo resourceInfo;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/connect/security/ConnectorSecretConfigFilter$ConnectorAndConfig.class */
    public static class ConnectorAndConfig {
        public final String name;
        public final Map<String, String> config;

        public ConnectorAndConfig(String str, Map<String, String> map) {
            this.name = str;
            this.config = map;
        }
    }

    public ConnectorSecretConfigFilter(String str) {
        this.secretPathReference = Pattern.compile("\\$\\{" + Pattern.quote(str) + ":(([^}]*?):)?([^}]*?)\\}");
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        ConnectorAndConfig extractConnectorConfig = extractConnectorConfig(this.resourceInfo.getResourceMethod(), containerRequestContext);
        if (extractConnectorConfig == null) {
            return;
        }
        Iterator<String> it = extractConnectorConfig.config.values().iterator();
        while (it.hasNext()) {
            Stream<String> stream = secretPaths(it.next()).stream();
            String str = extractConnectorConfig.name;
            Objects.requireNonNull(str);
            if (!stream.allMatch((v1) -> {
                return r1.equals(v1);
            })) {
                ConnectRestUtils.abortRequest(containerRequestContext, Response.Status.FORBIDDEN, "All secret requests must include a path that matches the name of the connector");
                return;
            }
        }
    }

    Set<String> secretPaths(String str) {
        Matcher matcher = this.secretPathReference.matcher(str);
        HashSet hashSet = new HashSet();
        while (matcher.find()) {
            String group = matcher.group(2);
            hashSet.add(group != null ? group : "");
        }
        return hashSet;
    }

    static ConnectorAndConfig extractConnectorConfig(Method method, ContainerRequestContext containerRequestContext) {
        Function<ContainerRequestContext, ConnectorAndConfig> function = CONFIG_EXTRACTORS.get(method);
        if (function != null) {
            return function.apply(containerRequestContext);
        }
        return null;
    }

    static ConnectorAndConfig extractNewConfig(ContainerRequestContext containerRequestContext) {
        try {
            CreateConnectorRequest createConnectorRequest = (CreateConnectorRequest) ConnectRestUtils.readEntity(containerRequestContext, CreateConnectorRequest.class);
            return new ConnectorAndConfig(createConnectorRequest.name(), createConnectorRequest.config());
        } catch (IOException e) {
            throw new ConnectException("Failed to parse request entity", e);
        }
    }

    static ConnectorAndConfig extractAlteredConfig(ContainerRequestContext containerRequestContext) {
        try {
            return new ConnectorAndConfig(ConnectRestUtils.connectorName(containerRequestContext), (Map) ConnectRestUtils.readEntity(containerRequestContext, new TypeReference<Map<String, String>>() { // from class: io.confluent.connect.security.ConnectorSecretConfigFilter.1
            }));
        } catch (IOException e) {
            throw new ConnectException("Failed to parse request entity", e);
        }
    }

    static {
        try {
            Method method = ConnectorsResource.class.getMethod("createConnector", Boolean.class, HttpHeaders.class, CreateConnectorRequest.class);
            Method method2 = ConnectorsResource.class.getMethod("putConnectorConfig", String.class, HttpHeaders.class, Boolean.class, Map.class, Boolean.class);
            HashMap hashMap = new HashMap();
            hashMap.put(method, ConnectorSecretConfigFilter::extractNewConfig);
            hashMap.put(method2, ConnectorSecretConfigFilter::extractAlteredConfig);
            CONFIG_EXTRACTORS = Collections.unmodifiableMap(hashMap);
        } catch (NoSuchMethodException e) {
            throw new ConnectException("Failed to initialize Secret Registry RBAC filter", e);
        }
    }
}
