package io.confluent.ksql.security.authorizer;

import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.ksql.rest.server.resources.ServerInfoResource;
import io.confluent.ksql.rest.server.security.KsqlAuthorizer;
import io.confluent.ksql.security.utils.KsqlSecurityUtils;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.provider.HttpBearerCredentialProvider;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.stream.Stream;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/ksql/security/authorizer/KsqlRestAuthorizer.class */
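/**
 * {@link KsqlAuthorizer} that delegates endpoint access decisions to a remote
 * {@link RestAuthorizer}.
 *
 * <p>Decision flow of {@link #hasAccess(Principal, Class, String)}:
 * <ol>
 *   <li>the caller's principal is converted to a {@link JwtPrincipal};</li>
 *   <li>{@link ServerInfoResource} is allowed without consulting the authorizer;</li>
 *   <li>an endpoint with no entry in the {@link ResourceActionsMapping} is denied;</li>
 *   <li>otherwise the mapped {@link Action} is sent to the {@link RestAuthorizer} and access is
 *       granted only if every returned result is {@link AuthorizeResult#ALLOWED}.</li>
 * </ol>
 *
 * <p>The class fails closed: a missing mapping or an empty authorizer response denies access.
 */
public class KsqlRestAuthorizer implements KsqlAuthorizer {
    // Remote authorization client that makes the actual allow/deny decision.
    private final RestAuthorizer restAuthorizer;
    // Lookup from (resource class, method name) to the Action that must be authorized.
    private final ResourceActionsMapping resourceActionsMapping;

    /**
     * Creates an authorizer backed by the given client and endpoint-to-action mapping.
     *
     * @param restAuthorizer client used to evaluate actions for a principal
     * @param resourceActionsMapping mapping consulted to find the action an endpoint requires
     */
    public KsqlRestAuthorizer(RestAuthorizer restAuthorizer, ResourceActionsMapping resourceActionsMapping) {
        this.restAuthorizer = restAuthorizer;
        this.resourceActionsMapping = resourceActionsMapping;
    }

    /**
     * Decides whether {@code principal} may invoke the endpoint identified by {@code cls} and
     * {@code str}.
     *
     * @param principal the authenticated caller; converted with
     *     {@link KsqlSecurityUtils#toJwtPrincipal(Principal)}
     * @param cls the REST resource class being invoked
     * @param str second lookup key passed to the mapping together with {@code cls}
     *     (presumably the resource method name; confirm against ResourceActionsMapping)
     * @return {@code true} for {@link ServerInfoResource}, or when the authorizer returns a
     *     non-empty result list consisting only of {@link AuthorizeResult#ALLOWED};
     *     {@code false} otherwise
     */
    public boolean hasAccess(Principal principal, Class cls, String str) {
        // The conversion deliberately stays ahead of the server-info shortcut: whatever
        // toJwtPrincipal does with a non-JWT principal (not visible in this file) therefore
        // still applies to the server-info endpoint.
        JwtPrincipal jwtPrincipal = KsqlSecurityUtils.toJwtPrincipal(principal);
        if (isServerInfoEndpoint(cls)) {
            // Authorization bypass: this endpoint is never sent to the RestAuthorizer.
            return true;
        }

        Optional<Action> requiredAction = this.resourceActionsMapping.get(cls, str);
        if (!requiredAction.isPresent()) {
            // Default deny: an endpoint without a mapped action is never reachable.
            return false;
        }

        // The third argument is passed as null exactly as before; its meaning is defined by
        // RestAuthorizer and is not visible here.
        List<?> results = this.restAuthorizer.authorize(
                toBearerCredentials(jwtPrincipal),
                toKafkaUserPrincipal(jwtPrincipal),
                (String) null,
                Collections.singletonList(requiredAction.get()));
        if (results.isEmpty()) {
            // allMatch on an empty stream is vacuously true, so an empty answer must be
            // rejected explicitly to keep the decision fail-closed.
            return false;
        }

        // Fixed: the predicate previously referenced an undefined name (r1) and did not compile;
        // the intended comparison is against AuthorizeResult.ALLOWED.
        return results.stream().allMatch(AuthorizeResult.ALLOWED::equals);
    }

    /**
     * Returns whether {@code cls} is the server-info resource, which is exempt from
     * authorization.
     */
    private boolean isServerInfoEndpoint(Class cls) {
        return cls == ServerInfoResource.class;
    }

    /**
     * Wraps the principal's raw JWT in a bearer credential provider for the authorizer call.
     * The returned object carries the token itself, so it must not be logged.
     */
    private static HttpBearerCredentialProvider toBearerCredentials(JwtPrincipal jwtPrincipal) {
        return new HttpBearerCredentialProvider(jwtPrincipal.getJwt());
    }

    /** Builds the Kafka principal of type {@code "User"} named after the JWT principal. */
    private static KafkaPrincipal toKafkaUserPrincipal(JwtPrincipal jwtPrincipal) {
        return new KafkaPrincipal("User", jwtPrincipal.getName());
    }
}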
