package io.confluent.ksql.security.filter;

import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.ksql.rest.entity.KsqlErrorMessage;
import io.confluent.ksql.rest.server.context.KsqlRestContext;
import io.confluent.ksql.rest.server.resources.Errors;
import io.confluent.ksql.security.utils.KsqlSecurityUtils;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;

@Priority(5000)
/* loaded from: input_file:io/confluent/ksql/security/filter/KsqlSecurityRestContextFilter.class */
public class KsqlSecurityRestContextFilter implements ContainerRequestFilter {
    private String metadataServerUrl;

    public KsqlSecurityRestContextFilter(String str) {
        this.metadataServerUrl = str;
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        try {
            JwtPrincipal jwtPrincipal = KsqlSecurityUtils.toJwtPrincipal(containerRequestContext.getSecurityContext().getUserPrincipal());
            KsqlRestContext.set(containerRequestContext, new KsqlRestContext(KsqlSecurityUtils.getKafkaClientSupplierOAuthProperties(this.metadataServerUrl, jwtPrincipal), KsqlSecurityUtils.getSchemaRegistryClientHttpHeaders(jwtPrincipal)));
        } catch (Exception e) {
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(new KsqlErrorMessage(Errors.ERROR_CODE_UNAUTHORIZED, e.getMessage())).build());
        }
    }
}
