package io.confluent.ksql.security.filter;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.ksql.rest.entity.KsqlErrorMessage;
import io.confluent.ksql.rest.server.resources.Errors;
import io.confluent.ksql.rest.server.security.KsqlAuthorizer;
import java.io.IOException;
import java.security.Principal;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.kafka.common.errors.AuthorizationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Priority(2000)
/* loaded from: input_file:io/confluent/ksql/security/filter/KsqlAuthorizationFilter.class */
public class KsqlAuthorizationFilter implements ContainerRequestFilter {

    @Context
    private ResourceInfo resourceInfo;
    private final KsqlAuthorizer ksqlAuthorizer;
    private static final Logger log = LoggerFactory.getLogger(KsqlAuthorizationFilter.class);
    private static final KsqlErrorMessage UNAUTHORIZED_ERROR_MESSAGE = new KsqlErrorMessage(Errors.ERROR_CODE_UNAUTHORIZED, new AuthorizationException("Cannot authorize without supplying OAuth security credentials."));
    private static final KsqlErrorMessage FORBIDDEN_ERROR_MESSAGE = new KsqlErrorMessage(Errors.ERROR_CODE_FORBIDDEN, new AuthorizationException("You are forbidden from using this cluster."));

    public KsqlAuthorizationFilter(KsqlAuthorizer ksqlAuthorizer) {
        this.ksqlAuthorizer = ksqlAuthorizer;
    }

    @VisibleForTesting
    void setResourceInfo(ResourceInfo resourceInfo) {
        this.resourceInfo = resourceInfo;
    }

    private String toString(ResourceInfo resourceInfo) {
        return resourceInfo.getResourceClass().getName() + "#" + resourceInfo.getResourceMethod().getName();
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        if (userPrincipal == null || !(userPrincipal instanceof JwtPrincipal)) {
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity(UNAUTHORIZED_ERROR_MESSAGE).build());
            return;
        }
        try {
            if (!this.ksqlAuthorizer.hasAccess(userPrincipal, this.resourceInfo.getResourceClass(), this.resourceInfo.getResourceMethod().getName())) {
                containerRequestContext.abortWith(Response.status(Response.Status.FORBIDDEN).entity(FORBIDDEN_ERROR_MESSAGE).build());
            }
        } catch (Throwable th) {
            log.error("Could not authorize access to method: {}", toString(this.resourceInfo), th);
            containerRequestContext.abortWith(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(new KsqlErrorMessage(Errors.ERROR_CODE_SERVER_ERROR, th)).build());
        }
    }
}
