package io.confluent.ksql.security;

import io.confluent.kafka.schemaregistry.client.SchemaRegistryClient;
import io.confluent.ksql.rest.server.context.ConfiguredKafkaClientSupplier;
import io.confluent.ksql.rest.server.security.KsqlAuthorizer;
import io.confluent.ksql.rest.server.security.KsqlSecurityExtension;
import io.confluent.ksql.schema.registry.KsqlSchemaRegistryClientFactory;
import io.confluent.ksql.security.authorizer.KsqlResourceActionsMapping;
import io.confluent.ksql.security.authorizer.KsqlRestAuthorizer;
import io.confluent.ksql.security.filter.KsqlAuthorizationFilter;
import io.confluent.ksql.security.filter.KsqlSecurityRestContextFilter;
import io.confluent.ksql.security.utils.KsqlSecurityUtils;
import io.confluent.ksql.util.KsqlConfig;
import io.confluent.ksql.util.KsqlException;
import io.confluent.security.auth.client.RestAuthorizer;
import java.security.Principal;
import java.util.function.Supplier;
import javax.ws.rs.core.Configurable;
import org.apache.kafka.streams.KafkaClientSupplier;
import org.apache.kafka.streams.processor.internals.DefaultKafkaClientSupplier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/ksql/security/KsqlConfluentSecurityExtension.class */
public class KsqlConfluentSecurityExtension implements KsqlSecurityExtension {
    private static final Logger log = LoggerFactory.getLogger(KsqlConfluentSecurityExtension.class);
    private KsqlConfig ksqlConfig;
    private RestAuthorizer restAuthorizer;
    private KsqlAuthorizer ksqlAuthorizer;

    private void initialize(KsqlConfig ksqlConfig) {
        this.ksqlConfig = ksqlConfig;
        this.restAuthorizer = new RestAuthorizer();
        this.restAuthorizer.configure(ksqlConfig.originals());
        this.ksqlAuthorizer = new KsqlRestAuthorizer(this.restAuthorizer, new KsqlResourceActionsMapping(ksqlConfig.getString("ksql.service.id"), KsqlSecurityUtils.getKafkaClusterId(ksqlConfig)));
        log.info("KSQL security extension registered.");
    }

    public KsqlAuthorizer getAuthorizer() {
        return this.ksqlAuthorizer;
    }

    public void register(Configurable<?> configurable, KsqlConfig ksqlConfig) {
        initialize(ksqlConfig);
        configurable.register(createAuthorizationFilter());
        configurable.register(createRestContextFilter());
        log.info("KSQL REST endpoints registered.");
    }

    public KafkaClientSupplier getKafkaClientSupplier(Principal principal) {
        return new ConfiguredKafkaClientSupplier(new DefaultKafkaClientSupplier(), KsqlSecurityUtils.getKafkaClientSupplierOAuthProperties(getMetadataServerUrl(), KsqlSecurityUtils.toJwtPrincipal(principal)));
    }

    public Supplier<SchemaRegistryClient> getSchemaRegistryClientSupplier(Principal principal) {
        KsqlSchemaRegistryClientFactory ksqlSchemaRegistryClientFactory = new KsqlSchemaRegistryClientFactory(this.ksqlConfig, KsqlSecurityUtils.getSchemaRegistryClientHttpHeaders(KsqlSecurityUtils.toJwtPrincipal(principal)));
        ksqlSchemaRegistryClientFactory.getClass();
        return ksqlSchemaRegistryClientFactory::get;
    }

    private KsqlAuthorizationFilter createAuthorizationFilter() {
        return new KsqlAuthorizationFilter(this.ksqlAuthorizer);
    }

    private KsqlSecurityRestContextFilter createRestContextFilter() {
        return new KsqlSecurityRestContextFilter(getMetadataServerUrl());
    }

    private String getMetadataServerUrl() {
        return (String) this.ksqlConfig.originals().getOrDefault("confluent.metadata.bootstrap.server.urls", "");
    }

    public void close() {
        if (this.restAuthorizer != null) {
            try {
                this.restAuthorizer.close();
                this.restAuthorizer = null;
            } catch (Exception e) {
                throw new KsqlException("Failed to close the security rest authorizer", e);
            }
        }
        log.info("KSQL security extension deregistered.");
    }
}
