package io.confluent.ksql.security;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.ksql.security.authorizer.KsqlResourceActionsMapping;
import io.confluent.ksql.security.authorizer.KsqlRestAuthorizer;
import io.confluent.ksql.security.utils.KsqlSecurityUtils;
import io.confluent.ksql.util.KsqlConfig;
import io.confluent.ksql.util.KsqlException;
import io.confluent.security.auth.client.RestAuthorizer;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/ksql/security/KsqlConfluentSecurityExtension.class */
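/**
 * {@link KsqlSecurityExtension} that wires a {@link RestAuthorizer} into KSQL as its
 * authorization provider and installs a {@link KsqlUserContextProvider}.
 *
 * <p>Lifecycle: {@link #initialize(KsqlConfig)} must run before either getter is used, and
 * {@link #close()} releases the underlying authorizer. The fields are plain (non-volatile,
 * unsynchronized), so this class does not by itself guarantee safe publication across threads.
 */
public class KsqlConfluentSecurityExtension implements KsqlSecurityExtension {
    private static final Logger log = LoggerFactory.getLogger(KsqlConfluentSecurityExtension.class);
    // Not referenced anywhere in this class as shown.
    private static final String SASL_PREFIX = "SASL_";
    private RestAuthorizer restAuthorizer;
    private KsqlAuthorizationProvider authorizationProvider;
    private KsqlUserContextProvider userContextProvider;
    private final Supplier<RestAuthorizer> restAuthBuilder;
    private final Function<KsqlConfig, String> kafkaClusterIdSupplier;

    /** Creates the extension with the production authorizer factory and cluster-id lookup. */
    public KsqlConfluentSecurityExtension() {
        this(RestAuthorizer::new, KsqlSecurityUtils::getKafkaClusterId);
    }

    /**
     * Test seam that lets callers substitute the authorizer factory and the cluster-id lookup.
     *
     * @param supplier factory for the {@link RestAuthorizer}; must not be null
     * @param function resolves the Kafka cluster id from the config; must not be null
     * @throws NullPointerException if either argument is null
     */
    @VisibleForTesting
    KsqlConfluentSecurityExtension(Supplier<RestAuthorizer> supplier, Function<KsqlConfig, String> function) {
        // Typed assignment: the raw (Supplier)/(Function) casts only produced unchecked warnings.
        this.restAuthBuilder = Objects.requireNonNull(supplier, "restAuthBuilder");
        this.kafkaClusterIdSupplier = Objects.requireNonNull(function, "kafkaClusterIdSupplier");
    }

    /**
     * Validates the configuration, then builds and configures the authorizer and providers.
     *
     * @param ksqlConfig server configuration; its original properties are handed to the authorizer
     * @throws KsqlException if {@code security.protocol} is missing or not a SASL protocol
     */
    public void initialize(KsqlConfig ksqlConfig) {
        // Validate first so that nothing is constructed for a rejected configuration.
        checkInvalidConfiguration(ksqlConfig);
        this.restAuthorizer = this.restAuthBuilder.get();
        this.restAuthorizer.configure(ksqlConfig.originals());
        final String serviceId = ksqlConfig.getString("ksql.service.id");
        final String kafkaClusterId = this.kafkaClusterIdSupplier.apply(ksqlConfig);
        this.authorizationProvider = new KsqlRestAuthorizer(
                this.restAuthorizer, new KsqlResourceActionsMapping(serviceId, kafkaClusterId));
        this.userContextProvider = new KsqlUserContextProviderImpl(ksqlConfig);
        log.info("KSQL security extension registered.");
    }

    /**
     * Rejects any admin-client {@code security.protocol} other than SASL_PLAINTEXT or SASL_SSL.
     *
     * <p>Security note: SASL_PLAINTEXT authenticates the client but does not encrypt the
     * connection, so it is only appropriate where the network path is protected by other
     * means; SASL_SSL is the safer choice.
     *
     * @throws KsqlException if the value is absent, empty, unknown, or a non-SASL protocol
     */
    private void checkInvalidConfiguration(KsqlConfig ksqlConfig) {
        final Object configured = ksqlConfig.getKsqlAdminClientConfigProps().getOrDefault("security.protocol", "");
        // A key mapped to null, or a non-String value, is reported through the same KsqlException
        // path as any other bad value instead of escaping as an NPE or ClassCastException.
        final String str = Objects.toString(configured, "");
        if (str.isEmpty()) {
            throwInitializationException(String.format("'%s' is empty. Only SASL_PLAINTEXT and SASL_SSL are allowed.", "security.protocol"));
        }
        try {
            SecurityProtocol forName = SecurityProtocol.forName(str);
            if (forName != SecurityProtocol.SASL_PLAINTEXT && forName != SecurityProtocol.SASL_SSL) {
                throwInitializationException(String.format("Unsupported '%s' value (%s). Only SASL_PLAINTEXT and SASL_SSL are allowed.", "security.protocol", str));
            }
        } catch (IllegalArgumentException e) {
            // forName() rejected the name, i.e. it is not a known protocol at all.
            throwInitializationException(String.format("Unknown '%s' value (%s). Only SASL_PLAINTEXT and SASL_SSL are allowed.", "security.protocol", str));
        }
    }

    /** Always throws a {@link KsqlException} carrying the RBAC initialization prefix. */
    private void throwInitializationException(String str) {
        throw new KsqlException(String.format("Failed to initialize Confluent RBAC: %s", str));
    }

    /**
     * Returns the authorization provider built by {@link #initialize(KsqlConfig)}.
     *
     * <p>Deliberately fails instead of returning {@code Optional.empty()} when the extension
     * has not been initialized: an empty result could be read by a caller as "no authorization
     * configured".
     *
     * @throws NullPointerException if called before {@code initialize}
     */
    public Optional<KsqlAuthorizationProvider> getAuthorizationProvider() {
        // NOTE(review): after close() this still returns the provider that wraps the closed
        // authorizer; confirm whether callers can reach this getter after shutdown.
        return Optional.of(Objects.requireNonNull(
                this.authorizationProvider, "authorizationProvider is not set; initialize() must be called first"));
    }

    /**
     * Returns the user context provider built by {@link #initialize(KsqlConfig)}.
     *
     * @throws NullPointerException if called before {@code initialize}
     */
    public Optional<KsqlUserContextProvider> getUserContextProvider() {
        return Optional.of(Objects.requireNonNull(
                this.userContextProvider, "userContextProvider is not set; initialize() must be called first"));
    }

    /**
     * Closes the authorizer if one was created. Safe to call when {@code initialize} never ran.
     *
     * @throws KsqlException if the authorizer fails to close; the reference is kept in that
     *     case, so a later call attempts the close again
     */
    public void close() {
        if (this.restAuthorizer != null) {
            try {
                this.restAuthorizer.close();
                this.restAuthorizer = null;
            } catch (Exception e) {
                throw new KsqlException("Failed to close the security rest authorizer", e);
            }
        }
        log.info("KSQL security extension deregistered.");
    }
}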
