package io.confluent.ksql.security.authorizer;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableMap;
import io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException;
import io.confluent.ksql.exception.KsqlSchemaAuthorizationException;
import io.confluent.ksql.security.KsqlSecurityContext;
import io.confluent.ksql.security.clients.KsqlSchemaRegistryPermissionsClient;
import io.confluent.ksql.security.utils.KsqlSecurityUtils;
import io.confluent.ksql.util.KsqlConfig;
import io.confluent.ksql.util.KsqlException;
import java.io.IOException;
import java.util.Collection;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.function.BiFunction;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.common.acl.AclOperation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/ksql/security/authorizer/KsqlSchemaRegistryPermissionsValidator.class */
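/**
 * Enforces Schema Registry subject-level permissions for KSQL by asking the Schema Registry
 * {@code /permissions} endpoint what operations the calling principal may perform on a subject.
 *
 * <p>Every check fails closed: if Schema Registry cannot be reached, or answers with an error
 * that is not an unambiguous "endpoint absent" (404) during feature detection, a
 * {@link KsqlException} is thrown rather than access being granted implicitly.
 *
 * <p>Instances are immutable; thread-safety otherwise depends on the client returned by the
 * injected factory.
 */
public class KsqlSchemaRegistryPermissionsValidator {
    private static final Logger log =
        LoggerFactory.getLogger(KsqlSchemaRegistryPermissionsValidator.class);

    /** Config key holding the Schema Registry URL; an empty value disables the checks. */
    private static final String SCHEMA_REGISTRY_URL_CONFIG = "ksql.schema.registry.url";

    /** HTTP status Schema Registry returns when {@code /permissions} is not served. */
    private static final int HTTP_NOT_FOUND = 404;

    private final KsqlConfig ksqlConfig;

    /**
     * Creates a permissions client. The second argument is the set of HTTP headers forwarded
     * to Schema Registry, which is how the end user's identity is propagated (see
     * {@link #getHttpHeaders(KsqlSecurityContext)}).
     */
    private final BiFunction<KsqlConfig, Map<String, String>, KsqlSchemaRegistryPermissionsClient>
        srPermissionsClientFactory;

    /**
     * Creates a validator backed by the default {@link KsqlSchemaRegistryPermissionsClient}.
     *
     * @param ksqlConfig the server configuration; must not be {@code null}
     */
    public KsqlSchemaRegistryPermissionsValidator(final KsqlConfig ksqlConfig) {
        this(ksqlConfig, KsqlSchemaRegistryPermissionsClient::new);
    }

    /**
     * Creates a validator with an injectable client factory (for tests).
     *
     * @param ksqlConfig the server configuration; must not be {@code null}
     * @param clientFactory produces a permissions client from the config and the per-request
     *     HTTP headers; must not be {@code null}
     * @throws NullPointerException if either argument is {@code null}
     */
    @VisibleForTesting
    KsqlSchemaRegistryPermissionsValidator(
        final KsqlConfig ksqlConfig,
        final BiFunction<KsqlConfig, Map<String, String>, KsqlSchemaRegistryPermissionsClient>
            clientFactory
    ) {
        this.ksqlConfig = Objects.requireNonNull(ksqlConfig, "ksqlConfig");
        this.srPermissionsClientFactory =
            Objects.requireNonNull(clientFactory, "srPermissionsClientFactory");
    }

    /**
     * Detects whether the configured Schema Registry exposes the {@code /permissions} endpoint,
     * using the default client.
     *
     * @param ksqlConfig the server configuration
     * @return {@code true} if a Schema Registry URL is configured and its {@code /permissions}
     *     endpoint responds; {@code false} if no URL is configured or the endpoint is absent
     * @throws KsqlException if the endpoint cannot be probed for any reason other than a 404
     */
    public static boolean isSchemaRegistryPermissionsEnabled(final KsqlConfig ksqlConfig) {
        return isSchemaRegistryPermissionsEnabled(
            ksqlConfig, KsqlSchemaRegistryPermissionsClient::new);
    }

    /**
     * Detects whether the configured Schema Registry exposes the {@code /permissions} endpoint.
     *
     * <p>Only a 404 from Schema Registry is treated as "feature not available". Any other
     * failure (network error, 401/403, 5xx, ...) is propagated, so a misconfigured or
     * unreachable registry cannot silently disable authorization.
     *
     * @param ksqlConfig the server configuration
     * @param clientFactory produces the permissions client used for the probe
     * @return {@code true} if the endpoint responds; {@code false} if no Schema Registry URL
     *     is configured or the endpoint returns 404
     * @throws KsqlException if the probe fails for any reason other than a 404
     */
    @VisibleForTesting
    static boolean isSchemaRegistryPermissionsEnabled(
        final KsqlConfig ksqlConfig,
        final BiFunction<KsqlConfig, Map<String, String>, KsqlSchemaRegistryPermissionsClient>
            clientFactory
    ) {
        final String schemaRegistryUrl = ksqlConfig.getString(SCHEMA_REGISTRY_URL_CONFIG);
        // No URL configured means no Schema Registry integration at all, hence nothing to check.
        if (schemaRegistryUrl == null || schemaRegistryUrl.trim().isEmpty()) {
            return false;
        }

        log.info("Checking if Schema Registry /permissions is configured");
        try {
            // The probe carries no user headers: it only needs to establish that the endpoint
            // exists, not what any particular principal is allowed to do.
            clientFactory.apply(ksqlConfig, ImmutableMap.of()).permissions();
            log.info("Schema Registry /permissions endpoint found");
            return true;
        } catch (IOException | RestClientException e) {
            // In a multi-catch the static type of `e` is the common supertype, so the status
            // code is only reachable after narrowing to RestClientException.
            if (e instanceof RestClientException
                && ((RestClientException) e).getStatus() == HTTP_NOT_FOUND) {
                log.info("Schema Registry /permissions endpoint not found");
                return false;
            }
            throw new KsqlException(
                "Unable to check /permissions endpoint on SchemaRegistry: " + e.getMessage(), e);
        }
    }

    /**
     * Verifies that the principal in {@code ksqlSecurityContext} may perform
     * {@code aclOperation} on the given Schema Registry subject.
     *
     * <p>The permitted operations are fetched from Schema Registry with the caller's identity
     * forwarded as HTTP headers. Permission names are compared as capitalised operation names
     * (e.g. {@code "Read"}, {@code "Write"}), derived from {@link AclOperation#name()}.
     *
     * @param ksqlSecurityContext the security context of the request being authorized
     * @param subject the Schema Registry subject being accessed
     * @param aclOperation the operation the caller wants to perform
     * @throws KsqlSchemaAuthorizationException if the operation is not among the permitted ones
     * @throws KsqlException if the permissions cannot be retrieved; access is never granted
     *     on failure
     */
    public void checkSubjectAccess(
        final KsqlSecurityContext ksqlSecurityContext,
        final String subject,
        final AclOperation aclOperation
    ) {
        // Locale.ROOT keeps the case mapping locale-independent. With the default locale
        // (e.g. Turkish) "WRITE".toLowerCase() yields a dotless i, the capitalised form never
        // matches what Schema Registry reports, and every request is spuriously denied.
        final String operationLowerCase = aclOperation.name().toLowerCase(Locale.ROOT);
        final String expectedPermission = StringUtils.capitalize(operationLowerCase);

        try {
            final Collection<String> permissions = srPermissionsClientFactory
                .apply(ksqlConfig, getHttpHeaders(ksqlSecurityContext))
                .permissions(subject);

            // A missing permission list is treated like an empty one: deny rather than NPE.
            if (permissions == null || !permissions.contains(expectedPermission)) {
                log.debug(
                    "KsqlSchemaAuthorizationException. Permitted operations ({}) do not contain Operation ({})",
                    permissions,
                    operationLowerCase);
                throw new KsqlSchemaAuthorizationException(aclOperation, subject);
            }
        } catch (IOException | RestClientException e) {
            throw new KsqlException(
                "Unable to check /permissions endpoint on SchemaRegistry: " + e.getMessage(), e);
        }
    }

    /**
     * Builds the HTTP headers that identify the calling user to Schema Registry.
     *
     * <p>If the context carries no user principal, an empty map is returned and the client
     * falls back to whatever credentials the configuration supplies.
     *
     * @param ksqlSecurityContext the security context of the current request
     * @return the headers to forward, never {@code null}
     */
    private Map<String, String> getHttpHeaders(final KsqlSecurityContext ksqlSecurityContext) {
        return ksqlSecurityContext.getUserPrincipal()
            .map(principal -> KsqlSecurityUtils.toJwtPrincipal(principal))
            .map(KsqlSecurityUtils::getSchemaRegistryClientHttpHeaders)
            .orElse(ImmutableMap.of());
    }
}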
