package io.confluent.ksql.security.authorizer;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.common.security.auth.JwtPrincipal;
import io.confluent.common.security.util.JwtUtils;
import io.confluent.ksql.security.utils.KsqlSecurityUtils;
import io.confluent.ksql.util.KsqlConfig;
import io.confluent.security.auth.client.RestAuthorizer;
import io.confluent.security.auth.client.provider.HttpBearerCredentialProvider;
import io.confluent.security.authorizer.Action;
import io.confluent.security.authorizer.AuthorizeResult;
import io.confluent.security.authorizer.Operation;
import io.confluent.security.authorizer.ResourceType;
import io.confluent.security.authorizer.Scope;
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Supplier;
import org.apache.kafka.common.security.auth.ConfluentPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/ksql/security/authorizer/MdsRestAuthorizationDecisionMaker.class */
public class MdsRestAuthorizationDecisionMaker implements AuthorizationDecisionMaker {
    private static final String KSQL_CLUSTER_TYPE = "ksql-cluster";
    private static final ResourceType KSQL_RESOURCE_TYPE = new ResourceType("KsqlCluster");
    private final RestAuthorizer mdsRestAuthorizer;
    private final Function<KsqlConfig, String> kafkaClusterIdSupplier;
    private Scope scope;

    public MdsRestAuthorizationDecisionMaker() {
        this(RestAuthorizer::new, KsqlSecurityUtils::getKafkaClusterId);
    }

    @VisibleForTesting
    MdsRestAuthorizationDecisionMaker(Supplier<RestAuthorizer> supplier, Function<KsqlConfig, String> function) {
        this.mdsRestAuthorizer = (RestAuthorizer) ((Supplier) Objects.requireNonNull(supplier, "restAuthorizerSupplier")).get();
        this.kafkaClusterIdSupplier = (Function) Objects.requireNonNull(function, "kafkaClusterIdSupplier");
    }

    @Override // io.confluent.ksql.security.authorizer.AuthorizationDecisionMaker
    public void initialize(KsqlConfig ksqlConfig) {
        this.mdsRestAuthorizer.configure(ksqlConfig.originals());
        String string = ksqlConfig.getString("ksql.service.id");
        this.scope = new Scope.Builder(new String[0]).withCluster(KSQL_CLUSTER_TYPE, string).withKafkaCluster(this.kafkaClusterIdSupplier.apply(ksqlConfig)).build();
    }

    @Override // io.confluent.ksql.security.authorizer.AuthorizationDecisionMaker
    public void close() throws IOException {
        this.mdsRestAuthorizer.close();
    }

    @Override // io.confluent.ksql.security.authorizer.AuthorizationDecisionMaker
    public AuthorizeResult checkAuthorization(Principal principal, String str, String str2, String str3) {
        JwtPrincipal jwtPrincipal = (JwtPrincipal) KsqlSecurityUtils.toPrincipalType(principal, JwtPrincipal.class);
        List authorize = this.mdsRestAuthorizer.authorize(toBearerCredentials(jwtPrincipal), toKafkaUserPrincipal(jwtPrincipal), (String) null, Collections.singletonList(new Action(this.scope, new ResourceType(str), KSQL_CLUSTER_TYPE, new Operation(str3))));
        if (authorize.size() != 1) {
            throw new IllegalStateException("MDS returned unexpected results. Expected 1, got " + authorize.size());
        }
        return (AuthorizeResult) authorize.get(0);
    }

    private HttpBearerCredentialProvider toBearerCredentials(JwtPrincipal jwtPrincipal) {
        return new HttpBearerCredentialProvider(jwtPrincipal.getJwt());
    }

    private KafkaPrincipal toKafkaUserPrincipal(JwtPrincipal jwtPrincipal) {
        Set groupsFromJwtPrincipal = JwtUtils.getGroupsFromJwtPrincipal(jwtPrincipal);
        return !groupsFromJwtPrincipal.isEmpty() ? new ConfluentPrincipal("User", jwtPrincipal.getName(), jwtPrincipal.getName(), Optional.empty(), false, groupsFromJwtPrincipal) : new KafkaPrincipal("User", jwtPrincipal.getName());
    }
}
