package io.confluent.ksql.security.authorizer;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableMap;
import io.confluent.ksql.security.AuthObjectType;
import io.confluent.ksql.security.KsqlAccessValidator;
import io.confluent.ksql.security.KsqlAuthorizationProvider;
import io.confluent.ksql.security.KsqlBackendAccessValidator;
import io.confluent.ksql.security.KsqlSecurityContext;
import io.confluent.security.authorizer.AuthorizeResult;
import java.security.Principal;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.errors.AuthorizationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/ksql/security/authorizer/KsqlAuthorizationProviderImpl.class */
public class KsqlAuthorizationProviderImpl implements KsqlAuthorizationProvider {
    private static final String CONTRIBUTE = "Contribute";
    private final AuthorizationDecisionMaker authorizationDecisionMaker;
    private final KsqlAccessValidator kafkaPermissionsValidator;
    private final Optional<KsqlSchemaRegistryPermissionsValidator> schemaRegistryPermissionsValidator;
    private static final Logger LOG = LoggerFactory.getLogger(KsqlAuthorizationProviderImpl.class);
    private static final KsqlAccessValidator KAFKA_BACKEND_VALIDATOR = new KsqlBackendAccessValidator();
    private static final String TERMINATE = "Terminate";
    private static final Map<String, String> ENDPOINT_OPERATION_MAP = new ImmutableMap.Builder().put("/ksql/terminate", TERMINATE).build();

    /* renamed from: io.confluent.ksql.security.authorizer.KsqlAuthorizationProviderImpl$1, reason: invalid class name */
    /* loaded from: input_file:io/confluent/ksql/security/authorizer/KsqlAuthorizationProviderImpl$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$confluent$ksql$security$AuthObjectType = new int[AuthObjectType.values().length];

        static {
            try {
                $SwitchMap$io$confluent$ksql$security$AuthObjectType[AuthObjectType.TOPIC.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$confluent$ksql$security$AuthObjectType[AuthObjectType.SUBJECT.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    public KsqlAuthorizationProviderImpl(AuthorizationDecisionMaker authorizationDecisionMaker, Optional<KsqlSchemaRegistryPermissionsValidator> optional) {
        this(authorizationDecisionMaker, KAFKA_BACKEND_VALIDATOR, optional);
    }

    @VisibleForTesting
    KsqlAuthorizationProviderImpl(AuthorizationDecisionMaker authorizationDecisionMaker, KsqlAccessValidator ksqlAccessValidator, Optional<KsqlSchemaRegistryPermissionsValidator> optional) {
        this.authorizationDecisionMaker = authorizationDecisionMaker;
        this.kafkaPermissionsValidator = ksqlAccessValidator;
        this.schemaRegistryPermissionsValidator = optional;
    }

    @VisibleForTesting
    public Optional<KsqlSchemaRegistryPermissionsValidator> getSchemaRegistryPermissionsValidator() {
        return this.schemaRegistryPermissionsValidator;
    }

    public void checkEndpointAccess(Principal principal, String str, String str2) {
        if (isServerInfoEndpoint(str2)) {
            return;
        }
        String orDefault = ENDPOINT_OPERATION_MAP.getOrDefault(str2.toLowerCase(), CONTRIBUTE);
        LOG.debug("Checking authorization for principal '{}' to perform '{}' on endpoint '{}'", new Object[]{principal.getName(), orDefault, str2});
        if (this.authorizationDecisionMaker.checkAuthorization(principal, "KsqlCluster", "", orDefault) != AuthorizeResult.ALLOWED) {
            LOG.warn("User:{} is Denied operation = {} on endpoint = \"{} {}\"", new Object[]{principal.getName(), orDefault, str, str2});
            throw new AuthorizationException("You are forbidden from using this cluster.");
        }
        LOG.info("User:{} is Allowed operation = {} on endpoint = \"{} {}\"", new Object[]{principal.getName(), orDefault, str, str2});
    }

    public void checkPrivileges(KsqlSecurityContext ksqlSecurityContext, AuthObjectType authObjectType, String str, List<AclOperation> list) {
        switch (AnonymousClass1.$SwitchMap$io$confluent$ksql$security$AuthObjectType[authObjectType.ordinal()]) {
            case 1:
                list.forEach(aclOperation -> {
                    this.kafkaPermissionsValidator.checkTopicAccess(ksqlSecurityContext, str, aclOperation);
                });
                return;
            case 2:
                this.schemaRegistryPermissionsValidator.ifPresent(ksqlSchemaRegistryPermissionsValidator -> {
                    list.forEach(aclOperation2 -> {
                        ksqlSchemaRegistryPermissionsValidator.checkSubjectAccess(ksqlSecurityContext, str, aclOperation2);
                    });
                });
                return;
            default:
                return;
        }
    }

    private boolean isServerInfoEndpoint(String str) {
        return str.equals("/info");
    }
}
