package io.confluent.kafka.schemaregistry.security.authorizer.topicacl;

import io.confluent.kafka.schemaregistry.rest.SchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizeRequest;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerException;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryResourceOperation;
import io.confluent.kafka.schemaregistry.security.config.SecureSchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import jersey.repackaged.com.google.common.collect.ImmutableMap;
import kafka.network.RequestChannel;
import kafka.security.auth.Operation;
import kafka.security.auth.Read$;
import kafka.security.auth.Resource;
import kafka.security.auth.SimpleAclAuthorizer;
import kafka.security.auth.Write$;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/authorizer/topicacl/SimpleTopicAclAuthorizer.class */
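/**
 * Schema Registry authorizer that decides subject-level access by consulting Kafka topic ACLs
 * through {@link SimpleAclAuthorizer}, and global operations through a configured super-user list.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The client address handed to the ACL check may come from the {@code X-FORWARDED-FOR}
 *       request header (see {@link #getClientAddress(HttpServletRequest)}). That header is
 *       supplied by the caller unless a fronting proxy overwrites it, so host-based ACL rules are
 *       only meaningful when the registry is reachable exclusively through such a proxy.</li>
 *   <li>Every failure to map an operation or to determine a client address results in a denial
 *       (fail closed).</li>
 * </ul>
 */
public class SimpleTopicAclAuthorizer extends AbstractSchemaRegistryAuthorizer {
    // Maps each Schema Registry operation onto the Kafka topic operation whose ACL guards it.
    // Operations without an entry are denied in authorizeSubjectOperation.
    private static final Map<SchemaRegistryResourceOperation, Operation> OPERATION_MAP = new HashMap<>();

    static {
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_READ, Read$.MODULE$);
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SUBJECT_READ, Read$.MODULE$);
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SCHEMA_READ, Read$.MODULE$);
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_WRITE, Write$.MODULE$);
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SUBJECT_WRITE, Write$.MODULE$);
        // Deleting a subject is guarded by the topic's Write ACL; there is no separate delete ACL here.
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SUBJECT_DELETE, Write$.MODULE$);
    }

    private SimpleAclAuthorizer simpleAclAuthorizer = new SimpleAclAuthorizer();
    private Set<String> superUsers = new HashSet<>();

    /**
     * Reads the super-user list from the registry configuration and configures the underlying
     * Kafka ACL authorizer.
     *
     * <p>The super-user setting is split on {@code ';'}; empty entries are discarded. Entries are
     * not trimmed, so surrounding whitespace becomes part of the user name. The Kafka authorizer
     * is configured with {@code allow.everyone.if.no.acl.found=false}, i.e. a topic without ACLs
     * is not open to everyone.
     *
     * @param schemaRegistryConfig registry configuration supplying the super users and the
     *        {@code kafkastore.connection.url} used as the ZooKeeper connect string
     * @param schemaRegistry the registry instance, passed through to the superclass
     * @throws AuthorizerException declared by the overridden method
     */
    @Override
    public void configure(SchemaRegistryConfig schemaRegistryConfig, SchemaRegistry schemaRegistry) throws AuthorizerException {
        super.configure(schemaRegistryConfig, schemaRegistry);
        String configuredSuperUsers =
                schemaRegistryConfig.getString(SecureSchemaRegistryConfig.CONFLUENT_TOPIC_ACL_SUPER_USERS_CONFIG);
        this.superUsers.addAll(Arrays.asList(configuredSuperUsers.split(";")));
        // split() yields "" for an empty setting or for ";;"; an empty name must never be a super user.
        this.superUsers.remove("");
        this.simpleAclAuthorizer.configure(ImmutableMap.of(
                "zookeeper.connect", schemaRegistryConfig.getString("kafkastore.connection.url"),
                "allow.everyone.if.no.acl.found", false,
                "super.users", createUserString(this.superUsers)));
    }

    /**
     * Authorizes an operation that is not tied to a single subject.
     *
     * @param str the authenticated user name
     * @param schemaRegistryResourceOperation the requested operation (not consulted)
     * @param authorizeRequest the request context (not consulted)
     * @return {@code true} only when the user is one of the configured super users
     */
    @Override
    public boolean authorizeGlobalOperation(String str, SchemaRegistryResourceOperation schemaRegistryResourceOperation, AuthorizeRequest authorizeRequest) {
        return this.superUsers.contains(str);
    }

    /**
     * Authorizes an operation on a subject by checking the Kafka ACLs of the topic the subject
     * maps to.
     *
     * @param str the authenticated user name, checked as Kafka principal {@code User:<name>}
     * @param str2 the subject name; mapped to a topic by {@link #getAuthorizationSubject(String)}
     * @param schemaRegistryResourceOperation the requested operation
     * @param authorizeRequest request context providing the servlet request
     * @return {@code true} if the Kafka authorizer allows the mapped operation on the topic;
     *         {@code false} if it denies it, if the operation has no ACL mapping, or if no client
     *         address could be determined
     */
    @Override
    public boolean authorizeSubjectOperation(String str, String str2, SchemaRegistryResourceOperation schemaRegistryResourceOperation, AuthorizeRequest authorizeRequest) {
        Operation kafkaOperation = OPERATION_MAP.get(schemaRegistryResourceOperation);
        if (kafkaOperation == null) {
            // Fail closed: an operation without a mapping must not reach the ACL check as null.
            return false;
        }
        InetAddress clientAddress = getClientAddress(authorizeRequest.getHttpServletRequest());
        if (clientAddress == null) {
            // Fail closed: without an address host-based ACL rules cannot be evaluated, and the
            // Kafka authorizer's handling of a null address is not defined in this file.
            return false;
        }
        RequestChannel.Session session =
                new RequestChannel.Session(new KafkaPrincipal("User", str), clientAddress);
        Resource topic = Resource.fromString("Topic:" + getAuthorizationSubject(str2));
        return this.simpleAclAuthorizer.authorize(session, kafkaOperation, topic);
    }

    /**
     * Maps a subject name to the topic name whose ACLs govern it by stripping a trailing
     * {@code -key} and then a trailing {@code -value}.
     *
     * <p>NOTE(review): both suffixes are stripped in sequence, so {@code "t-value-key"} maps to
     * {@code "t"} rather than to {@code "t-value"}. A subject belonging to a topic whose own name
     * ends in {@code -value} is therefore checked against a different topic's ACLs. Confirm
     * whether that is intended before relying on per-topic isolation for such names.
     *
     * @param str the subject name
     * @return the topic name used for the ACL lookup
     */
    @Override
    public String getAuthorizationSubject(String str) {
        return removeSuffix(removeSuffix(str, "-key"), "-value");
    }

    /** Returns {@code str} without the trailing {@code str2}, or unchanged if it does not end with it. */
    private String removeSuffix(String str, String str2) {
        if (!str.endsWith(str2)) {
            return str;
        }
        return str.substring(0, str.length() - str2.length());
    }

    /**
     * Determines the client address used for host-based ACL evaluation.
     *
     * <p>The {@code X-FORWARDED-FOR} header is preferred over the socket peer address. That header
     * is attacker-controllable whenever clients can reach the registry without passing through a
     * proxy that sets or strips it; in such a deployment host-based allow/deny rules can be
     * satisfied or evaded by the caller. A header carrying a proxy chain
     * ({@code "a, b"}) is not split and fails to parse, which yields {@code null}.
     *
     * <p>A blank header is treated as absent. {@link InetAddress#getByName(String)} returns the
     * loopback address for an empty string, so passing a blank value through would let a caller
     * present itself as localhost.
     *
     * <p>NOTE(review): {@code getByName} resolves host names, so a header holding a name rather
     * than an IP literal causes a DNS lookup on a caller-chosen name.
     *
     * @param httpServletRequest the incoming request
     * @return the parsed address, or {@code null} if none is available or it cannot be resolved
     */
    InetAddress getClientAddress(HttpServletRequest httpServletRequest) {
        String candidate = httpServletRequest.getHeader("X-FORWARDED-FOR");
        if (candidate == null || candidate.trim().isEmpty()) {
            candidate = httpServletRequest.getRemoteAddr();
        }
        if (candidate == null || candidate.trim().isEmpty()) {
            return null;
        }
        try {
            return InetAddress.getByName(candidate);
        } catch (UnknownHostException e) {
            // Unparseable or unresolvable value: report "no address" so the caller denies.
            return null;
        }
    }

    /** Renders the user names as the {@code ';'}-separated {@code User:<name>} list Kafka expects. */
    private String createUserString(Set<String> set) {
        StringBuilder joined = new StringBuilder();
        for (String user : set) {
            if (joined.length() != 0) {
                joined.append(";");
            }
            joined.append("User:").append(user);
        }
        return joined.toString();
    }
}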
