package io.confluent.kafka.schemaregistry.security.filter;

import io.confluent.kafka.schemaregistry.rest.exceptions.RestSchemaRegistryException;
import io.confluent.kafka.schemaregistry.rest.resources.CompatibilityResource;
import io.confluent.kafka.schemaregistry.rest.resources.ConfigResource;
import io.confluent.kafka.schemaregistry.rest.resources.RootResource;
import io.confluent.kafka.schemaregistry.rest.resources.SchemasResource;
import io.confluent.kafka.schemaregistry.rest.resources.SubjectVersionsResource;
import io.confluent.kafka.schemaregistry.rest.resources.SubjectsResource;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizeRequest;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerException;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryAuthorizer;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryResourceOperation;
import io.confluent.kafka.schemaregistry.security.config.SecureSchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

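/**
 * JAX-RS request filter that asks a pluggable {@link SchemaRegistryAuthorizer} whether the
 * caller may perform the operation implied by the matched resource class, HTTP method and
 * presence of a {@code subject} path parameter.
 *
 * <p>Priority 2000 equals {@code javax.ws.rs.Priorities.AUTHORIZATION}, so this filter runs
 * after filters registered at the authentication priority (1000).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>If no authorizer class is configured, {@link #filter} lets every request through.</li>
 *   <li>A request whose (resource, method, subject?) triple is not in the mapping table is
 *       rejected rather than allowed.</li>
 *   <li>Entries mapped to {@code AUTHORIZATION_NOT_REQUIRED} bypass the authorizer.</li>
 * </ul>
 */
@Priority(2000)
public class AuthorizationFilter implements ContainerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(AuthorizationFilter.class);

    // Allow-list of known endpoints. Written only by the static initializer at the end of the
    // class and read-only afterwards.
    private static final Map<SchemaRegistryResourceActionKey, SchemaRegistryResourceOperation> schemaRegistryResourceActionMap = new HashMap<>();

    // Null when no authorizer class is configured; in that case the filter is a no-op.
    private SchemaRegistryAuthorizer authorizer;

    @Context
    ResourceInfo resourceInfo;

    @Context
    UriInfo uriInfo;

    @Context
    HttpServletRequest httpServletRequest;

    /**
     * Lookup key for the mapping table: resource class, HTTP method, and whether the request
     * carries a non-blank {@code subject} path parameter.
     */
    public static class SchemaRegistryResourceActionKey {
        private final Class<?> resourceClass;
        private final String restMethod;
        private final boolean subjectRequest;

        public SchemaRegistryResourceActionKey(Class cls, String str, boolean z) {
            this.resourceClass = cls;
            this.restMethod = str;
            this.subjectRequest = z;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            SchemaRegistryResourceActionKey other = (SchemaRegistryResourceActionKey) obj;
            return this.subjectRequest == other.subjectRequest
                    && this.resourceClass.equals(other.resourceClass)
                    && this.restMethod.equals(other.restMethod);
        }

        @Override
        public int hashCode() {
            return (31 * ((31 * this.resourceClass.hashCode()) + this.restMethod.hashCode())) + (this.subjectRequest ? 1 : 0);
        }
    }

    /**
     * Populates the endpoint-to-operation table. Any endpoint missing from this table is
     * denied by {@link #filter} while an authorizer is configured, so a newly added REST
     * resource needs an entry here before it becomes reachable.
     */
    private static void initializeSchemaRegistryResourceActionMap() {
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectVersionsResource.class, "GET", true), SchemaRegistryResourceOperation.SUBJECT_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectVersionsResource.class, "POST", true), SchemaRegistryResourceOperation.SUBJECT_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectVersionsResource.class, "DELETE", true), SchemaRegistryResourceOperation.SUBJECT_DELETE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectsResource.class, "POST", true), SchemaRegistryResourceOperation.SUBJECT_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectsResource.class, "GET", false), SchemaRegistryResourceOperation.GLOBAL_SUBJECTS_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectsResource.class, "DELETE", true), SchemaRegistryResourceOperation.SUBJECT_DELETE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SchemasResource.class, "GET", false), SchemaRegistryResourceOperation.SCHEMA_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ConfigResource.class, "GET", true), SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ConfigResource.class, "PUT", true), SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ConfigResource.class, "GET", false), SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ConfigResource.class, "PUT", false), SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(CompatibilityResource.class, "POST", true), SchemaRegistryResourceOperation.SUBJECT_WRITE);
        // The two RootResource entries are the only ones that skip the authorizer entirely.
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(RootResource.class, "POST", false), SchemaRegistryResourceOperation.AUTHORIZATION_NOT_REQUIRED);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(RootResource.class, "GET", false), SchemaRegistryResourceOperation.AUTHORIZATION_NOT_REQUIRED);
    }

    /**
     * Loads and configures the authorizer named by
     * {@code SecureSchemaRegistryConfig.CONFLUENT_SCHEMA_REGISTRY_AUTHORIZER_CONFIG}.
     *
     * <p>When that setting is blank no authorizer is created and {@link #filter} performs no
     * checks. Operators who expect authorization to be enforced should verify the setting is
     * present, because this class does not fail on its absence.
     *
     * @param secureSchemaRegistryConfig configuration holding the authorizer class name
     * @param schemaRegistry registry instance handed to the authorizer's {@code configure}
     * @throws RestSchemaRegistryException if the class cannot be loaded, is not a
     *     {@link SchemaRegistryAuthorizer}, cannot be instantiated, or fails to configure
     */
    public AuthorizationFilter(SecureSchemaRegistryConfig secureSchemaRegistryConfig, SchemaRegistry schemaRegistry) {
        String authorizerClassName = secureSchemaRegistryConfig.getString(SecureSchemaRegistryConfig.CONFLUENT_SCHEMA_REGISTRY_AUTHORIZER_CONFIG);
        if (StringUtil.isNotBlank(authorizerClassName)) {
            try {
                // The class name comes from configuration. asSubclass() checks the type before
                // any instance is created, so a class that is not an authorizer is rejected
                // without running its constructor.
                SchemaRegistryAuthorizer loaded = Class.forName(authorizerClassName)
                        .asSubclass(SchemaRegistryAuthorizer.class)
                        .newInstance();
                loaded.configure(secureSchemaRegistryConfig, schemaRegistry);
                this.authorizer = loaded;
            } catch (AuthorizerException e) {
                throw new RestSchemaRegistryException("Unable to initialize the authorizer " + authorizerClassName, e);
            } catch (ClassNotFoundException | IllegalAccessException | InstantiationException | ClassCastException e) {
                // Keep the cause so the startup log shows why loading failed.
                throw new RestSchemaRegistryException("Unable to load resource extension class " + authorizerClassName + ". Check your classpath and that the configured class implements the SchemaRegistryAuthorizer interface.", e);
            }
        }
    }

    /**
     * Authorizes the current request, aborting it when the authorizer denies access, the
     * endpoint is unknown, or the authorizer throws.
     *
     * @param containerRequestContext the request being filtered
     * @throws IOException declared by {@link ContainerRequestFilter}; not thrown by this body
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (this.authorizer == null) {
            // No authorizer configured: requests are not checked here.
            return;
        }
        Class<?> resourceClass = this.resourceInfo.getResourceClass();
        String method = containerRequestContext.getMethod();
        String subject = this.uriInfo.getPathParameters().getFirst("subject");
        // NOTE(review): a blank "subject" path value is classified as a non-subject (global)
        // request by this lookup; confirm the resource handlers classify it the same way.
        SchemaRegistryResourceOperation operation = schemaRegistryResourceActionMap.get(new SchemaRegistryResourceActionKey(resourceClass, method, StringUtil.isNotBlank(subject)));
        if (SchemaRegistryResourceOperation.AUTHORIZATION_NOT_REQUIRED.equals(operation)) {
            return;
        }
        if (operation == null) {
            log.error(String.format("Couldn't find a corresponding operation to authorize for  %s:%s.Possibly using an older version of plugin ", this.resourceInfo.getResourceClass(), this.resourceInfo.getResourceMethod()));
            containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity("User cannot access the resource.").build());
            // Stop here: the request is already rejected, and the authorizer must not be
            // invoked with a null operation.
            return;
        }
        try {
            // getUserPrincipal() is passed through as-is; whether it can be null depends on
            // the authentication setup, which is not visible in this class.
            if (!this.authorizer.authorize(new AuthorizeRequest(containerRequestContext.getSecurityContext().getUserPrincipal(), subject, operation, containerRequestContext, this.httpServletRequest))) {
                // NOTE(review): denials are reported as 401 rather than 403; left unchanged
                // because clients may depend on the current status code.
                containerRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).entity("User cannot access the resource.").build());
            }
        } catch (AuthorizerException e) {
            // An authorizer failure rejects the request instead of letting it through.
            containerRequestContext.abortWith(Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("error authorizing the resource").build());
        }
    }

    /** Shuts down the authorizer, if one was configured. */
    public void shutdown() {
        if (this.authorizer != null) {
            this.authorizer.shutdown();
        }
    }

    static {
        initializeSchemaRegistryResourceActionMap();
    }
}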
