package io.confluent.kafka.schemaregistry.security.authorizer.topicacl;

import com.google.common.collect.ImmutableMap;
import io.confluent.kafka.schemaregistry.rest.SchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizeRequest;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerException;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryResourceOperation;
import io.confluent.kafka.schemaregistry.security.config.SecureSchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import kafka.security.authorizer.AclAuthorizer;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/authorizer/topicacl/SimpleTopicAclAuthorizer.class */
public class SimpleTopicAclAuthorizer extends AbstractSchemaRegistryAuthorizer {
    private Authorizer simpleAclAuthorizer = new AclAuthorizer();
    private Set<String> superUsers = new HashSet();
    private static final Map<SchemaRegistryResourceOperation, AclOperation> OPERATION_MAP = new HashMap();

    /* loaded from: input_file:io/confluent/kafka/schemaregistry/security/authorizer/topicacl/SimpleTopicAclAuthorizer$RequestContext.class */
    protected static class RequestContext implements AuthorizableRequestContext {
        private KafkaPrincipal principal;
        private String host;

        public RequestContext(String str, String str2) {
            this.principal = new KafkaPrincipal("User", str);
            this.host = str2;
        }

        public String listenerName() {
            return null;
        }

        public SecurityProtocol securityProtocol() {
            return null;
        }

        public KafkaPrincipal principal() {
            return this.principal;
        }

        public InetAddress clientAddress() {
            try {
                return InetAddress.getByName(this.host);
            } catch (UnknownHostException e) {
                throw new KafkaException(e);
            }
        }

        public int requestType() {
            return -1;
        }

        public int requestVersion() {
            return -1;
        }

        public String clientId() {
            return null;
        }

        public int correlationId() {
            return -1;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            RequestContext requestContext = (RequestContext) obj;
            return Objects.equals(this.principal, requestContext.principal) && Objects.equals(this.host, requestContext.host);
        }

        public int hashCode() {
            return Objects.hash(this.principal, this.host);
        }
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer, io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryAuthorizer
    public void configure(SchemaRegistryConfig schemaRegistryConfig, SchemaRegistry schemaRegistry) throws AuthorizerException {
        super.configure(schemaRegistryConfig, schemaRegistry);
        this.superUsers.addAll(Arrays.asList(schemaRegistryConfig.getString(SecureSchemaRegistryConfig.CONFLUENT_TOPIC_ACL_SUPER_USERS_CONFIG).split(";")));
        this.superUsers.remove("");
        Map map = (Map) schemaRegistryConfig.originalsWithPrefix(SecureSchemaRegistryConfig.CONFLUENT_TOPIC_ACL_PREFIX).entrySet().stream().filter(entry -> {
            return ((String) entry.getKey()).startsWith("authorizer.");
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
        map.putAll(ImmutableMap.of("zookeeper.connect", schemaRegistryConfig.getString("kafkastore.connection.url"), "allow.everyone.if.no.acl.found", false, "super.users", createUserString(this.superUsers)));
        this.simpleAclAuthorizer.configure(map);
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer
    public boolean authorizeGlobalOperation(String str, SchemaRegistryResourceOperation schemaRegistryResourceOperation, AuthorizeRequest authorizeRequest) {
        return this.superUsers.contains(str);
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer
    public boolean authorizeSubjectOperation(String str, String str2, SchemaRegistryResourceOperation schemaRegistryResourceOperation, AuthorizeRequest authorizeRequest) {
        InetAddress clientAddress = getClientAddress(authorizeRequest.getHttpServletRequest());
        List authorize = this.simpleAclAuthorizer.authorize(new RequestContext(str, clientAddress != null ? clientAddress.getHostAddress() : ""), Collections.singletonList(new Action(OPERATION_MAP.get(schemaRegistryResourceOperation), new ResourcePattern(ResourceType.TOPIC, getAuthorizationSubject(str2), PatternType.LITERAL), 1, false, false)));
        return !authorize.isEmpty() && authorize.get(0) == AuthorizationResult.ALLOWED;
    }

    @Override // io.confluent.kafka.schemaregistry.security.authorizer.AbstractSchemaRegistryAuthorizer
    public String getAuthorizationSubject(String str) {
        return removeSuffix(removeSuffix(str, "-key"), "-value");
    }

    private String removeSuffix(String str, String str2) {
        if (str.endsWith(str2)) {
            str = str.substring(0, str.length() - str2.length());
        }
        return str;
    }

    InetAddress getClientAddress(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("X-FORWARDED-FOR");
        if (header == null) {
            header = httpServletRequest.getRemoteAddr();
        }
        if (header == null) {
            return null;
        }
        try {
            return InetAddress.getByName(header);
        } catch (UnknownHostException e) {
            return null;
        }
    }

    private String createUserString(Set<String> set) {
        StringBuilder sb = new StringBuilder();
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            if (sb.length() != 0) {
                sb.append(";");
            }
            sb.append("User:" + it.next());
        }
        return sb.toString();
    }

    static {
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_READ, AclOperation.READ);
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SUBJECT_READ, AclOperation.READ);
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SCHEMA_READ, AclOperation.READ);
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_WRITE, AclOperation.WRITE);
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SUBJECT_WRITE, AclOperation.WRITE);
        OPERATION_MAP.put(SchemaRegistryResourceOperation.SUBJECT_DELETE, AclOperation.WRITE);
    }
}
