package io.confluent.kafka.schemaregistry.security.filter;

import com.google.common.collect.ImmutableMap;
import io.confluent.common.security.util.StreamUtils;
import io.confluent.kafka.schemaregistry.client.rest.entities.Schema;
import io.confluent.kafka.schemaregistry.rest.exceptions.RestSchemaRegistryException;
import io.confluent.kafka.schemaregistry.rest.resources.CompatibilityResource;
import io.confluent.kafka.schemaregistry.rest.resources.ConfigResource;
import io.confluent.kafka.schemaregistry.rest.resources.ContextsResource;
import io.confluent.kafka.schemaregistry.rest.resources.ModeResource;
import io.confluent.kafka.schemaregistry.rest.resources.RootResource;
import io.confluent.kafka.schemaregistry.rest.resources.SchemasResource;
import io.confluent.kafka.schemaregistry.rest.resources.ServerMetadataResource;
import io.confluent.kafka.schemaregistry.rest.resources.SubjectVersionsResource;
import io.confluent.kafka.schemaregistry.rest.resources.SubjectsResource;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizeRequest;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerException;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryAuthorizer;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryResourceOperation;
import io.confluent.kafka.schemaregistry.security.authorizer.rbac.SchemaRegistryOperations;
import io.confluent.kafka.schemaregistry.security.config.SecureSchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.security.permissions.PermissionsResource;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Priority;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.ResourceInfo;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.apache.kafka.common.config.ConfigException;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Priority(2000)
/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/filter/AuthorizationFilter.class */
public class AuthorizationFilter implements ContainerRequestFilter, ContainerResponseFilter {
    private static final int OPERATION_FORBIDDEN_ERROR_CODE = 40301;
    private static final Logger log = LoggerFactory.getLogger(AuthorizationFilter.class);
    private static final Map<SchemaRegistryResourceActionKey, SchemaRegistryResourceOperation> schemaRegistryResourceActionMap = new HashMap();
    private SchemaRegistryAuthorizer authorizer;

    @Context
    ResourceInfo resourceInfo;

    @Context
    UriInfo uriInfo;

    @Context
    HttpServletRequest httpServletRequest;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/kafka/schemaregistry/security/filter/AuthorizationFilter$SchemaRegistryResourceActionKey.class */
    public static class SchemaRegistryResourceActionKey {
        private Class resourceClass;
        private String restMethod;
        private boolean subjectRequest;

        public SchemaRegistryResourceActionKey(Class cls, String str, boolean z) {
            this.resourceClass = cls;
            this.restMethod = str;
            this.subjectRequest = z;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            SchemaRegistryResourceActionKey schemaRegistryResourceActionKey = (SchemaRegistryResourceActionKey) obj;
            if (this.subjectRequest == schemaRegistryResourceActionKey.subjectRequest && this.resourceClass.equals(schemaRegistryResourceActionKey.resourceClass)) {
                return this.restMethod.equals(schemaRegistryResourceActionKey.restMethod);
            }
            return false;
        }

        public int hashCode() {
            return (31 * ((31 * this.resourceClass.hashCode()) + this.restMethod.hashCode())) + (this.subjectRequest ? 1 : 0);
        }
    }

    private static void initializeSchemaRegistryResourceActionMap() {
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ContextsResource.class, "GET", false), SchemaRegistryResourceOperation.GLOBAL_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectVersionsResource.class, "GET", true), SchemaRegistryResourceOperation.SUBJECT_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectVersionsResource.class, "POST", true), SchemaRegistryResourceOperation.SUBJECT_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectVersionsResource.class, "DELETE", true), SchemaRegistryResourceOperation.SUBJECT_DELETE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectsResource.class, "POST", true), SchemaRegistryResourceOperation.SUBJECT_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectsResource.class, "GET", false), SchemaRegistryResourceOperation.GLOBAL_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SubjectsResource.class, "DELETE", true), SchemaRegistryResourceOperation.SUBJECT_DELETE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SchemasResource.class, "GET", true), SchemaRegistryResourceOperation.SCHEMA_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(SchemasResource.class, "GET", false), SchemaRegistryResourceOperation.GLOBAL_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ConfigResource.class, "GET", true), SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ConfigResource.class, "PUT", true), SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ConfigResource.class, "DELETE", true), SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ConfigResource.class, "GET", false), SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ConfigResource.class, "PUT", false), SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ModeResource.class, "GET", true), SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ModeResource.class, "PUT", true), SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ModeResource.class, "DELETE", true), SchemaRegistryResourceOperation.SUBJECT_COMPATIBILITY_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ModeResource.class, "GET", false), SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_READ);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ModeResource.class, "PUT", false), SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(CompatibilityResource.class, "POST", true), SchemaRegistryResourceOperation.SUBJECT_WRITE);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(RootResource.class, "POST", false), SchemaRegistryResourceOperation.AUTHORIZATION_NOT_REQUIRED);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(RootResource.class, "GET", false), SchemaRegistryResourceOperation.AUTHORIZATION_NOT_REQUIRED);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(PermissionsResource.class, "GET", false), SchemaRegistryResourceOperation.AUTHORIZATION_NOT_REQUIRED);
        schemaRegistryResourceActionMap.put(new SchemaRegistryResourceActionKey(ServerMetadataResource.class, "GET", false), SchemaRegistryResourceOperation.AUTHORIZATION_NOT_REQUIRED);
    }

    public AuthorizationFilter(SecureSchemaRegistryConfig secureSchemaRegistryConfig, SchemaRegistry schemaRegistry) {
        String string = secureSchemaRegistryConfig.getString(SecureSchemaRegistryConfig.CONFLUENT_SCHEMA_REGISTRY_AUTHORIZER_CONFIG);
        if (!StringUtil.isNotBlank(string)) {
            throw new ConfigException(String.format("No authorizer class provided. Please specify an authorizer class via the '%s' configuration property", SecureSchemaRegistryConfig.CONFLUENT_SCHEMA_REGISTRY_AUTHORIZER_CONFIG));
        }
        try {
            this.authorizer = (SchemaRegistryAuthorizer) Class.forName(string).newInstance();
            this.authorizer.configure(secureSchemaRegistryConfig, schemaRegistry);
        } catch (AuthorizerException e) {
            throw new RestSchemaRegistryException("Unable to initialize the authorizer " + string, e);
        } catch (ClassNotFoundException | IllegalAccessException | InstantiationException e2) {
            throw new RestSchemaRegistryException("Unable to load resource extension class " + string + ". Check your classpath and that the configured class implements the SchemaRegistryAuthorizer interface.");
        }
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        SchemaRegistryResourceOperation operation = operation(containerRequestContext);
        if (SchemaRegistryResourceOperation.AUTHORIZATION_NOT_REQUIRED.equals(operation)) {
            return;
        }
        if (operation == null) {
            log.error(String.format("Couldn't find a corresponding operation to authorize for  %s:%s.Possibly using an older version of plugin ", this.resourceInfo.getResourceClass(), this.resourceInfo.getResourceMethod()));
            containerRequestContext.abortWith(accessDenied("User cannot access the resource."));
            return;
        }
        try {
            String currentSubject = currentSubject();
            if (!this.authorizer.authorize(new AuthorizeRequest(containerRequestContext.getSecurityContext().getUserPrincipal(), currentSubject, operation, containerRequestContext, this.httpServletRequest))) {
                containerRequestContext.abortWith(accessDenied(operationDeniedMessage(operation, currentSubject)));
            }
        } catch (AuthorizerException e) {
            containerRequestContext.abortWith(accessDenied("error authorizing the resource"));
        }
    }

    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        List<Schema> list;
        Class resourceClass = this.resourceInfo.getResourceClass();
        Method resourceMethod = this.resourceInfo.getResourceMethod();
        if (containerResponseContext.getStatus() == Response.Status.OK.getStatusCode() && SchemaRegistryResourceOperation.GLOBAL_READ.equals(operation(containerRequestContext))) {
            if (SubjectsResource.class.equals(resourceClass)) {
                Set<String> set = (Set) readEntity(containerResponseContext);
                if (set != null) {
                    containerResponseContext.setEntity(authorizedSubjects(containerRequestContext, set));
                    return;
                }
                return;
            }
            if (SchemasResource.class.equals(resourceClass) && resourceMethod.getName().equals("getSchemas") && (list = (List) readEntity(containerResponseContext)) != null) {
                containerResponseContext.setEntity(authorizedSchemas(containerRequestContext, list));
            }
        }
    }

    static <T> T readEntity(ContainerResponseContext containerResponseContext) {
        return (T) containerResponseContext.getEntity();
    }

    Set<String> authorizedSubjects(ContainerRequestContext containerRequestContext, Set<String> set) {
        if (set.isEmpty()) {
            return set;
        }
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        ArrayList arrayList = new ArrayList();
        set.forEach(str -> {
            SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS.forEach(schemaRegistryResourceOperation -> {
                arrayList.add(new AuthorizeRequest(userPrincipal, str, schemaRegistryResourceOperation, containerRequestContext, this.httpServletRequest));
            });
        });
        try {
            return (Set) StreamUtils.zip(this.authorizer.bulkAuthorize(userPrincipal, arrayList), arrayList).filter((v0) -> {
                return v0.getLeft();
            }).map(pair -> {
                return ((AuthorizeRequest) pair.getRight()).getSubject();
            }).collect(Collectors.toSet());
        } catch (AuthorizerException e) {
            throw new RestSchemaRegistryException("error authorizing the resource", e);
        }
    }

    List<Schema> authorizedSchemas(ContainerRequestContext containerRequestContext, List<Schema> list) {
        if (list.isEmpty()) {
            return list;
        }
        Set set = (Set) list.stream().map((v0) -> {
            return v0.getSubject();
        }).collect(Collectors.toSet());
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        ArrayList arrayList = new ArrayList();
        set.forEach(str -> {
            SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS.forEach(schemaRegistryResourceOperation -> {
                arrayList.add(new AuthorizeRequest(userPrincipal, str, schemaRegistryResourceOperation, containerRequestContext, this.httpServletRequest));
            });
        });
        try {
            Set set2 = (Set) StreamUtils.zip(this.authorizer.bulkAuthorize(userPrincipal, arrayList), arrayList).filter((v0) -> {
                return v0.getLeft();
            }).map(pair -> {
                return ((AuthorizeRequest) pair.getRight()).getSubject();
            }).collect(Collectors.toSet());
            return (List) list.stream().filter(schema -> {
                return set2.contains(schema.getSubject());
            }).collect(Collectors.toList());
        } catch (AuthorizerException e) {
            throw new RestSchemaRegistryException("error authorizing the resource", e);
        }
    }

    public void shutdown() {
        this.authorizer.shutdown();
    }

    protected SchemaRegistryResourceOperation operation(ContainerRequestContext containerRequestContext) {
        return schemaRegistryResourceActionMap.get(new SchemaRegistryResourceActionKey(this.resourceInfo.getResourceClass(), containerRequestContext.getMethod(), StringUtil.isNotBlank(currentSubject()) || StringUtil.isNotBlank(currentSchemaId())));
    }

    protected String currentSubject() {
        return (String) this.uriInfo.getPathParameters().getFirst("subject");
    }

    protected String currentSchemaId() {
        return (String) this.uriInfo.getPathParameters().getFirst("id");
    }

    public SchemaRegistryAuthorizer authorizer() {
        return this.authorizer;
    }

    private String operationDeniedMessage(SchemaRegistryResourceOperation schemaRegistryResourceOperation, String str) {
        String str2;
        try {
            String name = SchemaRegistryOperations.operationFor(schemaRegistryResourceOperation).name();
            str2 = SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS.contains(schemaRegistryResourceOperation) ? String.format("User is denied operation %s on %s: %s", name, SchemaRegistryOperations.resourceTypeFor(schemaRegistryResourceOperation).name(), str) : String.format("User is denied operation %s on this server.", name);
        } catch (RestSchemaRegistryException e) {
            str2 = "User is denied operation on this server.";
        }
        return str2;
    }

    private Response accessDenied(String str) {
        return Response.status(Response.Status.FORBIDDEN).entity(ImmutableMap.of("error_code", Integer.valueOf(OPERATION_FORBIDDEN_ERROR_CODE), "message", str)).build();
    }

    static {
        initializeSchemaRegistryResourceActionMap();
    }
}
