package io.confluent.kafka.schemaregistry.security;

import com.google.common.annotations.VisibleForTesting;
import io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryException;
import io.confluent.kafka.schemaregistry.rest.SchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.rest.extensions.SchemaRegistryResourceExtension;
import io.confluent.kafka.schemaregistry.security.config.SecureSchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import io.confluent.rest.NamedURI;
import io.confluent.rest.RestConfigException;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.ws.rs.core.Configurable;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.fips.FipsValidator;
import org.apache.kafka.common.utils.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/SchemaRegistryFipsResourceExtension.class */
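/**
 * Resource extension that enforces FIPS 140-2 configuration constraints at Schema Registry start-up.
 *
 * <p>When {@code enable.fips} is true, registration fails fast (with a {@link SecurityException})
 * unless a security provider list is configured, every REST listener declares its TLS versions and
 * passes the {@link FipsValidator} checks, and the broker-side {@code kafkastore.security.protocol}
 * is FIPS-acceptable. When {@code enable.fips} is false, registration is a no-op.
 *
 * <p>Validation failures surface as unchecked {@link SecurityException}s; only the construction of
 * the {@link SecureSchemaRegistryConfig} is wrapped in a {@link SchemaRegistryException}.
 */
public class SchemaRegistryFipsResourceExtension implements SchemaRegistryResourceExtension {
    private static final Logger log = LoggerFactory.getLogger(SchemaRegistryFipsResourceExtension.class);

    // Configuration keys read by this extension. Values are kept byte-identical to the
    // property names the registry and the validator expect.
    private static final String ENABLE_FIPS_CONFIG = "enable.fips";
    private static final String SECURITY_PROVIDERS_CONFIG = "security.providers";
    private static final String SSL_CIPHER_SUITES_CONFIG = "ssl.cipher.suites";
    private static final String SSL_ENABLED_PROTOCOLS_CONFIG = "ssl.enabled.protocols";
    private static final String KAFKASTORE_SECURITY_PROTOCOL_CONFIG = "kafkastore.security.protocol";
    private static final String LISTENER_CONFIG_PREFIX = "listener.name.";
    // Listener name assumed for an unnamed listener when resolving its per-listener config prefix.
    private static final String DEFAULT_LISTENER_NAME = "https";

    /**
     * Runs FIPS validation against the registry's original properties.
     *
     * @param configurable         the JAX-RS configurable; unused by this extension
     * @param schemaRegistryConfig the registry configuration whose original properties are validated
     * @param schemaRegistry       the registry instance; unused by this extension
     * @throws SchemaRegistryException if the secure configuration cannot be constructed
     * @throws SecurityException       if FIPS is enabled and the configuration violates a FIPS constraint
     */
    public void register(Configurable<?> configurable, SchemaRegistryConfig schemaRegistryConfig,
                         SchemaRegistry schemaRegistry) throws SchemaRegistryException {
        final SecureSchemaRegistryConfig secureConfig;
        try {
            secureConfig = new SecureSchemaRegistryConfig(schemaRegistryConfig.originalProperties());
        } catch (RestConfigException e) {
            // Preserve the cause so the offending property is visible in the stack trace.
            throw new SchemaRegistryException(e);
        }
        // validateFipsConfig only throws unchecked SecurityException; it is deliberately not wrapped.
        validateFipsConfig(secureConfig);
    }

    /** Nothing to release: this extension holds no resources. */
    public void close() throws IOException {
    }

    /**
     * Validates the FIPS-relevant parts of the configuration when {@code enable.fips} is set.
     *
     * <p>Order of checks: a non-empty {@code security.providers} list is required and its providers
     * are installed via {@link SecurityUtils#addConfiguredSecurityProviders(Map)} before the validator
     * is built, so that the validator observes the FIPS providers; then each REST listener and the
     * broker protocol are checked.
     *
     * @param secureSchemaRegistryConfig the configuration to validate
     * @throws SecurityException if FIPS is enabled and any check fails
     */
    @VisibleForTesting
    static void validateFipsConfig(SecureSchemaRegistryConfig secureSchemaRegistryConfig) {
        if (!secureSchemaRegistryConfig.getBoolean(ENABLE_FIPS_CONFIG)) {
            return;
        }
        log.info("Schema Registry has FIPS enabled. Starting FIPS validation...");
        Map<String, Object> originals = secureSchemaRegistryConfig.originals();
        // The cast mirrors the expected string-valued property; a non-string value fails loudly.
        String providers = (String) originals.get(SECURITY_PROVIDERS_CONFIG);
        if (providers == null || providers.isEmpty()) {
            log.error("FIPS 140-2 Configuration Error, invalid security provider: <empty>");
            throw new SecurityException("FIPS 140-2 Configuration Error, invalid security provider: <empty>");
        }
        // Providers must be registered before the validator is built and consulted.
        SecurityUtils.addConfiguredSecurityProviders(originals);
        FipsValidator fipsValidator = ConfluentConfigs.buildFipsValidator();
        validateListenerCipherSuitesAndTlsVersions(fipsValidator, secureSchemaRegistryConfig);
        validateBrokerCommunicationProtocol(fipsValidator, secureSchemaRegistryConfig);
        log.info("FIPS validation successful for Schema Registry");
    }

    /**
     * Checks every REST listener's TLS settings against the FIPS validator.
     *
     * @param fipsValidator        the validator built after the security providers were installed
     * @param schemaRegistryConfig the configuration whose listeners are inspected
     * @throws SecurityException if a listener has no enabled TLS protocols or fails validation
     */
    private static void validateListenerCipherSuitesAndTlsVersions(FipsValidator fipsValidator,
                                                                   SchemaRegistryConfig schemaRegistryConfig) {
        for (Map.Entry<NamedURI, Map<String, Object>> listenerEntry
                : getListenerConfigMaps(schemaRegistryConfig).entrySet()) {
            validateListener(fipsValidator, listenerEntry.getKey(), listenerEntry.getValue());
        }
    }

    /**
     * Validates a single listener: warns when no cipher suites are pinned, rejects an empty TLS
     * version list, then delegates scheme and TLS checks to the validator.
     *
     * <p>An absent {@code ssl.cipher.suites} is only a warning here; whether the validator then
     * accepts the JVM defaults is decided inside {@link FipsValidator#validateFipsTls(Map)}, not here.
     *
     * @param fipsValidator  the FIPS validator
     * @param listener       the listener being validated; its URI scheme is checked
     * @param listenerConfig the listener's prefix-resolved configuration values
     * @throws SecurityException if the listener is not FIPS-compliant
     */
    private static void validateListener(FipsValidator fipsValidator, NamedURI listener,
                                         Map<String, Object> listenerConfig) {
        if (isNullOrEmpty((List<?>) listenerConfig.get(SSL_CIPHER_SUITES_CONFIG))) {
            log.warn("FIPS 140-2 Configuration Warning, ssl.cipher.suites not provided.");
        }
        if (isNullOrEmpty((List<?>) listenerConfig.get(SSL_ENABLED_PROTOCOLS_CONFIG))) {
            log.error("FIPS 140-2 Configuration Error, invalid TLS versions: <empty>");
            throw new SecurityException("FIPS 140-2 Configuration Error, invalid TLS versions: <empty>");
        }
        try {
            fipsValidator.validateRestProtocol(listener.getUri().getScheme());
            fipsValidator.validateFipsTls(listenerConfig);
        } catch (Exception e) {
            log.error(e.getMessage());
            // Same message as before, but keep the validator's exception as the cause for diagnostics.
            throw new SecurityException(e.getMessage(), e);
        }
    }

    /**
     * Checks the protocol used to talk to the Kafka store against the FIPS validator.
     *
     * @param fipsValidator        the FIPS validator
     * @param schemaRegistryConfig the configuration supplying {@code kafkastore.security.protocol}
     * @throws SecurityException if the broker protocol is not FIPS-acceptable
     * @throws IllegalArgumentException if the configured protocol name is unknown to {@link SecurityProtocol}
     */
    private static void validateBrokerCommunicationProtocol(FipsValidator fipsValidator,
                                                            SchemaRegistryConfig schemaRegistryConfig) {
        String protocolName = schemaRegistryConfig.getString(KAFKASTORE_SECURITY_PROTOCOL_CONFIG);
        Map<String, Object> brokerConfig = new HashMap<>();
        // Resolved outside the try block, as before, so an unknown name is not masked as a FIPS error.
        brokerConfig.put(KAFKASTORE_SECURITY_PROTOCOL_CONFIG, SecurityProtocol.forName(protocolName));
        try {
            fipsValidator.validateFipsBrokerProtocol(brokerConfig);
        } catch (Exception e) {
            log.error(e.getMessage());
            throw new SecurityException(e.getMessage(), e);
        }
    }

    /**
     * Resolves each configured listener to its prefix-overridden configuration values.
     *
     * @param schemaRegistryConfig the configuration whose listeners are enumerated
     * @return a map from listener to its {@code listener.name.<name>.}-prefixed values
     */
    private static Map<NamedURI, Map<String, Object>> getListenerConfigMaps(SchemaRegistryConfig schemaRegistryConfig) {
        // NOTE(review): toMap throws IllegalStateException on duplicate listeners; uniqueness is
        // assumed to be enforced by the config parser upstream.
        return schemaRegistryConfig.getListeners().stream()
            .collect(Collectors.toMap(Function.identity(),
                listener -> listenerConfig(schemaRegistryConfig, listener)));
    }

    /** Returns the prefix-overridden values for one listener, defaulting an unnamed listener to "https". */
    private static Map<String, Object> listenerConfig(SchemaRegistryConfig schemaRegistryConfig, NamedURI listener) {
        String listenerName = Optional.ofNullable(listener.getName()).orElse(DEFAULT_LISTENER_NAME);
        return schemaRegistryConfig.valuesWithPrefixOverride(LISTENER_CONFIG_PREFIX + listenerName + ".");
    }

    /** True when the list is absent or has no elements. */
    private static boolean isNullOrEmpty(List<?> values) {
        return values == null || values.isEmpty();
    }
}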
