package io.confluent.kafka.schemaregistry.security.permissions;

import io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryException;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizeRequest;
import io.confluent.kafka.schemaregistry.security.authorizer.AuthorizerException;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryAuthorizer;
import io.confluent.kafka.schemaregistry.security.authorizer.SchemaRegistryResourceOperation;
import io.confluent.kafka.schemaregistry.security.authorizer.rbac.SchemaRegistryOperations;
import io.confluent.kafka.schemaregistry.security.permissions.entities.Permissions;
import io.confluent.kafka.schemaregistry.storage.LookupFilter;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.roledefinitions.ResourceType;
import java.security.Principal;
import java.util.EnumSet;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Context;

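/**
 * JAX-RS resource served at {@code /permissions} that reports the Schema Registry
 * permissions of the calling principal.
 *
 * <p>For every subject returned by {@link SchemaRegistry#listSubjects} and for the global
 * compatibility resource, one {@link AuthorizeRequest} per operation is handed to a
 * {@code PermissionsBuilder}; the {@link Permissions} entity it builds is the response body.
 *
 * <p>NOTE(review): how the builder evaluates these requests and which subjects end up in the
 * response is decided in {@code PermissionsBuilder}, which is not visible here. Confirm that
 * subjects for which the principal holds no allowed operation are omitted from the result;
 * otherwise this endpoint discloses the names of every subject in the registry to any caller.
 */
@Produces({"application/json"})
@Path("/permissions")
/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/permissions/PermissionsResource.class */
public class PermissionsResource {
    /** Operations checked against the global (non-subject) compatibility resource. */
    private static final EnumSet<SchemaRegistryResourceOperation> GLOBAL_COMPATIBILITY_RESOURCE_OPERATIONS =
            EnumSet.of(
                    SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_READ,
                    SchemaRegistryResourceOperation.GLOBAL_COMPATIBILITY_WRITE);

    private final Scope scope;
    private final SchemaRegistry schemaRegistry;
    private final SchemaRegistryAuthorizer authorizer;

    // Injected by the JAX-RS container; forwarded unchanged into every AuthorizeRequest.
    @Context
    HttpServletRequest httpServletRequest;

    /**
     * Factory for {@link AuthorizeRequest} objects that all share one principal and one
     * request context, so each call site only supplies the resource name and the operation.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/kafka/schemaregistry/security/permissions/PermissionsResource$AuthorizeRequestUtils.class */
    public static class AuthorizeRequestUtils {
        private final Principal principal;
        private final ContainerRequestContext requestContext;
        private final HttpServletRequest httpServletRequest;

        /**
         * @param principal the caller the requests are made on behalf of
         * @param containerRequestContext the JAX-RS context of the current request
         * @param httpServletRequest the servlet request of the current call
         */
        public AuthorizeRequestUtils(Principal principal, ContainerRequestContext containerRequestContext, HttpServletRequest httpServletRequest) {
            this.principal = principal;
            this.requestContext = containerRequestContext;
            this.httpServletRequest = httpServletRequest;
        }

        /**
         * Builds an authorization request for one operation on one subject.
         *
         * @param str the subject name
         * @param schemaRegistryResourceOperation the operation to be checked
         * @return a request carrying the shared principal and request context
         */
        public AuthorizeRequest subjectRequest(String str, SchemaRegistryResourceOperation schemaRegistryResourceOperation) {
            return new AuthorizeRequest(this.principal, str, schemaRegistryResourceOperation, this.requestContext, this.httpServletRequest);
        }

        /**
         * Builds an authorization request for a global operation; the subject is {@code null}.
         *
         * @param schemaRegistryResourceOperation the operation to be checked
         * @return a request carrying the shared principal and request context
         */
        public AuthorizeRequest globalRequest(SchemaRegistryResourceOperation schemaRegistryResourceOperation) {
            return new AuthorizeRequest(this.principal, null, schemaRegistryResourceOperation, this.requestContext, this.httpServletRequest);
        }
    }

    /**
     * @param scope the scope passed to the permissions builder
     * @param schemaRegistry the registry whose subjects are enumerated
     * @param schemaRegistryAuthorizer the authorizer passed to the permissions builder
     */
    public PermissionsResource(Scope scope, SchemaRegistry schemaRegistry, SchemaRegistryAuthorizer schemaRegistryAuthorizer) {
        this.scope = scope;
        this.schemaRegistry = schemaRegistry;
        this.authorizer = schemaRegistryAuthorizer;
    }

    /**
     * Handles {@code GET /permissions}: collects one authorization request per
     * (subject, operation) pair plus the global compatibility operations and returns
     * whatever the permissions builder produces from them.
     *
     * @param containerRequestContext the JAX-RS context of the current request; its security
     *     context supplies the principal
     * @return the permissions entity produced by the builder
     * @throws SchemaRegistryException declared by the registry lookup
     * @throws AuthorizerException declared for authorizer failures
     */
    @GET
    public Permissions getPermissions(@Context ContainerRequestContext containerRequestContext) throws SchemaRegistryException, AuthorizerException {
        // NOTE(review): SecurityContext.getUserPrincipal() returns null when the request is
        // unauthenticated. Nothing here rejects that case; confirm that PermissionsBuilder and
        // the authorizer treat a null principal as "deny" rather than as an unrestricted caller.
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        PermissionsBuilder builder = new PermissionsBuilder(userPrincipal)
                .withAuthorizer(this.authorizer)
                .withScope(this.scope);
        AuthorizeRequestUtils requestFactory =
                new AuthorizeRequestUtils(userPrincipal, containerRequestContext, this.httpServletRequest);

        // One request per operation for every subject in the registry. The number of requests
        // grows with subjects x operations, so a single GET can be costly on a large registry.
        this.schemaRegistry.listSubjects(LookupFilter.DEFAULT).forEach(subject -> {
            List<AuthorizeRequest> subjectRequests = SchemaRegistryResourceOperation.SUBJECT_RESOURCE_OPERATIONS.stream()
                    .map(operation -> requestFactory.subjectRequest(subject, operation))
                    .collect(Collectors.toList());
            builder.withRequests(SchemaRegistryOperations.SUBJECT_RESOURCE, subject, subjectRequests);
        });

        // The global compatibility operations are registered under the subject resource type
        // with the reserved global resource name, exactly as in the original bytecode.
        List<AuthorizeRequest> globalRequests = GLOBAL_COMPATIBILITY_RESOURCE_OPERATIONS.stream()
                .map(requestFactory::globalRequest)
                .collect(Collectors.toList());
        builder.withRequests(SchemaRegistryOperations.SUBJECT_RESOURCE, SchemaRegistryOperations.GLOBAL_RESOURCE_NAME, globalRequests);
        return builder.build();
    }
}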
