package io.confluent.rbacapi.app;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
import com.fasterxml.jackson.jaxrs.base.JsonParseExceptionMapper;
import com.google.common.annotations.VisibleForTesting;
import io.confluent.auditlogapi.authorizer.AuditLogConfigAuthorizer;
import io.confluent.auditlogapi.credentials.CredentialExtractor;
import io.confluent.auditlogapi.entities.AuditLogConfigSpec;
import io.confluent.auditlogapi.kafka.DestinationTopicManager;
import io.confluent.auditlogapi.store.DynamicConfigAuditLogConfigStore;
import io.confluent.auditlogapi.store.TopicRetentionUpdateCallback;
import io.confluent.common.security.jetty.JwtLoginService;
import io.confluent.common.security.jetty.JwtWithFallbackLoginService;
import io.confluent.common.security.jetty.OAuthOrBasicAuthenticator;
import io.confluent.crn.ConfluentServerCrnAuthority;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticator;
import io.confluent.kafka.clients.plugins.auth.jwt.JwtAuthenticatorConfig;
import io.confluent.mds.DefaultDynamicConfigurator;
import io.confluent.mds.DynamicConfigurator;
import io.confluent.rbacapi.authorizer.SecurityMetadataAuthorizer;
import io.confluent.rbacapi.errorhandlers.NoJettyDefaultStackTraceErrorHandler;
import io.confluent.rbacapi.errormappers.ClusterRegistryConflictExceptionMapper;
import io.confluent.rbacapi.errormappers.ClusterRegistryGenericClientErrorExceptionMapper;
import io.confluent.rbacapi.errormappers.ClusterRegistryNoAccessExceptionMapper;
import io.confluent.rbacapi.errormappers.ClusterRegistryNotFoundExceptionMapper;
import io.confluent.rbacapi.errormappers.ClusterRegistryUpdateExceptionMapper;
import io.confluent.rbacapi.errormappers.ClusterRegistryVerifyExceptionMapper;
import io.confluent.rbacapi.errormappers.ConstraintViolationExceptionMapper;
import io.confluent.rbacapi.errormappers.CrnSyntaxExceptionMapper;
import io.confluent.rbacapi.errormappers.DeletedNonexistentResourceExceptionMapper;
import io.confluent.rbacapi.errormappers.KafkaApiExceptionMapper;
import io.confluent.rbacapi.errormappers.KafkaExecutionExceptionMapper;
import io.confluent.rbacapi.errormappers.Mds400ExceptionMapper;
import io.confluent.rbacapi.errormappers.MdsJacksonBindingErrorMapper;
import io.confluent.rbacapi.errormappers.MdsJacksonParseErrorMapper;
import io.confluent.rbacapi.errormappers.MdsJacksonProcessingErrorMapper;
import io.confluent.rbacapi.errormappers.MdsJerseyExceptionMapper;
import io.confluent.rbacapi.errormappers.MdsUncaughtExceptionMapper;
import io.confluent.rbacapi.errormappers.MdsValidationExceptionMapper;
import io.confluent.rbacapi.errormappers.TimeoutExceptionMapper;
import io.confluent.rbacapi.jackson.MdsJacksonMessageBodyProvider;
import io.confluent.rbacapi.jackson.MdsJacksonModule;
import io.confluent.rbacapi.jackson.MdsObjectMapperProvider;
import io.confluent.rbacapi.login.MdsLoginService;
import io.confluent.rbacapi.resources.v1.V1AclResource;
import io.confluent.rbacapi.resources.v1.V1AuditLogConfigResource;
import io.confluent.rbacapi.resources.v1.V1AuthorizeResource;
import io.confluent.rbacapi.resources.v1.V1ClusterRegistryResource;
import io.confluent.rbacapi.resources.v1.V1FeaturesResource;
import io.confluent.rbacapi.resources.v1.V1LookupResource;
import io.confluent.rbacapi.resources.v1.V1MetadataServiceResource;
import io.confluent.rbacapi.resources.v1.V1OperationsResource;
import io.confluent.rbacapi.resources.v1.V1PrincipalsResource;
import io.confluent.rbacapi.resources.v1.V1RolesResource;
import io.confluent.rbacapi.resources.v1.V1UserGroupResource;
import io.confluent.rbacapi.rest.LeaderAwareApplication;
import io.confluent.rbacapi.rest.MdsWriterProxyServlet;
import io.confluent.rbacapi.rest.MdsWritesFilter;
import io.confluent.rbacapi.services.CPFeatureConfigurationService;
import io.confluent.rbacapi.services.ClusterRegistryGatekeeper;
import io.confluent.rbacapi.services.ClusterRegistryService;
import io.confluent.rbacapi.services.FeatureConfigurationService;
import io.confluent.rbacapi.services.MdsFeatures;
import io.confluent.rbacapi.services.RoleBindingProcessing;
import io.confluent.rbacapi.swagger.SwaggerFilesResource;
import io.confluent.rbacapi.utils.ClusterType;
import io.confluent.rbacapi.validation.common.ValidOperation;
import io.confluent.rbacapi.validation.common.ValidOptionalResourceType;
import io.confluent.rbacapi.validation.common.ValidResourceType;
import io.confluent.rbacapi.validation.common.ValidRole;
import io.confluent.rbacapi.validation.v1.MDSValidationConfigurationContextResolver;
import io.confluent.rbacapi.validation.v1.V1ValidRoleResourceType;
import io.confluent.rbacapi.validation.v2.V2ValidRoleFilter;
import io.confluent.rbacapi.validation.v2.V2ValidScopeResourceType;
import io.confluent.rest.Application;
import io.confluent.rest.RestConfig;
import io.confluent.rest.auth.AuthUtil;
import io.confluent.security.auth.metadata.AuthStore;
import io.confluent.security.authorizer.Authorizer;
import io.confluent.security.authorizer.Scope;
import io.confluent.security.authorizer.jackson.KafkaModule;
import io.confluent.tokenapi.errormappers.AuthenticationTokenExceptionMapper;
import io.confluent.tokenapi.jwt.JwtProvider;
import io.confluent.tokenapi.resources.v1.V1TokenResource;
import io.confluent.tokenapi.services.TokenService;
import java.io.IOException;
import java.net.URL;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.LogManager;
import java.util.stream.Collectors;
import javax.ws.rs.core.Configurable;
import org.apache.commons.lang3.StringUtils;
import org.apache.kafka.clients.admin.ConfluentAdmin;
import org.apache.kafka.common.Reconfigurable;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.HashLoginService;
import org.eclipse.jetty.servlet.FilterHolder;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;
import org.glassfish.jersey.logging.LoggingFeature;
import org.glassfish.jersey.logging.MDSLoggingFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.bridge.SLF4JBridgeHandler;

/* loaded from: input_file:io/confluent/rbacapi/app/RbacApiApplication.class */
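/**
 * REST application for the metadata service (MDS): wires the RBAC, ACL, cluster-registry,
 * audit-log-config and token resources into the Jetty/Jersey server provided by
 * {@link Application}, rooted at the {@code "/security"} path handed to the base class.
 *
 * <p>Security-relevant wiring lives in {@link #configureSecurityHandler(ServletContextHandler)}
 * (which authenticator and login service protect the API), {@link #createSecurityHandler()}
 * (which path specs require authentication) and {@link #setupResources(Configurable, RestConfig)}
 * (which resources are exposed and how requests are logged).
 *
 * <p>The class is also a {@link Reconfigurable}: every reconfiguration call is fanned out to the
 * components held in {@code reconfigurables}.
 */
public class RbacApiApplication extends Application<RestConfig> implements Reconfigurable, LeaderAwareApplication {
    private static final Logger log = LoggerFactory.getLogger(RbacApiApplication.class);
    protected final ClusterRegistryService clusterRegistryService;
    private final ObjectMapper objectMapper;
    private final RbacApiAppConfig config;
    private final Authorizer authorizer;
    private final AuthStore authStore;
    private final JwtProvider jwtProvider;
    private final AuthenticateCallbackHandler authenticateCallbackHandler;
    private final MdsWriterProxyServlet proxyWriter;
    private final DestinationTopicManager auditLogDestinationTopicManager;
    private final DynamicConfigAuditLogConfigStore auditLogConfigStore;
    private final String metadataClusterId;
    private final Scope metadataClusterScope;
    private final ClusterRegistryGatekeeper clusterRegistryGatekeeper;
    private final SecurityMetadataAuthorizer metadataAuthorizer;
    // Components that receive configure/reconfigure calls, keyed by a descriptive name.
    private final Map<String, Reconfigurable> reconfigurables;
    private final DynamicConfigurator dynamicConfigurator;
    private final MdsFeatures mdsFeatures;
    private FeatureConfigurationService featureConfigurationService;
    private final ConfluentServerCrnAuthority v1CrnAuthority;

    /**
     * Creates the application with a default {@link CPFeatureConfigurationService}.
     *
     * @param rbacApiAppConfig application configuration
     * @param authorizer authorizer shared by the resources
     * @param authStore store backing role bindings, ACLs and leader election
     * @param jwtProvider provider used to issue and verify tokens
     * @param authenticateCallbackHandler handler used for LDAP logins; may be {@code null} unless
     *     the LDAP user store is configured
     * @param str id of the metadata cluster; must be non-empty
     * @param confluentAdmin admin client used for dynamic configuration and audit-log topics
     * @throws IllegalArgumentException if {@code str} is {@code null} or empty
     */
    public RbacApiApplication(RbacApiAppConfig rbacApiAppConfig, Authorizer authorizer, AuthStore authStore, JwtProvider jwtProvider, AuthenticateCallbackHandler authenticateCallbackHandler, String str, ConfluentAdmin confluentAdmin) {
        this(rbacApiAppConfig, authorizer, authStore, jwtProvider, authenticateCallbackHandler, str, confluentAdmin, new CPFeatureConfigurationService());
    }

    /**
     * Creates the application and all services the resources depend on.
     *
     * @param rbacApiAppConfig application configuration
     * @param authorizer authorizer shared by the resources
     * @param authStore store backing role bindings, ACLs and leader election
     * @param jwtProvider provider used to issue and verify tokens
     * @param authenticateCallbackHandler handler used for LDAP logins; may be {@code null} unless
     *     the LDAP user store is configured
     * @param str id of the metadata cluster; must be non-empty
     * @param confluentAdmin admin client used for dynamic configuration and audit-log topics
     * @param featureConfigurationService feature configuration service to retain
     * @throws IllegalArgumentException if {@code str} is {@code null} or empty
     */
    public RbacApiApplication(RbacApiAppConfig rbacApiAppConfig, Authorizer authorizer, AuthStore authStore, JwtProvider jwtProvider, AuthenticateCallbackHandler authenticateCallbackHandler, String str, ConfluentAdmin confluentAdmin, FeatureConfigurationService featureConfigurationService) {
        super(rbacApiAppConfig, "/security");
        this.objectMapper = MdsObjectMapperProvider.getObjectMapper();
        this.v1CrnAuthority = new ConfluentServerCrnAuthority();
        this.objectMapper.registerModule(new MdsJacksonModule());
        this.objectMapper.registerModule(new KafkaModule());
        this.objectMapper.registerModule(new JavaTimeModule());
        this.config = rbacApiAppConfig;
        this.authorizer = authorizer;
        this.authStore = authStore;
        this.jwtProvider = jwtProvider;
        this.authenticateCallbackHandler = authenticateCallbackHandler;
        this.dynamicConfigurator = new DefaultDynamicConfigurator(confluentAdmin);
        // The cluster id scopes every authorization decision below, so reject a missing one early.
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Metadata cluster id must be non-empty");
        }
        this.metadataClusterId = str;
        this.metadataClusterScope = Scope.kafkaClusterScope(str);
        this.proxyWriter = new MdsWriterProxyServlet(this);
        this.metadataAuthorizer = new SecurityMetadataAuthorizer(authorizer, this.metadataClusterScope);
        this.clusterRegistryGatekeeper = new ClusterRegistryGatekeeper(authorizer, authStore.authCache(), str);
        this.clusterRegistryService = new ClusterRegistryService(this.objectMapper, this.clusterRegistryGatekeeper, this.dynamicConfigurator);
        this.auditLogDestinationTopicManager = new DestinationTopicManager(confluentAdmin);
        this.auditLogDestinationTopicManager.configure(rbacApiAppConfig.originals());
        this.auditLogConfigStore = new DynamicConfigAuditLogConfigStore(this.clusterRegistryService, this.dynamicConfigurator);
        this.auditLogConfigStore.configure(rbacApiAppConfig.originals());
        this.reconfigurables = new ConcurrentHashMap<>();
        this.reconfigurables.put("auditLogDestinationTopicManager", this.auditLogDestinationTopicManager);
        this.reconfigurables.put("auditLogConfigStore", this.auditLogConfigStore);
        this.reconfigurables.put("clusterRegistryService", this.clusterRegistryService);
        this.mdsFeatures = MdsFeatures.loadBaselineFeatures(this.objectMapper);
        this.featureConfigurationService = featureConfigurationService;
    }

    /**
     * Returns the local port of the server's first connector.
     *
     * @return the bound port of connector 0
     */
    @VisibleForTesting
    public int getActualMdsPort() {
        return this.server.getConnectors()[0].getLocalPort();
    }

    /** Reports whether the auth store considers this node the master writer. */
    @Override // io.confluent.rbacapi.rest.LeaderAwareApplication
    public boolean isLeader() {
        return this.authStore.isMasterWriter();
    }

    /**
     * Returns the master writer's URL as reported by the auth store.
     *
     * @param str argument forwarded unchanged to {@code AuthStore.masterWriterUrl}
     */
    @Override // io.confluent.rbacapi.rest.LeaderAwareApplication
    public URL getLeader(String str) {
        return this.authStore.masterWriterUrl(str);
    }

    /**
     * Returns the URLs of the active nodes as reported by the auth store.
     *
     * @param str argument forwarded unchanged to {@code AuthStore.activeNodeUrls}
     */
    @Override // io.confluent.rbacapi.rest.LeaderAwareApplication
    public Collection<URL> getNodes(String str) {
        return this.authStore.activeNodeUrls(str);
    }

    /**
     * Installs the error handler, the writes filter and the leader proxy servlet on the context.
     *
     * @param servletContextHandler context being assembled
     */
    protected void configurePreResourceHandling(ServletContextHandler servletContextHandler) {
        // Replaces Jetty's default error page; the handler's name says it suppresses stack traces
        // in error responses (confirm in NoJettyDefaultStackTraceErrorHandler).
        servletContextHandler.setErrorHandler(new NoJettyDefaultStackTraceErrorHandler());
        servletContextHandler.addFilter(new FilterHolder(new MdsWritesFilter(this)), "/*", (EnumSet) null);
        servletContextHandler.addServlet(new ServletHolder(this.proxyWriter), "/leader/*");
        // Reuse the server's own TLS settings for the proxy when TLS is configured.
        if (getSslContextFactory() != null) {
            this.proxyWriter.setSslContextFactory(getSslContextFactory());
        }
    }

    /**
     * Loads the validators from the RBAC role definitions and registers every REST resource.
     *
     * <p>The token resource is registered only for {@code BEARER} authentication with a user
     * store other than {@code MDS_USER_STORE_NONE}; the Swagger resource only when the OpenAPI
     * flag is set.
     *
     * @param configurable Jersey configuration to register components on
     * @param restConfig REST configuration supplied by the framework (unused here)
     */
    public void setupResources(Configurable<?> configurable, RestConfig restConfig) {
        ValidRole.RoleValidator.loadRoles(this.authStore.authCache().rbacRoles());
        V2ValidRoleFilter.RoleFilterValidator.loadRoles(this.authStore.authCache().rbacRoles());
        ValidOperation.OperationValidator.loadOperations(this.authStore.authCache().rbacRoles());
        ValidResourceType.ResourceTypeValidator.loadResourceType(this.authStore.authCache().rbacRoles());
        ValidOptionalResourceType.OptionalResourceTypeValidator.loadResourceType(this.authStore.authCache().rbacRoles());
        V1ValidRoleResourceType.RoleResourceTypeValidator.loadRoleResourceType(this.authStore.authCache().rbacRoles());
        V2ValidScopeResourceType.ScopeResourceTypeValidator.loadScopeResourceType(this.authStore.authCache().rbacRoles());
        configurable.register(new MDSValidationConfigurationContextResolver());

        String authMethod = this.config.getString("authentication.method");
        String userStore = this.config.getString(RbacApiAppConfig.MDS_USER_STORE_CONFIG);
        // Token issuance needs a user store to authenticate the caller against.
        if ("BEARER".equals(authMethod) && !RbacApiAppConfig.MDS_USER_STORE_NONE.equals(userStore)) {
            this.jwtProvider.configure(this.config.originals());
            this.mdsFeatures.markTokenGenerationEnabled();
            configurable.register(new V1TokenResource(new TokenService(this.jwtProvider)));
        }
        if (this.config.getBoolean(RbacApiAppConfig.MDS_OPENAPI_ENABLE_CONFIG).booleanValue()) {
            configurable.register(new SwaggerFilesResource());
        }

        RoleBindingProcessing roleBindingProcessing = new RoleBindingProcessing(this.authorizer, this.authStore.authCache());
        configurable.register(new V1FeaturesResource(this.mdsFeatures));
        configurable.register(new V1AuthorizeResource(this.authorizer, this.metadataAuthorizer));
        configurable.register(new V1RolesResource(this.authStore.authCache().rbacRoles()));
        configurable.register(new V1LookupResource(this.authStore.authCache(), this.metadataAuthorizer, this.clusterRegistryService));
        Long configuredTimeoutNanos = getConfiguredTimeoutNanos(this.config);
        this.clusterRegistryService.configure(this.config.values());
        configurable.register(new V1PrincipalsResource(this.authStore, this.metadataAuthorizer, configuredTimeoutNanos.longValue(), this.clusterRegistryService, this.v1CrnAuthority, this.objectMapper));
        configurable.register(new V1MetadataServiceResource(this.authStore, this.metadataClusterId));
        configurable.register(new V1AclResource(this.authStore, this.metadataAuthorizer, configuredTimeoutNanos.longValue()));
        configurable.register(new V1OperationsResource(roleBindingProcessing, this.metadataAuthorizer, this.clusterRegistryService));
        configurable.register(new V1UserGroupResource(this.authStore.authCache(), this.clusterRegistryService));
        configurable.register(new V1ClusterRegistryResource(this.clusterRegistryService));

        AuditLogConfigAuthorizer auditLogConfigAuthorizer = new AuditLogConfigAuthorizer(this.authorizer, this.metadataClusterId, this::getAllRegisteredKafkaClusterIds);
        Object advertisedListeners = this.config.originals().get("advertised.listeners");
        // NOTE(review): the extractor is null when advertised.listeners is absent or not a String;
        // confirm V1AuditLogConfigResource tolerates a null extractor.
        CredentialExtractor credentialExtractor = advertisedListeners instanceof String ? new CredentialExtractor((String) advertisedListeners) : null;
        TopicRetentionUpdateCallback topicRetentionUpdateCallback = auditLogConfigSpec -> {
            if (log.isInfoEnabled()) {
                log.info("Received an audit log destination topic retention time policy update. {}", StringUtils.join(new AuditLogConfigSpec[]{auditLogConfigSpec}));
            }
            return this.auditLogDestinationTopicManager.update(auditLogConfigSpec);
        };
        // The decompiled listing referenced an undefined "r6" here; it is the bound method
        // reference on the destination topic manager.
        configurable.register(new V1AuditLogConfigResource(auditLogConfigAuthorizer, this.auditLogConfigStore, credentialExtractor, this.auditLogDestinationTopicManager::getTopicRetentionMillis, topicRetentionUpdateCallback, configuredTimeoutNanos.longValue()));
        // NOTE(review): the listing registers a second, identical V1AuditLogConfigResource. It is
        // kept so the registration sequence is unchanged, but it looks unintended — confirm and
        // drop one of the two.
        configurable.register(new V1AuditLogConfigResource(auditLogConfigAuthorizer, this.auditLogConfigStore, credentialExtractor, this.auditLogDestinationTopicManager::getTopicRetentionMillis, topicRetentionUpdateCallback, configuredTimeoutNanos.longValue()));

        // Request logging is configured with PAYLOAD_TEXT verbosity and an 8192 entity-size
        // argument at INFO level, so message bodies reach the "io.confluent.mds.request.logger"
        // logger. NOTE(review): bodies on this API can carry credentials or tokens; whether
        // MDSLoggingFilter redacts them is not visible here — verify before shipping these logs
        // off-host, and restrict access to this logger's output.
        configurable.register(new MDSLoggingFilter(java.util.logging.Logger.getLogger("io.confluent.mds.request.logger"), Level.INFO, LoggingFeature.Verbosity.PAYLOAD_TEXT, 8192));
    }

    /**
     * Converts the configured {@code idle.timeout.ms} value to nanoseconds.
     *
     * @param rbacApiAppConfig configuration to read the timeout from
     * @return the timeout in nanoseconds
     */
    @VisibleForTesting
    protected Long getConfiguredTimeoutNanos(RbacApiAppConfig rbacApiAppConfig) {
        long idleTimeoutMs = rbacApiAppConfig.getLong("idle.timeout.ms").longValue();
        return Long.valueOf(idleTimeoutMs * 1_000_000L);
    }

    /**
     * Stops the Jetty server, waits for it to finish, then runs the base class's stop logic.
     *
     * @throws Exception if stopping the server or the base application fails
     */
    public void stop() throws Exception {
        this.server.stop();
        join();
        super.stop();
    }

    /**
     * Closes the authorizer, the auth store and the dynamic configurator.
     *
     * <p>Each close is attempted independently so that one failure does not leave the remaining
     * resources open; failures are logged together with their cause.
     */
    public void onShutdown() {
        log.info("Jetty server has processed the shutdown request, now running onShutdown hook...");
        try {
            this.authorizer.close();
        } catch (IOException e) {
            log.error("Failed to close authorizer onShutdown.", e);
        }
        try {
            this.authStore.close();
        } catch (IOException e) {
            log.error("Failed to close authStore onShutdown.", e);
        }
        try {
            this.dynamicConfigurator.close();
        } catch (IOException e) {
            log.error("Failed to close dynamicConfigurator onShutdown.", e);
        }
    }

    /**
     * Registers the MDS Jackson message body provider backed by this application's mapper.
     *
     * @param configurable Jersey configuration to register on
     * @param restConfig REST configuration supplied by the framework (unused here)
     * @param z flag supplied by the framework (unused here)
     */
    protected void registerJsonProvider(Configurable<?> configurable, RestConfig restConfig, boolean z) {
        configurable.register(new MdsJacksonMessageBodyProvider(this.objectMapper));
    }

    /**
     * Registers the exception mappers that translate failures into HTTP responses.
     *
     * @param configurable Jersey configuration to register on
     * @param restConfig REST configuration supplied by the framework (unused here)
     */
    protected void registerExceptionMappers(Configurable<?> configurable, RestConfig restConfig) {
        // Shared instance: the token and Kafka-execution mappers receive it as a constructor
        // argument.
        MdsUncaughtExceptionMapper uncaughtMapper = new MdsUncaughtExceptionMapper();
        configurable.register(uncaughtMapper);
        configurable.register(new MdsJacksonProcessingErrorMapper());
        configurable.register(new MdsJacksonParseErrorMapper());
        configurable.register(new MdsJacksonBindingErrorMapper());
        configurable.register(JsonParseExceptionMapper.class);
        configurable.register(new Mds400ExceptionMapper());
        configurable.register(new MdsValidationExceptionMapper());
        configurable.register(new ConstraintViolationExceptionMapper());
        configurable.register(new AuthenticationTokenExceptionMapper(uncaughtMapper));
        configurable.register(new TimeoutExceptionMapper());
        configurable.register(new KafkaApiExceptionMapper(this.config));
        configurable.register(new KafkaExecutionExceptionMapper(this.config, uncaughtMapper));
        configurable.register(new ClusterRegistryNoAccessExceptionMapper());
        configurable.register(new ClusterRegistryNotFoundExceptionMapper());
        configurable.register(new ClusterRegistryConflictExceptionMapper());
        configurable.register(new ClusterRegistryGenericClientErrorExceptionMapper());
        configurable.register(new ClusterRegistryUpdateExceptionMapper());
        configurable.register(new ClusterRegistryVerifyExceptionMapper());
        configurable.register(new CrnSyntaxExceptionMapper());
        configurable.register(new DeletedNonexistentResourceExceptionMapper());
        configurable.register(new MdsJerseyExceptionMapper());
    }

    /**
     * Installs the authenticator and login service selected by {@code authentication.method} and
     * the user-store setting.
     *
     * <p>No security handler is installed for the websocket context, nor when
     * {@code authentication.method} equals {@code MDS_USER_STORE_NONE}; in the latter case the
     * servlet layer performs no authentication at all, so that value should only be used where
     * something in front of the service authenticates callers.
     *
     * @param servletContextHandler context to protect
     * @throws IllegalStateException if the user store or the authentication method is not a
     *     supported value, or LDAP is selected without a callback handler
     */
    protected void configureSecurityHandler(ServletContextHandler servletContextHandler) {
        if (servletContextHandler.getContextPath().equals(this.config.getString("websocket.path.prefix"))) {
            return;
        }
        String authMethod = this.config.getString("authentication.method");
        if (RbacApiAppConfig.MDS_USER_STORE_NONE.equals(authMethod)) {
            return;
        }
        String realm = this.config.getString("authentication.realm");
        String userStore = this.config.getString(RbacApiAppConfig.MDS_USER_STORE_CONFIG);
        // Resolved before the handler is built so an invalid user store fails first, as before.
        HashLoginService userStoreLoginService = createUserStoreLoginService(realm, userStore);

        ConstraintSecurityHandler securityHandler = createSecurityHandler();
        MdsBasicAuthenticator basicAuthenticator = new MdsBasicAuthenticator();
        if ("BASIC".equals(authMethod)) {
            this.mdsFeatures.markBasicAuthEnabled();
            securityHandler.setAuthenticator(basicAuthenticator);
            // NOTE(review): with the user store set to MDS_USER_STORE_NONE this is null, i.e.
            // BASIC is enabled without a login service. Confirm that combination is rejected
            // elsewhere (config validation or server start-up).
            securityHandler.setLoginService(userStoreLoginService);
        } else if ("BEARER".equals(authMethod)) {
            this.mdsFeatures.markTokenValidationEnabled();
            securityHandler.setAuthenticator(new OAuthOrBasicAuthenticator(basicAuthenticator, MdsBasicAuthenticator.MDS_NO_AUTH_ENDPOINTS));
            if (!RbacApiAppConfig.MDS_USER_STORE_NONE.equals(userStore)) {
                // Tokens issued by this service are checked against its own issuer and public
                // key; the user-store login service is passed as the fallback.
                JwtLoginService jwtLoginService = new JwtLoginService(realm, this.jwtProvider.issuer, Collections.singletonList(this.jwtProvider.getPublicKey()), "");
                this.mdsFeatures.markBasicAuthEnabled();
                securityHandler.setLoginService(new JwtWithFallbackLoginService(jwtLoginService, userStoreLoginService));
            } else {
                // No user store: token verification is configured purely from the raw
                // application properties.
                securityHandler.setLoginService(new JwtLoginService(realm, new JwtAuthenticator(new JwtAuthenticatorConfig(this.config.originals()))));
            }
        } else {
            throw new IllegalStateException("Invalid authentication config of " + authMethod);
        }
        servletContextHandler.setSecurityHandler(securityHandler);
    }

    /**
     * Builds the login service for the configured user store.
     *
     * @param realm authentication realm name
     * @param userStore configured user-store value
     * @return the login service, or {@code null} when the store is {@code MDS_USER_STORE_NONE}
     * @throws IllegalStateException if the value is not supported, or LDAP is selected without a
     *     callback handler
     */
    private HashLoginService createUserStoreLoginService(String realm, String userStore) {
        if (RbacApiAppConfig.MDS_USER_STORE_FILE.equals(userStore)) {
            return new HashLoginService(realm, this.config.getString(RbacApiAppConfig.FILE_LOGIN_PATH_PROP));
        }
        if (RbacApiAppConfig.MDS_USER_STORE_LDAP.equals(userStore)) {
            if (this.authenticateCallbackHandler == null) {
                throw new IllegalStateException("LDAP authentication requested, but no authenticationCallback provided");
            }
            log.trace("Confluent authenticate callback handler is enabled.");
            return new MdsLoginService(realm, this.authenticateCallbackHandler);
        }
        if (RbacApiAppConfig.MDS_USER_STORE_NONE.equals(userStore)) {
            log.info("No user store configured. Disabling basic auth.");
            return null;
        }
        throw new IllegalStateException("Invalid user store config of " + userStore);
    }

    /**
     * Creates the security handler with the authenticated path specs and the configured
     * unauthenticated exceptions.
     *
     * <p>Only {@code /1.0/*}, {@code /v2alpha1/*} and {@code /v2/*} are covered by an
     * authentication constraint. A resource served outside these prefixes is not protected by
     * this handler, so new API versions need a matching entry here.
     *
     * @return the configured handler, without authenticator or login service
     */
    protected ConstraintSecurityHandler createSecurityHandler() {
        String realm = this.config.getString("authentication.realm");
        ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
        securityHandler.addConstraintMapping(createSecurePathConstraint("/1.0/*"));
        securityHandler.addConstraintMapping(createSecurePathConstraint("/v2alpha1/*"));
        securityHandler.addConstraintMapping(createSecurePathConstraint("/v2/*"));
        securityHandler.setRealmName(realm);
        // Config-driven exceptions to the constraints above; review the configured values, since
        // each one opens a path to unauthenticated callers.
        List<ConstraintMapping> unsecuredConstraints = AuthUtil.createUnsecuredConstraints(this.config);
        unsecuredConstraints.forEach(securityHandler::addConstraintMapping);
        return securityHandler;
    }

    /**
     * Builds a constraint mapping that requires authentication for every method on a path spec.
     *
     * @param str servlet path spec to protect
     * @return the mapping for {@code str}
     */
    private ConstraintMapping createSecurePathConstraint(String str) {
        Constraint constraint = new Constraint();
        constraint.setAuthenticate(true);
        List<String> roles = this.config.getList("authentication.roles");
        // When roles are left at the framework default, substitute "**", which Jetty treats as
        // "any authenticated user"; authorization is then left to the resources themselves.
        if (roles.equals(RestConfig.AUTHENTICATION_ROLES_DEFAULT)) {
            roles = Collections.singletonList("**");
        }
        constraint.setRoles(roles.toArray(new String[0]));
        ConstraintMapping constraintMapping = new ConstraintMapping();
        constraintMapping.setConstraint(constraint);
        constraintMapping.setMethod("*");
        // With CORS enabled, OPTIONS is left out of the constraint so that preflight requests,
        // which carry no credentials, are not rejected.
        if (AuthUtil.isCorsEnabled(this.config)) {
            constraintMapping.setMethodOmissions(new String[]{"OPTIONS"});
        }
        constraintMapping.setPathSpec(str);
        return constraintMapping;
    }

    /**
     * Collects the {@code kafka-cluster} id of every Kafka cluster in the cluster registry.
     *
     * <p>Uses the registry's unrestricted listing, so the result is not filtered by any caller's
     * permissions; it is supplied to the audit-log config authorizer only.
     */
    private Set<String> getAllRegisteredKafkaClusterIds() {
        return (Set) this.clusterRegistryService.getUnrestrictedClusters(ClusterType.KAFKA_CLUSTER).stream()
                .map(clusterInfo -> (String) clusterInfo.getScope().clusters().get("kafka-cluster"))
                .collect(Collectors.toSet());
    }

    /**
     * Returns the union of the reconfigurable config names of all registered components.
     *
     * @return a new mutable set of config names
     */
    public Set<String> reconfigurableConfigs() {
        Set<String> names = new HashSet<>();
        for (Reconfigurable reconfigurable : this.reconfigurables.values()) {
            names.addAll(reconfigurable.reconfigurableConfigs());
        }
        return names;
    }

    /**
     * Asks every registered component to validate the proposed configuration.
     *
     * @param map proposed configuration
     * @throws ConfigException if a component rejects the configuration
     */
    public void validateReconfiguration(Map<String, ?> map) throws ConfigException {
        for (Reconfigurable reconfigurable : this.reconfigurables.values()) {
            reconfigurable.validateReconfiguration(map);
        }
    }

    /**
     * Applies the new configuration to every registered component.
     *
     * @param map new configuration
     */
    public void reconfigure(Map<String, ?> map) {
        for (Reconfigurable reconfigurable : this.reconfigurables.values()) {
            reconfigurable.reconfigure(map);
        }
    }

    /**
     * Passes the configuration to every registered component.
     *
     * @param map configuration
     */
    public void configure(Map<String, ?> map) {
        for (Reconfigurable reconfigurable : this.reconfigurables.values()) {
            reconfigurable.configure(map);
        }
    }

    static {
        // Route java.util.logging output through SLF4J: drop the JUL default handlers, then
        // install the bridge handler.
        LogManager.getLogManager().reset();
        SLF4JBridgeHandler.install();
    }
}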
