package io.confluent.ksql.rest.server.filters;

import io.confluent.ksql.rest.Errors;
import io.confluent.ksql.rest.server.resources.HealthCheckResource;
import io.confluent.ksql.rest.server.resources.ServerMetadataResource;
import io.confluent.ksql.security.KsqlAuthorizationProvider;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Priority;
import javax.ws.rs.Path;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

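/**
 * JAX-RS request filter that asks the configured {@link KsqlAuthorizationProvider} whether the
 * caller may reach the requested endpoint, and aborts the request with an access-denied response
 * when the provider rejects it.
 *
 * <p>Paths declared by {@link ServerMetadataResource} and {@link HealthCheckResource} are exempt
 * from the check. The exemption is an exact string match on the request path, so any variation of
 * an exempt path (for example one with a trailing slash) still goes through the provider.
 *
 * <p>The priority value 2000 equals {@code javax.ws.rs.Priorities.AUTHORIZATION}, so this filter
 * runs after filters registered at the authentication priority.
 */
@Priority(2000)
/* loaded from: input_file:io/confluent/ksql/rest/server/filters/KsqlAuthorizationFilter.class */
public class KsqlAuthorizationFilter implements ContainerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(KsqlAuthorizationFilter.class);

    /** Exact request paths that are served without consulting the authorization provider. */
    private static final Set<String> PATHS_WITHOUT_AUTHORIZATION = getPathsFrom(ServerMetadataResource.class, HealthCheckResource.class);

    private final KsqlAuthorizationProvider authorizationProvider;

    /**
     * @param ksqlAuthorizationProvider provider consulted for every non-exempt request
     */
    public KsqlAuthorizationFilter(KsqlAuthorizationProvider ksqlAuthorizationProvider) {
        this.authorizationProvider = ksqlAuthorizationProvider;
    }

    /**
     * Checks endpoint access for the current request and aborts it on denial.
     *
     * <p>Any {@link Throwable} raised by the provider is treated as a denial, so a provider
     * failure fails closed rather than letting the request through.
     *
     * @param containerRequestContext the request being filtered
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        Principal userPrincipal = containerRequestContext.getSecurityContext().getUserPrincipal();
        String method = containerRequestContext.getMethod();
        String path = "/" + containerRequestContext.getUriInfo().getPath();
        if (!requiresAuthorization(path)) {
            return;
        }
        try {
            this.authorizationProvider.checkEndpointAccess(userPrincipal, method, path);
        } catch (Throwable th) {
            // The principal is null for an unauthenticated request. Dereferencing it here would
            // throw from inside the catch block, so abortWith() below would never run and the
            // denial would surface as an unhandled error instead of an access-denied response.
            String userName = userPrincipal == null ? "<unknown>" : userPrincipal.getName();
            // Path and principal name come from the request; strip control characters so a
            // crafted value cannot forge extra lines in the audit trail.
            log.warn(
                "User:{} is denied access to \"{} {}\"",
                sanitizeForLog(userName), sanitizeForLog(method), sanitizeForLog(path), th);
            // NOTE(review): the provider's exception message is returned to the caller verbatim.
            // Confirm that provider messages never carry internal detail (hosts, ACL names).
            containerRequestContext.abortWith(Errors.accessDenied(th.getMessage()));
        }
    }

    /**
     * @return the unmodifiable set of request paths that bypass the authorization check
     */
    public static Set<String> getPathsWithoutAuthorization() {
        return PATHS_WITHOUT_AUTHORIZATION;
    }

    /** Returns true unless {@code str} is exactly one of the exempt paths. */
    private boolean requiresAuthorization(String str) {
        return !PATHS_WITHOUT_AUTHORIZATION.contains(str);
    }

    /** Replaces control characters (including CR and LF) so the value stays on one log line. */
    private static String sanitizeForLog(String value) {
        return value == null ? "null" : value.replaceAll("\\p{Cntrl}", "_");
    }

    /**
     * Collects the class-level {@link Path} of each resource plus every method-level sub-path.
     *
     * @param clsArr resource classes, each of which must carry a class-level {@link Path}
     * @return unmodifiable set of paths, without trailing slashes
     * @throws IllegalArgumentException if a class has no {@link Path} annotation
     */
    private static Set<String> getPathsFrom(Class<?>... clsArr) {
        Set<String> paths = new HashSet<>();
        for (Class<?> cls : clsArr) {
            Path classPath = cls.getAnnotation(Path.class);
            if (classPath == null) {
                // Fail with a clear message rather than an anonymous NPE during class init.
                throw new IllegalArgumentException("Resource class has no @Path annotation: " + cls.getName());
            }
            String basePath = StringUtils.stripEnd(classPath.value(), "/");
            paths.add(basePath);
            for (Method method : cls.getMethods()) {
                Path methodPath = method.getAnnotation(Path.class);
                if (methodPath != null) {
                    paths.add(basePath + "/" + StringUtils.strip(methodPath.value(), "/"));
                }
            }
        }
        return Collections.unmodifiableSet(paths);
    }
}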
