package io.confluent.ksql.api.server;

import io.confluent.ksql.api.auth.AuthenticationPlugin;
import io.confluent.ksql.api.auth.AuthenticationPluginHandler;
import io.confluent.ksql.api.auth.JaasAuthProvider;
import io.confluent.ksql.api.auth.KsqlAuthorizationProviderHandler;
import io.confluent.ksql.api.auth.SystemAuthenticationHandler;
import io.confluent.ksql.rest.Errors;
import io.confluent.ksql.rest.server.KsqlRestConfig;
import io.confluent.ksql.security.KsqlSecurityExtension;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.vertx.core.Handler;
import io.vertx.core.http.ClientAuth;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.AuthHandler;
import io.vertx.ext.web.handler.BasicAuthHandler;
import java.net.URI;
import java.util.Optional;

/* loaded from: input_file:io/confluent/ksql/api/server/AuthHandlers.class */
public final class AuthHandlers {
    private AuthHandlers() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void setupAuthHandlers(Server server, Router router, boolean z) {
        Optional<AuthHandler> jaasAuthHandler = getJaasAuthHandler(server);
        KsqlSecurityExtension securityExtension = server.getSecurityExtension();
        Optional<AuthenticationPlugin> authenticationPlugin = server.getAuthenticationPlugin();
        Optional<U> map = authenticationPlugin.map(authenticationPlugin2 -> {
            return new AuthenticationPluginHandler(server, authenticationPlugin2);
        });
        getSystemAuthenticationHandler(server, z).ifPresent(systemAuthenticationHandler -> {
            router.route().handler(systemAuthenticationHandler);
        });
        if (jaasAuthHandler.isPresent() || authenticationPlugin.isPresent()) {
            router.route().handler(AuthHandlers::pauseHandler);
            router.route().handler(routingContext -> {
                wrappedAuthHandler(routingContext, jaasAuthHandler, map);
            });
            securityExtension.getAuthorizationProvider().ifPresent(ksqlAuthorizationProvider -> {
                router.route().handler(new KsqlAuthorizationProviderHandler(server.getWorkerExecutor(), ksqlAuthorizationProvider));
            });
            router.route().handler(AuthHandlers::resumeHandler);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void wrappedAuthHandler(RoutingContext routingContext, Optional<AuthHandler> optional, Optional<Handler<RoutingContext>> optional2) {
        String header;
        if (SystemAuthenticationHandler.isAuthenticatedAsSystemUser(routingContext)) {
            routingContext.next();
            return;
        }
        if (optional.isPresent() && (header = routingContext.request().getHeader("Authorization")) != null && header.toLowerCase().startsWith("basic ")) {
            optional.get().handle(routingContext);
        } else if (optional2.isPresent()) {
            optional2.get().handle(routingContext);
        } else {
            routingContext.fail(HttpResponseStatus.UNAUTHORIZED.code(), new KsqlApiException("Unauthorized", Errors.ERROR_CODE_UNAUTHORIZED));
        }
    }

    private static Optional<AuthHandler> getJaasAuthHandler(Server server) {
        String string = server.getConfig().getString(KsqlRestConfig.AUTHENTICATION_METHOD_CONFIG);
        boolean z = -1;
        switch (string.hashCode()) {
            case 2402104:
                if (string.equals("NONE")) {
                    z = true;
                    break;
                }
                break;
            case 62970894:
                if (string.equals(KsqlRestConfig.AUTHENTICATION_METHOD_BASIC)) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return Optional.of(basicAuthHandler(server));
            case true:
                return Optional.empty();
            default:
                throw new IllegalStateException(String.format("Unexpected value for %s: %s", KsqlRestConfig.AUTHENTICATION_METHOD_CONFIG, string));
        }
    }

    private static AuthHandler basicAuthHandler(Server server) {
        AuthHandler create = BasicAuthHandler.create(new JaasAuthProvider(server, server.getConfig()), server.getConfig().getString(KsqlRestConfig.AUTHENTICATION_REALM_CONFIG));
        create.addAuthority("ksql");
        return create;
    }

    private static Optional<SystemAuthenticationHandler> getSystemAuthenticationHandler(Server server, boolean z) {
        String string = server.getConfig().getString(KsqlRestConfig.INTERNAL_LISTENER_CONFIG);
        if (string == null) {
            return Optional.empty();
        }
        return (server.getConfig().getClientAuthInternal() == ClientAuth.REQUIRED && "https".equalsIgnoreCase(URI.create(string).getScheme()) && z) ? Optional.of(new SystemAuthenticationHandler()) : Optional.empty();
    }

    private static void pauseHandler(RoutingContext routingContext) {
        routingContext.request().pause();
        routingContext.next();
    }

    private static void resumeHandler(RoutingContext routingContext) {
        routingContext.request().resume();
        routingContext.next();
    }
}
